Phishing
BankInfoSecurity.com - Banking Information Security News, Regulations, & Education  



 Credit Unions, Smaller Institutions Now Phishing Targets


EBay and PayPal are no longer the primary targets of phishing emails; the phishers have cast their lures at customers of smaller businesses, including credit unions and other institutions, according to security vendor Sophos.





 Anti-Whaler's Guide

Some common sense pointers to remind your customers and your senior executives in danger of "whaling" include:




 The Dangers of 'Whaling'

New ID Theft Scam Targets the Really Big Fish

Phishers are now setting their hooks on high-income individuals, and the term that information security researchers are using is “Whaling” -- or spear-phishing that really big fish.




 How to Boot Cybersquatters

The Solution: Protect Your Brand Name and All Variations

Banks and credit union customers are at risk of falling victim to the classic-and-growing Internet scam known as cybersquatting.

Cybersquatters are entities that create Web addresses remarkably similar to addresses for well-known companies, institutions or products. For example, known cybersquatting Web sites include dellcomputersystem.com instead of dell.com, and samslcub.com instead of the correctly spelled samsclub.com, or vvachovia.com instead of Wachovia.com.





 Internet Threat Update

Bad Guys Getting Better, Aiming Higher
Information Security Media Group took the opportunity to talk with Dean Turner, Director, Symantec Global Intelligence Network, about Symantec’s latest Internet Security Threat Report. He shared some of his insights on the most important changes in the threats being seen on the Internet, and the focused threats that are specifically targeting the financial services industry and its customers.




 Some Electronic Greeting Cards Contain More Than a Greeting

While many computer users have sent them in the past, the future of E-cards (or electronic greeting cards) may be dimmed because of the recent use of them in scams targeting consumers. Financial institutions need to educate their employees and customers more about the dangers of opening electronic greeting cards.

E-cards grew to be a popular, easy and cheap (sometimes free) way to send immediate messages to family, friends and co-workers. There are many companies out there offering this service; my Internet Service Provider even offers them in its service. You can add audio, video or animations to a message.




 'State of the Net'™ Report Shows Cybercrime Costs US Consumers $7 Billion

With identity theft topping the Federal Trade Commission's list of US consumer complaints, the release of a new report issued by a leading consumer advocacy group that puts a price tag of more than $7 billion on the cost of cybercrime to US consumers is not a surprise to many familiar with the identity theft threat.

The FTC's numbers show that for the seventh year in a row, identity theft tops the list of complaints that consumers filed with the Federal Trade Commission, accounting for 36 percent of the 674,354 complaints received from Jan. 1 to Dec. 31, 2006. According to the Better Business Bureau, identity theft affects an estimated 10 million U.S. victims per year.

A recent survey completed by Consumer Reports projects U.S. consumers have lost more than $7 billion during the last two years to viruses, spyware and phishing schemes.




 Educating Your Customers on Phishing

It’s often said that the biggest problem with information security is the space that is filled between the chair and the keyboard. While many of us in information security at financial institutions will shake our heads in agreement with that statement, the need for education of our customers is a pressing issue.




 Smaller Institutions and Phishing: Don’t Be Complacent

When it comes to phishing, the smaller institutions out there that aren’t prepared for a phishing attack to hit their brands are playing “Russian Roulette” with their brand and reputation, says one leading security solutions firm.

“Smaller institutions should not be complacent. Brand and reputation are on the line when a phishing attack occurs,” said Marc Gaffan, director of marketing with RSA’s consumer solutions group. “Large banks when they get hit with phishing, get the national headlines. But when small banks and credit unions are hit, they will appear in local paper or radio and TV.




 Summer of Spam – Less Image, More PDF Spam

The summer of spam continues with an influx of PDF spam coming into users’ inboxes. According to Symantec’s “July State of Spam” report, image spam continues its decline, and replacing it is spam with a new flavor of attachments, including PDFs with “word salad” or nonsense words strung together to fool email and spam filters.

“When opened, the PDF file is an ad or some other spam message. The PDF attachments result in messages that are very large in size. We have been monitoring this throughout the past month, but it has really heated up in the past week. So far, we have observed over 25 million messages that were categorized as PDF spam,” said Symantec researchers in the report.

The Symantec researchers said they also have seen a few different variants of this type of spam.




 FTC Versus Spam: Tackling a Growing Problem

The Federal Trade Commission’s second summit on Spam in the last four years addressed the growing problem of unsolicited emails that is creating costs for businesses and consumers alike.

FTC Chairman Deborah Platt Majoras addressed the summit held July 11-12 in Washington, D.C. “The volume of spam reported by email filtering companies is rising.” She added that botnets – networks of hijacked personal computers that spammers use to conceal their identities – have become the preferred method for sending spam.




 At Mid Year Mark: Phishing on the Rise, Bots Slowing

Research from McAfee’s Avert Labs shows threats including phishing web sites are on the rise, as expected. But other pests such as remote-controlled bots show unpredicted signs of decrease.




 Financial Institutions Warned New Fast Phishing Kit Found

With the recently discovered “plug and play” phishing kit, a relatively “non-technical” person with the right information could launch a phishing attack against any financial institution.




 'Fear, Greed, Lust' Drive Mind Games Used To 'Scam' Internet Users

A new study details the psychological games and other tactics cyber criminals use in social engineering scams propagated through junk email. In a recently released study titled "Mind Games," Dr. James Blascovich, Professor of Psychology at the University of California,




 The Fight Against Online Fraudsters

For financial institutions, stopping fraud and stemming phishing and crimeware from infecting their customers’ computers is a continuous battle.




 Online Attacks Increase at Financial Institutions

It’s going to be a long hot summer for many U.S. financial institutions when it comes to online attacks. The RSA’s Anti-Fraud Command Center issued its monthly online fraud intelligence report for May, and the statistics show that attacks on U.S. nationwide banks account for 33 percent of all attacks on US financial institutions – that’s more than double since April.




 Phishing Incident Response Plan Is Not Optional

A phishing incident response plan for financial institutions isn’t written just for good business practice; it’s also a regulatory requirement.

While it is a challenge to put together an incident response plan that meets your regulator’s minimum requirements, you also want to have a well thought out plan that can handle security incidents that may hurt your institution and its customers.

So where do you want to start? The FFIEC’s Information Security Booklet is the basis for much of the incident response requirements that federal




 Phishing -- Can it happen at your institution?

Phishing -- It’s not a matter of if it will occur at your institution -- expect phishing to happen at your institution. Phishers are not dumb. They head toward where the money is – in the customer accounts at banks and credit unions.

So what does a typical attack look like? First, they swoop in, throw up an attack against the bank’s online site with a botnet to force it offline (a Distributed Denial of Service attack is one method used), and then they send out the phishing lines to thousands of unsuspecting internet users, most of whom aren’t even customers at the bank. The average phishing web site is only up a matter of days, netting the phishers the money they then transfer out of bank accounts here at U.S. banks into overseas accounts. By the time law enforcement catches up to the overseas accounts, they’re long gone, with only a trail of IP addresses to follow.




 Developing An Incident Response Program: Moving Beyond the Basics

Given the high cost of containing information security breaches, financial institutions have invested lots of time and money into developing incident response programs. But how do they know if their program is working properly?




 Financial Institutions: Build on Your Customer’s Education on Identity Theft

The best offense is a good defense, is the adage. For financial institutions, part of the defense to protect your customers from becoming victims of identity theft is educating them.




 BankInfoSecurity.com Interview with Aaron Emigh

Overview:
• Latest news on the crimeware and phishing fronts
• Why average users can’t always sniff out those phishy emails
• Other cybercrime that financial institutions should be worried about
• Strong authentication - is it helping? What needs to be done further


Aaron Emigh is a well-known expert in information security. He is the author of the U.S. Secret Service San Francisco Electronic Crimes Task Force Report on anti-phishing technology, as well as the reports on online identity theft countermeasures and crimeware from the U.S. Department of Homeland Security.




 Phishers Becoming More Audacious In Approach

Financial institutions need to realize cyber criminals who target internet users with phishing attempts aren’t going away anytime soon, says information security expert Aaron Emigh. “They’re moving away from the purely deception based attacks (simple emails in your inbox with links that the phishers want you to click on saying they’re your bank) to more insidious, sophisticated crimeware attack vectors where users’ online identities are stolen, then transactions made with the compromised account information through several ways including DNS hijacking, and other methods.” Their target is still your customer’s money, account numbers, or credit card numbers, he explained.




 Complacency and Information Security Don't Mix: Interview with Wyatt Starnes

LINDA MCGLASSON: Are we in information security becoming too complacent? I mean, we have a lot of zero-day threats, hundred thousand node botnet sending us virus threats and all things like that, and those of us in information security, you know, look at the situation and think that this is normal operation procedure, are we too complacent?

WYATT STARNES: I think we are too complacent, and I actually think we’ve been overly, sort of, complacent and self-secure, self-assured for actually quite some time. When you kind of zoom back and look at some of the physical threats in our world, specifically, the tragic events of September 11th, 2001, where we found we were dramatically exposed to physical harm within our own boundaries, I think in the cyber-security world, we haven’t really seen our September 11th, 2001 yet. We are exposed. We continue to be exposed, and information technology is prospectively an important new attack vector for us in our industry and in our economy, and frankly, in our political system as well.




 Commentary: 419 Scam Hit US House Of Representatives

The alert from OCC about a 419 scam appearing to come from the US House of Representatives’ Financial Services Committee isn’t something new -- this type of scam is just a new twist to something that has been around for many years.

As long as there are people who believe they can get something from little or nothing without a great deal of effort, the 419 scams will continue to wreak havoc on the American public. As financial institutions, we must help educate those who could fall under the 419 spell of easy money.




 Why Phishing Works – Lessons for Financial Institutions

Would your customers recognize and detect a well-designed phishing site that was targeting them? The unfortunate answer is probably not. Phishing websites designed with high credibility fooled a high percentage of participants in a recent study. “Why Phishing Works,” a white paper authored by researchers from Harvard and UC Berkeley, illuminates the problems of deterring phishing that all financial institutions face.

Download the report now: http://www.bankinfosecurity.com/whitepapers.php?wp_id=97




 Router Default Passwords Prone To “Drive By Pharming”

Authors of a proof of concept paper called "Drive By Pharming" say that by viewing a malicious web page users can set off changes in a broadband router or wireless access point, making the computer connected to it susceptible to attack.

The paper, authored by researchers Zulfikar Ramzan, from Symantec, and Markus Jakobsson and Sid Stamm of the Indiana University School of Informatics, shows the dangers of not changing a default password in this important part of connecting to the Internet.




 BankInfoSecurity.com Interviews Markus Jakobsson

Dr. Jakobsson is also Associate Director of the Center of Applied Cybersecurity Research, and the founder of RavenWhite, Inc. He is the inventor or co-inventor of more than fifty patents, has served as the Vice President of the International Financial Cryptography Association, and is a Research Fellow of the Anti-Phishing Working Group. Prior to his current position, he was Principal Research Scientist at RSA Laboratories, a member of technical staff at Bell Laboratories, and Adjunct Professor at New York University. He is an Editor of The International Journal of Applied Cryptology, and a Group Editor of the ACM Mobile Computing and Communications Review. His latest book, Phishing and Countermeasures was released last year. He is co-editor and author of upcoming books on crimeware from Symantec, click fraud and cryptographic protocols. He has also served as the Editor of the RSA Cryptobytes for several years. Professor Jakobsson researches fraud, social engineering and phishing, and the prevention of these attacks.




 2006 By the Numbers - Information Security Countdown

Data breaches were hitting the headlines almost every week in 2006, with the estimated number of records compromised due to security breaches now over the 100 million mark, according to the Privacy Rights Clearinghouse, which tracks breaches dating to the ChoicePoint incident in 2005. With all the press coverage and consumer awareness of the issue, expect Congress to take up the matter this year in earnest. We will most probably see several legislative bodies arm wrestling to assign top enforcement duties with whatever form the federal law takes. That is aside from the 30+ state laws on the books that relate to data breach notification. Secure your sensitive data now before the waves of regulations begin washing up on the walls of your institution.




 The Twelve Days of Secure Banking

Wish List from Financial Institutions to Our Customers

As the weather outside gets colder and the year draws to an end, we're thinking of what would be some of the things we'd like to give and receive as gifts during the holidays. While your personal list may be longer than this, here are the 12 things we wish all of our customers and employees would do - loosely based on "The Twelve Days of Christmas". Hum along if you don't sing.




 Report: Users the Weak Link in Security

Cyber-criminals are targeting the most vulnerable access points within businesses - employees - to execute their attacks, a new study finds.

In its closely watched annual security report, IBM warns that although widespread virus outbreaks are on the decline, on the whole online attacks are expected to rise in 2006. The culprit: highly targeted attacks that rely on naive users.

According to IBM's 2005 Global Business Security Index Report, e-mail-borne viruses dropped sharply in 2005. In 2004, 6.1% of e-mails contained a virus; in 2005, that declined to only 2.8%. "What we're seeing is more directed targeted attacks, and we really think that's because of the financial motivation and the underground economy driving those things," an IBM security expert said.




 Fighting Back Against Phishing

The rising number of phishing attacks involving the hijacking of the brands of financial institutions poses a genuine threat to the integrity of the financial system. Fortunately, there exist defenses to deter attacks or to render them harmless. Some of these employ technology to foil would-be scammers, and other techniques rely on consumer and employee education. An effective counter-phishing program will utilize both.

The Federal Deposit Insurance Corp. enumerates a four-point program:
- Upgrading existing password-based single-factor customer authentication systems to two-factor authentication.
- Using scanning software to proactively identify and defend against phishing attacks.
- Strengthening educational programs to help consumers avoid online scams, such as phishing, that can lead to account hijacking and other forms of identity theft.
- Placing a continuing emphasis on information sharing among the financial services industry, government, and technology providers.




 Phishing: An Insidious Threat to Financial Institutions

Phishing scams—the use of fake e-mails to dupe people into yielding up their account numbers and passwords—are on the rise. Hijacking brand names of banks, e-retailers and credit card companies, phishers often convince recipients to respond. Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using Trojan keylogger spyware.

During the month of November, according to the Anti-Phishing Working Group, 17,000 unique phishing reports were received and 1,000 password-stealing code URLs identified—both records. Financial services continues to be the most-targeted sector, accounting for 90% of all attacks.




 Phacing the Phacts on Phishing

Nearly a quarter of PC users are targeted by monthly phishing attempts, according to a national study of online security.

Phishing is, of course, the practice of sending bogus but authentic-looking e-mails, purportedly from a trusted organization, to consumers in hopes of tricking them into revealing personal information. It’s one of the fastest-growing crimes in the world, and the survey conducted by AOL and the National Cyber Security Alliance indicates there’s no reason to expect that to change anytime soon.

• Phishing scams’ increasing sophistication makes them tougher to spot; 70% of recipients say they initially thought the e-mails might be legitimate.






 How to Report Internet Related Crime

Internet-related crime, like any other crime, should be reported to appropriate law enforcement investigative authorities at the local, state, federal, or international levels, depending on the scope of the crime.  Citizens who are aware of federal crimes should report them to local offices of federal law enforcement.




 Operator of Massive For-Profit Software Piracy Website Pleads Guilty

Caused As Much As $20 Million in Losses to Software Industry

WASHINGTON, D.C.—The owner of one of the largest for-profit software piracy websites to operate in the United States has pleaded guilty to operating a software piracy website, Assistant Attorney General Alice S. Fisher for the Justice Department's Criminal Division and U.S. Attorney Paul J. McNulty for the Eastern District of Virginia, announced today.

Nathan Peterson, 26, of Antelope Acres, California, pleaded guilty in Alexandria, Virginia before U.S. District Court Judge T.S. Ellis to two counts of criminal copyright infringement for selling pirated software over the Internet and through the mail. Peterson, who is scheduled to be sentenced on April 14, 2006, at 9 a.m., faces a maximum sentence of 10 years in prison and a $500,000 fine.






 Silicon Valley Engineer Indicted for Stealing Trade Secrets and Computer Fraud

The United States Attorney for the Northern District of California announced that Suibin Zhang, 37, of San Jose, California, was charged late yesterday by a federal grand jury in San Jose in a nine-count indictment alleging computer fraud; theft and unauthorized downloading of trade secrets; and the unauthorized copying, transmission and possession of trade secrets.

In particular, the indictment charges three counts of computer fraud in violation of 18 U.S.C. § 1030(a)(4); three counts of theft, misappropriation and unauthorized downloading of trade secrets in violation of 18 U.S.C. §§ 1832(a)(1), (2) and (4); two counts of unauthorized copying and transmission of trade secrets in violation of 18 U.S.C. §§ 1832(a)(2) and (4); and one count of unauthorized possession of stolen trade secrets in violation of 18 U.S.C. §§ 1832(a)(3) and (4).






 Man Pleads Guilty to Infecting Thousands of Computers Using Worm Program

"Botnet" Investigation Led by U.S. Secret Service’s Electronic Crimes Task Force and the Computer Hacking and Intellectual Property Unit of the U.S. Attorney’s Office

SAN JOSE – United States Attorney Kevin V. Ryan announced that Anthony Scott Clark, 21, of Beaverton, Oregon, pleaded guilty yesterday afternoon in federal court in San Jose to launching a computer attack against the Internet auction site eBay in July and August 2003 with an army of infected computers he had amassed by using a computer worm program.






 IP cloaking becoming a business necessity

By Anne Saita, News Director

09 Dec 2005 | SearchSecurity.com

SAN DIEGO -- So much for trade secrets. Not long ago, a company unwittingly tipped its hand when planning to buy another business.

How? Lawyers, investment bankers, consultants, executives and directors suddenly hammered the investor relations section of the targeted firm's Web site. Their IP addresses gave them away.

Realizing it was going to be bought, the targeted firm called another company and shared its rival's still-secret plans, thus launching a bidding war. In the end, the first company won the battle, but it paid $15 million more than it should. A more covert search for information may have prevented that.

"This seems to be a very common scenario," explained Lance Cottrell, founder, president and chief scientist for San Diego-based Anonymizer Inc., at Thursday's Usenix Large Installation System Administration conference. Though his 11-year-old company is best known for consumer privacy, enterprise interest has surged regarding cloaking online activity used to gather intelligence and prevent information leakage.






 Working with Victims of Computer Network Hacks

In our ten years’ experience in detecting, locating, and prosecuting network intruders (hackers) we have seen that, as with many offline crimes, robust law enforcement alone cannot solve the network intruder problem. To be effective, any overall strategy must include the owners and operators of the nation’s computer networks. They are the first line of defense and have the responsibility to take reasonable measures to ensure that their systems are secure. They are also in the best position to detect intrusions and take the first critical steps to respond. At the most basic level, we rely on network operators to report to us when their systems are hacked. Intrusion victims, however, are often even more reluctant to call law enforcement than other business victims. This reluctance has been reflected in the surveys conducted jointly by the Computer Security Institute and the FBI. In the year 2000 survey, for example, only 25% of the respondents who experienced computer intrusions reported the incidents to law enforcement. To better understand why and to learn how we can promote reporting, the Department of Justice has undertaken a concerted effort to reach out to the operators of our nation’s computer networks.




 ‘Live Phishing’ Experiment Nets Consumers – Hook, Line, and Sinker

How likely are you to be wooed into a false sense of security by a friendly face or the promise of a cash prize?

A friendly, wholesome-looking team of surveyors recently set up shop in New York’s Central Park on behalf of RSA Security to find out how much personal information consumers would give up while participating in a survey supposedly about tourism in the city.





 Hackers Pose New Threat to Desktop Software

Hackers have changed their tactics and are exploiting flaws in popular software applications – including security programs — to break into the computers of consumers, government agencies, and businesses.

What’s new about this, you might ask?  The key word is “applications.”  Until recently, hackers focused almost exclusively on computers’ operating systems – that is, their basic nervous-system software, with Windows being the obvious example.

But over the past five years, operating-system companies, especially Microsoft, have grown much more adept at quickly issuing “patches” once a security breach in their products was discovered.  Moreover, the ubiquity of Internet access means these patches can be distributed automatically, often without the user even knowing his or her software has been strengthened.  Result: More secure operating system software.





 Many Internet Users Lagging on Tech Lingo

Most Internet users know spam when they see it, but the vast majority are unfamiliar with terms like “podcasting,” “phishing,” and “RSS,” according to a recent study.

The Pew Internet and American Life Project research, based on random telephone interviews with 1,336 Internet users, was called a sobering reality check by experts.  The widespread lack of knowledge of phishing, in particular, alarmed security analysts because the crime has grown so widespread in recent years.

Survey Findings

Here are some of the interesting results from the Pew study:

• 70% of respondents either never heard of phishing or were not sure that it refers to e-mail scams that try to trick users into revealing sensitive information by masquerading as a legitimate bank, credit-card issuer, or other organization.





 Extra! Extra! 104 Security Breaches Hit the Front Pages This Year

Since January 1, at least 104 data incidents have been documented in the U.S., potentially affecting more than 56.2 million individuals. And that is probably just the tip of the iceberg.

How many breaches don’t make the front page because the victimized company wants to avoid embarrassing publicity? We will never know. What we do know is that security breaches are hardly new. What’s different is that now you are hearing about them.

Those breaches fall into a number of easily recognizable patterns:





 Data shows spyware becoming 'global pandemic'

By Eric B. Parizo, News Editor
10 Nov 2005 | SearchSecurity.com
  
No matter where you are or how big you are, if your organization hasn't been affected by spyware yet, it's only a matter of time.

That's the message from Boulder, Colo.-based Webroot Software Inc. According to the antispyware vendor's quarterly "State of Spyware" report released this week, the spread of secret nefarious and malicious programs has quickly become a "global pandemic."

Webroot CEO C. David Moll said spyware is no longer confined to a handful of countries or a single continent. In fact, it's everywhere.

Moll said his customers have reported spyware problems in 223 countries. What's more, unlike spam, which he said took nearly two years to plague users around the world, spyware has become the scourge of Internet users everywhere in just a matter of months.



 ID Theft Ring Uses Spyware

What's your estimate of how many of your institution's customers have installed anti-spyware on their computers? If you estimated anything higher than 10-15%, your nickname's probably Pollyanna. In truth, a terrifyingly high percentage of computers are not protected against the spyware threat and as a data cache uncovered last weekend by Sunbelt Software shows, accounts are at risk as a result -- and that could spell losses for your institution unless you take measures to protect against them.




 'Skimming' Too Easy with New Technologies

Bankers Online:

Skimming credit and debit card cardholder information has become an easy way for criminals to steal identities, thanks to new technologies being offered via the Internet.

A Tunisian national was recently arrested in Pennsylvania after using a hand-held skimming device he purchased over the web to steal information from customers of the bar/restaurant where he worked in Philadelphia.





 3 New Ways Phishers Are Hooking You

Ever inventive, cyber-criminals who specialize in phishing scams are finding new ways to hook you and your personal financial information.

The days of amateurish phishing expeditions filled with typos are long gone. It’s our hope that by learning of the latest techniques, you can stay one jump ahead of this insidious scam.

Survey Phishing
In this ruse, the tired old phishing device asking recipients to “update their accounts” is




 Impact of Information Security Trends on Banks, Part 2: Shift Towards Application Level Attacks




 Customer Identity Theft: E-Mail-Related Fraud Threats

TO:   Chief Executive Officers and Chief Information Technology Officers of National Banks, Federal Branches, Service Providers, Department and Division Heads, and Examining Personnel

PURPOSE

This alert is intended to raise awareness of an increasingly common Internet fraud called “phishing” and encourages banks to educate their customers, strengthen monitoring systems, and enhance response programs to reduce the potential risk to their organizations and customers.

BA




 Meeting the PCI Data Security Standard requirements mitigates threats


Diana Kelley - SearchSecurity.com  

What you will learn from this tip: How using five security best practices gets you closer to compliance with the PCI Data Security Standard and helps mitigate common threats to e-business.

The media has been abuzz with a series of reports from vendors such as DSW (Designer Shoe Warehouse) and Polo Ralph Lauren regarding disturbing losses of credit card information.




 Major Online Threats Exposed

Internet-related crime, fraud, and damage are going through the roof. Here we take a look at what Consumer Reports has named the four major online threats you need to defend against.

VIRUSES AND WORMS
Oldies but goodies (baddies?), these have plagued computer users for nearly two decades. They typically infect computers via e-mail, as attached files, or through Internet downloads. Viruses and worms can destroy information on your hard drive, clog the network, a




 Phishers' latest hook: SSL Certificates

By Bill Brenner, News Writer
27 Sep 2005 | SearchSecurity.com 

Most users recognize -- and sometimes disregard -- the warning box that pops up when inputting personal information like bank account codes on a trusted Web site accessed with an ironclad connection. Time to think twice about such blind trust on previously deemed safe sites, especially if it's a fin




 Spyware Costs Companies $130,000 Each Month

New data shows that on average, businesses are spending an eye-popping amount of money every month in IT resources to fight the spyware plague.

FaceTime Communications, an IT security provider, surveyed more than 1,000 IT managers and end users.  The key finding: spyware and other unsanctioned downloads are resulting in average monthly costs of $130,000.

The survey also found that spyware incursions appear to be growing at a rate twice that of computer virus incidents.  Much of




 NSI Watercooler Stories

National Security Institute

Popular E-Greeting Card Carries Trojan
An e-mail message that claims to hold a link to a greeting card is responsible for a recent series of “Trojan horse” cyber-attacks. The e-mail directs recipients to click on a link in order to pick up an e-card from a “secret admirer.” PC users who do so are sent to a Web page that tries to download a bit of malicious code k




 Weblinking: Identifying Risks and Risk Management Techniques

A. RISK DISCUSSION

Introduction

A significant number of financial institutions regulated by the financial institution regulatory agencies (Agencies) maintain sites on the World Wide Web. Many of these websites contain weblinks to other sites not under direct control of the financial institution. The use of weblinks can create certain risks to the financial institution. Management should be aware of these risks and take appropriate steps to address them. The purp




 Banks on Security Alert Against Keyloggers

High-tech criminal gangs with access to sophisticated keylogging viruses pose a growing threat to banks and financial institutions.

Recently, England’s High Tech Crime Unit foiled an effort to steal over $100 million from a Japanese bank in London.  The gang gained access to Sumitomo Corp.’s computer systems, installed keyloggers in order to learn users’ passwords, and were getting set to transfer the money to 10 bank accounts scattered aro




 Security awareness training: How to educate employees about spyware

We all know the threats posed by spyware to enterprise networks: user ID and password theft, financial loss, productivity drain, intellectual property theft. Security practitioners have two defenses at their disposal: the human and the technical. While the technology for combating spyware is improving, antivirus vendors have only recently started adding functionality to target it. That means the best defense is the human one – employees and end users. They can help in the battle against spywar







Copyright © 2007 BankInfoSecurity.com