Fraud Intelligence Newsletter
July 2008
Table of Contents
Phone phishing outbreak targets over a dozen institutions
Kaminsky DNS Exploit revealed - What you should do
Romanian phishing gang arrested
Credit union websites hacked, host phish
Internet Identity and Fraud Net join to deliver seminars in Oregon
Upcoming Event Schedule
August 6-7, Black Hat USA 2008 Briefings and Training, Las Vegas, NV.
September 16-19, Washington Credit Union League Convention, Vancouver, WA. We will be sponsoring the Internet Café station so you can check your e-mail!
July 30, August 7, and August 19, Educational Webinars presented by Oregon Bankers Association (OBA members only).
September 22 - 24, Mail Anti-Abuse Working Group Meeting (members only), Ft. Lauderdale, FL.
September 29 - October 1, Digital PhishNet 2008 Conference (by invitation only), San Diego, CA.
October 14 - 16, eCrime Researchers Summit 2008 and APWG General Meeting (members only), Atlanta, GA.
Phone phishing outbreak targets over a dozen institutions
In the past two weeks, over a dozen banks and credit unions have been
targeted by phone-to-phone phishing. For several of those
institutions, it was the first time they have been victimized by
phishing.
In the attacks, the criminals used automated dialing to call consumers
with a recorded message that claimed to be from the targeted
institution and conveyed an "urgent" reason for the consumer to call a
specific telephone number. When the consumers called the number given,
they were greeted with a recording that requested their personal
information. Almost all the numbers used by the phishers have started
with the 515 area code (central Iowa). Several victims who disclosed
their information reported immediate fraudulent transaction activity in
Spain and Romania, with significant monetary losses.
Several Internet Identity clients have been among the victims of these
attacks. Fortunately, the phone providers being exploited have
responded fairly quickly to our requests to shut down the phone numbers
involved. We are continuing to work with those providers to help them
improve their front-end fraud detection and respond more quickly once
attacks are identified. One provider has gone so far as to stop
accepting new account signups "due to fraud".
For our clients, phone phishing is up 63% over the past three months.
Since May 1, Internet Identity has shut down 80 phone phishing attacks
against our clients. In the three months prior to May, we shut down 49
attacks.
The criminals were found to be cashing out accounts
In an interesting coincidence, we have noticed that the number of
institutions being targeted for the first time by e-mail based phishing
has dropped considerably during this phone phishing outbreak. It
could be that one or more phishing gangs have shifted their
operations to phone phishing.
Kaminsky DNS Exploit revealed - What you should do
In recent weeks, the so-called "Kaminsky exploit" for DNS servers has
garnered much attention. The exploit makes it relatively easy for an
attacker to execute a "cache poisoning" attack on a DNS cache server.
These cache servers are what a user's browser relies on to tell it what
IP address is hosting the content for a particular hostname. In a DNS
cache poisoning attack, an exploit can create false entries for
legitimate hostnames and thus direct unsuspecting users to fake sites
controlled by the attacker. From the user's point of view, the fake
site would have the proper URL.
For several weeks now, the DNS and security communities have been
urging all ISPs, large companies and others that maintain DNS caching
servers to install the software patches that have been quickly
developed since this exploit was first discovered by security
researcher Dan Kaminsky several months ago. At that time, Kaminsky
quietly informed leaders in the DNS community about the problem and
together they organized a secret, industry-wide, coordinated effort to
develop and release the software fixes before the details of the
exploit became publicly known.
As of now, the details of the exploit and the patches are publicly
known. A fairly straightforward explanation of the exploit may be
found in this blog entry.
Basically, the patches add the feature of randomizing the source port
for a server's DNS requests. Since the Kaminsky exploit relies in part
on a predictable source port, adding source port randomization makes
the exploit impractical to execute and renders it effectively useless.
However, on unpatched DNS servers, the Kaminsky exploit would be highly
effective. As of now, well over 50% of DNS servers remain unpatched,
including those at some very large ISPs.
If you are a phishing target, your customers are vulnerable to this
exploit if the ISP they rely on for DNS has not patched its servers.
Internet Identity recommends that you determine which ISPs are used by
your customers, and that you urge those ISPs to implement the
appropriate patches immediately. You should also make sure your own
corporate networks' DNS servers (and any upstream servers they rely on)
are patched so attackers cannot redirect your employees to phishing,
malware or other sites where they could have their computers or
credentials compromised.
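The patch described above makes a resolver's outbound source port unpredictable, and that is something a defender can verify on their own caching servers. As an added illustration that is not part of the newsletter, the following Python script scores a list of source ports captured from a resolver's outbound queries (the three port lists here are constructed samples standing in for a packet capture) and reports whether they look fixed, sequential, or randomized.

```python
import math
from collections import Counter

# Constructed samples of the UDP source ports a caching resolver used for
# 200 consecutive outbound queries, as one might extract from a packet trace.
FIXED_PORT = [53] * 200                                   # pre-patch behaviour: every query from port 53
SEQUENTIAL = [32768 + i for i in range(200)]              # incrementing ports: still predictable
RANDOMIZED = [1024 + (i * 7919) % 60000 for i in range(200)]  # stand-in for a patched resolver


def port_entropy_bits(ports):
    """Shannon entropy of the observed source ports, in bits."""
    counts = Counter(ports)
    total = len(ports)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def is_sequential(ports):
    """True when every consecutive pair differs by exactly +1 or -1."""
    diffs = {b - a for a, b in zip(ports, ports[1:])}
    return diffs == {1} or diffs == {-1}


def assess_resolver(ports):
    """Classify a resolver's source-port behaviour from a sample of its queries.

    Returns a dict with the number of distinct ports seen, the entropy of the
    sample, and a verdict. The entropy threshold (within one bit of the maximum
    for the sample size) is a heuristic chosen for this example, not a standard.
    """
    entropy = port_entropy_bits(ports)
    distinct = len(set(ports))
    if distinct == 1:
        verdict = "fixed source port: unpatched"
    elif is_sequential(ports):
        verdict = "sequential source port: predictable"
    elif entropy >= math.log2(len(ports)) - 1:
        verdict = "randomized source port: patched"
    else:
        verdict = "low-entropy source port: review"
    return {"distinct_ports": distinct, "entropy_bits": round(entropy, 2), "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORT), ("sequential", SEQUENTIAL), ("randomized", RANDOMIZED)):
        print(name, assess_resolver(sample))
```

A sample of a few hundred queries is enough to separate the three cases; a single query tells you nothing, since one port is always "distinct".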
Romanian phishing gang arrested
On July 15, Romanian authorities arrested over 20 people allegedly
involved in a major phishing ring that targeted eBay, Craigslist, and
others. The investigation that led to these arrests was a joint effort
between the FBI, the Brigada Specială de Intervenţie a Jandarmeriei,
and DIICOT (Romanian organized crime and anti-terrorism squad). The
suspects allegedly staged fake Internet auctions and used forged credit
cards, according to Romanian prosecutors specialized in organized crime
and terrorism.
Credit union websites hacked, host phish
In the past two weeks, Internet Identity has discovered two
phishing sites that were hosted on legitimate credit union websites.
Neither phishing site was targeting the credit union where it was
hosted; instead, the sites were targeting multi-national banks.
However, there was nothing to prevent the phishers from targeting the
CUs whose sites had been hacked.
Upon discovering the sites, we immediately notified the FBI and Secret
Service. We then contacted the compromised institutions. In one case,
involving a Wisconsin-based CU, the CEO we spoke to didn't believe the
compromise was her problem, but rather her web host's problem. She
also suggested that our call, and the call she had received moments
earlier from the FBI, were actually being made by the criminals!
Fortunately, the FBI received much better cooperation from the site
host and was able to get the site taken down quickly and collect good
evidence.
These cases point out two issues. First, your site is your
responsibility, even if you outsource the hosting of it. After all, it
is your name on the site, not the web host's. So you need to make sure
your web hosting provider employs strong security practices. Second,
many of your peers that have not been attacked by phishing remain
dangerously ignorant about what it is and how it impacts them and your
industry as a whole. It would be a bold phisher indeed to call a
financial institution claiming to be the FBI or a security company, yet
this incident is not the first time we've gotten such a reaction.
Internet Identity strongly recommends to our clients that you educate
and inform your peers about phishing. Just as educating your customers
is a key component in your anti-phishing efforts, so too is educating
your peers.
Internet Identity and Fraud Net join to deliver seminars in Oregon
In July, Internet Identity joined with Fraud Net and the Florida
Bankers' Association (FBA) to present educational seminars about fraud
prevention and mitigation to community banks and law enforcement agents
in Oregon. Fraud Net is an online information exchange resource provided by the FBA for
banks and law enforcement in 21 states that allows them to share
information to help prevent fraud. Fraud Net is a valuable resource
that we encourage you to learn more about. The educational sessions
were organized by the Oregon Bankers' Association (OBA). Internet
Identity is working with the OBA on a series of educational events
designed to increase Oregon banks' awareness and understanding about
phishing.
If you want to learn more about protecting your organization from phone
phishing, phishing, spear phishing, targeted malware and other attacks
against your customers, please contact Internet Identity.