Online Fraud

Marian Merritt | November 20th, 2009
I had the honor recently of moderating a virtual roundtable discussion on the top Internet security trends from 2009 and what we expect to see in the security threat landscape in 2010. Funny thing about security predictions—you hope they won’t come true, but expect them to anyway. The roundtable featured expert panelists Paul Wood (Senior Analyst, MessageLabs Intelligence, Symantec) and Zulfikar Ramzan (Technical Director, Symantec Security Response). They each have unique insights into the world of cybercrime, spam, phishing attacks, and other cyberthreats that plague us all.   We want to give a big thanks to everyone who joined in to listen to our experts, and we hope you found it interesting. For those of you who couldn’t make it, please take a few minutes to listen to the podcast of the actual roundtable. You can read more about Symantec’s top trends from 2009 and our predictions for 2010 by clicking on the following links:   Breadth of Security...
Mayur Kulkarni | November 19th, 2009
We are monitoring new malicious attacks that look similar to the fake "Microsoft Outlook reconfigure" spam campaign messages we have been observing for the last couple of months. That malicious campaign was followed by attacks on social networking sites, transforming from malicious code attacks into URL-based phishing attacks. These new attacks have similar traits, such as the spoofed “From” headers, which aggressively target and baffle enterprise users, and a subject line that is intended to cause panic (for obvious reasons—have a look at the example image below). As seen in the message above, the mail attachment is a zipped file named “utility.zip” that extracts an executable detected as Trojan.Dropper by Symantec antivirus. Using HTTP, this threat contacts a known C&C server for Zeus/Zbot in Ukraine. (The Zeus/Zbot family of threats is known to distribute malware using attachments and URLs in spam campaigns.) These attacks seem to be...
Kevin Haley | November 17th, 2009
Yes, it’s a cheap trick and not even close to original. But the lesson here is that even obvious social engineering tricks can get people to click on a link. We can’t help ourselves. We love to click. Clicking on links and attachments that are accompanied by just the slightest bit of social engineering appears to be a basic human need. I expect it to show up in a revision of Maslow’s Hierarchy of Human Needs any day now—behind love, but certainly ahead of safety. I do have a point to all this. Two actually. As we compiled the Security Trends to Watch in 2010, what occurred to me is that the people who most needed to read this information never will. At least not without some social engineering on my part. And since social engineering plays such a prominent role in future trends, it seemed appropriate. So I’ve decided to use this little trick to get people to read the list of trends below. So… Don’t read this if you think antivirus technology...
Kevin Haley | November 17th, 2009
The Security Response team has compiled the top security trends of 2009. We pulled data from the Global Intelligence Network and the experiences of the thousands of analysts and security experts at Symantec to come up with the top trends for the year. While none of these trends will be a surprise to anyone even casually following the threat landscape, when compiled and summarized, it is clear that the breadth of security problems in the past year was pretty stunning. For example:
• Toolkits and threat recycling have made malware easier to create than ever
• Polymorphic technology is being applied to make threats harder to catch
• Botnets, large and small, are used as the foundation of attacks making most attacks complex
• All major news events are used for social engineering
• Major brands are being appropriated by cybercriminals to lure online victims
But, it’s the...
Liam O Murchu | November 16th, 2009
Finally, some help with explaining Internet security to my non-geek friends! The Guide to Scary Internet Stuff video series will hopefully make my life a little easier. Explaining the intricacies of Internet security is a challenging task. I often have difficulty explaining to my non-technical friends and relatives why they need to know about risks on the Internet. On top of that, I sometimes discover that my advice has fallen on deaf ears as I inevitably fix their computers after a click on a spam or phishing link, or after they have not run Windows Update or updated their antivirus software in a while. Although this is not the normal technical type of material that we post here on the Security Response blog, when Dominic Cook from our UK PR team showed me these, I immediately thought they were worth a post. The animations are fun, but most of all I think my friends will understand them, remember some of the advice, and hopefully be safer online after watching them—although...
Samir Patil | November 12th, 2009
Phishing attacks jeopardize users’ personal information, including banking credentials. The huge gain that Internet miscreants receive from these attacks drives them to think of newer and more effective bait to phish users’ personal data. To carry out their plans, spammers most commonly abuse new security services/features provided by legitimate companies. Many financial institutions have already started providing a pin/password generator device (also known as “secret reader”) for their customers to conduct secure online transactions. The device generates random pin codes after a specified interval of time. In a recent phishing attack the fraudsters promoted a similar secret reader. This fake message claims that a bank has developed a secret reader that generates a password of 10 alphanumeric characters. The message also targets existing customers who are already using this device provided by the bank, and informs them that existing device will no longer be...
Samir Patil | November 6th, 2009
Scammers based in Nigeria have long been known for using legitimate email formats for spreading infamously fraudulent 419 messages. We have already monitored e-card services, social networking invites, and various other services provided on social networking sites. Yet another example is a calendar service being abused for sending scam messages. Sadly there is an addition to this list, where the “send link to friend” service is exploited for sending scam messages. Many news websites provide an option to send news links to another person. A text area is also provided to write personalized messages. It is a general tendency of netizens to share important news with friends by forwarding the links along with their comments on the news. In a recent spam attack we monitored a typical 419 scam message injected into the text area of a news article. With this, scammers smartly introduce a scam message in an otherwise very legitimate looking mail. The “Subject” line of...
Dermot Harnett | November 5th, 2009
October 2009 saw spam volumes averaging at 87 percent of all email messages, which is consistent with spam volumes observed in August and September 2009, but 10.6% higher than October 2008. A notable highlight this month is the growth of spam originating from APJ (23% increase of 6% since June 2009) and South America (22% increase of 5% since June 2009) with a corresponding decline in spam originating from EMEA (28% decrease of 6% since June 2009) and North America (20% decrease of 5% since June 2009). This change can be attributed to a number of factors, including spam levels increasing; distribution networks becoming more dynamic as additional broadband connected targets are coming online every day; botnets continuing to jockey for position; and countries such as India, Taiwan, Thailand, and Chile becoming more visible as regions of origin for spam. With respect to spam categories, Internet spam increased by 7% and now accounts for 39% of all spam messages. This category includes...
Joji Hamada | November 3rd, 2009
Recently, I've been seeing phishing attacks using Web forms attached to emails making the rounds again. This type of phishing isn't so common but is used on occasion, so I want to take this opportunity to remind everyone not to fall for this trick. Common phishing attacks include emails purporting to be from legitimate entities like financial institutions, auction sites, and SNS sites which include links to Web sites set up by the attacker to steal user information. In this case, however, the phishing site arrives as an email attachment rather than a link to the site included in the body of the email. Here is what one of the emails looks like: And the attached HTML file looks like this: When the form is filled out and submitted, the information is relayed to an external server prepared by the attacker. After the submission is processed, the user is redirected to a real site owned by the bank. To combat phishing attacks, most web browsers have a security feature that alerts you when...
Mayur Kulkarni | November 3rd, 2009
Symantec has always recommended that personal information, especially financial information such as Social Security numbers, credit card numbers, and of course your email address must not be revealed anywhere on the Internet. Many security experts also believe that disclosing an IP address to an unknown person on the Internet is equally dangerous. We also now need to be cautious of not divulging our mobile numbers or date of birth because these bytes of information are also vitally essential, and are considered part of your identity by financial institutions. We are monitoring a new wave of phishing attacks that is attempting to extract information such as the mobile numbers and/or dates of birth of recipients by using false alerts:   A couple of the Subject lines of these alerts are: TEXT MESSAGE ALERT MOBILE TEXT MESSAGE ALERT As shown above, these fake email alerts ask users to log in and update their mobile phone number. When the users click on the link they are redirected...
Mayur Kulkarni | November 3rd, 2009
Symantec recently reported a malicious spam campaign against Facebook, which is now accompanied by a phishing attack. These messages look like an official Facebook invite or password reset confirmation mail. If we place the cursor over the update button in the message, we can actually see the phishing URL in the status bar. If a user clicks on the “Update” button, he or she is redirected to a Facebook look-alike phishing site. Here, users are asked to enter a password to complete the update procedure. Unfortunately, the user’s password will be stolen if they try to log in on this page. These attacks can be identified by the subject lines listed below:
Facebook account update
New login system
Facebook Update tool
In another observed change, we detected new malicious attacks on MySpace users as well. As seen with the attacks on Facebook users, we monitored zipped attachments containing executables in these messages—detected as Packed.Generic.261 by Symantec...
Peter Coogan | October 14th, 2009
Yesterday a friend of mine sent me a copy of an email he received regarding the renewal of a domain name he owned, which was due to expire. Since the information in the email was correct, he clicked on the renewal link provided. At this point he became dubious of the email—and for good reason. As in most cases like this, at first glance you would find it difficult to spot anything out of the ordinary with this type of email and would simply presume that it was a friendly reminder from your ISP to re-register your domain name.   When the link provided in the email is clicked (in order to supposedly renew the domain) it brings you to a site where you are presented with a page like the one shown below. Again, there is nothing really out of the ordinary and all appears nice and professional:   Once you start to look at their pricing structure, however, things begin to seem a bit suspicious. According to the site Regselect.com you can renew your domain name for one year...
Kevin Haley | October 7th, 2009
Every day when I walk into work I’m greeted by an avalanche of data on new malware and Internet scams. The numbers in the last few years have been staggering. And when you think about the people behind the numbers it can get quite sad—people who’ve had their computers taken over, been scammed, stolen from, and just plain abused by cyberthiefs. It can get to you. A lot of days I don’t feel so good. Today I feel better. The FBI just announced they will arrest nearly 100 people involved in a phishing scheme. The FBI calls it Operation Phish Fry. Operation Phish Fry means that someone in the FBI loves a bad pun. But the important thing is it means that a whole bunch of bad guys are going to jail. It’s not going to eliminate all phishing attacks (we detected 55,389 phishing Web site hosts in 2008 alone). But this latest move takes a lot of bad guys off the Internet and serves as a warning to others. Even those who think they are protected because they are...
Dermot Harnett | October 7th, 2009
Overall spam volumes averaged at slightly over 86 percent of all email messages in September 2009, which is a decrease of 4 percent since July 2009. However, it is considerably greater than September 2008 when spam levels averaged at 78 percent of all email. Notable this month is that the percentage of spam containing malware has increased, reaching up to 4.5 percent of all spam at one point. When compared to August 2009, Symantec has observed a nine-fold increase in spam containing malware during September. With respect to spam categories, the main movers were Internet spam, which increased  by 3 percent again this month and averaged at 32 percent of all spam; and financial spam, which decreased 3 percent to account for 17 percent of all spam. Click here to download the October 2009 State of Spam Report, which highlights the following trends: ·         Spam Spotlight : Implications of the Increasing Malicious Spam September 2009:...
Hon Lau | September 30th, 2009
An unfortunate side effect of any news-worthy disasters of the modern day is that a wave of malware will often follow in the virtual world after the initial event in the physical world. The large earthquake (8.3 on the Richter scale) last night recorded off the coast of Western Samoa and the subsequent tsunami that followed caused much destruction and loss of life to the islands near the epicentre of the quake. As with any large scale disasters that quickly become major news events, people want to know what happened and to know that loved ones are safe. The Web, being a major source of information to many people around the world, is one of the first places to see such information-seeking activity. For many people, search engines are the gateway to the masses of information available and because of this, it is also one of the first places to be targeted by malware creators. They waste no time in getting their malicious software and web sites set up and poisoning the Web searches...
Mathew Maniyara | September 25th, 2009
Symantec has observed that most phishing URLs associated with Chinese brands attempt to trick users by stating that they are winners of a great prize. The fake websites declare that the visitors are winners for reasons such as:
1. Customers of the brand were chosen for a lucky draw and that the customer won the draw.
2. The brand wishes to thank the customer for their long time commitment by gifting them prizes.
3. The customer has triumphed in a gaming site of the brand, attaining the highest score.
The phishing site goes on to state that the customer needs to submit confidential information to receive the prize, either to prove his or her identity or for the transfer of the prize money to the customer’s bank account. The following image is an example of a Chinese phishing page for a gaming website. The page says that the customer needs to enter details to prove his or her identity so as to attain the award-winning gift....
neil_rogers | September 17th, 2009
Everyone knows USB drives are a huge chance for losing data. I found a way to make that worse. I bought a USB drive for my wife to use on her personal laptop. We all carry at least one of these. Her drive stopped being recognized, let alone work on the system. Since it had only been used 3 times, I wanted the manufacturer to replace it under warranty. They offered to exchange it only if I send it back with drive intact. I was shocked that they required me to send it back. They had a fax number that if I was with the government and can send letterhead of such an organization asking to not send the drive, and they will exempt it. So a new drive cost $60-$150 depending on size. Having personal, let alone any corporate data on the drive and it falls into the wrong hands, which if it is being sent in a box that says what company makes the drive or is addressed to the company, it would be easy for someone to take a look inside to...
Dermot Harnett | September 8th, 2009
Overall spam volumes averaged at 87 percent of all email messages in August 2009, which is a decrease of 2 percent since July 2009. Health spam, which decreased by 17 percent in July, also decreased again in August and averaged at 6.73 percent. It is interesting to note that over 29 percent of spam is now Internet-related spam. Internet-related spam attacks are those that specifically offer or advertise Internet- or computer-related goods and services. Examples include attacks promoting Web hosting, Web design, and spamware-related products and services.   Holiday spam campaigns have also begun taking advantage of Halloween and Christmas. This follows closely after Labor Day-related spam in a nod to what some economists predict will be a very difficult holiday season for legitimate retailers.   Click here to download the September 2009 State of Spam Report, which highlights the following trends:   •       Holiday Spam Campaigns Begin...
Mathew Maniyara | August 28th, 2009
Symantec has observed a sudden rise in phishing on Indian brands recently. The number of phishing URLs  on Indian brands in the first two weeks of August was nearly 2% of all phishing attacks. In the past, the usual average was typically 0.5%. This means that the rise has grown four fold in just two weeks. The geo-location of each phishing site was examined and it was observed that none were in India. But, it is likely that at least some of the phishers involved are in India since the confidential data stolen can be used for specific Indian needs. For instance, there are several websites dedicated to the purchasing of Indian goods and articles, which accept net banking payments only from a given list of Indian bank accounts. Hence, the attackers may be employing every means of masking their location by creating their website elsewhere and not on Indian servers. There were five brands targeted that were all in the banking sector for the given time period. Among these five brands...
Zulfikar Ramzan | August 20th, 2009
Recently, Twitter implemented technology to help stem the threat of malicious URLs being propagated through its service. This approach seems to be a great effort on the part of Twitter to prevent attackers from tweeting malicious links. It appears as if the tool is filtering tweets and comparing any embedded URL to their list of known malicious sites. Trying to determine whether a URL points to a malicious website in a large-scale automated fashion, especially in today’s threat landscape, is a challenging problem. From my perspective, there are a few issues that need to be worked out. Twitter is likely in the nascent stages of addressing these types of issues and we expect they will try to overcome the associated limitations. To date we've only seen a relatively small number of attack attempts involving malicious URLs on Twitter. URL-shortening services are often at the heart of these types of attacks as bad guys try to take advantage of the system to disguise malicious links...
Suyog Sainkar | August 19th, 2009
The fraudsters are constantly coming up with innovative ways to deceive innocent users of the Internet. Symantec recently observed an increase in phishing attacks facilitated by spam email messages that are targeted towards a popular email client application. The spam message requests the intended victims to re-configure the email client application by clicking on the link provided in the email. The phishing spam messages previously in circulation had a malicious file attached as a setup for the bogus update. The recent spam email messages, in an attempt to appear legitimate, also provide a contact number for any queries regarding the update: “If you have received this message in error, please notify us immediately by calling (310) xxx-6428 and destroy the related message.” The spam emails have bogus From and Subject headers such as (but not limited to):
From: Mlcrosoft Outlook
Subject: Please re-configure your Microsoft Outlook again!
Subject: Outlook Express Setup...
jmock | August 10th, 2009
We filter outbound mail for spam and quarantine any messages that are flagged as spam.  Messages caught in the quarantine in this manner normally require additional follow up or investigation.  Currently, you can only delete or release messages from the quarantine.  We would like to be able to export and/or forward messages from the quarantine. This would allow us to provide messages to our forensics team and/or offload storage of message that may need to be kept at the request of legal or some other function requiring storage for any extended period of time.
Kevin Walsh | August 6th, 2009
Many blogs on the Symantec website are very informative and visually explain "what is phishing". These efforts have brought down the instances of user mistakes (such as clicking a URL in an email, submitting information to an untrusted website, etc.). But we have yet to see browser manufacturers addressing the root cause of phishing. Phishing is still a big concern for a new Internet user, especially kids. I see a parallel between usual phishing and Internet crime against kids. Both have the same root cause - who can be trusted on the wild-wild-web? Explaining "phishing" to a layman: The Internet scammers develop a website which looks just like your bank or merchant. Then the scammer will send you an email that appears to be an official email from your bank or merchant. This email will ask you to approve a transaction you recently made, or re-verify some personal information by clicking a weblink. If you are not careful and click the weblink you may not realize that you...
Vikram Kumar-SA... | August 6th, 2009
Symantec Report on Underground Economy. To know what's happening in underground business. How rapidly they are increasing and getting profited. How they work, who they are, who got caught and how they get caught. What measures to follow to be protected. A "must read" to our generation. Details about RBN, The ShadowCrew Forum, Grifters, DarkMarket, CarderPlanet and many more and how they were busted.
Dermot Harnett | August 5th, 2009
While overall spam volumes averaged 89 percent of all email messages in July 2009, spam volumes continue to fluctuate. During July 2009 image spam continued to have an impact, reaching 17 percent of all spam during one point in July. Health spam decreased by 17 percent, while product and 419 spam both saw increases of eight and three percent, respectively, month over month. Similar to tabloid magazines, spammers continue to have a fascination about certain celebrities such as President Obama, Michael Jackson, and Emma Watson (from the Harry Potter franchise)—they all featured in spam attacks in July 2009.   Click here to download the August 2009 State of Spam Report, which highlights the following trends:   ·         Spammer’s Opinion Poll: President Obama and Michael Jackson ·         Spammers Cast Their Spells to Produce Harry Potter Spam ·   ...