Category Archives: Phishing

Press 4 To Give Us All Your Money

I guess it had to happen: phishers are not only trying to snag you by setting up fake banking websites, now they’re trying to snag you by setting up fake switchboards too.

Tim McElligott writes in Telephony Online that scammers “posing as a financial institution and using a VoIP phone number e-mailed people asking them to dial the number and enter the personal information needed to gain access to their finances.” Simply put, the phishers in this case aren’t directing you to a fake website where you enter your password and other data sufficient for them to empty your account; they’re directing you to an automated phone service, where you’d give the same details.

The information comes from Cloudmark (“the proven leader in messaging security solutions for service providers, enterprises and consumers”), which claims in a press release that it has seen two separate such attacks this week:

In these attacks, the target receives an email, ostensibly from their bank, telling them there is an issue with their account and to dial a number to resolve the problem. Callers are then connected over VoIP to a PBX (private branch exchange) running an IVR [an automated voice menu] system that sounds exactly like their own bank’s phone tree, directing them to specific extensions. In a VoIP phishing attack, the phone system identifies itself to the target as the financial institution and prompts them to enter account number and PIN.

As Telephony Online points out, setting up this kind of phone network is easy. “Acquiring a VoIP phone number is about as hard as acquiring an IP address or a domain name,” it quotes Adam O’Donnell, senior research scientist at Cloudmark, as saying. “Phishers figured out how to quickly and fraudulently get that information a long time ago.” All it takes is an old PC with a voice modem card and a little PBX software, and you’ve got a company’s phone tree which can sound exactly like your bank, O’Donnell says.

This all makes sense. Indeed, we should have seen it coming. It’ll be interesting to see how banks cope with this. Until now their argument has been that if in doubt, a customer should phone them. That no longer is as watertight an option. They could argue that customers should not respond to any email they receive, but that’s also not always true. Banks and other financial institutions need to communicate with customers.

One solution to this is the signature: Postbank last month launched a service where all its emails to customers come with an electronic signature. The only problem with this is that most email clients don’t support the service — only Microsoft Outlook. This is a bit like giving customers a lock that only works on certain kinds of door.

Perhaps banks are just going to have to pick up the phone. If customers are now under threat from automated phone trees maybe the solution is not more technology, but less? A cost the phishers are unlikely to be able to bear would be an actual voice on the other end of the line that sounded familiar and authentic. The only question then would be for the customer to establish the authenticity of the banking assistant.

The Gates Are Open, Phishers Welcome

I’m probably naive, but I’m gobsmacked that, nearly 24 hours later, a phishing website is still active despite my alerting the registrar and host of the domain in question. The only access was via a form so I’m not able to record my email to them but it was shortly after I posted the comment above.

I’ve not been able to contact the bank in question because there’s no media contact that I can find on their website. The scam has been recorded here and the Halifax website seems to be down so perhaps something is happening. But why is the original phishing site still up? And why don’t banks have an easy way for members of the public (or journalists, for that matter) to alert them to such scams? Millers Miles, which records phishing attacks, has recorded more than a dozen against the Halifax in the past year. 


Phishing and the Peril of Fonts

I’m amazed at how lax domain registrations still are, despite the fact that phishing is now so much a household word that even my mum’s heard of it. But here’s another trick being used to try to dupe those people who still remain gullible: change the “o” in online to “c” because in many email readers it will look more or less the same:

[Screenshot: Halifax2]

Which it does, actually. Quite a neat trick, if you like that kind of thing. (There really is a Halifax Online, and the website address is exactly the same, minus the o/c thing. Even the homepage is the same JavaScript login page as above, and everything looks the same minus a note at the bottom saying the bank never asks for personal details via email.) Clicking on this link will take you to a webpage that, surprise, surprise, looks very much like the UK’s Halifax Building Society:

[Screenshot: Halifax3]

I haven’t investigated it further, but I’m assuming the data entered quickly finds its way into the pockets of scumbags, and there’s probably some other nice bits and bobs being loaded onto one’s computer as it happens. The site is still live as of writing, with the address in the first screenshot above.

What amazes me is that the registrar won’t bat an eyelid at what is obviously a very dodgy domain name — Halifax being quite a well-known brand in the UK — and, indeed, even accepts the registration as a “private” one, and therefore allows the person registering the domain to not submit any address or phone number:

The registrant is a non-trading individual who has opted to have their address omitted from the WHOIS service.

The registrar in this case is PIPEX Communications Hosting Ltd, also known as 123-Reg.co.uk, whom I’ve asked to comment on this. Halifax is also being told about it, just in case they don’t know.
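A defensive check for the o/c substitution described in this post, as an added example that is not part of the original post: it folds visually confusable characters into one representative and flags newly seen domains whose folded form matches a protected brand domain. The domain names, the confusable table beyond the o/c pair, and the function names are constructed for illustration.

```python
# Added example: flag newly seen domains that are visually confusable with a
# protected brand domain. All domain names below are constructed placeholders.

# Glyph classes that read alike in many mail-client fonts. The o/c pair is the
# substitution described in the post; the other entries are assumptions.
CLASSES = ["oc0", "l1i", "5s", "2z"]
MULTI = [("rn", "m"), ("vv", "w")]

FOLD = {ch: cls[0] for cls in CLASSES for ch in cls}


def skeleton(domain: str) -> str:
    """Collapse a domain to one representative glyph per confusable class."""
    d = domain.strip().lower().rstrip(".")
    for seq, repl in MULTI:
        d = d.replace(seq, repl)
    return "".join(FOLD.get(ch, ch) for ch in d)


def swapped_glyphs(candidate: str, protected: str):
    """List (position, protected_char, candidate_char) for same-length names."""
    if len(candidate) != len(protected):
        return []
    return [(i, p, c) for i, (c, p) in enumerate(zip(candidate, protected)) if c != p]


def find_lookalikes(candidates, protected_domains):
    """Return findings for candidates that imitate, but are not, a protected name."""
    index = {skeleton(p): p.lower() for p in protected_domains}
    findings = []
    for cand in candidates:
        name = cand.strip().lower().rstrip(".")
        target = index.get(skeleton(name))
        if target is not None and name != target:
            findings.append({"domain": name, "imitates": target,
                             "swaps": swapped_glyphs(name, target)})
    return findings


PROTECTED = ["examplebank-online.example"]   # constructed brand domain
SEEN = [                                     # constructed registration feed
    "examplebank-online.example",   # the genuine name: must not be flagged
    "examplebank-cnline.example",   # o -> c, the trick from the post
    "exarnplebank-online.example",  # "rn" standing in for "m"
    "unrelated-shop.example",
]

if __name__ == "__main__":
    for f in find_lookalikes(SEEN, PROTECTED):
        print(f"{f['domain']} imitates {f['imitates']} swaps={f['swaps']}")
```

A brand owner or registrar could run the same comparison over a feed of new registrations; the genuine domain is never flagged because it is compared by exact name before being reported.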

Microsoft’s Spyware Gate

Microsoft have launched a new version of their Antispyware application, now rebuilt and renamed Windows Defender. Initial reports are favorable, including one from Paul Thurrott, who is good on this kind of thing:

Windows Defender Beta 2 combines the best-of-breed spyware detection and removal functionality from the old Giant Antispyware product and turns it into a stellar application that all Windows users should immediately download and install. Lightweight, effective, and unobtrusive, Windows Defender is anti-spyware done right, and I still consider this to be the best anti-spyware solution on the market. Highly recommended.

Expect this program to become part of the next Windows operating system, meaning that spyware is going to be kept out of most computers by default. This is a good thing. What is less good is that it lets Microsoft decide what is and what isn’t spyware, giving them one more gate to control. Also, spare a thought for all the companies that have been selling antispyware software for the past few years; I can’t see many of them surviving past Windows Vista.

Keeping the Keyloggers out of the Basement

Here’s a product about to be announced that claims to really protect users against keylogging — when bad guys capture the keystrokes you make and then transmit them back to base: StrikeForce’s WebSecure (PDF file):

The basic idea, StrikeForce’s PR guy Adam Parken tells me, is that “keystrokes are encrypted at the hardware driver and delivered directly to the browser.” This, he says, “gets around the OS, messaging service, etc. where keyloggers normally hide.” It looks a bit like this (from a WebSecure presentation):

[Diagram: Websec]

If that makes any sense. The grey boxes are the bits in between the keyboard and the network, and they’re all places that keyloggers hide. Anti-keylogging programs, as I understand them, are usually merely programs that try to guess what’s going on, and, if they see something sleazy, warn the user. Usually this is based on a prior knowledge, or library, of known keyloggers or known keylogging tricks.

WebSecure, instead, according to the press release, “automatically encrypts every keystroke at the keyboard level, then reroutes those encrypted keystrokes directly to the Web browser, bypassing the multiple communication areas that are vulnerable to keylogging attacks.”

WebSecure is going to be demoed at DEMO here sometime in the next 24 hours or so. If they do the job seamlessly and as promised, WebSecure could be quite a useful tool for companies and end users. But it’s an area long tackled and never conquered by security software developers, so I’m not holding my breath.

The First U.S.-China Cyberwar?

There’s growing coverage of China’s Internet ‘cyberwar’ against the U.S., which seems to have been going on for more than two years with neither side wanting to go public. The U.S. is calling the attack Titan Rain, and as Bruce Schneier points out, the attackers are very well organized. This from AFP:

A systematic effort by hackers to penetrate US government and industry computer networks stems most likely from the Chinese military, the head of a leading security institute said. The attacks have been traced to the Chinese province of Guangdong, and the techniques used make it appear unlikely to come from any other source than the military, said Alan Paller, the director of the SANS Institute, an education and research organization focusing on cybersecurity. “These attacks come from someone with intense discipline. No other organization could do this if they were not a military organization,” Paller said in a conference call to announce a new cybersecurity education program. In the attacks, Paller said, the perpetrators “were in and out with no keystroke errors and left no fingerprints, and created a backdoor in less than 30 minutes. How can this be done by anyone other than a military organization?”

So what are they after? Paller says they’re after sensitive information, and may have gotten it, including military flight planning software from its Redstone Arsenal. Here’s a bit more detail about how these guys work, from a TIME story quoting Shawn Carpenter, the hacker who uncovered the attacks:

Carpenter had never seen hackers work so quickly, with such a sense of purpose. They would commandeer a hidden section of a hard drive, zip up as many files as possible and immediately transmit the data to way stations in South Korea, Hong Kong or Taiwan before sending them to mainland China. They always made a silent escape, wiping their electronic fingerprints clean and leaving behind an almost undetectable beacon allowing them to re-enter the machine at will. An entire attack took 10 to 30 minutes.

More on Carpenter in a Wikipedia entry here, and on his whistleblowing experience here. There’s an interesting piece by SearchSecurity’s Bill Brenner which looks at an August report by LURHQ dissecting the Myfip worm which appears to have been used by Chinese hackers to ferret around and grab PDF files. The worm has been around since August 2004. Later variants looked for Word documents, AutoCAD drawings, templates, Microsoft Database files, etc:

[Joe] Stewart [senior security researcher with Chicago-based security management firm LURHQ Corp] said his team was easily able to trace the source of Myfip and its variants. “They barely make any effort to cover their tracks,” he said. And in each case, the road leads back to China. Every IP address involved in the scheme, from the originating SMTP hosts to the “document collector” hosts, are all based there, mostly in the Tianjin province.

China, according to AFP, yesterday denied its military was involved in hacking:

“We have clear stipulations against hacking. No one can use the internet to engage in illegal activities,” foreign ministry spokesman Qin Gang told a regular briefing on Tuesday. “The Chinese police will deal with hacking and other activities disturbing social order in accordance with law.”

Doesn’t make a lot of sense as a denial. Is he saying no one is doing it? Or no one official? Or that it’s going on and the police will deal with it? Not the first time a Chinese spokesman has uttered something meaningless. But I guess so long as the U.S. doesn’t make any official, public complaint this guerrilla war will remain unacknowledged by both sides. I guess the obvious lesson here is that security is not just against sleazeballs after your money, but after your PDF files too. And don’t think that because you’re not military you’re not affected. If you’re any kind of company you might have something that is valuable in the corporate and government espionage world.