Category: Phishing

Cyveillance Releases Cyber Intelligence Report for 1st of 2010

October 11th, 2010

For more information or to download the report, please visit this press release.

Dealing with the Challenges of Social Media in the Workplace

June 8th, 2010

A story by The Plain Dealer posted on www.cleveland.com last week sheds light on the numerous issues associated with social media and the workplace. Providing real-life examples of problems experienced by companies such as Petland and Nestle, the story gives an excellent overview of many of the decisions that need to be made in the implementation of a company-wide social media strategy.

Companies can take proactive steps to strengthen their security posture and minimize potential damage from problems that arise in the social media environment. The first step is to gain a solid understanding of both the authorized social media users within the company and the far larger number of unauthorized ones. Next, companies should have a formal education and training plan in place that meets the needs of all sides of the business. Further, documented social networking policies, ongoing monitoring and a strong organizational feedback structure are essential. For more information, see The Impact of Social Media on Corporate Security: What Every Company Needs to Know, published by Cyveillance in Spring 2010.

Are AV Reviews Providing a False Sense of Security?

April 9th, 2010

PC World recently reviewed Norton Internet Security 2010 praising the tool as “one of the top performers in detecting and cleaning up active malware infections on a PC.” While it is important to recognize the inherent need for anti-virus (AV) security tools, reports like these published by PC World may in fact be a disservice to consumers and businesses by creating a false sense of security for those using these tools.

PC World stated that Norton “found all bad software, disabled 93 percent of it and removed all traces of two-thirds of the software—the best score of any product [they] tested.” While these may have been the best scores that they saw, according to the report, their lab environment included only known signatures, thus not representing the “real” Internet where zero-day threats and malware with unknown signatures appear in abundance every day.

Since the testing of the top AV products was conducted against known signatures, anything less than a 100% detection rate should be unacceptable. As illustrated in the graph below, we have found that even the most popular AV solutions detect less than half of the latest malware threats:

Furthermore, after at least a week from the release of a new malware threat, AV companies still only have about a 50% chance of protecting against the threat – strengthening the argument for a comprehensive proactive security approach. More information regarding our testing can be found in the Cyveillance Intelligence Report.

We strongly encourage vigilant testing of security products, but the methods should be based on realistic online environments, provide insight into the realities of what AV solutions can do, and report an accurate level of security for those using the products.

Blippy, a Spear Phisher’s Dream

January 22nd, 2010

This month, a service called Blippy was rolled out to the general public. In a CNN article this week, Blippy was described as a “financial version of twitter.com”, where users’ credit card transactions are posted to the internet much like the short tweets that people post to twitter. On twitter, users post up to 140 characters on any topic they wish to discuss. On Blippy, a posting displays how much a person paid for a recent purchase. In the image below for example, we see that Jason Calacanis of Mahalo paid $112.64 at Amazon for a SanDisk 16GB 60MB/s Extreme Compact Flash Card.


Example of a Blippy transaction. Click the image to see a larger version or see the original here.

CNN reporter John D. Sutter asks Blippy cofounder Philip Kaplan whether there are any dangers in posting this sort of information:

CNN: Is there any potential that this would expose someone to an attack on their financial information, or that it could be used against them?

Kaplan: I don’t — we’ve all been taught that this is just something you don’t do. As an aside, when I was a kid, we weren’t allowed to tell anybody we were going out of town, and we had timers in the house that would turn the lights on and off so it would look like we were home. But now you tweet when you’re at dinner. … You put your whole schedule on Facebook so people can like plan their robberies ahead of time. And I think the pros far outweigh the cons in that scenario. … I think the risks in actuality are very small. Similarly, I think we have this engrained thing that we’re taught, which is to not share this [financial] information, and we don’t really know why.

That’s not the right answer to the question. Information found in Blippy postings (“blips”?) can be used against the users who post them. Let’s go back to the example in the image above.

We find:

  • a user’s name
  • the name of a business with whom they had a financial transaction
  • how much they spent
  • for certain retailers, what they bought

Great. Now let’s examine what is presented to someone when they receive an email in a traditional phishing attack, which we know to be a very profitable endeavor for bad guys. (A recent study by Cyveillance found that average attacks can cost millions of dollars in losses). It really comes down to two things:

  • The email is made to look like it comes from one’s bank or other business institution.
  • A call to action, where the recipient is asked to follow a link to a website online.

Spear phishing takes things a step further by personalizing the email sent to the potential victim. The attack may address the victim by name or phone number (see example), lending credibility to the attack and greatly increasing the likelihood that the recipient becomes a victim.

From a cyber criminal’s point of view, Blippy currently offers great information to construct a highly targeted spear phishing attack. After examining the types of purchases Blippy shows for Best Buy, consider the spear phishing attack one could construct for a hypothetical Blippy user named Johann Gonzales:

Dear Johann Gonzales,

Thank you for your recent purchase of $52.99 at Best Buy. To receive credit for your purchase in our Best Buy Reward Zone program and receive valuable discounts on future purchases, click here

Putting together such an email would require software to “scrape” information from Blippy that it would then use to send to an array of likely email addresses for Johann Gonzales, like jgonzales@gmail.com, jgonzales@hotmail.com, johanngonzales@gmail.com, johanngonzales@hotmail.com, and so on. Given that software needed to carry out such an attack is freely available online, it must be assumed that cyber criminals are preparing such an attack on Blippy users. Even if they are not yet preparing, for the sake of Blippy’s users, Blippy must plan ahead as if they are.

Conclusion

Currently banks reimburse users when they become victims of phishing attacks, but the financial industry often wonders at what point it becomes the victim’s responsibility for losses incurred during phishing attacks. The information that Blippy users currently provide to would-be cyber criminals gives businesses more leverage to say that they will not reimburse losses incurred in spear phishing attacks. After all, if the Blippy user practically hands the bad guys all the information they need to carry out an attack, how is it the bank’s fault?

Blippy does hold promise as a way for consumers to gain information about the prices of goods and services. But it also currently provides a literal wealth of information for spear phishers. Luckily, Blippy can take the simple measure of hiding usernames or otherwise obscuring any link between postings and users’ real names.


As always, if you think you have received a phishing email, please send it to:

reportphishing@cyveillance.com

Report Phishing Attacks

January 15th, 2010

If you think you have received a phishing email, please send it to:

reportphishing@cyveillance.com

Cyveillance will analyze the suspected phishing attack and take the necessary action to minimize the number of victims of the attack.

Background: What Are Phishing Attacks?

Phishing is a method online criminals use to try to gain access to the username and password you use for important online activities like banking and paying bills. The attackers will send an email that looks like it comes from places like your bank or financial institution. The email can look very real, and will provide a link for you to access your account online.

Unfortunately when you log in to your account using the link in that email (don’t!), you will have provided your username and password to criminals who will then use it to access your account and likely remove funds from your account.

Some types of companies that cyber criminals commonly try to impersonate to gain access to your account information:

  • Banks
  • Credit unions
  • Online payment services like Paypal
  • Hosting companies (see example)
  • Software vendors (see example)
  • Utilities, like your gas, electric, or internet service provider (ISP)

Further Reading

For a detailed analysis of the economics behind phishing attacks, please see Cost of Phishing: Understanding the True Cost Dynamics Behind Phishing Attacks.

Charitable Phishing Scams Grow Significantly During the Holiday Season

December 15th, 2009

Cyveillance advises consumers to exercise caution when making online charitable contributions. See the full announcement here.

Hosting Companies Targeted in Recent Phishing Attacks

December 4th, 2009

Earlier today, Cyveillance detected attacks targeting Web hosting companies and their customers. As part of one of the attacks, the email below is sent to users:

hosting-phish-email

As you can see, the email asks the user to “confirm your FTP details”. The user is instructed to click on the link in the email that routes him or her to the fake administrator’s Website below:

hosting-phish

On the fake Website, the user is asked to provide login credentials. If the credentials are entered, then the user would basically hand over access to every Website controlled by that specific login. Users can avoid falling victim to this attack by never clicking on the link within the emails and only accessing online applications directly through known Web sites and pages.

New York Times Gets It Wrong: Phishing Does Hurt Us All

November 30th, 2009

The teaser appearing in the bottom corner of the New York Times print edition’s Sunday Business section looked promising: Phish foil. Digital Domain. The article’s title, Don’t Take This Bait (But You’re Safe If You Do), suggested there would be more coverage of phishing, a generic name for attempts by online criminals to gain internet users’ login credentials to online banking services by presenting them with fake login pages. Unfortunately, while Stross’ article did indeed discuss phishing and offered some tools internet users can use to keep their bank accounts safe online, the article’s main message completely misses the mark.

The article begins relaying a close encounter that FBI Director Robert S. Mueller III had with a phishing attack. Although Mueller reportedly did not fall victim to the attack, Mueller emphasizes the lengths criminals go to gain access to one’s bank funds through email-based phishing attacks. Unfortunately, the crux of the article boils down to this:

I’m not convinced, however, that online banking carries the high risk that Mr. Mueller implies. I know that as ordinary computer users, we are offered unlimited bait from phishers. But I’m not particularly worried: I’m not on the hook for losses from fraud — my bank is.

The article concludes emphasizing that banking customers need not worry about falling victim to phishing attacks because virtually all financial institutions offer full remuneration in cases where unauthorized individuals access and remove funds from an online account.

At a very narrow and superficial level this premise is true and provides some comfort to victims of an attack. However, the reality of this situation is that every time a phishing attack succeeds, it has very negative side effects for all who use online banking. Yes, the bank whose user fell prey to the phishing attack is on the hook for the stolen funds, but we have learned all too well in the past eighteen months that even the largest financial institutions do not have infinite resources. Banks do not simply create money to compensate the victims of phishing attacks – those reimbursements come from insurance policies or income the bank generates from fees levied on its customers. When the banks’ insurance premiums increase or overall costs rise – as they do when their customers get phished – the increases are passed onto consumers.

Further, many victims of successful phishing attacks who have had their money stolen probably would not agree that there is “zero liability” to online banking. The time lost while reporting the attack to their banking institutions is time without access to funds they count on to be there. While banks make an effort to minimize the time phishing victims go without their funds, the process is not immediate and the customers may be left without money needed for critical expenses like food and housing.

The New York Times is to be commended for raising general awareness about the dangers of phishing attacks. But minimizing the impact of phishing is a dangerous message that only helps online criminals.

A Dangerous Blend of Phishing Methods

October 15th, 2009

In recent phishing attacks targeting Cyveillance and numerous other organizations, cyber criminals are abusing outward-facing Microsoft Exchange mail servers to customize and personalize emails, spoofing internal email addresses as the senders. The spoofed messages are then sent to addresses of the organizations’ personnel and ask the recipients to click on a link in order to update their Microsoft Exchange settings. Once clicked, the link routes the user to a fake site that appears to be authentic. If the user then clicks the link to the executable file on the fake site, malware is downloaded to his or her computer. After the malware is downloaded and installed, the user’s computer becomes part of a larger botnet capable of a multitude of malicious acts.

Email screenshot:

spear phishing email

This attack type was originally reported by SANS earlier this week; the SANS report can be found at https://isc.sans.org/diary.html?storyid=7333. Since that report, the attack has become even more dangerous through the addition of fast flux. Fast flux is a technique in which the DNS records for the attack hostnames are rapidly re-pointed across a group of servers, so that the phishing infrastructure keeps moving and evades detection and takedown.
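Because fast flux shows up as unusual DNS behaviour (many distinct answers for one hostname, spread across unrelated networks, with short TTLs), a defender can score hostnames from DNS resolution logs. The following is an added example written for this page, not Cyveillance’s own tooling; the observation records are constructed, use RFC 5737 documentation addresses and reserved `.example` hostnames, and the thresholds (5 distinct IPs, 2 distinct /24 networks, TTL of 300 seconds or less within a 24-hour window) are illustrative assumptions rather than published detection rules.

```python
"""Score hostnames from DNS resolution records for fast-flux behaviour.

Added example; not Cyveillance code. Records and thresholds are constructed
for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of resolution observations:
# (UTC timestamp, hostname, A-record answer, TTL in seconds)
SAMPLE_OBSERVATIONS = [
    # Suspicious: answers rotate across many hosts in three different /24s, short TTL
    ("2009-10-15T10:00:00", "exchange-settings.example", "203.0.113.10", 180),
    ("2009-10-15T10:05:00", "exchange-settings.example", "198.51.100.22", 180),
    ("2009-10-15T10:10:00", "exchange-settings.example", "192.0.2.7", 180),
    ("2009-10-15T10:15:00", "exchange-settings.example", "203.0.113.44", 180),
    ("2009-10-15T10:20:00", "exchange-settings.example", "198.51.100.91", 180),
    ("2009-10-15T10:25:00", "exchange-settings.example", "192.0.2.130", 180),
    # Benign: one stable address, long TTL
    ("2009-10-15T10:00:00", "www.example", "192.0.2.1", 3600),
    ("2009-10-15T11:00:00", "www.example", "192.0.2.1", 3600),
    ("2009-10-15T12:00:00", "www.example", "192.0.2.1", 3600),
    # Benign CDN-style: a couple of addresses, same /24, long TTL
    ("2009-10-15T10:00:00", "cdn.example", "198.51.100.5", 1800),
    ("2009-10-15T10:30:00", "cdn.example", "198.51.100.6", 1800),
]


def network24(ip):
    """Return the /24 prefix of a dotted IPv4 address (e.g. '192.0.2.7' -> '192.0.2')."""
    return ".".join(ip.split(".")[:3])


def summarize(observations, window=timedelta(hours=24)):
    """Per hostname, count distinct answers and networks seen within `window`
    of that hostname's latest observation, and record the smallest TTL."""
    per_host = defaultdict(list)
    for ts, host, ip, ttl in observations:
        per_host[host].append((datetime.fromisoformat(ts), ip, ttl))

    summary = {}
    for host, records in per_host.items():
        records.sort()
        latest = records[-1][0]
        recent = [r for r in records if latest - r[0] <= window]
        summary[host] = {
            "observations": len(recent),
            "distinct_ips": len({r[1] for r in recent}),
            "distinct_networks": len({network24(r[1]) for r in recent}),
            "min_ttl": min(r[2] for r in recent),
        }
    return summary


def is_fast_flux_candidate(stats, min_ips=5, min_networks=2, max_ttl=300):
    """Illustrative rule (assumption, not a published standard): many distinct
    answers, spread over unrelated networks, with a short TTL."""
    return (
        stats["distinct_ips"] >= min_ips
        and stats["distinct_networks"] >= min_networks
        and stats["min_ttl"] <= max_ttl
    )


def flag_fast_flux(observations, **thresholds):
    """Return the sorted list of hostnames meeting the fast-flux rule."""
    return sorted(
        host
        for host, stats in summarize(observations).items()
        if is_fast_flux_candidate(stats, **thresholds)
    )


if __name__ == "__main__":
    for host, stats in sorted(summarize(SAMPLE_OBSERVATIONS).items()):
        print(host, stats)
    print("fast-flux candidates:", flag_fast_flux(SAMPLE_OBSERVATIONS))
```

Requiring both IP churn and network spread keeps ordinary round-robin or CDN hostnames (several addresses in one provider’s block, long TTLs) from being flagged; in practice the thresholds would be tuned against a baseline of the organization’s own resolver logs.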

The malware used in the attack is a Trojan-Spy virus. More information about sample… It is detected by only 4 of the top 41 anti-virus vendors according to VirusTotal.

It appears on the surface that the goal of the attacks is to increase the computing power of botnets by increasing the number of bots that belong to the network. Given the numerous organizations targeted and the methods used, this approach clearly demonstrates the sophistication of modern phishers and their ability to amplify the potential danger of attacks targeted at specific victims. By mixing phishing methods in this more creative way, phishers increase the likelihood that their emails will successfully reach their intended recipients. Users can minimize the potential for falling victim to these types of attacks by never clicking on links within emails and only accessing their online applications through known Web sites and pages.

Cyveillance Testing Finds Leading AV Vendors Not Keeping Pace with Influx of Malware and Phishing Attacks

August 18th, 2009

Antivirus and Anti-Phishing Tools Provide Inadequate Detection of Cyber Attacks During Critical First 24-Hour Period

In addition to the AV, Web browser anti-phishing and consumer protection application testing, other key findings in the report include:

  • Cyveillance tracked an online “fraud chain” which included malware components that store and serve malware executables, distribute malware to consumers and receive and store confidential information collected from infected computers.
    • The United States and China continue to host the majority of malware executables representing 33 percent and 21 percent of attacks, respectively, which make up over half of the malware found during the first half of this year.
  • During the first half of 2009, there was an average of over 23,000 unique phishing attacks per month, which makes phishing still one of the top threats on the Internet.
  • Popular consumer applications used for detecting phishing attacks do not provide adequate protection. Initially, Symantec’s Norton SafeWeb only blocked/warned against 4.4 percent of phishing attacks and increased to only 5 percent after the first 24-hour period.
  • During the first half of 2009, 200 unique brands were first-time targets of phishing attacks, which represents a 26 percent increase over new brands phished in the second half of 2008.

View the report: http://www.cyveillance.com/web/forms/request.asp?getFile=115