Archive for the ‘Phishing’ Category

Emerging Threat: Please forward your phone number to our Skype number!

Saturday, April 28th, 2007

Phishing scams for banks aren’t really new, but one received last night came with a new twist. The spam e-mail stated:

Bank of America Warning

Dear Bank of America Customer,

During our regular update and verification we could not verify your current
phone number.
Either your information has been changed or it is incomplete.
Please update your phone number by
CLICKING HERE [http://www.xxxxxxx.de/gallery/albums/userpics/boa/] or on the link: http://www.xxxxxxx.de/gallery/albums/userpics/boa/ [http://www.bankofamerica.com/updatephone]

If this is not completed by April 24 , 2007, we will be forced to suspend
your account indefinitely.

The root domain was a hacked, legitimate site running one of the commonly used photo gallery scripts.

The scam page started out with an eye-catching demand that the victim forward their phone number to the phisher’s number as part of the ‘verification’ process:

(Screenshot: Phone Forwarding)

There were two versions of the scam page. The first had specific, numbered instructions:

To confirm you phone number please fallow the steps :

Step 1- Go to your phone and Dial *72
Step 2- Dial 707xxxxxxx (Bank of America Secure Line )
Step 3- Your phone is confirmed
You will receive a call from us in 1 h for final verification !

What followed for both was the ‘standard’ identity theft form:

(Screenshot: Bofa)

In checking with one carrier, Qwest, the procedure for a forwarded number is that the phone rings at the source location first; if it is unanswered after a certain number of rings, the call transfers through to the forwarded number.

It’s unknown what the protocol is for all carriers. The obvious concern is that there is no ‘source’ location ring and the forwarding occurs immediately, which many tests have shown to be the standard behaviour.

Depending on how long it takes the victim to realize they’re not getting inbound calls and resolve the problem, the bank is effectively blocked from conducting fraud checks for suspicious account activity and/or attempting to advise their customer of the identity theft and the need to cancel their cards. Also, from a “cashing out” perspective, if there is any required phone verification to use the credit card on the account, the verification will succeed, as the forwarded number will be routed to the phishers.

The site has been disabled and the phone number appears to be a SkypeIN number that goes to voicemail.
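The lure quoted above combines three tells that a mail filter can check for mechanically: a link whose visible text shows one bank URL while the href points somewhere else, a phone number the victim is told to dial, and a carrier call-forwarding code (*72). The following heuristic scanner is an added example written for this post; it is not the blog author's code, and the sample message, the example-gallery.test host and the 555 numbers in it are constructed stand-ins for the real lure (the page masks the real host as xxxxxxx.de). The registrable-domain helper uses the last two labels only, which is an assumption that a production filter would replace with a public-suffix list.

```python
"""Heuristic scanner for phishing mail, modelled on the 'update your phone
number' lure quoted above.  Added example, not the blog's own code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _MailText(HTMLParser):
    """Collects visible text plus (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.anchors = []          # list of (href, visible anchor text)
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


URL_IN_TEXT = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
PHONE = re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")
# Vertical service codes a lure may ask the victim to dial; *72 is the one on
# the scam page.  Other carriers' codes would be added here (assumption).
FORWARDING_CODES = {"*72"}


def registrable(url_or_host: str) -> str:
    """Crude registrable-domain extraction: the last two labels of the host.
    Assumption: no public-suffix list, so co.uk-style names need a real PSL."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    host = (urlparse(url_or_host).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def scan_email(html_body: str, brand_domains, brand_phones):
    """Return (kind, detail) findings for a mail that claims to come from a
    brand whose legitimate domains and phone numbers are given as allow-lists."""
    parser = _MailText()
    parser.feed(html_body)
    parser.close()
    text = " ".join(parser.text)
    brand_domains = {registrable(d) for d in brand_domains}
    brand_phones = {re.sub(r"\D", "", p) for p in brand_phones}
    findings = []

    for href, label in parser.anchors:
        target = registrable(href)
        shown = URL_IN_TEXT.search(label)
        # Visible text names one site, the href goes to another.
        if shown and registrable(shown.group(0)) != target:
            findings.append(("link-text-mismatch",
                             f"shows {shown.group(0)} but points to {href}"))
        # Any link that leaves the brand's own domains.
        if target and target not in brand_domains:
            findings.append(("off-brand-link", href))

    # A number the victim is told to call that the brand does not publish.
    for number in PHONE.findall(text):
        if re.sub(r"\D", "", number) not in brand_phones:
            findings.append(("unknown-phone", number))

    # Instructions to dial a call-forwarding code.
    for code in FORWARDING_CODES:
        if code in text:
            findings.append(("call-forwarding-code", code))

    return findings


# Constructed sample modelled on the quoted lure (hosts and numbers are fake).
SAMPLE_LURE = """<p>Dear Bank of America Customer,</p>
<p>Please update your phone number by
<a href="http://www.example-gallery.test/gallery/albums/userpics/boa/">CLICKING HERE</a>
or on the link:
<a href="http://www.example-gallery.test/gallery/albums/userpics/boa/">http://www.bankofamerica.com/updatephone</a></p>
<p>Step 1- Go to your phone and Dial *72<br>
Step 2- Dial 707-555-0100 (Bank of America Secure Line)</p>"""

SAMPLE_BENIGN = """<p>Sign in at <a href="https://www.bankofamerica.com/">bankofamerica.com</a>
or call 800-555-0199.</p>"""

if __name__ == "__main__":
    for kind, detail in scan_email(SAMPLE_LURE, {"bankofamerica.com"}, {"800-555-0199"}):
        print(f"{kind:22} {detail}")
```

The *72 check is the one most specific to this scam: a legitimate institution has no reason to ask a customer to forward their phone, so any mail carrying a vertical service code next to a number to dial deserves quarantine regardless of the other signals.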



Phishers Huff & Puff

Friday, February 23rd, 2007

Ripped directly from zonelabs blog site.

Earlier today, the External Threat Assessment Team at Secure Science Corp. emailed an image taken from a Phishing/Carding group website. The question is, what is this image for or what purpose does it serve?

Because these groups are comprised of people who engage in fraud, and break laws, often the biggest obstacle to them cooperating with each other is the fact no one trusts the other.

This image is apparently used to confirm and advertise this group’s abilities to people who might work with them and prove they are capable of conducting fraud — it’s a kind of “show me the money” amongst criminals.

(Image: Money Money Money!)

More at the zonelabs blog

Top 10 Targeted Banks and Their Losses

Friday, May 26th, 2006

Secure Science Corporation released a graph from their surveillance of a carding forum that stole a minimum of 21,000 credit/debit cards over the past 3 months. The graph highlights the top 10 financial institutions and the amount of loss. According to the statute in the 9th circuit, each card is valued at $500.00 on average. This number conservatively states that one carding forum can cause over $10,500,000.00 in loss in 3 months.

(Graph: Top 10 Banks)

Phishers Snare Victims With VoIP

Tuesday, April 25th, 2006

The latest phishing tactic moves the threat of phishing from the internet to the phone, while using easily accessible Voice over IP technology. From TechWeb.com:

A security firm on Tuesday reported discovering a phishing scheme in which the scammers used Internet telephony to copy a bank’s automated voice system in order to steal customers’ passwords, account numbers and other personal information.

In the attack that occurred last week, con artists sent spam disguised as coming from a small bank in a large East Coast city, Cloudmark Inc., a messaging security firm, said. The message asked the recipient to dial a telephone number to talk with a bank representative.

The number went to an automated voice system that asked for an account number and personal identification number, or PIN, in order to access the caller’s finances. The number was obtained through a regular provider of voice over Internet protocol services.

There was no indication that the VoIP provider was aware of the scam, said Cloudmark, which declined to name the company and the spoofed bank.

The incident reflected a mutation in the tactics used by phishers to snare victims. More traditional schemes involve spam asking the recipient to visit their bank’s Web site through a link in the message. At the bogus site, the visitor is asked to input personal information.

The latest scheme, however, is the first Cloudmark has seen using Internet telephony. An investigation by the San Francisco security firm showed that the scammers had used open-source software called Asterisk to convert a computer into a PBX, or private branch exchange, running an automated telephone information system. The voice system sounds exactly like the bank’s phone tree, directing the caller to specific extensions, Adam J. O’Donnell, senior research scientist at Cloudmark, said.

Click here to continue reading the story.

Average of 13,000 Stolen Logins Per Day Per Phishing Group

Monday, April 3rd, 2006

Brian Krebs’ SecurityFix Blog has an article describing the “real” numbers behind the data theft business. For the sample, he looked at only one phishing group’s success and announced the numbers: over 13,000 logins stolen in one day, including 3,536 credit cards, 255 PayPal accounts, 1,038 eBay accounts and 2,609 Hotmail accounts.

17 Million Mystery Database Entries in Hands of Phishers

Sunday, March 12th, 2006

Wired wrote two solid articles on the 17 million entry database supposedly belonging to “Ibill”. The first one discusses the discovery of over 17 million entries exposing internet consumers. The follow-up covers the fact that Ibill denies that this is their data, and rightfully so, since they do not accept Diner’s Club cards. So whose data is this? And who is specialham.com? According to Google’s cache, phishers and spammers are selling “18 million Ibill” for $1300.00.

Mountain-America.net Phish Uses Valid SSL Certificate

Monday, February 13th, 2006

A recent phishing email targeted at the Mountain America Credit Union has been generating a lot of news today, even reaching the front page of Slashdot. The phishing email requests that the user enroll in the Verified by Visa program, a legitimate security program offered by Visa, and includes the first five digits of the card being enrolled. These five digits are found on all Mountain America cards, but it is not likely that Credit Union members understand this. The link in the email redirects the user to www.mountain-america.com - which is of course a phishing site with a look-alike URL. The real URL of the bank is www.mtnamerica.org.

What the press finds the most interesting about this story is that the phishing site was issued an SSL certificate this morning by Equifax, which is now part of a company named Geotrust. SSL certificate issuers are supposed to have a process in place to ensure that the entity requesting the certificate is authorized to do so on the company’s behalf, obviously to avoid situations like this where SSL certificates are issued to illegitimate sites. In this case, Geotrust claims that their largely automated process failed to flag the site as suspicious, because the domain name was not matched to any related financial institutions…
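The lesson of this incident is that a certificate proves control of a domain name, not that the name belongs to the institution it resembles, so the useful check is on the name itself: does a newly seen or newly certified domain look like an impersonation of a brand it is not registered to? The code below is an added example, not from the post, the credit union or Geotrust; it flags candidates that carry words from the brand name (mountain-america.com), share the real domain's label under a different TLD, or are a short edit away from it (the similarity threshold of 0.8 is an assumed tuning value). The sample inputs are constructed from the two domains named in the post.

```python
"""Look-alike domain check for a brand, prompted by the mountain-america.com
lure above.  Added example, not from the post or the credit union."""
import re
from difflib import SequenceMatcher


def normalise(domain: str) -> str:
    """Lower-case, strip a trailing dot and a leading www."""
    host = domain.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def brand_tokens(brand_name: str):
    """Words of three or more characters from the brand name, e.g.
    'Mountain America Credit Union' -> ['mountain', 'america', 'credit', 'union']."""
    return [t for t in re.split(r"[^a-z0-9]+", brand_name.lower()) if len(t) >= 3]


def lookalike_reasons(candidate: str, legit_domains, brand_name: str,
                      threshold: float = 0.8):
    """Return the reasons a candidate domain looks like an impersonation of
    the brand; an empty list means it is one of the brand's own domains or is
    unrelated.  Only the name is examined: a valid TLS certificate for the
    candidate proves control of that name, nothing about who is behind it."""
    cand = normalise(candidate)
    legit = {normalise(d) for d in legit_domains}
    if cand in legit:
        return []
    # Compare the leftmost label with hyphens removed ("mountain-america" ->
    # "mountainamerica") so punctuation tricks do not hide the resemblance.
    cand_label = cand.split(".")[0].replace("-", "")
    reasons = []
    hits = [t for t in brand_tokens(brand_name) if t in cand_label]
    if hits:
        reasons.append(f"contains brand words {hits}")
    for real in sorted(legit):
        real_label = real.split(".")[0].replace("-", "")
        if cand_label == real_label:
            reasons.append(f"same name as {real} under a different TLD")
            continue
        ratio = SequenceMatcher(None, cand_label, real_label).ratio()
        if ratio >= threshold:
            reasons.append(f"{ratio:.2f} similar to {real}")
    return reasons


# Constructed sample set around the two domains named in the post.
LEGIT = {"www.mtnamerica.org"}
BRAND = "Mountain America Credit Union"
CANDIDATES = [
    "www.mountain-america.com",   # the lure's domain
    "mtnamerica.com",             # same label, other TLD
    "mtnamerlca.org",             # one-character substitution (constructed)
    "www.mtnamerica.org",         # the real site
    "example.org",                # unrelated
]

if __name__ == "__main__":
    for name in CANDIDATES:
        reasons = lookalike_reasons(name, LEGIT, BRAND)
        print(f"{name:28} {'FLAG ' if reasons else 'ok   '}{'; '.join(reasons)}")
```

Run over a certificate-transparency feed or new-registration list, this sort of check is what the issuer's automated process was missing: it does not need to know anything about the applicant, only that the requested name resembles a name the brand already holds.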

The Washington Post and the Internet Storm Center have more on the story.

Phisher in Japan Gets Caught

Tuesday, February 7th, 2006

The Tokyo Metropolitan Police Department served an arrest warrant for a 25 year old male for phishing Yahoo! Japan’s Internet auction service.

Story in detail found here

Swordphish

Wednesday, January 25th, 2006

An automated method of fighting phishing - phishfighting.com

A while ago I was thinking that someone should create a way to bombard or sabotage a phisher’s drop site with loads of randomly created false data. Just when I started to think that I had really thought of something entirely revolutionary… well, I found that someone else has already thought of it.

www.PhishFighting.com, developed by Robin Grimes, is a very noble attempt at employing the public at large with the task of fighting phishers. With currently 5,271,683 fake entries to 17,305 URLs, I imagine it could be quite difficult for any phisher to sift through all the junk data trying to find his real victims.

The site basically works like this:
1. Enter the phisher’s URL
2. Click go
3. Watch the site appear with the false data automatically entered
4. Data gets submitted and the process repeats every twenty seconds

I’ve tried the site and I was quite impressed, although not everyone is as enthusiastic about it as I was when I found it. Various blog write-ups have picked it apart and found ethical faults with the idea of what this site is trying to do. But I say give the guy a break; it’s obviously a work in progress and I think he’s on to something of a worthy cause.

-GK

2006 Phish Tales: Flawed and Fishy Defenses

Wednesday, January 25th, 2006

From SearchOpenSource

Phishers may not have won the game, but they’re definitely trammeling their opponents’ defenses, says Phishing Exposed (Syngress Publishing) author Lance James. James is the chief technology officer for Secure Science Corp., in San Diego, Calif. In this interview, he describes security failures and new anti-phishing weapons and justifies his book’s exposure of vendors’ security holes.

Are there any open source tools that help combat phishing?

James: Short answer, yes. WiKID Systems Inc. has an open source, two-factor authentication system that helps with aspects of phishing.

Long answer, yes and no. I believe people have written software that is supposed to help, but the rapid evolution [of phishing] requires in-depth, security solutions. That has yet to be seen in the open source world. There is no silver bullet for phishing.

In Chapter 5, “The Dark Side of the Web,” you mention that patches are only a cover-up for poor Web development practices. What are some examples of the latter, and what basic common-sense precautions can a user take to prevent these mistakes?

James: Follow the Comprehensive Lightweight Application Security Process or some similar framework for all operations of the software development lifecycle. If you can’t build a strong foundation, no matter how much patching you do, you’ll always keep doing that till the house just falls apart, eventually. Establish a security process from the beginning of your design phase.

SSL’s (Secure Sockets Layer’s) threat model is bad for the online banking scheme because it doesn’t address proper systems of trust to people who understand what trust is. Does a home user know what an SSL fingerprint is? No, of course not. That means that SSL was approved, deciding that that wasn’t important. Well, it is now with all this phishing going on, now, isn’t it?

How do you tell the difference between genuine software fix-its and patches masked as malware, such as a faux Red Hat patch?

James: You don’t. Trust is relative. Look at Sony and their rootkit problem. We all know Sony by name, but now we’re seeing they put a rootkit in there. [In its most basic form, a rootkit aims to disguise the presence or activities of a person or process on a target host while providing surreptitious access for later re-entry.] Validation services may help, but as I said in my book, browsing the Web is blind faith.

How do you establish trust? That [requires a] combination of trust metrics, cryptography, out-of-band communication and secure robust technology.

What are some two-factor authentication methods? How feasible or practical is this kind of setup?

James: Two-factor is coming out of the gate rather slowly. Malware will defeat it, and phishers have been using malware quite a bit now. The concept of two-factor is something you have and something you know. Your ATM card and PIN code is a two-factor authentication — and, as you might have noticed, the ATM part of your card doesn’t seem to get compromised too often. The failure with that card is it usually acts as a credit card number as well.

The newer two-factor auths are designed to be moveable RSA SecurID changes, thus the session gives limited access to an attacker. The RSA SecurID token — which is a 26 bit number that is appended to your password — rotates every 20 seconds, all the way up to a minute optionally.

RSA is not perfect. It’s a good start. But getting banks to deploy this to their customers doesn’t make sense. Banks don’t want to lose their customer base by adding yet another confusing thing to the already existing online banking. It’s a hard sale.

In your book, you describe exploitations of vendor vulnerabilities. Though vendors were notified of the breaches, some would claim that this crosses an ethical line. How would you respond to this?

James: Well, if they have decided not to adhere to the advisories they were given, what do I do? I believe it’s OK to apply pressure to a vendor to get them to do their actual job of protecting their customers. It’s the same as Bugtraq; in most cases, you report it to the vendor and hope they fix it and then release it. This book publicizes the vulnerabilities. I’m sure the vendors will be fixing them, if they haven’t. It’s better they were notified by someone doing good, rather than finding out in a phishing attack and possibly losing some of their customer base due to lack of confidence in their security.

What are the most effective ways to defend against phishing?

James: Common sense is the answer; but it’s not perfect. The standard answer is make sure you’re not running Windows 98 or ME, keep your 2000/XP boxes up to date. Trust your instincts. If an e-mail feels suspicious, don’t click on it. Run protective software that assists with keeping an eye on suspect e-mail. Keep your antivirus [program] up to date.

The truth of the matter is that users can’t prevent [phishing], because the ones that get hit never knew what the problem was in the first place. So, the problem can’t be dramatically reduced from their end.

Secondly, the attacks are getting way more sophisticated. Take a look at the recent .WMF exploit that is out there. A week goes by, and Microsoft just got a patch going. That’s a week where phishers probably made a lot of money, being that it’s a phisher that designed the exploit in the first place.

Demand that vendors, such as banks and e-commerce [firms], start getting smarter about phishing! They can reduce the e-mails they send that look like phishing e-mails. Something similar to eBay’s MyInbox is a great start. They should audit their Web sites for content and vulnerabilities that may lend a hand to a phisher. Stop reacting. Get proactive.

Anatomy of a Phish III Now Available

Monday, January 23rd, 2006

A detailed forensic case of phishing, botnets and fraud, written by Michael Hale Ligh of mnin.org and Matt Richard of mullingsecurity.com. Also available are Parts 1 and 2.

http://www.mnin.org/write/2006_phish_3.pdf

Phishing Exposed: Chapter 5 “The Dark Side of the Web”

Friday, January 20th, 2006

Syngress has made a PDF of Phishing Exposed Chapter 5 “The Dark Side of the Web” available on searchopensource.techtarget.com. This phishing primer sample chapter explains easily exploited dynamic HTML, features that are attractive to many hackers, as well as demonstrating how simply prominent institutions, like Bank of America or T.D. Waterhouse, were easily penetrated. Cross site scripting is also covered in this chapter, with an example attack against Yahoo using XSS-Proxy.

Read the entire chapter in this PDF.

2006 Phish Tales, Part 1: Worse on Linux or Windows?

Friday, January 20th, 2006

From SearchOpenSource.com

Phisher phobia has gripped IT users and administrators, thanks to some highly publicized phishing successes — and some users and admins should be more worried than others. But phishers can be beaten, says Lance James, author of the new book, Phishing Exposed, published by Syngress Publishing. James is the chief technology officer for Secure Science Corp., in San Diego, Calif.

James describes ways phishers attack Linux and Windows platforms and which platform is more vulnerable. Plus, he warns about new threats coming in 2006 in part one of this two-part Q&A. In part two, he discusses the ways anti-phishing security has failed as well as the merits of various defenses.

What new security issues do you see arising in 2006 for Linux and Windows?

James: Well, mostly remote attacks will be the mainstay against Linux, including Linux server attacks, such as Apache, cPanel, SMTP attacks.

Phishers have a use for Linux, but it’s for the distribution of their attacks. So, we’ll see Linux servers consistently being broken into by phishers, using them to either send spam or to launch their phishing attacks.

With Windows, [expect] continued ActiveX exploits and client-side attacks. Internet Explorer bugs will be the attack point for home users. Home users are purchasing home firewalls, but phishers break that defense because they deliver their attacks at the presentation layer: e-mail and Web.

In which areas is Windows security more vulnerable than Linux?

James: The user access issue: By default most Windows users are logged in with administrator privileges. In Linux, this is the number one rule not to do and, by default, they create a user account and log in with fewer privileges. This admin role in Windows [allows] phishers to do less work to attack a Windows machine and spread malicious code to your computer.

The advantage of Linux is not just security, but it’s also the user-base awareness. The users of Windows are for everyone, whereas Linux has a certain audience that tends to be more technical. That level of technical ability, by default, changes the threat model for Linux compared to Windows due to the fact that most Linux users know what phishing is. The victim of phishing usually has never heard the word.

What about security at the browser level?

James: It’s not a war about who’s more secure, [Mozilla] Firefox or IE; but in Linux you have multiple browsers to choose from, and in Windows the default is IE, which holds the majority of the consumer base. So, while Firefox may be having some vulnerability, it’s targeted less by phishers since they want the IE user. Phishers tend to target the “default” user (i.e., the default installation of a machine — plenty of them going around).

Historically, IE is a bigger target for multiple reasons: It’s a black box, thus researchers get curious; and it’s used by the Windows user base — a significant number of Internet [users]. Thus, it gets targeted more by researchers and black hats. It’s Microsoft, and Microsoft has enemies.

Firefox has had some nasty vulnerabilities in the past, including 2005, but they [the developers] are quick to react and very open about the vulnerabilities found. This openness enables more of a gentle approach for dealing with these vulnerabilities, and it’s pretty efficient. Opera doesn’t have a strong user base, it will be examined less for bugs, and this could be bad for Opera if it were to get popular.

What is the difference in methodology between attacks on Linux and Windows?

James: Windows is one distribution. That makes it a single point of failure. If a virus author writes a virus for Linux, the propagation will be low, due to the fact that all the different distributions for Linux are configured differently. In a way, even though it’s the same operating system, its heterogeneous configuration and services makes it a bit more difficult to just write one program and infect a bunch of Linux machines.

Let me give an example: With Windows, most virus attacks are typical, found in e-mail, on the Web or using a remote attack like rpcdcom (remote procedure call, distributed component object model) or IIS [Microsoft Internet Information Server]. How many other Web servers have you seen being used in Windows? IIS seems to be the main one.

When people see [a Web server on] Linux, it’s Apache in versions 1.3.31, 1.3.33, 2.0.xx or others. So, the virus attacker will have to scan the Internet looking for the right Apache version to exploit. Also, that’s a server, thus it affects systems differently. Then, the virus has to figure out how to get root as well.

Usually, when IIS is run, it is system access by default, and you can count on it. You pop IIS, and you have root, and the configuration is almost guaranteed to be the same for all the boxes you run into. With Apache, the user is nobody, and getting root on each different distribution will be difficult, as you will have to identify the situation.

It is essentially a homogeneous versus heterogeneous concept between the threat models for attacking these systems. The exploits may be similar, but the reason, the method and the steps to attack it are different.

This doesn’t mean that a PHP virus won’t hit all Linux systems, but the chances of popping root on every single box are lower. In short, the return on investment is different since the demographical data is different for each platform.

In your book, you write that Microsoft has taken the stance that stopping phishing is the user’s, not the browser’s, responsibility, and that user education is the answer. What do you make of this stance?

James: I don’t agree with it, because there are many responsibilities. The computer user is just that, the user. They are not experts. They know how to use their computers in the way that Windows or Macs train them to use it.

I’m not against education, but that’s one step in a very large process. You don’t go to battle with just one weapon. There is vendor responsibility; misplaced trust breaks all the education in the world.

I’m not trying to bash Microsoft with that statement. Microsoft believes it has a solution. VeriSign [Inc.] believes it has a solution. The crypto groups at CAcert believe toolbars are the answers, and companies that sell virtual keyboards believe they have the answer.

The truth is education, toolbars and consumer contact don’t work. The people that will be getting victimized are the ones that you never reached, and the fight to educate against phishing is a losing battle. Phishers move faster. By the time we tell them what it is, they’ve owned us.