Security Response
Showing posts tagged with Online Fraud
Vincent Weafer | 28 Sep 2007 07:00:00 GMT | 0 comments

The two most common questions I hear around this time of year are: what do you think the biggest trend of the year was and what do you think the biggest threat next year will be. After outlining a year in review, let’s spend a little time on what we may expect to see in the next 12 months.

Obviously, the debut of a new operating system brings with it new features for both the research community and malicious code authors to scrutinize. It’s simple to expect that we’ll see new attack attempts on Microsoft Vista. What’s more interesting are trends we’re likely to see that don’t even touch the physical hard drive of a computer. Web 2.0 technologies have already begun to capture attacker interest and motivation. As adoption continues to grow and dependence on these Web applications increases, the impact and frequency of these issues will rise.

Consider the...

Zulfikar Ramzan | 28 Aug 2007 07:00:00 GMT | 0 comments

Michael Dolan, a phisher who targeted AOL over the course of five years, recently pleaded guilty to two criminal counts that the's office brought against him. The first count was a conspiracy to commit fraud and the second count was aggravated identity theft.

Dolan's "career" spanned from 2002 to 2006 and mostly involved getting victims to install a Trojan program that would prevent them from logging into their AOL account without providing additional sensitive information like credit card and Social Security numbers. When caught, he had private and financial information for 96 individuals.

On the one hand, I think this is a great victory for the Department of Justice. I believe that legal actions are one of the important channels we need to consider when addressing the problem of phishing. After all, phishing is ultimately a financial crime, and to the extent that we can make it more risky and less profitable, we can substantially reduce instances of phishing.

Candid Wueest | 16 Aug 2007 07:00:00 GMT | 0 comments

Well, we all know that playing games can influence your real life, even if it’s just the lack of sleep you get from spending whole nights playing online games. But there’s more to it. There are several crucial points that have to be considered when running around virtual fields with your character. Unfortunately, as in life, some people don't play by the rules.

Sometimes those virtual worlds are not as peaceful as one might think or hope. You, or more precisely your avatar, might get blackmailed for protection money or bullied by others. Destruction of virtual goods can happen if you don’t pay. The discovery of weapons of mass destruction in Second Life confirms this point. (Yes, they do exist; search for “Jessie Massacre” if you don’t believe it.)

But, there are other entrapments to watch out for. We already reported on gold farming and the problem with in-game spam in a...

Candid Wueest | 16 Aug 2007 07:00:00 GMT | 0 comments

Have you ever “ego-Googled” yourself? That is, looked yourself up on Google? Chances are, if you haven’t, others have. Your employer probably did it before hiring you, so it can’t be that bad, right? But are you really aware of all the information that is available online about you?

Nowadays, of course, one of the easiest ways to data-mine somebody is to look them up on the many social networking sites that have sprung up over the past few years. These sites are hugely popular and you find them for nearly every user group. You can find old buddies from school that you’ve lost touch with, connect with people that listen to the same music as you, or post your CV to attract a new employer.

For sure, they can be useful. And I admit that I, too, have used them several times. Sometimes it can even be very amusing. For example, I once received an email from a headhunter. Besides offering me a position, she complained she couldn’t reach me on my listed phone number: ++1 234 567 890. What...

Liam O Murchu | 02 Aug 2007 07:00:00 GMT | 0 comments

Brazil is the home of the infamous Infostealer.Bancos family of malware. Recently, however, we have seen a more diverse number of sites - beyond just banking sites - coming into the crosshairs of the Brazilian malware gangs. Is the recent W32.Imcontactspam worm another of their creations?

The worm is Brazilian and spammed the infected users’ MSN contacts with email advising them that they had received an electronic greeting card. We see these types of worms quite often; however, what caught our attention were the similarities between the techniques this worm uses and the techniques used by the Infostealer.Bancos family of trojans.

When executed, the worm does the following:

  1. Minimizes the real MSN Messenger login window;
  2. Displays a fake Portuguese language MSN login screen;
  3. Records the username and password that is typed;
  4. Displays the real MSN Messenger login window (user must re-type password);
  5. Records the email address of all...

Andrea DelMiglio | 31 Jul 2007 07:00:00 GMT | 0 comments

Since May, phishing attacks against Italian banks have been a visible but rather limited phenomenon. Most financial institutions reacted quickly, setting up proper fraud management processes, education campaigns for end users and technical countermeasures since early 2006. But in the last three months, Italian mailboxes have been flooded by millions of phishing emails, moving the problem to the next level.

Number of single URLs per month (July 07 data includes attacks until July 27th)

As the graph illustrates, the number of attacks grew 14 times since the 2006 peak (127 in August) to the current 2007 peak (1735 last May). Attack source analysis shows...

Symantec Security Response | 26 Jul 2007 07:00:00 GMT | 0 comments

In the June 2007 edition of RSA Security Phishing News released on July 5th, RSA’s Anti-Fraud Command Center uncovered a new type of phishing kit, which is “actually a single file which creates an entire phishing site on a compromised server when double-clicked on, similar to .exe installation files.” According to the report, traditional phishing kits include all of the relevant files which must be installed one by one in the appropriate directories on the server that is controlled by the phisher. The new kit instead, “saves the phishers time and effort, by automating the site installation process.”

This news received quite a bit of press coverage, but does it really change the rules of the game? Our feeling is that it doesn’t: most phishing sites are currently hosted on compromised Web servers, where phishers have been able to upload files using one of the (many) unpatched vulnerabilities lying in the Web application code. Phishing kit configuration is usually done on a phisher...

Symantec Security Response | 12 Jul 2007 07:00:00 GMT | 0 comments

In recent months, Symantec has detected a number of phishing sites that have been hosted on government URLs. In June alone, phishing sites were identified on government sites from the following countries: Thailand, Indonesia, Hungary, Bangladesh, Argentina, Sri Lanka, Ukraine, China, Brazil, Bosnia and Herzegovina, Colombia, and Malaysia.

This might come as a surprise to some people, as governments are thought to have very secure computer systems. However, the quantity of phishing sites hosted on government domains around the world seems to suggest otherwise. These fraudulent sites look like legitimate Web sites and are designed to trick users into divulging personal information such as government-issued identity numbers, bank passwords, or credit card numbers. Most phishing sites are placed on government Web servers by hackers who have gained access to the server...

Zulfikar Ramzan | 02 Jul 2007 07:00:00 GMT | 0 comments

The Pareto principle, sometimes known as the 80-20 rule, states that roughly 80% of the effects stem from 20% of the causes. It was named after Vilfredo Pareto, an Italian economist, who observed that 20% of Italy’s population received 80% of its income. This principle comes up in numerous other places in the social sciences and in engineering.

What does this have to do with phishing? Well, recently I looked at which legitimate brands tend to get imitated the most in phishing attacks. I went back through data gathered from June through December 2006. All in all, we found 343 brands being spoofed. Some of these were well known banks, credit card companies, online retailers, and the like. Others were smaller players. These included credit unions, local banks, smaller retailers, and the like. Note that phishing attacks target many sectors beyond just the financial and retail sectors. I just chose to include these as an example.

It turns out that there is Pareto-like behavior among the...

Zulfikar Ramzan | 28 Jun 2007 07:00:00 GMT | 0 comments

I recently looked at some data collected from the Norton Confidential server on brands spoofed in phishing attacks from June through December of 2006. In total, we saw phishing attacks on 343 different brands. Looking further into the data, I wanted to get a sense of which types of brands are consistently targeted by phishers.

I found that there were 57 “core” brands that were consistently spoofed in each month from June through December. These core brands were determined by identifying seven lists of brands, one for each month in our data collection (June through December), in which a new Web site spoofing that brand was reported. The core brands, then, made up the intersection of these lists.

There is a distinction between core brands and the most frequently spoofed brands. The former are brands that are consistently spoofed each month. The latter are brands that are the most frequently spoofed overall, measured by the number of Web sites that imitate these brands.

At first...