Category Archives: Identity Theft

Spam worming up rapidly –McAfee

Email and spam volume McAfee PR of today, McAfee Quarterly Threat Report Sees Social Media Worm Resurgence as Spam Rises Dramatically: Targeted Attacks Continue Rise; “Pump and Dump” Returns with Record Stock Market Highs

McAfee Labs today released the McAfee Threats Report: First Quarter 2013, which reported a significant spike in instances of the Koobface social networking worm and a dramatic increase in spam. McAfee Labs also saw continued increases in the number and complexity of targeted threats, including information-gathering Trojans and threats targeting systems’ master boot records (MBRs).

McAfee Labs found almost three times as many samples of Koobface as were seen in Continue reading

eCrime Summit in Prague 25-27 April 2012

These ecrime meetings are always interesting and useful. -jsq

Press release of 29 March:

Containing the Global Cybercrime Threat is Focus of Counter eCrime Operations Summit (CeCOS VI) in Prague, April 25-27

CeCOS VI, in Prague, Czech Republic, to focus on harmonizing operational issues, cybercrime data exchange, and industrial policies to strengthen and unify the global counter-ecrime effort.

CAMBRIDGE, Mass.—(BUSINESS WIRE)—The 6th annual Counter eCrime Operations Summit (CeCOS VI) will convene in Prague, Czech Republic, April 25-27, 2012, as the APWG gathers global leaders from the financial services, technology, government, law enforcement, communications sectors, and research centers to define common goals and harmonize resources to strengthen the global counter-cybercrime effort.

CeCOS VI Prague will review the development of response systems and resources available to counter-cybercrime managers and forensic professionals from around the world.

Specific goals of this high-level, multi-national conference are to identify common forensic needs, in terms of the data, tools, and communications protocols required to harmonize cybercrime response across borders and between private sector financial and industrial sector responders and public sector policy professionals and law enforcement.

Key presentations will include:

Continue reading

Davos discovers cyber attacks

Cyber attacks made the Davos Top 5 Global Risks in Terms of Likelihood. Davos, the annual conclave of the hyper-rich and famously elected, has also discovered Severe income disparity and Water supply crisis, so maybe they’re becoming more realistic.

However, in Figure 17 on page 25 they’ve got Cyber attacks as an origin risk, along with Massive incident of data fraud or theft and Massive digital misinformation. I think they’re missing the point, which is the real origin risk is poor infosec, and the origin of that is vendors like MSFT knowingly shipping systems with design flaws and people and organizations running them while hiding such problems.

Interesting comment on page 26: Continue reading

Route Hijacking: Identity Theft of Internet Infrastructure

Peter Svensson gives an old and quite serious problem some mainstream press in this AP story from 8 May 2010:
On April 25, 1997, millions of people in North America lost access to all of the Internet for about an hour. The hijacking was caused by an employee misprogramming a router, a computer that directs data traffic, at a small Internet service provider.

A similar incident happened elsewhere the next year, and the one after that. Routing errors also blocked Internet access in different parts of the world, often for millions of people, in 2001, 2004, 2005, 2006, 2008 and 2009. Last month a Chinese Internet service provider halted access from around the world to a vast number of sites, including Dell.com and CNN.com, for about 20 minutes.

In 2008, Pakistan Telecom tried to comply with a government order to prevent access to YouTube from the country and intentionally “black-holed” requests for YouTube videos from Pakistani Internet users. But it also accidentally told the international carrier upstream from it that “I’m the best route to YouTube, so send all YouTube traffic to me.” The upstream carrier accepted the routing message, and passed it along to other carriers across the world, which started sending all requests for YouTube videos to Pakistan Telecom. Soon, even Internet users in the U.S. were deprived of videos of singing cats and skateboarding dogs for a few hours.

In 2004, the flaw was put to malicious use when someone got a computer in Malaysia to tell Internet service providers that it was part of Yahoo Inc. A flood of spam was sent out, appearing to come from Yahoo.

The Pakistani incident is illustrated in the accompanying story and video by RIPE.

This problem has been known for a long time. Why hasn’t it been fixed? Continue reading

Teachable Moment: APWG/CMU Phishing Education Landing Page program

Phishing? Fail!

When you take down a phishing domain or server, don’t just take it off the net: redirect it to this education page so victims of phishing can learn in the act of being suckered by a phisher that they should be more careful what they click on.

As someone in the audience pointed out, whatever you do don’t redirect phishing pages back to the actual sites being phished, i.e., if the phisher was pretending to be a bank, don’t take down the phisher’s redirect and replace it with a redirect to the bank itself. THat just teaches people the wrong thing, to follow a bad link.

Instead, link to the APWG/CMU landing page. Which could use a catchier name (how about Phishing: Fail!), but it’s already a really good service.

MySpace Anti-Phishing

Shing Yin Khor of Fox Interactive Media, which owns MySpace, gave an entertaining talk at APWG in which she gave a good case that MySpace has mostly eliminated phishing ads on MySpace and is busily suppressing other phishing.
Throwing money at the issue of phishing actually works.
MySpace’s anti-phishing forces include former law enforcement people, including a former federal and state prosecutor, a former L.A. D.A., and a former FBI agent. They have successfully sued spam king Scott “ringtones” Richter and his CPA empire.

MySpace does have an advantage in actually hosting all displays and messages. It’s good to be a many-hundred-million shopping mall. She didn’t say that; I did. She did say they use MySpace specific measures such as education via Tom’s profile. Tom was one of the founders of MySpace. Every new user gets Tom as a friend, so his online persona (pictured) has 240 million friends, so that’s a channel that reaches most of their users. She did say:

Education is just as important as technical measures.
What works on MySpace will work on other social network sites.

But Shing’s theme of pro-active measures against phishing and spam is one other organizations could take to heart. Don’t think you can do nothing: you can.

Of course, if you have fewer than 200 million users, you may want to band together with other organizations, for example by joining APWG. Even MySpace does.

APWG Atlanta Buckhead

apwgfall08.jpg Five years of the Anti-Phishing Working Group! Dave Jevans gave a retrospective, followed by country reports:

Japan: Pretending to be grandchild to get bank account transfer is popular. ATM scams are the most lucrative.

Russia: Second biggest global source of spam. Ecrime economy is ten times the si ze of the anti-ecrime industry, and that’s a problem.

Brazil: Most phishing is done locally. Is all organized crime.

I don’t want to go into too much detail, even though the bad guys don’t seem to need any help. APWG continues to climb the ecrimeware curve, catching up with th e miscreants.

Paypal Says Old IE is Like Car Without Seat Belt: EV SSL blocking

bullet-details-ev-ssl.jpg
The eBay-owned company, which runs a Web-based payment system that allows the transfer of funds between bank accounts and credit cards, said browsers that do not have support for blocking identity theft-related Web sites or for EV SSL (Extended Validation Secure Sockets Layer) certificates are considered “unsafe” for financial transactions.

“In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts,” said PayPal Chief Information Security Officer Michael Barrett.

Barrett only mentioned old, out-of-support versions of Microsoft’s Internet Explorer among this group of “unsafe browsers,” but it’s clear his warning extends to Apple’s Safari browser, which offers no anti-phishing protection and does not support the use of EV SSL certificates.

BPayPal Plans to Ban Unsafe Browsers, By Ryan Naraine, EWeek.com, 2008-04-17

Now on the one hand, I think EV SSL is color-coded checklist security candy: Continue reading

Class Action Coming for Identity Theft?

zerodaythreat.jpg It wouldn’t be a moment too soon:
I painfully predicted a few years back that phishing and related identity theft would result in class action suits. I lost my bet as it didn’t happen fast enough, but a significant step has been taken (reported by Lynn) with the publication of a book that apparently blames the banks and the software manufacturers for identity theft.

Signs of Liability: ‘Zero Day Threat’ blames IT and Security industry, Ian Grigg, Financial Cryptography, April 14, 2008

The book review iang quotes gets it about online crime not being amateur anymore: it’s organized. And it gets it about perhaps a more important point: Continue reading