Bank/Customer Lawsuits Over Phishing Scams Rising

Written by Sue Walsh on March 8, 2010

Over the past week there have been two instances of banks and customers suing each other over phishing attacks. In the first, Texas-based Hillary Machinery Inc. fell victim to a phishing attack and had over $800,000 stolen from its account. Its bank, PlainsCapital, recovered around $600,000, but when Hillary Machinery asked for the remaining $200,000 to be refunded, PlainsCapital responded with a lawsuit of its own. The suit asks the court to declare that the bank's security procedures were reasonable and that it processed the fraudulent ACH transfers in good faith. Hillary Machinery was stunned.

In the second case, a Michigan supply company is suing its bank, claiming it does not adequately protect its customers from phishing attacks. Experi-Metal Inc. claims that Comerica Bank encouraged phishing attacks by sending customers an email asking them to click a link to download an update to the bank's security software. This is a well-worn phisher's trick, and the company says that by using it the bank made customers more willing to trust fake emails claiming to be from Comerica. Experi-Metal lost over $500,000 to a phishing attack.

In response, the bank said it was the fault of the Experi-Metal employee who fell for the phishing scheme and handed over the company's banking credentials. Furthermore, it said, the phishing site would have been obviously fake “to any reasonably alert person who was responsible for safeguarding EMI's financial records and digital credentials.” Ouch. Basically the bank is insisting it's not at fault because the employee was stupid enough to fall for the phishing email, but does Comerica bear some responsibility for its practice of sending out emails with links directing customers to download a security update? (The bank has since switched to a different system. The employee apparently trusted the phishing email because of the earlier, genuine one.) What do you think? When a phishing attack succeeds, who should be held responsible, the victim or the bank?

Military Personnel Targeted by Zeus

Written by Sue Walsh on March 2, 2010

A new phishing attack distributing the Zeus Trojan has taken aim at military personnel and intelligence officials in several countries, including the US. The spammers behind the attack exploited the name of a trusted security firm, sending fake messages pretending to be from it. Using social engineering, they wrote to the same people their earlier phishing attack had targeted: the messages acknowledged that attack and asked recipients to download a zip file claiming to be a security patch for the vulnerability that had allowed it. The file is detected by only about 35% of anti-virus engines.

Unlike most phishing attacks, which target banks and other financial firms for monetary gain, this one is far more worrying. The kind of information stolen in such an attack could be sold for huge sums on the black market, but the other implications are more serious: should an attacker gain access to a military or intelligence computer there is no telling what havoc could follow, up to and including a national security crisis. This should particularly concern the US government, which has come under fire in recent months for its poor cyber security practices. Last week the Bipartisan Policy Center hosted a simulation of a cyber attack on the US, and the government side failed miserably. Security experts say the government is woefully unprepared for a cyber attack and that it's no longer a question of if one will occur, but when.

Phishing and Malware in the Smart Phone Era

Written by Paul Cunningham on January 13, 2010

The last few years have seen a sharp rise in the power and features of smart phones such as the BlackBerry, Apple iPhone, and most recently Google Android-based phones.

Coupled with this rise is a new ecosystem of mobile application development, made mainstream by Apple's App Store for the iPhone, which boasts over 30,000 applications available for download.

This trend has reached a new, troubling milestone with the discovery of several fraudulent banking applications on the Google Android online store. The programs were disguised as genuine mobile banking applications and were designed to steal online banking credentials from anyone who used them.

Although the applications have now been removed, the episode highlights the constant evolution of the security threat landscape. As technology becomes more ubiquitous it extends the threats in what are, frankly, quite predictable directions, at least for the security-minded among us.

Fake Outlook Notifications Spreading Malware

Written by Sue Walsh on January 12, 2010

Security experts have detected a new phishing campaign that uses fake Microsoft Outlook notifications to spread malware. Over a million of the spam messages have been intercepted by spam and phishing filters since Thursday.

The messages look like an alert from the recipient's IT department notifying them that a security upgrade is available and asking them to log into their account to retrieve the new settings. The link leads to a fake Outlook Web Access page, which asks them to download a file supposedly containing the new security settings. The file is actually an .exe carrying the Zbot (Zeus) banking Trojan.

What sets this spear phishing attack apart from past ones is the sheer volume of messages being sent out and the fact that the messages are highly personalized to each domain they are sent to.

In a related attack, search engine results for “office.microsoft.com” have been poisoned with pages leading to fake anti-virus software sites. 2010 has kicked off with a bang for malware distributors, hackers, and spammers. They are growing more sophisticated every day, meaning 2010 could be a record year for attacks.

UCSF Doctor Falls For Phishing Scam and Causes Data Breach

Written by Sue Walsh on January 4, 2010

A doctor at the UC San Francisco School of Medicine fell for a phishing scam and turned over his login credentials to hackers, exposing the personal information of over 600 patients. Demographic and clinical information on the patients, and in some cases Social Security numbers, was compromised. The doctor received an email made to look like it came from the UCSF I.T. department and believed it.

The breach occurred in September but was not announced until the investigation had been completed. It's not the first time UCSF has been involved in a compromise of patient data: in 2007 the personal information of over 6,000 patients was exposed on the net for months before it was discovered. The affected patients were infuriated when they learned that UCSF had waited six months to tell them because it wanted to complete its investigation first. UCSF responded by saying it was working to improve its security practices, but apparently hasn't done so.

The doctor’s name isn’t being revealed and the patients affected have been notified. UCSF said it has “re-educated” staff members on the importance of security and protecting their user names and passwords.

Unreported Spam Costing Billions

Written by Paul Cunningham on December 23, 2009

Sky News UK has reported on the results of research into victims of online fraud. The survey revealed that some fraud is never reported due to embarrassment, indifference, or simply not being aware that the fraud has even occurred.

These reasons might seem strange to people who assume that any fraud victim would want to see justice and would immediately report the matter to the authorities. Unfortunately online fraud caused by spam, phishing, and other scams often does go unreported. Let's take a closer look at the reasons for this, and why those reasons should be put aside in favour of more reporting.

Embarrassment

There are a few different reasons why someone may be too embarrassed to report a fraud. The first is when the amount of money lost is very high. Being scammed out of your life savings would be a devastating and embarrassing event, and many people would feel so ashamed that they would want to keep it secret. An attitude of “I should have known better” can play a role in this.

Another reason is when the nature of the scam is itself sensitive or embarrassing. Examples include Russian mail-order bride scams and fake male enhancement drug scams. In both cases a person could easily be too embarrassed to admit they were trying to buy those things in the first place, on top of the embarrassment of being a fraud victim.

It takes a lot of bravery to come forward and admit you were fooled. Two things should be remembered here. Firstly, these are professional criminals, often with very effective methods for tricking people. Secondly, reporting your incident to the authorities can help prevent other people from becoming victims in future.

Indifference

Say what you want about criminals, but they usually aren't stupid. It might seem strange to look at them this way, but a lot of online criminals are basically malicious marketers, with all the skills that honest marketers have. One of these is an understanding of human nature, and one of the natural instincts of a lot of people is not to bother with trivial matters.

New Spam Campaign Aimed at Quickbooks Users

Written by Sue Walsh on December 11, 2009

Intuit is warning its customers about a new spam campaign targeting users of its popular Quickbooks software. The spam messages claim to be an urgent notification from Intuit informing the recipient that the company has suffered a data breach in which customer names, addresses and phone numbers were stolen. The email goes on to reassure them that no banking information was accessed and that the company has taken corrective measures, which include a “Windows Quickbooks Update” and an “Internet Explorer Plug-In”. It urges the recipient to click the included links and download them immediately, or they will no longer be able to use the Quickbooks software.

The links, not surprisingly, lead to malware, namely a Trojan horse. Intuit has not provided specific details about the malware, but given the users the campaign targets, it is likely some form of data-theft malware such as Zbot/Zeus.

Intuit calls it a phishing attempt, but it is really a campaign that blends characteristics of spear phishing, malware attacks and plain old spam. Since Quickbooks is designed to help businesses organize their payroll and finances, it's not surprising that cyber-criminals are targeting it. Fortunately most of the software's users are probably well aware that Intuit pushes updates through the program itself, not via email. The company asks that anyone who receives this spam forward it to security@intuit.com for investigation.
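Both the fake Outlook notification described above and this Intuit message share the same mechanics: a plausible-looking link whose real target is an executable on a domain the supposed sender does not own. The following is an added example, not code from the original post or from Intuit, that audits the anchors in an HTML email body against the domains the claimed sender actually uses. The email body, the `intuit-security.example` and `cdn.example.net` hosts and the file paths are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# File types a "security update" link should never hand you directly.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".bat", ".zip")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL, or of a bare 'www.host/path' string as shown in link text."""
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()


def under_domains(host, domains):
    """True if host is one of the domains or a subdomain of one of them."""
    return any(host == d or host.endswith("." + d) for d in domains)


def audit_links(html_body, claimed_domains):
    """Return (href, text, reasons) for every link that fails a check.

    claimed_domains: the registered domains the purported sender actually uses.
    """
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        reasons = []
        href_host = host_of(href)
        if href_host and not under_domains(href_host, claimed_domains):
            reasons.append("host not under claimed sender domain")
        # Link text that looks like a URL (has a dot, no spaces) must point where it says.
        text_host = host_of(text) if "." in text and " " not in text else ""
        if text_host and text_host != href_host:
            reasons.append("visible URL differs from real target")
        if urlsplit(href).path.lower().endswith(EXECUTABLE_EXTENSIONS):
            reasons.append("link downloads an executable")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample, modelled on the Intuit message described above; the
# hosts and paths are invented for this example, not taken from a real email.
SAMPLE_EMAIL = """
<p>Dear customer, following a security incident a Windows Quickbooks Update is required.</p>
<p><a href="http://update.intuit-security.example/qbupdate.exe">www.intuit.com/update</a></p>
<p><a href="http://quickbooks.intuit.com/support">Support page</a></p>
<p><a href="http://cdn.example.net/plugin/ieplugin.zip">Internet Explorer Plug-In</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in audit_links(SAMPLE_EMAIL, {"intuit.com"}):
        print(f"{text!r} -> {href}: {', '.join(reasons)}")
```

The three checks are reported separately because they fail independently: the second link in the sample passes all of them, while the first fails all three and the third fails two. Any finding at all is reason to verify the message through a channel other than the email itself, which is exactly what Intuit's own advice amounts to.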

New Spear Phishing Attack Targets PR Firms and Lawyers

Written by Sue Walsh on December 1, 2009

The FBI has issued a warning about a new phishing attack targeting PR firms and lawyers. The messages carry business-specific subject lines designed to convince the recipient that the message is legitimate. The body contains either a malicious link or an attachment that, when clicked, downloads a file called “srhost.exe” from a site called d.ueopen.xom (URL purposely mistyped to avoid accidental clicks). The FBI is advising IT departments to block any traffic to the ueopen domain, which is registered in China, and to treat any such traffic as a definite sign that their network has been compromised.
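Turning the FBI indicators into something an IT department can run against its own proxy logs, as an added example that is not part of the FBI warning or of the original post: the script matches each requested URL against the registered label of the download domain named above, `ueopen` (the post deliberately obscures the TLD, so only the label is matched), and against the dropped file name `srhost.exe`. The log format and the log lines themselves are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the FBI warning in the post above. The post
# deliberately mistypes the TLD of the download site, so only the label
# directly under the TLD ("ueopen" in d.ueopen.xom) is used here.
IOC_DOMAIN_LABELS = {"ueopen"}
IOC_FILENAMES = {"srhost.exe"}

# Assumed proxy log format (constructed for this example, not a real product's):
# "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample traffic: line 2 is the download described in the
# warning, line 3 is the same file name served from elsewhere, and line 4
# is a lookalike host that must NOT match.
SAMPLE_LOG = """\
2009-12-01T09:14:02Z 10.1.2.33 GET http://www.example.com/news/index.html 200
2009-12-01T09:15:47Z 10.1.2.51 GET http://d.ueopen.example/srhost.exe 200
2009-12-01T09:16:10Z 10.1.2.51 GET http://cdn.example.net/update/srhost.exe 200
2009-12-01T09:17:33Z 10.1.2.77 GET http://ueopen.example.org/ 200
this line is malformed and is skipped
2009-12-01T09:18:05Z 10.1.2.90 GET http://mail.example.com/owa/ 302
"""


def registered_label(host):
    """Return the label directly under the TLD: 'ueopen' for d.ueopen.xom.

    Assumes a single-label public suffix; hosts under multi-label suffixes
    such as co.uk would need a public-suffix list to do this properly.
    """
    labels = host.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify_url(url):
    """Return the names of the indicators this URL matches (empty list if none)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if host and registered_label(host) in IOC_DOMAIN_LABELS:
        reasons.append("domain")
    filename = parts.path.rsplit("/", 1)[-1].lower()
    if filename in IOC_FILENAMES:
        reasons.append("filename")
    return reasons


def find_ioc_hits(log_text):
    """Scan proxy log text and return one dict per line that matches an indicator."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        url = m.group("url")
        reasons = classify_url(url)
        if reasons:
            hits.append({
                "line": lineno,
                "client": m.group("client"),
                "host": urlsplit(url).hostname,
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG):
        print(hit)
```

Matching the label directly under the TLD rather than any label in the hostname keeps a lookalike such as ueopen.example.org from firing; the flip side is that a single-label public suffix is assumed, so hosts under suffixes such as co.uk would need a public-suffix list. A filename-only hit is reported separately because the same executable can be served from a new domain once the first one is blocked, and the client address in each hit is the machine to pull for investigation.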

Security experts say attacks against legal agencies are increasing due to the large amount of personal and financial information they possess. Such personal data is highly sought after on the underground cybercrime market and can be used or sold for a handsome profit.

This latest warning came as the Government Accountability Office released a report saying that cyberattacks against the U.S. are rising sharply and that as a result of the increasing connections between the Internet and information systems, hackers are being presented with more and more opportunities to do things like disrupt telephone service or the power grid. The GAO says it is critical that the U.S. do more to protect its infrastructure and critical services and increase its level of cyber security.

5 Tips to Protect Yourself From Spam Scams (That Don’t Quite Work)

Written by Paul Cunningham on November 26, 2009

NBC Chicago published a list of 5 tips for people to protect themselves from scam emails. Although they mean well, and the tips are a step in the right direction, they are far too simple to be really effective at stopping spam. Let's take a look.

Tip 1 – If you don’t know the sender, don’t open it!

This tip is a carry-over from the old days of computer viruses, when people were advised not to trust email attachments they were not expecting. These days the malicious payload of an email is rarely in an attachment; it is usually hosted on a website somewhere, in the form of a product sales scam or a web browser exploit.

The tip doesn’t work for two reasons:

  1. Emails from people you know can be just as untrustworthy as emails from people you don't. If someone you know has their email or social networking account compromised, you are likely to receive malicious email from “someone you know”.
  2. Businesses could not survive if they did not open emails from people they don't know. The physical-world analogy would be refusing to open your store's door to anyone you didn't recognize, cutting off all new customers.

A more practical approach is to assess emails on their contents and to use an alternate channel to verify anything that seems unusual or out of character. A graphic designer who refused to open email from strangers would be turning away customers, whereas a person who trusts a friend's message asking for emergency money could easily fall victim to a scam.

Tip 2 – Watch out for emails that request personal information

This tip is oversimplified by the statement “No legitimate organization will ask for your social security number”. Protecting sensitive personal information such as Social Security and credit card numbers is important, but what about seemingly harmless information?

Let's say you receive one of those amusing chain letter emails asking 25 questions about you, such as the name of the street you grew up on, your favorite movie, your pet's name, and so on. In answering them you are revealing exactly the kind of information that password reset questions rely on, and that can be used against you in future attacks.

We Have Not Won The War On Spam

Written by Paul Cunningham on November 20, 2009

I came across an article today, written last week, that proclaimed “We won the war on spam”. The general thrust of the article is that “despite continued hysteria, unwanted e-mail is largely a thing of the past”.

This is an interesting point of view, and one I happen to disagree with, but on further thought I realize that this is mostly a matter of perspective: business vs personal, or big vs small.

The writer, Mark Gimein, approaches the matter from his own personal experience. Mark has a slightly more complex email setup than the average person: a series of email addresses for various purposes, all forwarding into a Gmail account. In Mark's experience spam has all but vanished from his inbox, although a few messages still slip through the filters.

I'm not disputing Mark's account; I don't see very much spam slip through the filters into my inbox either, but the war on spam is most definitely not won. Mark hints at what I'm about to say with this paragraph in his article:

Stopping spam does take effort—without a doubt Yahoo and Google devote resources to it. But that’s just part of their business, no different from all the other things they need to do to keep their e-mail systems running. What matters is that from the point of view of users like me, what’s going on under the hood to keep junk out and legitimate messages in needn’t concern us.

For an email user in a business, what goes on under the hood shouldn't concern them, but it most certainly concerns the business. Businesses spend thousands of dollars each year protecting their email systems from spam and malware. This is not a trivial expense, and in itself it stands as solid proof that the war on spam is far from over.