Don’t be misled by the title: phishing is not about to disappear. The publicity and the anger surrounding phishing have simply pushed phishers toward different, and in many cases better, techniques.
Although, according to the Anti-Phishing Working Group, the number of phishing sites grew by only 1.8% in February, the number of pharming attacks is growing. The bad news is that pharming is much harder to detect, because only some users’ traffic gets redirected, and only temporarily.
Previous phishing attacks lured a user in through social engineering, primarily spoofed e-mail and websites. Now, not only are phishers beginning to use Instant Messaging (IM) to spoof companies, but phishing without a lure is becoming more prevalent. There are several variations. The most common are malicious code which modifies a hosts file to point commonly accessed sites to a fraudulent site (called "pharming") and malicious code that logs a user’s keystrokes based upon a set of predetermined URLs that are accessed (known as "keylogging"). DNS cache poisoning is an alternative technique that can be used to resolve information to non-legitimate pharming web sites.
[Via eMarketer, NY -]
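The hosts-file variant of pharming described in the excerpt above is cheap to check for on an endpoint. The following is an added example, not code from the article or from eMarketer: it parses hosts-file text and flags any entry that pins a watchlisted hostname to an address outside the loopback/unspecified range, and any single non-local address that collects hostnames from unrelated domains (one phishing server impersonating several brands). The sample file, the watchlist, the bank and webmail hostnames, and the 192.0.2.x / 10.x addresses are all constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed sample modelled on a tampered Windows hosts file. The bank and
# webmail hostnames are invented; 192.0.2.44 is a documentation-range address
# standing in for the attacker's server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.44      www.examplebank.com examplebank.com   # injected by malware
192.0.2.44      login.example-mail.com
10.0.0.5        intranet.corp.local
0.0.0.0         ads.example-tracker.net              # legitimate ad blocking
"""

# Assumed list of high-value hostnames the organisation wants to protect.
WATCHLIST = {"www.examplebank.com", "examplebank.com", "login.example-mail.com"}


def parse_hosts(text):
    """Yield (line_no, ip_address, hostname) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # malformed line, not a mapping
        for name in fields[1:]:
            yield line_no, addr, name.lower()


def registrable_domain(hostname):
    """Crude eTLD+1 (last two labels); enough to tell bank.com from mail.com."""
    return ".".join(hostname.split(".")[-2:])


def find_hijacks(text, watchlist=WATCHLIST):
    """Return a list of suspicious hosts-file mappings found in `text`."""
    findings = []
    names_by_addr = defaultdict(set)
    for line_no, addr, name in parse_hosts(text):
        # 127.0.0.1, ::1 and 0.0.0.0 are how local services and ad blocklists
        # use the file; only a routable, non-local target can be a redirect.
        if addr.is_loopback or addr.is_unspecified:
            continue
        names_by_addr[addr].add(name)
        if name in watchlist:
            findings.append({"line": line_no, "name": name, "addr": str(addr),
                             "reason": "watchlisted hostname pinned to non-local address"})
    # One address serving hostnames from unrelated domains is the signature of
    # a single fraudulent server impersonating several brands.
    for addr, names in names_by_addr.items():
        domains = {registrable_domain(n) for n in names}
        if len(domains) > 1:
            findings.append({"line": None, "name": ",".join(sorted(names)), "addr": str(addr),
                             "reason": "one address serves %d unrelated domains" % len(domains)})
    return findings


if __name__ == "__main__":
    for finding in find_hijacks(SAMPLE_HOSTS):
        print(finding)
```

This catches only the hosts-file flavour. The DNS cache poisoning variant mentioned in the excerpt leaves the hosts file untouched, so a fuller check would also compare the answers of the local resolver for the same watchlist against an independent resolver and alert on disagreement.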
Illegal downloading is not only a college-kid problem: their parents do it too, and so do employees at work. On top of the huge bandwidth cost (the article mentions that a third of bandwidth is lost to illegal downloading), the company is exposed to copyright infringement lawsuits,
"The potential vicarious employer liability does not get the employee off the hook," said Mark Smith, solicitor for legal firm Olswang. "What it means is you have the choice of suing the employer, who has lots of money, or the employee. Chances are you will choose the employer."
[Via ZDNet.com.au, Australia -]
Where do phishers host their sites? China is showing up more and more often.
Security professionals in the Chinese National Computer Emergency Response Team (CNCERT) said this week that 223 fraudulent Web sites were discovered in China last year, compared to only one reported in 2003.
What is the correct name anyway - phishers or phishermen? Does anyone know?
[Via ZDNet UK, UK -]
A new high-tech company alliance was recently announced. The Fingerprint Sharing Alliance, which includes BT, Cisco, EarthLink, MCI and NTT, aims to share critical real-time information among its members, which would then be used to respond to cyber incidents.
Members of the Fingerprint Sharing Alliance will automatically send one another data on computer hackers as they observe or experience new attacks. By immediately alerting other communications companies when they’re being threatened, members of the group hope they can more effectively guard against online attacks and infrastructure hacks that cross network boundaries.
Hopefully the information sharing will also lead to increased collaboration at the enforcement level; preventing an attack is only one step in the fight against hackers.
[Via ZDNet UK, UK -]
CNET writes about how Microsoft is partnering with law enforcement to go after cyber criminals. According to the article, Microsoft is to provide specialized tools to law enforcement agencies that would allow better tracking and investigation of computer crimes.
"We are looking at making our internal tools available to law enforcement agencies," Stone said [Greg Stone, the national technology officer at Microsoft Australia and New Zealand]. "I’m not talking about commercial shrink-wrapped products that we would put out onto the market. I am talking about very specialized bits of technology, like artificial intelligence and data mining, that would be safe in the hands of extremely competent individuals."
Nice move by Microsoft: instead of hiring its own private investigators, give the tools to law enforcement, train them to use the tools, and reap the public relations benefits. Hopefully this will also put a dent in the growing level of cyber crime.
[Via CNET News.com -]
The anti-spam community is celebrating the bankruptcy filing of Scott Richter, one of the most famous "Spam Kings." According to The Register, Richter’s OptInRealBig.com filed for bankruptcy after it was sued by NY Attorney General Spitzer and Microsoft over his spamming operations. Apparently OptInRealBig.com has assets of $10M and liabilities of $50M, and after Richter settled with Spitzer for $19M the company was unable to pay its bills.
This case shows that lawsuits by state attorneys general and ISPs with legal muscle can help eliminate the biggest spammers. I am not sure whether OptInRealBig’s bankruptcy is the whole story. A sophisticated spammer is very likely to have transferred assets offshore, and maybe Richter just wanted to get rid of the lawsuits, charter a plane to a Caribbean country, and continue his operations from there.
[Via Register, UK -]
Aaron Greenspan has a thought-provoking editorial about what we are doing to make sure "our nation’s databases are protected." The answer is, "Nothing." He describes his experience downloading a W-2 form (I assume for tax return purposes) from a payroll provider,
I learned this the hard way. In the process of downloading my 2004 W-2 from a Web-based payroll company, I discovered I could also download the W-2 of every person who had ever been a customer, as far back as 1999.
As it happens, IRS Form W-2 is the perfect tool for blackmail, containing one’s Social Security number, annual salary, home address, employer’s federal identification number and employer’s state tax ID. With one keystroke, without breaking into any systems, without hacking, really without even trying, I could have pretended to be anyone I desired to be out of a potential pool of up to 100,000 people.
Although an isolated example, this story shows how little attention companies and government agencies pay to customer information security.
[Via CNET News.com -]
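The flaw Greenspan describes is an authorization failure: the server trusted the document identifier in the request instead of checking it against the logged-in account. The following is an added example, not code from the editorial or from the payroll company: a vulnerable download handler next to its fixed form, plus the id-walking loop an attacker would run against each. The account names, document ids and record contents are constructed, and the handler signatures are assumptions for illustration.

```python
from dataclasses import dataclass


class NotFound(Exception):
    """Raised for both missing and foreign documents (see download_w2_fixed)."""


@dataclass(frozen=True)
class W2:
    doc_id: int
    owner: str       # account entitled to read this form
    tax_year: int
    ssn_last4: str   # constructed placeholder, not a real SSN


# Constructed store with sequential ids, the kind an attacker can walk.
DOCS = {
    1001: W2(1001, "alice", 2004, "1111"),
    1002: W2(1002, "bob", 2004, "2222"),
    1003: W2(1003, "bob", 2003, "3333"),
    1004: W2(1004, "carol", 1999, "4444"),
}


def download_w2_vulnerable(session_user, doc_id):
    """Looks the form up by the id from the URL and returns it to whoever asked.

    The session is authenticated but never consulted, so any customer can
    fetch any other customer's form.
    """
    doc = DOCS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc


def download_w2_fixed(session_user, doc_id):
    """Authorizes against the session principal, not the request parameter."""
    doc = DOCS.get(doc_id)
    # One error for "does not exist" and "not yours": a distinguishable 403
    # would still let an attacker map out which ids are live.
    if doc is None or doc.owner != session_user:
        raise NotFound(doc_id)
    return doc


def list_my_w2s(session_user):
    """The preferred pattern: scope the query by principal, then pick from it."""
    return sorted(d.doc_id for d in DOCS.values() if d.owner == session_user)


def enumerate_w2s(fetch, session_user, id_range):
    """The attack the editorial describes: walk the id space with one login."""
    leaked = []
    for doc_id in id_range:
        try:
            leaked.append(fetch(session_user, doc_id).owner)
        except NotFound:
            continue
    return leaked


if __name__ == "__main__":
    print("vulnerable:", enumerate_w2s(download_w2_vulnerable, "alice", range(1000, 1010)))
    print("fixed:     ", enumerate_w2s(download_w2_fixed, "alice", range(1000, 1010)))
```

Replacing sequential ids with random ones only slows the enumeration down; the ownership check is the fix, and a burst of not-found responses from one session is the signal to alert on.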
No surprises in the recently released phishing statistics for the month of February.
There were 13,141 unique phishing e-mail messages reported to the Anti-Phishing Working Group (APWG) during February, up 2% on the number reported to the group in January. The number of phishing Web sites supporting these activities rose 1.8% to 2,625 compared with the prior month, according to the group. The APWG compiles its data using information from Internet service providers, network administrators, law enforcement agencies and individuals.
[Via ComputerWorld -]