News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
Topic: "Social Engineering" and "Phishing"...
« on: April 05, 2004, 19:05:46 »
AplusWebMaster Offline
Global Moderator WWW

Karma: 501
Posts: 7325



FYI...

"Social Engineering" is a relatively "new" term in use nowadays, unfortunately, -not- in a good way.

'Thought it might be a good idea to start a thread on the subject for familiarization purposes. It was briefly spoken about in this thread ( http://boards.cexx.org/viewtopic.php?t=4991 ) with regard to "phishing", an -ugly- technique used by those who would like to -steal- your personal information, for unscrupulous purposes.

And just within the last day or so, two new pieces of malware were unleashed on unsuspecting e-mail users:
- http://www.securitypipeline.com/news/showArticle.jhtml?articleId=18900136&printableArticle=true
"...Both Sober.f and Netsky.s arrive as file attachments in e-mail messages that sometimes claim that they've been scanned for viruses, and that no malicious code has been detected. "The ploy of adding a 'No virus found' message at the bottom of the e-mail is deliberately designed to appeal to those who are too impatient to practice safe computing..."

...More to come. Be aware, and maybe a bit wiser, to these scams.
This machine has no brain.
....... Use your own.
Browser check for updates here.
« Reply #1 on: April 06, 2004, 15:45:12 »
AplusWebMaster Offline

FYI...

Online phishing uses new bait - One click sends unwary users to fake websites
- http://www.vnunet.com/News/1154101
April 06, 2004
"A new phishing attack is being used to hook unwary web users...When a phishing victim clicks on a link in an email pretending to come from their bank or another company, they are sent to a fake website which will then try to steal bank account details or other information...The new trick uses software that detects the user's browser and applies custom JavaScript to replace the look and feel of the web address bar with an appropriately designed working fake, to fool people into thinking they are visiting a legitimate site...Phishing attacks are increasing in frequency and sophistication. February recorded the busiest month with 282 email attacks, a 60 per cent rise on January's record total, according to the APWG..."

« Reply #2 on: May 06, 2004, 23:59:25 »
AplusWebMaster Offline

FYI...

Billions of 'Phishing' Scam E-Mails Sent Monthly
- http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=5062666
May 6, 2004
"...Over the past nine months, the monthly volume of phishing e-mails has risen nearly ten-fold to 3.1 billion worldwide in April, San Francisco-based e-mail filtering firm Brightmail said. Brightmail said its spam filters sift through 96 billion e-mails each month. Police suspect organized crime gangs from Eastern Europe are the main culprits in the multi-billion dollar racket...Brightmail added that a recent sinister twist to the phishing scam has emerged in which the e-mails contain Trojan programs capable of installing themselves on an unwitting computer user's machine to steal information by logging key strokes. The phenomenon is weighing on consumer confidence in e-commerce, anti-fraud firm Cyota said. According to a recent Cyota survey of online bank account-holders, 74 percent said they were less likely to shop online due to the threat of phishing attacks."
« Reply #3 on: May 14, 2004, 21:22:45 »
AplusWebMaster Offline

FYI...

Phishing Jumps Almost 500 Percent In Five Months
- http://www.securitypipeline.com/news/showArticle.jhtml?articleId=20301083&printableArticle=true
May 14, 2004
"More bad news about phishing attacks arrived Friday via message filtering firm SurfControl when it unveiled numbers showing the scams have increased nearly 500 percent since January. Phishing attacks are spam messages that pose as legitimate mail from big-name banks, credit card companies, and retailers. Links within the messages entice recipients to bogus Web sites, where they're told that their account information needs to be updated. Users who fall for the con divulge personal financial data...used by the attacker to siphon funds, purchase goods, or steal identities...the hackers have used Javascript code to overlay a fake address bar that shows the real US Bank URL on the browser's real address bar. The new tactic makes the spoof more realistic, Larson said, than earlier phishing attacks, which exploited an Internet Explorer bug to display the URL of the spoofed company. A patch exists for the flaw, but the new technique can target even those systems which have been patched. According to Gartner, victims of phishing attacks are three times more likely to suffer some form of identity theft than the general population."
« Reply #4 on: May 19, 2004, 02:23:49 »
AplusWebMaster Offline

FYI...

- http://www.infoworld.com/article/04/05/18/HNphishingskyrocket_1.html
May 18, 2004
"...The growing problem also points to increasing interest in the scams by malicious hacking groups and organized crime, Maier said. "We've had confirmation from law enforcement in the U.S. that organized crime is behind some of these scams. We also do work looking at hacker sites, and we can see that hackers and script kiddies are definitely paying attention to this phenomenon and are beginning to work together," he said..."

(The Anti-Phishing Working Group reports over 1,100 unique phishing campaigns for April 2004, an increase of 178% over the number of attacks in March. From February to March, phishing attacks increased by only 43%, particularly targeting financial services and retail. Citibank was targeted by 475 unique phishing attacks in April, with eBay at 221 and PayPal at 135. APWG has evidence suggesting that phishing webpages are traded between phishers in much the same way as spammers trade e-mail addresses. Criminal organizations are using phishing scams as well. Research from Gartner suggests that as many as 3% of phishing attacks are successful, affecting 1.78 million adult users.)
« Reply #5 on: May 21, 2004, 03:15:05 »
AplusWebMaster Offline

FYI...

E-Mail Scammer Gets Four Years
- http://www.securityfocus.com/printable/news/8711
May 19 2004
"An Internet scammer who used e-mail and a fraudulent Web site to steal hundreds of credit card numbers was sentenced to almost four years in jail Tuesday, one of the stiffest-ever penalties handed down for online fraud. Houston, Texas federal court Judge Vanessa Gilmore sentenced Houston resident Zachary Hill to 46 months in jail for his role in duping consumers into turning over 473 credit card numbers...Hill, 20, used a "phishing" scheme to make his e-mail look like it came from America Online, the nation's largest Internet service provider, or PayPal, the online payment subsidiary of auction giant eBay. The message told victims that their accounts had lapsed and that the companies required their credit card numbers and passwords to restart them. Hill prompted recipients to enter their information into Web forms designed to look like pages run by the companies, the Justice Department said. Hill then used the credit card numbers to buy $47,000 in goods and services..."
« Reply #6 on: June 11, 2004, 16:07:59 »
AplusWebMaster Offline

FYI...

Hackers prey on Internet banking
- http://www.taipeitimes.com/News/taiwan/archives/2004/06/10/2003174478/print
Jun 10, 2004
(Taiwan's Criminal Investigation Bureau has arrested Chen Chung-shun, 30, on charges of stealing more than 45 million e-mail addresses, 200,000 online bank and auction site account numbers and passwords, and information on three figurehead bank accounts. Officials suspect Mr. Chen has been working with hackers from mainland China to plant Trojans on personal computers to steal bank account passwords. Mr. Chen told police he transmitted details on 100,000 bank accounts to the mainland hackers, and did not have back-up copies. Mr. Chen gathered the 45 million e-mail addresses in February 2004, and had sent 18 million Trojan infected e-mails within a month. Losses from unauthorized fund transfers are estimated to be around several million Taiwanese dollars, though full numbers are not yet known.)
« Reply #7 on: June 14, 2004, 04:05:30 »
AplusWebMaster Offline

FYI...June "phishing" schemes:

'eBay account verification needed':
- http://www.antiphishing.org/phishing_archive/06-11-04_eBay_(eBay_account_verification_needed).html
11-Jun-2004

Citibank and various other banks:
- http://www.antiphishing.org/phishing_archive/06-10-04_Citibank,_LLoyds_TSB,_Barclays_(image_map).html
10-Jun-2004

Fleet cardmember security update:
- http://www.antiphishing.org/phishing_archive/06-09-04_Fleet_(Fleet_cardmember_security_update).html
09-Jun-2004

e-gold - 'Please Verify Your Account':
- http://www.antiphishing.org/phishing_archive/06-04-04_e-gold_(Please_Verify_Your_Account).html
04-Jun-2004

Microsoft - 'current network critical patch'
- http://www.antiphishing.org/phishing_archive/06-03-04_Microsoft_(current_network_critical_patch).html
01-Jun-2004

« Reply #8 on: June 14, 2004, 21:41:10 »
AplusWebMaster Offline

FYI...add another:

eBay - 'TKO NOTICE: Pay your fees to eBay.com'
- http://www.antiphishing.org/phishing_archive/06-14-04_eBay_(TKO_NOTICE_-_Pay_your_fees_to_eBay.com).html
14-Jun-2004

« Reply #9 on: June 15, 2004, 12:21:25 »
AplusWebMaster Offline

FYI...

- http://www.techweb.com/wire/story/TWB20040615S0008
June 15, 2004
"...Using data from an April, 2004, survey of 5,000 U.S. adults who use the Internet and e-mail, Gartner estimated that nearly 2 million Americans fell victim to checking account fraud in the last 12 months. The cost to banks and consumers: a staggering $2.4 billion in direct losses, or an average of $1,200 per victim...

The top two methods scammers are using to lift bank account numbers are keyloggers planted by spyware -- software typically loaded onto a computer without the consumer's knowledge -- and phishing attacks, e-mail messages that try to trick users into divulging financial information..."What we're hearing from our clients is that keyloggers are now just as prevalent as phishing attacks..."
« Reply #10 on: June 16, 2004, 00:34:57 »
AplusWebMaster Offline

FYI...

- http://www4.gartner.com/5_about/press_releases/asset_89228_11.jsp
June 15, 2004
"...Just by clicking on a pop-up ad, Web users can inadvertently download spyware (technology that gathers information about a person or organization without their knowledge). In these situations, when users click on the ad, it traps the user ID and password for their online bank account without them ever knowing about it. "It will take time for the financial services industry to develop sophisticated back-end tools, but banks must implement stronger access controls to online and telephone banking systems...Shared-secret authentication is a good practical solution for strengthening access controls for online and telephone banking..."

In terms of absolute number of victims, checking account hijacks were the second most prevalent type of crime in the 12 months ending April 2004. The most common was the much more familiar fraudulent credit card purchase, where a thief uses a stolen credit card to buy goods or services..."
« Reply #11 on: June 17, 2004, 12:55:26 »
AplusWebMaster Offline

FYI...recent add(s) to June "Phishing" list:
("The number and sophistication of phishing scams sent out to consumers is continuing to increase dramatically...The Anti-Phishing Working Group has compiled a list of recommendations...that you can use to avoid becoming a victim of these scams..." - http://www.antiphishing.org/consumer_recs.htm )

eBay - 'Ebay(R) Re-Activation Unit'
- http://www.antiphishing.org/phishing_archive/06-17-04_eBay_(Ebay(R)_Re-Activation_Unit).html
17-Jun-2004

Fleet - 'Online banking - protect yourself from internet fraud'
- http://www.antiphishing.org/phishing_archive/06-15-04_Fleet_(online_banking_-_protect_yourself_from_internet_fraud).html
15-Jun-2004
« Reply #12 on: June 19, 2004, 16:04:34 »
AplusWebMaster Offline

FYI...another for the "June" List:

Bank One - 'Online banking issue'
- http://www.antiphishing.org/phishing_archive/06-18-04_Bank_One_(Online_banking_issue).html

« Reply #13 on: June 21, 2004, 12:45:02 »
AplusWebMaster Offline

FYI...they're still at it, so we have to keep up with them:

U.S. Bank - "U.S. Bank Fraud Verification Process"
- http://www.antiphishing.org/phishing_archive/06-21-04_US_Bank_(U.S._Bank_Fraud_Verification_Process).html
21-Jun-2004

« Reply #14 on: June 22, 2004, 16:05:54 »
AplusWebMaster Offline

FYI...they won't quit, so neither will we:

U.S. Bank - 'U.S. Bank Consumer Alert'
- http://www.antiphishing.org/phishing_archive/06-22-04_US_Bank_(U.S._Bank_Consumer_Alert).html
22-Jun-2004
