From a cybercrime perspective, the “success” story of 2009 can be found in phishing attacks – which also caused the biggest losses to the rest of us.
In a recent excellent report, security solution provider Trusteer Inc. details how data collected from “successful” phishing attacks on the banking sector over a three-month period could help cyber criminals pocket a staggering $9.4 million per 1 million bank customers if they took advantage of all the fraudulently obtained information at their disposal.
Trusteer’s report looks at phishing from a slightly different perspective than the one taken by the well-known Anti-Phishing Working Group (APWG), which twice yearly publishes numbers on detected phishing Websites.
The APWG figures show that 49,084 unique phishing Websites were found in June 2009, the second-highest number since its data collection began. This figure is based on the number of phishing sites found by the group, whether or not those sites were ever visited by Internet users.
Trusteer’s data complement APWG’s figures, as their findings are based on what they deem to be a successful attack -- i.e., one that reached its intended target and received a response from the recipient.
Trusteer achieved its results through a three-month study, during which the company collected data using its own Rapport plug-in, which customers use as part of a cybercrime protection package. The plug-in monitored 3 million computers, recording what was entered and when.
Monitoring of 10 legitimate banking Websites revealed that each week, each financial brand was subjected to approximately 16 phishing attacks, which over the course of a year amounted to a total of 832 attacks on an individual institution.
Even without actual figures, it does not take a great deal of imagination to see the scale of what is going on worldwide as a result of cyber-criminal phishing.
Researchers in this field agree that a colossal number of phishing attacks targeting financial institutions are taking place; Trusteer’s analysis is based solely on “successful” attacks, in which a fraudulent Website was actually reached by a banking customer. The data give a snapshot of the lucrative pickings at the fingertips of these criminal gangs.
Trusteer found that out of every 1 million customers, 12.5 wound up on a fraudulent phishing site. That equates to 1.04 percent of the banking customers surveyed, 45 percent of whom happily gave out their credentials, unaware that they were not on their bank’s legitimate site. Trusteer calculated that this equates to up to $9.4 million in annual fraud losses per 1 million online banking clients. So if we estimate 200 million people using online banking worldwide, the result is a staggering $1.9 billion in fraud per annum.
There’s no sign of a fraud slowdown in sight. ICANN’s recent move to put internationalized domain names (IDNs) on a fast-track approval process has been seen by some security professionals as a potential aid to phishing. IDNs increase the number of homograph possibilities: a domain can have more than one spelling, and look-alike URLs can be built from characters such as a lowercase “l” substituted for the number “1.” Look-alike URLs are a key component of phishing and fraudulent Websites.
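As an added illustration (not part of Jart Armin’s post), here is a small Python check of the kind a bank’s abuse team or a mail filter could run to flag hostnames that read like a protected brand once confusable characters and punycode are taken into account; the confusables table and the brand list are constructed for this example, not taken from any real product.

```python
import unicodedata

# Constructed, deliberately small table of characters that render almost
# identically to an ASCII letter or digit. (Assumption: a hand-picked subset,
# not the full Unicode confusables list.)
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0443": "y",  # Cyrillic small u
    "\u0445": "x",  # Cyrillic small ha
    "\u0456": "i",  # Cyrillic small byelorussian-ukrainian i
    "\u0458": "j",  # Cyrillic small je
    "1": "l",       # digit one read as lowercase L
    "0": "o",       # digit zero read as lowercase o
}

# Constructed list of brand domains a bank or mail filter would want to protect.
PROTECTED_BRANDS = ["examplebank.com", "paypal.example"]


def to_unicode_host(host: str) -> str:
    """Lowercase a hostname and decode any punycode (xn--) labels so that
    look-alike characters become visible for comparison."""
    labels = []
    for label in host.strip().lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # undecodable label: keep the raw form
        labels.append(label)
    return ".".join(labels)


def skeleton(host: str) -> str:
    """Reduce a hostname to the ASCII string a human would read it as:
    split off accents (NFKD), drop the combining marks, then replace each
    confusable character with its ASCII look-alike."""
    out = []
    for ch in unicodedata.normalize("NFKD", to_unicode_host(host)):
        if unicodedata.combining(ch):
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def is_lookalike(host: str, brands=PROTECTED_BRANDS):
    """Return the protected brand that `host` visually imitates, or None
    when the host is that brand itself or resembles none of them."""
    target = skeleton(host)
    decoded = to_unicode_host(host)
    for brand in brands:
        if target == skeleton(brand) and decoded != brand.lower():
            return brand
    return None


if __name__ == "__main__":
    for h in ["examplebank.com", "examp1ebank.com", "ex\u0430mplebank.com"]:
        print(f"{h!r:<28} -> {is_lookalike(h)}")
```

A hit means the name reads like the brand but is not the brand’s own domain; it is a screening signal for review or blocking, not proof of fraud on its own.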
So looking forward to 2010 without too much of a crystal ball, we can see a few phishing threat vectors to note:
iPhone and smartphone users. In recent weeks, we’ve seen the emergence of viruses aimed at phishing via cellphone-based banking. As many cellphone banking applications are insecure, it is clear this route will expand greatly for the cybercriminal.
Web server hacking. With the rapid increase in server compromises via MALfi/RFI and similar exploits, we will see more rogue redirects and clone banking Websites to fool the user into divulging information.
Data breaches. These have increased greatly over 2009 and are such a jackpot for hackers that there will be a further rise in 2010.
Good old spam. While most readers of this blog may not succumb to phishing-based spam, with the advent of “snowshoe spamming” techniques, many will in 2010.
— Jart Armin, Editor of RBNexploit.com, a watch blog on the infamous RBN (Russian Business Network), and HostExploit.com
the essay certainly helps us to understand how the abusive demand for administrator functions on the part of 3d party developers has worked to create an open path for malware
and it is a real eye-opener on where we stand in this respect with UAC in Vista or Win7. very good read, very good indeed
as you read the essay keep one thing clearly in mind: it is not enough to insure that an authorized program is requesting an update it is also necessary to insure that the update itself is authenticated.
making sure that only an authorized program can make an update is a necessary first step because it is that authorized program that will be required to check the presents for authentication
It is worrying, and quite amazing as to the lengths the criminals will go to break & bypass stuff. Proof positive is the increased criminal activity in 2008, 2009, and projected rise in 2010 as Jart points out. Not only would smart phone users not know that they are compromised, new sophisticated malware can sneak into a brand new OS (7), bypass UAC, hide processes and even can MIMIC their Security software GUIs to show FAKE GUIs stating things are A-OK with no issues…when they’re not & malware is there running in the background. Wow, all that techno-hacker-talent - $pent on evil. Amazing.
92% of Critical Microsoft vulnerabilities are mitigated by configuring users to operate without administrator rights
Of the total published Microsoft vulnerabilities, 69% are mitigated by removing administrator rights
By removing administrator rights companies will be better protected against exploitation of 94% of Microsoft Office, 89% of Internet Explorer, and 53% of Microsoft Windows vulnerabilities
87% of vulnerabilities categorized as Remote Code Execution vulnerabilities are mitigated by removing administrator rights
YET - many, many users – STILL – RUN – AS – ADMINISTRATOR. Malware: “OK, DO THIS…NOW!” Windows Kernel/run as Administrator Level User: “YES master, I’ll do what ever you want master.”
As far as education w/ end users in this blog, here’s an example below in one of Mark Russinovich’s TechED pieces “Windows Security Boundaries” of some of the very difficult and technical examples involved in Windows security that then have to work alongside with the concept of “Ease of use” for end users. Silverlight required to view:
I thought they corrected that bug (which might have allowed UAC to be switched off by remote control). I could be wrong but I'm pretty sure I remember that being quite a stir
DC : Kurt and I have kicked this around a bit: how much is user responsibility and how much is on the software builder?
As I see it the user must have the tools needed to make proper responses -- and the education needed to make those responses needs to be available. individual "Webinars" could be made available for this -- or -- there are 100 other good ways to distribute computer educational material ( the kids in school should all be taking a computer security class every year starting in the 7th grade ( instead of some of the other crap the "educators" have come up with ) ( at least IMHO ) )
but think about this: when you connect to a secure site the protocol changes from HTTP to HTTPS and the little padlock appears in your status bar. these are pretty subtle signals. click on the padlock. does it tell you who you are talking to and who signed their certificate? people need to understand trust models if they are going to use them plus they need the software tools to work with their trust models
I think we are definitely making very good progress
one of the things we all need to focus on is that there is a huge difference between operating software and application software
operating software runs in RING0 and has complete control of your computer. application software runs in RING3 and can't do anything without permission. the operating software should be kept only in libraries designated for that purpose. RACF referred to these as APF (approved program facility) libraries. no RATS allowed in an APF library and if you ain't APF you can't run in RING0
but that is a trouble area: attackers fishing for permission to update the reserved areas (sometimes called the "trusted zone"). there should be a second layer of defense. When the user clicks OK to install a new codec -- if that wants to update the O/S area then it should be required to have an authorized signature -- otherwise it goes on report.
another area too is -- too many applications running with administrator privilege. that circumvents what is supposed to be that second defense. I think UAC may help to reduce the number of programs that are run with administrator privilege -- it's supposed to. anyway, that is why I put in my Projections for 2010 that UAC will provide the Computer Hackers their first check: a reduction in the growth of computer crime
Yes for Windows 7 pretty worrying, as I understand it there is code in the wild that totally disables Windows 7 default UAC security. I assume MS has now patched, does anyone know???
Obviously for smart phones this form of issue will be exacerbated and the user would not even know they were compromised.
kk : = "Of course the link in the email goes to a fraud site that looks and acts just like your bank."
yep
SSL* is supposed to protect you from that. But the implementation is not as robust as perhaps it should be
*SSL: Secure Socket Layer.
SSL is supposed to provide authentication, integrity, and security:
authentication: verifies that you are talking to the party you think you are talking to, - i.e. your bank -- not a scammer. No matter how good the scammer's counterfeit he will not fool the authentication provided by the public key encryption provided by SSL
integrity: protects you from man in the middle, i.e. someone intercepting your messages and altering them and/or re-routing them
security: ensures unauthorized parties are not able to read your messages
Obviously if this were all working the way it is supposed to we wouldn't have much hacking going on
So what's wrong?
Education ( yeah, OK Kurt tee hee ): we all need to learn to check for the trust signals that SSL provides: look for HTTPS: not just HTTP. And you can look for the little padlock too, in the lower right corner of your screen. Teach those you talk with to look for these signals
Malware ( yuk ) . If people would adhere to Best Practice in Safe Computing this wouldn't be the problem that it is. Teach those you talk with to adhere to Best Practice for Safe Computing. SSL is worthless if you have malware in your system.
Group discussion question: do we have adequate control of our individual trust models?
oooops, OK
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
A Trust Model is the collection of Digital Certificates that you have
in your browser. Your Browser checks these and if it finds one
it likes it will show the secure connection signals...
If you go to my profile page you will find a copy of my public key.
if you download that you can check the signature on this message
but how would you know if that is really my public key there on my
profile page?
what if Nicole signed it for me, would that help?
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use
iQA/AwUBSyp2T7RFQAr6llRtEQKhNACdFJWwo6Xt1f7ul+QWygJVNqsW8S4An3KT
uN4Z27NoHDWbefHU6JRW2NPU
=cxSO
-----END PGP SIGNATURE-----
Were it only that simple. In the beginning of the email systems, spam was an attack against a user who had incurred the wrath of some other bulletin board user. The attackers would send a couple thousand emails to the victim's email account and the user's system would grind to a halt while trying to download the mail via a 2400 baud dial-up connection.
When AOL turned its users loose on the internet, the newbies misused the term "SPAM" to mean any email they found annoying. Through normal evolution the term "SPAM" became any unsolicited email of an advertising nature, and then any scam mail. Today a spam can be any email, from greeting cards to out-right begging for money. But the kind we are discussing here are messages that pretend to come from your bank, and then have you log in to verify your account info. Of course the link in the email goes to a fraud site that looks and acts just like your bank. Once you have typed in all your info, the site says thank you and disconnects. It looks and feels just like the real bank. But now the bad guys have all the info they need to go and empty your real account.
Or the email may have an active element in it that once activated, will begin to search your hard drive for account info, and email that info to the crooks all without any action by you except to open the original spam message. These sophisticated attacks are even more sinister and harder to detect on a smart phone. Plus the smart phone is not behind all the protections of your computer, firewall, anti-virus, etc.
KK="Did I read this correctly? You are now advocating security education? I'm relieved to be on the same side of an issue with you. If you follow a logical syllogism you'll finally come to admit that users are responsible for what they do with their computers."
ok so far, but their computers should not be doing things without the knowledge and approval of the user -- which is what happens when a user has malware
I have always advocated education. But it isn't right to expect ordinary users to be network Sherlocks and detect every scam by means of a sixth sense --
the O/S needs to do the detect and advise the operator
which is why I like the UAC. UAC combined with some user education might start to reverse the advance of malware in 2010
Tell you what: I'll risk that as my #1 projection on Nicole's poll this morning
thanks for the note
~~
This kind of thing: Symantec confirms zero-day Acrobat, Reader attack may still be a problem, however: to the extent that UAC eliminates the need for customers to "Run as Administrator" the danger of this kind of vulnerability can be neutralized: If the "reader" is running in RING3 and not as administrator it isn't going to do anything no matter how many bugs it has. except get itself abended.
~~
and this: published on Network World:
Hackers are defeating tough authentication, Gartner warns. One-time passwords aren't enough to stop cybercrooks from plundering bank accounts... In most instances, the crooks used sophisticated keystroke logging Trojan horse programs to steal login credentials from company employees authorized to initiate funds transfers on behalf of the business, the FBI noted.
How does this crap get into these computers? it is unfair to argue it is the fault of the user: it is not. The user does not have the expertise to control that. Which is why I like the idea of using UAC to tell us whether an update is authenticated. Or not
I don't know. I am 100% sure that if someone asks for money over the Internet, it is spam. The style, the address, I just know how people would write to me if they really wanted to ask for money. And I am 100% sure that none of my advisors would ever ask me for money. People should delete any message where somebody asks for money.
A similar thing happened to me five months ago. I received an email from my former academic advisor that he was stranded at a conference he was attending and was asking for help of about $1500. That figure was enough to send a shock down my spine but I instantly knew it had to be a fluke because here was a guy who possibly knew my financial position and would not have dared ask me for such a figure.
I later contacted him and shared the email with him, which was a big surprise for him. Embarrassingly for him also, some of his colleagues also received that same email. How on earth his email was breached was simply beyond me. He was forced to get a new email!!!