Thursday, 20 December 2007

Survey finds half of spam is lottery scams


A Microsoft-commissioned survey conducted in several western-European countries has found that fifty percent of all spam received by participants is currently lottery scam spam. Three percent of respondents reported losing money to the scam in the past year.

Fourteen money mules arrested in Holland

Source: The Register

Dutch authorities have arrested fourteen people who were allegedly operating as money mules in relation to compromised bank accounts at ABN Amro. The money was forwarded to Russia and Ukraine.

Gartner Phishing Report 2007

Source: Gartner

A Gartner survey on phishing in the USA for the year 2007 has revealed a number of trends. 3.2 billion dollars were lost to phishing in the USA, slightly up from 2.9 billion last year. The average loss per incident dropped from $1,244 to $886, but the total number of incidents increased from 2.3 to 3.6 million. Most of that increase arose from higher success rates, rather than more phishing: 3.3% of phishing targets suffered financial loss in 2007, up from 2.3% in 2006. The major method of extracting funds was the debit or check card, accounting for 47% of incidents.

Tuesday, 18 December 2007

Commercial Bank Clients Spearphished

Source: The Register

A researcher from SecureWorks has uncovered a strain of malware being used in a highly targeted manner to compromise commercial clients of banks. The malware is capable of piggybacking a fraudulent wire transfer onto a legitimate Internet banking session. The software is custom built to interface with around twenty different banking sites.

China-based web exploits in progress


Finjan is warning of a sharp increase in malicious activity coming from China. Web exploits based on multiple redirects via scripts and IFRAMEs are being placed on compromised sites, with the "mothership" hosts registered under ".cn" domain names and hosted in China.

Saturday, 15 December 2007

The Cybercrime Economy


ZDNet has a feature article on the state of the malware economy, pointing out how mature the market for exploits and underground network services has become, even to the extent of having its own affiliate model payments. The "Storm" botnet features prominently in this analysis. The article covers quite a lot of ground, and is worthwhile reading for anyone wanting an overview of cybercrime dynamics in 2007.

Postini spam report

Source: Google Enterprise Blog

Google/Postini have a report on the state of spam for 2007. Graphs show some interesting trends throughout the year in terms of messages vs bytes as spammers employed various tricks such as PDF and audio attachments. One graph showing virus attachments vividly demonstrates the intensity of "storm worm" activity around July and August.

Ipower accounts spread malware

Source: The Register

Another sophisticated and industrial-scale scheme for spreading malware has been uncovered. This one involved the compromise of thousands of web-hosting accounts at provider "", which were used to stealthily game Google search results on certain popular search terms, and then redirect visitors to malware-laden sites. The redirects only happened where visitors clicked through from Google: direct investigation of the links prompted a "404" response. (This stealth technique has been seen before: see this blog entry.)

Tuesday, 11 December 2007

Flirty chat-bot lures victims to malware


In a new twist, cybercriminals are using chat-bots to lure people to malicious web pages. From the linked article, "The software, dubbed CyberLover, is supposed to be able to conduct fully automated flirtatious conversations with users of chat-rooms and dating sites to lure them into a set of dangerous actions such as sharing their identity or visiting websites with malicious content."

Tuesday, 4 December 2007

TJX pays $41M for data breach

Source: The Register

TJX has settled with banks that were suing it, paying $41 million in damages. The settlement only relates to Visa cards; details of a settlement with MasterCard have yet to be disclosed. The case relates to a data leak which exposed around a hundred million credit and debit card details over the course of around seventeen months.

Saturday, 1 December 2007

Phishing tactics tweak: shorter domain names

Source: Frequency X

Frequency X reports that phishing gangs have recently made a shift towards shorter domain names in their phishy URLs, down from 30-37 characters to an average of 17. So whereas something like "" used to be common, they are now seeing names like "". The tactical shift is presumably an evasive manoeuvre on the phishers' part; it remains to be seen whether they stick with this strategy.

Google targeted for malware SEO

Source: SunbeltBLOG

A very large scale search engine optimisation (SEO) campaign has been taking place against Google to promote malware-laden sites under a broad variety of common search terms. Since Sunbelt reported this outbreak, Google have taken action and removed the links, but there seems to be more on the way. The malware-laden pages use stealth techniques to foil common researcher techniques for finding the pages.
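A defender-side check for the referrer-based cloaking described here and in the Ipower entry above, added as an example that is not from the original post, Sunbelt or the article it cites: it fetches one URL under several request profiles (a direct visit, a constructed Google referrer, and a Googlebot user agent) without following redirects, then flags the page when the status code or body differs between profiles. The profile headers and the `check_cloaking` function are my own construction.

```python
import hashlib
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

Response = Tuple[int, bytes]  # (HTTP status code, response body)

# Request profiles a researcher can compare. The Google referrer is a
# constructed value standing in for a real results-page click-through.
PROFILES: Dict[str, Dict[str, str]] = {
    "direct": {
        "User-Agent": "Mozilla/5.0",
    },
    "google-referrer": {
        "User-Agent": "Mozilla/5.0",
        "Referer": "https://www.google.com/search?q=constructed+query",
    },
    "googlebot": {
        "User-Agent": "Googlebot/2.1 (+http://www.google.com/bot.html)",
    },
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report a 30x instead of silently following it, so a
    redirect to a third-party site is itself recorded as evidence."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 30x code


def http_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Fetch url once with the given headers; never follow redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    request = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(request, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # 4xx/5xx responses and unfollowed 30x redirects arrive here
        return err.code, err.read()


def check_cloaking(
    url: str,
    fetch: Callable[[str, Dict[str, str]], Response] = http_fetch,
) -> dict:
    """Fetch url under every profile and report whether the responses differ.

    Returns per-profile (status, body-digest) pairs plus two flags:
    status_differs and body_differs. Either flag is a cloaking signal worth
    a closer look; body_differs alone can also come from ordinary dynamic
    content (timestamps, session tokens), so diff the bodies before concluding.
    """
    seen: Dict[str, Tuple[int, str]] = {}
    for name, headers in PROFILES.items():
        status, body = fetch(url, headers)
        seen[name] = (status, hashlib.sha256(body).hexdigest()[:16])
    statuses = {status for status, _ in seen.values()}
    digests = {digest for _, digest in seen.values()}
    return {
        "url": url,
        "profiles": seen,
        "status_differs": len(statuses) > 1,
        "body_differs": len(digests) > 1,
    }


if __name__ == "__main__":
    import json
    import sys

    print(json.dumps(check_cloaking(sys.argv[1]), indent=2))
```

Sites that serve the malicious response only once per visiting IP address (as in the Finjan report further down this page) defeat repeated fetches from one vantage point, so keep the first response captured from each address rather than re-fetching.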

FBI "bot roast" nets eight crooks

Source: FBI

"Since Operation 'Bot Roast' was announced last June, eight individuals have been indicted, pled guilty, or been sentenced for crimes related to botnet activity. Additionally, 13 search warrants were served in the U.S. and by overseas law enforcement partners in connection with this operation. This ongoing investigative effort has thus far uncovered more than $20 million in economic loss and more than one million victim computers."

Thursday, 29 November 2007

"Celebrity" spam gang significant

Source: The Register

Researchers experimentally infected a computer with malware spread through email which used a hook of "attachment has pictures of nude celebrities". The computer became part of a botnet being used to distribute spam. Analysis of the spam showed that this particular kind of spam accounted for 23% of all spam volume seen in the previous month.

Stealth defacement for SEO


Al Gore's "Climate Crisis" website has suffered "stealth defacement" (malicious modification not visible to the average viewer) for the purposes of boosting the search rank of spammers' pharmaceutical websites. We have seen this technique used to incorporate IFRAMEs which include browser exploits; this is the first notable instance of defacement as a means to boost search ranks.

Thursday, 22 November 2007

The value of passwords

Source: Frequency X

Arbitrary username/password combinations have value in the black market of cybercrime independently of where they were obtained. This is because many people choose the same combination on several sites. Thus, in many cases it's not necessary to phish for authorisation credentials: you can simply coax someone into creating an account, and then try the resulting username/password combination at various other high profile sites.

Twelve Spam Research Papers

Source: Network World

For the researchers: this Network World article gives a quick précis of (and links to) twelve current spam-related research papers. Four of the papers relate to image analysis, two to anti-phishing education, two to blacklisting, two to general improvements in filtering techniques, one to VoIP spam ("spit"), and a cybercrime-related paper called "An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants". (Note: do yourself a big favour and navigate immediately to the printer-formatted view of this article if you read it.)

Wednesday, 21 November 2007

IFRAMEd

Source: The Register

Monster's website was hacked to include malicious IFRAMEs. This technique of "hack a high profile website as a malware distribution vector" is hardly new, but the incidents are becoming bigger and more frequent. This kind of threat poses a significant challenge, since the malicious data appears to come from a reputable source.

Wednesday, 14 November 2007

Cashing out credit cards

Source: Frequency X

Frequency X is running a short article on the market for stolen credit card credentials: how the market works, and what the current going rates are like.

Factory-installed malware on Maxtor drives

Source: The Register

An unknown quantity of Seagate's "Maxtor Basics Personal Storage 3200" drives sold after August 2007 were contaminated with AutoRun-AH malware by a manufacturing sub-contractor in China. "AutoRun-AH is a Trojan that searches for passwords to online games and sends them to a server located in China. It also disables anti-virus software."

Saturday, 10 November 2007

IndiaTimes compromised; spreads malware

Source: ScanSafe

The India Times website has recently been compromised and is now exposing readers to a range of malware infections. The extent of modification to the India Times site itself is minimal and invisible to the casual visitor: the exploits operate via embedded IFRAMEs and scripts.

Friday, 9 November 2007

eBay scams and their mules

Source: The Register

This article provides concrete details of several eBay scams in which phishers compromise eBay accounts with pristine ratings in order to defraud people. Payments are sent via money mules to sustain the illusion that there is no overseas involvement.

Wednesday, 7 November 2007

employee phished; customers spearphished

Source: The Register

A employee fell victim to a phishing attack, which resulted in compromise of customer data through his account. This, in turn, was used to conduct spearphishing attacks against certain customers. Since then, the same data has been used to send targeted email with malware-laden attachments.

Web ads exploited as attack vector (again)

Source: The Register

A number of mainstream websites have been used to dish up malware (parading as anti-malware) via advertising slots. The payload is delivered quite selectively, making detection difficult. The victim is confronted with a pop-up warning them that their computer is compromised, and offering a service to fix it (which has exactly the reverse effect).

Tuesday, 6 November 2007

Kiddie porn ring busted

Source: The Register

An Internet-based child pornography investigation, code-named "Operation Koala", has culminated in ninety-two arrests spanning nineteen countries. The investigation commenced in July 2006, when "Australian police discovered a video depicting a Belgian father raping his daughters". "Police from 28 countries worked on the case."

Friday, 2 November 2007

PDF exploit ranked #3 for October

Source: Sophos

October's PDF-based Windows vulnerability (mentioned in this blog) was so heavily exploited in the last few days of the month that it ranked as the third most common email threat for the whole month. It accounted for 13.6% of malicious email for the month, and 66% of all malicious email during the period it was being sent, the 26th through 28th.

419 victim kidnapped, rescued

Source: BBC

An Irish victim of advance fee fraud was persuaded to go to Ghana in person to collect funds, then kidnapped and held for ransom. He was rescued by local police working in concert with Interpol.

Thursday, 1 November 2007

Circumventing CAPTCHA

Source: The Register

The concept of a "chess grandmaster" attack on CAPTCHA tests has been around for a while. This article documents in brief one such actual tool which is active in the wild. Users are invited to play a game of "undress the stripper" by solving a sequence of CAPTCHAs which actually originate on the sign-up pages of webmail services.

Wednesday, 31 October 2007

Practical Identity Theft

Source: The Times

This is really a hybrid crime, rather than a strict cybercrime, since part of the fraud involved physical intervention, but it's one of the most detailed descriptions I've seen of a practical identity theft. In this scam, the fraudsters perform an account take-over, order a new debit card on the account, intercept it, and abuse it. Internet banking was not involved in any crucial manner.

Tuesday, 30 October 2007

Supervalu harpooned in spear phishing attack

Source: Computerworld

Recently filed court documents reveal that the grocery chain, "Supervalu Inc.", fell victim to a kind of spear phishing attack in late February/early March this year. The fraudsters simply sent them email impersonating a couple of suppliers, and informed them that future payments should be directed to new bank accounts. Over ten million dollars wound up in those accounts before the problem was noticed. Egg, meet face.

FTC Report: 22% of reported fraud is net-based

Source: USA Federal Trade Commission

The FTC has released a report on fraud, revealing that 13.5% of adult Americans fell victim to some kind of fraud in the year under study. The three most common media for perpetrating fraud were print (27%), the Internet (22%), and TV/radio (21%). The most common kind of fraud was good old fashioned snake oil: fraudulent weight loss products.

Thursday, 25 October 2007

Revised estimate on TJX breach: 94 million cards

Source: The Register

According to documents filed in court, the number of credit cards compromised by the TJX breach (which came to light earlier this year) could be as high as 94 million -- more than double the figure the company has admitted in past statements.

Pump and dump is old hat


Forget pump and dump: cybercrime 2.0 for stock markets involves selling real stock tips for real money. Step one: sell stock tip that stock X will reach a certain high price at a certain time. Step two: make it happen by offering to buy the stock at that price -- using a compromised online trading account, of course. Repeat.

Wednesday, 24 October 2007

1-Day Acrobat flaw being exploited

Source: The Register

One day after the release of the security patch, spammers are exploiting a flaw in Adobe Acrobat via malicious PDF attachments. "The code and servers used in the attack are nearly identical to September 2006 Vector Markup Language (VML) zero-day attacks that took place one year ago."

Malware is up

Source: vnunet

A report released by Microsoft claims that there was a 500% increase in Trojan downloader/dropper activity in the first half of 2007 relative to the prior six months. This direct "compromise the end user computer" approach appears to be gaining popularity relative to the traditional social engineering based phishing attacks, at least as far as the serious criminal enterprises are concerned.

Tuesday, 23 October 2007

Chinese Cyberespionage

Source: vnunet

Please excuse the neologism, but China has frequently been accused in recent times of cyberespionage, as in the case of this vnunet article, where Germany adopts the role of accuser. Is this really the activity of the Chinese government? Or, to put it bluntly, is anyone really so dense as to use their own infrastructure when conducting an attack of this sort?

Wholesale web attack: 24/7 Real Media + RealPlayer

Source: The Register

The servers of web ad network 24/7 Real Media were compromised and laced with references to a Dutch site which was hosting malware. The malware, dubbed Trojan.Zonebac, attempted a stealth install through a security hole in the RealPlayer software (for which a patch is now available as of Friday). "Symantec discovered the tainted ads on October 8. It remains unclear how many ads Real Media served or when the problem was corrected."

Botnets as proxies

Source: Frequency X

Botnets have a thousand and one uses, one of which is to act as a general network proxy. This article gives an interesting insight into blackhat botnet services, particularly botnets as a proxy service. The tools are quite advanced, and the going rates for service quite attractive.

Friday, 19 October 2007

Stock Spam using MP3s

Source: Sophos

Pump-and-dump stock spam has frequently been at the leading edge of spam trends. As I recall, it was an early adopter of image spam, and then PDF attachments. Now they're pumping out dubious stock tips in distorted voice recordings attached as MP3s. If history repeats itself again, other forms of spam will also adopt this technique, but it won't last long.

Tuesday, 16 October 2007

eBay and PayPal phishing way down

Source: Sophos

According to Sophos, eBay and PayPal aren't copping the lion's share of phishing attacks anymore: a year ago 85% of incidents targeted these two, and now it's a mere 21%. Either the services have been overphished, or their countermeasures are proving effective, since the phishers are now spreading their nets more widely.

Thursday, 11 October 2007

Online Gambling + Botnets = Money Laundering

Source: The Register

Bot herders are becoming increasingly active in online gambling as a means to launder money (e.g. from stolen credit cards) or simply make money.

Friday, 28 September 2007

Botnets downsize

Source: vnunet

The current trend in botnets is towards a larger number of smaller networks, so that fewer machines are lost when a command and control host is taken down. The article also mentions a phishing trend away from spoof websites and towards keystroke loggers. I noticed such a trend about two months ago -- almost no phishing email, but no corresponding drop in job scams.

Wednesday, 19 September 2007

TD Ameritrade compromised

Source: The Register

Online brokerage TD Ameritrade has suffered a security compromise resulting in the installation of a backdoor and major leakage of private client data. Sophos reports the unsurprising news that Ameritrade customers are being targeted in phishing attacks.

Friday, 14 September 2007

Four pump-and-dumpers plead guilty

Source: Sophos

Four men aged from 26 to 63 have pleaded guilty to charges relating to their pump and dump spamming operation, which allegedly netted them on the order of twenty million US dollars. They face five to ten years in prison: sentence has yet to be passed.

Gang of ten arrested in Germany

Source: Sophos

A cybercrime gang of eight men and two women operating out of Germany has been arrested. Their modus operandi has been to impersonate various well-known organisations via email, sending attachments containing malware. Their targets were also primarily German, so their arrest represents no new triumph in cross-jurisdictional cooperation.

Monday, 3 September 2007

Phishing is Old Hat

Source: SunbeltBLOG

Why phish when you can install malicious IFRAMEs directly on the bank's website? Bank of India is the first I've heard of to suffer this indignity.

Wednesday, 22 August 2007

26 Phishers Caught


"Italian police last week apprehended 18 Italians and eight East Europeans in an operation dubbed 'Phish & Chip' by the Italian press." They are allegedly responsible for a massive phishing attack against Poste Italiane customers a month or two back.

Thursday, 16 August 2007

"Online Safety" proposed for US school curriculum


"The US National Cyber Security Alliance (NCSA) has called on state leaders to work with schools and colleges to ensure that cyber-security, online safety and ethics lessons are integrated into every classroom."

Personally, I'd like to see some teaching about the dangers of cybercrime, with particular reference to scams. University students are a popular target for money mule scams, given that they usually have the appropriate time, facilities, and need for cash. Warn the kids before they leave school, since it may be too late soon after that.

Thursday, 9 August 2007

Six arrested in 419 scam with Australian victim


A 49 year old Australian man has been swindled out of AU$1.76M in a classic 419 scam before figuring out he was being conned. When invited to meet the scammers in Amsterdam, he tipped off the Dutch police, and they were able to arrest six of the scammers.

Wednesday, 8 August 2007

Storm Worm Epidemic

Source: The Register

SecureWorks claims that the number of hosts infected with the Storm Worm has gone from thousands (in January through May) to millions (in June and July) -- a nigh-thousandfold increase. They offer some speculation on the impact of this.

I speculate that it is primarily driven by phishing, and that the worm is primarily being used as spyware to obtain authentication credentials. I say this because I have noted a distinct drop in phishing email at the same time I've seen the increase in "e-card" spam characteristic of the Storm Worm.

Domain Registrants Being Phished

Source: CircleID

Edward Falk reports on CircleID that GoDaddy customers are being phished. He suggests that this is to obtain administrative access to domain names, but it seems to me just as likely that they want simple access to hosting accounts. Perhaps there are other details not revealed in the article which make the aims of the phishers clearer.

Tuesday, 7 August 2007

Current Malpractice: Single Webserver


The article is titled "Boffins find way to fight spam scams", but that's misleading. The boffins in question are presenting at USENIX Security 2007, and their findings relate to websites advertised via spam. What they find is that the vast majority are hosting sites on a single server, as opposed to proxying through a botnet. Such techniques are prone to change in reaction to countermeasures, of course.

Monday, 6 August 2007

The Malware Marketplace

Source: The Register

The Register has written a short report on research conducted by Thomas Holt, a professor of criminal justice at the University of North Carolina at Charlotte, in which the black market for malware is described as having a similar dynamic to eBay or other online marketplaces.

Friday, 3 August 2007

Russian pair phish $500k from Turks

Source: via The Register

Two Russians, based in Togliatti, have been phishing Turkish bank accounts for the past two years or so. Their method for obtaining credentials involved malware, although it's not clear from the report whether the malware was installed on bank computers or customer computers (presumably the latter). Funds were transferred to the accounts of mules, who then forwarded it via Western Union: a total of 265 transfers totaling $508,000 between February 2005 and April 2007. One of the phishers has been arrested, the other remains at large.

Wednesday, 1 August 2007

Frequency X talks Mules

The Frequency X blog has published an entry on the subject of Money Mules, which also links to a webinar presentation on the subject. The webinar requires RealPlayer, and didn't work for me with Helix Player 1.0.6.

Friday, 20 July 2007

Ransomware revival

Source: The Register

Ransomware is an old idea, but it has never really become mainstream. The idea is that you infect a computer with a virus and encrypt files, demanding money for a decryption tool, or just threaten to delete files, or similar. Malware authors are trying the concept again with a new malware strain called Gpcode-AI (AKA Sinowal-FY), which "encrypts data on compromised machines before demanding money from users to decrypt it."

Tuesday, 17 July 2007

Complex iPhone phish in the wild


According to this report, there is a piece of malware backed by a significant botnet dedicated to subverting the Apple iPhone purchase process. It seems bizarrely elaborate and specific.

26 arrested for Poste Italiane phishing attack

Source: Sophos

"The Guardia di Finanza have apprehended 18 Italian citizens and 8 foreign nationals from Eastern Europe in an operation dubbed 'Phish & Chip', following a widespread phishing campaign that targeted internet users of Poste Italiane's home-banking services."

Why did the crooks choose to operate out of Italy while attacking Italy?

Monday, 16 July 2007

Two Texans charged with pump-and-dump offences

Source: Sophos

Darrel Uselton, 40, and his uncle, Jack Usleton, 69, both from Texas, have been charged with offences relating to their alleged pump-and-dump spamming of at least 13 penny stocks between May 2005 and December 2006.

Wednesday, 27 June 2007

RSA says "no technological solution to phishing"

"Uriel Maimon, senior researcher in the office of the chief technology officer at RSA, said that technology solutions could never provide a cure for phishing and online fraud because technical fixes could always be subverted. Such measures also depend on the end user to operate and, as such, are vulnerable to error or incompetence."
Maimon also rejects "education" as "possibly the least effective method of stopping phishing." His preferred approach: law enforcement, and lots of it.

Friday, 22 June 2007

Pump and Dumpers try PDFs

Source: Sophos
Sophos reports that they've now seen pump and dump spam using PDF attachments instead of images. Pump and dump spam was an early adopter of text-as-images, and this technique may be picked up by other spammers, such as the job scam crowd. It's not too hard to extract plain text from a PDF, but obfuscation techniques are possible.

Thursday, 21 June 2007

McAfee Avert Labs reviews their 2007 predictions

Source: McAfee Avert Labs Blog
Having made a customary list of ten predictions for the coming year six months ago, the researchers at Avert Labs have done a bit of a reality check to see how well they are faring so far in 2007. The safe bets have proved safe: "Password-stealing web sites are on the rise", "Identity theft and data loss will continue to be a public issue", "Vulnerabilities will continue to cause concern." Not so obvious but predicted correctly: "Parasitic malware will make a comeback." Seemed a safe bet, but didn't really eventuate: "Spam, particularly image spam, is on the increase", "The use of bots will increase." Completely wrong: "Mobile phone attacks will become more prevalent."

Wednesday, 20 June 2007

10,000 websites compromised with malware links

Source: The Register and
On the order of 10,000 websites have been invisibly modified with IFRAME links to a site hosting an exploit package called "MPack". It's not currently known how the mass defacement was effected. None of the exploits employed by this particular MPack installation are zero-day flaws. "MPack" is a general browser-exploit service coded in PHP, similar to "Web Attacker" which is written in Perl.

111 suspected "419" scammers arrested in Amsterdam

Source: AFP (via Yahoo!)
Police in Amsterdam arrested 111 West Africans on Saturday, June 16th, for being in the Netherlands illegally. Those arrested are now under further investigation as suspected Internet fraudsters. Eight of those arrested were carrying false papers, and have been prosecuted. The others were detained and then released unless there were any extra charges against them. Dutch police believe over 2,000 Internet fraudsters are active in the country.

Wednesday, 13 June 2007

10 reasons why the Black Hats have us outgunned

More like a basic introduction to the marketplace of cybercrime services than a list of ten reasons.

Saturday, 9 June 2007

Most phishing sites are kit-based

Source: Frequency X Blog
Gunter Ollmann of IBM points out that simple counts of the number of phishing incidents are now skewed by the widespread use of "phishing kits" which make it trivial to set up multiple phishing sites on a single host. For example, of the mere 3,544 new phishing sites identified by the X-Force researchers in the week prior to this report, 3,256 were associated with phishing kits (>90%). Further, the kit-based sites mapped to 100 registered domains (compared to the 288 non-kit sites that used 276 domains).

Friday, 8 June 2007

Anti-spam services under attack

Source: Usenet (
Spamhaus, SURBL, and URIBL are presently the target of a DDoS attack, allegedly the work of the same group responsible for the DDoS attacks against BlueSecurity last year. The attack is being produced by a botnet running malware known as "Storm", which was widely distributed as an attachment to spam in January this year.

Wednesday, 6 June 2007

Web Exploits Getting Stealthy

Finjan security's latest "Web Security Trends Report" notes an increase in stealth techniques being used by sites hosting browser exploits. To avoid analysis, the site only sends malicious code once per IP address.
On a related matter, this interesting post to Slashdot talks about a stealth technique that malware distributors are using to avoid detection when using ads as a distribution vector.

Wednesday, 30 May 2007

BBB Spear Phishing Trojan

Source: SecureWorks
This story has been reported on and off for a few days, but this source is the most informative to date. Someone has carefully crafted a list of executives at companies, then sent them a forged Better Business Bureau complaint, correctly personalised with the name and company of the executive. The aim of the phish is to install a trojan IE "browser helper object" which leaks all data submitted in all forms (regardless of SSL encryption) to the phisher.

Sunday, 27 May 2007

Map of 713 "419" Scammers in the UK

Source: Times Online
A Dutch company called "Ultrascan" has created a Google map showing the locations of 713 Advance Fee Fraudsters in the UK (mostly the greater London area) that they tracked down in 2006. The fraudsters always target victims in other countries, and these were primarily targeting Middle and Far Eastern countries. The UK police almost completely abandoned prosecution of these scammers in 2006, saying that "they preferred to disrupt 419 scammers by taking down their websites and stopping their internet access."

Saturday, 26 May 2007

Malware-based phish attack seen in the wild

Source: The Register
A reader of The Register wrote in to report a somewhat inscrutable phishing technique. Apparently his computer has been infected with malware capable of recognising a number of online banking sites and other popular phishing targets, and inserting a phishing page into the usual stream of activity. This bypasses all the usual checks for known phishing sites, since the browser isn't actually being directed away from the legitimate site: it's just not displaying data from the legitimate site. The victim's copy of IE was affected by this hack, but Firefox was not.

Monday, 30 April 2007

E-Gold Indicted for Money Laundering

Source: US DOJ (brought to my attention by F-Secure)
A federal grand jury in Washington, D.C. has indicted E-Gold Ltd; Gold & Silver Reserve, Inc. and their owners on charges of money laundering, conspiracy, and operating an unlicensed money transmitting business.

Thursday, 26 April 2007

Phishers add call forwarding to their arsenal

Source: The Register
Part of a recent phishing scam has instructed potential victims to dial a particular code on their phone which would activate "call forwarding" to a different number. Presumably this is to aid the phishers in impersonating the customer.

Malware vector: abandoned USB sticks

Source: The Register
Malware purveyors deliberately left USB sticks loaded with a Trojan in a London car park in a bid to trick users into getting infected. The attack was designed to propagate Trojan banking software that swiped users' login credentials from compromised machines.

Drug dealers move into online fraud

According to a source at the FBI, drug cartels are increasingly abandoning or scaling down their narcotics operations and using their existing network of workers to commit large-scale credit card fraud. The risks are lower, and the profits are about the same.

Thursday, 19 April 2007

SMS phishing in SE Asia

Source: F-Secure
F-Secure reports a plague of SMS-based lottery winning notifications. They contact the phisher by phone and string him along to see where the scam goes. It's not entirely clear at this stage how the attack works.

Phishing attack circumvents two-factor authentication

This is the first time I've seen a real, live, successful phishing attack targeted at an institution with two-factor authentication. The attack is a "man in the middle" attack, of course, and the institution in question is the Dutch bank ABN Amro.

Top 10 Internet Crimes of 2006

Source: Bad Guys
A highly US-centric look at complaints relating to crime on the Internet. The article is a summary of a US government report. By far the number one issue is "auction fraud", then "non-delivery". Is the latter category the result of buying what spam is selling? A distant third is "check fraud", which may well cover a lot of the money mule scams directed at the USA.

Wednesday, 18 April 2007

Details of a Spear Phishing attack

Source: The Register
Phishing is usually a game of large numbers: send enough email, and some of it is bound to hit the mark. An alternative approach, "spear phishing", involves obtaining information about your targets up front and sending carefully targeted email. This short article gives information on how a compromised university computer was used as a source of information to target members of that university's credit union in a spear phishing attack.

Friday, 13 April 2007

Man-in-the-middle attack against "personal seal" protection

Source: slight paranoia
Presenting a customised image to the user during the login process is not effective against phishing for two reasons: first, most users are unobservant and therefore easy victims; second, a man in the middle attack, such as the one demonstrated in this article, can subvert the system by simply relaying the image from the real site.

Thursday, 12 April 2007

Money Mules in Singapore

Source: Sophos
Under the guise of an "aid agency", mules have been forwarding cash from Australia to Singapore and thence to Russia and Latvia. Transactions were around 5,000 Singapore dollars.

Wednesday, 11 April 2007

WoW accounts more valuable than CC details

Source: The Register
Keyloggers targeting World of Warcraft account login details are alive and well. According to Symantec, WoW account logins are worth about $10, more than the going rate of $6 for verification details on credit cards.

Friday, 30 March 2007

Renewed call for ".safe" domain

Source: F-Secure
Summary: F-Secure (anti-virus company) has renewed the call for a top-level domain name for banks and other targets of phishing. It's interesting that F-Secure is advocating this particular approach, but to me it looks like a fairly hollow press release backed by no real intention of pushing the process any further.

Keyloggers: How they work and how to detect them

Summary: first part of a two-part article on keylogger technology -- one of the most commonly used tools in cybercrime and phishing in particular. This is a relatively basic introduction to the subject.

Wednesday, 28 March 2007

12% of adults in UK have experienced fraud online

Source: Get Safe Online
Summary: a survey of UK internet adult users found that 12% had experienced online fraud in the last year, losing an average of £875 each. The survey also looks at the attitudes of Internet users as regards responsibility for their online safety, and the popular view is that it's someone else's responsibility. Most felt that there should be lessons in schools to help young people understand the risks.

Education failing to fight phishing

Source: vnunet
Summary: Joseph Sullivan, associate general counsel of PayPal, told the e-Crime Congress in London today that relying on education alone will not stop phishing and that an integrated campaign is needed to stamp out the menace. William Beer, European director of Symantec's security practice, says that education needs to be varied and targeted to particular demographics. Mention is made of a phishing attack in which targets were directed to phone a fake call centre rather than visit a fake website.

Experts rubbish two-factor authentication

Source: vnunet
Summary: opinion at the e-Crime Congress in London is that two-factor authentication will not curb soaring phishing levels because it is vulnerable to man-in-the-middle attacks. Apparently there is a rising demand for two-factor systems nonetheless.

Wednesday, 21 March 2007

Anatomy of an eBay scam

Source: The Register

Summary: an email exchange between an eBay fraudster and a reporter posing as an interested buyer. The first step in the fraud involves phishing an eBay account with a good reputation. An auction is then posted under this phished ID with instructions to contact the seller directly via email (in contravention of eBay acceptable usage policy). If a buyer contacts the fraudster in this manner, the fraudster will spoof an email from eBay instructing the buyer to send money to an agent via Western Union.

Tuesday, 20 March 2007

FBI Internet Crime Report 2006

As reported in The Register, the FBI have released their 2006 Internet Crime Report. This contains useful facts and figures on the types and scales of cybercrime reported in the USA in 2006.