
Phishing

April 17, 2008

Whaling in Singapore?

Singapore appears to be the source of a virus cleverly designed to hoodwink U.S. executives by appearing to be an emailed subpoena which mentions them by name, as well as their title.

The SANS Storm Center said three days ago that

We've gotten a few reports that some CEOs have received what purports to be a federal subpoena via e-mail ordering their testimony in a case. It then asks them to click a link and download the case history and associated information.

One problem, it's totally bogus. It's a "click-the-link-for-malware" typical spammer stunt. So, first and foremost, don't click on such links. An interesting component of this scam was that it did properly identify the CEO and send it to his e-mail directly. It's very highly targeted that way.

The report says that the server that the trojan reports back to is "hard-coded to an ISP in Singapore at this time," from where, according to Ars Technica, it "steals copies of any security certificates installed on the system."

(This, by the way, is called whaling, since it is like phishing but more targeted, going for bigger phish, so to speak.)

The Inquirer says that the web servers delivering the emails are based in China, and, in language too loose to take seriously, "the cyber ruffians who later nefariously take control of the victims’ computers, based in Singapore."

There's no evidence the "cyber ruffians" are based in Singapore, as far as I can work out. The only possible connection could be the English and errors in the emails, which, John Markoff of the NYT reports, "led several researchers to believe that the attackers were not familiar with the United States court system and that the group might be based in a place that used a British variant of English, such as Hong Kong."

That said, just because an ISP may have been compromised doesn't mean that those involved are physically located in Singapore. Indeed, it would seem very unlikely they are; if they're smart enough to launch an attack like this, you'd have to bet against them being anywhere near the 'command and control' center itself.

Still, it's unsettling that an ISP may have been compromised. So far we don't know much more, though I've put in requests for more information. (The source of the information about Singapore appears to have come from someone at Verisign, whose Asian PR address bounces. So don't expect something anytime soon.)

March 10, 2008

Backed Up? Or Cracked Up?


There's quite a commotion online about a program called g-archiver that promises to back up your Gmail account, but in the process apparently harvests all users' Gmail usernames and passwords, and mails them to a separate Gmail account.

This is indeed scary, although it's possible that the person behind it wasn't collecting the passwords for nefarious purposes. But it highlights some important issues that we tend to overlook in this Web 2.0, mashup age:

  • Your online email account is more vulnerable than an offline one (by which I mean storing your old emails online rather than downloading them to your computer and deleting the online copy). In this sense, POP is good, IMAP and webmail bad.
  • If you give your username and password to third parties, i.e., those who access your account on your behalf, you need to be more rather than less careful than with the original service. For example, services like Plaxo allow you to access your other accounts but will inevitably require you to enter your username and password, which will be stored on their server.

On top of that, it's intriguing to take a look at how legitimate this one program appears, and how little the websites helping in its distribution have vetted it. I found copies at Download.com (owned by CNET, and despite a commenter pointing out that it steals passwords), Shareware Junkies, BrotherSoft, Softpedia, ZDNet, Download3000, FreedownloadsCenter, the excellently named Safe Install and Filedudes.

Just out of interest, G-Archiver is apparently the work of a company called MateMedia, which registered the website hosting the software. An interview with the company's president, Russ Mate, is here.

A message on the original blog post purporting to be from Mr. Mate says "MateMedia is a legitimate company and we are absolutely horrified that this has occurred", and will be notifying any download sites hosting the software to "remove it immediately."

That clearly hasn't happened yet, but neither has the company removed it from its own website, at the time of writing. (Seeing the software alongside tools like FriendTools, which automates adding friends and comments for MySpace spammers, or TubeAdder, which does the same thing on YouTube, might give a prospective user pause for thought.)

My rules of thumb:

  • Never download software without visiting the author's original site, and finding out who produced it. This applies to Facebook apps as well. (In G-Archiver's case, there is no contact page.)
  • Think hard before you give your email password to any service, however legitimate. It's not so much about losing your email password but about all the other passwords and personal data that a bad guy could access inside your email account.

As Web 2.0 involves more and more cross-pollination of information, so we need to be smarter about who we give our passwords to, and what information we store behind those passwords, both in email and in social networking accounts.

December 10, 2007

Phishing For a Scapegoat

It's somewhat scary that more than 10 employees of a laboratory that works on security issues (including phishing) could fall for a phishing attack. The Oak Ridge National Laboratory, or ORNL, managed for the U.S. Department of Energy by UT-Battelle, works on science and technology involved in energy production and national security. In late October the lab was targeted from Chinese websites, according to eWeek:

All of the phishing e-mails instructed lab employees to open an attachment for more information or to click on an embedded link. ORNL's investigators now believe that about 11 staff fell for the come-ons and opened the attachments or clicked on the links. That was enough for the attackers to install keyloggers or other types of malware that gave attackers access to systems and the ability to extract data.

The interesting thing here is whether this was a "coordinated attack" and a "cyberattack" as has been suggested in the media. The Knoxville News Sentinel, for example, quotes lab director Thom Mason as saying the incident involved the thieves making "approximately 1,100 attempts to steal data with a very sophisticated strategy that involved sending staff a total of seven phishing e-mails, all of which at first glance appeared legitimate." Meanwhile this AP article quotes Mason's memo to employees:

The assault appeared "to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions" in the United States, lab director Thom Mason said in a memo to the 4,200 employees at the Department of Energy facility.

The key here may be that the attackers were after personal information, not military secrets. As John C. Sharp writes:

The headlines keep coming about the news that several high-profile military labs - including some of the world's leading nuclear research labs - have been compromised by phishing scams. Unfortunately, many of these headlines are missing the point.

Example: In one story published today, PC World claims that Chinese Hackers "launched" a coordinated "major attack" on two US Military Laboratories.

This is almost certainly *not* what happened. According to most of the published data, this was a phishing attack, plain and simple.

The fact is that China's computers are so insecure that more or less anyone could use them to do more or less anything, from relaying spam to launching phishing attacks. So it's not proof that China, or even Chinese, were involved just because the IP addresses are Chinese.

Of course, we don't know for sure what happened yet. But if the attack was enabled by employees clicking on an email attachment or link that originated from a Chinese server, you've got to a) question the security training at a place like that, and b) wonder what kind of security filters they have on their servers that would allow such emails to get through, especially given the sheer number of emails that were sent.

Sometimes "China" is a great excuse for all sorts of incompetence and inefficiency, and "sophisticated cyber attack" is just another way of saying "sorry, we haven't got a clue about all this Internets stuff."

Oak Ridge Speared in Phishing Attack Against National Labs

October 08, 2007

Hi, I'm Sheila from Phishers 'R' Us

It amuses me that banks talk about security but rarely apply it in a consistent enough way to save people like you and me from getting scammed. Take what just happened to me this morning:

My bank rings me up (the number is a private number so doesn't show up on my screen, but that doesn't seem to be unusual anymore; nearly half of the people who call me seem to withhold their number these days. In any case, it's not hard to fake a caller ID.)

The woman on the phone tells me there's been a problem with my last phonebanking transaction. Before she can tell me more, she says, she needs me to key in my six-digit phonebanking ID. I'm just about to do so, eager to sort out the problem, when I realize that I've not confirmed that she is who she says she is. So I ask her:

"Sorry, but I need to confirm who you are first."

"Yes, I am Sheila and I work for the phonebanking division."

"Yes, but how do I know you're Sheila from the phonebanking division, and not Sheila from Phishers 'R' Us?"

Clearly Sheila hasn't faced this kind of situation before.

"Er, well, if you key in your phonebanking ID, I can tell you details about your account, and that will confirm it."

"Well, it may do, or else it would tell me you'd already succeeded in hacking into my account and were now just toying with me."

A pause.

"Yes, but the PIN number goes straight into the computer," says Sheila, a bit nonplussed now.

I try to explain that a) I'm not personally accusing her of being a scammer, only that I have no way of confirming whether she is a bank employee or a clever social-engineering fraudster, because she called me first; and b) that technology makes it eminently possible for someone to capture my six-digit PIN if I key it into my phone. A simple decoder attached to the phone will grab the DTMF signals, the beeps when you press a key, and figure out what digits they represent. (I didn't tell this to Sheila because she was already beginning to sense I was a 'difficult customer.')

In the end I tell Sheila I'm going to call her back, to which she politely agrees. When I later explain to her that the bank should think about plugging the hole in their security fence, she listens politely, thanks me for my feedback, and says:

"One last thing, Mr. Wagstaff. I don't know if you've been told but we're running a promotion at the moment that for every customer you're able to bring in you get a $200 gift voucher for redemption at Takashimaya Department Store."

A bank with its priorities right, it seems.

What amazes me about this is that banks don't seem to have learned from past mistakes. A few months back I wrote about a scam in Hong Kong which uses exactly this tactic. Fraudsters stole wallets and handbags at a sporting event, removing only the ATM and business cards. The victims then got phone calls the next day purporting to be from the bank, informing them they'd lost their card and asking them to approve cancellation of the card by keying in their PIN. Voila. If Sheila were Sheila the Scammer, someone would be at least halfway into my account by now.

I wish banks would be smarter about this. I wish in particular the banks I use would be smarter about this. Scammers are clever, particularly at social engineering -- the art of lulling people into a false sense of security. We ordinary people want to please, and we want to help solve a problem, especially if it's connected to us, so we're easy prey for someone at the end of the phone offering both.

The lesson is the same as the one I'm always trying to pass on: Don't give anything to anyone just because they ask you to. Find out first whether they are who they say they are. A realtor asking for a deposit? Show me the documents that prove you are authorized by the landlord. Here to check the meter? Where's your badge? Valet? How do I know you're not just a guy in a red jacket and jaunty hat about to steal my car?

Authenticate, authenticate, authenticate. And if it's someone like a banker, a real estate agent or an official, be hard on them if they seem impatient with your efforts. It's your money, not theirs.

August 15, 2007

A Literate Scam

Good grammar is important, whether you're pitching a story to a journalist or a scam to a dupe.

Here are two examples: how not to and how to. First off, a PR pitch that endangers its credibility with an error in the subject line:

[image: the PR pitch, not reproduced here]

And now, here's an example of getting it right: A scam that not only illustrates good grammar (right down to the correct use of the singular verb with "couple") but also how callous scammers are getting:

<...>

The Foundation is non-profit and Our Mission is to facilitate inspiring, meaningful outdoor experiences for youth who suffer life-challenging medical conditions as a result of HIV/AIDS.

We offer new hope and life skills for adjudicated youth, at-risk youth and those with disabilities and dependencies. These adventure programs build esteem, confidence, and character values that help build the foundation for a family and career.

<...>

We have a couple of Donors in CANADA and USA who has pledged but and we need a Payment/Liaison Agent urgently who will among other functions accept funds on our behalf and we will offer 10% of whatever we get in return.

<...> 

The scam, by the way, is probably seeking a phisher's mule: Someone who will allow their bank account to be used for laundering funds obtained from phishing expeditions. But it may also involve attempting to fleece the individual in time-honored 419er tradition.

I'm not suggesting, by the way, that the text is original. It's lifted from several sources, however, indicating a degree of sophistication on the part of the scammer. Some is from the Tony Semple Foundation for Hope, some from the Wilderness Outdoor Leadership Foundation. (This explains the apparent non-sequitur from the first paragraph to the second.) The scam has used different names for its foundation, each a variation on the organizations whose words it has stolen: for example, the Foundation of Hope and the OutdoorFun Foundation UK. It seems to have been running about a month.


May 05, 2007

The Source of the Malware Scourge

Despite appearances, the U.S. is still the most popular place for the bad guys to place their malware code.

StopBadware.org has listed those Internet Service Providers that wittingly or unwittingly host “badware” — an umbrella term for any kind of software that insidiously installs itself on your computer. What’s interesting is that while there is one Chinese company on the list, by far the biggest culprit is one iPowerWeb Inc, based in Phoenix, Arizona, which has more than 10,000 infected sites on its servers. (By comparison, the next biggest culprit has a quarter that.)

Badware is usually installed on a site without the owner’s knowledge, either by exploiting holes in the software that delivers content to the site, or by hacking into the site by guessing the owner’s password or making use of a hole in the server software. Victims unwittingly download the badware either by visiting the website in question or by being directed there from other websites which have been infected. Here’s a case of a fake MySpace page which lures victims to an iPowerWeb-hosted site where users give up their MySpace password. Interesting detail on how these work is here.

iPowerWeb appears to have a long history of attracting accusations that it doesn’t take this kind of thing seriously. Examples are here, here and here (from two years ago). So far there’s no press statement from iPowerWeb on its website; I’ve requested comment.

The sad thing here is that when Google and organisations like StopBadware find these hacked sites the sites are flagged and removed from Google searches, or else prefaced by a warning page. While this makes sense, it causes mayhem for the owners of these sites who are either not technically savvy enough to resolve the problem, or find themselves in limbo while their site is removed from the list after they’ve cleaned it up. A recent discussion of the problem on the stopbadware Google Group is here. (StopBadware says it will respond to appeals within 10 days and says the time is closer to two.)

One can only imagine the scale of the mess caused by all this. Hosting companies need to be smarter about monitoring this problem, or they’ll face declining custom or lawsuits.

November 29, 2006

Loose Bits, Nov 28 2006

From my PR intray, some surprisingly interesting little odds and ends:

LocalCooling is a 100% free power management tool from Uniblue Labs that allows users to optimize their energy savings in minutes and as a result reduce greenhouse gas emissions. The software "automatically optimizes your PC's power consumption by using a more effective power save mode. You will be able to see your savings in real-time translated to more environmental terms such as how many trees and gallons of oil you have saved."

Electronic Arts Inc. today announced SimCity for mobile, which "lets mobile phone users create and manage the growth of a living city in the palm of their hands. Originally created by Will Wright, SimCity is now available on major U.S. carriers." Not sure how this works, as there's nothing yet on EA's site. It does sound a bit like milking a cash cow, or is it flogging a dead horse?

CyberDefenderFREE is "a full internet security suite that can operate standalone, or complement existing security software to add an existing layer of early-alert security to the desktop." As far as I can work out, this is a competitor to Windows Defender, although it seems to include a collaborative element, where users report either manually or automatically dodgy software and sites they've come across. I think.

November 22, 2006

The Anti-Phishing Gimmick

The boffins have spoken, and they've spoken right: Don't use anti-phishing toolbars, or at least don't rely on them. (Anti-phishing toolbars sit in your browser and supposedly warn you if you've been directed to a website that's about to plunder your bank account, or at least steal your passwords.) I've been saying the same thing for a year or so, but I'm not a boffin, so it's better to listen to them.

According to VNUnet, a team from Carnegie Mellon compared 10 anti-phishing toolbars and found that the worst of them missed more than half of the phishing sites. D'oh.

"Overall we found that the anti-phishing toolbars that were examined in this study left a lot to be desired," wrote the researchers.

This is not the first test of such toolbars. One by 3Sharp, commissioned by Microsoft, concluded in September that, er, Microsoft's anti-phishing toolbar in Internet Explorer was best. Mozilla released one concluding that, er, Mozilla's own Firefox 2.0 browser was better than IE. But all the possible bias aside, the figures are still sobering: Firefox blocked around 80%, IE 66% in the Mozilla study; IE blocked about 83% in the 3Sharp study. That's still a lot slipping through.

I have no idea why these toolbars are so popular. My more modest tests more than a year ago showed that most of them were poor and I concluded that

unless such tools offer really good protection against the inventiveness of phishers, they merely lull users into a false sense of security. If you want to fight the phishers, you’ve got to be smarter than this.

Yes, it's pompous of me to quote myself but there you go.

Actually what amazes me from the report (PDF file) is how many toolbars there are out there. They counted 84 on one website alone. Why so much effort? Well, the losses are big from phishing -- billions of dollars, according to the researchers. But I can't help feeling that a lot of the effort here is less altruistic and more about branding, or simply just a way to get a bit of the user's screen real estate. Nearly every toolbar pictured in the report carries a big logo of the provider of the toolbar -- who wouldn't want their brand plastered over a browser?

But unless the toolbar actually saves the user in 95% or more of cases, these things are useless, and actually counterproductive. I strongly disagree (I love strongly disagreeing, and don't do it enough) with the notion that "some protection is better than nothing at all", as argued by the 3Sharp guys. This assumes the user is an idiot, and can't learn to be suspicious and follow certain basic rules (Don't click on a link in any email or chat message that doesn't ring quite true, including one that doesn't address you by name. Call your bank if you get an email from them that contains a link).

Some things the user just has to wise up to. We don't provide security officers to accompany each shopper around a pickpocket-prone mall, so just like at the mall, online we have to just get smarter and look out for ourselves. Users should not be fooled into thinking these toolbars are in most cases anything other than a gimmick, however good the intentions of their authors.


April 26, 2006

Press 4 To Give Us All Your Money

I guess it had to happen: phishers are not only trying to snag you by setting up fake banking websites, now they’re trying to snag you by setting up fake switchboards too.

Tim McElligott writes in Telephony Online that scammers “posing as a financial institution and using a VoIP phone number e-mailed people asking them to dial the number and enter the personal information needed to gain access to their finances.” Simply put, the phishers in this case aren’t directing you to a fake website where you enter your password and other data sufficient for them to empty your account; they’re directing you to an automated phone service, where you’d give the same details.

The information comes from Cloudmark (“the proven leader in messaging security solutions for service providers, enterprises and consumers”), which claims in a press release that it has seen two separate such attacks this week:

In these attacks, the target receives an email, ostensibly from their bank, telling them there is an issue with their account and to dial a number to resolve the problem. Callers are then connected over VoIP to a PBX (private branch exchange) running an IVR [an automated voice menu] system that sounds exactly like their own bank's phone tree, directing them to specific extensions. In a VoIP phishing attack, the phone system identifies itself to the target as the financial institution and prompts them to enter account number and PIN.

As Telephony Online points out, setting up this kind of phone network is easy. “Acquiring a VoIP phone number is about as hard as acquiring an IP address or a domain name,” it quotes Adam O'Donnell, senior research scientist at Cloudmark, as saying. “Phishers figured out how to quickly and fraudulently get that information a long time ago.” An old PC with a voice modem card and a little PBX software, and you’ve got a company phone tree that can sound exactly like your bank, O’Donnell says.

This all makes sense. Indeed, we should have seen it coming. It’ll be interesting to see how banks cope with this. Right now their argument has been that if in doubt, a customer should phone them. That is no longer as watertight an option. They could argue that customers should not respond to any email they receive, but that’s also not always practical. Banks and other financial institutions need to communicate with customers.

One solution to this is the signature: Postbank last month launched a service where all its emails to customers come with an electronic signature. The only problem with this is that most email clients don’t support the service — only Microsoft Outlook. This is a bit like giving customers a lock that only works on certain kinds of door.

Perhaps banks are just going to have to pick up the phone. If customers are now under threat from automated phone trees maybe the solution is not more technology, but less? A cost the phishers are unlikely to be able to bear would be an actual voice on the other end of the line that sounded familiar and authentic. The only question then would be for the customer to establish the authenticity of the banking assistant.

April 04, 2006

Getting Into the Rhythm of Online Passwords

I started writing about phishing a long time ago, it seems now. It must be at least two years, I think, maybe more. Then it seemed a very obscure activity, and I can recall one editor being less than impressed with the whole issue. Now it’s bigger than even I thought it might be. [Insert some statistic here to illustrate size of problem, usually cobbled together by someone hoping to make money out of scaring people.] But it remains scary, because phishers are getting better. Don’t be taken in by the rather pathetic attempts that sometimes land in your inbox. Phishing — the art of relieving you of the contents of your bank account/online auction account etc — is going to remain with us, and get more sophisticated.

So “solutions” are always interesting. And here’s another one, which reveals imagination on the part of the folk developing it, and, I suspect, how convoluted and advanced the war is going to become. BioPassword, a Seattle-based company, yesterday introduced what it’s calling “the industry’s first multifactor authentication software solution that authenticates users and reduces fraud over the Internet.” In English, this program allows companies to figure out, based on two different methods, whether it’s you signing into your account with them, or someone else. What’s interesting about it is that the second method uses the way you type: Are you a pecker, a touch-typist, or what?

BioPassword are calling themselves the “first” because other methods use as their second authentication factor something that’s not actually software driven — something you know (your mother’s maiden name), something you are (a biometric) or something you have (i.e. a smart card). None of these are cheap, and once the bad guy knows it (your mom’s maiden name), or has it (a copy of your thumbprint, a smart card) he’s in for keeps. They’re also claiming their solution is cheaper than all these, because it’s built into the software. Another advantage, they say, is that it doesn’t require the user to do anything extra, other than typing in their name and password. Which presumably they’re doing anyway, unless they’re using some password storing software, or speak to their computer using voice recognition technology.

So how does this work? Well, as far as I can figure out, a pop-up window appears when you log in. You’d probably be asked to type something a few times — or, possibly, not informed at all about what is going on, to preserve the “naturalness” of your typing, since most of us type differently when we’re being, or feel we’re being, watched. The software would monitor typing speed over time, adjusting its accuracy. What is being typed is not stored, so there’s nothing a sophisticated phisher could capture from the authentication software but the rhythm and pattern of the way you type.

On his blog BioPassword CEO Mark Upson says the company has been trundling around the press and analyst offices. He rightly identifies the frustration users have with tokens — those little bits of plastic that spew out supposedly random numbers which act as an extra authentication for most banks and company networks. Reckons Upson: “The more token users I talk to, the more I see how frustrated they are having to deal with a piece of hardware they lose, break, and have to travel with at all times. We will get a great uptake on using our technology in lieu of the token or worst case as a backup when the token is not available for whatever reason.” (That’s not the only problem: phishers have now found a way to capture the numbers from these tokens as the user enters them using remotely installed software. The software then throws up an error message to the user, while the bad guy quickly enters the digits himself. Expect the makers of these tokens to increase the rate at which the number changes.)

He also rightly pooh-poohs the fingerprint scanner you can find on some ThinkPads and other laptops as a novelty, since banks don’t use them, and with good reason: “The problem is once someone has my electronic fingerprint, I’m hosed as it can be used over and over again.”

Then there’s the “profiling” approach: watching your customer’s behavior — we’re talking about when they log into their account, what they do when they’re there, etc — which he also rightly suggests is going to throw up a lot of false alarms (unless you’re a real creature of habit, you probably don’t log on at the same time or do the same things when you do log on. Maybe you do. I’m assuming here.)

I haven’t tried the BioPassword thing, but my instincts tell me it’s not a bad idea. I can think of at least one chink, though: If the bad guy has installed a keystroke monitor, it shouldn’t take too much effort to tweak such software to capture the same data as that being monitored by BioPassword — the speed and rhythm of the user’s typing. In the end it’s just another kind of data that makes up identity theft, and a bad guy could, I suspect, easily grab that data and then either mimic the user’s typing pattern, or automate the entry of username and password to mimic the user’s pattern. There are probably other problems, but it’s too early in the morning for me to think of them.
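As an added illustration of the rhythm-matching idea above and of the chink just described, here is a minimal dwell/flight-time matcher. It is not BioPassword's code; the feature set, the z-score threshold and every timing are constructed assumptions. It enrols a user from four typing samples, then scores a fresh genuine attempt, an impostor with a different rhythm, and a verbatim replay of the genuine timings, which is what a logger that records timestamps as well as keys would hand an attacker.

```python
# Added illustration of keystroke-dynamics matching (dwell and flight times).
# Not BioPassword's code; feature set, profile, threshold and timings are assumed.
from statistics import mean, pstdev

PASSWORD = "secret"  # constructed; only its length matters here


def make_sample(dwell_ms, flight_ms, jitter):
    """Constructed typing sample: list of (key, press_ms, release_ms).

    Each key is held dwell_ms plus a small jitter; the gap from one key's
    release to the next key's press is flight_ms plus jitter.
    """
    t, sample = 0, []
    for i, ch in enumerate(PASSWORD):
        press = t
        release = press + dwell_ms + jitter[i % len(jitter)]
        sample.append((ch, press, release))
        t = release + flight_ms + jitter[(i + 1) % len(jitter)]
    return sample


def features(sample):
    """Dwell time per key, followed by flight time between consecutive keys."""
    dwell = [rel - prs for _, prs, rel in sample]
    flight = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return dwell + flight


def enroll(samples):
    """Profile = (mean, std) per feature over the enrollment samples; std floored at 1 ms."""
    columns = zip(*(features(s) for s in samples))
    return [(mean(col), max(pstdev(col), 1.0)) for col in columns]


def score(profile, sample):
    """Mean z-distance of a sample from the profile; lower means closer."""
    feats = features(sample)
    if len(feats) != len(profile):
        raise ValueError("sample must contain the enrolled number of keystrokes")
    return mean(abs(x - m) / s for x, (m, s) in zip(feats, profile))


def authenticate(profile, sample, threshold=2.0):
    """Accept when the rhythm is, on average, within `threshold` std units."""
    return score(profile, sample) < threshold


# Constructed data: a user who holds keys ~90 ms with ~120 ms between keys.
ENROLLMENT = [
    make_sample(90, 120, [0, 3, -2, 4, -1, 2]),
    make_sample(90, 120, [2, -3, 1, 0, 3, -2]),
    make_sample(90, 120, [-1, 2, -3, 3, 0, 1]),
    make_sample(90, 120, [3, 0, 2, -2, 1, -3]),
]
PROFILE = enroll(ENROLLMENT)

GENUINE = make_sample(90, 120, [1, -2, 2, 1, -3, 0])    # same user, new attempt
IMPOSTOR = make_sample(150, 280, [1, -2, 2, 1, -3, 0])  # slower, different rhythm
# Timings are just data: a recording of the genuine attempt, fed back unchanged,
# is indistinguishable from the user. That is the weakness of the factor.
REPLAY = list(GENUINE)


def summary():
    """Accept/reject decision for each of the three attempts."""
    return {
        "genuine": authenticate(PROFILE, GENUINE),
        "impostor": authenticate(PROFILE, IMPOSTOR),
        "replay": authenticate(PROFILE, REPLAY),
    }


if __name__ == "__main__":
    for name, accepted in summary().items():
        print(f"{name:8s} accepted={accepted}  z={score(PROFILE, globals()[name.upper()]):.2f}")
```

The replay scores identically to the genuine attempt, which is why a timing-aware logger defeats this factor while a one-time token, at least until the relay trick described above, does not.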

Bottom line: solutions like this are good, but they’re not really solutions. A solution implies an end to the problem. There’s no end to the problem of phishing. Where there are people and money together on the Internet, there will always be a problem. BioPassword raises the stakes, but at best it will represent a challenge to the phishers and shut out the kiddies. An end to the problem? Don’t bank on it.
