Bank/Customer Lawsuits Over Phishing Scams Rising

Written by Sue Walsh on March 8, 2010

Over the past week there have been two instances of banks and customers suing each other over phishing attacks. In the first, Texas-based Hillary Machinery Inc. fell victim to a phishing attack and had over $800,000 stolen from its account. Its bank, PlainsCapital, was able to recover around $600,000, but when Hillary Machinery requested that the bank refund the remaining $200,000, PlainsCapital slapped the company with a lawsuit. The suit asks the court to certify that the bank’s security procedures are reasonable and that it processed the fraudulent ACH transfers in good faith. Hillary Machinery was stunned.

In the second case, a Michigan supply company is suing its bank, claiming it does not adequately protect its customers from phishing attacks. Experi-Metal Inc. claims that Comerica Bank encouraged phishing attacks by sending customers an email asking them to click on a link to download an update to the bank’s security software. This is a well-worn trick used by phishers, and the company says that by doing so the bank made customers more willing to trust fake emails claiming to be from Comerica. Experi-Metal lost over $500,000 to a phishing attack.

In response the bank said that it was the fault of the Experi-Metal employee who fell for the phishing scheme and handed over the company’s banking credentials. Furthermore, they said, the phishing site would have been obviously fake “to any reasonably alert person who was responsible for safeguarding EMI’s financial records and digital credentials.” Ouch. Basically they are insisting it’s not their fault that the employee was stupid enough to fall for the phishing email, but does Comerica hold some responsibility for its practice of sending out emails with links directing customers to download a security update? (The bank has since switched to a different system. The employee apparently trusted that the phishing email was real because of the earlier, legitimate one.) What do you think? When a phishing attack happens, who should be held responsible, the victim or the bank?

Military Personnel Targeted by Zeus

Written by Sue Walsh on March 2, 2010

A new Zeus phishing attack has taken aim at military personnel and intelligence officials in several countries, including the US. The spammers behind the attack exploited the name of a trusted security firm and sent fake messages pretending to be from that firm. Using social engineering tricks, they sent messages to the same people their earlier phishing attack had targeted. The messages acknowledged the earlier attack and asked recipients to download a zip file that claimed to be a security patch fixing the vulnerability that had allowed it. The file has just a 35% anti-virus detection rate.

Unlike most phishing attacks, which tend to target banks and other financial firms with the goal of monetary gain, this attack is much more worrisome. While the kind of information that could be stolen in such an attack could be sold for huge sums on the black market, the other implications are far more serious. Should a hacker gain access to a military or intelligence computer there is no telling what kind of havoc they could wreak. It could result in a national security crisis. This should be of particular concern to the US government, which has come under fire in recent months for its poor cyber security practices. Last week, the Bipartisan Policy Center hosted a simulation of a cyber attack on the US and the government failed miserably. Security experts say the government is woefully unprepared for a cyber attack and that it’s no longer a question of if one will occur, but when.

Boffins releasing tool to foil drive-by attacks

Written by John P Mello Jr on February 25, 2010
NoScript is a free Mozilla extension that can counter drive-by infections.

One of most frightening threats facing Web surfers is the drive-by infection. The thought that their computer could be infected just by entering a Web site is a sobering one to many websters. Peace of mind, though, may be on the way, as researchers are preparing a free tool that will shield netizens from drive-by menaces.

The tool is called BLADE (Block All Drive-By Download Exploits) and is designed to protect cybernauts from the roughly 5.5 million Web pages containing drive-by malware.

“Unlike push-based approaches adopted by Internet scanning worms and viruses, contemporary malware publishers rely on drive-by exploits for silent dissemination of spyware, trojans and bots,” the researchers from SRI International and Georgia Tech’s School of Computer Science wrote in “BLADE: Slashing the Invisible Channel of Drive-by Download Malware.”

“Drive-by downloads, which result in the unauthorized installation of code through the browser and into the victim host,” they added, “have become one of the dominant means through which mass infections now occur.”

Drive-by traps typically ambush Net goers who have been tardy in keeping their computers’ operating systems and applications current with the latest security patches. Browser vulnerabilities and plug-ins like Adobe Reader and Flash are favorite targets of malicious software writers. They even have “exploit packs” that will probe a Web site visitor’s computer and intelligently determine if any number of vulnerabilities remain unpatched.

According to the researchers, BLADE is a kernel-based monitor designed to block any malware delivered through a browser. The tool is based on a simple principle. All browser downloads fall into two categories: supported files, which make up Web pages (HTML, images and the like), and unsupported files, such as EXE and ZIP. Browsers fetch supported files silently, and they are supposed to alert the user when an unsupported file type is being downloaded. Nefarious Web sites subvert that notification so they can plant their dirty wares on a target computer. What BLADE does is introduce capabilities at the operating system level that prevent execution of any downloaded unsupported content the user has not directly consented to through user-to-browser interaction.
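A toy reference monitor that applies the consent rule described above, written here as an added example (it is not the BLADE code from SRI and Georgia Tech): a download of an unsupported type is quarantined unless the user consented to it shortly before, and quarantined files are refused execution. The event model, the supported-type list and the five-second consent window are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Types the browser renders itself; anything else is "unsupported" (constructed list).
SUPPORTED_TYPES: Set[str] = {"text/html", "text/css", "application/javascript",
                             "image/png", "image/jpeg", "image/gif"}

@dataclass(frozen=True)
class Event:
    kind: str          # "consent" (user clicked Save), "download", or "exec"
    path: str          # where the browser wrote the file / what the OS tries to run
    t: float           # timestamp, seconds
    content_type: str = ""

class BladeLikeMonitor:
    """Reference monitor modelled on the BLADE principle: an unsupported download
    is quarantined unless a user consent for that path was recorded shortly
    before it, and quarantined files are refused execution. The consent window
    and the event model are assumptions of this example."""
    CONSENT_WINDOW = 5.0  # seconds a consent stays valid for its path

    def __init__(self) -> None:
        self._consents: Dict[str, float] = {}
        self.quarantined: Set[str] = set()

    def handle(self, ev: Event) -> str:
        if ev.kind == "consent":
            self._consents[ev.path] = ev.t      # user-to-browser interaction
            return "noted"
        if ev.kind == "download":
            if ev.content_type in SUPPORTED_TYPES:
                return "allow"                   # page content, fetched silently by design
            when = self._consents.pop(ev.path, None)
            if when is None or ev.t - when > self.CONSENT_WINDOW:
                self.quarantined.add(ev.path)    # unsupported file nobody asked for
                return "quarantine"
            return "allow"
        if ev.kind == "exec":
            return "deny" if ev.path in self.quarantined else "allow"
        raise ValueError(f"unknown event kind {ev.kind!r}")

def run(events: List[Event]) -> List[str]:
    # Feed an ordered event trace through one monitor and return its decisions.
    mon = BladeLikeMonitor()
    return [mon.handle(ev) for ev in events]

# Constructed trace: a consented download of setup.exe beside a drive-by update.exe.
TRACE = [
    Event("download", "C:/Temp/index.html", 0.0, "text/html"),
    Event("consent", "C:/Downloads/setup.exe", 1.0),
    Event("download", "C:/Downloads/setup.exe", 2.5, "application/octet-stream"),
    Event("download", "C:/Temp/update.exe", 3.0, "application/octet-stream"),
    Event("exec", "C:/Downloads/setup.exe", 4.0),
    Event("exec", "C:/Temp/update.exe", 4.1),
]
```

Running `run(TRACE)` allows the page and the consented installer but quarantines and then refuses to execute the silently dropped update.exe; a consent older than the window is treated as absent.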

Hackers Pumping Out Olympics Spam

Written by Sue Walsh on February 23, 2010

It comes as no surprise that scammers have been quick to exploit the 2010 Winter Olympic Games for their own benefit. Spam claiming to have exclusive videos of events like the tragic death of Georgian luger Nodar Kumaritashvili has been spreading. The links lead to malicious sites pushing fake anti-virus software or dropping Trojans.

In addition, scammers have set up a fake Twitter account that sends out tweets disguised to look like Olympic updates. The URL has a subtle typo but at first glance looks like the official Olympics site, Vancouver2010.com. When users visit the site they are prompted to download a codec or Flash update. The fake update is actually a Trojan.

“Given the popularity of the Winter Olympics, it is not surprising that attackers are taking advantage of the event to spread malware,” said Michael Sutton, vice president of research at Zscaler. “Given the authentic nature of the attack site, lack of anti-virus signatures, use of Twitter to advertise the campaign and timing of the attack, it is reasonable to assume that it will succeed.”

Other Olympic-themed spam campaigns include messages offering travel tips for those going to Vancouver or offering bus tickets and transit passes. Scammers have also used black hat SEO techniques to poison search results for top Olympic athletes like Bode Miller, Sasha Cohen, and Jennifer Rodriguez.

Google Buzz: socnet or spam magnet?

Written by John P Mello Jr on February 18, 2010
Privacy holes in Google Buzz could attract spammers.

Google is scrambling to patch the privacy holes in its Buzz application launched last week, hopefully before spammers turn the social network into a gold mine for their repugnant activities.

When introduced last Tuesday, the yawning flaws in Buzz could be seen in its privacy agreement.

“When you first enter Google Buzz,” it stated, “to make the startup experience easier, we may automatically select people for you to follow based on the people you email and chat with most.”

Assuming a user wants to “follow” someone just because they trade emails may have seemed convenient to Buzz designers, but in fact it’s a needless usurpation of a user’s ability to choose with whom he or she associates. Sure, automating who a user follows is a quick way to build a following list, but it actually adds hassle to the process as a user must manually scrutinize who he or she is following and weed out the deadwood.

But the blunders get better. “Similarly,” the Buzz privacy statement continued, “we may also suggest to others that they automatically follow you.” Automatically putting the touch on people to follow a user based on the user’s Gmail address book is an expedient way to rapidly build a socnet without the fuss of inviting people to join individually. What the Buzz designers failed to fathom is that just because a user communicates frequently with someone in his or her address book doesn’t mean that user wants to share his or her every thought with that contact. What someone might divulge through a tweet or Facebook comment isn’t always something he or she wants divulged to a frequent email correspondent like a client or boss. Facebook understood that from the start, so it’s surprising that the savvy crew at Google could make such a blunder.

Granted, a user can block any of his or her followers but why should the onus be placed on the user to comb out unwanted followers from a list created by Google?

Those inconveniences to users, though, aren’t what will be percolating the interest of spammers in the new social network. It’s the availability of a new source of public information about millions of potential marks.

Conficker Worm Cripples Police Department

Written by Sue Walsh on February 16, 2010

The Conficker worm shut down the Manchester UK police station for 3 days earlier this month. It forced police officers to rely on other jurisdictions to access the country’s criminal database, as the Manchester station was disconnected from the UK Police National Computer Network. Investigators blame an infected USB stick for the incident. Endpoint security is fast becoming one of the most important and sought-after security measures in organizations to prevent the spread of viruses via USB ports.

“Virus scanning has to extend beyond the PC to all types of removable storage,” Jason Holloway, Northern European sales manager with SanDisk, said. “Better still, employees should only be able to use authorised flash drives that include on-board antivirus scanning. This ensures that users can’t turn off, disable or work around the protection, and would stop these infections from spreading.”

Conficker has spread like wildfire across the net and has infected over 7 million computers. It was first spotted in 2008. Experts still aren’t sure what its purpose is since its botnet is seldom used.

A year ago Manchester council’s computers were attacked by Conficker, forcing the town to write off parking tickets and spend over 1 million pounds to fix the infection. It’s not yet known if the Manchester police will have to overlook any violations or void any arrests because of their infection.

Firefox add-on was clean, maker says

Written by John P Mello Jr on February 12, 2010

An add-on program that allegedly infected the computers of 4,000 users of the Firefox Web browser was clean and malware free, according to the maker of the application.

According to Sothink Software, the add-on, Web Video Downloader 4.0, was misidentified as a malware carrier due to a compression utility called Armadillo embedded in Sothink’s offering. The utility is often used by crackers to compress and hide malicious code in malware, the company explained. “That’s the reason why the [virus] scans are hitting on the file as suspicious,” it said, “[T]here isn’t any virus in Web Video downloader or in Armadillo….”

The company added that it hasn’t used Armadillo in the software for quite some time and that the latest release of the add-on, version 5.7, has been certified clean and safe by VirusTotal, an independent virus detection service.

The Video Downloader add-on is a free program that allows a user to capture Adobe Flash video from Web sites such as YouTube, Google and MSN within Firefox and save it in a number of formats, including FLV, WMV, ASF, AVI, MOV, RM and RMVB.

Last week, the Mozilla Foundation, maker of Firefox, removed Video Downloader 4.0, as well as another program called Master Filer, from its add-ons site (AMO), claiming the software was infected with malware.

Browser flaw tied to attack on Google

Written by John P Mello Jr on January 21, 2010

A zero-day bug in Microsoft Internet Explorer was a key element in an attack on Google and other companies last week. The attack, designed to ransack the Gmail accounts of some Chinese human-rights activists, managed to clip some of the Search King’s intellectual property in the process.

“In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google,” Google said in a statement issued last week. “However, it soon became clear that what at first appeared to be solely a security incident–albeit a significant one–was something quite different.”

“As part of our investigation we have discovered that at least 20 other large companies from a wide range of businesses–including the Internet, finance, technology, media and chemical sectors–have been similarly targeted,” Google added.

The attack illustrates that even the Google elite can be duped by a social engineering ploy wrapped in an email message. According to security experts, the email messages used by the attackers were targeted at specific Google employees likely to have access to valuable proprietary information on their company’s servers. The messages were carefully disguised to look as if they originated with sources the employees would trust.

Since the messages appeared to come from a trusted source, the Googlites didn’t hesitate to click links in the electronic epistles. Once that was done, the story took a familiar turn. The links resulted in malware being downloaded to the employees’ computers. The malware exploited an unknown vulnerability in Internet Explorer and opened a back door on the compromised machines. The back door let the crackers snoop around the wounded computers and gain control over their operation, using them to identify meaty targets and bleed valuable data from them.

Romanian Man Facing Prison Time For Phishing

Written by Sue Walsh on January 15, 2010

A 28-year-old Romanian man is facing 5 years in prison after pleading guilty to a charge of conspiracy to commit fraud related to spam. Cornel Ionut Tonita was involved in a phishing ring with two other men. The men set up fake websites designed to look like the account login pages of such companies as Citibank, Wells Fargo and eBay. They stole passwords and financial information and passed them along to others who used them to make fake credit cards.

Tonita admitted to using email harvesting software and sending spam designed to lure people to the fake sites. Authorities say he sent a file of almost 10,000 addresses to one of the other men.

All three men have been convicted. One of them, Ovidiu-Ionut Nicola-Roman, was the first foreign national ever convicted of phishing in the U.S. He was sentenced to 4 years in prison. Tonita will be formally sentenced in April.

Phishing has become a multi-million dollar industry for cybercriminals, and experts say their attacks are becoming more and more targeted and sophisticated.

Phishing and Malware in the Smart Phone Era

Written by Paul Cunningham on January 13, 2010

The last few years have seen a sharp rise in the power and features of smart phones such as the Blackberry, Apple iPhone, and most recently Google Android-based phones.

Coupled with this rise is a new ecosystem of mobile application development, made mainstream by Apple’s App Store for the iPhone which boasts over 30,000 applications available for download.

This trend has reached a new, troubling milestone with the discovery of several fraudulent banking applications on the Google Android online store. The programs were disguised as genuine mobile banking applications and were designed to steal online banking credentials from anyone using them.

Although the applications have now been removed, the incident highlights the constant evolution of the security threat landscape. As technology becomes more ubiquitous, it extends the threats in what are frankly quite predictable directions, at least for the security-minded among us.