Singapore Details ‘Waves’ of Cyberattacks

Officials and delegates from APEC economies were targeted ahead of last year’s Singapore meeting with malware-laden emails faked so they appeared to have been sent by Singapore government officials on the Organising Committee.

Singapore officials have said the attacks were not the first on the country. Although Singapore regularly highlights threats to national security—including Islamic terrorism—the admission that it has been the victim of cyber attacks is, according to the Straits Times, its most detailed account.

Although it’s hard to read too much into the statements made to judge who may have been behind the attacks, it’s interesting that Singapore is drawing attention to this—not least because there’s bound to be speculation about just this point. The current flood of WikiLeaks cables about this very issue is a coincidence. But the description of the attacks fits a pattern familiar to security experts:

Between September and November 2009 APEC officials, and delegates of several APEC economies were targeted with Trojan-laden emails “with the aim of infiltrating their computers and extracting privileged information.” There were at least seven waves of such attacks, focusing on members of the APEC organising committe and APEC delegates whose email addresses were published on websites or in APEC mailing lists. (APEC, Asia-Pacific Economic Cooperation, is a forum for 21 regional economies set up in 1989. Singapore hosted meetings throughout 2009 culminating in a leaders’ meeting in Singapore from November 14-15.) 

The attacks were first mentioned in a speech by Ho Peng Kee, Senior Minister Of State For Law & Home Affairs, who told a seminar on Sept 28 that “Singapore has its fair share of cyber attacks.” More details were  added in an internal but publicly accessible Ministry of Home Affairs magazine, the Home Team Journal, by Loh Phin Juay, head of the Singapore Infocomm Technology Security Authority and reported in the Straits Times on Saturday, December 4.  (The Straits Times called the perpetrators “cyberterrorists”.)

Loh wrote in the magazine article that “between 2004 and 2005, the Singapore government saw waves of Trojan email attacks which were commonly referred to as the Trojan Riler attacks.” The attacks came in four waves over a span of two years, he said, in the form of more than 900 emails targeting officials in several ministries.  

Loh Phin Juay said that the first two waves in the 2009 attacks used PowerPoint and PDF attachments to emails puportedly warning about possible terrorist attacks on the meeting. A subsequent wave included “legitimate information relevant to the APEC 2009 meetings”—in this case an invitation to an actual APEC symposium.

Some of the malicious emails “contained details of actual APEC events (date, time, venue) not known to the general public.” This suggests to me that either the first wave was successful in gaining access to some sensitive information, or, less likely, that those perpetrating the attack were already privy to it (raising the question why they didn’t use that information in the first wave.) Both officials said no significant disruption was caused by the APEC attack.

Singapore last year set up a special body, the Singapore Infocomm Technology Security Authority (SITSA), “to safeguard Singapore against infocomm technology (IT) security threats. SITSA will be the national specialist authority overseeing operational IT security. SITSA’s mission is to secure Singapore’s IT environment, especially vis-à-vis external threats to national security such as cyber-terrorism and cyber-espionage.”

Neither official speculates about the origin of the attacks. In his speech Ho Peng Kee referred separately to Operation Aurora, a cyber attack from mid 2009 to December 2009 on dozens of Western companies including Google, which alleged the attacks began in China. Loh Phin Juay referred in his article to GhostNet, a cyber espionage network which had its command and control network based in China and which penetrated government and embassy computers in a number of countries, including some in Southeast Asia. (Singapore was not mentioned in reports of the compromised computers.)

But he writes that “to date, the perpetrators of GhostNet remain unknown,” and neither man links the Singapore attacks to either event. The Trojan Riler was, according to Symantec, first discovered on September 8, 2004; It has been associated with corporate espionage but also the GhostNet attacks.

Cupid’s (Possibly) Poison Arrow

Could Valentine’s Day be a phishing day? Internet Security Systems, Inc. reckons so, saying in a press release (no URL available yet) that the number of dating sites across the world has increased by 17 per cent within the last twelve months. ISS reckons this rise “is partly attributed to the increase in malevolent websites used by developers of malicious code as an opportune moment for phishing, spam and hacker attacks on unsuspecting victims.”

Having said, that, there doesn’t seem to be a lot of strong evidence presented to back this claim up. “Organised criminal units have in the past timed their attacks to coincide with popular celebration occasions in order to achieve maximum success in compromising the integrity of computer systems,” the press release quotes Gunter Ollman, Director of X-Force at Internet Security Systems. “It is anticipated that Valentine’s Day is a day that is similarly marked on the criminals’ calendar for targeted attacks.” Makes sense, but isn’t this a tad alarmist? Should we ignore every Valentine Card we get (assuming we get any)?

ISS offers the usual suggestions about defending yourself from these poisoned Cupid arrows, as well as pointing out that it can provide its own solution, via a “Proventia Web Filter which blocks unwanted web content, optimises Internet access for employees and prevents any kind of non work related Internet use.”. Yes, of course. Ye old “press release as pitch posing as public service ad” trick.

Given that Internet Security Systems, Inc. has been, according to its own blurb, “an established world leader in security since 1994”, I guess I’d expect to see a bit more hard data to back up this kind of scaremongering. It’s not that I don’t believe that scumbags will use Valentine’s Day as a social engineering tool to pry open your gullibility, but I’m not sure security companies should just throw out warnings like this without more carefully callibrated data to justify it. Where is all the data about previous year’s attacks along these lines? Where are the examples to illustrate the problem, and the sophistication of the bad guys? What kind of data are they after? We deserve to be told if we’re going to bin potentially our only chance at happiness.

Which is Bigger? Porn Or Phishing?

Less than two years ago no one had heard of phishing and getting my editors excited about it as a problem wasn’t a cakewalk. Now, according to a report in, it’s bigger than porn spam:

Since the beginning of this year, the number of phishing scams has risen from 1pc to 8.3pc of the total volume of spam in circulation, according to the latest figures from the global team of SurfControl Threat Experts. The company found that the number of emails generated between January and June, attempting to con recipients into handing over sensitive personal information, now equals that of adult spam.

I don’t seem to be able to find the quoted report on the SurfControl website. Will post the link if and when I do.

More On Minnow Phishing

Here’s some more on the phishers targeting smaller institutions:

The Anti-Phishing Working Group has warned that smaller banks scams are surfacing with increasing frequency. The group’s monthly report warned that “hackers are modifying their attack methods by shifting away from attacking popular or large institutions.” Credit unions are increasingly baring the brunt of this new innovation. The total number of credit unions being targeted has risen from just 3 in February to 21 in May. No doubt phishers are targeting smaller banks and financial institutions because larger organizations have been strengthening their anti-phishing defenses recently.

I’d still like to know whether the targeting is just in terms of fake sites or scripts, or whether the email addresses are being targeted with more precision?

A Honeypot To Catch A Phisher

Netcraft. the British Internet security consultancy, highlight a new Honeynet Report on Traffic to Phishing Sites, showing that despite months of intensive anti-fraud education efforts by the banking industry a lot of people still click on through to fraudulent phishing sites:

The study of phishing scams hosted on cracked web servers from The Honeynet Project documented two recent attacks that attracted hundreds of click-throughs from unknowing users. A UK site mimicking a major US bank received 256 visits in 4 days, while a compromised German server redirected 721 users in just 36 hours to a PayPal phishing site hosted in Chinat.

The data from The Honeynet Project, which monitors activity on hacked computers, suggests that bank customers may exercise somewhat greater caution that PayPal users when presented with fraudulent electronic mails. Phishers’ behavior reinforces this assumption, as eBay and its PayPal subsidiary are far and away the most frequent targets in those attacks reported by the Netcraft Toolbar community. But the steady traffic to scam sites demonstrates that a significant number of bank customers are still being tricked by bogus e-mails.

Perhaps the most worrying part of all this, apart from people’s continued gullibility, is that phishing operations are becoming even more nimble in deploying scam infrastructure across networks of compromised servers, using automated attack tools and prepackaged spoof sites to speed their work. These include pre-built archives of phishing web sites targeting major online brands being stored, ready for deployment at short notice … (and) propagated very quickly through established networks of port redirectors or botnets according to the report. The report also suggests that organised groups are behind the setting up of bogus sites and the distribution of phishing email.

As Netcraft concludes: The banking industry and online retailers have emphasized customer education in their response to phishing. But the persistent traffic to scam sites underscores the importance of additional proactive defensive measures to protect customers from their own bad habits and the technical innovations of phishing scams. I would agree: I don’t claim to know much of what banks are doing in this area, but I have a strong suspicion it’s not enough. It’s certainly not enough to assume that educating the user is going to stop the problem, or even a bit of it. Banks have got to invest big time in tracking these scams, stopping them before they start (if the Honeynet project can do it, why can’t the banks?)

Phishing, And Some Advice

I was just reading the new publication put out by the U.S. Financial and Banking Information Infrastructure Committee and the Financial Services Sector Coordinating Council on “Lessons Learned by Consumers, Financial Sector Firms, and Government Agencies during the Recent Rise of Phishing Attacks” (PDF here, page on Treasury website here). A rather wordy title for a document that to me is rather thin on specifics.

In short, there’s not much here people don’t know already. And there are some bits of poor advice. One for banks and other institutions whose customers are being phished: ”Contact consumers by e-mail or postal mail warning them not to respond to suspicious e-mails. Remind consumers of the firm’s or agency’s official policy of not soliciting sensitive information through an e-mail.” How exactly is sending an email going to help? A lot of phishing emails use exactly this ruse to get the target to check in to their fake website, suggesting they suspect their account has been compromised, or something. I’d say now is the time to spend some cash on doing a proper mailing to all customers using the postal service. Now is not the time for more emails saying ‘Beware of scams. By the way this is a not a scam’.

Anyway, here are three of my own suggestions for banks to build trust with customers and minimise further confusion about what is genuine and what is phishy:

  • Don’t be tempted to fire pop-up ads at them when they visit your website, like one U.S. bank I know of, because pop-up ads can legally be hijacked by other companies like WhenU, which means they can also be hijacked by scammers.
  • Don’t outsource your marketing to email marketers, like the Singapore arm of one U.S. bank I’ve written about here before, who then send out dubious unsolicited emails inviting me to open a new Premium Deposit …and enjoy a potentially higher interest rate on your money AND a S$10 Tangs shopping voucher for every US$10,000 invested. What’s to stop a phisher mimicking the same email and then luring someone to a kosher-looking website, asking them to submit some personal data about, say their existing Internet account at another bank, and then directing them to the real website?
  • Don’t give customers an extra screen of ads for other services after they’ve logged out which uses cute but confusing language – one Hong Kong-based bank I visited the other day said something like ‘You’ve logged out but you haven’t logged off’ and then proceeded to offer the customer some more services. A lot of customers are going to be confused about that. And what for? Just to sell them a few extra services?  

All bad practice, and I think if anyone is going to draw up a ‘lessons drawn’ note it should be along those lines: specific, cautionary, and at least trying to anticipate the way this war on scamming may go.  

Beware the phisher’s revenge

Australian Daniel McNamara, who runs the hugely informative anti-phishing website Code Fish Spam Watch says he was today the victim of an attack on his website and his character, by a phishing email.

The email, spammed all around, pretends to be from him and says,  Dear Online Banking User, You should be heard about such called interned scam, also called phishing – the activity, aimed to stole your personal details. Possibly you already seen letters, asking you to verify your personal bank account details, reactivate it, or to stop illegal payment…

It then goes on to say more information can be found at his website of that of the Australian Federal Police. Of course the links don’t go there, they go to a website that, for IE users, downloads a trojan, which (probably) installs a program to log keystrokes and mail passwords back to the originator.

The phishing email not only seeks to implicate Daniel by delivering a trojan with his name in the email, it also overloads his servers. Since the email spoofs his email as the return address, those emails that do not reach their destination bounce back to his inbox. He says he has had to turn off his email server because of the traffic.

Daniel has been at the forefront of recording and investigating the phishing phenomenon, and has clearly attracted the ire of those involved. He tells me he believes it’s the same people who left a hidden message in a recent phishing email directed at Westpac; the message implied somehow Daniel and Codefish were involved in the scam. Daniel believes he “really managed to nark them.”

This kind of thing shows that one guy like Daniel can make a difference, simply by cataloging phishing attacks, since he’s provoked their authors into what appears to be a somewhat inept attempt at revenge. It’s a shame more people aren’t doing this kind of sleuth work.

Who Is Behind Bagel, NetSky and MyDoom?

Who is behind this latest crop of viruses, and variants on viruses?
Mi2g, a London-based technology security company, reckon that MyDoom and Bagle ”is not the activity of hobbyists but organised criminals” and that Doomjuice.a, which carried the source code of MyDoom.a was “clearly written by the same perpetrators” with the motive of covering their tracks.

That said, mi2g reckon the original NetSky author may merely have been “involved in a turf war with MyDoom and then another turf war with Bagel”. (Yes, it does sound like a bad police series). “That,” mi2g says, “suggests the possibility of bragging rights or intellectual challenge as a motive instead of financial gain.” Evidence? ”NetSky.d was released at the beginning of March, and whilst it has its own agenda, it also modifies registry keys to delete the “au.exe” file used by two variants of the Bagle malware.”
This large number of variants in such a short timeframe, mi2g say, “is historically unprecedented”. It’s not clear who is behind these, mi2g say, but whoever it is, “the net beneficiary is organised crime as the number of compromised computers or zombies continues to increase”. These slave computers can be used for anything, from spam to phishing scams to DDoS extortions to working as fileservers for illicit or pirated material.
My guess? Success breeds copycat attacks, and there are an awful lot of folk out there who have the knowledge and the inclination for this kind of thing. It’s no surprise that these attacks are getting worse, and that there is a clear link between virus writing and scams. Hold onto your hat.

Counting The Cost Of Online Crime

Phishing is beginning to bite.

British police at a high-tech crime congress (noted by USC Annenberg Online Journalism Review) say that 83% of Britain’s 201 largest companies reported experiencing some form of cybercrime. The damage has cost them more than £195 million ($368 million) from downtime, lost productivity and perceived damage to their brand or stock price.

Much of the damage is being done to financial companies, three of whom lost lost more than £60 million ($130 million). Phishing has hit banks like Barclays, NatWest, Lloyds TSB and 50 other British businesses, Reuters quoted Len Hynds, head of Britain’s National Hi-Tech Crime
Unit (NHTCU) as saying.

Of course, it’s probably much worse than this. Most companies don’t report ‘cyber-crime’ to the police for fear that making the matter public would harm their reputation.  The National Hi-Tech Crime Unit (NHTCU) said that of the companies hit by cyber-crime, less than one-quarter reported the matter to police. But that’s better than two years ago, when NO companies were reporting.

Security experts warn that a new wave of cybercrime attacks will be nastier than what companies have already experienced. David Aucsmith, chief technology officer for Microsoft Corporation’s security and business unit predicted criminals would target banking systems, company payroll and business transaction data.

Here are some other interestnig facts from Bernhard Warner’s Reuters report:

  •  Seventy-seven percent of respondents said they were the victim of a virus attack, costing nearly 28 million pounds.
  •  Criminal use of the Internet, primarily by employees, was reported by 17 percent of firms at a cost of 23 million pounds.
  •  More than a quarter of firms surveyed did not undertake regular security audits.

Phishing And The Future Of Banking

Could phishing kill off online banking?
Probably not, but it’s likely to force greater regulation by central banks and others which will, reckon British-based Internet security consultants mi2g, mean “the next generation of electronic banking may have to rely on deeper layers of authentication that couple passwords with biometric security and smart card authentication.”
Mi2g estimate there have been 110 unique incidents of phishing — identity theft by faked emails and/or keyboard-logging viruses — in less than a year. Here’s an abbreviated list:
  • USA (7 banks; 82 incidents)
  • UK (6 banks; 8 incidents)
  • Australia & New Zealand (5 banks; 16 incidents)
  • Canada (2 banks; 2 incidents)
  • Spain (1 bank; 1 incident)
  • Hong Kong and Singapore (1 bank; 1 incident)
  • Latvia (1 bank; 1 incident)

I have to say I think that’s an underestimate. And it’s not quite clear from mi2g’s release as to whether these are successful attempts, or just attempts. Given banks’ reluctance to admit to breaches, I’d guess it’s the latter. And mi2g point out that it’s not just banks that have been attacked: The Federal Bureau of Investigation (FBI) to eCommerce/information portals and their associated payment systems have all been hit. Mi2g counts 90 unique attacks on eBay.

Mi2g say such attacks are getting more, rather than less, successful: “Phishing scams’ success rate has risen from 0.1% on average to 0.5% in the last six months as the techniques have become more sophisticated,” it says.  This would mean thousands of victims and big headaches for banks: “In some instances the genuine web site has to be made inoperable for several hours or even days whilst the targeted bank investigates the extent of the financial fraud and related losses,” says mi2g. 
Claims by mi2g have not always been taken seriously, particularly their estimates of damage. In this case, mi2g reckon that “worldwide economic damage for 2003 from phishing scams is estimated to have been between US $13.5 billion and $16.4 billion… The damage for 2004 has already crossed $8.9 billion in the first two months of the year. ” I know they have some sort of formula for this, but as others have pointed out, these estimates seem to be more designed for grabbing headlines than serious analysis.

That said, phishing is a problem, and I would agree that online banking is going to have to add layers of security to avoid more breaches. But will customers accept that? If online banking gets too fiddly, will folk just give up? Or switch to something else?