Tag Archives: Citibank

Driver Phishing

Maybe it’s because it’s early in the morning, but I fell for this little scam pretty easily. I’m going to call it “driver phishing” because it has all the hallmarks of a phishing attack, although it’s probably legal.

I’m looking for the latest drivers for my Logitech webcam, so I type in Logitech QuickCam driver in Google.

An ad above the results looks promising: a website called LogitechDriversCenter.com:

image

So I click on it.

It takes me to a site with a Logitech logo, lots of shareware and PC Magazine stars, Logitech product photos and three options for getting the right driver:

image

DriverRobot, the first one, sounds promising. Maybe, I think, Logitech have consolidated all their driver downloads into one program. Good idea, given I’ve got quite a few of their products hanging around the computer. So I download and install it.

Looks OK so far. A window appears prompting you to start scanning your computer. Lots of green arrows and ticks to reassure you:

image

Once the scan is done you’re told how many drivers you need, with another green arrowed button indicating what you should do to get them (“Get drivers”):

image

(I should have been forewarned at this point. Plenty of warnings, but one key one: None of the drivers it suggested were Logitech ones. Certainly nothing to help me with my webcam.)

Click on that and you’re told you’ve got to “Register” which is “quick and easy”.

Notice there’s no other option, unless you can see the little Close Window X in the top right corner of the window:

image

Try to click on the other radio button (“Allow 11 drivers to remain out of date (not recommended). Critical updates for your computer will not be installed. Your computer may be vulnerable to crashes, performance problems, freezes and “blue screens.””) and then click Continue and the window disappears, but nothing else. It’s like those supermarkets where you can’t get out unless you buy something.

Click on the Continue button and your browser fires up with a page requesting your Name and Email to register:

image

Notice all the seals, locks, stars and 100% guaranteed things going on. Reassuring, eh? Except there’s no link on the page, nothing for the casual user (or a slow-witted guy who got up too early) to click on to get more information.

So the slow-witted guy enters his name and email address, thinking that’s going to get him registered. Of course not. Instead he’s asked to shell out cash ($30) for the software:

image

Once again, no links to explain who is behind this, or what other options there may be.

As far as the casual user knows, this is either a Logitech product or one approved by them.

But it’s not. The software comes from a company called Blitware. The Complaints Board website has several complaints about the company and software:

The Driver Robot software does not work and the company tricks consumers into believing that it is freeware. Am trying to get a refund of my purchase price now.

And worse: For some of those who do buy the software and follow its driver updates, it only makes things worse:

My computer completely crashed after using Driver Robot: when it installed a generic mouse driver, every time I touched my mouse I had a blue screen crash with a driver checksum error … It has also installed an Elan touch tablet driver which is now in the toolbar. I don’t have this device on my machine. This software is completely useless and will be going for a refund.

Others found they had no way of getting support:

Useless garbage: no contact info given. I attempted use and could see it doing nothing. What now, am I really out $39.90?

So who is Blitware? Its website says

Blitware (or Blitware Technology Inc., to be precise) is a small Canadian software vendor from Victoria, BC, Canada. Blitware’s mission is to take great software products to market and bend over backwards for our partners who help promote them.

(Notice how the company doesn’t say it’s a developer, and stresses the marketing, rather than the consumer, in its literature. That should probably tell you all you need to know, if you hadn’t gotten up too early.)

There is an encouraging link on the home page inviting you to click for Support (“Need support for a Blitware product? Our expert technical support staff is standing by to help you”):

image

But far from taking you to that helpful support staff, the link takes you to a Frequently Asked Questions page, and only at the bottom is there a link for contacting technical support.

That in turn takes you to a link demanding you register at Blitware first, and then, when that is done, to a page for you to file your question.

Do that and you’re told:

We will reply to this message soon! You will receive an email when we do.

OK, so, what’s wrong with all this, and why call it phishing?

Well, phishing is the art of using social engineering tricks to lull a victim into thinking s/he is interacting with a legitimate site/product and to get him/her into coughing up passwords or cash.

Usually with banks, or emails, or accounts etc.

To me this Driver Robot is no different.

From the Google search onward, where the first thing you see is a website with the word Logitech in its name, everything is designed to make you think you’re dealing, if not with Logitech, then at least with a company/product that Logitech has endorsed.

The website’s title, the bit that appears in the browser’s top-most bar, indicates it’s a Logitech site:

image

Even the website’s favicon, the little logo before the web address, is Logitech’s:

image

To me this is no different to a scammer putting “Citibank” or “Paypal” somewhere in a web address to fool the user into thinking they’re dealing with someone kosher.
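The brand-in-the-address trick described above is mechanical enough to check for automatically. The following is an added example, not code from the original post or from any of the companies named: it pulls the host name out of a URL, normalises the obvious disguises (hyphens, digit-for-letter swaps) and flags any host that mentions a brand without being one of that brand’s own registrable domains. The brand-to-domain table and the sample URLs are constructed assumptions; an institution would populate the table from its own registrations, and the “last two labels” rule for the registrable domain is a simplification of what the Public Suffix List provides.

```python
"""Flag URLs whose host name borrows a brand's name without being the brand's own domain.

Added illustration of the 'brand somewhere in the web address' trick; not part of the
original post.  BRAND_DOMAINS and the sample URLs below are constructed assumptions.
"""
from urllib.parse import urlsplit

# Assumption: the registrable domains each brand legitimately controls.
BRAND_DOMAINS = {
    "citibank": {"citibank.com"},
    "paypal": {"paypal.com"},
    "logitech": {"logitech.com"},
}

# Common look-alike substitutions seen in deceptive host names (heuristic, not exhaustive).
_DIGIT_SWAPS = str.maketrans("01345", "oieas")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host ('www.example.com' -> 'example.com').

    Simplification: real tooling should consult the Public Suffix List so that
    hosts under 'co.uk' and similar are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalise_host(host: str) -> str:
    """Lower-case the host, drop hyphens and undo simple digit-for-letter swaps."""
    return host.lower().replace("-", "").translate(_DIGIT_SWAPS)


def brand_lookalike(url: str):
    """Return the brand a URL's host appears to impersonate, or None.

    A host is flagged when a brand name appears anywhere in the normalised host but
    the registrable domain is not one the brand owns.  This catches both
    'logitechdriverscenter.com' style names and 'citibank.com.verify.example'
    style names, where the brand sits in a subdomain of someone else's domain.
    """
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to populate .hostname
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return None
    reg = registrable_domain(host)
    normalised = normalise_host(host)
    for brand, owned in BRAND_DOMAINS.items():
        if brand in normalised and reg not in owned:
            return brand
    return None


def scan(urls):
    """Return [(url, brand)] for every URL in `urls` that looks like a brand impersonation."""
    hits = []
    for url in urls:
        brand = brand_lookalike(url)
        if brand is not None:
            hits.append((url, brand))
    return hits


if __name__ == "__main__":
    # Constructed sample input: one name from the post, the rest invented for the example.
    SAMPLE_URLS = [
        "https://www.citibank.com/login",               # genuine: not flagged
        "LogitechDriversCenter.com",                    # brand in a third party's domain
        "http://secure-citi-bank.example.net/verify",   # hyphenated disguise
        "http://www.c1tibank.example/",                 # digit-for-letter disguise
        "http://www.paypal.com.account-review.example/",# brand used as a subdomain
        "http://www.example.org/",                      # no brand at all
    ]
    for url, brand in scan(SAMPLE_URLS):
        print(f"{url}  ->  looks like {brand}")
```

Run as a script it lists the flagged addresses; as a module, `scan()` can be fed a list of newly registered or observed host names, which is exactly the kind of monitoring the banking post below argues institutions should be paying for.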

Anything that tricks the user, either into thinking they’re dealing with the real thing, or into thinking they have no other option, is, in my view, a scam.

That the software doesn’t seem to work—it found no Logitech drivers or updates, and seems to crash computers—only makes matters worse.

I’m going to find out what Logitech make of their logos and name being used for dodgy purposes.

(more on Driver Phishing here.)

Banks, Phishing And A Dereliction Of Responsibility

Online commerce suffers from one major flaw: It’s online. That means we need to use computers (or computer-like devices, such as cellphones). It means we need to use the Internet. Together this is a lethal cocktail. And for online banking, it just may mean it is fatal.

Online banking, for example, is not like using an ATM. Or a credit card. Or a cheque. Or even cash. All these types of transaction are vulnerable to fraud but they are relatively easy to protect yourself against. If you lend your credit card, cheque book or ATM card to strangers then you are probably not taking the right precautions. For banks, deciding whether you as a customer have taken ‘reasonable precautions’ is quite an easy calculation to make, and they will make it in assessing whether or not they will compensate you for losses.

But what about phishing? Online fraud is — and will become — a lot more complex than offline fraud. Firstly, most folk don’t really know what’s going on in their computer, so how can they take reasonable precautions? I bet, for example, that if you ask most people to identify the icons in their system tray they won’t be able to get all of them. Secondly, if you use broadband, you are connected to the Internet most of the time. It’s a bit like hanging out overnight on a street corner in a bad part of town: You can’t reasonably assume that you won’t attract the attention of some bad guy at some point.

These are calculations of risk the individual should make when he or she conducts any kind of transaction online. But they are hard. We can look around for suspicious types when we stand at an ATM, or hand over a credit card to a store clerk, but online we have no really easy way to measure our security and safety. Online banking is not the same as undertaking other transactions.

Which is why I think banks are wrong if they try to pretend it is. The BBC quotes Britain’s payments association, the Association for Payment Clearing Services (APACS), as saying that in a few years’ time “compensation could be denied if people had safety information but ignored it”. APACS director of corporate communications Sandra Quinn is quoted thus: “What we have always said is that we won’t forever provide a guarantee. A good parallel might be with something like card fraud – if you act reasonably, you are covered.” The bottom line: where a customer had “not acted with care and been negligent”, the BBC quotes her as saying, banks in three or four years’ time could begin refusing refunds.

I’m sorry, but I think this is daft and the wrong way around. Banks were very, very slow to get off the mark over phishing. If I was a customer and had been phished I would have sued the pants off my bank for not warning me about it. Banks have a duty to monitor their website, their name, in fact the whole Internet, to protect their customers. For example, one company I spoke to gave me a list of registered website names that appeared designed to impersonate legitimate banks — Citibank was a favourite, with hundreds of names that could be mistaken for a legit Citibank site. Most banks, he told me, weren’t interested in subscribing to this service. Why? Because they didn’t feel monitoring these names — and the accompanying websites — was worth their time or their money. If I was a customer I would be livid: If a scammer set up a fake bank in the high street to defraud customers, you would hope the bank in question would be on top of it within seconds, warning customers everywhere to watch out and doing its damnedest to close the operation down. The Internet is now the high street and banks need to start patrolling it, not ignoring it.

Sadly, I think banks still don’t get it. They think phishing is a static problem that will recede as more people know about it. But that’s not it at all. Phishing is the thin end of a new wedge that will lead to increasingly sophisticated efforts to use technology and social engineering to part consumers with their data and money. The banks’ role is not to put a few silly little warning notices on their website and set up silly little websites nobody visits (like this one) but to throw serious resources at protecting their customers: by building secure sign-on systems, by monitoring the bad guys, by offering well-staffed and accessible customer support hotlines. Anything less is a dereliction of responsibility.

When Phishing Cuts Communications

Phishing has made it inadvisable for institutions like banks and financial sites to use email to communicate with customers. Doing so would just confuse them more and raise the likelihood they would be fooled by a phish. But what about ordinary institutions like schools and colleges?

The Worcester Telegram & Gazette reported earlier this week (payment required) that officials at the local college, Assumption, “will no longer send e-mail to alumni until it can avoid a repetition of a computer-system invasion Friday in which scammers obtained the e-mail addresses of alumni, parents and employees”.

It’s not quite clear how the scammers got hold of the mailing list. But once they did, they appear to have used it to send out a Citibank phishing email, with the college’s domain name somewhere in the header. It’s not clear how many people fell for the scam.

The problem here is that an institution like a college is much more likely to use email to communicate with alumni, students and staff. Indeed, that was how Thomas E. Ryan, Assumption’s vice president of institutional advancement, warned alumni, parents and employees about the scam.

You can imagine the confusion: First they get an email that seems to be from Citibank (or the college) warning of a “large number of identity theft attempts” on Citibank customers and requiring them to “confirm your banking details.” Then they get an email from the college warning of an email scam. Now, the college says, it won’t use email to communicate with alumni: “Until the cause is determined and fail-proof virus and scam protections are in place, no alumni e-mails will be sent from the college,” Ryan was quoted as saying. The reality, though, is that there is no fail-proof protection and institutions like Assumption may find they have to use something other than email to communicate with their alumni or whatever. That raises troubling questions about how institutions, companies and bureaucracies communicate, even internally.

Update: The Citibank Robbery

A bit more on that backdoor Trojan that made me think Citibank didn’t like me anymore: Symantec’s website says it’s a brand new version, and seems to only appear in a Citibank form. No wonder I couldn’t find it on Google. Symantec call it Backdoor.Berbew. Other names:

• Downloader-DI [McAfee]
• TrojanProxy.Win32.Webber.10 [KAV]
• Troj/Webber-A [Sophos]

I thought everyone had agreed to use the same names for all these things. My advice: watch out. Trojans are getting smarter, unlike the Monty Python Trojan Rabbit.

News: Beware The Trojan

I got my first password-stealing Trojan yesterday. My, they’re good. I’ve never shopped at Citibank (sorry, Ditta) but for a moment I thought that maybe I had. This was what the email looked like:
Dear sir,
Thank you for your online application for a Citibank Home Equity Loan. In order to be approved for any loan application we pull your Credit Profile and Chexsystems information, which didn’t satisfy our minimum needs. Consequently, we regret to say that we cannot approve you for Citibank Home Equity Loan at this time.
*Attached are copy of your Credit Profile and Your Application that you submitted with us. Please take a close look at it, you will receive hard copy by mail withing next few days.

The email came with all the right headers, and my virus checker didn’t notice anything wrong, but the folks at Sophos have identified the attachment as a two-component backdoor Trojan, specifically Troj/Webber-A. The first component attempts to connect to http://www.joro71.addr.com, download a file to rtdx32.exe in the Windows system folder and execute it. The second component is a password-stealing Trojan that attempts to extract sensitive information from several locations on the system and sends it to CGI scripts at http://weyrauch.addr.com. Yuck. Beware.