Security Response
Showing posts tagged with Online Fraud
Showing posts in English
Silas Barnes | 03 Mar 2008 08:00:00 GMT | 0 comments

While there are various ways for attackers to trick users into disclosing their authentication credentials, phishing remains one of the most popular. Our spam traps caught a series of emails purporting to be from a disgruntled eBay user demanding an answer regarding a recent transaction. The emails contain a number of hyperlinks to the product in question which, when clicked, result in a browser-based FTP transaction to a remote host which displays a carbon copy of the legitimate eBay login page.

What caught my attention was the inclusion of one of eBay's security tips within the fraudulent copy, instructing users to "Check that the Web address in your browser starts with". One only needs to follow this advice to see that the page they are on is indeed suspicious:


Marvin Fabuli | 27 Feb 2008 08:00:00 GMT | 0 comments

We are currently in the process of compiling the upcoming Symantec Internet Security Threat Report. I am putting together the phishing sections for the Asia-Pacific and Europe, Africa, and Middle East ISTRs. One of the things that we've noticed is that there are several instances of very small countries hosting high numbers of phishing Web sites. Obviously this raised the question of why this would be.

After we'd gone through related data—bot-infected computers, spam zombies, phishing hosts, etc.—we couldn't come up with any data that would explain this emerging phenomenon. We asked ourselves what in the political-economic profiles of these small nations would make them attractive for, or susceptible to, phishing Web sites, when one of our analysts pointed out that they are often used to host online gambling sites. In part, this is because gambling sites that use real money (as opposed to free poker sites, for instance) are illegal in the United...

Andrea DelMiglio | 22 Feb 2008 08:00:00 GMT | 0 comments

Earlier this afternoon in Italy hundreds of thousands of people received an email from a “friend” stating (approximately) the following:

You’re under investigation! Hide everything and be quick!!! Your name appeared this morning together with 150 more persons on the website of CAFF in Rome. Check it by yourself, you’re on January’s list: the website is the following:

The email is relatively convincing and Symantec believes many users have actually visited the Web site:

The Web site look and feel is very similar to other Italian government Web sites and also the choice of the name—Comando...

Nishant Doshi | 21 Feb 2008 08:00:00 GMT | 0 comments

How many of us click on the links sent to us by trusted friends? Does the trust implicitly extend to the links they are sending? This trust is precisely what phishers take advantage of. Traditionally phishers have mainly used instant messaging (IM) and email to take advantage of the average user. However, with the rise in social networking sites the phishers have bought themselves a brand new playing field.

Symantec has recently observed millions of user profiles of a certain social networking site carrying malicious links. Here is an example of one of them:


The interesting thing here is that the malicious link appears to be a comment from a trusted friend. In most cases the trusted friend is not the perpetrator behind these attacks. The most likely scenario is that the trusted friend’s social networking site credentials have been compromised and...

Candid Wueest | 15 Feb 2008 08:00:00 GMT | 0 comments

It is surely of no surprise, especially to regular readers of our Weblog, that not only banks are targeted by phishing attacks, but nearly anything that can be scammed. We already commented on the rise in attacks targeting virtual worlds and especially massively multiplayer online role-playing games (MMORPGs) in earlier posts. The growing market for virtual currency and player accounts does attract new scammers. It’s the nature of things that if something becomes popular to use, it will also become popular to attack.

There was no exclamation of surprise then (a.k.a. Wow!) when I saw the latest phishing email for World of Warcraft. In general, it attempted to get a reaction from me by telling me that my account was temporarily suspended and that I need to log in to verify my details. Well actually, I would rather not log in to unlock my account but hey, it’s their story, not mine.


Silas Barnes | 25 Jan 2008 08:00:00 GMT | 0 comments

We all know that there is a certain amount of risk we have to accept when we place personal information on a Web site, including the possibility that someone may use that information without our explicit permission. We also know that social networking sites are becoming increasingly popular as more and more people enjoy the convenience with which to re-establish and maintain contact with long lost friends, distant relatives, and work colleagues. Well, now it seems as though you don't even have to go to the trouble of signing up for a profile with one social networking site or even provide content - they can do it for you!

Douglas Rushkoff, an author and documentarian from the United States, was momentarily confused when he started receiving a sudden burst of NDR (non-delivery report) emails informing him that a number of emails he had previously sent could not be delivered - particularly when he did not remember sending any such emails. And these particular emails all appeared to...

Andrea DelMiglio | 10 Jan 2008 08:00:00 GMT | 0 comments

The "referer" [sic] header is generally used to track back-links in order to understand how a certain Web site is being reached by its visitors (hyperlinks on other Web sites, search engines, etc.) According to the RFC2616, “...the Referer request-header field allows the client to specify, for the server's benefit, the address (URI) of the resource from which the Request-URI was obtained (the "referrer", although the header field is misspelled).”

In the online fraud arena, the referrer field can also be used to detect new phishing Web sites. Let’s use as an example the following phishing site (which also happens to be a Rock Phish attack):


Andrea DelMiglio | 08 Jan 2008 08:00:00 GMT | 0 comments

As discussed in the past, cross site scripting (XSS) can be exploited by phishers to build really effective attacks. Today we have analyzed another similar attack that includes some enhanced features. The attack was exploiting an injection flaw in an Internet banking application, specifically located in the module used to display warning messages to users.

The function took a single GET parameter: [ASCII_encoded_message_to_display]

And then returned a page with the following in the body:


Obviously the aim here is to have a single page display warnings that are available to every module in the application. Because the input was not properly sanitized the attackers used this...

M.K. Low | 19 Dec 2007 08:00:00 GMT | 0 comments

There’s been a lot of coverage on the FBI Bot Roast II campaign where they released information about eight suspects who have been indicted for conducting criminal botnet activity. Bot herder suspects from across the United States have been linked to criminal activities such as DDoS attacks, conducting multi-million dollar phishing and spamming scams, and in particular stealing personal information that could lead to identity theft.

Thousands of pieces of personal information are sold and traded in underground economy servers found in Internet relay chat (IRC) rooms. When I look around the servers that we monitor, it reminds me of Causeway Bay at night in Hong Kong. Large advertisements bombard you with capital letters and carders repeat their sales pitches across multiple lines to attract people to their bargains. They list off their best deals and even offer cheaper prices if...

Sai Narayan Nambiar | 18 Dec 2007 08:00:00 GMT | 0 comments

Antiphishing filters basically work either on block listing or on heuristics. "Rock phish" attacks are quite a recent phenomenon that has posed a major challenge to both of the above mentioned antiphishing filters, simply because the unique structure of a Rock phish attack circumvents antiphishing filters. This phishing technique can be traced back to somewhere around August 2006. The URL structure was comparatively simpler then, consisting of a randomized root domain and three sub folders. But the principal cause in the recent surge in the number of such attacks is traced to the botnet phenomenon. So, what then is so special about Rock phish? Well, this technique has a trademark method of striking naïve targets.

The URLs that navigate to the fraudulent Web sites have a unique structure. For example, the structure of this URL is Rock phishing specific: a matter of fact, it gets...