March 14, 2006
Redirection: The Next Generation of Phishing Attacks
Two banks learn the hard way about scammers' new strategy.
By Maria Bruno-Britz
March 14, 2006
Just when you thought it was safe to go in the cyber water, phishers have developed yet another way to outsmart current security technology. According to security solutions provider RSA Cyota (Bedford, Mass.), this new technique, dubbed smart redirection attack, is designed to ensure that potential phishing victims always link to a live Web site.
This development marks the third step in the evolution of phishing, says Naftali Bennett, SVP at RSA Cyota Consumer Solutions. "First we had simple phishing attacks with one hosted spoof Web site for victims to click to. We would then go in and shut the site down. The next was to have one phishing attack with several hosted spoof sites where you'd divide the total e-mails sent into smaller groups that connect to a given site. We've become efficient at taking these down. Now we have this new development."
According to Bennett, in smart redirection attacks, scammers build a set of sites where all the links in the phishing attack connect to a redirection or hub Web site. This hub site checks to see which phishing sites are still live and redirects victims to them accordingly. Even if a company shuts down some of the sites, there might still be a "survivor" site. He says the goal of this new strategy is to lengthen the duration of phishing attacks.
Technicians at RSA Cyota's Anti-Fraud Command Center discovered the technique and report that, so far, attacks on two different banks—one in the U.K. and one in Canada—have been detected. Bennett said RSA took the sites down and executed a procedure where efforts were concentrated on finding and closing the redirection site. Although this task is not always easy, he says going after the hub site must be the focus of anti-phishing strategies going forward. "This means that phishing attacks will be more effective until we deploy the new remedies," he explains. "We have over 80 banks (including Barclay's, ING and Washington Mutual, along with smaller FIs and credit unions) using our anti-phishing services. Those banks doing this on their own need to know it's not enough to just shut down one site [in a phishing attack]."
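Bennett's remedy is to find and close the redirection hub rather than the individual spoof sites. The Python below is an added example (not RSA Cyota's tooling and not code from the article) of how a takedown team can turn the redirect chains it observed while resolving reported lure links into a takedown order: a hub is an intermediate host that funnels several lures to more than one distinct landing site, and it goes first because closing it severs every lure routed through it. The chains and hostnames are constructed placeholders under the reserved `.test` domain.

```python
from collections import defaultdict
from urllib.parse import urlparse


# Constructed sample data (not from the article): each list is the chain of
# URLs a reported lure link resolved through when a defender fetched it.
# Hostnames are placeholders under the reserved .test TLD.
OBSERVED_CHAINS = [
    ["lure1.mailer.test/login",  "hub.redirector.test/go?id=1", "spoof-a.host.test/bank"],
    ["lure2.mailer.test/verify", "hub.redirector.test/go?id=2", "spoof-b.host.test/bank"],
    ["lure3.mailer.test/update", "hub.redirector.test/go?id=3", "spoof-a.host.test/bank"],
    ["lure4.mailer.test/secure", "hub.redirector.test/go?id=4", "spoof-c.host.test/bank"],
    ["lure5.mailer.test/acct",   "spoof-d.host.test/bank"],  # classic single-site lure
]


def host_of(url: str) -> str:
    """Return the hostname of a URL that may lack a scheme."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname or ""


def find_hubs(chains):
    """Identify redirection hubs: intermediate hosts that route several
    lures to more than one distinct landing (spoof) site.

    Returns a list of (hub_host, lures_routed, distinct_landing_hosts),
    sorted so the hub carrying the most lures comes first.
    """
    routed = defaultdict(int)
    landings = defaultdict(set)
    for chain in chains:
        hosts = [host_of(u) for u in chain]
        if len(hosts) < 3:
            continue  # no intermediate hop, so nothing in this chain can be a hub
        landing = hosts[-1]
        for mid in hosts[1:-1]:
            routed[mid] += 1
            landings[mid].add(landing)
    hubs = [(h, routed[h], len(landings[h])) for h in routed if len(landings[h]) > 1]
    hubs.sort(key=lambda t: (-t[1], -t[2], t[0]))
    return hubs


def takedown_plan(chains):
    """Order hosts for takedown: hubs first, since closing one severs every
    lure routed through it, then landing sites by how many lures reach them."""
    plan = [h for h, _, _ in find_hubs(chains)]
    reach = defaultdict(int)
    for chain in chains:
        reach[host_of(chain[-1])] += 1
    for landing in sorted(reach, key=lambda h: (-reach[h], h)):
        if landing not in plan:
            plan.append(landing)
    return plan


if __name__ == "__main__":
    for hub, lures, sites in find_hubs(OBSERVED_CHAINS):
        print(f"hub {hub}: routes {lures} lures to {sites} distinct spoof sites")
    print("takedown order:", takedown_plan(OBSERVED_CHAINS))
```

The single-site lure in the sample (no intermediate hop) is deliberately left in: it shows why a takedown process keyed only on landing sites never notices the hub, which is exactly the blind spot the article describes.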
In general, Bennett says banks must take a broader view of fraud. "It's like having security patrols in your neighborhood to keep criminals out of the homes," he says. "That's good, but you still need locks on your doors. And it's even better if your house has an alarm. In banking, you need a good, but not burdensome, lock on 'the door' to your online banking site—the authentication part. Banks should also place alarms within their Internet banking sites to view all transaction activities, see where people are logging in from, whether someone is using a hijacked computer. Strong authentication at the door at login is important, but is not sufficient anymore."
March 14, 2006 at 08:47 PM in Phishing & identity theft
January 19, 2006
Phishing Attacks Hit All-Time High - Yahoo! News
Elizabeth Millard, newsfactor.com Thu Jan 19, 4:29 PM ET
The Anti-Phishing Working Group (APWG) is saying that phishing attacks are more rampant now than ever, especially after last year, which saw steady growth of the online fraud.
The number of unique fraud attacks launched over e-mail in November 2005 was nearly double that of November 2004, according to the industry group.
Although phishers continue to stick to some tried-and-true tactics -- such as using the names of financial institutions to trick people into giving up their account information -- they also have started using the names of other brands, like eBay, Google, and Apple.
The number of major brand names targeted increased from 64 to 93 over the course of the past year, the APWG claims. Also increased is the number of Trojans used by phishers, particularly those pieces of malicious software that are carrying keylogger programs.
Serious Problem
The continued rise in phishing attacks shows increasing sophistication in strategy as well as more organized efforts among online criminals, said Dave Jevans, APWG chairman.
"We're a long way from the days when attacks on systems were done to show off," he said. "With the motivation today being money, that creates a different kind of attacker."
Often, he said, phishers are highly organized and very technologically savvy in using remote-controlled zombie machines to launch their attacks.
As Internet users become more aware of potential scams involving financial institutions, phishers have been broadening their tactics to include messages purporting to be from well-trusted companies like Apple.
"Basically, if they think it'll work, they'll try it," said Jevans. "So many companies send e-mails out to users with information about their account settings, and phishers see that as an opportunity to cash in."
Changing the Filter
The APWG is keen on educating users to help reduce the phishing threat. And, as users become slowly more aware of the problem and take protective measures, other organizations have launched some technological efforts to tackle the phishing problem.
For example, the recently released Thunderbird e-mail client, version 1.5, has a built-in phishing detector to flag suspicious e-mail messages.
Other e-mail applications and Web browsers have begun to implement phishing protection as well, and the industry as a whole has been calling for stronger forms of e-mail authentication.
January 19, 2006 at 10:50 PM in Phishing & identity theft
December 09, 2005
Finextra: US Internet users still falling for phishing scams
Phishers are getting better at tricking consumers into revealing bank account details, according to a study conducted by AOL and the National Cyber Security Alliance, which found that two-thirds of US consumers who had received scam e-mails thought they were from legitimate firms.
According to the research, phishing attacks aimed at identity theft now affect roughly one in four Americans (23%) each month.
Around 70% of consumers who received these phishing e-mails thought they were actually from legitimate companies.
"Phishers are getting better at tricking consumers into revealing their bank account and financial information, and most Americans can't tell the difference between real e-mails and the growing flood of scams that lead to fraud and identity theft," says Tatiana Platt, Senior Vice President and Chief Trust Officer for AOL. "Consumers need to be aware of the risk, and they need to use critical protections like anti-virus software, spyware protection, and a firewall to help protect them from online threats."
Three-quarters (74%) of respondents said they used their computers for sensitive transactions such as banking, stock trading, or reviewing personal medical information. But the study found that 81% of home PCs lack at least one of the three critical protections - updated computer virus software, spyware protection and a secure firewall - necessary to help guard against viruses, spyware, hackers and other threats.
More than half (56%) of respondents either had no anti-virus protection or had not updated it within the last week. Almost half (44%) did not have a properly-configured firewall and over a third (38%) lacked spyware protection. Yet, despite these findings, the large majority of users (83%) believed that they were safe from online threats.
December 9, 2005 at 12:45 PM in Phishing & identity theft
August 30, 2005
ID theft ring escapes shutdown (BBC News, Technology)
An ID theft ring that has hit thousands of people is proving hard to shut down.
Discovered by US security firm Sunbelt Software, the scam used keyloggers to steal data stored by Microsoft's Internet Explorer browser.
Variants of the original bug are popping up and sending data to other servers and are continuing to harvest data from unwitting victims' machines.
Tools are now appearing to help people find out if they are infected and to remove the sophisticated bug.
Victim list
Sunbelt came across the server at the centre of the ID theft ring by accident while investigating the ways that spyware can infect Windows PCs.
A search of the server revealed log files containing megabytes of data stolen from PC users by a variant of a well-known virus. Sunbelt estimates that up to 30,000 people were caught out by the keylogging bug since it appeared in late July.
Initially Sunbelt contacted those it found named in the files, but the sheer number of people caught out has made it impossible to keep up. Instead, it is telling eBay, PayPal and banks about the accounts that have been compromised.
Sunbelt contacted the FBI and soon after the server at the centre of the ID theft ring was shut down, only to return to life shortly after.
Now as this central server is shut down again, others are taking over to collect data sent to them by variants of the original keylogger.
The FBI has also reportedly started an investigation into who is behind these servers.
Sunbelt has given the malicious program the name Srv.SSA-KeyLogger and has produced a free tool that scans computers to see if they are infected. Users can check for themselves by searching for a file called winldra.exe.
Publicity around the keylogger has led many anti-virus and security companies to add the bug to the list of malicious programs their software catches.
August 30, 2005 at 07:53 PM in Phishing & identity theft
August 27, 2005
Finextra: Phishers move to counteract bank security programmes
Online fraudsters are increasingly using sophisticated "screenscraper" software in their efforts to thwart bank anti-phishing technologies, according to the latest report from the Anti-Phishing Working Group (APWG).
APWG researchers are reporting a marked increase in the use of screenscraper technology by phishers, which has been designed to counter the graphical keyboard systems that some banks are using to protect against the keylogging Trojans.
Earlier this year Citibank said it had added an on-screen keyboard to its Internet banking service in the UK in a bid to protect customers against fraudsters that use key-logging programs. The keyboard appears on screen when customers are asked to enter passwords or answers to security questions. South Africa's Standard Bank has also introduced a virtual PIN pad log-in system to counteract the threat from spyware.
But APWG says phishers are now using screenscraper technology to neutralise these programmes. In one example intercepted by the researchers, when the user mouse-clicks a character on the graphical keyboard, the screenscraper takes a snapshot of the screen and sends it to the phishers' server for inspection.
Dan Hubbard, senior director of security for Websense and APWG analyst, says crimeware continues to evolve and advanced techniques are now being used to steal information: "These Trojan horses are moving beyond keylogging to now capture screenshots to obtain end-user credentials."
The APWG says the growth in the use of ID theft crimeware is now eclipsing conventional phishing methods which use spam e-mail to direct users to fake Web sites in order to deceive them into giving personal financial data, or spyware which records customers' logins and passwords.
The organisation received some 14,135 unique phishing reports in July, down slightly from 15,050 in June. In July 2005, 71 brands were reported as being phished, down from a high of 107 different brands being phished in May 2005.
But financial institutions were still the main target of phishing attacks and made up 86% of all phishing targets, down slightly from a recent high of 91%.
The APWG is also reporting an increase in the number of variants and new banking keyloggers in July. There were some 174 phishing-based Trojans detected in July, up from 154 in June.
Phishers were also found to be moving away from traditional marquee-name banks last month and targeting a wider base of smaller financial institutions. Peter Cassidy, secretary general, APWG, says phishers have employed Internet marketing practices of list creation and affinity marketing to target and leverage the trust of small institutions.
August 27, 2005 at 11:54 AM in Phishing & identity theft
August 10, 2005
German bank launches new system to combat phishing
Postbank customers will be given code numbers, in addition to PINs, that are required for each specific transaction
By John Blau, IDG News Service
August 08, 2005
German retail bank Postbank AG has launched a new plan designed to prevent phishers from capturing and misusing transaction numbers required by online banking customers to make money transfers.
The bank, which was the victim of a major phishing attack last year, is the first in Germany to offer "indexed" transaction numbers, or iTANs, it said Monday in a statement.
Phishing attacks use spoofed e-mail and fraudulent Web sites to fool respondents into entering personal financial data such as credit card numbers, account user names and passwords, which can then be used for financial theft or identity theft.
Until now, Postbank customers transferring money from their account to another electronically have had to type in their PIN (personal identification number) followed by a TAN from a list provided by the bank for each transaction. In Germany, most banks providing online services offer a similar PIN-TAN service.
Under Postbank's new iTAN service, online customers are told by the computer which TAN to use, and only with this TAN can they complete a transaction at that very moment.
Alongside each five-digit TAN appears an index number, which the computer uses to point customers to the TAN they must use to activate the transaction.
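The point of the indexed TAN is the binding between a transaction and one specific position on the sheet, chosen by the bank at that moment. The Python below is an added example (not Postbank's system and not code from the article) that places the classic PIN/TAN acceptance rule beside an iTAN session, so the difference is visible in behaviour: under the classic rule a TAN captured from a customer stays usable until the customer happens to spend it, whereas the iTAN session accepts only the TAN at the challenged index, once, for the transaction in progress. The TAN sheet, amounts and recipient strings are constructed placeholders.

```python
import hmac
import secrets

# Constructed sample iTAN sheet (not real bank data): 20 five-digit TANs,
# each keyed by the index number printed beside it on the customer's list.
SAMPLE_TAN_LIST = {i + 1: f"{(i * 7919 + 12345) % 100000:05d}" for i in range(20)}


def classic_tan_accepts(tan_list, used, tan):
    """Classic PIN/TAN rule: any not-yet-used TAN from the list is accepted,
    whenever it is presented. A TAN phished today therefore stays valid until
    the customer happens to use that same TAN."""
    return any(idx not in used and hmac.compare_digest(t, tan)
               for idx, t in tan_list.items())


class ITANSession:
    """Indexed-TAN flow: the bank names the index it wants for this
    transaction; only that TAN, presented now, completes it."""

    def __init__(self, tan_list):
        self._tans = dict(tan_list)
        self._used = set()
        self._pending = None   # challenge for the transaction in progress
        self.completed = []    # (amount, recipient) of confirmed transfers

    def begin_transaction(self, amount, recipient):
        """Record the transfer the customer asked for and return the index
        the customer must answer with."""
        unused = [i for i in self._tans if i not in self._used]
        if not unused:
            raise RuntimeError("TAN sheet exhausted; a new one must be issued")
        self._pending = {
            "index": secrets.choice(unused),
            "amount": amount,
            "recipient": recipient,
        }
        return self._pending["index"]

    def confirm(self, index, tan):
        """Complete the pending transaction. True only if the customer answers
        the challenged index with that index's own, unused TAN."""
        pending, self._pending = self._pending, None  # one challenge, one attempt
        if pending is None:
            return False
        if index != pending["index"] or index in self._used:
            return False
        if not hmac.compare_digest(self._tans[index], tan):
            return False
        self._used.add(index)
        self.completed.append((pending["amount"], pending["recipient"]))
        return True


if __name__ == "__main__":
    session = ITANSession(SAMPLE_TAN_LIST)
    idx = session.begin_transaction(100, "DE00 placeholder IBAN")
    print(f"bank asks for TAN #{idx}; customer answers from the sheet:",
          session.confirm(idx, SAMPLE_TAN_LIST[idx]))
    # Replaying that same TAN against a new challenge is refused.
    idx2 = session.begin_transaction(900, "another placeholder IBAN")
    print(f"bank asks for TAN #{idx2}; replay of TAN #{idx} accepted:",
          session.confirm(idx, SAMPLE_TAN_LIST[idx]))
```

Two details carry the security property: the challenge is consumed on the first `confirm` call regardless of outcome, so a stale or wrong answer cannot be retried against the same index, and the TAN comparison uses a constant-time check so that the verifier does not leak digits through timing.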
As another precaution, Postbank customers can set a limit on the amount of money to be transferred from their accounts online.
Postbank, which was spun off of the former German public administration for post and telecommunications, is one of the country's largest consumer banks with 11 million customers of whom nearly 1.7 million have online banking accounts.
August 10, 2005 at 03:45 PM in Phishing & identity theft
August 08, 2005
'Massive' identity theft ring uncovered - ZDNet UK News
Ingrid Marson
ZDNet UK
August 08, 2005, 12:40 BST
The FBI is reportedly investigating a criminal operation that involves the theft of confidential data from thousands of machines infected with spyware
A security firm claims to have uncovered a huge identity-theft ring that appears to be using a spyware program to steal confidential information from computers.
Sunbelt Software said the operation, which is being investigated by the FBI and Secret Service, is gathering personal data from "thousands of machines" using keylogging software. The data collected includes credit card details, social security numbers, usernames, passwords, IM chat sessions and search terms. Some of the data gathered is then saved in a file hosted on a US-based server that has an offshore-registered domain, said Sunbelt president Alex Eckelberry.
"The types of data in this file are pretty sickening to watch," Eckelberry said in a blog posting from Saturday. "In a number of cases, we were so disturbed by what we saw that we contacted individuals who were in direct jeopardy of losing a considerable amount of money."
According to Sunbelt Software, criminals have obtained access to a considerable amount of bank information, including details about one company bank account containing over $350,000 (£197,000) and another account that has "readily accessible" funds of over $11,000.
The operation appears to be linked to CoolWebSearch (CWS), a malicious program that hijacks Web searches and disables security settings in the Internet Explorer browser. Patrick Jordan, a Sunbelt employee, discovered the identity theft ring while researching a CWS variant.
"During the course of infecting a machine, he [Jordan] discovered that a) the machine he was testing became a spam zombie and b) he noticed a call back to a remote server. He traced back the remote server and found an incredibly sophisticated criminal identity theft ring," said Eckelberry. "We are still trying to ascertain whether or not this is directly related to CWS."
An FBI spokesperson was unable to confirm whether or not an investigation was taking place. Sunbelt was unavailable for further comment in time for this article.
This is the latest attempt by a criminal gang to use spyware for financial gain. In March this year the UK's National Hi-Tech Crime Unit foiled an attempt to steal £220m from the Japanese bank Sumitomo Mitsui. Keyloggers were used to relay passwords and access information to the criminals who intended to transfer the funds electronically. A man in Israel was arrested after allegedly trying to transfer £13.9m of the funds.
August 8, 2005 at 10:26 PM in Phishing & identity theft
Identity theft ring affects at least 50 banks - Yahoo! UK & Ireland News
By Ingrid Marson, ZDNet UK
Customers from Bank of America, PayPal and other financial institutions have had their financial details stolen by a dangerous new Trojan
A major identity theft ring discovered last week has affected the customers of at least 50 banks, according to Sunbelt Software, the security firm that uncovered the operation.
The operation, which is thought to be under investigation by the FBI and Secret Service, is currently gathering personal data from compromised machines and sending them to a server where they are saved in a file.
Sunbelt Software said on Monday that in the two days it has been monitoring the file it has seen confidential financial details of the customers of the Bank of America, PayPal and up to 50 international banks, according to Eric Sites, the vice-president of research and development at Sunbelt.
"For almost every bank that is listed [in the file], it's possible to get into the person's account," Sites said.
As well as passwords for online banking sites, information on credit cards has also been gathered. Sites said that Sunbelt had found one customer's credit card number, expiry date and security code as well as their name and address, which would allow anyone to use their credit card.
The data theft was initially reported to be carried out by a modified variant of a spyware application, called CoolWebSearch (CWS), but Sunbelt has now found that the activities are carried out by a separate Trojan, which is downloaded at the same time as CWS and a mail zombie.
The malicious code is hosted on a Web site that mainly hosts pornography, which Sites was unwilling to name. Users of Windows XP that have not installed SP2 are particularly vulnerable as the code will be automatically downloaded without the user's knowledge. Sunbelt is currently investigating whether users of earlier Windows versions, such as Windows 2000 and Windows ME, are also vulnerable.
"If you have an unpatched Windows machine, when you go to the URL it will automatically download everything from the Web site, including the Trojan. All you have to do is type in the URL and you're hosed," said Sites.
The Trojan is a new variant, so antivirus and anti-spyware vendors do not yet block it, according to Sites. Sunbelt plans to send information on the Trojan to security firms as soon as possible.
The Trojan carries out keylogging, and also gathers information stored by Internet Explorer's auto-complete function. This data includes any information that has been typed into forms, including usernames and passwords.
Two variants of the data-stealing Trojan have been found, one of which sends data to a publicly available server, which is being monitored by both Sunbelt and the Secret Service, according to Sites. He claimed this server will not be shut down straight away so that the FBI and Secret Service can track down the perpetrators.
Sunbelt believes the operation has only been going on for a couple of weeks and has affected a "couple of thousand machines", according to Sites.
An FBI spokesperson was unable to confirm whether or not an investigation was taking place.
August 8, 2005 at 10:25 PM in Phishing & identity theft
July 31, 2005
Fifteen arrested in multinational 'phishing' scam - Yahoo! UK & Ireland News
MADRID (AFP) - Argentine authorities have detained 15 people, including a Spanish national, in connection with a multi-million euro (dollar) online banking fraud, the Spanish interior ministry said.
The Spaniard was one of 15 people arrested amid allegations of "phishing", or making illegal use of online account holders' details, following a police operation in the Spanish cities of Madrid, Barcelona, Palencia and Valencia and Santa Fe in Argentina, the ministry said.
The 23-year-old Spaniard, an information technology expert nicknamed "Tasmania", was already the subject of 14 arrest warrants.
The other suspects hail from Argentina, Italy and Romania, the ministry said, adding that house to house searches had turned up a wealth of information related to the case, covering some 150 bank accounts.
The suspects allegedly infected victims' computers with so-called Trojan viruses and worms to access account information using servers as far apart as Argentina, Canada, Russia and Thailand, according to investigators.
A computer worm, unlike a virus, does not have to travel through e-mail but can spread by itself to any unprotected computer linked to the Internet.
July 31, 2005 at 12:25 PM in Phishing & identity theft
July 05, 2005
Hot data: Some simple, cheap measures could help protect personal data - Economist.com
In the information economy, data replace oil and steel as the central input, so information becomes a target for criminals. The theft of data, often involving personal information about customers and employees, is increasing dangerously fast. After a series of huge info-heists in America, culminating this month in the disclosure that data on 40m credit-card accounts were stolen from the computers of a data-processing firm based in Atlanta, Georgia, business leaders and politicians everywhere are taking notice.
Data theft accounted for over $50 billion in losses last year in America alone, according to the Federal Trade Commission. So far this year, lax information-security practices have left vulnerable the personal information—such as financial details, health records and Social Security numbers—of around 50m Americans.
Many companies are horribly sloppy about this stuff. They fail to install the latest security software; they handle data recklessly. Earlier this month Citigroup, the world's biggest financial firm, had to admit that it had lost information on 3.9m current and former customers when some unencrypted computer tapes went astray while being handled by United Parcel Service, the firm that was shipping the data. The story left some worrying questions unanswered. Why were the tapes unencrypted? And why was such sensitive information being sent via UPS, without proper safeguards?
And it is not just financial-service firms which are at risk. With the web of interlocking business relationships that is the norm among modern firms, a fault at a big data-processing firm that never actually interacts with customers can damage the reputation of all sorts of companies who draw from and feed into this supplier. The companies who deal with customers are ones whose principal asset is brand- and customer-loyalty, so they are the ones that have most at stake. The issue of data protection has therefore ceased to be a topic best left to geeks in the computer department. These days, it is a matter for chief executives and their boards of directors in almost every type of business (see article).
One reason why firms have been so remiss is that data security seems like a costly and boring chore. There are no obvious rewards for being careful, nor penalties for being careless. That may be changing, because the rash of embarrassing cases in the past few months has sharpened public awareness of the issue. But there is a role for regulators and lawmakers as well, partly just to keep the public informed about who is misusing their personal details.
Make them confess
Europe has avoided the spectacular data breaches that have been happening in America. That may be in part because it started to take the problem seriously a decade ago, and adopted a set of rules from which America could benefit. The European Union's 1995 data-protection directive requires firms to assess their data-protection practices and to document how they handle sensitive information. These simple rules have at least encouraged firms to address the issue of data security, and to justify what they are doing. But the biggest weakness of the European directive is that it does not require firms to report privacy breaches. As a result, it is impossible to say how effective it has really been.
That leads naturally to the second remedy, which may in the end prove more powerful: letting sunlight in on the problem. In America, many of the recent disclosures have been made only because California passed a law requiring firms to notify the people who have been affected by a breach of privacy. Scores of other states are thinking of introducing similar laws. At the national level, America's Congress is considering about 20 bills related to identity theft, and most of them contain disclosure requirements as well. Japan has gone all the way already: since April Japanese companies have had to make a public announcement when such breaches have taken place. America and Europe should do the same.
Some advocate tougher, direct regulation, but it would be better first to see whether a lighter touch can work. If companies can be persuaded to be more careful, things would improve a lot. Mandatory disclosure should encourage them to protect their customers', and their customers' customers', sensitive personal information—if only to stay off the front pages of newspapers.
July 5, 2005 at 12:28 PM in Phishing & identity theft
July 04, 2005
Computer geeks funded champagne lifestyle with £6.5m fraud - Times Online
By Jack Malvern
A CRIMINAL network that stretched from hackers in America to former KGB agents in Russia has collapsed after police discovered that its masterminds were a pair of computer geeks in Leeds and Glasgow.
Douglas Havard and Lee Elwood, who controlled a £6.5 million credit card scam, are now in prison after being the first people in Britain to be convicted of committing fraud by using credit-card numbers distributed over the internet.
Havard, 24, and Elwood, 25, may have appeared to be scruffily dressed website designers who had done well enough to buy an expensive car each. Yet they were members of two now defunct discussion websites on which advice was exchanged on how to obtain “data dumps” of stolen credit-card numbers and use them to create copies of cards. Other members included American counterfeiters who supplied blank cards and machines for writing stolen data on to them.
Russian scammers conned credit-card owners into handing over their details by sending e-mails purporting to be from banks and credit companies — a technique known as “phishing”. The e-mails would tell customers that they had been charged in error for a transaction or that their details needed to be updated and direct recipients to websites that mimicked genuine banking services.
The Russians would then give this information to Havard and Elwood in return for 60 per cent of any cash they made from counterfeiting cards.
Havard would locate blank credit cards and download the stolen data. Credit-card owners around the world found themselves presented with bills for thousands of pounds of cash withdrawals and purchases that they had not made.
Havard and Elwood “were living quite a nice lifestyle” the National Hi-Tech Crime Unit, the British agency that caught them, told The Times. “They would drink champagne in clubs and drive around in their Mercedes.”
A neighbour of Havard in Leeds who did not wish to be named said that although the American wore jeans and a T-shirt he had had expensive designer clothes in his flat. He “drove a big Mercedes Benz and his partner in crime was driving a Mercedes sports car.”
Havard, the son of a millionaire entrepreneur from Dallas, is said to have begun his criminal career as a teenager. In 2001, according to court reports, he was arrested for alleged aggravated assault when he visited a drug dealer’s house. A year later he was arrested again and accused of selling a date-rape drug to an undercover detective. His rich family could easily afford his bail, and Havard fled to Belize, and later Britain, before he could face the charges in court.
Last week at Leeds Crown Court he was jailed for six years after pleading guilty to conspiracy to defraud and conspiracy to launder money. The US authorities have begun extradition procedures.
Elwood, who ran the Glasgow connection of the business, was sentenced to four years after also pleading guilty.
July 4, 2005 at 12:41 PM in Phishing & identity theft
July 03, 2005
Corporate anti-spyware spending tipped to boom - Yahoo! UK & Ireland News
By Tom Espiner, ZDNet UK
The corporate anti-spyware market is expected to exceed 540 million users by 2009, but the industry is in disarray
An independent report released on Wednesday has forecast massive growth in the amount spent by businesses on anti-spyware products over the next few years.
The report, Corporate Anti-Spyware Market 2005-2009 by the Radicati Group, cites growing corporate concern over spyware designed to steal information. There is also concern about worker productivity being inhibited by the slow performance of machines infested with spyware.
The report predicts that the number of corporate users with anti-spyware tools will grow from 16 million users in 2005 to 540 million users in 2009. It also says the costs could rise to as much as $249 (£139) per user, as IT departments are swamped by users whose computers have been infected by spyware.
"Human capital costs can skyrocket as administrators are forced to re-image computers inundated with spyware and help-desk staff manage end users frustrated with slowdowns... caused by spyware," said Radicati.
Due to the growth in use of corporate anti-spyware hardware and software products, revenues are predicted to increase over the next four years from $103m to over $1bn.
However, anti-spyware vendors may not be in a position to take full advantage of this boom. The report found that the anti-spyware industry is suffering from a lack of organisation. In February the Consortium of Anti-Spyware Technology vendors collapsed in acrimony after Webroot, Aluria, and Pestcontrol withdrew from the group. They were mainly protesting against the inclusion in the group of 180solutions, a company which produces both adware and anti-spyware products.
The nascent Anti-Spyware Coalition was formed in June 2005, but this organisation is still in its formative stages, and so "has yet to have any noticeable impact upon the industry" according to the report.
There is also confusion about the definitions of spyware and adware. With no standard definition that companies can agree on, "vendors often advertise questionable spyware blocking statistics that can confuse potential customers and create unfair comparisons between products," warned the report.
July 3, 2005 at 11:37 AM in Phishing & identity theft
June 22, 2005
Ubiquitous Technology, Bad Practices Drive Up Data Theft
Ubiquitous Technology, Bad Practices Drive Up Data Theft - Yahoo! News
By Jonathan Krim, Washington Post Staff Writer Wed Jun 22, 1:00 AM ET
Call 2005 the year of the data breach.
One day, tapes with the Social Security numbers of 1.2 million federal workers are reported missing. Another day it's hackers gaining access to private information on 120,000 alumni at Boston College. Then, last Friday, comes word that 40 million credit card numbers fell prey to computer criminals.
Collectively, nearly 50 million accounts have been exposed to the possibility of identity fraud since the beginning of the year, a significant increase from last year.
Security experts, law enforcement officials and privacy advocates agree that while computer crime is on the rise, it is hardly new.
So why the apparent escalation?
In part, organizations are telling their customers or employees about incidents more than they used to, many complying with a California notification law that is being considered as the basis of possible federal legislation.
After data broker ChoicePoint Inc. reported in February that it was infiltrated by identity thieves posing as legitimate customers, the company received a second black eye when reports surfaced that it did not notify consumers about a previous breach, before California's law took effect. Now, most organizations are choosing to notify potential victims.
Experts see other factors contributing to the data-theft siege.
A boom in data collection has created a marketplace of valuable information stored on computers in thousands of places, many with weak security.
"The current fiascos in cyber-security have been occurring for the past 10 years," said Tom Kellermann, who recently left his position as senior data risk management specialist for the World Bank.
Kellermann and others blame poorly designed software, inattention to data security and an underappreciation of the problem by top management in corporations and other institutions.
"We've used weak practices for some time," said Chuck Wade, an Internet security and commerce consultant. "The vulnerabilities are well known, and we have not been improving the security measures . . . as we should have been."
At the same time, some hackers who used to get their kicks merely being disruptive are pooling efforts with organized criminals, said Jonathan J. Rusch, a special counsel in the fraud section of the Justice Department.
"The motivation now is money," Rusch said. In addition to using stolen data for credit card or other financial fraud, a thriving black market for the stolen data itself exists online, run in large part from Eastern Europe.
Among the most extreme examples of data for sale are offerings known in the online underground as "fulls." These reports include not only Social Security and credit card numbers, but also account passwords for Web sites that a consumer might use, such as eBay or a bank.
"There's so much information that has been leaked out over the years, it may be that there are, outside of the country, criminal elements with huge databases on American consumers," Wade said.
With more and more people getting high-speed Internet connections, and participating in online commerce and banking, the targets of opportunity for criminals only grow.
Wade and others argue that many industry players have not responded aggressively enough because they are insulated from the financial consequences of breaches.
Banks and credit card companies, for example, pay nothing when a criminal uses someone's credit card for a fraudulent charge. The same is true for credit card processing companies such as CardSystems Solutions Inc., which announced last week that it housed the 40 million credit card numbers that hackers may have obtained.
Payment processors and banks collect fees for charges that are reversed.
"They are making money on fraudulent transactions," said Brian Mortensen, head of a New Jersey company that sells telecommunications equipment. "They should not be allowed to do that."
Mortensen said that as a result of fraudulent purchases, his firm has lost $12,000 to $15,000 on equipment that will never be recovered and owes several thousand dollars more in various fees.
Although consumers generally don't have to pay for fraudulent charges on their credit cards, if their identity has been compromised it can take years and thousands of dollars to restore good credit.
Some security experts say many financial companies have been slow to adopt multiple layers of customer verification, such as requiring a password and a second identification number. Many companies also are not encrypting stored data.
But many firms argue that while data protection is a top priority, such measures could make online commerce too inconvenient for consumers without adding appreciably to security. And security already is a large business expense.
Companies must monitor their computer networks and "patch" vulnerabilities in software that are discovered regularly.
That can be especially complex when firms merge and one company's system needs to be incorporated into another's, said David Thomas, head of the FBI's computer intrusion section.
"It's very, very difficult to stay on top of it," Thomas said.
Moreover, said Mark Rasch, a former federal prosecutor who works for an Internet security firm, "The company has to try to protect against every kind of attack. The intruder only needs to find one."
Some breaches, such as mortgage data from General Motors Acceptance Corp. that was stored on a laptop stolen from a car, leave consumers wondering how seriously companies take information security.
Sen. Dianne Feinstein (D-Calif.), one of several on Capitol Hill sponsoring identity theft legislation, said the CardSystems incident last week "is a clear sign that industry's efforts to self-regulate when it comes to protecting consumers' sensitive personal data are failing."
Thomas F. Holt Jr., an attorney who represents companies involved in breach cases, said he expects things to change when large class-action suits begin to get filed against firms for improperly protecting information.
"When that game is afoot . . . companies will begin to redouble their security efforts and reexamine a lot of assumptions they have regarding the gathering and storing of sensitive data," Holt said.
June 22, 2005 at 09:46 PM in Phishing & identity theft
June 14, 2005
UK government cracks down on phishers
Finextra: UK government cracks down on phishers
The UK government is introducing new legislation that will allow the law courts to impose sentences of up to 10 years on perpetrators of phishing attacks.
The government is introducing new offences under its Fraud Bill to crack down on rising levels of cyber crime by making it easier to convict online fraudsters, particularly those convicted of carrying out phishing scams.
The revised bill now includes a new offence of fraud by false representation, which covers phishing attacks in which spam e-mail is used to direct computer users to fake Web sites in order to deceive them into giving over their personal financial data.
The bill will also make it an offence to be in possession of articles for use in frauds, such as spyware programs and credit card readers. A new offence of obtaining services dishonestly will attempt to deal with fraudsters who use stolen credit card details to make internet purchases.
Commenting on the new legislation, Attorney General Lord Goldsmith, says: "This reform is needed to enable prosecutors to get to grips with the increasing abuse of technology, particularly in relation to fake credit card scams and personal identity theft, which cost millions of pounds every year."
According to online security services firm MessageLabs, phishing incidents peaked in January 2005, when it intercepted over 7.7 million phishing e-mails, but then dropped off again.
But MessageLabs says recent months have seen a resurgence of phishing attacks due to a huge rise of zombie networks being used to pump out massive volumes of scam e-mails.
The government's new bill coincides with the launch of the Operation Spam Zombie campaign which will see international trade and government members of the London Action Plan (LAP) apply pressure on ISPs to help identify compromised machines on their networks.
June 14, 2005 at 09:32 AM in Phishing & identity theft
Cyota signs credit union as phishers move downstream
Finextra: Cyota signs credit union as phishers move downstream
The Pennsylvania State Employees Credit Union (PSECU) has signed up for Cyota's FraudAction anti-phishing package as Internet monitors report a sharp rise in fraudulent online attacks against credit unions and smaller regional US banks.
Cyota's FraudAction service includes real-time detection of phishing and pharming attacks, shutting down fraudulent sites, conducting forensic work to help catch fraudsters, and patent-pending counter-measures. PSECU is also protected by Cyota's blocking network, which monitors for attacks, and blocks access to phishing sites via partnerships with leading anti-spam providers and ISPs.
PSECU is an early adopter of the service among credit unions, says the vendor, joining several months ago when the first signs of attacks against credit unions appeared. Cyota's Anti-Fraud Command Center (AFCC) reports that it has seen a 633 percent increase in the number of credit unions, regional and mid- to small-sized banks attacked by fraudsters in 2005.
The figures are in line with reports from the Anti-Phishing Working Group, which in February noted that phishers are using advanced software to hijack larger arrays of Internet technologies and are at the same time using them to attack smaller banks.
Amir Orad, Cyota executive vice president, says credit unions and community banks can no longer afford to take a wait and see approach to online security.
He says: "Now that some of the larger banks have implemented stronger security measures, phishing is definitely moving downstream, and for the first time we've begun to see small to mid-sized banks getting attacked more frequently than larger banks."
June 14, 2005 at 09:30 AM in Phishing & identity theft
March 29, 2005
Stolen Laptop Exposes Data of 100,000
Yahoo! News - Stolen Laptop Exposes Data of 100,000
Mon Mar 28,10:55 PM ET
By MICHAEL LIEDTKE, AP Business Writer
SAN FRANCISCO - A thief recently walked into a University of California, Berkeley office and swiped a laptop computer containing personal information about nearly 100,000 alumni, graduate students and past applicants, highlighting a continued lack of security that has increased society's vulnerability to identity theft.
University officials waited until Monday to announce the March 11 crime, hoping that police would be able to catch the thief and reclaim the computer. When that didn't happen, the school publicized the theft to comply with a state law requiring consumers be notified whenever their Social Security numbers or other sensitive information have been breached.
The law is meant to alert people their personal information could be used by scam artists to obtain loans or conduct other business under an assumed identity.
UC Berkeley plans to advise the 98,369 people affected by the laptop theft to check their credit reports, although there has been no indication any of the personal information has been used illegally, university spokeswoman Maria Felde said.
"The campus really regrets this happened and is taking steps to strengthen security in the future," Felde said. The university has set up a hotline, 1-800-372-5110, and a Web site, http://newscenter.berkeley.edu/security/grad/ to answer questions about the laptop theft.
The UC Berkeley incident follows several other high profile instances in which businesses and schools have lost control of personal information that they kept in computer databases.
Recent breaches have occurred at: ChoicePoint Inc., a consumer data firm duped into distributing personal information about 145,000 people; Lexis-Nexis, a data storehouse where computer hackers obtained access to the personal information of 32,000 people; and Chico State University, where a computer hacking job exposed 59,000 people to potential identity theft.
Universities have accounted for 28 percent of the 50 security breaches of personal information recorded by California since 2003, said Joanne McNabb, the chief of the state's Office of Privacy Protection. That's more than any other group, including financial institutions, which have accounted for 26 percent of the breaches affecting Californians.
This is the second time in six months that UC Berkeley has been involved in a theft of personal information. Last September, a computer hacker gained access to UC Berkeley research being done for the state Department of Social Services. The files contained personal information of about 600,000 people. That security breach hasn't been linked to any cases of identity theft, Felde said.
The risks of identity theft have risen in recent years as technological advances make it easier for businesses, schools and other organizations to create vast databases containing Social Security numbers, credit card account numbers and other personal information.
All that valuable data has turned the computer storehouses into inviting targets for thieves who frequently don't have to work too hard to pull off their crimes.
Computer hackers create some of the mischief by circumventing high-tech firewalls, but 58 percent of the breaches recorded by California officials have occurred after a computer or other device containing personal information is lost or stolen, McNabb said.
The security risks of these incidents could be minimized if the caretakers of the personal information encrypted the sensitive data, a process that makes it unreadable without the decryption key.
The laptop stolen from UC Berkeley was scheduled to be encrypted this month, Felde said. The computer required a password to log in, which does not protect the data on an unencrypted disk once the machine is in a thief's hands. It was left unattended for a few minutes in a restricted area of a campus office before someone walked in and stole it, Felde said. A campus employee witnessed the theft and reported it to university police.
Authorities suspect the thief was more interested in swiping a computer than people's identities. Felde said there had been no evidence so far to indicate the stolen information has been used for identity theft.
The stolen laptop contained the Social Security numbers of UC Berkeley students who received their doctorates from 1976 through 1999, graduate students enrolled at the university between fall 1989 and fall 2003 and graduate school applicants between fall 2001 and spring 2004. Some graduate students in other years also were affected.
The stolen computer files also included the birth dates and addresses of about one-third of the affected people.
March 29, 2005 at 08:37 AM in Phishing & identity theft
March 16, 2005
Online security: can you bank on it?
Online security: can you bank on it? - Connected Business - Times Online
Phishing and other financial scams carried out online can often deter customers from using financial websites. As Sara McConnell reports, providing proper security is a must for modern business
You are choosing between two online banking services. Both have similar rates, accounts and services, and both are major players on the high street.
But one has recently made the headlines because its online security has been breached and hackers have gained access to millions of customer account details. Its refusal to talk to the press or discuss the steps it will take to stop similar problems occurring in future (on the grounds of security, of course) has kept the story going longer. By contrast, its rival is happy to discuss its commitment to online security and keeping your personal and financial information safe.
Which of these two (fictional) banks would you choose, asks Richard Starnes, the director of incident response for managed security at Cable & Wireless. "If I was an internet bank, I would be happily promoting my bank as a secure place to do business."
With growing numbers of individuals and companies buying, selling, trading and banking online, a reputation for good security and tight risk management is becoming an increasingly important selling point. Customers who would have been reluctant to provide credit or debit card details to internet sites a few years ago now do so readily, but only if they trust the site to hold the information securely, with backup systems in place so that the business can continue even if it is a victim of hi-tech crime.
Companies are starting to recognise that their brand and reputation can be severely damaged by online crimes such as hacking and data theft, especially when these become public knowledge. "If I was CEO of a bank and my website was hacked into and £500,000 stolen, that's nothing to a financial institution. What is damaged is the brand," says Mr Starnes.
In a survey carried out last year by the National Hi-Tech Crime Unit, nearly 20 per cent of firms questioned said the impact on share price and reputation of computer crime was their greatest concern, with finance and IT firms most likely to put this top of the list.
Of the UK's 42 million bank customers, 15 million now manage their accounts online. Banks are acutely aware of how quickly they can lose customers and damage their reputations if they do not act quickly when there is a problem. Sandra Quinn, of the Association for Payment Clearing Services (APACS), which speaks for the banking industry on fraud and risk management, says: "Customers don't mind banks closing down a service temporarily but they're worried about no one taking any action. Yes, there are threats, but yes, your money is safe. Banks need to keep this at the forefront of customers' minds."
Tracy Goodyer, of Barclays, which has 4.2 million online customers, says: "We're constantly reviewing our security. Risk is a game we're into and we take security very seriously. Banking is part of people's everyday lives and from a reputational point of view security breaches would be very serious."
But many companies still see security as a cost and a regulatory necessity rather than as good business, says Mr Starnes. Too few companies have IT security experts in senior positions and a formal written security policy. The National Hi-Tech Crime Unit discovered that nearly half of the 201 companies questioned have no formal procedures in place to deal with computer crime and nearly a quarter did not carry out audits to check security processes and spending were working properly.
"Companies are taking security more seriously but they haven't really understood the business benefits. I don't think they believe that having a good corporate asset protection programme is differentiation between one company and another for customers," says Mr Starnes.
March 16, 2005 at 09:18 PM in Phishing & identity theft
March 13, 2005
Data Under Siege
Yahoo! News - Data Under Siege
By Jonathan Krim and Robert O'Harrow Jr., Washington Post Staff Writers
Identity thieves have penetrated another company that collects and sells personal information on millions of U.S. consumers, the latest in a series of breaches that is throwing a spotlight on the practices and safeguards of a booming data-collection industry.
LexisNexis, a worldwide provider of legal and business data, announced yesterday that information about 32,000 consumers was fraudulently gathered in a series of incidents. The data include names, addresses and Social Security and driver's license numbers.
The breaches occurred at the company's recently acquired Seisint Inc. subsidiary, a Florida firm that sells data amassed from extensive public records searches to law enforcement agencies, businesses, private investigators and others.
Kurt Sanford, president and chief executive of the LexisNexis corporate and federal markets unit, said company investigators discovered that fraud artists had assumed the identities and used the passwords of legitimate customers to download the customer data.
"LexisNexis very much regrets this and will be notifying all the individuals concerned and providing them with ongoing credit monitoring and practical support to ensure that any identity theft is quickly detected and addressed," the company said in a news release.
The breaches occurred in January, and the company is continuing to investigate, working with the Secret Service.
The announcement comes just weeks after a LexisNexis competitor, ChoicePoint Inc., revealed an even larger security lapse that enabled fraud artists posing as legitimate businessmen in Los Angeles to access personal information about at least 145,000 people around the country.
Investigators are exploring whether the suspect in that case also compromised LexisNexis and other information services.
The ChoicePoint disclosure last month was followed by revelations that Bank of America Corp. had lost computer tapes containing financial data on 1.2 million federal workers, including U.S. senators.
Then late Tuesday, shoe retailer DSW Inc. revealed that credit card numbers of people who shopped at 103 of its 175 stores had been obtained by hackers.
The company is not saying how many consumers might be affected but is recommending that shoppers at any DSW store monitor their credit card activity closely. The company has several stores in the Washington area.
The breaches have spurred plans for several hearings on Capitol Hill that begin today. The relatively obscure information-broker business will get particular scrutiny, with its major companies maintaining and selling names, Social Security numbers, driver's license information, credit card data and other records on virtually every U.S. adult.
Seisint alone claims to have 20 billion records in its system.
"This is the latest window on security weaknesses that jeopardize the personal information that data brokers hold . . . and the view is a chilling one," said Sen. Patrick J. Leahy (Vt.), the top Democrat on the Senate Judiciary Committee. "Data brokers are also increasingly partners with the government in important law enforcement and homeland security efforts, and their performance in protecting data is one of the important criteria in evaluating those relationships."
Sen. Arlen Specter (R-Pa.), who heads the Judiciary Committee, said the breaches are "becoming an epidemic. It's very serious. Privacy is one of our most prized values."
Sanford, the LexisNexis executive, said the breach at his firm was discovered in January by a team of LexisNexis employees examining the security and authentication procedures used by Seisint.
The team was trying to figure out how to "sync everything up" between the LexisNexis and Seisint computer systems, Sanford said.
LexisNexis Group acquired Seisint last summer for $775 million in cash. At the time, Seisint was best known as the company behind a counter-terrorism supercomputer called the Matrix, which enabled law enforcement and intelligence authorities to blend investigative files with billions of public records.
In buying Seisint last summer, LexisNexis aimed to compete more aggressively with ChoicePoint for lucrative homeland security and law enforcement contracts. Seisint's main product is Accurint, a service that markets the possibility of giving police, private investigators, lawyers and others access into every corner of society.
"Instantly FIND people, their assets, their relatives, their associates, and more," the company's marketing material said. "Search the entire country for less than the cost of a phone call -- a quarter."
March 13, 2005 at 12:18 PM in Phishing & identity theft
March 11, 2005
Collecting, and stealing, personal information is big business
Economist.com | Identity theft
PLATO asked "What is man?" and St Augustine asked "Who am I?" A new breed of criminals has a novel answer: "I am you!" Although impostors have existed for ages, the growing frequency and cost of identity theft is worrisome. Around 10m Americans are victims annually, and it is the leading consumer-fraud complaint over the past five years. The cost to businesses was almost $50 billion, and to consumers $5 billion, in 2002, the most recent year that America's Federal Trade Commission collected figures.
After two recent, big privacy disasters, people and politicians are calling for action. In February, ChoicePoint, a large data-collection agency, began sending out letters warning 145,000 Americans that it had wrongly provided fraudsters with their personal details, including Social Security numbers. Around 750 people have already spotted fraudulent activity. And on February 25th, Bank of America revealed that it lost data tapes that contain personal information on over 1m government employees, including some Senators. Although accident and not illegality is suspected, all must take precautions against identity theft.
Faced with such incidents, state and national lawmakers are calling for new regulations, including over companies that collect and sell personal information. As an industry, the firms, such as ChoicePoint, Acxiom, LexisNexis and Westlaw, are largely unregulated. They have also grown enormous. For example, ChoicePoint was founded in 1997 and has acquired nearly 60 firms to amass databases with 19 billion records on people. It is used by insurance firms, landlords and even police agencies.
California is the only state with a law requiring companies to notify individuals when their personal information has been compromised, which made ChoicePoint reveal the fraud (albeit five months after it was noticed, and after its top two bosses exercised stock options). Legislation to make the requirement a federal law is under consideration. Moreover, lawmakers say they will propose that rules governing credit bureaus and medical companies are extended to data-collection firms. And alongside legislation, there is always litigation. Already, ChoicePoint has been sued for failing to safeguard individuals' data.
Yet the legal remedies would still be far looser than in Europe, where identity theft is also a menace, though less frequent and costly. The European Data Protection Directive, implemented in 1998, gives people the right to access their information, change inaccuracies, and deny permission for it to be shared. Moreover, it places the cost of mistakes on the companies that collect the data, not on individuals. When the law was put in force, American policymakers groaned that it was bad for business. But now they seem to be reconsidering it.
March 11, 2005 at 01:44 PM in Phishing & identity theft
February 08, 2005
Stanford Federal Credit Union signs for PassMark authentication system
Finextra: Stanford Federal Credit Union signs for PassMark authentication system
Stanford Federal Credit Union (SFCU) has implemented PassMark Security's recently-released two-factor two-way authentication system to provide its members with secure online access to accounts and eliminate the threat from phishing.
SFCU says each of its members will receive a secret PassMark - a small image and a phrase - which is displayed to members during log in. If the PassMark is correct, members will know the Web site is genuine and that it is safe to enter their passwords.
The vendor says the system provides two-way authentication because it verifies the user to the site and the site to the user, and two-factor because it identifies the user's computer hardware as a second factor of authentication.
John Davis, president, SFCU, says: "Online members have always had to prove their identities to us. But with the explosion of 'phishing' attacks, online service providers should have to prove their identities to the consumer. PassMarks give us an effective way to do so."
Bill Harris, co-founder and chairman of PassMark Security, says with the advent of phishing and keylogging attacks, passwords alone are no longer adequate protection for e-commerce.
He adds that the PassMark system offers security without requiring the users to have any new hardware or install any new software.
Financial firms can also use the technology to authenticate outgoing e-mail, by inserting a copy of the recipient's PassMark into the message.
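The flow the vendor describes can be made concrete. The following Python model is an added illustration, not PassMark Security's code or a description of its internals; the message shapes, the device cookie used as the "computer hardware" factor, and the sample member data are assumptions made for the example. The genuine site releases a member's PassMark only to a device it has already registered (otherwise anyone who knew a username could fetch the image), the member's browser refuses to send the password unless the expected image and phrase appear, and a spoof site, which cannot know the PassMark, never receives the password.

```python
"""Two-way, two-factor login modelled on the PassMark description above.

Added example with assumed message shapes and sample data; not vendor code.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    passmark: tuple                               # (image name, phrase) chosen at enrolment
    devices: set = field(default_factory=set)     # device tokens this member has registered


def _hash_pw(salt, password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class BankSite:
    """Genuine site: shows the PassMark only to a device it already knows."""

    def __init__(self):
        self.accounts = {}

    def enrol(self, user, password, image, phrase):
        salt = secrets.token_bytes(16)
        acct = Account(salt, _hash_pw(salt, password), (image, phrase))
        self.accounts[user] = acct
        token = secrets.token_hex(16)             # persisted as a cookie on the member's machine
        acct.devices.add(token)
        return token

    def login_step1(self, user, device_token):
        """Site -> user: the PassMark, or None when the device is not recognised."""
        acct = self.accounts.get(user)
        if acct is None or device_token not in acct.devices:
            return None
        return acct.passmark

    def login_step2(self, user, device_token, password):
        """User -> site: the password, accepted only together with a recognised device."""
        acct = self.accounts.get(user)
        if acct is None or device_token not in acct.devices:
            return False
        return hmac.compare_digest(acct.pw_hash, _hash_pw(acct.salt, password))


class PhishingSite:
    """Spoof site: it does not know the member's PassMark and can only guess one."""

    def __init__(self):
        self.harvested = None

    def login_step1(self, user, device_token):
        return ("padlock.gif", "Secure Login")    # a guess, not the member's secret

    def login_step2(self, user, device_token, password):
        self.harvested = password
        return True


class Member:
    """The member's browser: holds the device cookie and remembers the enrolled PassMark."""

    def __init__(self, user, password, passmark, device_token):
        self.user, self.password = user, password
        self.passmark, self.device_token = passmark, device_token

    def login(self, site):
        shown = site.login_step1(self.user, self.device_token)
        if shown != self.passmark:
            return False                          # missing or wrong PassMark: do not type the password
        return site.login_step2(self.user, self.device_token, self.password)


def demo():
    """Run the flow against the genuine site, a spoof site, and from an unregistered device."""
    bank = BankSite()
    token = bank.enrol("alice", "correct horse", "red_kite.png", "Sunday walks")  # constructed sample
    alice = Member("alice", "correct horse", ("red_kite.png", "Sunday walks"), token)
    phish = PhishingSite()
    return {
        "genuine_login": alice.login(bank),
        "phish_login": alice.login(phish),
        "password_harvested": phish.harvested,
        "passmark_for_unknown_device": bank.login_step1("alice", "unregistered-token"),
    }


if __name__ == "__main__":
    print(demo())
```

The device token is what makes the scheme two-factor in the vendor's sense: without it the site has no way to tell the member's browser from a phisher replaying a username, so the PassMark stays hidden and the member is trained to stop at that point.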
February 8, 2005 at 07:15 AM in Phishing & identity theft
Bank of America faces landmark online fraud case
Finextra: Bank of America faces landmark online fraud case
A Miami businessman is suing Bank of America over $90,000 he says was stolen from his online banking account by Latvian cybercriminals.
The 42-year old businessman says the cash was transferred from his account to Parex Bank in Latvia without his approval. About $20,000 of the money was withdrawn before the account was frozen. A subsequent Secret Service investigation detected the presence of the 'coreflood' keylogging Trojan on the businessman's computer.
Bank of America maintains that it cannot be held responsible for the loss since its systems were not hacked into and that all appropriate measures were taken to complete the transfer.
In a complaint filed with the Miami Circuit Court on Thursday, the businessman alleges that Bank of America was negligent and failed to protect him from a known online banking risk.
The action could become a test case for determining bank liability in phishing frauds. Lawyers representing the victim have told the Miami Sun-Sentinel that the complaint could evolve into a class action suit to include other online banking customers who have had smaller sums rifled from their accounts.
February 8, 2005 at 07:14 AM in Phishing & identity theft
January 25, 2005
Rise in phishing as cyber crooks automate attacks
Finextra: Rise in phishing as cyber crooks automate attacks
The number of active phishing Web sites more than doubled in October according to the Anti-Phishing Working Group (APWG) as fraudsters switch to using automated tools to launch attacks.
According to the report, the number of bogus phishing sites rose from 543 sites in September to 1142 in October. The study also shows that between July and October, the number of scam sites grew at an average monthly rate of 25%.
APWG says the sudden large spike in October may indicate that criminals are using automatic tools and botnets to launch phishing attacks. Furthermore, the research shows that the number of bogus sites hosted on compromised broadband PCs has risen to more than 50%.
In October, there were 6597 new, unique phishing e-mail messages reported to the APWG, over three times the number of unique reports received in August (2158).
Financial services continues to be the most targeted industry sector, with the most unique baiting sites in October, as well as the most targeted companies.
A separate study by Internet monitoring firm Envisional shows that phishing attacks against financial services companies rose a massive 568% between June and October this year. The research shows an increase in both the number of firms targeted and the volume of phishing spam. The average number of banks hit each day rose to five in October from 2.6 in June.
At a conference in London yesterday Det Chief Supt Ken Farrow, head of the City of London Police's economic crime department, described how criminals came close to stealing £175m from a London-based bank last week. According to a report by the FT, Farrow said the robbery was prevented only by a "quirk" in the bank's internal systems.
January 25, 2005 at 08:21 AM in Phishing & identity theft
Banks remain top target for phishers
Finextra: Banks remain top target for phishers
Instead of targeting online retailers in the run up to Christmas, phishers continued to focus on financial institutions as the most targeted sector for spam attacks in December, according to the latest stats released by the Anti-Phishing Working Group (APWG).
The research shows that 85% of spam scams detected during December were directly focused on financial services firms, an increase on the usual 70-80% of phishing attacks targeting the sector.
David Jevans, chairman, APWG, says: "It is interesting to note that the concentration on phishing attacks against financial institutions actually increased to a new high during a time when many were concerned that opportunistic phishers would spoof retail sites, using consumers' urgency to keep their e-commerce accounts in order to complete their holiday shopping in time."
APWG says the number of reported hijacked brands grew to 55 in December. Out of the nine brands first reported in the month, eight were financial institutions.
Overall there were 9019 new, unique phishing e-mail messages reported to the APWG in December, a six per cent increase on November but an average monthly growth rate of 38% since July. December also saw a 10% jump in the number of active phishing sites, with 1707 reported in the month compared to 1546 in November.
January 25, 2005 at 08:20 AM in Phishing & identity theft
December 08, 2004
Phishing fraud losses exaggerated - TowerGroup
Finextra: Phishing fraud losses exaggerated - TowerGroup
The actual dollar value of potential fraud losses from phishing has been exaggerated, according to research house TowerGroup, which predicts that direct losses attributable to cyber scams will total just $137.1 million globally in 2004.
Research by consultancy Gartner estimates that direct losses from ID fraud against victims of phishing attacks cost US financial services firms about $1.2 billion in 2003, while more recent research from payments association Nacha estimates the monetary losses to victims of phishing incidents to total $500 million. But TowerGroup says the actual dollar value of phishing-related fraud losses is far less than commonly cited.
Beth Robertson, senior analyst, global payments research service, TowerGroup, says: "Phishing attacks can allow criminals to fraudulently obtain consumer data, but they do not as commonly result in an actual fraud event in which accounts are accessed or funds are stolen."
According to the research the number of phishing attacks - which total more than 31,000 globally in 2004 - will rise to over 86,000 by 2005, as the fraudsters begin targeting smaller financial institutions and new merchant/service-provider categories. But Robertson suggests phishing attacks only fool a small fraction of the online population and are, to many consumers, just a nuisance like spam.
TowerGroup says ultimately the total cost of managing phishing scams will be far greater than the cost of direct fraud, but admits that the increasing sophistication of phishing has the potential to knock consumer confidence in the Internet as a channel for the provision of financial services.
Separately, New York security software vendor Cyota says key findings from its recently-released anti-phishing service, FraudAction, show that 59% of phishing attacks are hosted on hijacked computers and two out of three attacks are hosted internationally. On average, targeted banks were alerted to phishing attacks four hours before the first customer call.
Cyota says its anti-phishing system - in use at five top US and UK banks including Barclays - has shut down over 60% of attacks in less than five hours and has managed to reduce the lifespan of some phishing sites to five hours, compared to the industry average of 153 hours (6.4 days) reported by the Anti-Phishing Working Group.
The service, which was launched in January, includes real-time alerts, detailed severity assessments, site shutdown services, forensic work and proprietary counter-measures.
The vendor says one bank client benchmarked phishing-related fraud losses before and after using its service and found that FraudAction lowered its losses by over 50%.
December 8, 2004 at 08:06 AM in Phishing & identity theft
Phishing scams soar in 2004
Finextra: Phishing scams soar in 2004
The number of phishing scam e-mails has soared in 2004, rising more than tenfold in less than 12 months, according to a report from security services firm MessageLabs which warns that the rise may lead to fraudsters conducting targeted attacks on specific individuals and companies.
MessageLabs intercepted 279 phishing e-mails in September 2003 but the figure had risen significantly to more than two million by September 2004.
In 2004 the number of phishing attacks has soared from 337,050 in January to 4.5 million in November. Overall the company intercepted more than 18 million phishing e-mails during the course of the year.
MessageLabs says phishing-related online identity theft has established itself as the principal threat of 2004 and may signal the beginning of a wave of e-mail attacks targeted at specific individuals and small groups of companies.
In November UK online payments processor Protx was hammered by a distributed denial of service (DDoS) attack conducted by a gang of cyber criminals running an extortion racket. US electronic payments processing firm Authorize.net was hit by a similar attack in September after receiving an extortion letter from hackers. Internet gaming site Blue Square was also targeted by extortionists who demanded almost £5,000 to stop thousands of spam e-mails being sent out in its name.
Mark Sunner, chief technology officer of MessageLabs, says: "Already, particular businesses are being threatened and blackmailed, which could indicate a shift from random, scattergun approaches to customised attacks."
Other stats from MessageLabs show that 73% of all e-mail is spam, compared to 40% in 2003, while one in 16 messages contains a virus compared to one in 33 last year. The most widespread outbreak of 2004 was W32/MyDoom.A, which hit in January this year.
December 8, 2004 at 08:05 AM in Phishing & identity theft
November 19, 2004
Operation Web Snare targets online crime
Finextra: Operation Web Snare targets online crime
The US Department of Justice has announced the arrests of more than 150 individuals in a nationwide law enforcement effort to crack down on card crime, identity theft and phishing scams.
The action, dubbed Operation Web Snare, entailed more than 160 investigations over a three month period between June and August. Investigators say they have identified more than 150,000 victims with estimated losses of more than $215 million.
More than 140 search and seizure warrants were executed as part of the operation, and prosecutors have obtained 117 criminal complaints, informations, and indictments to date. The charges have led to more than 150 arrests or convictions.
US Attorney General John Ashcroft estimates that identity theft alone costs US businesses over $50 billion each year. He says: "When you have $50 billion worth of damage being done to the economy of the United States of America, then it deserves some of our attention."
At a press conference, Ashcroft also noted that the US had worked with law enforcement officials in Cyprus, Nigeria and Romania, to track down international credit card crime rings.
November 19, 2004 at 06:55 AM in Phishing & identity theft
Brazilian police arrest 53 for $30 million phishing fraud
Finextra: Brazilian police arrest 53 for $30 million phishing fraud
Brazilian police have arrested 53 people for allegedly stealing $30 million (£16 million) from Internet bank accounts.
The suspects are alleged to have netted the loot by sending out thousands of e-mails containing a Trojan capable of reading user passwords and security codes.
The police swoop, which involved 160 policemen, took place across four states in the north of Brazil. According to investigators, 18 of the suspects had been imprisoned for similar offences in the past.
Banks targeted by the scamsters included Banco do Brasil, Bradesco, Caixa Economica Federal, HSBC, Itau, and Unibanco.
Graham Cluley, senior technology consultant for anti-virus firm Sophos says: "The Brazilian authorities should be congratulated for taking swift action against this activity - fifty arrests give some idea of the huge scale of this kind of organised Internet crime."
At a conference in the capital, Brasilia, in September, computer fraud experts said Brazil was now the global capital of hacking and Internet fraud. The amount of money lost in Internet financial fraud in Brazil outstripped that lost through bank robberies, the conference was told.
The latest arrests come amid a worldwide crackdown on con artists operating over the Internet. Earlier this week a dozen people were arrested in Hong Kong in connection with a banking phishing scam that is believed to have netted the fraudsters HK$600,000 (£47,000). UK law enforcement authorities have also pressed criminal charges against the alleged perpetrators of a phishing scam that conned UK banking customers out of hundreds of thousands of pounds.
November 19, 2004 at 06:54 AM in Phishing & identity theft
NatWest suspends online services in response to phishing fraud
Finextra: NatWest suspends online services in response to phishing fraud
The UK's NatWest has moved to suspend some online banking services in response to a new phishing e-mail scam.
The bank has suspended the ability for customers to make new third party payments and standing orders online in an effort to foil fraudsters phishing for customer details through fake e-mails.
The bank says the pre-emptive measure should ensure that no customers lose any money as a result of the latest round of bogus e-mails, which entice individuals to enter their personal banking data into a replica bank Web site.
NatWest online banking customers wishing to arrange funds transfers to new third party recipients will have to use the branch or telephone banking services, the bank says.
The banking industry continues to cover customers for losses incurred as a result of phishing, but has warned that liability in such crimes may ultimately be pushed back to the individual as the value and volume of fraud grows and as customers wise up to the scams.
Apacs' spokeswoman Sandra Quinn, says: "While customers don't know of all the risks, the safety net exists. What we have always said is that we won't forever provide a guarantee."
November 19, 2004 at 06:52 AM in Phishing & identity theft
November 04, 2004
First National Bank secures online banking with ActivCard
Finextra: First National Bank secures online banking with ActivCard
South Africa's First National Bank is using technology from ActivCard to provide its 250,000 Web banking customers with single-use passwords for accessing online accounts.
The bank is using ActivCard's newly-released KeyChain Token to protect against key-logging and other password scams of the kind that hit neighbouring Absa Bank last year. Fraudsters behind that keystroke-logging scam stole R530,000 from Absa accounts before the crime was detected.
ActivCard says the security token generates a one-time password which the bank's server recognises to open access to accounts. Because each password is used once, a code captured by a keylogger or a phishing page is of no value to the fraudster once the customer has used it. The application also allows bank administrators to set time limits on the validity of single-use passwords.
Roland le Sueur, head of Internet banking at FNB, says: "Teaming with ActivCard provided us the most cost effective solution to address all our security issues, while still remaining user-friendly to promote more widespread adoption of the solution."
November 4, 2004 at 07:58 AM in Financial Services, Payments, Phishing & identity theft
No-Click Phishing On The Way
Slashdot | No-Click Phishing On The Way
An anonymous reader writes "MessageLabs has discovered a pretty nasty - though fairly crude - phishing scam which doesn't even require recipients to click on a link in order to hand over personal data. Simply opening the email is enough to activate a script which 'lies in wait for its victim' according to one report. The script rewrites the host files of the machine and directs users to a fake web page the next time they legitimately attempt to access an online banking page. ... However, this will only affect users who have Windows Scripting Host enabled and certain ActiveX controls, according to MessageLabs."
November 4, 2004 at 12:11 AM in Phishing & identity theft
October 25, 2004
Web Desktop Moves Raise Security Alerts
By Matt Hicks
October 22, 2004
A pair of phishing vulnerabilities this week targeted at Google Inc. point to the kind of new threat Web companies can face as they expand their services into desktop applications, security experts say.
Because of errors in JavaScript code, Google found itself susceptible to phishing scams where an attacker could mimic its popular search site using a URL with the google.com domain, multiple researchers reported.
But the potential attacks didn't stop there, according to security and analyst firm Netcraft Ltd. They also could extend to gathering information from users using the recently released Google Desktop Search application, which indexes hard-drive files, e-mails, chat sessions and Web history and can display them along with Web results.
Google confirmed Thursday that it had fixed one of the vulnerabilities, and Netcraft on Friday said Google also had fixed a second, similar flaw. Google officials didn't return requests for comment for this story.
While the vulnerabilities may be gone for now, they are not unique to Mountain View, Calif.-based Google. Google is among leading Web companies that have in