
Security Response

Showing posts tagged with Online Fraud
Andrea DelMiglio | 31 Jul 2007 07:00:00 GMT | 0 comments

Since May, phishing attacks against Italian banks have been a visible but rather limited phenomenon. Most financial institutions reacted quickly, setting up proper fraud management processes, education campaigns for end users and technical countermeasures since early 2006. But in the last three months, Italian mailboxes have been flooded by millions of phishing emails, moving the problem to the next level.

Number of single URLs per month (July 07 data includes attacks until July 27th)

As the graph illustrates, the number of attacks grew 14 times since the 2006 peak (127 in August) to the current 2007 peak (1735 last May). Attack source analysis shows...

Symantec Security Response | 26 Jul 2007 07:00:00 GMT | 0 comments

In the June 2007 edition of RSA Security Phishing News released on July 5th, RSA’s Anti-Fraud Command Center uncovered a new type of phishing kit, which is “actually a single file which creates an entire phishing site on a compromised server when double-clicked on, similar to .exe installation files.” According to the report, traditional phishing kits include all of the relevant files which must be installed one by one in the appropriate directories on the server that is controlled by the phisher. The new kit instead, “saves the phishers time and effort, by automating the site installation process.”

This news received quite a bit of press coverage, but does it really change the rules of the game? Our feeling is that it doesn’t: most phishing sites are currently hosted on compromised Web servers, where phishers have been able to upload files using one of the (many) unpatched vulnerabilities lying in the Web application code. Phishing kit configuration is usually done on a phisher...

Symantec Security Response | 12 Jul 2007 07:00:00 GMT | 0 comments

In recent months, Symantec has detected a number of phishing sites that have been hosted on government URLs. In June alone, phishing sites were identified on government sites from the following countries: Thailand (, Indonesia (, Hungary (, Bangladesh (, Argentina (, Sri Lanka (, Ukraine (, China (, Brazil (, Bosnia and Herzegovina (, Colombia (, and Malaysia (

This might come as a surprise to some people, as governments are thought to have very secure computer systems. However, the quantity of phishing sites hosted on government domains around the world seems to suggest otherwise. These fraudulent sites look like legitimate Web sites and are designed to trick users into divulging personal information such as government-issued identity numbers, bank passwords, or credit card numbers. Most phishing sites are placed on government Web servers by hackers who have gained access to the server...

Zulfikar Ramzan | 02 Jul 2007 07:00:00 GMT | 0 comments

The Pareto principle, sometimes known as the 80-20 rule, states that roughly 80% of the effects stem from 20% of the causes. It was named after Vilfredo Pareto, an Italian economist, who observed that 20% of Italy’s population received 80% of its income. This principle comes up in numerous other places in the social sciences and in engineering.

What does this have to do with phishing? Well, recently I looked at which legitimate brands tend to get imitated the most in phishing attacks. I went back through data gathered from June through December 2006. All in all, we found 343 brands being spoofed. Some of these were well known banks, credit card companies, online retailers, and the like. Others were smaller players. These included credit unions, local banks, smaller retailers and the like. Note that phishing attacks target many sectors beyond just the financial and retail sectors. I just chose to include these as an example.

It turns out that there is Pareto-like behavior among the...

Zulfikar Ramzan | 28 Jun 2007 07:00:00 GMT | 0 comments

I recently looked at some data collected from the Norton Confidential server on brands spoofed in phishing attacks from June through December of 2006. In total, we saw phishing attacks on 343 different brands. Looking further into the data, I wanted to get a sense of which types of brands are consistently targeted by phishers.

I found that there were 57 “core” brands that were consistently spoofed in each month from June through December. These core brands were determined by identifying seven lists of brands, one for each month in our data collection (June through December) in which a new Web site spoofing that brand was reported. The core brands, then, made up the intersection of these lists.

There is a distinction between core brands and the most frequently spoofed brands. The former are brands that are consistently spoofed each month. The latter are brands that are the most frequently spoofed overall, measured by the number of Web sites that imitate these brands.

At first...

Pukhraj Singh | 21 Jun 2007 07:00:00 GMT | 0 comments

Recently, a DeepSight honeypot was compromised by a rogue website that served a variety of malicious scripts to users. From the dozens of Web sites that we investigate every day, what makes this case special is the fact that this is the first detected instance of in-the-wild exploitation of the Microsoft Internet Explorer Speech API 4 COM Object Instantiation Buffer Overflow Vulnerability (BID 24426). This exploit appears to be a derivation of the publicly available exploit released at The vulnerability lies in the way two COM objects in the Speech API 4, namely Windows DirectSpeechSynthesis Module (XVoice.dll, EEE78591-FE22-11D0-8BEF-0060081841DE) and DirectSpeechRecognition Module (XListen.dll, 4E3D9D1F-0C63-11D1-8BFB-0060081841DE), handle certain user input. The malicious attacker can instantiate these COM objects via Internet Explorer, and pass overly long arguments to certain routines. In this case...

Ron Bowes | 14 Jun 2007 07:00:00 GMT | 0 comments

In my recent article about Spam in Multiplayer Online Games (smog), I talk about how spammers sell resources such as gold. These resources can be obtained with minimal user interaction, by using an automated program to control characters and play the game. By doing this, gold can be collected and either used or sold for real money.

As a massively multiplayer online game develops, an economy develops. The value of rare items tends to emerge, and people will make fair trades or purchases from each other. People who play the game for a reasonable amount of time are able to purchase the same items as others, by collecting gold (or whatever currency is used). Ideally, the economy will balance and end up at a fair point.

However, automated programs can be used for this collection. A program can run 24/7, doing nothing but harvesting gold. This gold...

Marc Fossi | 11 Jun 2007 07:00:00 GMT | 0 comments

There have been numerous proposals for ways to prevent phishing scams. Suggestions ranging from EV certificates to new specialized top-level domains seem to imply that the end of phishing would be brought about through their implementation. Unfortunately, this isn’t likely to be the case.

Let’s look at a phishing scam for what it really is – an online version of the classic confidence scam. The reason it’s called a confidence scam is that the perpetrator has to gain the confidence of their intended victim in order to reap the rewards. Some of these scams are so thinly veiled that only the extremely gullible will fall victim while others are so elaborately played that even some of the most cautious individuals are fooled. The same goes for the online version.

Some phishing attacks are so poorly crafted (I’m sure most companies don’t misspell their own names) that many...

Zulfikar Ramzan | 01 Jun 2007 07:00:00 GMT | 0 comments

Recently, Mikko Hypponen proposed the idea of a .bank top-level domain extension as a way to combat phishing attacks (see 21 Solutions to Save the World: Masters of Their Domain). The proposal garnered some significant interest including two Slashdot threads: A Foolproof Way To End Bank Account Phishing? and F-Secure Responds To Criticism of .bank. Since phishing is a topic that I spend a considerable amount of time thinking about, I thought I’d spend some time considering the benefits and drawbacks of Mikko’s proposal.

First, let me summarize my understanding of the proposal. The idea would be to have a top-level domain along the lines of .bank (in addition...

Candid Wueest | 28 May 2007 07:00:00 GMT | 0 comments

“Because that's where the money is” was apparently the reason given by Willie Sutton when asked why he kept robbing banks. Even though that statement may be correct, Willie Sutton never said it like this – as he explains in his book “Where the Money Was.” Still, it evolved into one of those urban myths, quoted many times. But there is an even better analogy to be made between the life of this bank robber from the 1940s and today’s online crime.

One of his nicknames was “The Actor,” which he gained after committing robberies in broad daylight, impersonating trusted personnel. He varied his disguise from telegraph messenger to maintenance man to policeman. He had realized that an acetylene torch was not the best way into a safe – it was much easier to abuse people’s trust, as no one really expected such assaults from within their own ranks. It was like an insider job, but without actually belonging to the team in the first place. Those old-school social engineering tricks are comparable...