Phishing

Blippy, a Spear Phisher’s Dream

Friday, January 22nd, 2010

This month, a service called Blippy was rolled out to the general public. In a CNN article this week, Blippy was described as a “financial version of twitter.com”, where users’ credit card transactions are posted to the internet much like the short tweets that people post to twitter. On twitter, users post up to 140 characters on any topic they wish to discuss. On Blippy, a posting displays how much a person paid for a recent purchase. In the image below for example, we see that Jason Calacanis of Mahalo paid $112.64 at Amazon for a SanDisk 16GB 60MB/s Extreme Compact Flash Card.


Example of a Blippy transaction.

CNN reporter John D. Sutter asks Blippy cofounder Philip Kaplan whether there are any dangers in posting this sort of information:

CNN: Is there any potential that this would expose someone to an attack on their financial information, or that it could be used against them?

Kaplan: I don’t — we’ve all been taught that this is just something you don’t do. As an aside, when I was a kid, we weren’t allowed to tell anybody we were going out of town, and we had timers in the house that would turn the lights on and off so it would look like we were home. But now you tweet when you’re at dinner. … You put your whole schedule on Facebook so people can like plan their robberies ahead of time. And I think the pros far outweigh the cons in that scenario. … I think the risks in actuality are very small. Similarly, I think we have this engrained thing that we’re taught, which is to not share this [financial] information, and we don’t really know why.

That’s not the right answer to the question. Information found in Blippy postings (“blips”?) can be used against the people who post them. Let’s go back to the example in the image above.

We find:

  • a user’s name
  • the name of a business with whom they had a financial transaction
  • how much they spent
  • for certain retailers, what they bought

Great. Now let’s examine what is presented to someone who receives an email in a traditional phishing attack, which we know to be a very profitable endeavor for bad guys. (A recent study by Cyveillance found that average attacks can cost millions of dollars in losses.) It really comes down to two things:

  • The email is made to look like it comes from one’s bank or other business institution.
  • The email contains a call to action, where the recipient is asked to follow a link to a website online.

Spear phishing takes things a step further by personalizing the email sent to the potential victim. The attack may address the victim by name or phone number (see example), lending credibility to the attack and greatly increasing the likelihood that the recipient becomes a victim.

From a cyber criminal’s point of view, Blippy currently offers great information to construct a highly targeted spear phishing attack. After examining the types of purchases Blippy shows for Best Buy, consider the spear phishing attack one could construct for a hypothetical Blippy user named Johann Gonzales:

Dear Johann Gonzales,

Thank you for your recent purchase of $52.99 at Best Buy. To receive credit for your purchase in our Best Buy Reward Zone program and receive valuable discounts on future purchases, click here

Putting together such an email would require software to “scrape” information from Blippy that it would then use to send to an array of likely email addresses for Johann Gonzales, like jgonzales@gmail.com, jgonzales@hotmail.com, johanngonzales@gmail.com, johanngonzales@hotmail.com, and so on. Given that software needed to carry out such an attack is freely available online, it must be assumed that cyber criminals are preparing such an attack on Blippy users. Even if they are not yet preparing, for the sake of Blippy’s users, Blippy must plan ahead as if they are.

Conclusion

Currently banks reimburse users when they become victims of phishing attacks, but the financial industry often wonders at what point it becomes the victim’s responsibility for losses incurred during phishing attacks. The information that Blippy users currently provide to would-be cyber criminals gives businesses more leverage to say that they will not reimburse losses incurred in spear phishing attacks. After all, if the Blippy user practically hands the bad guys all the information they need to carry out an attack, how is it the bank’s fault?

Blippy does hold promise as a way for consumers to gain information about the prices of goods and services. But it also currently provides a literal wealth of information for spear phishers. Luckily Blippy can take the simple measure of hiding usernames, or otherwise removing any link from a posting to the user’s real name.


As always, if you think you have received a phishing email, please send it to:

reportphishing@cyveillance.com

Report Phishing Attacks

Friday, January 15th, 2010

If you think you have received a phishing email, please send it to:

reportphishing@cyveillance.com

Cyveillance will analyze the suspected phishing attack and take the necessary action to minimize the number of victims of the attack.

Background: What Are Phishing Attacks?

Phishing is a method online criminals use to try to gain access to the username and password you use for important online activities like banking and paying bills. The attackers will send an email that looks like it comes from places like your bank or financial institution. The email can look very real, and will provide a link for you to access your account online.

Unfortunately when you log in to your account using the link in that email (don’t!), you will have provided your username and password to criminals who will then use it to access your account and likely remove funds from your account.

Some types of companies that cyber criminals commonly try to impersonate to gain access to your account information:

  • Banks
  • Credit unions
  • Online payment services like Paypal
  • Hosting companies (see example)
  • Software vendors (see example)
  • Utilities, like your gas, electric, or internet service provider (ISP)

Further Reading

For a detailed analysis of the economics behind phishing attacks, please see Cost of Phishing: Understanding the True Cost Dynamics Behind Phishing Attacks.

Charitable Phishing Scams Grow Significantly During the Holiday Season

Tuesday, December 15th, 2009

Cyveillance advises consumers to exercise caution when making online charitable contributions. See the full announcement here.

Hosting Companies Targeted in Recent Phishing Attacks

Friday, December 4th, 2009

Earlier today, Cyveillance detected attacks targeting Web hosting companies and their customers. As part of one of the attacks, the email below is sent to users:

Screenshot of the phishing email.

As you can see, the email asks the user to “confirm your FTP details”. The user is instructed to click on the link in the email that routes him or her to the fake administrator’s Website below:

Screenshot of the fake administrator’s Website.

On the fake Website, the user is asked to provide login credentials. If the credentials are entered, the user has effectively handed over access to every Website controlled by that login. Users can avoid falling victim to this attack by never clicking on the link within the emails and only accessing online applications directly through known Web sites and pages.

New York Times Gets It Wrong: Phishing Does Hurt Us All

Monday, November 30th, 2009

The teaser appearing in the bottom corner of the New York Times print edition’s Sunday Business section looked promising: Phish foil. Digital Domain. The article’s title, Don’t Take This Bait (But You’re Safe If You Do), suggested there would be more coverage of phishing, a generic name for attempts by online criminals to gain internet users’ login credentials to online banking services by presenting them with fake login pages. Unfortunately, while Stross’ article did indeed discuss phishing and offered some tools internet users can use to keep their bank accounts safe online, the article’s main message completely misses the mark.

The article begins by relaying a close encounter that FBI Director Robert S. Mueller III had with a phishing attack. Although Mueller reportedly did not fall victim to the attack, Mueller emphasizes the lengths criminals go to gain access to one’s bank funds through email-based phishing attacks. Unfortunately, the crux of the article boils down to this:

I’m not convinced, however, that online banking carries the high risk that Mr. Mueller implies. I know that as ordinary computer users, we are offered unlimited bait from phishers. But I’m not particularly worried: I’m not on the hook for losses from fraud — my bank is.

The article concludes by emphasizing that banking customers need not worry about falling victim to phishing attacks because virtually all financial institutions offer full remuneration in cases where unauthorized individuals access and remove funds from an online account.

At a very narrow and superficial level this premise is true and provides some comfort to victims of an attack. However, the reality of this situation is that every time a phishing attack succeeds, it has very negative side effects for all who use online banking. Yes, the bank whose user fell prey to the phishing attack is on the hook for the stolen funds, but we have learned all too well in the past eighteen months that even the largest financial institutions do not have infinite resources. Banks do not simply create money to compensate the victims of phishing attacks – those reimbursements come from insurance policies or income the bank generates from fees levied on its customers. When the banks’ insurance premiums increase or overall costs rise – as they do when their customers get phished – the increases are passed on to consumers.

Further, many victims of successful phishing attacks who have had their money stolen probably would not agree that there is “zero liability” to online banking. The time lost while reporting the attack to their banking institutions is time without access to funds they count on to be there. While banks make an effort to minimize the time phishing victims go without their funds, the process is not immediate and the customers may be left without money needed for critical expenses like food and housing.

The New York Times is to be commended for raising general awareness about the dangers of phishing attacks. But minimizing the impact of phishing is a dangerous message that only helps online criminals.

A Dangerous Blend of Phishing Methods

Thursday, October 15th, 2009

In recent phishing attacks targeting Cyveillance and numerous other organizations, cyber criminals are exploiting outward-facing Microsoft Exchange mail servers to customize and personalize emails so that they appear to come from internal email addresses. Once the sender addresses are spoofed, the bogus messages are sent to the addresses of the organizations’ personnel. The messages ask the recipients to click on a link in order to update their Microsoft Exchange settings. Once clicked, the user is routed to a fake site that appears to be authentic. If the user then clicks on the link to the executable file on the fake site, malware is downloaded to his or her computer. After the malware is downloaded and installed, the user’s computer becomes part of a larger botnet capable of a multitude of malicious acts.
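The attack above relies on a message carrying an internal From: address even though it entered the organization through the outward-facing server. The following is an added example, not Cyveillance’s code or anything from the SANS report, of one detection a mail gateway can apply: if the From: domain is our own, but the Received: line written by our own edge server shows the message was accepted from an address outside our internal ranges, the sender is treated as spoofed. The domain, edge hostname, address ranges and the three sample messages are all constructed for the example.

```python
import ipaddress
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed values for this example (not taken from the post): the organization's mail
# domain, the hostname of its outward-facing mail server, and its internal address ranges.
INTERNAL_DOMAIN = "example.com"
EDGE_HOST = "mx.example.com"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sender_domain(msg):
    """Domain part of the From: address, lower-cased ('' if there is no usable address)."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edge_source_ip(msg):
    """IP our outward-facing server accepted the message from, or None if it never passed that server.

    Only the Received: line written by our own edge server is consulted; any Received:
    lines below it were supplied by the sender and can be forged."""
    for header in msg.get_all("Received", []):
        line = " ".join(str(header).split())
        if re.search(r"\bby\s+" + re.escape(EDGE_HOST) + r"\b", line, re.I):
            m = BRACKETED_IP.search(line)
            return ipaddress.ip_address(m.group(1)) if m else None
    return None


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def classify(raw_message):
    """'spoofed-internal' when an internal From: address came through the edge server from outside."""
    msg = message_from_string(raw_message, policy=policy.default)
    src = edge_source_ip(msg)
    if sender_domain(msg) == INTERNAL_DOMAIN and src is not None and not is_internal(src):
        return "spoofed-internal"
    return "ok"


# Constructed sample messages (headers only matter for the check).
SPOOFED = """\
Received: from mail.example.net (mail.example.net [203.0.113.7])
\tby mx.example.com with ESMTP; Thu, 15 Oct 2009 09:12:01 -0400
From: "IT Helpdesk" <helpdesk@example.com>
To: alice@example.com
Subject: Update your Microsoft Exchange settings

Please click the link below to update your settings.
"""

LEGIT_INTERNAL = """\
Received: from exchange01.example.com (exchange01.example.com [10.1.2.3])
\tby exchange02.example.com with ESMTP; Thu, 15 Oct 2009 09:12:01 -0400
From: "IT Helpdesk" <helpdesk@example.com>
To: alice@example.com
Subject: Maintenance window

Internal notice.
"""

LEGIT_EXTERNAL = """\
Received: from smtp.partner.example.org (smtp.partner.example.org [198.51.100.20])
\tby mx.example.com with ESMTP; Thu, 15 Oct 2009 09:12:01 -0400
From: "Bob" <bob@partner.example.org>
To: alice@example.com
Subject: Meeting

See you Thursday.
"""

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("internal", LEGIT_INTERNAL), ("external", LEGIT_EXTERNAL)]:
        print(name, "->", classify(raw))
```

The check deliberately looks only at the Received: line the organization’s own server wrote, because everything below it in the header chain comes from the sender. Legitimate staff who send from outside (webmail, mobile devices) would trip it too, so in practice messages submitted over an authenticated channel are exempted before this rule runs.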

Email screenshot (spear phishing email).

This attack type was originally reported by SANS earlier this week. The SANS report can be found at https://isc.sans.org/diary.html?storyid=7333. Since the time of the report, the attack has become even more dangerous with the addition of fast flux technology. Fast flux is a technique in which the phishing site is rapidly moved among a group of servers in order to evade detection and takedown.

The malware used in the attack is a Trojan-Spy virus. More information about sample… It is detected by only 4 of the top 41 anti-virus vendors according to VirusTotal (http://www.virustotal.com/analisis/95583b5228d16750aa81a8c8ba6d29455b89297560fbb65b53638bc6b3b9c188-1255547944).

It appears on the surface that the goal of the attacks is to increase the computing power of botnets by increasing the number of bots that belong to the network. Given the numerous organizations targeted and the methods used, this approach clearly demonstrates the sophistication of modern phishers and their ability to amplify the potential danger of attacks targeted at specific victims. By mixing phishing methods in this more creative way, the phishers increase the likelihood that their emails will successfully reach their intended recipients. Users can minimize the potential for falling victim to these types of attacks by never clicking on links within emails and only accessing their online applications through known Web sites and pages.
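Fast flux, as described above, shows up in DNS data as one hostname answering with many different addresses over a short period. The following is an added example, not Cyveillance’s code, of how a defender can spot that pattern in passive-DNS or resolver logs: for each hostname it counts the distinct answer IPs seen within a sliding window, how many /24 networks those IPs span, and the longest TTL, and flags hosts that rotate many addresses across several networks under short TTLs. The log format, the thresholds and the three sample hostnames are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (not data from the post): one DNS answer per line,
# "epoch_seconds hostname answer_ip ttl_seconds", as a resolver or passive-DNS sensor might log it.
SAMPLE_LOG = """\
1255500000 phish.example.net 198.51.100.10 300
1255500300 phish.example.net 203.0.113.22 300
1255500600 phish.example.net 192.0.2.77 300
1255500900 phish.example.net 198.51.100.61 300
1255501200 phish.example.net 203.0.113.140 300
1255501500 phish.example.net 192.0.2.9 300
1255500000 www.example.org 192.0.2.200 86400
1255503600 www.example.org 192.0.2.200 86400
1255500000 cdn.example.com 198.51.100.5 60
1255500060 cdn.example.com 198.51.100.6 60
"""


def parse_log(text):
    """Yield (timestamp, hostname, ip, ttl) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, ip, ttl = parts
        yield int(ts), host.lower(), ipaddress.ip_address(ip), int(ttl)


def max_distinct_ips_in_window(events, window):
    """Largest number of distinct answer IPs seen within any `window`-second span.

    `events` is a time-sorted list of (timestamp, ip)."""
    counts = {}
    best = left = 0
    for t, ip in events:
        counts[ip] = counts.get(ip, 0) + 1
        while events[left][0] < t - window:  # drop answers that fell out of the window
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def analyze(log_text, window=3600, min_ips=5, min_networks=3, max_ttl=600):
    """Per-hostname summary; a host is flagged when many IPs spread over several /24s rotate under short TTLs.

    The thresholds are assumed starting points, not values from the post."""
    by_host = defaultdict(list)
    for ts, host, ip, ttl in parse_log(log_text):
        by_host[host].append((ts, ip, ttl))
    summary = {}
    for host, rows in by_host.items():
        rows.sort(key=lambda r: r[0])
        events = [(ts, ip) for ts, ip, _ in rows]
        distinct_ips = max_distinct_ips_in_window(events, window)
        networks = {ipaddress.ip_network(f"{ip}/24", strict=False) for _, ip, _ in rows}
        longest_ttl = max(ttl for _, _, ttl in rows)
        summary[host] = {
            "distinct_ips": distinct_ips,
            "networks": len(networks),
            "max_ttl": longest_ttl,
            "flagged": distinct_ips >= min_ips and len(networks) >= min_networks and longest_ttl <= max_ttl,
        }
    return summary


def flagged_hosts(log_text):
    """Sorted list of hostnames whose answer pattern looks like fast flux."""
    return sorted(h for h, s in analyze(log_text).items() if s["flagged"])


if __name__ == "__main__":
    for host, stats in analyze(SAMPLE_LOG).items():
        print(host, stats)
    print("flagged:", flagged_hosts(SAMPLE_LOG))
```

The network-diversity condition is what keeps an ordinary content delivery host, which also answers with several addresses and short TTLs but from its own address blocks, from being flagged; a flagged hostname is a candidate for analyst review and for blocking at the resolver rather than a verdict on its own.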

Cyveillance Testing Finds Leading AV Vendors Not Keeping Pace with Influx of Malware and Phishing Attacks

Tuesday, August 18th, 2009

Antivirus and Anti-Phishing Tools Provide Inadequate Detection of Cyber Attacks During Critical First 24-Hour Period

In addition to the AV, Web browser anti-phishing and consumer protection application testing, other key findings in the report include:

  • Cyveillance tracked an online “fraud chain” which included malware components that store and serve malware executables, distribute malware to consumers and receive and store confidential information collected from infected computers.
    • The United States and China continue to host the majority of malware executables representing 33 percent and 21 percent of attacks, respectively, which make up over half of the malware found during the first half of this year. 
  • During the first half of 2009, there was an average of over 23,000 unique phishing attacks per month, which makes phishing still one of the top threats on the Internet.
  • Popular consumer applications used for detecting phishing attacks do not provide adequate protection. Initially, Symantec’s Norton SafeWeb only blocked/warned against 4.4 percent of phishing attacks and increased to only 5 percent after the first 24-hour period.
  • During the first half of 2009, 200 unique brands were first-time targets of phishing attacks, which represents a 26 percent increase over new brands phished in the second half of 2008.

View the report: http://www.cyveillance.com/web/forms/request.asp?getFile=115

Phishers Continue to Innovate

Wednesday, July 8th, 2009

In a recent phishing attack discovered by Cyveillance, cyber criminals used an individual Web site to attack over 160 banks and credit unions. For the attack, the phisher launched an email campaign soliciting users to click on a link within the email referencing a trusted brand (Neteller). Once clicked, the user would be routed to a Web site that asks the user to select their Bank or Credit Union from a list of 162 institutions. If the user selected an institution and clicked on the continue button, he or she would then be asked to enter personal information related to their account. The information given would later be used by the phisher for purposes of identity theft and other criminal activity.

Screenshot of phishing Website.

Given the numerous financial institutions targeted, this approach clearly demonstrates the sophistication of modern phishers and their ability to go beyond simple one-off attacks targeted at specific victims. By being less discriminating in their approach, these growing bundled phishing attacks significantly increase the likelihood that the phisher’s emails will successfully reach their intended recipients. Users can minimize the potential for falling victim to these types of attacks by never clicking on links within emails and only accessing their online banking applications through their financial institutions’ primary Web site.

Software Updates Used as Phishing Bait

Tuesday, June 30th, 2009

Phishers have been using software updates as bait to distribute malicious software (malware). In the example below, the phisher sent the email from a spoofed Microsoft account to a Cyveillance email address, prompting the user to click on the update link in the body of the message. The link text appears to point to a legitimate Microsoft update site (update.microsoft.com). However, the link is actually obfuscated and, when clicked, routes the user to a malicious Website infected with malware.

While attacks such as the one above are not new, it is only recently that this method has truly become a mainstream vector. It is likely that we will continue to see more attacks of this type in the future.

Clicking on links within emails presents potential danger to users. Cyveillance recommends only updating software from the update feature within the application or actually downloading the update from the software vendor’s Website.
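Both the software-update email above and the hosting-company “confirm your FTP details” email earlier on this page depend on a link whose visible text says one thing while its destination is somewhere else. The following is an added example, not Cyveillance’s code, of the check a mail filter or user-awareness tool can run over an HTML message body: it extracts every link, compares the host named in the link text with the host in the href, and also flags destinations that are bare IP addresses. The sample message, the two-label approximation of the registrable domain and the flagging rules are assumptions made for the example.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname named by a URL or bare hostname, or None if the text is not one (e.g. 'click here')."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    try:
        host = urlparse(candidate).hostname
    except ValueError:
        return None
    return host if host and re.fullmatch(r"[a-z0-9.-]+", host) else None


def registrable_domain(host):
    """Last two labels of a hostname: a rough stand-in for the registrable domain (no public-suffix list here)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html):
    """Return one finding per link whose destination does not match what the reader is shown."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual = host_of(href)
        if actual is None:
            continue
        reasons = []
        if is_ip_literal(actual):
            reasons.append("destination is a bare IP address")
        shown = host_of(text)
        if shown and not is_ip_literal(shown) and registrable_domain(shown) != registrable_domain(actual):
            reasons.append(f"text shows {shown} but link goes to {actual}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample message body (not the email from the post): an update lure whose link text
# names update.microsoft.com, a hosting lure, and one honest link for comparison.
SAMPLE_EMAIL = """\
<p>A critical update is available for your computer.</p>
<p><a href="http://203.0.113.5/update.microsoft.com/">http://update.microsoft.com</a></p>
<p>Your hosting account needs attention:</p>
<p><a href="http://203.0.113.9/panel/login">Confirm your FTP details</a></p>
<p><a href="https://update.microsoft.com/">update.microsoft.com</a></p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Only links whose visible text itself looks like a hostname can be caught by the text-versus-href comparison; a link that just reads “click here” is judged on its destination alone, which is why the bare-IP rule is there. A production filter would replace the two-label domain approximation with a public-suffix list and would also resolve URL shorteners before comparing.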

Cyveillance sees phishing attacks against ISPs on the rise

Thursday, June 4th, 2009

During the past couple of weeks Cyveillance has noticed an increase in the amount of phishing activity targeting Internet Service Providers (ISPs). While credentials stolen in the ISP-targeted attacks do not offer much direct financial gain for the phishers, they do offer a wealth of user information that can be leveraged in other phishing or spear phishing attacks.

Commonly, phishers will utilize information obtained from non-financial attacks such as ISPs to launch other social engineering attacks. For example, information such as the potential victim’s email address, telephone number, physical address and other information can be obtained from a compromised ISP account. The phisher will incorporate this data in a direct email or phone call to the potential victim in order to establish credibility. Once the credibility has been established, the likelihood for the victim to divulge sensitive information increases substantially.