Phishing

April 17, 2008

Whaling in Singapore?

Singapore is being named as the source of a piece of malware cleverly designed to hoodwink U.S. executives: it arrives as an emailed subpoena that addresses them by name and by title.

The SANS Storm Center said three days ago that

We've gotten a few reports that some CEOs have received what purports to be a federal subpoena via e-mail ordering their testimony in a case. It then asks them to click a link and download the case history and associated information.

One problem, it's total bogus. It's a "click-the-link-for-malware" typical spammer stunt. So, first and foremost, don't click on such links. An interesting component of this scam was that it did properly identify the CEO and send it to his e-mail directly. It's very highly targeted that way.

The report says that the server the trojan reports back to is "hard-coded to an ISP in Singapore at this time," and, according to Ars Technica, the trojan "steals copies of any security certificates installed on the system."

(This, by the way, is called whaling, since it is like phishing but more targeted, and going for bigger phish, so to speak.)

The Inquirer says that the web servers delivering the emails are based in China, and, in language too loose to take seriously, "the cyber ruffians who later nefariously take control of the victims’ computers, based in Singapore."

There's no evidence the "cyber ruffians" are based in Singapore, as far as I can work out. The only possible connection could be the English and errors in the emails, which, John Markoff of the NYT reports, "led several researchers to believe that the attackers were not familiar with the United States court system and that the group might be based in a place that used a British variant of English, such as Hong Kong."

That said, just because the command-and-control server sits at a Singapore ISP, and that ISP (or one of its customers) may have been compromised, doesn't mean that those involved are physically located in Singapore. Indeed, it would seem very unlikely they are; if they're smart enough to launch an attack like this, you'd have to bet against them being anywhere near the 'command and control' center itself.

Still, it's unsettling that an ISP may have been compromised. So far we don't know much more, though I've put in requests for more information. (The source of the information about Singapore appears to have come from someone at Verisign, whose Asian PR address bounces. So don't expect something anytime soon.)

March 10, 2008

Backed Up? Or Cracked Up?

image

There's quite a commotion online about a program called g-archiver that promises to back up your Gmail account, but in the process apparently harvests all users' Gmail usernames and passwords, and mails them to a separate Gmail account.

This is indeed scary, although it's possible that the person behind it wasn't collecting the passwords for nefarious purposes. But it highlights some important issues that we tend to overlook in this Web 2.0, mashup age:

  • Your online email account is more vulnerable than an offline one (by which I mean, storing your old emails online, rather than downloading them to your computer and deleting the online copy). Whoever gets your password gets everything still sitting on the server, so the less there is, the less there is to lose. In this sense, POP (with delete-from-server) is good, IMAP and webmail bad.
  • If you give your username and password to third parties, i.e., those who access your account on your behalf, you need to be more rather than less careful than with the original service. For example, services like Plaxo that access your other accounts on your behalf will inevitably require you to enter your username and password, which will then be stored on their server, and are only as safe as that server.

On top of that, it's intriguing to take a look at how legitimate this one program appears, and how little the websites helping to distribute it have vetted it. I found copies at Download.com (owned by CNET, and despite a commenter there pointing out that it steals passwords), Shareware Junkies, BrotherSoft, Softpedia, ZDNet, Download3000, FreedownloadsCenter, the excellently named Safe Install, and Filedudes.

Just out of interest, G-Archiver is apparently the work of a company called MateMedia, which registered the website hosting the software. An interview with the company's president, Russ Mate, is here.

A message on the original blog post purporting to be from Mr. Mate says "MateMedia is a legitimate company and we are absolutely horrified that this has occurred", and will be notifying any download sites hosting the software to "remove it immediately."

That clearly hasn't happened yet, but neither has the company removed it from its own website, at the time of writing. (Seeing the software alongside tools like FriendTools, which automates adding friends and comments for MySpace spammers, or TubeAdder, which does the same thing on YouTube, might give a prospective user pause for thought.)

My rules of thumb:

  • Never download software without visiting the author's original site, and finding out who produced it. This applies to Facebook apps as well. (In G-Archiver's case, there is no contact page.)
  • Think hard before you give your email password to any service, however legitimate. It's not so much about losing your email password but about all the other passwords and personal data that a bad guy could access inside your email account.

As Web 2.0 involves more and more cross-pollination of information, so we need to be smarter about who we give our passwords to, and what information we store behind those passwords, both in email and in social networking accounts.

December 10, 2007

Phishing For a Scapegoat

It's somewhat scary that more than 10 employees of a laboratory that works on security issues (including phishing) could fall for a phishing attack. The Oak Ridge National Laboratory, or ORNL, managed for the U.S. Department of Energy by UT-Battelle, works on science and technology involved in energy production and national security. In late October the lab was targeted from Chinese websites, according to eWeek:

All of the phishing e-mails instructed lab employees to open an attachment for more information or to click on an embedded link. ORNL's investigators now believe that about 11 staff fell for the come-ons and opened the attachments or clicked on the links. That was enough for the attackers to install keyloggers or other types of malware that gave attackers access to systems and the ability to extract data.

The interesting thing here is whether this was a "coordinated attack" and a "cyberattack", as has been suggested in the media. The Knoxville News Sentinel, for example, quotes lab director Thom Mason as saying the attack involved "approximately 1,100 attempts to steal data with a very sophisticated strategy that involved sending staff a total of seven phishing e-mails, all of which at first glance appeared legitimate." Meanwhile this AP article quotes Mason's memo to employees:

The assault appeared "to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions" in the United States, lab director Thom Mason said in a memo to the 4,200 employees at the Department of Energy facility.

The key here may be that the attackers were after personal information, not military secrets. As John C. Sharp writes:

The headlines keep coming about the news that several high-profile military labs - including some of the world's leading nuclear research labs - have been compromised by phishing scams. Unfortunately, many of these headlines are missing the point.

Example: In one story published today, PC World claims that Chinese Hackers "launched" a coordinated "major attack" on two US Military Laboratories.

This is almost certainly *not* what happened. According to most of the published data, this was a phishing attack, plain and simple.

The fact is that so many computers in China are poorly secured that more or less anyone can use them as relays, for anything from spam to phishing attacks. So a Chinese IP address is not proof that China, or even Chinese attackers, were involved; it is just where the last hop happened to be.

Of course, we don't know for sure what happened yet. But if the attack was enabled by employees clicking on an email attachment or link that originated from a Chinese server, you've got to question a) the security training at a place like that, and b) what kind of filters they have on their mail servers that would allow such emails to get through, especially given the sheer number of emails that were sent.

Sometimes "China" is a great excuse for all sorts of incompetence and inefficiency, and "sophisticated cyber attack" is just another way of saying "sorry, we haven't got a clue about all this Internets stuff."

Oak Ridge Speared in Phishing Attack Against National Labs

October 08, 2007

Hi, I'm Sheila from Phishers 'R' Us

It amuses me that banks talk about security but rarely apply it in a consistent enough way to save people like you and me from getting scammed. Take what just happened to me this morning:

My bank rings me up (the number is withheld so doesn't show up on my screen, but that doesn't seem to be unusual anymore; nearly half of the people who call me seem to withhold their number these days. In any case, it's not hard to fake a caller ID.)

The woman on the phone tells me there's been a problem with my last phonebanking transaction. Before she can tell me more, she says, she needs me to key in my six-digit phonebanking ID. I'm just about to do so, eager to sort out the problem, when I realize that I've not confirmed that she is who she says she is. So I ask her:

"Sorry, but I need to confirm who you are first."

"Yes, I am Sheila and I work for the phonebanking division."

"Yes, but how do I know you're Sheila from the phonebanking division, and not Sheila from Phishers 'R' Us?"

Clearly Sheila hasn't faced this kind of situation before.

"Er, well, if you key in your phonebanking ID, I can tell you details about your account, and that will confirm it."

"Well, it may do, or else it would tell me you'd already succeeded in hacking into my account and were now just toying with me."

A pause.

"Yes, but the PIN number goes straight into the computer," says Sheila, a bit nonplussed now.

I try to explain that a) I'm not personally accusing her of being a scammer, only that I have no way of confirming whether she is a bank employee or a clever social engineering fraudster, because she called me first, and b) that technology makes it eminently possible for someone to capture my six-digit PIN if I key it into my phone. A simple decoder on the line grabs the DTMF signals (the beeps when you press a key) and works out which digits they represent; whoever placed the call controls the audio path, so they hear every tone. I didn't tell this to Sheila because she was already beginning to sense I was a 'difficult customer.'
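To show how little that decoding takes, here is an added example, not code from the original post: a small DTMF decoder in Python that recovers keypad digits from audio with the Goertzel algorithm. The audio is constructed inline (8 kHz, 60 ms tones with 40 ms gaps and a little noise) to stand in for what the caller's end of the line would capture; the tone lengths, amplitude and detection thresholds are assumptions for the demonstration, not anything the bank or the scammers use.

```python
import math
import random

# DTMF keypad: each key is the sum of one low-group and one high-group tone.
LOW_FREQS = (697, 770, 852, 941)
HIGH_FREQS = (1209, 1336, 1477, 1633)
KEYPAD = ("123A", "456B", "789C", "*0#D")
DTMF_FREQS = {
    KEYPAD[r][c]: (LOW_FREQS[r], HIGH_FREQS[c])
    for r in range(4) for c in range(4)
}


def goertzel_power(frame, freq, fs):
    """Squared magnitude of the frame's DTFT at `freq`, via the Goertzel recurrence."""
    w = 2.0 * math.pi * freq / fs
    coeff = 2.0 * math.cos(w)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def classify_frame(frame, fs):
    """Return the key sounding in `frame`, or None for silence / no clear tone pair."""
    n = len(frame)
    # A pure tone of amplitude A gives power ~ (A*n/2)^2 here; anything weaker
    # than an A=0.1 tone is treated as 'no tone' (assumed threshold).
    min_power = (0.1 * n / 2) ** 2
    low = sorted(((goertzel_power(frame, f, fs), f) for f in LOW_FREQS), reverse=True)
    high = sorted(((goertzel_power(frame, f, fs), f) for f in HIGH_FREQS), reverse=True)
    (p_low, f_low), (p_low2, _) = low[0], low[1]
    (p_high, f_high), (p_high2, _) = high[0], high[1]
    if p_low < min_power or p_high < min_power:
        return None
    # Each group must have one dominant tone, else it is not a keypress.
    if p_low < 4 * p_low2 or p_high < 4 * p_high2:
        return None
    return KEYPAD[LOW_FREQS.index(f_low)][HIGH_FREQS.index(f_high)]


def decode_dtmf(samples, fs=8000, frame_ms=20):
    """Recover the key sequence from mono audio (floats in [-1, 1])."""
    n = int(fs * frame_ms / 1000)
    keys = []
    previous = None
    for start in range(0, len(samples) - n + 1, n):
        key = classify_frame(samples[start:start + n], fs)
        # Emit a key once per contiguous run of frames; the silence between
        # presses is what lets a repeated digit ('1100') be told apart.
        if key is not None and key != previous:
            keys.append(key)
        previous = key
    return "".join(keys)


def synthesize(keys, fs=8000, tone_ms=60, gap_ms=40, amp=0.5, noise=0.02, seed=1):
    """Constructed stand-in for the audio a tap on the call would capture."""
    rng = random.Random(seed)
    out = []
    for key in keys:
        f_low, f_high = DTMF_FREQS[key]
        for i in range(int(fs * tone_ms / 1000)):
            t = i / fs
            out.append(amp * math.sin(2 * math.pi * f_low * t)
                       + amp * math.sin(2 * math.pi * f_high * t)
                       + rng.gauss(0.0, noise))
        out.extend(rng.gauss(0.0, noise) for _ in range(int(fs * gap_ms / 1000)))
    return out


if __name__ == "__main__":
    keyed_pin = "482913"  # constructed; whatever the customer keys in
    print(decode_dtmf(synthesize(keyed_pin)))
```

The decoder needs no training and no knowledge of the bank: the keypad tones are a public standard, so the only thing protecting a PIN keyed during a call is the honesty of whoever is on the other end of the line.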

In the end I tell Sheila I'm going to call her back, to which she politely agrees. When I later explain to her that the bank should think about plugging the hole in their security fence, she listens politely, thanks me for my feedback, and says:

"One last thing, Mr. Wagstaff. I don't know if you've been told but we're running a promotion at the moment that for every customer you're able to bring in you get a $200 gift voucher for redemption at Takashimaya Department Store."

A bank with its priorities right, it seems.

What amazes me about this is that banks don't seem to have learned from past mistakes. A few months back I wrote about a scam in Hong Kong which uses exactly this tactic. Fraudsters stole wallets and handbags at a sporting event, removing only the ATM and business cards. The victims then got phone calls the next day from someone pretending to be from the bank, informing them they'd lost their card and asking them to approve cancellation of the card by keying in their PIN. Voila. If Sheila were Sheila the Scammer, someone would be at least half way into my account by now.

I wish banks would be smarter about this. I wish in particular the banks I use would be smarter about this. Scammers are clever, particularly at social engineering -- the art of lulling people into a false sense of security. We ordinary people want to please, and we want to help solve a problem, especially if it's connected to us, so we're easy prey for someone at the end of the phone offering both.

The lesson is the same as the one I'm always trying to pass on: Don't give anything to anyone just because they ask you to. Find out first whether they are who they say they are. A realtor asking for a deposit? Show me the documents that prove you are authorized by the landlord. Here to check the meter? Where's your badge? Valet? How do I know you're not just a guy in a red jacket and jaunty hat about to steal my car?

Authenticate, authenticate, authenticate. And if it's someone like a banker, a real estate agent or an official, be hard on them if they seem impatient with your efforts. It's your money, not theirs.

August 15, 2007

A Literate Scam

Good grammar is important, whether you're pitching a story to a journalist or a scam to a dupe.

Here are two examples: how not to and how to. First off, a PR pitch that endangers its credibility with an error in the subject line:

image

And now, here's an example of getting it right: A scam that not only illustrates good grammar (right down to the correct use of the singular verb with "couple") but also how callous scammers are getting:

<...>

The Foundation is non-profit and Our Mission is to facilitate inspiring, meaningful outdoor experiences for youth who suffer life-challenging medical conditions as a result of HIV/AIDS.

We offer new hope and life skills for adjudicated youth, at-risk youth and those with disabilities and dependencies.These adventure programs build esteem, confidence, and character values that help build the foundation for a family and career.

<...>

We have a couple of Donors in CANADA and USA who has pledged but and we need a Payment/Liaison Agent urgently who will among other functions accept funds on our behalf and we will offer 10% of whatever we get in return.

<...> 

The scam, by the way, is probably seeking a phisher's mule: Someone who will allow their bank account to be used for laundering funds obtained from phishing expeditions. But it may also involve attempting to fleece the individual in time-honored 419er tradition.

I'm not suggesting, by the way, that the text is original. It's lifted from several sources, however, indicating a degree of sophistication on the part of the scammer. Some is from the Tony Semple Foundation for Hope, some from the Wilderness Outdoor Leadership Foundation. (This explains the apparent non-sequitur from the first paragraph to the second.) The scam has used different names for its foundation, each a variation on the organizations whose words it has stolen: for example, the Foundation of Hope and the OutdoorFun Foundation UK. It seems to have been running about a month.


May 05, 2007

The Source of the Malware Scourge

Despite appearances, the U.S. is still the most popular place for the bad guys to place their malware code.

StopBadware.org has listed those Internet Service Providers that wittingly or unwittingly host “badware” — an umbrella term for any kind of software that insidiously installs itself on your computer. What’s interesting is that while there is one Chinese company on the list, by far the biggest culprit is iPowerWeb Inc, based in Phoenix, Arizona, which has more than 10,000 infected sites on its servers. (By comparison, the next biggest culprit has a quarter of that.)

Badware is usually installed on a site without the owner’s knowledge, either by exploiting holes in the software that delivers content to the site, or by breaking into the site by guessing the owner’s password or making use of a hole in the server software. Victims unwittingly pick up the badware either by visiting the website in question or by being directed there from other websites which have been infected. Here’s a case of a fake MySpace page which lures victims to an iPowerWeb-hosted site where users give up their MySpace password. Interesting detail on how these work is here.

iPowerWeb appears to have a long history of attracting accusations that it doesn’t take this kind of thing seriously. Examples are here, here and here (from two years ago). So far there’s no press statement from iPowerWeb on its website; I’ve requested comment.

The sad thing here is that when Google and organisations like StopBadware find these hacked sites, the sites are flagged and removed from Google searches, or else prefaced by a warning page. While this makes sense, it causes mayhem for the owners of these sites, who are either not technically savvy enough to resolve the problem, or find themselves in limbo waiting for their site to come off the list after they’ve cleaned it up. A recent discussion of the problem on the stopbadware Google Group is here. (StopBadware says it will respond to appeals within 10 days, and says the time is typically closer to two.)

One can only imagine the scale of the mess caused by all this. Hosting companies need to be smarter about monitoring this problem, or they’ll face declining custom or lawsuits.

November 29, 2006

Loose Bits, Nov 28 2006

From my PR intray, some surprisingly interesting little odds and ends:

LocalCooling is a 100% Free power management tool from Uniblue Labs that allows users to optimize their energy savings in minutes and as a result reduce Greenhouse Gas emissions. The software "automatically optimizes your PC's power consumption by using a more effective power save mode. You will be able to see your savings in real-time translated to more environmental terms such as how many trees and gallons of oil you have saved."

Electronic Arts Inc. today announced SimCity for mobile, which "lets mobile phone users create and manage the growth of a living city in the palm of their hands. Originally created by Will Wright, SimCity is now available on major U.S. carriers." Not sure how this works, as there's nothing yet on EA's site. It does sound a bit like milking a cash cow or is it flogging a dead horse?

CyberDefenderFREE is "a full internet security suite that can operate standalone, or complement existing security software to add an existing layer of early-alert security to the desktop." As far as I can work out, this is a competitor to Windows Defender although it seems to include a collaborative element, where users report either manually or automatically dodgy software and sites they've come across. I think.

November 22, 2006

The Anti-Phishing Gimmick

The boffins have spoken, and they've spoken right: Don't use anti phishing toolbars, or at least don't rely on them. (Anti phishing toolbars sit in your browser and supposedly warn you if you've been directed to a website that's about to plunder your bank account, or at least steal your passwords.) I've been saying the same thing for a year or so, but I'm not a boffin, so it's better to listen to them.

According to VNUnet, a team from Carnegie Mellon compared 10 anti-phishing toolbars and found that they missed anywhere up to more than half of the phishing sites. D'oh.

"Overall we found that the anti-phishing toolbars that were examined in this study left a lot to be desired," wrote the researchers.

This is not the first test of such toolbars. One by 3Sharp commissioned by Microsoft concluded in September that, er, Microsoft's antiphishing toolbar in Internet Explorer was best. Mozilla released one concluding that, er, Mozilla's own Firefox 2.0 browser was better than IE. But all the possible bias aside, the figures are still sobering: Firefox blocked around 80%, IE 66% in the Mozilla study; IE blocked about 83% in the 3Sharp study. That's still a lot slipping through.

I have no idea why these toolbars are so popular. My more modest tests more than a year ago showed that most of them were poor and I concluded that

unless such tools offer really good protection against the inventiveness of phishers, they merely lull users into a false sense of security. If you want to fight the phishers, you’ve got to be smarter than this.

Yes, it's pompous of me to quote myself but there you go.

Actually what amazes me from the report (PDF file) is how many toolbars there are out there. They counted 84 on one website alone. Why so much effort? Well, the losses are big from phishing -- billions of dollars, according to the researchers. But I can't help feeling that a lot of the effort here is less altruistic and more about branding, or simply just a way to get a bit of the user's screen real estate. Nearly every toolbar pictured in the report carries a big logo of the provider of the toolbar -- who wouldn't want their brand plastered over a browser?

But unless the toolbar actually saves the user in 95% or more of cases, these things are useless, and actually counterproductive. I strongly disagree (I love strongly disagreeing, and don't do it enough) with the notion that "some protection is better than nothing at all", as argued by the 3Sharp guys. This assumes the user is an idiot, and can't learn to be suspicious and follow certain basic rules (Don't click on a link in any email or chat message that doesn't ring quite true, including one that doesn't address you by name. Call your bank if you get an email from them that contains a link).

Some things the user just has to wise up to. We don't provide security officers to accompany each shopper around a pickpocket-prone mall, so just like at the mall, online we have to just get smarter and look out for ourselves. Users should not be fooled into thinking these toolbars are in most cases anything other than a gimmick, however good the intentions of their authors.


April 26, 2006

Press 4 To Give Us All Your Money

I guess it had to happen: phishers are not only trying to snag you by setting up fake banking websites, now they’re trying to snag you by setting up fake switchboards too.

Tim McElligott writes in Telephony Online that scammers “posing as a financial institution and using a VoIP phone number e-mailed people asking them to dial the number and enter the personal information needed to gain access to their finances.” Simply put, the phishers in this case aren’t directing you to a fake website where you enter your password and other data sufficient for them to empty your account; they’re directing you to an automated phone service, where you’d give the same details.

The information comes from Cloudmark (“the proven leader in messaging security solutions for service providers, enterprises and consumers”), which claims in a press release that it has seen two separate such attacks this week:

In these attacks, the target receives an email, ostensibly from their bank, telling them there is an issue with their account and to dial a number to resolve the problem. Callers are then connected over VoIP to a PBX (private branch exchange) running an IVR [an automated voice menu] system that sounds exactly like their own bank's phone tree, directing them to specific extensions. In a VoIP phishing attack, the phone system identifies itself to the target as the financial institution and prompts them to enter account number and PIN.

As Telephony Online points out, setting up this kind of phone network is easy. “Acquiring a VoIP phone number is about as hard as acquiring an IP address or a domain name,” it quotes Adam O'Donnell, senior research scientist at Cloudmark, as saying. “Phishers figured out how to quickly and fraudulently get that information a long time ago.” An old PC with a voice modem card and a little PBX software, and you’ve got a company phone tree which can sound exactly like your bank, O’Donnell says.

This all makes sense. Indeed, we should have seen it coming. It’ll be interesting to see how banks cope with this. Until now their advice has been that if in doubt, a customer should phone them. That is no longer as watertight an option, at least not when the number to call is the one supplied in the email itself. They could tell customers never to respond to any email they receive, but that’s not practical either. Banks and other financial institutions need to communicate with customers.

One solution to this is the signature: Postbank last month launched a service where all its emails to customers come with an electronic signature. The only problem with this is that most email clients don’t support the service — only Microsoft Outlook. This is a bit like giving customers a lock that only works on certain kinds of door.

Perhaps banks are just going to have to pick up the phone. If customers are now under threat from automated phone trees maybe the solution is not more technology, but less? A cost the phishers are unlikely to be able to bear would be an actual voice on the other end of the line that sounded familiar and authentic. The only question then would be for the customer to establish the authenticity of the banking assistant.

April 04, 2006

Getting Into the Rhythm of Online Passwords

I started writing about phishing a long time ago, it seems now. It must be at least two years, I think, maybe more. Then it seemed a very obscure activity, and I can recall one editor being less than impressed with the whole issue. Now it’s bigger than even I thought it might be. [Insert some statistic here to illustrate size of problem, usually cobbled together by someone hoping to make money out of scaring people.] But it remains scary, because phishers are getting better. Don’t be taken in by the rather pathetic attempts that sometimes land in your inbox. Phishing — the art of relieving you of the contents of your bank account/online auction account etc — is going to remain with us, and get more sophisticated.

So “solutions” are always interesting. And here’s another one, which reveals imagination on the part of the folk developing it, and, I suspect, how convoluted and advanced the war is going to become. BioPassword, a Seattle-based company, yesterday introduced what it’s calling “the industry’s first multifactor authentication software solution that authenticates users and reduces fraud over the Internet.” In English, this program allows companies to figure out, based on two different methods, whether it’s you signing into your account with them, or someone else. What’s interesting about it is that the second method uses the way you type: Are you a pecker, a touch-typist, or what?

BioPassword are calling themselves the “first” because other methods use as their second authentication factor something that’s not actually software driven — something you know (your mother’s maiden name), something you are (a biometric) or something you have (e.g. a smart card). None of these are cheap, and once the bad guy knows it (your mom’s maiden name), or has it (a copy of your thumbprint, a smart card), he’s in for keeps. They’re also claiming their solution is cheaper than all these, because it’s built into the software. Another advantage, they say, is that it doesn’t require the user to do anything extra, other than typing in their name and password. Which presumably they’re doing anyway, unless they’re using some password storing software, or speak to their computer using voice recognition technology.

So how does this work? Well, as far as I can figure out, a pop-up window appears when you log in. You’d probably be asked to type something a few times — or, possibly, not be informed at all about what is going on, to preserve the “naturalness” of your typing, since most of us type differently when we’re being, or feel we’re being, watched. The software monitors your typing rhythm over time, refining its profile as it goes. What is being typed is not stored, so there’s nothing for a sophisticated phisher to capture in the authentication software itself, only the rhythm and pattern of the way you type.

On his blog BioPassword CEO Mark Upson says the company has been trundling around the press and analyst offices. He rightly identifies the frustration users have with tokens — those little bits of plastic that spew out supposedly random numbers which act as an extra authentication for most banks and company networks. Reckons Upson: “The more token users I talk to, the more I see how frustrated they are having to deal with a piece of hardware they lose, break, and have to travel with at all times. We will get a great uptake on using our technology in lieu of the token or worst case as a backup when the token is not available for whatever reason.” (That’s not the only problem: phishers have now found a way to capture the numbers from these tokens as the user enters them, using remotely installed software. The software then throws up an error message to the user, while the bad guy quickly enters the digits himself. Expect the makers of these tokens to increase the rate at which the number changes, though note that a faster-changing number does nothing against this particular trick, since the code is relayed while it is still valid.)

He also rightly pooh-poohs the fingerprint scanner you can find on some ThinkPads and other laptops as a novelty, since banks don’t use them, and with good reason: “The problem is once someone has my electronic fingerprint, I’m hosed as it can be used over and over again.”

Then there’s the “profiling” approach: watching your customer’s behavior — we’re talking about when they log into their account, what they do when they’re there, etc — which he also rightly suggests is going to throw up a lot of false alarms (unless you’re a real creature of habit, you probably don’t log on at the same time or do the same things when you do log on. Maybe you do. I’m assuming here.)

I haven’t tried the BioPassword thing, but my instincts tell me it’s not a bad idea. I can think of at least one chink, though: If the bad guy has installed a keystroke monitor, it shouldn’t take too much effort to tweak such software to capture the same data as that being monitored by BioPassword — the speed and rhythm of the user’s typing. In the end it’s just another kind of data that makes up identity theft, and a bad guy could, I suspect, easily grab that data and then either mimic the user’s typing pattern, or automate the entry of username and password to mimic the user’s pattern. There are probably other problems, but it’s too early in the morning for me to think of them.
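As an added example, not BioPassword's code or anything from the original post, here is a minimal keystroke-dynamics check in Python of the kind such systems generally build on: it measures how long each key is held (dwell) and the gap between keys (flight), enrols a profile from a few typings, and scores later attempts by their distance from that profile. It also shows the chink described above: a genuine typing passes, an attacker typing the same password at a different rhythm fails, and a replay of the captured genuine timings passes exactly as the original did. All timings, the jitter floor and the acceptance threshold are constructed assumptions.

```python
from statistics import mean, pstdev

MIN_STD_MS = 5.0   # assumed floor so a feature with tiny enrolment variance is not over-weighted
THRESHOLD = 2.0    # assumed cut-off: mean absolute z-score above this rejects the login


def events_from_timings(keys, dwells, flights):
    """Build (key, key_down_ms, key_up_ms) events from hold times and inter-key gaps."""
    events, t = [], 0
    for i, key in enumerate(keys):
        down, up = t, t + dwells[i]
        events.append((key, down, up))
        if i < len(flights):
            t = up + flights[i]
    return events


def features(events):
    """Dwell time of each key, followed by flight time between consecutive keys."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def enroll(samples):
    """Per-feature (mean, std) profile from several typings of the same string."""
    vectors = [features(s) for s in samples]
    return [(mean(col), max(pstdev(col), MIN_STD_MS)) for col in zip(*vectors)]


def score(profile, events):
    """Mean absolute z-score of an attempt against the profile (lower is closer)."""
    vector = features(events)
    if len(vector) != len(profile):
        return float("inf")
    return mean(abs(x - m) / s for x, (m, s) in zip(vector, profile))


def verify(profile, events, threshold=THRESHOLD):
    return score(profile, events) <= threshold


PASSWORD = "hunter2"  # constructed; only the rhythm is checked here, never the text
# Constructed enrolment timings (ms) for one user: three typings, a few ms of jitter each.
ENROLMENT = [
    events_from_timings(PASSWORD, [90, 85, 95, 80, 100, 88, 92], [120, 140, 110, 160, 130, 125]),
    events_from_timings(PASSWORD, [94, 81, 99, 84, 96, 92, 88], [126, 134, 116, 154, 136, 119]),
    events_from_timings(PASSWORD, [86, 89, 91, 76, 104, 84, 96], [114, 146, 104, 166, 124, 131]),
]
GENUINE = events_from_timings(PASSWORD, [93, 83, 99, 81, 97, 90, 88], [125, 136, 113, 154, 132, 129])
# Constructed attacker typing the stolen password at a very different rhythm.
IMPOSTER = events_from_timings(PASSWORD, [140, 130, 150, 125, 160, 135, 145], [250, 300, 240, 330, 280, 260])


def demo():
    profile = enroll(ENROLMENT)
    # A keylogger that records key-down/key-up timestamps captures exactly these
    # events, so replaying the captured login scores the same as the original.
    replayed = list(GENUINE)
    return {
        "genuine": verify(profile, GENUINE),
        "imposter": verify(profile, IMPOSTER),
        "replay": verify(profile, replayed),
        "genuine_score": score(profile, GENUINE),
        "imposter_score": score(profile, IMPOSTER),
    }


if __name__ == "__main__":
    print(demo())
```

The replay case is the whole point: the rhythm profile is just thirteen numbers derived from timestamps, and a keylogger that already records what you type can record when you typed it at no extra cost.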

Bottom line: solutions like this are good, but they’re not really solutions. A solution implies an end to the problem. There’s no end to the problem of phishing. Where there’s people and money together on the Internet, there will always be a problem. BioPassword raises the stakes, but at best it will represent a challenge to the phishers and shut out the kiddies. But an end to the problem? Don’t bank on it.

March 01, 2006

Dog Loving Phishers Learn from Nigerian Scammers

It's interesting, if you like this kind of thing, to see how online scams learn from each other. Until recently I thought of the Nigeria 419 scam -- where you're contacted by some grieving African widow, burdened with millions that she wants to share with you, if only you'll let her park it in your bank account for a while -- and the whole phishing industry -- where folk lure you into giving up access to your bank account by tricking you to fake websites, or installing little programs on your PC to capture your passwords -- as two separate businesses, separate worlds.

One worked mainly out of Africa, the other out of Eastern Europe. One had a long tradition -- the Nigerian scam letters date back to the 1970s in hardcopy form, while phishing really only started as a transnational scam in 2003. One used pure social engineering techniques to fool you -- we're in trouble, we need your help -- while the other relied more on clever technology -- a credible website, a credible looking email from your bank.

Now the two are overlapping. Perhaps it's been happening for a while, and I've only just spotted it. But this morning I received an email that I thought initially was Nigeria 419. But on closer inspection it's not: Dear !, it begins. Nigerian 419ers would never be that sloppy. They would always call me "Dear Friend" or "Fellow worshipper", or "Fabulously good-looking sir". I like it when people call me that. Not "!".

Shrugging off the poor start, the email gets down to business: Our noncommercial enterprise has been engaging in organization and maintenance of shelters for stray dogs and cats for more than 12 years in one of the countries of the former Soviet Union. For the time weve constructed 18 shelters which maintenance, as you see, costs much. It's not the money, though, that's the problem. It's barbarous taxation which size makes up 48 % of the transferred sum that donors make. It is quite clear that suffering animals reach a mere trifle of these donations. And it besides that our cities are full of the sick and hungry animals eating garbage on cesspits that our legislators do not care a fig. Nasty, nasty legislators. (The "care a fig" touch is nice, quite reminiscent of the Nigeria 419 literary style.)

Anyway, we're talking dog shelters here, not millions of dollars of salted away corrupt African wealth. So already I'm thinking this is not your ordinary scam. It would, after all, be a push to then suggest I stash millions of dollars of pooch support into my account. And indeed, that's not what I'm being asked to do: Therefore we have come to a decision to engage people who could fulfill not complicated work of short duration as our financial agents. Our sponsors could transfer means for us to your bank account and you, in your turn, could send the means to our agents addresses to Russia. The mediation doesnt require any investments on your part. Moreover we are ready to pay to you for this work not less than 8 % of the sum sent by you and, naturally, to cover all your expenses bound up with sending the money to our address.

Ah. To me it's clear that what they're looking for are mules. These are folk in other countries who can transfer, and launder, cash illicitly gained from phishing and other bank scams. Usually this is because when a scammer successfully drains an account he cannot easily transfer that money directly overseas because of restrictions on moving money from the account. So he hires locals -- most of whom don't really know where the money comes from or is going to -- who transfer the money on his behalf. Nice little earner until the cops come calling.

Here's how our canine sheltering friends put it: Our requirements are simple: you should be over 20 year of age and you should love animals very much. Thus we can avoid the barbarous taxation of our country and above all help poor animals. If you are ready to work together with us and have some spare time fill in the resume stated below. If you satisfy our conditions we send you our employment agreement with gratitude and explain all circumstances of your future work with us in details. There then follows a form, and the email is signed, Novikova Olga, Noncommercial Enterprise "Harmony".

There you have it. Who is going to fall for this kind of scam? Probably more than you think. Who doesn't love dogs? And who doesn't want to make 8% commission on sitting on a pile of cash? Bottom line: Phishers are clearly attending seminars given by Nigerian scammers.


February 23, 2006

The Gates Are Open, Phishers Welcome

I'm probably naive, but I'm gobsmacked that, nearly 24 hours later, a phishing website is still active despite my alerting the registrar and host of the domain in question. The only access was via a form so I'm not able to record my email to them but it was shortly after I posted the comment above.

I've not been able to contact the bank in question because there's no media contact that I can find on their website. The scam has been recorded here and the Halifax website seems to be down so perhaps something is happening. But why is the original phishing site still up? And why don't banks have an easy way for members of the public (or journalists, for that matter) to alert them to such scams? Millers Miles, which records phishing attacks, has recorded more than a dozen against the Halifax in the past year. 


February 22, 2006

Phishing and the Peril of Fonts

I’m amazed at how lax domain registrations still are, despite the fact that phishing is now so much a household word that even my mum’s heard of it. But here’s another trick being used to try to dupe those people who still remain gullible: change the “o” in online to “c” because in many email readers it will look more or less the same:

Halifax2

Which it does, actually. Quite a neat trick, if you like that kind of thing. (There really is a Halifax Online, and the website address is exactly the same, minus the o/c thing. Even the homepage is the same Javascript login page as above, and everything looks the same minus a note at the bottom saying the bank never asks for personal details via email.) Clicking on this link will take you to a webpage that, surprise, surprise, looks very much like the UK’s Halifax Building Society:

Halifax3

I haven’t investigated it further, but I’m assuming the data entered quickly finds its way into the pockets of scumbags, and there’s probably some other nice bits and bobs being loaded onto one’s computer as it happens. The site is still live as of writing, with the address in the first screenshot above.

What amazes me is that the registrar won’t bat an eyelid at what is obviously a very dodgy domain name — Halifax being quite a well-known brand in the UK — and, indeed, even accepts the registration as a “private” one, and therefore allows the person registering the domain to not submit any address or phone number:

The registrant is a non-trading individual who has opted to have their address omitted from the WHOIS service.

The registrar in this case is PIPEX Communications Hosting Ltd, also known as 123-Reg.co.uk, whom I’ve asked to comment on this. Halifax is also being told about it, just in case they don’t know.
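The o/c substitution above is the kind of thing a bank or registrar could catch mechanically if anyone were looking. As an added example that is not from the original post, here is a Python check that flags names one confusable-character swap away from a protected domain, or that merely embed the brand name; the brand domain, the confusable table and the sample registration feed are all constructed.

```python
# Added example, not code from the original post: a defender-side check that
# flags domain names one confusable-character swap away from a protected brand
# domain (the "o" -> "c" trick described above), plus domains that merely embed
# the brand name. All domain names below are constructed samples.
from typing import Dict, List, Optional

# Character pairs that render alike in common fonts and mail clients.
# Constructed, not exhaustive; each pair is checked in both directions.
CONFUSABLE_PAIRS = [("o", "c"), ("o", "0"), ("l", "1"), ("l", "i"),
                    ("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalise(host: str) -> str:
    """Lower-case, strip a leading 'www.' and any trailing dot."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def single_swap_variants(name: str) -> Dict[str, str]:
    """Every string reachable from `name` by one confusable substitution,
    mapped to a description of the swap that produced it."""
    variants: Dict[str, str] = {}
    for a, b in CONFUSABLE_PAIRS:
        for src, dst in ((a, b), (b, a)):
            start = 0
            while (i := name.find(src, start)) != -1:
                variant = name[:i] + dst + name[i + len(src):]
                if variant != name:
                    variants.setdefault(variant, f"'{src}' -> '{dst}' at offset {i}")
                start = i + 1
    return variants


def classify(candidate: str, brand_domain: str, brand_word: str) -> Optional[str]:
    """Return a reason string if `candidate` looks like an impersonation of
    the brand, or None if it is the genuine domain or unrelated."""
    cand, brand = normalise(candidate), normalise(brand_domain)
    if cand == brand:
        return None
    swaps = single_swap_variants(brand)
    if cand in swaps:
        return f"confusable swap of {brand}: {swaps[cand]}"
    # Same leftmost label, different registry/TLD (e.g. .com instead of .co.uk).
    if cand.split(".")[0] == brand.split(".")[0]:
        return f"brand label {brand.split('.')[0]} under a different TLD"
    if brand_word.lower() in cand:
        return f"embeds brand word '{brand_word}'"
    return None


def scan(candidates: List[str], brand_domain: str, brand_word: str) -> Dict[str, str]:
    """Map each suspicious candidate to its reason; clean ones are omitted."""
    findings: Dict[str, str] = {}
    for c in candidates:
        reason = classify(c, brand_domain, brand_word)
        if reason:
            findings[c] = reason
    return findings


if __name__ == "__main__":
    BRAND = "examplebank-online.co.uk"      # constructed stand-in for a bank's site
    SAMPLE = [                              # constructed registration feed
        "www.examplebank-online.co.uk",     # genuine
        "examplebank-cnline.co.uk",         # the o -> c trick
        "examp1ebank-online.co.uk",         # l -> 1
        "examplebank-online.com",           # other TLD
        "secure-examplebank-login.net",     # brand word embedded
        "weather-report.example",           # unrelated
    ]
    for host, why in scan(SAMPLE, BRAND, "examplebank").items():
        print(f"{host:35} {why}")
```

The same table can be run the other way, generating the variants of a brand domain so they can be registered defensively or watched in WHOIS feeds.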

February 15, 2006

Microsoft's Spyware Gate

Microsoft have launched a new version of their Antispyware application, now rebuilt and renamed Windows Defender. Initial reports are favorable, including Paul Thurrott, who is good on these kinds of things:

Windows Defender Beta 2 combines the best-of-breed spyware detection and removal functionality from the old Giant Antispyware product and turns it into a stellar application that all Windows users should immediately download and install. Lightweight, effective, and unobtrusive, Windows Defender is anti-spyware done right, and I still consider this to be the best anti-spyware solution on the market. Highly recommended.

Expect this program to become part of the next Windows operating system, meaning that spyware is going to be kept out of most computers by default. This is a good thing. What is less good is that it lets Microsoft decide what is and what isn’t spyware, giving them one more gate to control. Also, spare a thought for all the companies that have been selling antispyware software for the past few years; I can’t see many of them surviving past Windows Vista.

February 07, 2006

Keeping the Keyloggers out of the Basement

Here’s a product about to be announced that claims to really protect users against keylogging — when bad guys capture the keystrokes you make and then transmit it back to base: StrikeForce’s WebSecure (PDF file):

The basic idea, StrikeForce’s PR guy Adam Parken tells me, is that “keystrokes are encrypted at the hardware driver and delivered directly to the browser.” This, he says, “gets around the OS, messaging service, etc. where keyloggers normally hide.” It looks a bit like this (from a WebSecure presentation):

Websec

If that makes any sense. The grey boxes are the bits in between the keyboard and the network, and they’re all places that keyloggers hide. Anti-keylogging programs, as I understand them, are usually merely programs that try to guess what’s going on, and, if they see something sleazy, warn the user. Usually this is based on prior knowledge, or a library, of known keyloggers or known keylogging tricks.

WebSecure, instead, according to the press release, “automatically encrypts every keystroke at the keyboard level, then reroutes those encrypted keystrokes directly to the Web browser, bypassing the multiple communication areas that are vulnerable to keylogging attacks.”

WebSecure is going to be demoed at DEMO here sometime in the next 24 hours or so. If they do the job seamlessly and as promised, WebSecure could be quite a useful tool for companies and end users. But it’s an area long tackled and never conquered by security software developers, so I’m not holding my breath.

January 26, 2006

Verifying the Verifiers

It’s easy to forget in these days of sophisticated scams that still the easiest way to get your personal data is by asking you for it. I just got a call this morning from a guy who claimed to be from my bank’s verification department. Without further ado he asked me to confirm my name and other details, and declined to give me a telephone number I could call to confirm his identity. He seemed somewhat upset that I wouldn’t even confirm that I was me, if you know what I mean.

Eventually I reached someone who said they would check it out and call me back. Then I had to remind them to give me a name or something so I knew it was them calling and not some other scammer. I could see us getting caught in a cycle of confused identity:

– Hi. Is this Wagstaff Jeremy? (for some reason that’s what my bank calls me. I must have filled out a form wrongly somewhere down the track)
– Who is this?
– We’re calling from the verification division of your bank. We want to verify your details.
– How do I know you’re the Verification Division? How can I verify that?
– You can’t. Not until we verify that you’re Wagstaff Jeremy.
– I’m not going to tell you something like that!
– Oh. A moment’s silence.
– Are you the people I called to verify that it was the Verification Division?
– You mean the Verification of Verifications Division?
– That’s what you call it?
– Yes.
– Geez. Yes, I guess so.
– We can’t verify that until we verify you.
– Ah. Long silence ensues.
– How about I call you back?
– We can’t give out our telephone number. It’s confidential.
– Well, so is mine.
– No, it’s not. We have it.
– So you don’t need to verify it.
– Er… Pause. Sound of head being slapped. Yes, we do, because we still don’t know whether you’re Wagstaff Jeremy or not.
– True. Do a lot of your calls to people end up like this?
– Yes. You wouldn’t believe how suspicious people can be. It’s shocking.
– I can imagine. What’s your name?
– I can’t tell you that. But you can call me Bob.
– OK, Bob. Bye.

Admittedly this was an Indonesian bank; perhaps it wouldn’t happen if it was one of the big ones. But somehow I doubt it, whether in banks or elsewhere. Social engineering is still the easiest way to extract information. It’s not natural for people answering a phone to be suspicious when people start asking questions — most of us want to be helpful, especially if it may fix a problem with our bank account.

Banks: don’t encourage customers to be cavalier with their own personal information. Never call them up without giving them an easy way, via a switchboard and code, to confirm it’s an employee and not a scumbag they’re talking to.

December 14, 2005

The First U.S.-China Cyberwar?

There’s growing coverage of China’s Internet ‘cyberwar’ against the U.S., which seems to have been going on for more than two years with neither side wanting to go public. The U.S. is calling the attack Titan Rain, and as Bruce Schneier points out, the attackers are very well organized. This from AFP:

A systematic effort by hackers to penetrate US government and industry computer networks stems most likely from the Chinese military, the head of a leading security institute said. The attacks have been traced to the Chinese province of Guangdong, and the techniques used make it appear unlikely to come from any other source than the military, said Alan Paller, the director of the SANS Institute, an education and research organization focusing on cybersecurity. "These attacks come from someone with intense discipline. No other organization could do this if they were not a military organization," Paller said in a conference call to announce a new cybersecurity education program. In the attacks, Paller said, the perpetrators "were in and out with no keystroke errors and left no fingerprints, and created a backdoor in less than 30 minutes. How can this be done by anyone other than a military organization?"

So what are they after? Paller says they’re after sensitive information, and may have gotten it, including military flight planning software from its Redstone Arsenal. Here’s a bit more detail about how these guys work, from a TIME story quoting Shawn Carpenter, the hacker who uncovered the attacks:

Carpenter had never seen hackers work so quickly, with such a sense of purpose. They would commandeer a hidden section of a hard drive, zip up as many files as possible and immediately transmit the data to way stations in South Korea, Hong Kong or Taiwan before sending them to mainland China. They always made a silent escape, wiping their electronic fingerprints clean and leaving behind an almost undetectable beacon allowing them to re-enter the machine at will. An entire attack took 10 to 30 minutes.

More on Carpenter in a Wikipedia entry here, and on his whistleblowing experience here. There’s an interesting piece by SearchSecurity’s Bill Brenner which looks at an August report by LURHQ dissecting the Myfip worm which appears to have been used by Chinese hackers to ferret around and grab PDF files. The worm has been around since August 2004. Later variants looked for Word documents, AutoCAD drawings, templates, Microsoft Database files, etc:

[Joe] Stewart [senior security researcher with Chicago-based security management firm LURHQ Corp] said his team was easily able to trace the source of Myfip and its variants. "They barely make any effort to cover their tracks," he said. And in each case, the road leads back to China. Every IP address involved in the scheme, from the originating SMTP hosts to the "document collector" hosts, is based there, mostly in the Tianjin province.

China, according to AFP, yesterday denied its military was involved in hacking:

"We have clear stipulations against hacking. No one can use the internet to engage in illegal activities," foreign ministry spokesman Qin Gang told a regular briefing on Tuesday. "The Chinese police will deal with hacking and other activities disturbing social order in accordance with law."

Doesn’t make a lot of sense as a denial. Is he saying no one is doing it? Or no one official? Or that it’s going on and the police will deal with it? Not the first time a Chinese spokesman has uttered something meaningless. But I guess so long as the U.S. doesn’t make any official, public complaint this guerrilla war will remain unacknowledged by both sides. I guess the obvious lesson here is that security is not just against sleazeballs after your money, but after your PDF files too. And don’t think that because you’re not military you’re not affected. If you’re any kind of company you might have something that is valuable in the corporate and government espionage world.

December 07, 2005

The Phisher King is Back

I’m glad to report Australian phisher king Daniel McNamara has revived his Code Phish website which dissects phishing attacks and associated scams. He’s just taken a close peek at one ‘mule ad’ (as I call them) or job scam as he calls them: DHL Mail Job Scam.  These are efforts by the phishers to repatriate their illicit earnings by hiring unsuspecting individuals to let the stolen funds pass through their accounts. It seems that Eastern Europe is still the main source of such scams:

What's really interesting however is where this scam is located. It's sitting on the same hoster as the Ukrainian National Animal Welfare Foundation Job Scam and the GlobalFinances Job Scam. This would indicate they are most likely all being run by the same gang. The hoster is probably unaware of these sites' scam status but we have seen them used numerous times over the last year to host scam sites, which would indicate they most likely offer some sort of "get hosting working in minutes!" automatic setup for payments by credit cards, and if it's one thing phishers have steady access to, it's stolen credit card details.

Welcome back, Daniel.

November 30, 2005

Zone Labs to Offer Sygate, Kerio Users a Deal

From a press release emailed to me by Zone Labs, makers of Zone Alarm:

The personal firewall market is currently undergoing a major shift, with Symantec set to retire the Sygate line of personal firewalls tomorrow (including the free version and Sygate Pro), and Kerio discontinuing its personal firewall at the end of December to pursue an enterprise strategy. […] In order to help consumers affected by recent events, Zone Labs will be announcing a new promotion to Sygate and Kerio users later this week to ensure that consumers have essential firewall protection available at an affordable price.

Not clear what kind of offer yet, but I’ll let you know.


October 07, 2005

Bruce on Phishing: It's the Banks, Stupid

Bruce Schneier again talks sense, this time about phishing: Schneier on Security: Phishing

Financial companies have until now avoided taking on phishers in a serious way, because it's cheaper and simpler to pay the costs of fraud. That's unacceptable, however, because consumers who fall prey to these scams pay a price that goes beyond financial losses, in inconvenience, stress and, in some cases, blots on their credit reports that are hard to eradicate. As a result, lawmakers need to do more than create new punishments for wrongdoers -- they need to create tough new incentives that will effectively force financial companies to change the status quo and improve the way they protect their customers' assets.

(Here’s the full column at Wired, and here’s a discussion on Slashdot.)

Regular readers of this column will know this is similar to what I’ve been harping on about for a while although this is much better written and argued than anything I’ve said. Banks have got to accept responsibility for the problem, and devise solutions. To be fair, some are: My bank has finally gotten around to issuing SecurID-type number pads, and secondary authorisation for online credit card transactions.

September 28, 2005

What's Safe?

Another example of why you can’t really trust software to tell you whether a website is dangerous or not. The Register reports on trusted search software labelling a fraud site as 'safe':

Digital certificate firm GeoTrust's launch of a search engine with built in trust features this week has been marred by the classification of a phishing site as genuine. Powered by Ask Jeeves, GeoTrust TrustWatch search aims to protect users against fraudulent behaviour and phishing attacks by giving web sites a verification rating. It's a laudable aim, but the classification of a recently created phishing site as "verified as safe" raises serious doubts about the effectiveness of the technology. Such incorrect classifications create a false sense of security that can only play into the hands of would-be fraudsters.

As I’ve explained elsewhere, it’s more dangerous to offer a service that claims to warn you about phishing–related and other dodgy websites if you can’t guarantee 100% success, as it merely lulls a user into a false sense of security. Another reason why these things won’t work is the false positive, which EarthLink found to its (temporary) cost.


September 23, 2005

The Demise of the Anti-phishing Toolbar?

Must confess I missed this when it first kicked in, but could it be the nail in the ‘anti-phishing toolbar’ coffin? EarthLink lands a win, according to ZDNet, after being sued by a bank incorrectly flagged as a phishing website:

EarthLink had warned its customers who installed a free "ScamBlocker" toolbar--and visited AssociatedBank.com--that the Web site was "potentially fraudulent" and said that they should "not continue to this potentially risky site."

The warning was wrong. Associated Bank, headquartered in Green Bay, Wis., with more than 300 locations in the Midwest, operated a legitimate Web site.

EarthLink got off the hook because they bought their list of dodgy websites from a third party. But who? The articles I’ve read don’t mention who it was. And how could the third party have judged a bank to be a phishing website?

I’ve not been a fan of most of these toolbars because I don’t think they do a good job of warning the user of dodgy websites, as my tests a few months back indicated. But to be honest it didn’t occur to me that these toolbars would create false positives. Bizarre.

August 12, 2005

Dogbert Goes Phishing

It’s not on his homepage yet, but check out Friday’s Dilbert strip: it’s about phishing and does more than 1,000 bank warning notices could do to show how it works and why folk are dumb to be taken in by it.

An email lands on The Pointy Haired One’s screen, Dear Customer, This is your bank. We forgot your social security number and password. Why don’t you send them to us and we can protect your money. Sincerely, I.B. Banker.

‘Looks legit,’ the Pointy Haired One thinks to himself.

(It’s up now: here’s the link.)

August 11, 2005

The Real Lesson From CardSystems

The sad truth about the CardSystems debacle is that it wasn’t unusual, at least in the delay and obfuscation over reporting it. An AP report in yesterday’s Houston Chronicle says

Most businesses do not report cyber attacks to law enforcement authorities, fearing the disclosure would harm their image and benefit rivals, FBI Director Robert Mueller said Tuesday.

Mueller's comments were based on an annual survey conducted by the FBI and the private Computer Security Institute that found just 20 percent of businesses reported computer intrusions last year, a figure that has held steady for several years.

The reasons cited most often for keeping the incidents quiet were loss of business to competitors and potential damage to a company's image.

In other words, don’t tell anyone and you’re fine. The old security through secrecy thang. Hopefully CardSystems will make people aware that’s just not going to cut it anymore.