Phishing is not aimed solely at financial account information, but phishers certainly love to get their hands on some juicy brokerage account credentials. The SEC is aware of this and is taking steps to prevent it.
The SEC published an investor guide Thursday, warning users of keystroke-logging software, phishing scams and traditional snoops as ways fraudsters could obtain access to online brokerage accounts and steal money. The agency suggests beefing up security to protect against such thieves.
The Securities and Exchange Commission seems to aim at two targets with this guide. Although individual investors need to be reminded to be vigilant with their account information, the Commission should concentrate its efforts on beefing up the security and practices of the financial institutions. Banks and brokerages are best equipped to prevent theft of personal account information: 1) they have the resources; 2) the know-how; and 3) the business interest to protect their customers from being phished out of their passwords.
[The SEC Investor Guide]
Education is useful. And tricky. What you want to do is educate people about the dangers of the Internet and how to stay safe, without scaring users away from spending time online.
The FBI, Monster Worldwide, the National White Collar Crime Center, the U.S. Postal Inspection Service, Target Corp. and the Merchant Risk Council established LooksTooGoodToBeTrue.com, a Web site containing a variety of educational tools to keep consumers safe from fraudsters.
"In this virtual world, every day is Halloween," said Lee Heath, chief postal inspector at the U.S. Postal Inspection Service, at a press conference. "Cyber-criminals hide behind their masks concealing their identities, holding out an ample bag of tricks and very few treats for legitimate consumers."
The site provides some questionnaires to help users determine whether they are victims of different common types of Internet fraud. A good start; hopefully the site will not turn out to be a one-week story.
[Via InternetNews.com]
A British man was sentenced to four years for masterminding an eBay Internet auction scam to steal computer account details from users and assume their online identities. Levi, 29, led a gang who tricked eBay traders between July 2003 and 2004 into giving away their passwords and account details by sending emails to them pretending to be from the California-based company.
Levi led six others in a gang which scooped almost $355,000 through a "phishing" fraud–the practice of stealing goods after tricking computer users into revealing their bank details.
[Via CNET News]
What makes this hacker conviction story interesting is the circumstances under which a British computer consultant found his way onto a tsunami relief site and how he "hacked" into it. The conviction was in a District Court in the UK under the British Computer Misuse Act of 1990.
According to the story, Cuthbert [the convicted hacker] initially told authorities that he donated money to the tsunami relief efforts by using the text-only browser Lynx, which in some cases may have a different footprint than a normal graphics-based browser. However, in court on Wednesday, Cuthbert changed his story and said that he made a £30 donation to the website after clicking on a banner ad. When he didn’t receive a "thank you" or any other confirmation, he suspected that he might have fallen victim to a phishing scam, so he decided to check for himself and carried out two tests of the site’s security.
Cuthbert’s defense then was that he only "knocked" on the door of the site, without entering, even though he had the skills to enter, if he wished to do so. However, Judge Purdy found him guilty despite his spotless record and ambiguous story - one of the main arguments that the judge put forward was that Cuthbert had changed his story and tried to mislead the police during the investigation.
The British Computer Misuse Act of 1990 [Wikipedia], §1 states that it is an offence to make "unauthorized access to computer material." Besides its extremely broad wording, the act places no burden on the prosecution to prove that the accused intended to cause any damage.
A District Court in Wisconsin agreed with claims by ISP Earthlink that a bank whose website was incorrectly flagged as "potentially fraudulent" by Earthlink’s toolbar cannot sue the provider, because Earthlink was not the publisher of the information in terms of US law.
“Imposing liability on [Earthlink] for the inaccurate information provided by a third-party content provider would treat [Earthlink] as the publisher," he wrote, pointing out that Earthlink is therefore immune from suit under the relevant section of the Telecommunications Act.
The full ruling here.
[Via News.com]
More and more financial institutions are adopting two-factor authentication. In this case, BankWest has chosen to use an authentication token (a small device in the user’s possession that displays a rapidly changing authentication code) along with a password to authenticate its online customers.
The system is designed to provide customers with greater protection than that afforded by using static, reusable passwords. BankWest Business plans to distribute the free tokens to all customers by the end of 2005.
This is good news for the financial (and security) industry. Two-factor authentication is likely to prevent individual account security breaches and eliminate the threat of phishing: because the authentication code on the security token changes quickly, even if a phisher is able to trick a user into submitting his password plus token code, the captured authentication information will only be "valid" for the lifetime of that token code, which usually changes within seconds or a few minutes.
[Via ZDNet.com.au, Australia]
A practice by online scammers that is not necessarily illegal under current laws, but highly annoying and potentially dangerous, is gaining speed and attention. Typosquatters are people who register a domain name that is just a slight variation (usually a misspelling) of a famous domain name, hoping to attract users who inadvertently misspell the name of a large or popular domain. After being shown a page full of sponsored links, often provided by Google AdSense, the user often clicks on one of the paid links and generates a profit for the typosquatter.
Typosquatters register hundreds or thousands of domain names with variations of popular domains, hoping to attract a larger number of users and obtain a larger profit from the misspelled domain names. While in most cases there is no damage to the user (who only has to make an extra click to go to the desired site), a typosquatter can easily deliver a page that looks like the intended domain and then phish the users into submitting personal or financial information.
The individual companies and domain name owners have little recourse other than to buy the domain names themselves (if they thought about this early enough) or to fight the typosquatter under the domain registrar agreements (usually arbitration) for each domain name, a costly and time-consuming endeavor considering the number of typosquatted domain names that an organization might have.
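Owners who take the "buy the names yourself" route need a list of likely misspellings of their own domain, and the same list lets them spot look-alike hosts in their own logs. The following Python, added here as an example and not taken from the page, enumerates single-keystroke variants (omitted, doubled, transposed and adjacent-key characters, plus alternative TLDs) and matches them against observed hostnames; the simplified QWERTY adjacency map, the TLD list and the constructed proxy-log hostnames are assumptions of the example.

```python
# Simplified QWERTY neighbour map, letters only (constructed for this example).
ADJACENT = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn", "k": "jiolm", "l": "kop",
    "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol", "q": "wa", "r": "edft", "s": "awedxz",
    "t": "rfgy", "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}


def typo_variants(domain: str, tlds=("com", "net", "org", "co")) -> set:
    """Return common one-keystroke misspellings of `domain` (assumed to be name.tld)."""
    name, _, tld = domain.rpartition(".")
    variants = set()
    for i, ch in enumerate(name):
        variants.add(name[:i] + name[i + 1:])                       # omitted character
        variants.add(name[:i] + ch + ch + name[i + 1:])             # doubled character
        for neighbour in ADJACENT.get(ch, ""):
            variants.add(name[:i] + neighbour + name[i + 1:])       # adjacent key hit instead
        if i + 1 < len(name):
            variants.add(name[:i] + name[i + 1] + ch + name[i + 2:])  # transposed pair
    result = {v + "." + tld for v in variants if v}
    result.update(name + "." + t for t in tlds if t != tld)         # same name, other TLD
    result.discard(domain)
    return result


def find_lookalikes(domain: str, observed_hosts) -> list:
    """Hostnames from logs (or a registrar search) that are typo variants of `domain`."""
    suspicious = typo_variants(domain)
    return sorted({h.lower() for h in observed_hosts if h.lower() in suspicious})


if __name__ == "__main__":
    # Constructed proxy-log hostnames for the demonstration.
    seen = ["example.com", "exampel.com", "google.com", "EXMAPLE.com", "example.net"]
    print(len(typo_variants("example.com")), "variants to consider registering or monitoring")
    print("look-alikes seen:", find_lookalikes("example.com", seen))
```

The variant set grows roughly linearly with the length of the name times the number of neighbouring keys, which is why the article’s point about cost holds: even a short brand name yields well over a hundred candidates, each of which is a separate registration or arbitration.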
Iowa police and FBI arrested a suspect who allegedly "phished" Microsoft (MSN) customers out of their personal information. The indictment lists 75 counts of wire fraud for allegedly stealing credit card numbers and user personal information.
What is interesting in this case is that although the arrest was made by FBI, the information was supplied by Microsoft’s Internet Safety Enforcement Team who tracked down the activities and obtained the necessary information to allow the FBI to act upon it. It is a sad fact that state and federal law enforcement agencies often do not have the resources and expertise to conduct these investigations on their own, so they have to rely on ISPs’ security teams to identify and track suspects.
Often the "digital pursuit" of cyber-criminals is so quick that only an agency with large resources can afford to conduct a successful and thorough cyber-surveillance of a criminal’s activities and track him down.
"What you essentially need to do is follow the money, but the links disappear so quickly that law enforcement needs to be really jumping on it as the attack is happening," Cranton [from Microsoft's Internet Safety Enforcement Team] said.
[Via InternetNews.com]
ISPs vs. Zombie PCs. Round X.
In the next few months, ISPs in the United States will begin receiving reports on the zombies, or PCs open to control by hackers, that lurk on their networks. The data will be sent out by the Federal Trade Commission, which said in May that zombies have become such a serious problem that more industry action is required.
The Federal Trade Commission has called on ISPs to identify and take action against "zombie" computers on their networks. There are many proposals on how to deal with innocent users’ PCs that become zombies - from cutting their Internet access altogether, to distributing "good" worms to fix the problems, but the number of zombies does not seem to decrease.
[Via CNET News.com]
An interesting piece of statistics:
In the twelve months ending in May 2005, an estimated 73 mln US adults who use the Internet said they definitely, or think, they received an average of more than 50 phishing e-mails.
The people who received a phishing email, clicked on it, and entered their personal information without even realizing that their identity had just been stolen are not included in this number. Even without them, the number is staggering.
[Via IT Facts]