YOU!… YES YOU, SHOULD READ THIS!: Why Phishing Works And How To Avoid Becoming a Victim

Articles of Interest, Crimes & Criminal Activity (Organized Crime, Narcotics, Predators, Cyber Crime, Cyber Stalking, UnSolved), Firearms, Weapons & Personal Safety, National security, Terrorism, Cyber Terrorism & Related Crimes, Social Media, Technology & Digital Security Comments Off

Oct 292012

Why Phishing Works And How To Avoid Becoming a Victim

Security Week
by Jon-Louis Heimeri
October 20, 2012

Teach Someone to Phish and They Can Feed Themself Forever…

Or maybe, we work harder to avoid phishing.

Phishing is a form of social engineering that attempts to steal sensitive information. An attacker’s goal is to compromise systems to obtain usernames, passwords, and other account and/or financial data. They most frequently accomplish phishing attacks via email. The attacker sends crafted emails to people within an organization. The email usually pretends to be from someone trustworthy, like your bank, UPS/FedEx, a credit card company or an airline, or some other site for which you may have login credentials. The email includes a link to an “official” website that is actually a fake site operated by the attacker.

Once the user visits the fake site, they may be asked overtly to enter account information such as usernames, passwords, credit card details, social security or bank account numbers. The victim may also be exposed to malware by the fake site. Taking advantage of a variety of vulnerabilities in the browser, the attacker may be able to install a Trojan Horse on the user’s computer. If done correctly, the attack can capture sensitive information without the victim even knowing that they have been compromised.

Why Phishing Works

Such attacks are especially troublesome when the victims are privileged users within an organization. Suppose a user has privileges to approve or send checks, or authorize a bank transfer such as an ACH transfer. If that user can be tricked into giving up their username and password, then an imposter can potentially re-use the official username/password to initiate their own transfer. Since the transfer is being authorized by an appropriate account holder (as far as the system is concerned, with a valid username and password) it is harder to identify this as fraud without additional monitoring and validations.

Attackers utilize more advanced and more determined phishing methods if they are sure they have identified high value account holders. “Spear phishing” includes techniques to ensure that the attacks are successful. An attacker might, for instance, develop their target employee list, and then check social media pages like Facebook for interests, children’s names and schools, and other available information to gather detailed intelligence that they can use to craft a targeted email. You may not automatically respond to an email from your bank, but would an email from your dealer about an emergency recall notice on your new car, or a notice from a pharmaceutical company about critical side effects of a prescription drug you are taking, or an email about your daughter’s financial aid at college be likely to get some attention? These targeted emails are usually highly effective.

Current phishing attacks against financial institutions are very customized. They are designed to be effective in these environments by targeting large numbers of financial institution employees. The goal is to infect and compromise enough users that the attacker can get end-to-end control of financial transaction approval systems, allowing him to initiate and approve transactions that appear to be properly authorized. These attacks use tailored techniques, dynamic websites, and regularly update the methods used. The result is a series of attacks that have an alarmingly high success rate, yet a relatively low detection rate.

As far as we know right now, these attacks have mostly been conducted against small-to-medium sized banks and credit unions, but some large banks and other financial organizations have been specifically targeted. The resulting compromises have allowed fraudulent wire transfers of sizeable amounts – $400,000 to 900,000, and sometimes more. Attackers are often able to browse an organization’s accounts and specifically select accounts with the highest balances.

Avoid Becoming a Victim

Organizationally, there are things you can do to help avoid becoming a victim, and to minimize damage if you are victimized:

1. Consider using dedicated systems for payment requests and approval processes. Consider disabling email access on any system involved with payment processing. If an attacker cannot compromise the systems in payment processing, he will have a harder time obtaining payment usernames and passwords, and a harder time actually requesting/approving a transfer.

2. Consider using a strong authentication mechanism on all payment processing systems. This would include replacing or augmenting username/password combinations with a hardware token and PIN, or with biometrics such as a fingerprint reader. An attacker will be unable to copy and reuse strong authentication such as a token or biometrics.

3. Consider blocking Internet access for systems involved in payment processing. If the system genuinely has no Internet access, malware would be unable to talk back to its controlling systems and attacker.

4. Consider disabling the use of USB flash drives in payment processing systems. In some circles USB flash drives are often referred to as “malware delivery devices.” Disabling USB flash drives removes one more potential avenue for infection.

5. Use tools available in your email client. Outlook, for instance, has the ability to help filter potentially harmful links. In Outlook, go to Tools/Options/Preferences/Junk E-mail/Options, and check “Disable links and other functionality in phishing messages” and “Warn me about suspicious domain names in e-mail addresses.” These are not perfect solutions but they can help.

6. Be diligent in your use of anti-virus and anti-malware software, including regular updates and scans. Most of the malware used as part of a phishing attack is not detected by standard anti-virus software, but some of it is. Some malware indicators may not be changed before an anti-virus update is available, and sometimes older versions of malware are distributed. Additionally, anti-virus software can help identify secondary infections that may be related to an attack.

7. Use reputation-based website, IP address, and URL filtering to help ensure that any systems accessed from within the company are not considered “bad” sites. You can extend this further by allowing only “white-list” access – access to addresses that have specifically been recognized as “good” sites (note that this has the potential to inhibit some Internet capability).

8. Consider enforcing time-of-day login and payment processing. Many fraudulent transactions occur after normal working hours. For instance, a series of large transfers that completed at 7:00PM Friday evening might be functionally ignored until staff return and see abnormal activities Monday morning.

9. Consider limiting access to payment processing systems from mobile devices, laptops, and systems based in home offices. These distributed systems are typically more vulnerable to threats.

10. Do not allow access to any internal organization system, especially payment processing systems, from a personally owned home computer. There is simply no way the organization can enforce proper control over such a system.

11. Conduct employee security awareness sessions to instruct employees on how to identify phishing emails and avoid falling victim to them. Any reduction in exposure slows compromise and increases your organization’s capability to identify an escalating threat.

12. Explicitly communicate to employees, partners and clients that you will never solicit account information via email, or send a link to update account information.

Individually, there are things employees can do to help avoid becoming a victim and compromising the integrity of organizational operations:

1. Never open attachments or links in unsolicited emails.

2. In general, be suspicious of all emails containing links. If you get an email with a link for you to click, do not click it. Navigate independently to the destination site (for example, by typing www.mybigbank.com into a new browser window) and find the referenced location without using the conveniently included link.

3. Do not respond to suspicious emails in any manner.

4. Do not access emails on the same computers used to initiate or approve payments.

5. Make management aware when you receive a suspicious email.

Examples of Phishing Emails

You can refer back to a previous column I wrote on here for a detailed breakdown of a phishing email. But what if the email is not as blatant as the one I dissected before?

For purposes of this analysis, we will assume that “Account Operator” is a reasonable role in your organization. The attacker has gathered enough intelligence to know that the salutation is appropriate. Also assume that the organization name replaced with xxxxx.com is the name of your organization. What is wrong with this email?

1. Effectively, not much. By all appearances this is an email that came from your own security department providing notice that your ACH privileges have been at least temporarily revoked.

2. Checking the email address will show nothing as the email address has been spoofed.

3. Your first clue should be that the email has a generic salutation. If this email actually came from your own security department, it would probably be addressed to “Martin”, or “Mr. Reyes”, and not to the job role.

4. The only real clue in this email is the hyperlink available at “view details.” In most browser-based email clients and some clients like Outlook, hovering over the hyperlink field will show the embedded link without actually opening it. The hyperlink pointed to a site that was completely unrelated to the organization, something similar to this: “http://jkdev.nodonenet.com/forwarding.htm”

Chances are that you have been the target of a phishing attack. If you are in the financial community, chances are that you have been exposed to dedicated attacks – and will be again. Your best protection against phishing attacks is a combination of training and awareness that can limit the success of phishing attacks, and technical controls that will help identify compromised systems and attempts by those systems to talk to hostile servers on the Internet.

Direct Link: http://www.securityweek.com/why-phishing-works-and-how-avoid-becoming-victim

Don’t Be A Victim of… Cell Phone Financial Identity Theft!

Jul 312012

Cell Phone Financial Identity Theft

SCIENCE DAILY

by Wake Forest University

July 26, 2012

While the cell phone is an amazingly useful device, using it for banking — and consumers are increasingly using mobile phones as banking tools — can lead to identity theft and other financial crimes, if reasonable precautions aren’t taken.

“Anyone who has access to your cell phone has access to your identity in a few clicks,” says Elizabeth Baker, an assistant professor at Wake Forest University and an expert in information system security issues. “Often, credit card companies limit your financial responsibility if your card is stolen and fraud is committed. This is not true for your checking and savings bank accounts. Money fraudulently withdrawn can be costly.”

* * Baker offers the following tips for protecting yourself from mobile financial theft.

* Never store financial information on your cell phone — logins, passwords, account numbers, Social Security numbers, etc. — not even in a mobile banking app.

If you lose your phone, whoever finds it has immediate access to your account if your login credentials are stored. A thief can use the app and get your account info to withdraw your money. Big hazard.

* Never text message any financial information from your cell phone.

Text messages are not secure modes of communication, and all of the texts that you send are logged in your phone. A hacker or thief could access your phone and the text message logs to easily find your financial information.

* Lock your phone or have a way to delete the information on your phone remotely.

According to a survey last year by data security firm Sophos, 22 percent of respondents have lost their phones, while 70 percent didn’t use password protection. Use a password.

* Check your accounts frequently for suspicious activity.

Every few days, if not everyday, you should check on your money. Since you will be the one without the money and with scarce opportunity to get any restitution, it is important to be on top of the account to make sure that nothing unexpected is happening.

Teenagers and young adults are particularly vulnerable to mobile identity theft because they are comfortable sharing information through their phones, Baker says. Make sure to discuss these dangers with your teens when they open their first bank accounts and monitor their accounts regularly.

Direct Link: http://www.sciencedaily.com/releases/2012/07/120726180137.htm

Firefox 13 leaks ahead of release, plays catch-up to other browsers

Articles of Interest, Crimes & Criminal Activity (Organized Crime, Narcotics, Predators, Cyber Crime, Cyber Stalking, UnSolved), Firearms, Weapons & Personal Safety, Social Media, Technology & Digital Security No Responses »

Jun 042012

Firefox 13 leaks ahead of release, plays catch-up to other browsers

Los Angeles Times

By Salvador RodriguezJune 4, 2012

Firefox 13, the latest version of Mozilla’s browser, leaked a day ahead of its official release. (Firefox / June 4, 2012)

Welcome to the 2010s, Firefox.

The latest version of Mozilla’s Web browser, Firefox 13, leaked onto the Internet a day ahead of its official release, and is available for download to anyone.

But unlike previous versions of Firefox that trail blazed new ways to surf the Web, this version is more about bringing Firefox up to par with its peers. It’s not a bad browser, but it’s nothing special either.

The official version will become available from Mozilla on Tuesday, but the early version, which is available here, appears to be the full, real thing.

The latest Firefox rendition, which has been available in Beta form for some time, brings a couple of new features with it to make the browser more helpful as well as faster.

The most notable changes will be visible to users on the browser’s default home page and its new tab page.

The default home page has been redesigned to include more than the Firefox logo and Google search bar. It now also includes thumbnail shortcuts to your downloads, bookmarks, history and other pages.

The new tab page is no longer a white, blank waste of real estate, but rather, it shows you your nine most visited websites, which as WebProNews notes, is nothing we haven’t seen before but something Firefox was definitely missing. And for those users who do like the blank page, there’s a button on the top right corner that brings it back.

Another addition to Firefox is a feature called Tabs on Demand, which is great for users who like to leave millions of tabs open. Tabs on Demand works when a user reloads a previous session that had numerous open tabs.

But rather than open each of them up simultaneously, inevitably making your computer crash or drag, Tabs on Demand only opens each tab as you get around to using it.

And there’s also Reset Firefox. This feature works when Firefox stops working by migrating your bookmarks, passwords, cookies and other data to a new profile while resetting everything else to default.

It’s a near-nuke option for when everything else fails to fix the problem.

So check out the latest version of Firefox or wait for Tuesday and get it officially from its makers. It’s nice and fresh, but it’s not a standout as Firefox once was.

ALSO:

Google Chrome becomes most used Web browser

Google Chrome heading to iPhone, analysts predict

Is Facebook going to buy Opera, make its own browser?

Direct Link: http://www.latimes.com/business/technology/la-fi-tn-firefox-13-leaks-20120604,0,16098.story

Computer expert who stole eight million people’s personal details for an ‘intellectual challenge’ jailed for two and half years

Articles of Interest, Crimes & Criminal Activity (Organized Crime, Narcotics, Predators, Cyber Crime, Cyber Stalking, UnSolved), Firearms, Weapons & Personal Safety, Investigative, Law Enforcement, National security, Terrorism, Cyber Terrorism & Related Crimes, Social Media, Technology & Digital Security No Responses »

Apr 052012

Computer expert who stole eight million people’s personal details for an ‘intellectual challenge’ jailed for two and half years

Program scanned through 200,000 PayPal accounts
Part of Nokia internal network temporarily shut down
Girlfriend used stolen card details to try and pay for luxury hotels
Hacker hoarded enough personal details to fill 67,500 double-sided A4 pages

MAIL Online (UK)

By Phil Vinter

3 April 2012

A computer hacker illegally acquired enough credit and debit card details to carry out a potential £800,000 worth of fraud.

Edward Pearson, 23, of Lendale, York, used a trojan virus to download thousands of credit card details along with the postcodes, passwords, names and dates of birth of more than eight million people in the UK.

One of his programs scanned through 200,000 accounts registered to online payment service PayPal – identifying names, passwords and current balances.

Pearson, an ‘incredibly talented’ boarding school student who carried out the crime for an ‘intellectual challenge’, has been jailed for two years and two months.

Fraudster: Edward Pearson, 23, stole the personal details of more than eight million people.

Pearson’s girlfriend Cassandra Mennim, 21, tried to pay for luxury hotels using stolen credit card details

He also managed to shut down part of the mobile phone giant Nokia’s internal network for two weeks after hacking in and copying the details of over 8,000 members of staff, Southwark Crown Court heard.

His 21-year-old girlfriend, Cassandra Mennim, a sociology student at the University of York, triggered a police inquiry after she tried to pay for luxury hotel stays using stolen credit card details.

Pearson was arrested after investigators linked a web alias, ‘G-Zero’, which had appeared on hacking forums, to his personal email address.

On one of his computers officers found 8,110,474 names, dates of birth, and postcodes for adults living in the UK.

Police officers in the case said that if the details were printed onto double-sided A4 it would fill a staggering 67,500 sheets.

David Hughes, prosecuting, said the hacker had carried out a series of ‘sophisticated, planned frauds.’

He said: ‘Pearson used his considerable expertise for his criminal intentions.

‘When police examined other computers they found the details of 2,701 credit or debit cards.

‘Based on the average fraud used on a single card being £309, the potential gain to be made by him was £834,000.

‘In fact the actual fraud on these credit and debit cards attributed to Pearson amounted to £2,351, but the total on the cards was £39,832.’

The details were all stolen over an 18-month period between January 1, 2010, and August 30, 2011.

Pearson coded trojan viruses, called Zeus, SpyEye and Python, to automatically scour the internet in search of personal details.

His Python program successfully downloaded the details of 200,000 PayPal accounts.

Mr Hughes added that Pearson had hacked into the systems of Nokia and web giant AOL to gain access to their employees’ details, as well as other sensitive information.

‘This had a significant negative impact on the company, which had to shut its networks down for two weeks while checks were carried out on it,’ he said.

Mennim was caught after booking rooms at the Cedar Court Grand Hotel and Lady Anne Middleton Hotel, both in York, using stolen credit card details and PayPal accounts.

Andrew Bodnar, defending Pearson, said his hacking had not been for financial gain, but more as an intellectual challenge.

‘This is a young man who has very advance computer skills, but has put them to the wrong use, but he is not the criminal mastermind that everyone claims he is.

‘The total amount of money he fraudulently amounted, is the figure of £2,351.

Pearson’s girlfriend Cassandra Mennim tried to pay for a luxury hotel stay at the Cedar Court Grand Hotel in York

Mennim also used PayPal details to tell staff she would pay for an expensive stay at Lady Anne Middleton’s Hotel, in York

‘These have been done using the Paypal accounts, to order pizza and other takeaway foods, and to pay for mobile phone accounts.

‘It is fair to say that he produced the Trojan, Zeus and other software as an intellectual challenge, and he hacked into Nokia to see if he could.’

He added that although he had shared some of the details, he had never sold them.

Shut down: Mobile phone giant Nokia was shut down by Pearson for two weeks after he hacked in to their network and copied the details of more than 8,000 members of staff, Southwark Crown Court heard

Stephen Grattage, defending Mennim, who gained 9 A’s and 4 A*’s at GCSEs, said she was a vulnerable young women who had found comfort in Pearson following a difficult previous relationship.

‘She stands before the court, saying she is ashamed of herself, and she is ashamed of her actions and is very sorry.

‘She says she will pay back the money that she owes to the hotel.’

‘This was a very sophisticated crime, in which you managed to access highly confidential information and put many individuals at risk of attack.’
MS RECORDER ANN MULLIGAN

Sentencing Pearson to two years and two months and handing Mennim a 12 month supervision order the judge Ms Recorder Ann Mulligan said: ‘It is extremely regrettable that you two promising young individuals find yourself in the dock.

‘This was a very sophisticated crime, in which you managed to access highly confidential information and put many many individuals at risk of attack.

‘You had a staggering amount of personal details, 8.1 million, which included names, dates of births, credit and debit card details and security codes, the use of which they could have been used for, is hard to imagine.

‘Your computers and software were a devastating tool kit.

‘I accept that you didn’t sell this information, but you shared it with other computer programmers, and you had no way of knowing how they might use this information.

Victim: Online payment provider PayPal was hacked into by computer expert Edward Pearson

‘This stupendous criminality was not about financial gain, but about an intellectual challenge.’

Pearson, originally from Blandford Forum, Dorset, and now of Lendale, York, admitted making an article for use in fraud and two counts of possession of an article for use in fraud.

Mennim, of Balmoral Terrace, South Gosforth, Newcastle upon Tyne, admitted two counts of obtaining services dishonestly.

More…

Direct Link: http://www.dailymail.co.uk/news/article-2124114/Computer-hacker-Edward-Pearson-Lendale-York-stole-million-people-s-personal-details-jailed-half-years.html

Logging In With a Touch or a Phrase (Anything but a Password)

Articles of Interest, Crimes & Criminal Activity (Organized Crime, Narcotics, Predators, Cyber Crime, Cyber Stalking, UnSolved), National security, Terrorism, Cyber Terrorism & Related Crimes, Social Media, Technology & Digital Security No Responses »

Dec 262011

Logging In With a Touch or a Phrase (Anything but a Password)

The New York Times

By SOMINI SENGUPTA

December 23, 2011

Fred R. Conrad/The New York Times

One touch-recognition password involves turning an image of a combination lock 90 degrees.

Passwords are a pain to remember. What if a quick wiggle of five fingers on a screen could log you in instead? Or speaking a simple phrase?

Video about Biometric Passwords

Fred R. Conrad/The New York Times

In another alternative to the password, one would sign one’s name on a small screen.

Fred R. Conrad/The New York Times

Nasir Memon of N.Y.U.’s Polytechnic Institute has been working on touch recognition in iPads.

Neither idea is far-fetched. Computer scientists in Brooklyn are training their iPads to recognize their owners by the touch of their fingers as they make a caressing gesture. Banks are already using software that recognizes your voice, supplementing the standard PIN.

And after years of predicting its demise, security researchers are renewing their efforts to supplement and perhaps one day obliterate the old-fashioned password.

“If you ask me what is the biggest nuisance today, I would say it’s the 40 different passwords I have to create and change,” said Nasir Memon, a computer science professor at the Polytechnic Institute of New York University in Brooklyn who is leading the iPad project.

Many people would agree. The password has become a monkey on our digital backs — an essential key to our many devices and accounts, but increasingly a source of exasperation and insecurity.

The research arm of the Defense Department is looking for ways to use cues like a person’s typing quirks to continuously verify identity — in case, say, a soldier’s laptop ends up in enemy hands on the battlefield. In a more ordinary example, Google recently began nudging users to consider a two-step log-in system, combining a password with a code sent to their phones. Google’s latest Android software can unlock a phone when it recognizes the owner’s face or — not so safe — when it is tricked by someone holding up a photograph of the owner’s face.

Still, despite these recent advances, it may be premature to announce the end of passwords, as Bill Gates famously did in 2004, when he said “the password is dead.”

“The spectacularly incorrect assumption ‘passwords are dead’ has been harmful, discouraging research on how to improve the lot of close to two billion people who use them,” Cormac Herley, a researcher at Microsoft, the company that Mr. Gates founded, wrote in a recent paper. Mr. Herley suggested instead that developers try “to better support the use of passwords” — for example, by helping people protect their wireless connections from eavesdroppers. “Passwords,” Mr. Herley continued, “have proved themselves a worthy opponent: all those who have attempted to replace them have failed.”

The touch-screen approach of Professor Memon in Brooklyn works because, as it happens, each person makes the same gesture uniquely. Their fingers are different, they move at different speeds, they have what he calls a different “flair.” He wants logging in to be easy; besides, he said, some people find biometric measures like an iris scan to be “creepy.”

In his research, the most popular gestures turned out to be the ones that feel most intuitive. One was to turn the image of a combination lock 90 degrees in one direction. Another was to sign one’s name on the screen. In principle, the gesture can be used to unlock a device, or an app on the device that safely holds a variety of passwords.

Despite their resilience, passwords are weak, notably because their users have limited memories and a weakness for blurting out secrets. Most people need dozens of them, and they tend to pick ones that are so complex they need to be written down, or so simple they can be easily guessed. Recently, criminals have become adept at stealing passwords by sneaking malicious software onto computers or tricking users into typing them into an illegitimate site.

Companies like Facebook and Twitter have sought to address the frustration with passwords by allowing their usernames and passwords to open the door to millions of Web sites, a convenience that brings obvious risks. A thief with access to a master username and password can have access to a host of accounts.

Rachna Dhamija, a California computer scientist turned entrepreneur, sought to combat those weaknesses by breaking up the password. The user first logs in to the service that Ms. Dhamija built, UsableLogin, and signs in with her own partial password. Behind the scenes, the service verifies that the user is on an authorized device, and pulls the third piece from the cloud, generating a unique password for any Web site that the user wants to log in to — Facebook, for instance. In other words, one piece of the password rests with the user, another is stored in her device, and a third piece is kept online.

“You take a secret and you spread it across,” said Ms. Dhamija, whose service was recently acquired by Webroot Software, based in Broomfield, Colo. “You’re spreading the risk. The password is not stored in its whole form anywhere.”

But even if a user has been authorized at the start of a session, what if someone else gains access to her computer an hour later? Darpa, the Defense Department’s technology research arm, has invited security researchers to develop ways to verify a user every instant, based on the way the individual uses the machine — “for example, how the user handles the mouse and how the user crafts written language in an e-mail or document,” it explains on its Web site.

Each of these techniques is driven by the notion that a password alone is an insufficient means to verify online identity. Think of them as a fortification: a password-plus.

Many companies use a smart card or a security “dongle” — a small piece of hardware that plugs into the computer and functions as a key — as that second step of verification to allow access to internal networks. Today, biometrics — an individual’s unique physical traits — are emerging as an alternative.

At least a half-dozen banks in the United States ask their customers to verify who they are by reciting a two-second phrase to a computer over the phone, in addition to punching in their PINs. It could be as simple as “at my bank,” and a million customers could recite the very same phrase and still sound unique, according to Nuance Communications, a company based in Burlington, Mass., that makes the technology.

As mobile phones become bodily appendages for people worldwide, they too are emerging as instruments to verify identity. Google introduced its two-step process earlier this year. It sends a six-digit code to an application on a Google user’s cellphone to be entered, along with a password, when signing onto a Google account on a computer or tablet. The code can also be sent as a text message for those who don’t have smartphones, or it can be conveyed through a phone call.

The extra step is not mandatory, and the company will not say how widely it has been adopted. But as vulnerable as passwords are to theft and compromise, Google says, it is increasingly important for a user’s identity to be verified through another channel — a cellphone, in this case.

“I think we’ll start to see people using their mobile devices as their pervasive identifiers,” said Brendon Wilson, a security researcher at Symantec. “The password will no longer be the final arbiter that you are you. You will see layers on top.”

Direct Link: http://www.nytimes.com/2011/12/24/technology/logging-in-with-a-touch-or-a-phrase-anything-but-a-password.html?nl=todaysheadlines&emc=tha25

Older Entries