Fraud Intelligence Newsletter
August 2008
Table of Contents
Phishers now attacking feisty victims with malware too
Pennsylvania, Ohio and Indiana hit hard by phone phishing
11 charged in largest-ever I.D. Theft case
Typosquatting turns to e-mail
New investigative series on eCrime published
Upcoming Event Schedule
September 16-19, Washington Credit Union League Convention, Vancouver, WA. We will be sponsoring the Internet Café station so you can check your e-mail!
September 22 - 24, Mail Anti-Abuse Working Group Meeting (members only), Ft. Lauderdale, FL.
September 29 - October 1, Digital PhishNet 2008 Conference (by invitation only), San Diego, CA.
October 14 - 16, eCrime Researchers Summit 2008 and APWG General Meeting (members only), Atlanta, GA.
Phishers now attacking feisty victims with malware too
A security researcher recently reported that phishing sites hosted on a
particular botnet have begun retaliating against visitors that submit
bogus information containing vulgarities or the word "phish". Visitors
that submit the phishing form with such feisty language are immediately
bombarded with attempts to infect their machines with malware to make
them part of the botnet. Interestingly, visitors that submit
apparently real information are left alone, as are those that do not
submit the form at all.
Pennsylvania, Ohio and Indiana hit hard by phone phishing
Last month, we reported about a phone phishing outbreak in Kentucky and
Indiana. This month we have seen many community banks and credit unions
in Indiana, Ohio and Pennsylvania attacked with phone phishing in a
similar manner.
In the attacks, the criminals use automated dialing to call consumers
with a recorded message that claims to be from the targeted institution
and conveys an "urgent" reason for the consumer to call a specific
telephone number. When the consumers call the number given, they are
greeted with a recording that requests their personal information.
While the reported losses have been relatively small, many
institutions, even those not directly targeted in the scams, report
being overwhelmed with customer inquiries in all channels: phone, email
and in person at the branches.
The best course of action for all institutions is to have a phishing
response plan in place and ready to execute. This plan should include
messaging for all your customer and member touch points.
11 charged in largest-ever I.D. Theft case
In early August, the U.S. arrested 11 alleged hackers accused of
stealing more than 40 million credit and debit card numbers from nine
major U.S. retailers - including TJX. Their crimes include conspiracy,
computer intrusion, fraud and identity theft, according to indictments
unsealed by federal grand juries in Boston, MA and San Diego, CA.
Three of the defendants are U.S. citizens, one is from Estonia, three
are from Ukraine, two are from the People's Republic of China and one
is from Belarus. One individual is only known by an alias online, and
his place of origin is unknown.
"So far as we know, this is the single largest and most complex
identity theft case ever charged in this country," said Attorney
General Michael B. Mukasey. "It highlights the efforts of the Justice
Department to fight this pernicious crime and shows that, with the
cooperation of our law enforcement partners around the world, we can
identify, charge and apprehend even the most sophisticated
international computer hackers."
The international law enforcement cooperation extended to making
arrests. One of the defendants was arrested in Germany, and one was
arrested in Turkey.
Security researcher Gary Warner has been following this case closely and provided a helpful summary on his blog (http://garwarner.blogspot.com/2008/08/tjx-update-san-diego-indictments.html) of some of the group's exploits detailed in the indictments, which is excerpted here:
First, (Albert) Gonzalez, (Damon Patrick) Toey, and (Christopher) Scott went wardriving around Miami, in commercial areas such as the area around U.S. 1, identifying vulnerable wireless networks. They targeted large retailers, "including, but not limited to" BJ's Wholesale Club, DSW, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, and TJX.
After infiltrating their networks, they began locating and stealing sensitive files and data, including credit card numbers.
At this point, they are just punks. This type of break-in is a dime a dozen. But then they took it further. It says they went on to install sniffer programs, monitoring and stealing password and account information as well as track 2 data.
The conspiracy broadened as they had to bring in new associates to help with decrypting the encrypted PIN numbers on their tens of millions of Track 2 reads.
The stolen data was stored on servers in Latvia, the Ukraine, and the United States, and encrypted to prevent access by others. From there, the data was sold in "dumps", cashed out, and the money was redistributed, using webmoney, ATMs, and in some cases even mailing express packages full of cash to drop boxes!
Regarding their technical skills, custom SQL injection attacks were developed to take on particularly desirable web sites. The attacks were mounted against a variety of database-driven web sites to find additional track 2 data, internal accounts, and files of large businesses.
Typosquatting turns to e-mail
At a Black Hat conference presentation in early August, Oliver
Friedrichs from Symantec remarked on the underappreciated threat to
e-mail posed by typosquatting domains. Typosquatting domains are common
misspellings of brand names, generally registered to serve advertising
to the web traffic that mistakenly visits them. Typosquatting domains
are also often used in phishing schemes.
Friedrichs highlighted a domain that was a typo of a major defense
contractor's main domain name and was registered in China. This
typosquatted domain had no Web page, but it could receive e-mail. So
errant e-mails intended for a defense contractor could be ending up in
the hands of foreign competitors or industrial spies.
The implication for financial institutions and online businesses is
similar. By registering typosquatting domains, criminals can easily
capture e-mail that is intended for your company, but has been
mis-addressed due to a typing error. While most often that mail will be
innocuous, there will be times when these errant e-mails contain
confidential client or business information that in the wrong hands
could cause your business harm.
The response to this threat is actually pretty simple. This e-mail
threat is another reason to protect the area "around" your domain
name. By registering the top 100 to 500 most common typographical
variants of your main business domain(s), you can buy a cheap and
effective defense against typosquatting crime.
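One way to enumerate the "area around" a domain is to generate every single-keystroke typo of its second-level label and rank them for registration or monitoring. The following Python is an added example written for this newsletter page, not a tool from Internet Identity or Symantec; "example.com" is a constructed placeholder, the QWERTY adjacency table is a US-layout assumption, and the class ordering used by prioritize() is an assumed heuristic (omissions and transpositions are treated as the most common typos), not a figure from the page.

```python
"""Generate single-keystroke typo variants of a domain so a defender can
register or watch them. Added example; 'example.com' is a constructed
placeholder and the ranking heuristic is an assumption."""
import re
from typing import Dict, List, Set

# Neighbouring keys on a US QWERTY layout (assumed), for fat-finger typos.
QWERTY_ADJACENT = {
    "q": "wa", "w": "qes", "e": "wrd", "r": "etf", "t": "ryg", "y": "tuh",
    "u": "yij", "i": "uok", "o": "ipl", "p": "o",
    "a": "qws", "s": "awedz", "d": "serfx", "f": "drtgc", "g": "ftyhv",
    "h": "gyujb", "j": "huikn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}

# A DNS label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Assumed priority order: which typo classes to register first.
CLASS_ORDER = ["omission", "transposition", "doubling", "substitution", "insertion"]


def split_domain(domain: str):
    """Return (second-level label, suffix) for a name like 'brand.com'."""
    label, _, suffix = domain.lower().strip().partition(".")
    if not label or not suffix:
        raise ValueError("expected a domain of the form label.tld")
    return label, suffix


def typo_variants(domain: str) -> Dict[str, Set[str]]:
    """Map each typo class to the set of full domain names it produces."""
    label, suffix = split_domain(domain)
    classes: Dict[str, Set[str]] = {c: set() for c in CLASS_ORDER}
    n = len(label)
    for i, ch in enumerate(label):
        classes["omission"].add(label[:i] + label[i + 1:])          # drop one char
        classes["doubling"].add(label[:i] + ch + label[i:])          # repeat one char
        if i < n - 1:                                                # swap neighbours
            classes["transposition"].add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for k in QWERTY_ADJACENT.get(ch, ""):
            classes["substitution"].add(label[:i] + k + label[i + 1:])   # hit the key next door
            classes["insertion"].add(label[:i] + k + label[i:])          # extra key before
            classes["insertion"].add(label[:i + 1] + k + label[i + 1:])  # extra key after
    # Keep only valid labels that differ from the real one, as full domains.
    return {
        cls: {v + "." + suffix for v in names if v != label and LABEL_RE.match(v)}
        for cls, names in classes.items()
    }


def prioritize(domain: str, limit: int) -> List[str]:
    """Flatten the variants in assumed priority order, de-duplicated across
    classes and alphabetical within a class, cut to the registration budget."""
    variants = typo_variants(domain)
    seen: Set[str] = set()
    ordered: List[str] = []
    for cls in CLASS_ORDER:
        for name in sorted(variants[cls]):
            if name not in seen:
                seen.add(name)
                ordered.append(name)
    return ordered[:limit]


if __name__ == "__main__":
    # Constructed input; prints the candidate list a registrar or DNS
    # monitoring job would consume.
    for name in prioritize("example.com", 25):
        print(name)
```

The output list is the input to two defensive controls the newsletter implies: register the top of the list, and put the rest into a DNS/WHOIS watch so that a variant registered by someone else (especially one with an MX record but no web page, as in the defense-contractor case above) raises an alert. Extending the generator with homoglyph or alternate-TLD classes is straightforward but goes beyond the purely typographical variants the page recommends.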
New investigative series on eCrime published
Brian Krebs of the Washington Post has recently published a series of
investigative reports about how the underground economy of online crime
functions. The hype-free series, entitled Web Fraud 2.0, looks at
topics such as Validating Stolen Goods, Distributing Your Malware, and
Cloaking Connections. We recommend reading these articles to get a
better understanding of the context in which phishers and other online
criminals are operating. You can find the series at http://voices.washingtonpost.com/securityfix/web_fraud_20/
If you want to learn more about protecting your organization from phone
phishing, phishing, spear phishing, targeted malware and other attacks
against your customers, please contact Internet Identity.
2010 Event Schedule
Jan 31 – Feb 3, BlackHat DC 2010 Briefings and Training, Arlington, VA
Feb 8 – 10, Credit Union Information Security Professionals Association (CUISPA) Annual Summit , Austin, TX.
Feb 15 – 18, Messaging Anti-Abuse Working Group (MAAWG) 18th General Meeting, San Francisco, CA.
March 1 – 5, RSA Conference, San Francisco, CA.
March 7 – 12, ICANN General Meeting No. 37, Nairobi, Kenya. Rod Rasmussen will be attending as liaison for the APWG.
March 16 – 17, e-Crime Congress, London, UK.
April 12 – 14, Educause Security Professional Conference, Atlanta, GA
May 3 – 5, FS-ISAC, FSTC, BITS Annual Summit, St. Pete Beach, FL.
May 11 – 13, Anti-Phishing Working Group (APWG) Counter e-Crime Operations Summit 2010, São Paulo, Brazil.