Search

About

Enter your email address:

Delivered by FeedBurner

Categories

Westfield Links

Westfield Blogs

InfoSec Favorites

24 posts categorized "Phishing"

New phishing attacker pretends to be a journalist

Last week, we began a series on particularly targeted phishing attacks - scams using personalization to try to convince you to click on their link. A recently reported case targeted workers at a specific bank and was based on correct email addresses and personal names. The email read:

"Dear John, I am a reporter for Finance News doing a follow up story on the recent leak of customer records from ABC Bank. I saw your name come up in the article from Central News and would like to interview you for a follow-up piece. If you have time I would greatly appreciate an opportunity to further discuss the details of the above article. Regards, Gordon Reily."

The message included what appeared to be a link to the Central News story. The URL included the bank’s name in its characters.

The names in this copy have been changed but the rest of the message is unchanged. Note that there are no misspellings, grammatical errors or typos in the message. It is personalized, professional and has all the earmarks of a legitimate message. This message will sail right through the spam filters.

The message appeals to the natural vanity or curiosity of recipients. A high proportion of readers want to see their own names in print and click on the link.

The link in the email actually took the reader to a website in China. Clicking on the link automatically installed a keystroke logger on the user's machine. The clear goal was to compromise the computer account of a bank employee – an insider who likely has deep access to accounts and customer information. Hackers know that even if the first employee didn't have direct access to sensitive information, they can use the compromised account as an entry point to attack other points of the company's network.

In this case, the bank was able to quarantine its infected computers and blacklisted the chinese website but similar attacks are occurring every day. Hackers are using increasing sophistication in their attempts to compromise the accounts of employees at financial institutions like Westfield. Never click on the link in an unsolicited email. If you are unsure about the message, forward it to InfoSec for investigation.

Read more at CSOonline.

on 13 November 2006 | | Comments (0) | TrackBack (0)

| | | | | |

Pink slip scam

Email scammers have been developing some creative new attacks lately which play on human fears, insecurity and/or vanity. We will be discussing several of these attacks over the next few weeks. First, a scam using fraudulent pink slips.

In this attack, the phisher sent emails to some employees at the target company telling them that they had been laid off. The subject line read "Urgent – employment issue". The from: line was successfully spoofed so that the message appeared to come inside the company. Other content in the message was consistent with the target company's operations (a hospital) and reinforced the victims' belief that this was a real message.

The message included a link to a website where the victim could get career-counseling information. Concerned about their employment status and being justifiably upset over being laid off by email, at least two employees at the target company clicked on the link. In fact, opening that website loaded a keystroke logger on the victims' computers.

Spam and phishing attacks are being increasingly customized to the specific company under attack. Because the content is so customized and because this particular message was so intimidating, the scammer knew that he/she could send out far fewer fraudulent messages and still find an unwary victim. Such low volume, highly targeted attacks are almost impossible for the spam filters to identify and block ahead of time. You must remain on guard when you see a suspicious message.

No reputable company will notify you of any such personnel action solely by email. If you receive a message that concerns you, talk to your manager or to HR department directly. Never click on any link in a suspicious email or IM message.

on 06 November 2006 | | Comments (0) | TrackBack (0)

| | | | | |

Trends in Phishing

A survey by First Data Corp. in 2005 found 43% of US adults had received at least one fraudulent email, in most cases purporting to be a financial institution. Of those, about 1 in 20 – or 4.5 million people – provided the requested information and about half of those ended up being victims of theft or identity fraud. According to antiphishing.org, 89.3% of all phishing attacks target financial institutions.

Those are some large numbers but I have to admit that my first reaction was to ask "who are those lucky 57% who have not yet received a phishing email?" Many of them simply do not have email. For the remainder, unfortunately the question answers itself. They are the people who have not yet received their first phish.

Phishing emails attempt to trick the reader into believing that the message is from a trusted source and following their "convenient" link to a fraudulent site which looks and feels just like the official site but which is designed to steal the user's private information. Even though this doesn't fool most consumers, phishers rely on "spam economics" – they can make money even if only a fraction of a percent of their scams succeed.

Phishers are beginning to add to their tactics. Many are providing a fraudulent telephone number in the email rather than just a fraudulent hyperlink. The criminal then sets up his/her own IVR system to steal your information when you call in. Others are making increased use of trojan horses – programs which are covertly installed onto your computer and which either log all your keystrokes or install a backdoor through with the criminal can take control of your computer.

Never trust anything sent in an unsolicited email. Never directly answer any request for your private information. If you think the request might be legitimate, type the company's address into your web-browser yourself. If this is a real request, expect it to be prominently displayed on your account page on the company's real website. If you are going to call them by phone, get the phone number off of your last paper statement. Never trust the "convenient" number on the email. Finally, remember that no reputable financial institution will ever ask for your personal information via email.

Incidentally, in 2005 the Federal Trade Commission estimated that 9.93 million persons were affected by identity theft, causing a loss to financial institutions of $46.9 billion. Combining that with the statistics above, phishing accounts for only about one quarter of all identity theft cases. This is consistent with other studies which show that most ID theft is based on paper documents. We should still be vigilant against these kinds of scam messages but we should be even more vigilant about making sure that our paper waste is properly destroyed.

on 23 October 2006 | | Comments (0) | TrackBack (0)

| | | | | |

Banking Authentication Scam

Banks and other financial institutions have until 1 January to implement multi-factor authentication to confirm the identities of their customers when accessing internet-based services. That means that banks can no longer rely on a single PIN or password to give you access to your account. They must use some other method in addition to the PIN or password.

Some banks have recently implemented the new procedures. Others are in the midst of changing their procedures. In the meantime, a large number of scams are attempting to exploit these changes in authentication procedures. They are trying to take advantage of the natural confusion of users during the transition.

Banking regulators are warning the public to be alert for scams attempting to exploit the change in authentication procedures. One popular scam describes the federal requirement for the new procedures and then asks the reader to re-register his/her online banking accounts.

  • You should never respond to any email that is requesting information that your bank already has in its possession.
  • Never click on the "convenient" link provided in the email. Too often, it takes you to an imposter site run by the scammer. Type the bank's URL into your web browser yourself.
  • Keep your online password secure – even your banker should not know your password!

As the deadline approaches, you should receive communications directly from your bank with details of any new procedures. When in doubt, play it safe and contact your financial institution.

on 02 October 2006 | | Comments (0) | TrackBack (0)

| | | | | |

« Previous