Wednesday, February 25, 2009
Last year was full of stories of criminal activity on the Internet, with hackers and phishers wreaking havoc on computer systems and consumers, causing credit and debit fraud numbers to soar.
What does this year hold for fraud against financial institutions? Here are 10 of the new and old ways criminals will be looking to commit fraud in 2009.
1. ATM Network Fraud
The number one area where institutions will see fraud growing over the next year is ATM networks. Once a criminal gets access to magnetic stripe data and the associated PIN values, they can create counterfeit cards, and then it's basically a license to print money. Another problem for institutions is that their ability to perform risk management is significantly weaker on an ATM network than for online transactions. This is because the ATM delivers the goods to the consumer immediately, which is exactly what the fraudsters want -- the cash, rather than a large-ticket item they would then have to fence or resell.
2. Check Fraud
Check fraud is also becoming continuously more sophisticated, and the underlying technological systems haven't kept pace with the sophistication of the adversaries. There won't be a solution for paper-based check fraud until there is a technological development that lets the check itself be authenticated via a chip or code. There are actions that could be taken, such as printing a code on the back of the check that the bank can verify, much like a credit card.
3. 'Laser-Guided' Precision Strikes
The organization and sophistication of criminals is increasing, and so is the sophistication of their attacks. Mike Rothman, Senior Vice President of Security Strategy at eIQnetworks, sees a "laser-guided" approach to precision attacks on institutions' customers as the next step these criminals will take. Criminal groups like the Russian Business Network (RBN) are compiling huge amounts of data in order to get consumers to share account information with them. This allows them to entice those customers to "give up the goods" by divulging enough information that the victims feel comfortable with the scam. The victims include small businesses, which Rothman sees as the next crime front.
4. Phishing Attacks To Continue
In 2008, the financial services industry saw an increase in the number of phishing attacks, and that increase is expected to continue into 2009, including sophisticated spear phishing and Rock Phish attacks. The Anti-Phishing Working Group reports that financial services remains the most targeted sector, with an average of more than 90 percent of attacks directed at it.
Phishers are now sending their phishing messages to cell phones via text messages. This will cause confusion among online banking users, especially those using mobile banking services. The typical banking customer will think, 'My bank won't email me, but they're sending me a text message asking me to click on this link or call a number to verify.'
5. Check Image Fraud
Traditionally, after a successful phishing attack, the criminal would extract the needed information, go into the online account and remove the victim's bank funds. This has changed for some of the more sophisticated criminals in the last year. Instead of looting the victim's account by setting up fake bill pay or taking money directly from it, they go to the check image page, where they take a copy of the victim's check.
Many financial institutions now offer check images as part of their online banking services. Criminals can either take the copy and make counterfeit paper checks to distribute, or take that information and create PayPal accounts or other online payment accounts that will leave the victim on the hook for any purchases.
6. Zero Day Attacks
Another area that financial institutions will need to keep an eagle eye on is the shift in the way financial fraud happens. Attacks will change from criminals trying one thing and then escalating against a particular vulnerability or fraud strategy to something more like hackers attacking computer vulnerabilities: the smartest adversaries will identify a problem, keep what they learn secret, and then attack the target in a very sudden and catastrophic way.
7. Low 'N Slow Attacks
Imagine having the best firewalls, intrusion detection systems and an unbeatable monitoring system installed, yet your computer systems are still compromised. What happened? It may have been a "low and slow" attack, one that plays out not over a few minutes or hours but over days, weeks or even months. Criminals will compromise a machine and then sit back and wait, maybe a day, a week or even a month, before going back to it to see what else they can compromise through it. What is their end goal? To compromise the entire network and perpetrate fraud over a long period of time.
8. Drive-By Attacks Deliver
Institutions need to educate and warn customers and employees to beware of online look-alikes and infected websites. Drive-by attacks that surreptitiously deliver keylogging Trojans to customers' computers are becoming identity thieves' weapon of choice. Machines are infected when users visit bogus bank sites that they've been directed to via phishing emails or, increasingly, legitimate sites that have been hacked.
9. Phones Will Be Ringing
All institutions need to keep a close ear and eye on their phone channel. As online banking security improves through better authentication and back-end anomaly detection, fraudsters are following the path of least resistance and turning to the phone (call centers and interactive voice response technology), where authentication procedures tend to be less stringent.
10. Insider Threat
This is one of the most important issues that financial institutions are going to face in the coming year. In this economy, people are going to be more tempted to steal inside data, to sell it or use it for their own purposes. The insider threat will be more prevalent than in the past, as there will be more desperate players out there. Proper monitoring of all employees, vendors and contractors, combined with a separation of duties plan, will help stop this from happening.
Tuesday, February 24, 2009
You may not realize that walking around with Bluetooth enabled on your cell phone leaves you vulnerable to hackers. They can easily connect and manipulate your phone simply by using a Bluetooth connection.
Most new cell phones have Bluetooth by default these days for things like wireless headsets, in-car connectivity, syncing with a computer and many other uses. While Bluetooth has proved to be a very useful tool for cell phones, many are unaware that it opens doors to hackers.
The fact that cell phones carry a lot of private data these days, makes “Bluetooth attacks” even more scary. While simply having Bluetooth as a feature on your cell phone doesn’t make you vulnerable to attacks, walking around with the Bluetooth function enabled and “visible” does. Many people turn on Bluetooth to use a headset or sync with their computer, and then simply forget to turn it back off when they’re done. This is why Bluetooth hacking has become so prevalent and so easy to do.
When Bluetooth is enabled on your device, it’s essentially broadcasting the fact that “I’m here, and I’m able to connect” to any other Bluetooth-based devices within range. This makes using Bluetooth simple and straightforward for the consumer, but also lets hackers know which ones to target very easily.
Here’s how it’s done: a hacker can simply download some special software and install it on a laptop or netbook. He can then attach a Bluetooth antenna to that computer and put everything in a backpack, briefcase, etc. Now, all he has to do is walk around public places where a lot of people are concentrated, and let the computer running in his bag do all the work while no one has any idea what’s happening.
The software on the computer will constantly scan the hacker’s surroundings for active Bluetooth connections, and when it finds them, it can do a variety of things without the owner having any idea what’s going on. The entire process is automated for the hacker as well, so all he has to do is walk around for as long as he can and collect as much data as possible, which he can then manipulate. Some attacks are less damaging than others, but Bluetooth allows the hacker to do many things.
Once the hacker’s software finds and connects to a vulnerable Bluetooth-enabled cell phone, it can do things like download address book information, photos, calendars and SIM card details, make long-distance phone calls using the hacked device, bug phone calls and much more. There’s a myriad of software freely available that’s made specifically to attack cell phones via Bluetooth connections, and every time an update to the technology or to certain cell phones becomes available there’s bound to be new hacking software for it. Certain attacks have become so prevalent that they even have names these days:
“Bluesnarfing” is the term for downloading any and all information from a hacked device; it can even allow the hacker to send a “corruption code” to completely shut the phone down and make it unusable. “Bluebugging” is an even scarier hack: it involves using special software to connect to a device and silently make it call another device, usually one the hacker is using, so that it acts as a phone bug. The hacker can then listen in on anything you and anyone around you are saying. Beyond these attacks, hackers can use software to route long-distance calls to locations worldwide through your phone over Bluetooth, which in turn sticks you with the carrier roaming charges. Likewise, a hacked phone can even be used remotely to make “micro-purchases,” or purchases that show up on the subscriber’s monthly bill.
The possibilities are virtually endless, and these are just a few examples of what can be done using the Bluetooth connection on cell phones. Many think that they’re safe from such attacks because Bluetooth is such a short-range communication method: a hacker would have to be within a few feet to be able to do anything. With special antennas that have been developed solely for this application, hackers can connect to cell phones that are 1,000 feet and more away. The entire process is just too easy for hackers; all they need is some special software, an antenna of some sort and some basic knowledge.
Luckily, not all Bluetooth-enabled cell phones are vulnerable to all attacks. Bluesnarfing and other attacks may work while bluebugging doesn’t on one make and model of cell phone, while only bluebugging and nothing else works on another. That’s why hackers generally set up a variety of hacks, and when they’re out and about performing their attacks on unsuspecting victims, the software will automatically identify the cell phone model and attack it accordingly in any way it knows how. The bottom line is that any cell phone with built-in Bluetooth can be hacked; it’s just a matter of what type of hacks can be performed.
The best way to avoid such an attack is to simply remember to turn off your Bluetooth when you’re not using it. A lot of people will simply put Bluetooth in “hidden,” or “private” mode which they think will hide themselves from attacks, but in reality, hackers have already figured out how to find them. Disabling the function altogether is the only way to curb an attack.
Monday, February 23, 2009
A newly discovered zero-day vulnerability in Adobe's Acrobat Reader is being actively targeted by attackers, warn researchers at Symantec Corp.
Hackers have been spreading malicious PDF files containing the Pidief Trojan. If a person opens the malicious PDF file, the Trojan attempts to exploit an unpatched processing error in Adobe Acrobat Reader 8 and 9, which results in a buffer overflow.
"Malicious PDFs using this exploit will be detected as Trojan.Pidief.E," Symantec said in a statement. Symantec said it received reports of attacks targeting the vulnerability at government, large enterprises and financial services organizations. Exploit code is circulating in the wild in the U.S., China, Japan, Taiwan and the U.K.
Please refer here to read full details and click here to update your Adobe Acrobat Reader.
Sunday, February 22, 2009
How to Write a Linux Virus in 5 Easy Steps
It's easy for people to pick at Windows for being prone to virus and malware attacks. It's almost a given belief that if you're running a PC with a Windows operating system, you're much more susceptible to attacks than users with other operating systems.
But let's quickly look at the reasons for this. First, it isn't really Microsoft's fault. It isn't that Windows is technically inferior; it's that the majority of the world runs on Windows. This fact alone is very attractive for any virus coder or exploiter. As a virus writer, you'd want to attack the majority, not the minority.
Secondly, because the vast majority of the world's computers run on Windows, everyone from very tech-savvy users to the greenest of novices is included in this pool. There are many who are just not as educated--for various reasons--about software and Internet safety. So here we have a huge pool of people, many of whom aren't informed. These are the two main reasons why a Windows desktop is the prime target for attacks.
Please refer here to read the detailed step-by-step guide on How to Write a Linux Virus in 5 Easy Steps.
Friday, February 20, 2009
An exploit targeting a recently patched vulnerability in Internet Explorer 7 was discovered in the wild. Malware crooks were quick to develop a working exploit for the vulnerability in Internet Explorer 7, which was part of the February Microsoft patch release. Microsoft rated this vulnerability critical and judged consistent exploit code likely.
The attack, delivered in the form of a maliciously crafted document, is sent out to unsuspecting users. This Word document contains an embedded ActiveX control which, upon opening, connects to a website hosting the MS09-002 exploit.
Malware authors are always working to create new and improved ways to evade detection and control compromised machines. This time, malware authors introduced obfuscation (base64 encoding) possibly to evade easy analysis and detection.
The ActiveX control facilitates connection to the malicious website to launch and execute the MS09-002 exploit.
For those who have not patched their machines, I suggest you install the MS09-002 patch immediately. It will just be a matter of time before different variants of this exploit start circulating in the wild and become incorporated into various Do-It-Yourself web attack toolkits.
The malicious Word document is detected with the current DATs as Exploit-MSWord.k, and the Internet Explorer 7 exploit is detected as Exploit-XMLhttp.d / Exploit-CVE2009-0075 by McAfee Anti-Virus.
Tuesday, February 17, 2009
One of the updates released by Microsoft this week causes some applications using Visual Basic controls to fail. The short-term solution is to remove the update, but be sure to reinstall it once your VB apps have been corrected.
If your organization's line-of-business programs use Visual Basic for Applications (VBA) controls, one of this month's Windows patches may cause your programs to misfire. The patch that's the focus of this Microsoft Security Advisory includes an ActiveX kill bit that also affects some custom VBA controls. The update is described in KB 960715.
Terry Seiberlich reports that two of his company's applications — the Office Tools Professional business-management program and Sage Software's ACT contact manager/CRM app — were affected by this ActiveX kill bit. I've been unable to determine whether the problem is present in ACT itself or only in applications that use these VBA controls and also plug into ACT.
Any applications relying on msflxgrd.ocx may also be affected. For example, if one of your line-of-business apps uses the Microsoft Access database program, you may wish to contact the program's vendor prior to installing this patch.
You may need to wait for your vendors to give you the thumbs-up before you install this kill bit. If the update has already been installed on your PC, and you need to remove it, click Start (Start, Run in XP), type appwiz.cpl, and press Enter. In Windows XP, make sure Show updates is checked at the top of the Add or Remove Programs window. In Vista, click View installed updates in the top-left pane. Look for Security Update for Windows (KB960715), as shown below:
Friday, February 13, 2009
I have been reading a lot of articles and posts regarding predictions and security threats in 2009. As the recession continues and unemployment rises, we will see the top cybercrime trend for 2009 as the continued exploitation of the financial crisis to scam people with fake financial transaction services, bogus investment firms, and fraudulent legal services.
Main Threat Predictions/Trends for 2009:
• Threats on Social-Networking Sites. Cybercriminals no longer deliver threats only via spam. They are taking advantage of Facebook, MySpace, and other popular social-networking sites. In 2008, we already saw scammers taking advantage of these social networking websites. In 2009, we will see a lot of progression in this area.
• Personalized Threats Speak Your Language. We will see a lot of malware originating from different countries in different languages, which will make it harder for malware researchers to reverse-engineer and understand these threats. Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.
• Malware Targets Consumer Devices. We will see increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as its popularity among consumers. The Apple iPhone will remain in the news among security researchers.
• Security Software Scams. The malware underworld is using mainstream practices in an effort to “sell” security software that is either misleading or outright fraudulent. We will see vendors use FUD to the maximum.
• Abusing Free Web-Hosting/Blogging Services. Websites such as Geocities, Blogspot, and Live.com allow anyone to create a public website for free, without the authentication necessary when purchasing a domain-name website. This gives spammers the opportunity to run their underground business with minimal expense. Spam from do-it-yourself social-website-hosting providers arrives at its destination with far greater frequency than links pointing to domain names assigned by legitimate registrars. With little to no threat of punishment for their hosted content, and the new restrictions on short-term domain tasting, the attractiveness of free bandwidth offered by these sites will undoubtedly draw greater focus from malicious parties.
• More Targeted Phishing and Corporate Blackmailing. Botnets, a.k.a. zombie computers, that spread into corporate networks and financial datacenters will increasingly be used to gather sensitive information that can be used for blackmail or sold on the underground market.
• Browser-Based Attacks. Cybercriminals will increasingly attack via web browsers as they are the least-protected and, therefore, easiest way to transfer malware.
• Security Breaches of Confidential Data. Information that is managed by partner and subsidiary companies of bigger companies will be exposed more frequently, forcing an overhaul of data-security practices.
• An Increase in Localized Phishing Campaigns. Online scammers will increasingly target specific communities, especially on college campuses, where professional-looking emails claiming to be associated with the school’s financial or scholarship department will be blasted to all the students at the school. This is a significant danger to people who are just becoming responsible for their own finances.
• More Scams Involving Home Businesses. “Legitimate” home business scams generally involve either a pay-up-front and do-it-yourself kit, or a pay-to-play shell game of training and certification. We’ll see more of it on television, and the same infrastructure that supports diploma spam and confidence fraud will adjust to the new unemployment reality and will offer people some new bait on the old check-cashing scam.
• Increase in Forging and Abuse of Free Email Services. The free email services have started to allow accounts to send mails with arbitrary “from” addresses. This has increased the usability of these services significantly to businesses, but has also increased the “abusability” by spammers.
• McColo: The Effects of a Takedown. Spam traffic took a tremendous dive in volume when ISPs pulled the plug on spam host McColo Corp., the source of up to 60 percent of worldwide spam. In 2009, we expect to see a continued shift in organizations, from passive support of law enforcement to an active role of working collaboratively with ISPs and global Internet entities such as ICANN.
• New Businesses to Replace Lost McColo Hosting. Hosting companies will be set up in countries that are eager to embrace a burgeoning Internet market and will offer services to replace the disrupted command and control centers formerly hosted by McColo. These may be used as pawns by entities that perceive strategic value in sculpting the battlefield of the future.
Wednesday, February 11, 2009
Millions of people are finding that they can't reach microsoft.com or can't load antivirus websites. The reason is that they are infected by the Downadup worm.
Downadup (also called Downad, Kido, Conficker or Conflicker) is a Windows worm that spreads by exploiting weak administrator passwords, use of autorun on removable and network drives, and the MS08-067 exploit.
Once installed, the worm does the following things:
- Copies itself to the system directory as a randomly-named DLL file
- Adds itself as a randomly-named system service for persistence after reboot
- Disables certain Windows services that might aid in cleanup or detection of the worm
- Deletes existing system restore points
- Disables access to multiple websites related to antivirus and security, most notably Microsoft and Windows Update.
- Spreads through the local Microsoft network using password brute-forcing or MS08-067 exploit
- Adds itself to any removable/network drives using an autorun.inf file
- Adjusts the Windows TCP/IP settings to allow a greater number of simultaneous connections in order to facilitate the spread of the worm
- Waits three hours, then attempts to download additional code by generating 250 different domain names and connecting to each via HTTP. Each day a new set of 250 domain names will be generated.
Despite using fairly old and well-known spreading vectors, and a patch being available for MS08-067 for months now, the worm is having fairly good success at spreading to networks worldwide. Estimates are currently around 10M infected machines, although it is possible that machines are being counted multiple times by some entities. Whatever the real number of infected machines, it is certainly possible that it has infected millions of machines around the world based on the sheer number of IP addresses hitting sinkhole servers that have been set up for observation.
Key indicators of an infection are:
- Network drives/USB drives with hidden autorun.inf files, especially ones that are larger than 512 bytes.
- Network logins being locked out for too many failed attempts.
- Workstations no longer able to access microsoft.com or other security/AV related websites.
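As an added example (not part of the original post), the following Python scanner automates the first indicator above: it looks for autorun.inf files on the drive roots it is given, flags ones that are hidden or larger than 512 bytes, and extracts the commands the file would launch while skipping the junk padding such files often carry. The two sample drives it builds are constructed for the demo; the DLL name and path in them are placeholders.

```python
"""Scan drive roots for worm-style autorun.inf files.

Added example, not part of the original post. Flags files that are hidden
or larger than 512 bytes (the post's indicators) and extracts the commands
the file would launch, skipping the junk lines such files are padded with.
"""
import os
import re
import stat
import tempfile

SIZE_THRESHOLD = 512  # bytes; a legitimate autorun.inf is usually far smaller
# autorun.inf keys that run a program when the drive is inserted
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")
HIDDEN_ATTR = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)


def is_hidden(path):
    """Hidden attribute on Windows; dot-file naming convention elsewhere."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & HIDDEN_ATTR) or os.path.basename(path).startswith(".")


def parse_autorun(data):
    """Return {key: command} for launch keys inside the [autorun] section.

    latin-1 decoding never fails on padding bytes; anything that is not a
    section header or a key=value pair is ignored.
    """
    commands, in_autorun = {}, False
    for raw in data.decode("latin-1").splitlines():
        line = raw.strip()
        header = re.match(r"^\[([^\]]*)\]$", line)
        if header:
            in_autorun = header.group(1).strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if LAUNCH_KEY.match(key):
            commands[key] = value.strip()
    return commands


def inspect_autorun(path):
    """Describe one autorun.inf and decide whether it looks like worm droppings."""
    with open(path, "rb") as fh:
        data = fh.read()
    commands = parse_autorun(data)
    hidden, oversized = is_hidden(path), len(data) > SIZE_THRESHOLD
    # hidden + oversized is the post's indicator; a launch command that loads a
    # DLL (directly or via rundll32) is an extra signal added in this example
    loads_dll = any(re.search(r"rundll32|\.dll\b", c, re.I) for c in commands.values())
    return {
        "path": path,
        "size": len(data),
        "hidden": hidden,
        "oversized": oversized,
        "commands": commands,
        "suspicious": (hidden and oversized) or loads_dll,
    }


def scan_roots(roots):
    """Inspect every autorun.inf found directly under each drive root, in order."""
    findings = []
    for root in roots:
        try:
            names = os.listdir(root)
        except OSError:
            continue
        for name in sorted(names):
            if name.lower().lstrip(".") == "autorun.inf":
                findings.append(inspect_autorun(os.path.join(root, name)))
    return findings


def make_constructed_samples():
    """Create two fake drive roots for the demo; all content is constructed."""
    base = tempfile.mkdtemp(prefix="autorun_demo_")
    bad, good = os.path.join(base, "usb_infected"), os.path.join(base, "usb_clean")
    os.makedirs(bad)
    os.makedirs(good)
    # Worm-style file: junk padding around the real section, well over 512
    # bytes, and a ShellExecute that loads a placeholder DLL through rundll32.
    # The dot prefix stands in for the hidden attribute on non-Windows systems.
    junk = b"".join(bytes([0x81 + i % 100]) * 7 + b"\r\n" for i in range(90))
    with open(os.path.join(bad, ".autorun.inf"), "wb") as fh:
        fh.write(junk + b"[AutoRun]\r\nShellExecute=RUNDLL32.EXE .\\RECYCLER\\payload.dll,update\r\n" + junk)
    # Benign file: only sets an icon and a volume label.
    with open(os.path.join(good, "autorun.inf"), "wb") as fh:
        fh.write(b"[autorun]\r\nicon=drive.ico\r\nlabel=Holiday photos\r\n")
    return bad, good


if __name__ == "__main__":
    for finding in scan_roots(make_constructed_samples()):
        print(finding)
```

On a real machine, pass the drive roots to check (for example the mount points of removable and mapped drives) to `scan_roots` instead of the constructed samples.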
The problem of Conficker/Downadup cleanup is exacerbated by the fact that the worm blocks the download of potential removal tools, including Microsoft's own Malicious Software Removal Tool (MSRT) which has been updated to remove Conficker/Downadup. It does this by hooking the system DNS and networking APIs and blocking DNS lookups where certain strings are present in the domain name.
The complete list of strings blocked in DNS requests is below:
Obviously not being able to reach any of these domains makes it difficult for an infected party to find information on or cleanup tools for the worm. However, the worm does not prevent use of a proxy server to reach the same websites, so in organizations where a proxy server is already in use for web traffic, removal may be easier.
- Use a proxy server to download Microsoft's Malicious Software Removal Tool (MSRT) from the following URL:
- Or, if no proxy is available, a workaround is needed. One can use a direct link to the MSRT on Microsoft's content delivery network server. Since this is a third party hosting company, their domain name is not on the blocked list, so one can substitute "mscom-dlcecn.vo.llnwd.net" for "download.microsoft.com" in the MSRT URL. The URL would then be:
- Or, F-Secure also has a removal tool available, however the f-secure.com domain is in the blocked list of domain names above. Using an IP address instead of the hostname will bypass the worm's blocking routines, so that tool could be downloaded by infected systems at this URL:
- Run the automated removal tool to eliminate Conficker/Downadup
Tuesday, February 10, 2009
A group of academics has succeeded in breaking a key security feature used by banks to protect online banking websites.
The exploit allows hackers to replicate trusted certificates issued by organisations called "certificate authorities". These trusted certificates are used to verify website certificates, which in turn verify the identity of a website or user for security purposes, such as during an e-commerce or online banking transaction.
Hackers can use the replicated trusted certificates to create forged website certificates. So far only certificate authorities using a cryptographic function to sign and verify digital certificates called the "MD5 algorithm" are vulnerable.
It could be used for identity theft. You might think you're going to a secure website, but in fact you could unknowingly be redirected to a site serving up malicious software. This exploit is potentially a huge problem for any organisation dealing with certificate authorities and for certificate authorities themselves.
Microsoft has issued an advisory to business customers asking them to contact their certificate authority for guidance and says it is working with certificate authorities to encourage them to upgrade to a newer algorithm.
Attacks were unlikely because of the expertise required, and only certificates signed using MD5 after the exploit was published were believed to be at risk.
My only advice to all my readers and users out there,
Please check the websites by clicking on the "padlock" to view the certificate's details, which shows the signature algorithm used.
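As an added example, not from the original post, here is a Python check that automates the advice above: it reads a certificate (PEM or DER), pulls the signature algorithm OID out of the ASN.1 structure with a minimal DER walker, and flags MD5-based signatures. The certificate used in the demo is a constructed skeleton carrying only the fields the checker reads, not a real certificate.

```python
"""Flag X.509 certificates whose signature algorithm is MD5-based.

Added example, not from the original post; standard library only. A minimal DER
walker reads Certificate -> signatureAlgorithm -> OID and the copy of that field
inside tbsCertificate, which RFC 5280 requires to match.
"""
import base64
import re

# PKCS#1 signature algorithm OIDs; only the MD5 one counts as weak here
ALGORITHMS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK = {"1.2.840.113549.1.1.4"}

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def algorithm_oid(alg_id_body):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY }."""
    tag, oid_body, _ = read_tlv(alg_id_body, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(oid_body)

def load_der(data):
    if data.lstrip().startswith(b"-----"):  # PEM: strip armour, base64-decode
        return base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", data))
    return data

def assess_certificate(data):
    """Report the signature algorithm and whether it is MD5-based."""
    tag, cert, _ = read_tlv(load_der(data), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, pos = read_tlv(cert, 0)            # tbsCertificate
    _, outer_alg, _ = read_tlv(cert, pos)      # signatureAlgorithm
    # tbsCertificate: optional [0] version, serialNumber, then signature
    tag, _, after = read_tlv(tbs, 0)
    tbs_pos = after if tag == 0xA0 else 0
    _, _, tbs_pos = read_tlv(tbs, tbs_pos)     # serialNumber
    _, inner_alg, _ = read_tlv(tbs, tbs_pos)   # signature AlgorithmIdentifier
    outer, inner = algorithm_oid(outer_alg), algorithm_oid(inner_alg)
    return {
        "oid": outer,
        "name": ALGORITHMS.get(outer, "unknown"),
        "md5_based": outer in WEAK,
        "mismatch": outer != inner,  # RFC 5280 4.1.1.2: must equal tbs signature
    }

# --- constructed demo data: a certificate skeleton, not a real certificate ---
def tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length suffices here

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def build_skeleton_cert(outer_oid, inner_oid=None, pem=False):
    # only the fields the checker reads are present; everything else is omitted
    def alg(oid):
        return tlv(0x30, tlv(0x06, encode_oid(oid)) + b"\x05\x00")  # NULL params
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg(inner_oid or outer_oid))
    der = tlv(0x30, tbs + alg(outer_oid) + tlv(0x03, b"\x00" * 9))
    if not pem:
        return der
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
```

To check a site's certificate, save it from the browser's certificate viewer as PEM or DER and pass the file's bytes to `assess_certificate`; a `mismatch` of True means the two algorithm fields disagree and the certificate is malformed regardless of the algorithm.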
Thursday, February 5, 2009
More than half of the security vulnerabilities disclosed during 2008 had no patches available from the vendor by the end of the year, according to a report released on Monday by IBM's X-Force research group.
Meanwhile, 46 per cent of vulnerabilities from 2006 and 44 per cent from 2007 still had no patch by the end of 2008, the 2008 X-Force Trend and Risk report said. X-Force documented a record number of 7,406 new vulnerabilities last year.
Overall, Microsoft is the vendor that tops the list in percentage of vulnerabilities disclosed, the report said. The Macintosh and base Linux kernel operating systems have dominated the top spots for vulnerabilities by operating system over the past three years, the report said. There were no breakdowns by vendor or operating system for unpatched vulnerabilities.
Most of the spam last year appeared to come from Russia (12 per cent), followed by the US (9.6 per cent), and Turkey (7.8 per cent), although the spam senders could be located in a different location, the report says.
China unseated the US as the country hosting the largest number of malicious websites for the first time last year.
Meanwhile, 46 per cent of all malware attacks last year were Trojans targeting people playing online games and doing online banking, and 90 per cent of phishing attacks targeted financial institutions, according to the report.
Two main trends attackers used last year were SQL injection attacks, in which a small malicious script is inserted into a database that feeds information to the website, and malicious URLs hosting exploits.
Tuesday, February 3, 2009
I have been warning for a long time about the issue of adding our personal information to any social network. I use them myself (Facebook, LinkedIn, etc.) and I'm surprised at the amount of personal information that my contacts have there, even more surprised since more than 90% of my contacts work in security-related companies -yes, that means that my social life sucks, I know ;-)
Social networks are also a good communication tool; just a few days ago we could see how the Queenstown police arrested a man thanks to Facebook. But things are not black or white, and when mankind is involved you can also see the dark side. In September 2008 we could see some news reports about terrorists using Facebook to kidnap Israeli soldiers.
But we don't need to go that far. There is another major issue: people are lazy, we don't want to have complex passwords that we can't remember, nor to have a different password for each application; so people just choose an easy-to-remember password or just create passwords consisting of some of their own personal information, using their birthday, wife/husband name, hometown, etc. Last week 4 people were arrested for blackmailing Spanish singer David Bisbal. Basically they had got into his mail account and used the information stored there. The head of the gang, a psychologist, was able to figure out his password after studying all the personal information about the singer that can be obtained from the Internet.
We do not usually have that kind of information about ourselves available to our friends, but we have it on Facebook and similar networks. It is only visible to our friends (we should redefine the word "friend" in a social network environment, but I won't talk about it here). I have not tried (and won't) to figure out my friends' passwords, but I could do it and I'm sure it would work in many cases. And what happens if one of our friends' accounts gets hacked is that whoever it is will have access to all his friends' info... scary at least.
So please, just follow some basic recommendations:
• Use common sense.
• Restrict viewing of your details to trusted persons.
• Don't publish your full birth date.
• Don't reveal your e-mail, phone number or postal address.
• Ignore unsolicited requests to be friends or group membership from unknown people.
• Use different passwords, and change them periodically.
Finally, you can take a look at this list of the Top 500 worst passwords of all time, taken from the book Perfect Password (Mark Burnett, 2005). I miss some passwords in this list, such as "guest", "admin" or "backup", but it is useful so that you can know which ones you shouldn't choose.