Fraud Intelligence Newsletter

August 2008

Table of Contents
Phishers now attacking feisty victims with malware too
Pennsylvania, Ohio and Indiana hit hard by phone phishing
11 charged in largest-ever I.D. Theft case
Typosquatting turns to e-mail
New investigative series on eCrime published

Upcoming Event Schedule

September 16-19, Washington Credit Union League Convention, Vancouver, WA.  We will be sponsoring the Internet Café station so you can check your e-mail!

September 22 - 24, Mail Anti-Abuse Working Group Meeting (members only), Ft. Lauderdale, FL.

September 29 - October 1, Digital PhishNet 2008 Conference (by invitation only), San Diego, CA.

October 14 - 16, eCrime Researchers Summit 2008 and APWG General Meeting (members only), Atlanta, GA.



Phishers now attacking feisty victims with malware too

A security researcher recently reported that phishing sites hosted on a particular botnet have begun retaliating against visitors that submit bogus information containing vulgarities or the word "phish".  Visitors that submit the phishing form with such feisty language are immediately bombarded with attempts to infect their machines with malware to make them part of the botnet.  Interestingly, visitors that submit apparently real information are left alone, as are those that do not submit the form at all.


Pennsylvania, Ohio and Indiana hit hard by phone phishing

Last month, we reported about a phone phishing outbreak in Kentucky and Indiana. This month we have seen many community banks and credit unions in Indiana, Ohio and Pennsylvania attacked with phone phishing in a similar manner.

In the attacks, the criminals use automated dialing to call consumers with a recorded message that claims to be from the targeted institution and conveys an "urgent" reason for the consumer to call a specific telephone number.  When the consumers call the number given, they are greeted with a recording that requests their personal information.

While the reported losses have been relatively small, many institutions, even those not directly targeted in the scams, report being overwhelmed with customer inquiries in all channels: phone, email and in person at the branches.

The best course of action for all institutions is to have a phishing response plan in place and ready to execute.  This plan should include messaging for all your customer and member touch points.


11 charged in largest-ever I.D. Theft case

In early August, the U.S. arrested 11 alleged hackers accused of stealing more than 40 million credit and debit card numbers from nine major U.S. retailers - including TJX. Their crimes include conspiracy, computer intrusion, fraud and identity theft, according to indictments unsealed by federal grand juries in Boston, MA and San Diego, CA.

Three of the defendants are U.S. citizens, one is from Estonia, three are from Ukraine, two are from the People's Republic of China and one is from Belarus. One individual is only known by an alias online, and his place of origin is unknown.

"So far as we know, this is the single largest and most complex identity theft case ever charged in this country," said Attorney General Michael B. Mukasey. "It highlights the efforts of the Justice Department to fight this pernicious crime and shows that, with the cooperation of our law enforcement partners around the world, we can identify, charge and apprehend even the most sophisticated international computer hackers."

The international law enforcement cooperation extended to making arrests.  One of the defendants was arrested in Germany, and one was arrested in Turkey.

Security researcher Gary Warner has been following this case closely and provided a helpful summary on his blog (http://garwarner.blogspot.com/2008/08/tjx-update-san-diego-indictments.html) of some of the group's exploits detailed in the indictments, which is excerpted here:

First, (Albert) Gonzalez, (Damon Patrick) Toey, and (Christopher) Scott went wardriving around Miami, in commercial areas such as the area around U.S. 1, identifying vulnerable wireless networks. They targeted large retailers, "including, but not limited to" BJ's Wholesale Club, DSW, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, and TJX.

After infiltrating their networks, they began locating and stealing sensitive files and data, including credit card numbers.

At this point, they are just punks. This type of break-in is a dime a dozen. But then they took it further. It says they went on to install sniffer programs, monitoring and stealing password and account information as well as track 2 data.

The conspiracy broadened as they had to bring in new associates to help with decrypting the encrypted PIN numbers on their tens of millions of Track 2 reads.

The stolen data was stored on servers in Latvia, the Ukraine, and the United States, and encrypted to prevent access by others. From there, the data was sold in "dumps", cashed out, and the money was redistributed, using webmoney, ATMs, and in some cases even mailing express packages full of cash to drop boxes!

Regarding their technical skills, custom SQL injection attacks were developed to take on particularly desirable web sites. The attacks were mounted against a variety of database-driven web sites to find additional track 2 data, internal accounts, and files of large businesses.


Typosquatting turns to e-mail

At a Black Hat conference presentation in early August, Oliver Friedrichs from Symantec remarked on the underappreciated threat to e-mail posed by typosquatting domains. Typosquatting domains are common misspellings of brand names that are generally registered to present advertising to the web traffic that mistakenly visits those domains.  And typosquatting domains are often used in phishing schemes.

Friedrichs highlighted a domain that was a typo of a major defense contractor's main domain name and was registered in China.  This typosquatted domain had no Web page, but it could receive e-mail. So errant e-mails intended for a defense contractor could be ending up in the hands of foreign competitors or industrial spies.

The implication for financial institutions and online businesses is similar.  By registering typosquatting domains, criminals can easily capture e-mail that is intended for your company, but has been mis-addressed due to a typing error. While most often that mail will be innocuous, there will be times when these errant e-mails contain confidential client or business information that in the wrong hands could cause your business harm.

The response to this threat is actually pretty simple.  This e-mail threat is another reason to protect the area "around" your domain name.  By registering the top 100 to 500 most common typographical variants of your main business domain(s), you can buy a cheap and effective defense against typosquatting crime.
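To build the list of variants worth registering, a defender first enumerates the single-keystroke typos of the domain label. The following is an added example, not code from the newsletter or from Internet Identity; the QWERTY adjacency map and the sample domain "examplebank.com" are constructed, and the code assumes a plain second-level domain (label plus one TLD).

```python
"""Enumerate one-keystroke typo variants of a domain for defensive registration."""
from typing import Iterable, Set

# Constructed QWERTY adjacency map used for "fat-finger" substitutions.
ADJACENT = {
    "q": "wa", "w": "qase", "e": "wsdr", "r": "edft", "t": "rfgy", "y": "tghu",
    "u": "yhji", "i": "ujko", "o": "iklp", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}


def typo_variants(domain: str) -> Set[str]:
    """Return the one-edit typo variants of the label of `domain` (assumed label.tld).

    Covers the four common keystroke errors: a missed character, a doubled
    character, two adjacent characters transposed, and a character replaced
    by a neighbouring key. The TLD is kept unchanged.
    """
    label, _, tld = domain.lower().partition(".")
    variants: Set[str] = set()
    for i, ch in enumerate(label):
        variants.add(label[:i] + label[i + 1:])                  # omission
        variants.add(label[:i] + ch + ch + label[i + 1:])        # doubled key
        if i + 1 < len(label):                                   # transposition
            variants.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for near in ADJACENT.get(ch, ""):                        # adjacent key
            variants.add(label[:i] + near + label[i + 1:])
    variants.discard(label)
    # A registrable label is non-empty and does not start or end with a hyphen.
    return {f"{v}.{tld}" for v in variants
            if v and not v.startswith("-") and not v.endswith("-")}


def unregistered_variants(domain: str, owned: Iterable[str]) -> Set[str]:
    """Variants of `domain` that are not yet in the set the organisation owns."""
    return typo_variants(domain) - {d.lower() for d in owned}


if __name__ == "__main__":
    for candidate in sorted(unregistered_variants("examplebank.com", ["exmplebank.com"])):
        print(candidate)
```

The resulting list is the input to a registration or monitoring program; the variants on it that already resolve or accept mail deserve the closest attention.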


New investigative series on eCrime published

Brian Krebs of the Washington Post has recently published a series of investigative reports about how the underground economy of online crime functions.  The hype-free series, entitled Web Fraud 2.0, looks at topics such as Validating Stolen Goods, Distributing Your Malware, and Cloaking Connections.  We recommend reading these articles to get a better understanding of the context in which phishers and other online criminals are operating.  You can find the series at http://voices.washingtonpost.com/securityfix/web_fraud_20/


If you want to learn more about protecting your organization from phone phishing, phishing, spear phishing, targeted malware and other attacks against your customers, please contact Internet Identity.