Fraud Intelligence Newsletter January 2008
Introducing the PowerShark FIN!
Please enjoy the first edition of the monthly PowerShark Fraud Intelligence Newsletter (FIN). The FIN is focused on providing our customers with understandable and actionable information about the rapidly evolving phishing and fraud landscape.
Also, please join us at the CUISPA Summit in Austin, TX on February 3-5, 2008. We hope to see you there!
Rise in Phone Phishing, aka Vishing
Phone phishing (sometimes called “vishing”) has quickly become an attractive avenue for fraudsters. The attacks we are seeing use branded fraudulent emails that target multiple financial institutions simultaneously and ask the victims to telephone their institution at a number provided in the email. When the victims call the number, they get a voice recording that asks them to say or input account numbers, PINs and other personal information. This attack method enables a criminal with a single telephone number to collect the most identities from the most financial institutions per attack. We have also seen attacks that do not use email as the lure, but rather use text messaging or outbound autodialers to deliver recorded messages to a list of telephone numbers in the market area of the targeted institution(s).
As with website-based phishing, quick detection and response are crucial for mitigating attacks. Phone phishing attacks can be detected early by watching spam and listening to customer complaints. Phone phishing can also be deactivated in much the same way as the more common website-based phishing attacks.
Even though most phone numbers used in attacks are based in North America, it is more difficult to track down the provider(s) involved, since the telephone number registration system is neither as open nor as well documented as the IP address registration system. Also, there is no alert network for phone numbers analogous to our phishing alert network that includes Internet Explorer 7, Firefox 2 and other major consumer providers.
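The spam-watching step described above can be sketched as follows. This is an added example, not part of the original newsletter or any PowerShark tooling: it pulls North American callback numbers out of branded messages, drops the institutions' real numbers, and groups what remains by number so that one number reused across several brands stands out. The brand names, phone numbers, messages and function names are all constructed for illustration.

```python
import re
from collections import defaultdict

# North American numbers in common written forms:
# (888) 555-0142, 1-888-555-0142, 888.555.0142
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)"
)

def extract_phone_numbers(text):
    """Return the set of 10-digit numbers in text, normalised to digits only."""
    return {"".join(m.groups()) for m in PHONE_RE.finditer(text)}

def normalise(number):
    """Reduce a written number to its last 10 digits."""
    return re.sub(r"\D", "", number)[-10:]

def find_callback_lures(messages, official_numbers):
    """Map each unrecognised callback number to the brands whose lures carry it.

    messages: iterable of message bodies (spam-trap mail, forwarded complaints).
    official_numbers: dict of brand name -> that institution's real numbers.
    """
    known = {normalise(n) for nums in official_numbers.values() for n in nums}
    hits = defaultdict(set)
    for body in messages:
        lowered = body.lower()
        brands = [b for b in official_numbers if b.lower() in lowered]
        if not brands:
            continue  # unbranded spam is out of scope for this check
        for number in extract_phone_numbers(body) - known:
            hits[number].update(brands)
    return {number: sorted(brands) for number, brands in hits.items()}

# Constructed sample data (fictitious brands and 555-01xx numbers).
OFFICIAL = {
    "Example Credit Union": ["(800) 555-0100"],
    "Sample Bank": ["800-555-0111"],
}
SAMPLE_MESSAGES = [
    "Example Credit Union alert: your card is suspended. Call (888) 555-0142 to reactivate.",
    "Sample Bank security notice. Please phone 1-888-555-0142 and enter your account number and PIN.",
    "Example Credit Union: branch hours have changed. Questions? Call 800.555.0100.",
    "Cheap watches!!! Call 877-555-0123 now.",
]

if __name__ == "__main__":
    for number, brands in find_callback_lures(SAMPLE_MESSAGES, OFFICIAL).items():
        print(number, "appears in lures for:", ", ".join(brands))
```

A number that surfaces under more than one brand matches the single-number, multi-institution pattern described above and is the one to escalate first.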
Internet Identity has deactivated numerous phone phishing incidents in the last several months. We encourage targeted institutions to contact us if they would like assistance with this very serious problem.
Serious Implications Following Attacks on Credit Bureaus
Ongoing high-volume phishing campaigns against credit bureaus have multiple serious implications for other financial institutions. All financial institutions are at greater risk of spear phishing attacks because of the campaigns against credit bureaus. The criminals know where their victims have car loans, mortgages, credit card accounts, and checking accounts. This ammunition will lead to round after round of targeted spear phishing attacks against those same victims and their financial institutions.
Access to online credit reports reveals critical personal and financial information that can be used to improve future attacks. Current active bank and credit card accounts can be identified for each victim. The balances and statuses (paid, past due, inactive) for these accounts help the fraudster target personalized spear phishing attacks. Telephone numbers can be collected to conduct targeted spear phone-phishing attacks. Last known addresses collected from the report can be used to enhance social engineering efforts, either through phone or email phishing attacks. Credit scores tell the fraudster which victims’ identities are most valuable for loan application fraud.
Credit Union Hacked (and hosted phishing attacks!)
In mid-January 2008, Internet Identity uncovered a legitimate Credit Union website that had been seriously compromised. The victimized Credit Union not only had its own customers at risk for a period of time but also ended up unwittingly serving fraudulent content.
For several hours the website served both Verified by Visa and eBay phishing attacks. It is not known at this time how many potential victims landed on these pages. Working with Internet Identity’s deactivation teams, the Credit Union was able to identify the various phish and kill them immediately.
It is critically important for financial institutions to secure their own network, employ strong password schemes, and make sure they are up-to-date on system patches.
Implications of Compromised Hosts
Hosting company Layered Technologies notified its customers in September of an incident in which hackers were able to access a client support database. According to Layered Technologies’ spokesperson Todd Abrams, “The Layered Technologies support database was a target of malicious activity on the evening of 9/17/2007 that may have involved the illegal downloading of information such as names, addresses, phone numbers, email addresses and server login details for 5 to 6,000 of our clients.”
Layered Tech immediately advised its customers to change their login credentials on all hosted servers and services including web mail, SSH access, MySQL databases, etc. The reported 5 to 6,000 compromised clients indicate the possibility of at least 5 to 6,000 compromised domains, even if each client had only one domain. This is a very serious problem.
If the criminals were able to gain access to Layered Tech accounts they could wreak havoc on domain owners. Internet traffic could be directed elsewhere, including to competing companies, to negative propaganda websites, or even to pornography websites. Hackers could access email associated with that domain to reset passwords for other services and to conduct other types of criminal mischief. Emails could be sent out to employees of any company that owned the now compromised domain for a very specific spear-phishing attack. The criminals would also potentially be able to access customer databases of the domain owners that could include personal and financial information. This would provide another source of spear phishing targets.
Perhaps one of the greatest dangers is that the hacker does nothing, at least nothing obvious. He allows the compromised domain owner to continue business as is, while quietly watching and collecting emails, vital corporate information, personal and financial data. This could continue for months if not years with no one suspecting that the domain was indeed compromised. Security practices at many hosting companies are poor and rarely enforce routine password changes or two-factor authentication. If an account is compromised with no one aware, it is unlikely that the criminal’s access to that account would be interrupted.
Unfortunately, the fact that this and other hosting companies have been compromised and warning emails have gone out to domain owners will only lead to further hacking attempts of this type. The email notifications of the breach will also lead to another attack vector against hosts: phishing attacks against hosting companies!
If you want to learn more about protecting your organization from phone phishing, phishing, spear phishing, targeted malware and other attacks against your customers, please contact Internet Identity.
To learn more about how PowerShark can help you, please contact Internet Identity at (888) 239 6932 or e-mail us at info@internetidentity.com.