Showing posts with label crimeware. Show all posts

Sunday, March 22, 2009

Symantec Indian Call Center Employee Selling Credit Card Details (Shocking)!

A story of an undercover investigation by the BBC shows how dishonest employees at call centers — who collect plastic payment card details on clients — might be making a little extra pocket change by selling them.

The BBC story focuses on an Indian call center employee for Symantec Security Corporation stealing payment card information. It also focuses on UK customers, which is understandable given it is the BBC, but the reality is that information is stolen and then sold from countries all over the world.

Payment card details are handled by telephone at call centers in a lot of places and the calls come from all over, too. A lot of companies have different tiers (levels of personnel) handling calls, depending on the difficulty or nature of the call. At a lot of major companies, these tiers are located in different centers, which are in different countries. Any call might start in one country and, given the nature of the call, it could be transferred to another center located in another country. Given this, payment card information can be sent and then illicitly recorded over a fairly wide geographical area.

Besides that, dishonest employees are caught on a regular basis in a lot of different places. They don't all necessarily reside in India, and call centers there are not the only place payment card information can be compromised. In fact, payment card information can be compromised anywhere (not just call centers) where it is used at a point of sale.

Information crooks are recruited, and some believe even planted, anywhere financial information can be stolen. Even where they are not, payment card details are bartered in forums on the Internet. It probably wouldn't be very hard to find a place to sell credit/debit card information when all it takes to do it is a click of a mouse.

The BBC story, which aired on video, chronicles an investigative effort by their reporters on the streets of Delhi. The segment shows reporters making contact with an underground broker, who offers them payment card details from "all over the world" for $10-$12 each. It then shows a buy being made and money changing hands.

When the information was checked, it revealed that only one in seven card numbers was actually usable. They were able to trace some of the good numbers to a call center handling Symantec (Norton) products. The story stated that there has only been one successful prosecution in India for this type of crime and that it netted a non-custodial sentence. It also stated that the laws regarding the protection of data are not as stringent as they are in some places. The story mentions that Symantec's official comment was that it was an isolated incident and that the employee was removed.

Since only one in seven card details turned out to be real, I guess we can assume the underground broker wasn't being completely honest. I've also seen reports of credit card details being sold for a lot less, and you don't have to travel to India to find them.

In November, Symantec — the point of compromise in the story — issued a report on the underground economy, which focused on this very subject. "Credit cards are also typically sold in bulk, with lot sizes from as few as 50 credit cards to as many as 2,000. Common bulk amounts and rates observed by Symantec during this reporting period were 50 credit cards for $40 ($0.80 each), 200 credit cards for $150 ($0.75 each), and 2,000 credit cards for $200 ($0.10 each)," according to the report.

If this report is anywhere near accurate and the BBC was buying card details at $10-$12 each — with only one in seven good in the Delhi exchange — the BBC was getting ripped off!

According to the 68-page report by Symantec, these details can be bought anywhere that has an Internet connection. Counterfeit instruments (ready to use) are often sent through the mail, too. The information is sold via IRC (Internet relay chat) channels in forums designed to market stolen financial information. Although credit/debit card details seem to dominate the scene, a lot of other information is sold that can be used to commit financial crimes and identity theft in these forums, too.

If you don't want to believe the Symantec report, the FBI took down one of these forums not very long ago. This forum, known as Dark Market, was responsible for about $70 million in fraud worldwide. My best guess is that the information in the report is pretty accurate.

Although dishonest insiders are the cause of a portion of it, we should remember that hackers breaking into business systems, phishing, malicious software and even the trash can be sources of stolen information. The places targeted for information can be merchants, restaurants, government organizations, charity organizations, universities, medical facilities or anywhere payment card information is used at a point of sale.

Keeping up with all the points of compromise is difficult, but one place that attempts to is the DataLossDB site. Please note that the unknown data breaches are the most lucrative for the criminals behind this activity. Once a breach is discovered, measures are enacted to disable the stolen data.

It can be extremely difficult, if not impossible, to identify the point of compromise in most individual cases. The reason for this is there are too many different places where information might have been stolen from.

Maybe that's the problem: we are storing and transmitting too much information all over the place. Since everyone is making money by transmitting information, I doubt this practice is going to stop anytime soon. As for outsourcing, I doubt this is going to stop in the near term, either. Companies save a lot of payroll by outsourcing jobs. Payroll is a big expense for corporations, and cutting payroll seems to be in vogue these days.

Nothing is going to change until laws are passed that force everyone making money from this information to start doing the right things. This ranges from laws that prohibit people from being irresponsible (my opinion) to laws that punch the criminals stealing the information where it hurts.

Until then, the rest of us will have to batten down the hatches and weather the storm. I highly recommend making sure your information is protected as well as it can be (there are no guarantees) by protecting your own electronic transmissions. Monitoring financial activity — from your financial statements to information on your credit report and the Internet — is a good idea, too. Of course, while doing this, you need to ensure your electronic transmissions are protected by a reliable vendor and that you aren't paying for protection that you could get for free. Sadly enough, everyone claiming they can protect you isn't necessarily being completely honest, either.

Sunday, February 08, 2009

Spammers Love to Hurt Internet Users

Love is a many splendored social engineering tool and spammers are busy sending out a whole lot of their particular brand of love across the electronic universe.

An interesting blog post (Love Hurts) by Kevin Haley at Symantec points out that malicious code writers are busy spreading their work in attachments hidden in the millions of spam messages being spewed out by zombies (compromised computers). If you click on one of these attachments — and your machine isn't bulletproof — it can also become a zombie and be used as part of a botnet to send out more spam. Botnets are groups of compromised computers used to form a supercomputer. Of course, downloading malware can also mean that all your personal and financial information will be stolen, too. Please note (as you will see below) that some forms of malware currently being sent out can do both.

Kevin's blog post came out at almost the same time Symantec issued its monthly Spam Landscape Report. With Valentine's Day coming up, love is a predictable lure, and it's probably a good idea to make sure you know who loves you before clicking on any links in an e-mail.

Another predictable finding in the report is that spam levels are continuing to rise back to normal levels after they fell when McColo was shut down. McColo (a Web hosting provider) was shut down in November after it was discovered it was the source of a large number of botnets, which are used to send out spam. Last month, 79 percent of all e-mail was spam. The report also notes that the point of origin for spam is shifting a little. Although the United States is still number one, the number of active zombies in other countries is rising. While some of this is being attributed to McColo, the report points out that it might also reflect the increasing number of users accessing the Internet in some of these countries.

From a spam-commerce point of view, the report indicates weight loss products, counterfeit drugs, cheap watches and porn top the list of items available at super-cheap prices as Valentine's Day approaches.

Besides Valentine's Day, President Obama also continues to be used as a spam lure, according to the report. A lot of this spam contains malware with file names such as usa.exe, obamanew.exe, statement.exe, barackblog.exe and barackspeech.exe. The malware being spread in these spam e-mails is called W32.Waledac, which is capable of both stealing sensitive personal and financial information and turning a machine into a zombie. It also establishes a backdoor on the machine so it can be remotely accessed.

Current events (and holidays) have been and probably will continue to be used as social engineering lures to snare the unwary.

Also noted was a rise in Russian spam hawking goods and services. With cheap long distance services using VoIP, the Russians have actually set up telephone numbers for their intended victims to call. My guess is that they will entice someone to send money, which can't be recovered when the person sending it discovers they've been scammed.

Chinese gambling spam is also mentioned as a new phenomenon in the report. It appears to be patterned after English language gambling spam, but is written in Chinese.

Last, but not least, Nigerian spam is mentioned. Nigerian or 419 spam is named after the section of the Nigerian penal code dealing with fraud. It normally is a come-on for lost riches or winning a lottery and has a lot of spelling and grammatical errors. Typically known as advance fee fraud, the victim is enticed into sending money across a border (wire transfer is preferred) to secure their fortune. Of course, in the end the victim never receives anything and is often left in financial ruin.

There are many twists to advance fee fraud, and one of them is to send a bogus financial instrument to a person with instructions to cash it. If the person doesn't get arrested for presenting it, they are instructed to send the money back to the scammer. Of course, the cashing institution eventually figures out the instrument is bogus and the victim is held liable for it.

A lot of people think that advance fee fraud all comes from Nigeria, which isn't true. I've personally traced it to a lot of other places and called some of the telephone numbers. The person answering didn't sound Nigerian, and I've spoken to a few people from Nigeria in my time. Naturally, this doesn't mean that scam activity is not coming from Nigeria, only that not all of it does.

Pam Dixon, of the World Privacy Forum, went on record recently that the spelling and grammatical errors aren't being seen as much in advance fee lures anymore. Obviously, advance fee scammers, wherever they hail from, are being more careful and have discovered spell check?

To close, the Anti-Phishing Working Group's recent report on phishing, which is delivered via spam, has noted that the number of crimeware-spreading URLs out there has increased 258 percent versus the same time period last year. It also noted a record high in the number of hijacked and victimized brand names. Last but not least, it noted another record in the number of malicious application variants being seen in the wild (on the Internet).

This would suggest that spam is getting more dangerous and the people sending it are becoming more sophisticated. The smartest thing to do with all spam is to delete it. Making sure your computer's security is updated with a known and reliable vendor is also a smart thing to do. After all, as I've speculated many times before, most fraud, phishing and financial misdeeds on the Internet start with spam.

Sunday, December 14, 2008

Most Internet Scams Start with Spam

I'm sure we've all noticed spam levels are slightly down, or that our spam filters seem to be working a little better. Nevertheless, spam continues to get through filters and for the next few weeks, a lot of it will have a holiday theme. Due to the sour economic situation, it's also likely going to take advantage of financial fears or the promise of a rescue from an already bad situation.

Since most unfortunate situations involving fraud, phishing, and financial misdeeds on the Internet start with a spam e-mail, it pays to use a little common sense and caution before falling for a too-good-to-be-true, or sometimes scary, e-mail from an unknown source.

Last week, Symantec issued its December 2008 State of Spam Report. It predicts that although spam volumes are down after a lot of providers blocked access to sites hosted by McColo.com, we will likely see them rise again. Spam levels dropped a reported 65 percent after this happened. "McColo.com was allegedly hosting a significant number of botnet command-and-control systems," according to the report. The bad news is that the report indicates the bad guys are moving elsewhere and that a number of them are hosting their efforts from IP addresses in (where else) China.

Getting back to the holiday season, the report notes that spammers are mimicking marketing come-ons from legitimate retailers offering holiday shopping deals. This makes it hard to distinguish exactly who is behind the e-mail. Sometimes the line between legitimate and illegitimate becomes a little blurry, which is something spammers have always taken advantage of.

The report also reveals a lot of links leading to malware infected sites in spam e-mails are using political themes to draw in their victims. Items related to Barack Obama are especially popular with spammers and scammers. In another twist to using Obama's good name, one spam campaign offered a Barack Obama coin, "a piece of history for only $9.95 plus shipping." This was an attempt to steal debit and credit card information.

Hot news stories were also used as lures to download malicious software. In particular, lures built around the recent Mumbai terrorist attacks pointed to links designed to infect machines. Ironically, a lot of this malware is designed to turn a computer into what is referred to as a "zombie," which, as part of a botnet, is used to send out even more spam.

While we haven't seen the holiday season pass, spammers of the scammer type are already using the IRS name to steal personal and financial information. The pre-tax season phishing scheme mentioned in the Symantec report involved a come-on designed to snare people by telling them they had a tax refund or economic stimulus payment due to them. The link in these e-mails went to fake IRS site(s) — complete with official logos — designed to steal personal and financial information.

The IRS isn't alone when it comes to having their good name spoofed. Just this week the FBI reported that their name was being used (yet again) in a campaign involving a typical Nigerian 419 scam. If an intended victim got leery after initially responding — they were threatened with "official consequences" should they fail to turn over the required personal and financial information.

Scaring a victim into submitting to a scam is nothing new. In fact, some of it is now being referred to as scareware. Scareware most frequently surfaces as a fake message claiming your computer is infected. It then offers to fix the problem for a nominal amount of money. My guess is that malware might actually be downloaded on a system by clicking on one of these come-ons.

Since it's hard to pay in cash over the Internet, anyone who pays up on this form of extortion might have their method of payment stolen, also. Symantec recently released another report showing how many personal and financial details are for sale (super-cheap) on the Internet.

Alex Eckelberry of Sunbelt Software and the popular Sunbelt Blog just posted a visual presentation of scareware examples on his Flickr account.

There is little doubt that spam and its intended purposes have made the electronic world somewhat of a "virtual minefield" at times. It pays to make your computer bullet-proof by using good state of the art software from a legitimate vendor, but even if you are protected in this manner, you also need to protect yourself from social engineering schemes designed to lure a person into doing something they are going to regret later.

The Anti-Phishing Working Group offers sage advice (from a variety of reputable sources) to the average person on how to avoid becoming a victim. Interestingly enough, they also recently released a rather ominous report stating that the number of crimeware-spreading URLs is at an all-time high. Crimeware is another name for malware when it has a purely criminal intent.

To close this post, I'll point to an amusing video Symantec did on the 12 Days of Christmas Spam. It's probably best to end on a lighter note on what has become a serious problem.

Tuesday, October 07, 2008

How Using Pirated Software Turns People into Internet Crime Victims

The Business Software Alliance's October report, called Online Software Scams: A Threat to Your Security, reveals the dangers of buying or downloading pirated software. Sadly, pirated software doesn't always advertise that it is counterfeit and often appears to be the "real thing" to the untrained eye. This poses a clear and present danger to anyone shopping for software, whether it be on an e-commerce site, a peer-to-peer (P2P) site or at a more traditional shopping venue.

In the report's introduction, it points to an actual example of how a misguided employee of the Wagner Resource Group of McLean, Virginia, used his office computer to download video and music files using Limewire and exposed the entire corporation to the dark side of the Internet. "In this case, the Wagner employee's action set off a terrible chain reaction, opening up the firm's computers to outsiders and exposing the names, dates of birth, and Social Security numbers of about 2,000 of the firm's clients, including US Supreme Court Justice Stephen Breyer," according to the report.

Although many view downloading a video or music file as a victimless crime, the consequences can become personal when cyber criminals add a little malicious software (often referred to as crimeware) to the mix. Specifically, it can lead to identity (information) theft or turn a user's machine into a zombie, which is controlled remotely and used to commit other misdeeds on the Internet.

It is estimated that one-third of all software is counterfeit. In 2008, a study was conducted that revealed that if software piracy could be reduced by 10 percent in the United States it would generate 32,000 new jobs, 41 billion in economic growth and 7 billion in tax revenues.

A lot of pirated software is sold via downloads. When this occurs, the normal form of payment is a credit or debit card. This means that the person who buys pirated software is providing this information to a criminal, who in turn might use it again or sell it to a third party. Like pirated software, credit/debit card information is sold on the Internet in underground chat rooms.

The report also covers another area where Internet crime is known to flourish: auction sites. In 2005, a study was done on software sold on eBay, and roughly 50 percent of the items purchased had malicious/unwanted elements or had been tampered with.

While auction sites have worked with outside industries on preventing theft and abuse, they generally disclaim any responsibility for what occurs on their site. Additionally, there is little to no protection for the consumer buying these products (my opinion).

Because of this, the BSA is calling for auction sites to assume responsibility, step up the warning process on their sites and slow the process down by eliminating the "buy it now" process, which makes monitoring illegal sales nearly impossible.

The software industry isn't the only industry calling out issues with auction sites. In August, two bills were introduced to combat crime on auction sites, which were largely supported by the National Retail Federation. The sale of stolen or counterfeit goods in general has long been an issue on these sites. A good resource to learn about the danger of counterfeit goods in general is the International AntiCounterfeiting Coalition.

The BSA offers a lot of tips for consumers on how to avoid becoming a victim in their recently released report. It also offers a more visual means of learning by offering a video on the subject.

Suspected piracy can also be reported at http://www.bsacybersafety.com/ or by calling 1-888-NO-PIRACY.

Tuesday, September 16, 2008

Improved OnGuardOnLine Site Teaches Cyber Safety to the Average Person

One of the better places for the average person to learn about the sometimes murky waters of the Internet is free and sponsored by the Federal Trade Commission. Although OnGuardOnline.gov and its Spanish-language counterpart, AlertaEnLinea.gov, have been around for a while -- some new and exciting improvements have been made to the site with a just-released Web 2.0 redesign.

The new and improved site allows users to grab and embed games and videos, search for topics on the site, take a “show of hands” poll, and have a more interactive experience while learning how to avoid becoming an Internet crime statistic.

The site offers articles and games covering sixteen topics -- including social networking, phishing, email scams and laptop security; plenty of buttons and banners you can post on your blog or website; free publications consumers and organizations can order; and links to the OnGuard Online partners from the public and private sector.

I should add that a lot of good people from both the government and private sectors have given resources and their valuable time to assist the Federal Trade Commission with this site. Industry and government partners include the U.S. Department of Justice, Office of Justice Programs, Department of Homeland Security, Internal Revenue Service, United States Postal Inspection Service, Department of Commerce, Technology Administration, Securities and Exchange Commission, National Cyber Security Alliance, Anti-Phishing Working Group, i-SAFE, AARP, National Consumers League, Direct Marketing Association, WiredSafety.org, The SANS Institute, The National Association of Attorneys General, Better Business Bureau, NetFamilyNews, CompTIA, National Crime Prevention Council, Association of College Unions International, and the Latinos in Information Sciences and Technology Association.

In my opinion, this represents a valuable partnership in dealing with the ever growing problem of crime on the Internet. This also represents a very credible collaboration of resources and industry experts (my humble opinion).

There is also a lot of material that businesses and organizations can use to educate their people with. Frequently, I get approached on this subject and I will continue to recommend this site as a valuable resource. Of course, the benefits for the individual person wanting to protect themselves, or become more knowledgeable are there (free for the taking), also.

If you are one of those businesses or organizations wanting additional materials, you can get free OnGuard Online publications. For 50 or more copies, visit ftc.gov/bulkorder. If you need fewer than 50 copies, call 1-877-FTC-HELP.

Monday, August 18, 2008

Report Reveals That Internet Fraud Threatens E-Commerce

The Center for American Progress just released a report indicating that not enough is being done to protect the public from fraud on the Internet. It's also warning that the convenience, choices and lower prices enjoyed by Internet users are at risk because of this.

The report reveals that high levels of fraud and abuse may cause more and more consumers to lose trust, a key component of any successful business. Malicious software, phishing and spam were cited as primary causes of the high levels of fraud and abuse on the Internet.

Studies indicate that over 80 percent of all e-mail is spam. It should be noted that spam is the preferred delivery vehicle of fraud and abuse on the Internet. Malware and phishing normally start with a spam e-mail. In phishing schemes -- which are designed to steal personal and financial information -- the use of malicious software to automatically steal information is on the rise. In the past, phishing normally relied on a social engineering scheme to accomplish this goal.

The Anti-Phishing Working Group, an organization that tracks phishing activity, has noted an increase in the use of malicious software to phish information. They speculate that the ability of e-criminals to use automated tools to spread crimeware (a.k.a. malware) could be the reason for the increase.

The report states that although the Federal Trade Commission is stepping up enforcement activity, its resources are limited and more action by the state attorneys general is desperately needed. It cites as an example that over the past three years, only 11 cases against spyware distributors have been brought forward by the States, which is the same number taken for action by the FTC.

The Center for American Progress and the Center for Democracy and Technology asked States to provide data on the complaints they received in 2006 and 2007. Thirty-six States responded, and most of them had an Internet-related category listed in their top-ten complaints. It was also noted that overall Internet-related complaints increased from 2006 to 2007. Eight of the States listed Internet-related complaints in their top three, and four States listed them as the number-one complaint.

The FTC, which gathers data on a much wider scale, noted an increase of 16,000 Internet-related complaints in 2007 versus the number received in 2006. When comparing the numbers to 2005, a 24,000 increase in complaints was noted.

The report points out that many experts speculate that not all cybercrime is reported or even discovered. Additionally, the standard for classifying it varies from State to State, which makes it hard to evaluate current statistical data. Given these factors, many believe the problem is understated.

In looking at the enforcement level by the States, the Center for American Progress and the Center for Democracy and Technology gathered information from annual and biennial reports, websites, news articles, and the bimonthly Cybercrime Newsletter released by the National Association of Attorneys General.

Data from the Cybercrime Newsletter revealed that 60 percent of the cases prosecuted were for the sexual enticement of minors or pornography. Crimes involving the theft of information or identity theft represented 8.9 percent of the total and 15.5 percent involved online sales and services. The majority of the cases involving online sales and services were for false advertising or the quality of a product or service.

The conclusion given by the researchers is that not very many crimes involving phishing, spyware, spam, adware and hacking were being effectively investigated or prosecuted. "Internet crime requires almost no expense to execute, carries potentially high financial rewards, and involves relatively little risk of being caught and punished," according to the report.

The monetary cost of all this activity isn't cheap, either. In 2007, an estimated $7.1 billion was lost due to phishing, viruses and malware in the United States alone. Given that the estimated losses in 2006 were a mere $2 billion, this would lead a reasonable person to speculate that the problem is a growing one. Worldwide estimates put the losses at about $100 billion.

The report gives a possible reason for the increase in activity. With few overhead or start-up costs a phishing group can net about $250,000 a month and operate anonymously from just about anywhere in the world.

Do it yourself (DIY) phishing kits for sale on the Internet have been cited as a primary cause of more and more activity, also. Some of these DIY kits even come with technical support. The bottom line is that it no longer takes much technical knowledge to become a phisherman.

The report speculates that we shouldn't be surprised that online fraud and abuse are at high levels and calls for stronger deterrents. They believe that stronger action by the state attorneys general is key to this effort.

While more support at the State level is needed, I'm not sure if the States can control Internet crime all by themselves. Internet crime moves across borders with a click of a mouse and it's going to be difficult for Alabama to prosecute a spammer or phisherman living in Moscow, Shanghai, Montreal or London.

Two so-called spam kings were recently prosecuted by the federal government. One later escaped and killed himself and family members in the process. These arrests didn't seem to make much of a dent in the amount of spam being sent. Both of the government press releases on these stories mentioned they were catering to commercial clients. Any solution to crime on the Internet will have to take a long and hard look at what enables the activity to be too easy to facilitate in the first place.

Some blame the Internet Service Providers (which seem to be a dime a dozen) for looking the other way because spam brings in revenue for them. Of course, auction sites like eBay have long been criticized for looking the other way at the criminal activity on their sites. Since Internet Service Providers and auction sites operate worldwide with a click of the mouse, it's difficult to prosecute or investigate anything on the Internet.

This list of Internet crime enablers is long, and the ones referenced regarding service providers and auction sites are merely two examples of them. But if you were to take a look at all of them, they have one thing in common: maintaining an environment conducive to making money easily. The question is how long it will take for the financial and social costs of Internet fraud and abuse to inspire a more responsible and practical approach to the problem.

Sunday, August 03, 2008

Bills Introduced to Combat Organized Crime on Auction Sites

While stories of individual people getting scammed on auction sites are legendary, individuals aren't the only ones victimized on these sites. Large retailers and brand owners are victimized when their stolen or counterfeit merchandise is sold on these sites, also.

In response to this, two bills are being introduced to combat this problem in the halls of Congress.

The reason this has become a growing issue is that criminals can net 70 percent of the value of stolen merchandise on an auction site versus the going 30 percent received on street corners, flea markets and pawn shops. So far as all the knock-off (counterfeit) goods being sold on auction sites, it's hard to put a dollar loss to it, but many believe it's substantial.

According to the International AntiCounterfeiting Coalition, counterfeiting costs U.S. businesses $200 to $250 billion a year. Counterfeiting and e-fencing pose safety risks to the public at large, also. Outdated merchandise, or merchandise that isn't what it is advertised to be, could potentially poison people or cause bodily harm when it doesn't work like it's supposed to.

Simply stated, auction sites provide an anonymous marketing environment to sell both stolen and counterfeit goods.

“By hiding behind the anonymity of the Internet, they can make more money with less risk of getting caught than selling to a stranger on a street corner who might turn out to be a police officer. This bill would lift that cloak and help law enforcement put on-line criminals where they belong – behind bars,” according to Joe LaRocca, the National Retail Federation's Vice President of Loss Prevention.

To address this problem, a federal bill (H.R. 6713, the E-Fencing Enforcement Act of 2008) is being introduced by Representative Bobby Scott, chairman of the House Judiciary Committee’s Subcommittee on Crime, Terrorism and Homeland Security.

The bill will require on-line auction operators to maintain information about high-volume sellers and provide the information to a person with "standing" once a police report is filed. The definition of a person of standing would be a law enforcement officer or a representative from a company, who has an interest in the merchandise being illegally sold on an auction site.

This is the second bill introduced recently to combat organized retail crime, which costs retailers anywhere from $15 to $30 billion a year. On July 15th, H.R. 6491, the Organized Retail Crime Act of 2008, was introduced by Representative Brad Ellsworth, a former county sheriff, along with Representative Jim Jordan as the lead co-sponsor. The bill establishes that unless auction site owners can show specific steps taken to ensure goods being sold were not obtained by theft or fraud, they could be viewed as "facilitating" the activity. This bill will also require site operators to cooperate with the police and organizations with a stake in stopping the activity. In certain instances, it will also allow merchants to initiate civil actions over stolen merchandise being sold on an auction site.

In the past, auction operators have been criticized for not effectively cooperating with companies and law enforcement when they made an inquiry into suspected criminal activity on their sites. It has also been established that smaller (individual) victims and merchants often receive little to no assistance after being victimized in an Internet auction deal.

E-fencing, phishing, counterfeit goods and the use of fraudulent financial instruments to buy merchandise from unsuspecting customers have all victimized countless people and organizations on auction sites.

Criminals often lure people to do their dirty work, also. Recruits are normally harvested off the Internet, sometimes from job sites, and offered work to reship stolen merchandise and/or launder money from fraudulent transactions. Much of this activity involves sending money, or hot merchandise, across an international border -- making it extremely difficult to track.

A lot of criminal activity is facilitated on auction sites by what is known as phishing. Phishing is where an account owner is tricked into giving up their account details, either via social engineering or, more and more often, after downloading some malicious software. The stolen account details are then used to take over the account and use it for illicit purposes.

In fact, eBay and PayPal are frequently the most phished brands out there.

Phishing, normally facilitated by spam e-mails, is another ever-growing criminal activity on the Internet. Recent studies by the Anti Phishing Working Group show that it is becoming more automated and malicious software (crimeware) used to automatically steal information is becoming more prevalent.

There is little doubt that a lot of the criminal activity on auction sites is sophisticated and reeks of organized crime.

For anyone investigating fraud on an auction site, the only way to effectively do so is to have access to information quickly and with as little red tape as possible. A lot of these crimes cross over borders quickly, and by the time an investigator gets what they need, the trail is often pretty cold.

When auction site owners -- who suffer no financial liability and collect a lot of revenue in fees from this activity -- don't cooperate or move too slowly, it only ensures that criminals will be laughing all the way to the bank.

Even the government has had their stolen inventory sold on eBay and Craigslist. In April, the GAO issued a report that military items, including F-14 components, were being sold on auction sites. In August of last year, a U.S. Attorney was quoted as saying that stamps being stolen from self service vending machines with cloned payment cards were being sold on auction sites. At the time, I ran a simple search query and found some pretty good deals on stamps. As of today, these great deals still exist. Many of them are being sold below cost and the last I checked the Postal Service still offers credit. Why would someone sell stamps below cost?

In my opinion, both of the bills don't only serve the large merchants out there, but have the potential to protect everybody from fraud on auction sites. While both of these bills are being driven by the National Retail Federation, I see a lot of benefits to passing them for everyone concerned with fraud on auction sites.

I highly recommend that these other people join in with the NRF and the Congressmen involved, and support getting these bills passed.

Sunday, May 25, 2008

Oregon case reveals the tie between software piracy and identity theft!


(Photo courtesy of naveenium at Flickr)

Software piracy is a multi-billion dollar issue. Whether it's hawked in a spam e-mail, a flea market or on an auction site -- it might not work as well as advertised -- and could even lead to identity theft.

You never know what might be installed in pirated software. The person selling it to you might add a little malicious software (containing a keylogger) and steal all your personal and financial information.

A recent case showing how pirated software leads to identity theft was announced by the Department of Justice:

An Oregon man pleaded guilty today to selling counterfeit computer software with a retail value of more than $1 million, in addition to aggravated identity theft and mail fraud, announced Assistant Attorney General of the Criminal Division Alice S. Fisher and Karin J. Immergut, U.S. Attorney for the District of Oregon. This case is part of the Justice Department’s initiative to combat online auction piracy.

Jeremiah Joseph Mondello, 23, of Eugene, Ore., pleaded guilty to one count each of criminal copyright infringement, aggravated identity theft and mail fraud before U.S. District Court Judge Ann L. Aiken in Eugene. Mondello faces up to 27 years in prison, a maximum fine of $500,000 and three years of supervised release. Sentencing has been set for July 23, 2008.

Although this only appears to be a small win in the overall problem, it illustrates the danger of installing unauthorized software on your system. You might get more than you bargained for:

Mondello admitted to stealing individuals’ identifying information to establish online payment accounts in their names. Mondello acquired victims’ names, bank account numbers and passwords by using a computer keystroke logger program to surreptitiously obtain this information. The keystroke logger program installed itself on the victim’s computer and then recorded the victim’s name and bank account information as the information was being typed. The program then electronically sent the information back to Mondello, and he used this stolen information to establish the online payment accounts.

In other words, the moral of the story is that the money you save buying knock-off software can easily be lost when the seller returns to clean out your financial assets.

Trust me, criminals are not honorable and they couldn't care less if you get left holding the bag.

Last, but not least, most victims of identity theft are able to get their financial institutions to write off their losses. However, if they discover you used illegal software -- which happened to contain malicious capabilities -- my guess is they are going to deny your fraud claim.

DOJ credited the Software & Information Industry Association for their assistance in this conviction. This association represents the software industry and goes after software and content piracy. They provide a means to report instances of piracy and offer a reward of up to a million dollars for doing so.

Full press release on this matter, here.

Sunday, May 11, 2008

FBI reports tax stimulus phishing campaign underway

The FBI Cyber Investigations Division issued a press release that spammers are phishing for people's personal details using the tax stimulus program as bait.

The Federal Bureau of Investigation warns consumers of recently reported spam e-mail purportedly from the Internal Revenue Service (IRS) which is actually an attempt to steal consumer information. The e-mail advises the recipient that direct deposit is the fastest and easiest way to receive their economic stimulus tax rebate. The message contains a hyperlink to a fraudulent form which requests the recipient's personally identifiable information, including bank account information. To convince consumers to reply, the e-mail warns that a failure to complete the form in a timely manner will delay the issuance of the rebate check.

My guess is that the intent in getting your bank account information is to take it over and drain it of all its assets.

Please note that phishing normally requires a person to willingly give up their information, but more and more, a new phenomenon called drive-by infection is being seen in the "wild," a.k.a. the Internet.

I wrote about this recently in a post called, "Nowadays, all you need to do is visit the wrong site to have your personal information stolen!"

As noted in the post, the phishermen have been seen using social engineering ploys, along with malicious software in conjunction with each other.

If you want to learn more via FBI recommended educational tools, or report a phishy e-mail, here is a way you may do so:

Please notify the IC3 by filing a complaint at www.ic3.gov. More information on scams is also available on www.fbi.gov and www.lookstoogoodtobetrue.com.

You can also report IRS-related phishing scams to phishing@IRS.gov, here.

FBI press release with example of one of the phishmails, here.

In case you want to see when you are going to get your "actual" stimulus check (if you qualify), the IRS has a tool to figure it all out on their site.

Wednesday, May 07, 2008

Stolen information from 40 financial and medical institutions discovered on rogue server

Once in a while, I speculate that stolen information is a lot more valuable to the criminal element before it becomes apparent that it's been stolen. I've also speculated aloud that there is probably a lot more stolen information out there than we are aware of. The good folks at Finjan are well on their way to substantiating this speculation.

Yesterday, they announced the following on their malicious page of the month:

While we were examining malicious code, we came across a domain which was being used as a command and control for the Crimeware that was executed on attacked machines. The domain was also used as the “drop site” for private information being harvested by that Crimeware.

When we further examined this server, we found the stolen data left unprotected and available for anyone on the web (i.e. no access restrictions, no encryption whatsoever).

The server that we analyzed contained more than 1.4Gb of data (both business and personal related) collected from infected PCs, which consisted of 5,388 unique log files, that were traced back to 5,878 distinct IP addresses. Both email communications and web related data were found.

The information discovered was from 40 unnamed financial and medical institutions from several different continents. The server used to store this information was being moved frequently, but if found, anyone could access it.

They made the observation that last year, according to what statistics are available, 8.5 million records were compromised. One of these statistics, obtained from IC3 states that 20 percent of the 206,884 cases (roughly 40,000) were due to computer hacking. Finjan points out that on this one server, they discovered approximately 5,000 records.

I’ll let the reader do their own math, but if this is true there is probably a lot of unknown hacking activity happening in the wild.

Please note that all the kind people compiling statistics only know what is reported to them, and some of them have been very vocal in pointing this out. My personal guess is that there is so much stolen information out there that when any individual case is investigated, it's almost impossible to do more than speculate exactly where the point of compromise occurred.

Besides that, hackers are unlikely to want to reveal where they are stealing all their information from. Once revealed, it’s harder to use and not worth as much money.

The information on the server included compromised medical information, online banking information (including passwords) and complete logs of payment card (debit/credit) transactions, including CVV2 information and the miscellaneous "extras." This all occurred on "supposedly" secure sites.

I found this interesting because the merchants have been under fire to become compliant with PCI data security standards in light of a few highly publicized data breaches. Of course, in the recent Hannaford case, they were compromised and had been certified as being PCI compliant. PCI data security procedures are the payment card industry's own standards for protecting information.

Based on these findings, hackers don’t have to compromise a merchant to steal everything they need to commit financial crimes and it’s pretty obvious that financial institutions are being compromised, also.

Also found on the server was a lot of business proprietary information harvested from a lot of internal e-mail accounts. In the past year or so there seem to have been a lot of campaigns to obtain information other than financial data from businesses. The clear intent in this activity is corporate espionage (my speculation).

Finjan reports that this particular theft campaign was made possible with a do-it-yourself (DIY) crimeware kit called the AdPack Toolkit. They also reported that this kit gives the user command and control functions, enabling them to execute admin functions with the illicit software.

Finjan is not revealing (they never do) exactly which institutions were compromised. Even though they are not revealing names, they did report the activity to law enforcement and the institutions involved.

Thursday, May 01, 2008

Internet Gangstas don't appreciate software piracy, either!

Crimeware salesmen, like most e-commerce types, take a dim view when their creations are knocked-off (pirated). To protect themselves, they warn their customers (Internet criminal types) that if their products are counterfeited, they can and will be reported to the anti-virus companies.

Specifically, the verbiage used as reported on the Symantec blog is, "the binary code of your bot will be immediately sent to antivirus companies."

The reason reporting the binary code of a bot defeats the crimeware kit in question (Zeus) was mentioned in a previous post on this blog:

Known as the "Zeus kit," in honor of the Zeus Trojan, the kit is pretty resistant to computer security programs and has the ability to mask itself using a binary generator. The binary generator sends out a unique set of numbers every time it is used, making it hard for security programs to detect since they rely on spotting what is known as a "signature." Even if a security program recognizes one signature, the binary generator changes it the next time, and the security program will probably fail to recognize it.

Here are the details, as reported on the Symantec blog by Liam OMurchu:

Here is a perfect example. The screen shot below is taken from a typical underground software package. Shown in the screen shot are the terms and conditions of the sale—the “licensing agreement.” Yes, that’s right; some underground packages come with a licensing agreement. The document is written in Russian, but a translation is provided below.

2. The Client:
1. Does not have the right to distribute the product in any business or commercial purposes not connected with this sale.
2. May not disassemble / study the binary code of the bot builder.
3. Has no right to use the control panel as a means to control other bot nets or use it for any other purpose.
4. Does not have the right to deliberately send any portion of the product to anti-virus companies and other such institutions.
5. Commits to give the seller a fee for any update to the product that is not connected with errors in the work, as well as for adding additional functionality.

In cases of violations of the agreement and being detected, the client loses any technical support. Moreover, the binary code of your bot will be immediately sent to antivirus companies.
It should be noted that these crimeware kits, as I've written frequently, make it fairly easy for not very technical criminals to commit technical crimes. As noted in their licensing agreement, the criminals selling these kits in underground forums even provide technical support.

Interestingly enough, Liam noted:

Despite the clear licensing agreement and the associated warnings, this package still ended up being traded freely in underground forums shortly after it was released. It just goes to show you just can’t trust anyone in the underground these days.

Of course, in most instances, there is no honor among thieves.

Liam notes that this licensing agreement is for the much talked about Zeus kit, which has "drive-by" capabilities. If you are unfamiliar with what "drive-by" means on the Internet, it means that your computer only needs to visit a site to become infected.

Here is a previous post I recently did about the "drive-by" problem, which is making the Internet a more dangerous place all the time:

Nowadays, all you need to do is visit the wrong site to have your personal information stolen!

Liam's post on the Symantec blog, here.

Tuesday, April 22, 2008

Nowadays, all you need to do is visit the wrong site to have your personal information stolen!

On his birthday, Uriel Maimon of RSA reflected about a lot of personal things (as most of us do), as well as how spam and phishing are becoming more sophisticated and dangerous.

One major player in the spam and phishing game is known as the "Rock Phish." In his birthday post, Uriel gives us a little historical perspective on the group:

The Rock Phish group is a phishing gang believed to be based out of Russia -- and, by some accounts, is responsible for roughly 50% of phishing attacks by volume. The Rock gang has also pioneered several new approaches in phishing: in 2004 it was the first (and, for a long time, they were the only) gang to employ bot-nets in its phishing infrastructure in order to make the attacks live longer and be more scalable. It also pioneered new techniques in its spam mails so the mail could more easily evade spam filters.

Apparently, the Rock Phish are now setting up a double whammy for anyone foolish enough to click on a socially engineered link received in a spam e-mail. Counting on the fact that a lot more people go to phishing sites than will actually type in their personal details, the Rock Phish are loading the sites with crimeware that steals personal information, automatically.

More specifically, Uriel describes the phenomenon of "drive-by infection" as follows:

This is done via a technique called "drive-by infection", wherein a vulnerability in the victim's operating system, browser, or software is exploited in order to infect the victim without his/her knowledge (and much less his/her consent, or with the victim having to proactively download software). The vulnerabilities that are exploited in these situations are often unknown to the software vendors and therefore often not addressed, leaving the victims defenseless (just like your humble servant finds himself when in the company of a beautiful woman).

Even worse, it appears that the Rock Phish make it easy for any criminal to mount a pretty sophisticated phishing expedition by selling all the "tackle" necessary to do it for a measly $700.00.

Known as the "Zeus kit," in honor of the Zeus Trojan, the kit is pretty resistant to computer security programs and has the ability to mask itself using a binary generator. The binary generator sends out a unique set of numbers every time it is used, making it hard for security programs to detect since they rely on spotting what is known as a "signature." Even if a security program recognizes one signature, the binary generator changes it the next time, and the security program will probably fail to recognize it.

For the less technically inclined, the Zeus Kit offers a lot of operational capabilities for the information thief. Some of these capabilities are "the ability to take screenshots of a victim's machine, or control it remotely, or add additional pages to a website and monitor it, or steal passwords that have been stored by popular programs," according to Uriel.

There is little doubt that criminal groups like the Rock Phish are making the Internet more dangerous all the time. As for getting infected while "driving by" a site, Websense announced today that a mass attack via malicious JavaScript injection is infecting thousands of trusted sites, including government ones. According to the report released today, this activity has exploded by a "factor of ten."

Sophos also mentioned in its Q1 Security Threat Report that they are finding infected web pages at a rate of one every five seconds.

In simple terms, all the average web surfer has to do is visit one of these sites to become infected and have all their information stolen from them.

It's probably a good time to make sure you've updated the protection on your computer and to just say delete to any spam getting past whatever filter you are currently using. By the way, has anyone noticed besides me that more and more spam has been getting past these filters in the past couple of weeks?

Blog post at RSA by Uriel Maimon, here.

By the way, I noticed that despite a lot of us commenting on this great post, no one bothered to wish him a Happy Birthday. The post has a lot of good information on it and it would be nice to thank him for educating the rest of us.

Thursday, April 17, 2008

Symantec releases Internet Threat Security Report

Symantec recently issued its Internet Security Report, which covers the second half of 2007. The key findings in the report are that malicious activity has become web based, attackers are going after end users rather than computers, the underground community is maturing and consolidating, and the bad guys are getting better at improvising and adapting.

The report confirms that hacker tool kits are increasingly making it easier for less sophisticated types to effectively commit technical crimes. Symantec also believes that these tool kits are being professionally developed, which supports the deduction that the underground community is maturing and consolidating.

Perhaps the availability of tool kits is the reason that a 559 percent increase in phishing websites has been noted?

The report also shows that the bad guys are going after "trusted" sites, such as social networking sites.

The underground economy in stolen financial details is also on the increase. These details, which are sold in Internet forums, are getting cheaper. With all the phishing going on, coupled with a record amount of data breaches, an over-abundant supply of stolen information is likely the reason for this. The report found a wide variety of pricing on payment card numbers, ranging from 40 cents to $20 per card.

The easy availability of encoders and other portable payment card technology makes it "too easy" to counterfeit the numbers into realistic looking plastic. In addition to this, there is a thriving market in counterfeit documents, which provides a wide array of realistic counterfeit identification to vet the counterfeit financial instruments.

Besides identities and payment card details, stolen bank accounts are becoming increasingly available. Symantec attributes the increase in bank account information to a mirror increase in banking trojans over the second half of 2007.

Besides being used to clean out an account, bank account details are useful to criminals when they commit check fraud. Anyone who follows scams on the Internet knows that counterfeit checks are being delivered to unsuspecting mules to cash in a variety of advance fee (419) type scams. Please note there are also organized gangs who move from area to area committing check fraud using mules who know exactly what they are doing.

Recently, an international task force monitored the mail and discovered large amounts of counterfeit checks being shipped throughout North America and the European Union.

All in all this report is a very interesting read. If you are a more visual type, Symantec also did a very nice flash presentation on this, which can be seen on the page linked to in the previous sentence.

Saturday, March 29, 2008

How did hackers plant malware at Hannaford Bros. and steal 4.2 million payment card numbers?

Hannaford Brothers, the latest retailer to be compromised in a large scale data breach, is reporting that hackers using malware breached their systems.

The next million dollar question (literally) is how was the malware (sometimes referred to as crimeware) dropped on their system? A lot of people are looking at this carefully because the company had been certified as meeting PCI (Payment Card Industry) data protection standards.

Ross Kerber at the Boston Globe, who gets the hat tip for breaking this latest development in the story, wrote:

Data security specialists say the new details show how hackers have grown more adept at penetrating weak links in the systems that connect merchants and banks. In previous breaches, such as the record-setting intrusion at TJX Cos. of Framingham, where as many as 100 million card numbers were compromised, hackers took advantage of merchants who stored customer names and card data - sometimes in violation of payment industry standards - at central locations in their computer networks.

In contrast, Hannaford says it did not store customer information. The hackers who struck Hannaford mined a stream of data that the merchant and banks were not responsible for protecting under industry rules, industry specialists said.

Because hackers, criminals and misfits rarely give up their latest hacks, we'll have to be content with speculation from the experts.

Jaikumar Vijayan at ComputerWorld was able to get some expert speculation from "Mike Paquette, chief strategy officer at Top Layer Networks, a vendor of intrusion-prevention systems in Westboro, Mass." Bill Brenner at SearchSecurity.com wrote about increasing speculation that a dishonest insider planted the malware on Hannaford's network.

The insider theory intrigues me because it seems that most security breaches can be traced to a social cause. A dishonest human -- who has been given access to a system -- can defeat a lot (most) computer security.

Going further into all the speculation that has come about from the Hannaford announcement, I decided to see what the blogosphere had to say.

Securosis.com gives a lot of interesting perspective in their post, Picking Apart The Hannaford Breach- What Might Have Happened.

The post points out some interesting thoughts, such as that credit card numbers are useless without names (Hannaford claims no names or social security numbers were stolen) and that the breach was most likely discovered at financial institutions when customers complained about fraudulent transactions on their cards.

rmogull summed up his "admitted" speculation with:

In conclusion, it looks like some sort of a network breach (which could be anything from phishing/malware to compromise from a retail location to a full network hack). A sniffer was possibly installed, since it seems they don’t keep credit card information (again, assuming statements are true). The fraud was detected by the banks or credit card companies, then it took a little under two weeks to contain. Not great, and indicative of either a little sophistication on the attacker’s part, or a lack of sophistication on Hannaford’s part.

There are also some interesting comments with more speculation at the bottom of the post. From what I can gather, a lot of IT types read this blog.

In the end, as long as there is lack of transparency in data breaches, the best anyone can do is speculate. The reasons for a lack of transparency in data breaches are a mile long, encompassing everything from protecting ongoing investigative efforts to avoiding the financial pitfalls of all the litigation that arises after a data breach.

Of course, in more simple terms, it might also mean that no one is really sure?

Given that, I wonder if anyone can be really sure that their personal information is safe? Your guess is probably as good as mine!

Previous posts on this blog about the Hannaford Data Breach:

Security vendor removes Hannaford as a client on their site after data breach is revealed!

Hannaford Brothers data breach might reveal current security standards are outdated

Thursday, February 28, 2008

Finjan discovers criminal database with 8700 account credentials to trusted domains!

Is the Corporate World under attack by hackers? A new report from Finjan suggests that top level domains have been compromised and access details are for sale on the black market.

It should be noted that government domains have been allegedly compromised, also.

From the Finjan press release:

Finjan Inc., a leader in secure web gateway products, today announced it has uncovered a database containing more than 8,700 harvested FTP account credentials, including username, password and server address - in the hands of hackers. These stolen credentials enable criminals to compromise servers and automatically inject crimeware to infect users visiting them. Among those stolen accounts are those of Fortune-level global companies in a wide range of industries including manufacturing, telecom, media, online retail, IT, as well as government agencies. The stolen FTP accounts include some of the world’s top 100 domains as ranked by Alexa.com.

Kelly Jackson Higgins at Dark Reading went more into depth on the risks associated with this new discovery:

The so-called meoryprof.info (Me-or-you-Profit) site is selling username, password, and server addresses of these FTP servers as well as the NeoSploit Version 2 crimeware package, which basically lets the bad guys who buy it instantly infect these sites with malicious code -- with the goal of stealing valuable and confidential data from them as well as any visitors to the sites. It also “qualifies” the stolen accounts so that buyers either can then set a price to resell the compromised FTP credentials to other cybercriminals, or determine which are the more potentially lucrative sites to hack.

“With a click of a button they say ‘I want to infect his FTP server’ with the crimeware,” says Ben-Itzhak. Finjan did not test all of the sites to see if they had been infected yet or not.

From a more social perspective, this continues the scary trend of crimeware for sale, which enables not very technical criminals to commit fairly technical crimes at will.

Besides the fact that (in theory at least) sensitive information can be stolen from some of these sites, a visitor can be compromised when visiting a "trusted site."

Beyond the risk to sensitive information, compromised sites, once publicized, face another problem: unfavorable public exposure. This could lead to a loss of trust in their brand and, as seen recently, potential litigation.

This doesn't even take into consideration all the other assorted costs of recovering from a large scale data compromise that becomes public knowledge.

Finjan is inviting the corporate world to inquire whether their particular site is at risk. The link to do so is here.

They are also providing more information on this latest crimeware kit on their "Malicious Page of the Month."

The Dark Reading story, which is a good source of further information, is here.

Wednesday, February 13, 2008

A badge of authority is a time-tested tool cyber fraudsters use to steal cash!


(Photo courtesy of brykmantra at Flickr)

Using a badge of authority to lure victims is nothing new in social engineering circles. I've written about instances where law enforcement agencies and the IRS have been used to hook victims for all kinds of sinister purposes.

Another badge of authority frequently used is security software. Historically, a victim was required to download something to become infected. This isn't entirely the case anymore: with advances in hacker techniques, all a person has to do is visit an infected site for their system to become sick.

Of course, the less technical versions (requiring a person to click on something) are still out there, also.

Just the other day, John Leyden (Register) reported that an Indian antivirus site, AVSoft technologies was infecting unsuspecting visitors with the Virut virus. This virus opens a "backdoor on infected PCs, allowing hackers to download and run other malware (or anything else they fancy) onto infected computers," according to John.

In case anyone wants more information on the Virut virus, Symantec's definition can be seen here.

Recently, I also read a post by Alex Eckelberry at the Sunbelt blog, which showed that affiliates of reputable security software companies were spreading malware:

We’ve seen a number of examples lately of legitimate security companies being advertised through malware.

It is important to note that this advertising is not from the companies themselves. It’s coming through affiliates (meaning, people who make commissions on sales they refer).

Alex finished his post with a sage comment for his peers:

Affiliate programs are a great way to spread the word on your product, but they need to be monitored carefully for abuse.

Technology changes all the time, but the lures used to attract the unwary seem to remain the same. Interestingly enough, some of the same lures have been used for hundreds of years and will probably still be used long after this blog has been deleted by a search engine.

Alex's post, along with some interesting and educational comments from people within the industry, can be seen here.

Wednesday, January 16, 2008

Your computer will not love this Valentine

The Storm Worm, which turns systems into spam-spewing zombies without their owners' knowledge, is taking a predicted twist and using Valentine's Day as a lure.

Websense is reporting:

Websense® Security Labs™ has received reports and confirmed that the Storm worm has once again switched lure tactics. The worm has now adopted a Valentine's Day twist in its attempts to infect users with malicious code. For more details on how we protect against Storm attacks, see http://www.websense.com/securitylabs/blog/blog.php?BlogID=141.

The full Websense alert, with screenshots, is here.

Most recently, we've seen the Storm Botnet leased by the phishermen to steal people's personal and financial details.

CNet (Robert Vamosi) did a good write-up on this latest Storm phenomenon, here.

The best way to protect your computer from this (besides having good security software) is to simply "just say delete" to any unsolicited Valentines you receive!

Previous posts I've written about the Storm Worm can be seen, here.

Tuesday, January 01, 2008

FTC issues report on Malicious Spam and Phishing

The Federal Trade Commission just released its report on the current state of malicious spam and phishing in today's electronic world.

Interestingly enough, it points out that spammers are criminals.

While this isn't a new revelation, the report seems to want to drive that point home. Maybe this is part of the education process referred to at the bottom of this post?

Here is what the press release had to say:

During the workshop, panelists confirmed that spam has increasingly become a significant global vector for the dissemination of malware and the propagation of financial crimes. Panelists opined that, in most instances, the acts of malicious spammers are inherently criminal, and criminal law enforcement agencies are best suited to shut down their criminal operations.

The report discusses the problem of botnets at length and refers to a 2006 report stating that an estimated 12 million bot-infected computers are being used to send spam. The report also states that most of these computers are physically located outside the United States.

Going deeper into the problem, the report discusses a phenomenon called fast flux:

With fast flux, infected bot computers serve as proxies or hosts for malicious websites. The IP addresses for these sites are rotated regularly to evade discovery. For example, a phisher can deploy numerous and different IP addresses for a single phishing campaign, foiling the efforts of ISPs and law enforcement seeking to stop these campaigns by dismantling a single web site. Despite these challenges, the record reflects that at least one ISP does take proactive measures to detect and disconnect “fast flux” web sites from a portion of its network.
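The rotation the FTC describes is also what a defender can measure: a domain that keeps answering with different, widely scattered IP addresses and short TTLs looks very different from a normally hosted site. The following Python is an added illustration, not from the FTC report or this blog; the domains, IP addresses, TTLs and thresholds are all constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample of repeated DNS lookups for two made-up domains.
# Each tuple: (minutes since start, domain, TTL in seconds, A records returned)
OBSERVATIONS = [
    (0,  "example-fastflux.test", 300, ["203.0.113.10", "198.51.100.7", "192.0.2.44"]),
    (5,  "example-fastflux.test", 300, ["198.51.100.7", "203.0.113.88", "192.0.2.201"]),
    (10, "example-fastflux.test", 300, ["203.0.113.88", "192.0.2.9", "198.51.100.130"]),
    (15, "example-fastflux.test", 300, ["203.0.113.10", "192.0.2.150", "198.51.100.7"]),
    (0,  "example-static.test", 86400, ["192.0.2.1"]),
    (5,  "example-static.test", 86400, ["192.0.2.1"]),
    (10, "example-static.test", 86400, ["192.0.2.1"]),
    (15, "example-static.test", 86400, ["192.0.2.1"]),
]

def summarize(observations):
    """Aggregate repeated lookups per domain into fast-flux indicators."""
    per_domain = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None, "lookups": 0})
    for _minute, domain, ttl, answers in observations:
        d = per_domain[domain]
        d["lookups"] += 1
        d["min_ttl"] = ttl if d["min_ttl"] is None else min(d["min_ttl"], ttl)
        for ip in answers:
            d["ips"].add(ip)
            # Count distinct /24s: flux nodes are scattered bot IPs, not one hosting block
            d["nets"].add(str(ip_network(f"{ip}/24", strict=False)))
    return per_domain

def is_fast_flux(stats, min_unique_ips=5, min_networks=3, max_ttl=600):
    """Heuristic (thresholds are assumptions): many distinct IPs across
    several networks, all served with short TTLs."""
    return (len(stats["ips"]) >= min_unique_ips
            and len(stats["nets"]) >= min_networks
            and stats["min_ttl"] <= max_ttl)

def flagged_domains(observations):
    """Return the sorted list of domains whose lookups match the heuristic."""
    return sorted(d for d, s in summarize(observations).items() if is_fast_flux(s))

if __name__ == "__main__":
    for domain, s in summarize(OBSERVATIONS).items():
        verdict = "FAST-FLUX?" if is_fast_flux(s) else "ok"
        print(f"{domain}: {len(s['ips'])} IPs, {len(s['nets'])} /24s, "
              f"min TTL {s['min_ttl']}s -> {verdict}")
```

Running it flags only the fluxing domain; the static one resolves to a single address with a day-long TTL and passes.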

The report also acknowledges that DIY (do it yourself) crimeware kits are making it easy for just about anyone to mount a phishing campaign. One kit described sells for as little as $17.

Also cited are statements from jailed bot-herders that botnets are being rented for $300-$700 an hour.

The report also gives some statistical information on what this is costing all of us:

A survey by Consumer Reports reveals that viruses, phishing, and spyware resulted in over $7 billion in costs to U.S. consumers in 2007. The survey revealed further that computer infections prompted 850,000 U.S. households to replace their computers. The costs to businesses also are high. One panelist reported that 80 percent of 639 businesses it studied experienced cybercrime-related losses, totaling $130 million.

Also included in the report is information on Operation Bot Roast, conducted by the FBI and Department of Justice.

Besides going after the criminal element, the report states that e-mail authentication is crucial in detecting spam at the ISP level so that it can be filtered out by existing spam filters.

Of greatest importance (call me a socialist) is that the report calls for a broader effort to educate the public on the dangers of spam:

Consumer and business education can have a significant impact in the fight against spam and phishing. Because spam is an ever-evolving problem, stakeholders should revitalize efforts to educate consumers about how to protect their computers from online threats and improve methods for disseminating educational materials to consumers and businesses. In addition, the Summit identified consumer-interfacing tools such as spam reporting buttons as valuable tools for ISPs and reputation service providers. Accordingly, staff will encourage industry to continue to develop and fine-tune such tools.

In keeping with this theory, the FTC has three sites listed on the right side of the press release to educate the public about spam: the FTC Spam site, OnGuard Online: Spam Scams and OnGuard Online: Phishing.

The full report can be viewed, here.

Tuesday, December 25, 2007

Storm Worm bot-herders use scantily clad women in Santa attire to recruit zombies!

Here is a warning from Dancho Danchev about a site that might leave your computer with a worm.

The site invites a person to watch a bunch of scantily clad women in Santa attire for "free."

From the Mindstreams of Information blog:

Stormy Wormy is back in the game on the top of Xmas eve, enticing the end users with a special Xmas strip show for those who dare to download the binary. The domain merrychristmasdude.com is logically in a fast-flux, here are some more details:

Administrative, Technical Contact
Contact Name: John A Cortas
Contact Organization: John A Cortas
Contact Street1: Green st 322, fl.10
Contact City: Toronto
Contact Postal Code: 12345
Contact Country: CA
Contact Phone: +1 435 2312633
Contact E-mail: cortas2008 @ yahoo.com

In case you are less than technically astute (a lot of us are), the Storm worm has been around for a while. Wikipedia offers a good explanation of how it will trash a Windows system, here.

Downloading it normally leads to your computer becoming a spam-spewing zombie controlled by a bot-herder. Becoming infected also poses information theft risks.

Full post from Dancho, here.

(Screen shot courtesy of the Mindstreams of Information blog)

Update:

Found some more information on this at the SANS Internet Storm Center, which can be seen here.

And apparently some splogs have been set up on blogspot to support this current storm on the Internet:

If you google for merrychristmasdude.com you'll see a number of spam blogs set up with that domain in their body and directing traffic to siski.cn (take a look for that in your proxy logs while you're at it.)

Visiting skiski.cn will redirect you over to shockbabetv.com and attempt to install a fake video codec, which itself appears to be a downloader to deliver more coal to your stocking.

It also appears that the hackers behind this are moving on to New Year's lures and a new domain.

Shortly before 1600 GMT 25-DEC-2007 we got a report indicating that the Storm Botnet was sending out another wave of attempts to enlist new members. This version is a New Years-themed e-card directing victims to "uhave post card.com." (spaces inserted to break the URL) NOTE: Please do not blindly go to this URL -- there is malware behind it.

Also reported by the SANS Internet Storm Center, here.

Sunday, December 02, 2007

Are criminal to criminal (C2C) networks making cyber crime too easy?

With the FBI's announcement of Operation Bot Roast II detailing the arrests of several bot-herders infecting computer systems on an international basis, it's become apparent that a lot of crime is going on with the click of a mouse.

One of the more amazing revelations to come forward from Operation Bot Roast II was that a teenager was described in the media as a "cyber crime kingpin." Most of the people arrested were under 30. This led me to wonder whether our young people are getting smarter, or cyber crime is getting a lot easier to commit.

I ran into an article from ZDNet entitled "The new battleground in cyber crime." It covered a lot of things I already knew, but perhaps it hits on the reason cyber crime is growing at an explosive rate.

From the article written by Yuval Ben-Itzhak (originally published on News.com):

In an age where "data equals money," fortune has replaced fame as hackers' key motivation. Criminals are willing to pay top dollar for personal, financial, and corporate data collected by Trojans and other "crimeware."

The evidence is out there. Price lists discovered on the black market reveal that criminals are willing to pay $5,000 for a financial report, $500 for a credit card with PIN, and $150 for a driver's license ID.

With do-it-yourself malicious software packages available for $200, cybercriminals need neither deep pockets nor programming skills to compromise a Web site or steal sensitive financial data from an infected PC. Indeed, Finjan's security research confirms that crimeware toolkits have become cybercriminals' favorite weapon. The new business model is criminal-2-criminal (C2C)--attackers selling malicious code and stolen data to other criminal elements that profit from it.

The criminal-to-criminal (C2C) business model was a new term for me, but after thinking about it, it describes exactly what we keep hearing is going on out there.

Yuval made another statement in his article, which is something I've tried to point out numerous times:

The cybercrime equation is simple: the longer the crimeware remains undetected, the higher the profit for the attackers.

When I say I've tried to point this thought out before, it was in reference to all the data breaches we see in the news. Once a data breach becomes transparent, the information probably isn't of very much use in the C2C business model, anymore.

Maybe that is why after a data breach, we rarely see anyone get caught using the information?

If this is true, the more we can monitor the C2C business model in real time, the more effective we will be in attacking the criminals behind it?

While investing a lot of resources dealing with the data breaches is probably necessary, it does little to solve the overall problem. The statistics are that once a data breach becomes transparent the information rarely gets used, if at all.

With litigation arising from some of these data breaches, the cost of disclosing one is growing as well. I wonder what would happen if we started spending more money up front going after what is going on right now? We might spend a lot less money cleaning up the mess after the fact.

Unfortunately, the monetary resources allocated by most organizations to fight cyber, financial and information crime are often considered a necessary evil. The result is that the people dedicated to protecting us from these types of crimes are often some pretty overworked individuals.

Please note that this is true in both the private and public sectors.

Couple this with certain marketing practices that make committing some of these crimes fairly easy, and it's no wonder we are facing an ever-growing problem.

Perhaps, we should start rethinking how we go after this problem?

Yuval's article (which I consider an interesting read) can be seen, here.

Some of the reference material he used in writing his article came from the security researchers at Finjan. Their report is available on the Internet and can be seen here.