May 30, 2007
Phishing Targets High Level Executives
In a new wave of phishing attacks, companies have been receiving spam disguised to look like it’s coming from the Better Business Bureau. According to eWeek, for the scam to work, the user must click on the link embedded in the email (which we all know better not to do, right?).
Once activated, the Trojan steals all data the victim's browser sends to other sites, including data sent to SSL (Secure Sockets Layer) web sites. This is possible because the BHO (browser helper object) it installs intercepts the data inside the browser, before it is encrypted. Only Internet Explorer loads BHOs, so other browsers are immune to this attack.
Experts have speculated that the attack succeeded because it was used selectively. Had it been spammed to the masses, spam filters would have picked up on it sooner, and it would have attracted press coverage that made more people aware of it.
SecureWorks, a managed security services provider out of Atlanta, uncovered a cache of stolen data from the scam that included bank and credit card numbers from 1,400 high-level executives. "Getting data from SSL streams is not all that new, actually—I hope people aren't under the impression that SSL encryption has been protecting them from malware stealing their data—SSL only provides privacy for the traffic out on the network," Joe Stewart, a senior analyst at SecureWorks, said. "Once someone manages to get their malware onto your system, they can pretty much see any data you are working with if they want to badly enough."
Tags: Phishing, BBB, Better Business Bureau, SSL
Posted by pschooff in Phishing
January 31, 2007
Major Shift -- More Phishing than Virus Emails
In a marked shift from just a year ago, security experts have noted that for the first time ever, there have been more phishing emails detected than emails infected with viruses. According to MessageLabs, in January 2007, 1 in 93 emails (1.07%) was some sort of phishing attempt, while only 1 in 120 emails (0.83%) was found to be infected by a virus.
Part of this is explained by the nature of the new viruses, which are much more targeted. As I’ve blogged here before, cybercriminals who launch virus attacks no longer rely on huge, indiscriminate mass attacks in an attempt to infect every computer in the country. This is mainly because that type of attack can be quickly quelled using blacklisting and content analysis, and because the longer a new virus goes undetected and unreported, the more profitable it is to the hackers.
Mark Sunner, chief technology officer at MessageLabs, said: "If you look at infected email traffic for January, it's very spiky. With Storm Worm there are clear spikes, then drops down to normal levels. It's as though someone is turning on the tap briefly, then letting it abate."
At the same time, phishing has become much more sophisticated, with man-in-the-middle attacks, though still rare, increasing. In one such attack, a user is tricked into clicking on a link and lands on a fake portal hosted on a compromised machine; any information entered, such as bank details and codes, is relayed through the compromised machine to the real bank site. Once the user has authenticated to the real system through the compromised relay, the hackers kill the user's connection through the relay and take over the session.
This works because phishing attacks have become much more personalized and much more believable (including phishing emails that impersonate the banks the victims actually use, rather than random phishing spam). Also, more phishing sites are using Flash content rather than HTML to avoid the anti-phishing technology deployed in web browsers.
Finally, another reason for this shift is that malware has moved in the direction of web-based attacks, which means the amount of malware remains constant; users are just more likely to pick it up while surfing the web than by opening an email attachment.
Tags: Phishing, blacklisting, cybercriminals
Posted by pschooff in Phishing
January 24, 2007
PhishTank Seeks Bigger Tank
I blogged on here several months ago about PhishTank and its efforts to combat phishing. As the site relies on users, who both contribute potential phishing sites and then vote on their legitimacy, the more people actively engaged in PhishTank's fight the better. And as phishing is a threat to almost all legitimate types of business on the internet, people should really get involved. To join the fight, just click here.
Also, PhishTank recently made a call to developers for ideas to improve the site. David Ulevitch, CEO of OpenDNS and the founder of PhishTank, said, "I want PhishTank to be the best site it can be." According to Dark Reading, PhishTank has grown from around 2,400 active members in its first month to more than 10,000 after three months. PhishTank says it has uncovered more than 35,000 phishes to this point, so who can say how many people it has saved from getting ripped off.
The only problem is that PhishTank ultimately still relies on blacklisting to be effective, and the recent explosion of botnets has pretty much rendered blacklisting ineffective. But this could be offset if anti-spam efforts continue along the content analysis route, where PhishTank could certainly help on the content side by providing proven phishing emails.
But the time has clearly come to upgrade PhishTank. As the site relies on user input, the easier it is to use, the greater the participation will be (PhishTank is actually fairly easy to use, but some have called for an easier verification process). Says Ulevitch, "I'm looking for fresh perspectives, so we're bringing in outside folks that might bring in fresh energy and ideas." I say the less phishing there is, the better it is for everyone.
Tags: Phishing, Combat Phishing, blacklisting
Posted by pschooff in Phishing
January 04, 2007
Frightening New "Man-in-the-Middle" Phishing Scam
A frightening new type of phishing fraud, described recently by Brian Krebs, is being called the “Man-in-the-Middle” scam.
In this instance, an email that looked like it was from Amazon arrived in an inbox and warned of unauthorized activity on the recipient's account. When the recipient clicks the embedded link, the browser merely passes through a secondary, man-in-the-middle proxy site and then proceeds directly to Amazon’s actual site. This type of scam is actually easier to create than the old type of phishing scam because the scammer has no need to build a duplicate site. Functioning as a proxy, which is like having someone standing behind you and staring over your shoulder, the phisher is able to steal whatever data the user is conned into typing in.
While this scam does have its weaknesses, in that there is no attempt to disguise the proxy's address as Amazon’s real one in the browser's address bar, its ease of creation and believability means we will be seeing much more of it.
As I wrote in an earlier blog post, the simple fact is that any true security solution in the future has to perfect real-time client and server authentication. Once we get that, and it's infallible, I simply cannot conceive how phishing could continue to thrive.
Tags: Man-in-the-Middle Phishing, Client Authentication
Posted by pschooff in Phishing
December 13, 2006
Botnets Now Used in Massive Phish-net
I hate to report how the bad guys are improving their methodology without immediately offering a remedy from the good guys, but this seems to be one of those cases. As always in dealing with phishing, never, ever reply to unsolicited email from even the most seemingly legitimate source. If you feel you might be having account troubles at your bank, with eBay, with Paypal, or whatever the site, simply log onto those sites directly.
In a report quoted on Brian Krebs’ Security Fix, the Anti-Phishing Working Group found that 52 percent more phishing sites were discovered this past October than in September of this year, bringing the total to 37,444. As if I even needed to tell you, that is the highest on record and 9 times the number recorded in October a year ago.
Experts peg this near-exponential growth on a new phishing method called “Rockphish.” Just as botnets arose to circumvent spam blacklists (blacklists stopped spam by denying its point of origin, but how do you deny thousands of different points of origin that are changing all the time?), Rockphish circumvents the current anti-phishing tools, which are based on authenticating official web pages and shutting down those deemed illegitimate.
But as Krebs states, “In Rockphish attacks, multiple phishing scams targeting different banks are placed on the same Web server. Each individual scam page is assigned to an Internet subdomain that for a short time is tied to an Internet address of a compromised computer that the phishers control. When a would-be victim clicks on a link in a Rockphish scam, they are routed through the drone PC to the correct scam page.”
One phish-fighter stated that a single Rockphish attack generated 2,000 unique phishing Web addresses in two days. This allows them to rapidly change addresses of phishing sites, and represents a serious blow to the efficacy of the current phish-fighting tools.
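Detection logic for the Rockphish pattern Krebs describes, as an added example that is not part of the original post: it runs over a few constructed passive-DNS style log lines and flags a domain whose many short-lived subdomains resolve to many different addresses with short TTLs. Domain names, addresses and thresholds are made up for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed passive-DNS style log lines (names and addresses are made up):
# "<unix time> <fqdn> <record type> <address> ttl=<seconds>".
SAMPLE_LOG = """\
1165000000 bank1.example-rock.test A 203.0.113.10 ttl=300
1165000060 bank2.example-rock.test A 198.51.100.22 ttl=300
1165000120 bank3.example-rock.test A 192.0.2.77 ttl=300
1165000180 bank1.example-rock.test A 198.51.100.99 ttl=300
1165000240 bank4.example-rock.test A 203.0.113.45 ttl=300
1165000300 bank5.example-rock.test A 192.0.2.8 ttl=300
1165000000 www.example-shop.test A 203.0.113.200 ttl=86400
1165000060 mail.example-shop.test A 203.0.113.201 ttl=86400
1165000120 www.example-shop.test A 203.0.113.200 ttl=86400
"""

@dataclass
class DomainStats:
    subdomains: set = field(default_factory=set)  # distinct FQDNs seen
    ips: set = field(default_factory=set)         # distinct addresses seen
    min_ttl: int = 10**9                          # shortest TTL observed

def parse_line(line):
    """Return (fqdn, ip, ttl) for an A-record line, None for anything else."""
    f = line.split()
    if len(f) != 5 or f[2] != "A" or not f[4].startswith("ttl="):
        return None
    return f[1].lower().rstrip("."), f[3], int(f[4][4:])

def registrable_domain(fqdn):
    # Naive: last two labels. A real deployment would consult the Public
    # Suffix List so that e.g. "co.uk" is not treated as a registrable domain.
    return ".".join(fqdn.split(".")[-2:])

def collect_stats(log_text):
    """Aggregate subdomain and address spread per registrable domain."""
    stats = defaultdict(DomainStats)
    for parsed in filter(None, map(parse_line, log_text.splitlines())):
        fqdn, ip, ttl = parsed
        d = stats[registrable_domain(fqdn)]
        d.subdomains.add(fqdn)
        d.ips.add(ip)
        d.min_ttl = min(d.min_ttl, ttl)
    return stats

def flag_rockphish(stats, min_subdomains=4, min_ips=4, max_ttl=3600):
    """Domains whose subdomain churn, address spread and short TTLs together
    resemble the Rockphish pattern. Thresholds are illustrative, not tuned."""
    return {
        domain: (len(s.subdomains), len(s.ips), s.min_ttl)
        for domain, s in stats.items()
        if len(s.subdomains) >= min_subdomains
        and len(s.ips) >= min_ips and s.min_ttl <= max_ttl
    }
```

Running `flag_rockphish(collect_stats(SAMPLE_LOG))` flags only example-rock.test; the ordinary site with two stable hosts and day-long TTLs is left alone.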
Tags: Phishing, Rockphish
Posted by pschooff in Phishing
November 28, 2006
Microsoft Fights Phishing in Court
Using the argument that phishing is damaging Microsoft’s image, the company has started fighting phishing in court. A report at Ars Technica says that Microsoft has filed 129 lawsuits against phishers across Europe and the Middle East.
As most of the defendants in these suits are young, mostly teenagers, Microsoft has proved willing to settle for payments of between 1,000 and 2,000 euros (and I bet it keeps pretty close tabs on them thereafter). But a recent criminal suit involving phishing did send a Turkish man to prison for two and a half years. Other criminal suits have been filed in Germany, France and Britain.
This represents a new front in Microsoft's attack on phishing, which so far has mostly centered on improving the Internet Explorer phishing filter (which some have declared all but useless in stopping phishing). The first lawsuit against phishing was filed by the FTC in January of 2004 against a California teen. The teen was banned from sending spam for life and fined $3,500.
Tags: Microsoft, Phishing
Posted by pschooff in Microsoft • Phishing
November 08, 2006
New Phish Finder
Today I came across an article at Security Fix that seems to me the most common-sense approach to countering what is quickly becoming one of the most malicious threats on the internet: phishing. A phishing site is a counterfeit website that tries to pass itself off as a well-known, legitimate site, usually to get access to your financial or credit card data. I actually almost fell for the scam once myself.
Where old solutions tried to track known phishers and their scams, this new approach goes to the very root of the problem: what about a browser that simply tells you whether the site you are at is who it says it is?
The new solution, originated by the CA/Browser Forum, involves the companies that sell and verify security certificates. Any company today can purchase an SSL (secure sockets layer) certificate, which is meant to show that the website you are at takes its security seriously. But while clicking on the padlock icon the browser shows for SSL-certified sites gives you information about the site you are at, most users simply don't know to do it, and many certificates are hard to make sense of. Also, SSL certificates can now be easily acquired by anyone, and the site-legitimizing process is largely automated and therefore easy to fool.
The CA/Browser Forum intends to create a “supercert” known as an “extended validation” SSL certificate, or EVSSL. EVSSL certificates would cost more money, but would also be more rigorously verified. And by working with the different internet browsers, the forum could develop a standardized and easy-to-see method of site identity verification.
You ask me, I say get it done yesterday.
Tags: Phishing, SSL
Posted by pschooff in Better Protection • Phishing
November 06, 2006
The 10 Commandments of Computer Security
This list comes from CNN Money.
1. Patch early and often. With zero day attacks growing along with the number of patches being issued, test and install security patches ASAP.
2. Enforce password policies. While it’s well established that passwords should mix letters and numbers, uppercase as well as lowercase, do not let the desire for perfect passwords get in the way of good security – as the more employees are required to change their passwords, the more they are apt to write them on Post-Its.
3. Mind your VPN. Telecommuters can pick up nasty viruses and malware that can then migrate to the corporate network, so limit virtual private network access to company-issued laptops configured to your security policies.
4. Watch your wireless. Securing Wi-Fi is only the beginning. The newest trick is the “evil twin” attack, which creates a similarly named fake wireless network in the hopes that an employee will log on and not notice the discrepancy, thereby revealing user name and password.
5. Only make promises you can keep. When the FTC investigates a company, it’s usually because the company exaggerated their claims, as in falsely claiming that customer data is only stored in encrypted form. Therefore, make sure you walk the talk.
6. Hack yourself. Hire an outside auditor to breach your network just to get a hacker’s-eye view of your weaknesses.
7. Sequester sensitive data. Treat customer credit card and Social Security data as top secret and keep it on compartmentalized servers and limit accessibility.
8. Encrypt it. Use strong cryptography to protect sensitive data. An encrypted database left on a city street is more secure than an unencrypted one hidden in a bank vault.
9. Collect only what you need. Delete what you don’t. More than a few companies have been embarrassed after being successfully hacked for credit card numbers years past the actual transactions. Evaluate the inherent risk, and not the potential value, of the data you collect.
10. Phear phishers. Phishing has become so profitable it is no longer just a problem for Fortune 500 companies. Set up a responsive e-mail contact for customers who’ve received messages pretending to come from you, issue website warnings about fresh attacks, and train customers not to click e-mailed login links - by not sending any yourself.
Tags: Computer Security, Phishing, Patches
Posted by pschooff in Better Protection • Hackers • Phishing
October 04, 2006
New Phishing Fighter
A new anti-phishing site, PhishTank, a service from OpenDNS, is determined to put an end to phishing: emails that impersonate legitimate messages from customer-service, financial or ecommerce sites but were actually created to scam you out of your password or financial information. PhishTank plans to accomplish this by creating a database of suspicious emails and then having users vote on their legitimacy.
While many of the digerati think this just might be the trick to fight phishing, others are not so sure. The Browser doubts that this will motivate typical email users, who are already busy answering email and fighting spam, to take time out of their day to report on and grade suspect emails.
Some believe that for PhishTank to be successful, it needs to collaborate with large email providers, who already have more than their share of phishing samples. Because phishing remains a fact of life, what follows are tips to avoid ending up phish food:
1. If you get an email or pop-up message asking for personal or financial information and you have any question regarding its legitimacy, call or contact the company directly via the phone or by going to the company's verified website (do not click on the link enclosed in the phishing email and assume that it will take you to the company's actual website).
2. Always use anti-virus software and a firewall, and keep them up to date, as some phishing emails contain software that is harmful to your computer.
3. Never email personal or financial information. If you are looking to complete an internet transaction, go directly to the company's secure website.
4. Closely review credit card and bank account statements as soon as you get them.
5. Be cautious about opening any attachment or downloading any files from any emails you receive, regardless of who sent them.
6. Forward spam that you suspect is phishing to spam@use.gov and to the company, bank, or organization impersonated in the phishing email.
7. If you believe you have been scammed, file a complaint with the Federal Trade Commission.
Tags: PhishTank, Phishing
Posted by pschooff in Phishing