Security Response
Showing posts tagged with Online Fraud
Andrea DelMiglio | 08 Jan 2008 08:00:00 GMT | 0 comments

As discussed in the past, cross-site scripting (XSS) can be exploited by phishers to build really effective attacks. Today we have analyzed another similar attack that includes some enhanced features. The attack exploited an injection flaw in an Internet banking application, specifically located in the module used to display warning messages to users.

The function took a single GET parameter:

https://www.well-known-bank.com/popup.asp?msg=[ASCII_encoded_message_to_display]

And then returned a page with the following in the body:

document.writeln([decoded_messages]);

Obviously the aim here is to have a single page display warnings that are available to every module in the application. Because the input was not properly sanitized the attackers used this...

M.K. Low | 19 Dec 2007 08:00:00 GMT | 0 comments

There’s been a lot of coverage on the FBI Bot Roast II campaign where they released information about eight suspects who have been indicted for conducting criminal botnet activity. Bot herder suspects from across the United States have been linked to criminal activities such as DDoS attacks, conducting multi-million dollar phishing and spamming scams, and in particular stealing personal information that could lead to identity theft.

Thousands of pieces of personal information are sold and traded in underground economy servers found in Internet relay chat (IRC) rooms. When I look around the servers that we monitor, it reminds me of Causeway Bay at night in Hong Kong. Large advertisements bombard you with capital letters and carders repeat their sales pitches across multiple lines to attract people to their bargains. They list off their best deals and even offer cheaper prices if...

Sai Narayan Nambiar | 18 Dec 2007 08:00:00 GMT | 0 comments

Antiphishing filters basically work either on block listing or on heuristics. "Rock phish" attacks are quite a recent phenomenon that has posed a major challenge to both of the above-mentioned antiphishing filters, simply because the unique structure of a Rock phish attack circumvents antiphishing filters. This phishing technique can be traced back to somewhere around August 2006. The URL structure was comparatively simpler then, consisting of a randomized root domain and three sub folders. But the principal cause of the recent surge in the number of such attacks is traced to the botnet phenomenon. So, what then is so special about Rock phish? Well, this technique has a trademark method of striking naïve targets.

The URLs that navigate to the fraudulent Web sites have a unique structure. For example, the structure of this URL is Rock phishing specific: http://www.xxx.xxx.user123990.com/login/challange/2b593cba/login.php. As a matter of fact, it gets...

Sai Narayan Nambiar | 11 Dec 2007 08:00:00 GMT | 0 comments

The second half of 2007 has seen a sudden surge in the number of phishing attacks on financial puddles like regional banks, credit unions, and small- to mid-sized credit unions. But why are fraudsters focusing on localized financial institutions? The answer is simple; they are highly profitable and have fewer resources to protect them from phishing when compared to larger institutions. Larger institutions have secured themselves by implementing stronger Internet security measures. Even the customers from larger financial institutions are quite familiar with phishing.

Furthermore, credit unions have always been major competitors with larger financial institutions. The sub-prime problem in the United States has triggered a financial stress. To give some respite to this difficult situation the Feds had planned out cuts in interest rates. These cuts in interest rates have become a blessing in disguise for credit unions because valuations of the first three quarters of 2007 show robust...

Masaki Suenaga | 05 Dec 2007 08:00:00 GMT | 0 comments

There have been many viruses discovered that have the direct purpose of stealing online bank account and password information. It has been determined that a good majority of these have originated in Brazil and in these cases the viruses are known to be part of the infostealer.bancos family. They run without any user interface and attempt to capture all of the user information that is being sent to a target bank's Web page. In some cases there are variants that show fake login dialog boxes, almost all of which are JPEG image files stored in the virus. The important thing to remember here is that the people serving up these viruses are thieves and have to hide.

In contrast, a fraud does not need to hide. The fraud interacts with his or her victim without hiding. Recently we received an .exe file from a customer in Brazil. When the .exe is run, it shows a visible message box with the title "Patch 2.25 - Correcao de Falhas." It claims to be a patch for a particular "fault" and the...

Davide Veneziano | 03 Dec 2007 08:00:00 GMT | 0 comments

Computer forensics is a powerful instrument available to financial institutions in the battle against online fraud. During the analysis of a phishing attack many players need to be considered. As illustrated by Andrea Del Miglio, the role of email service providers is fundamental, but hosting companies as well as individual owners of compromised Web sites can really help in enhancing the effectiveness of the analysis. The information found within the log files of a compromised Web server can support forensics operations; precious details such as IP addresses belonging to end-users, timestamps, and the visited URLs are all recorded into these files. Additionally, the total number of visitors can contribute to the evaluation of the real risk associated with each single attack. That is to say, the more visitors a fraudulent Web site has, the higher the risk.

During the last...

Zulfikar Ramzan | 27 Nov 2007 08:00:00 GMT | 0 comments

On November 2, 2007 I had the opportunity to participate in a panel at the Federal Trade Commission on the future of online behavioral advertising. While this topic is not one that is normally associated with information protection issues, there are some interesting implications that I touched upon at the panel and that I thought I’d reiterate here.

First, let’s think about some of the overall trends related to Web advertising. To begin with, the Web has certainly exploded in popularity and people are spending more and more time each day surfing their favorite sites.

Second, online advertising has proven itself to be a viable business model for many companies. Countless Web sites display ads that are viewed by an even greater number of people.

Third, along these same lines the online advertising supply chain is fairly complex. In the simplest incarnation, an advertiser might work with an ad network who will arrange to have the ad published through one or more...

Vikram Thakur | 27 Nov 2007 08:00:00 GMT | 0 comments

Earlier today there was a report about Al Gore's site, climatecrisis.net, being hacked. The site contained links that weren't visible to the visitors, which pointed to various pharmaceutical products. The links could be viewed by looking into the source code of the page being displayed. The fact that Al Gore's site got hacked or compromised, while definitely of significance, uncovers a much bigger technique now being used by spammers. Here is a snapshot of the links from the hacked climatecrisis.net site:



As you can see, there are loads of links to a university's server. None of the links work. However, the hackers were able to get to the top of search results by creating links such as these. No one visiting the...

M.K. Low | 21 Nov 2007 08:00:00 GMT | 0 comments

When I logged into my online banking Web site last week, the login screen was different than what I was used to. My first reaction was that I had been hacked and the site was a spoof (a consequence of working in this field). Once I realized that it was in fact the genuine login screen, I proceeded to enroll in the bank’s newly enhanced sign-in security.

The concept is pretty easy; banks realize that card numbers and PINs are not enough to verify someone’s identity so they have added extra layers of security. To set up the enhanced login process, users are asked to pick an image and to type in a phrase. For example, a user could select the image of a green apple and the phrase “The fox is in the hen house.” These will be displayed to the user whenever they enter their bank card number so that they can verify the legitimacy of the site. Users are then asked to select three pre-determined questions and enter the answers. If the user logs into their online banking from a computer that...

Jitender Sarda | 02 Nov 2007 07:00:00 GMT | 0 comments

Imagine Google’s search engine being exploited for sending spam URLs. Unbelievable? Believe it!

Google is one of the most widely used search engines on the Web today. To make life easier, it supports a few advanced query words which narrow the scope of a search to a great extent. It appears that spammers have found a way to exploit this facility to direct the end user to a URL advertising their products or services, using Google’s advanced search operators.

Recently, we came across a few offer spam mails which had the following URL in them:
http://www.google.com/search?hl=en&q=inurl:replica%20intext:%22Perfect+cheap+replica+watches+online.%22&btnI=

At first glance, it appeared to be a “Google search results” link and we were expecting it to take us to the search results page. However, when...