China’s Underworld of Hackers
While there is still ongoing discussion of the nationality of the hackers in the Google Aurora attack, this event has brought to light some interesting information about China’s cyber-underground.
This article gives a very interesting accounting of a day in the life of a hacker in China. The author talks specifically about how hackers have broadened their attack scope beyond just stealing money.
Internet security experts say China has legions of hackers just like Majia, and that they are behind an escalating number of global attacks to steal credit card numbers, commit corporate espionage and even wage online warfare on other nations, which in some cases have been traced back to China.
As more and more of these types of underground economies come to light, I think it is going to be increasingly obvious that criminals can use their skills and tools to attack more than just our pocketbooks.
Phishing for more than $$$$
The Google Aurora attack has shown that cyber crime is moving beyond financial motivation to more politically motivated attacks.
In a similar vein, there was a phishing attack exposed this week that shows how the criminals are willing to go after very unconventional targets as long as it means they will make money.
This article talks about a phishing scam that was used to steal permits that allow the release of greenhouse gases. The stolen permits were worth 3 million euros! That’s a lot of money in greenhouse gas permits.
As I’ve said, online criminals are equal-opportunity fraudsters. As long as they can make money, they don’t care what they have to target.
More Malicious Use of Social Network Sites
Satnam Narang from M86 Security has been sending me lots of interesting information about Facebook and how criminals are using it to gather email addresses – and possibly additional personal information – about Facebook users.
Each of these scams relies on one of two things. First, once you are connected to someone on Facebook you can see lots of information about them including their email address, mailing address, phone number, family members, friends, where they went to school, where they work, etc… This information can be used to create spam lists, phishing lists, instant message scams, and a plethora of other nefarious activities. Second, if the scammer can get you to go to a particular page, they could post a link to a virus on that page and get more infections for their virus. This is beneficial since it recruits more machines into botnets and gives the scammers access to personal data from the infected machines.
The first scam has to do with the crisis in Haiti. Scammers say that for each person that connects with them they will donate some amount of money ($.10 or $1) to Haiti. Facebook users likely see this as a way to contribute to the aid of Haiti without spending any money. An example of a Facebook page like this is here. Of course, I have no way of knowing whether this is legitimate or not, but that’s the point. No one else can tell if it is legitimate or not either.
The next scam Satnam told me about was one where the scammers publicized that Facebook was going to start charging for use of the site. They encouraged people to join a group to protest the upcoming fees. Of course, Facebook was not going to start charging, but the page that talked about the fees contained a link to a virus, so the goal was to get people to visit the page because they were outraged about the possibility of fees and then they would be infected with the virus. One wall posting says…
WARNING ! ! ! ! ! ! ! Don’t go into or open the group “WE’RE AGAINST THE 14.99 A MONTH CHARGE FOR FACEBOOK FROM JUNE 30TH 2010” It has a virus in a link that opens unstoppable windows with horrific images of humans in states of mutilation. Everyone, PLEASE repost.
Google Aurora Conspiracy Theory
Since the Google Aurora exploit has been all the rage lately, it seems like it’s ok to rehash some of what has been discussed. Just this morning I was told that the evidence that the attack came from China is becoming less credible. One of the main reasons China was blamed for the attack was the claim that the malware contained code that could only be found in Chinese. An article on The Register debunks that notion and says that the code has been available in English-language programs for years. It’s hard to say who is correct in this case.
Another aspect of the Aurora attack is whether or not it was partially abetted by a back door in Google’s infrastructure that was put in place for the US government. Bruce Schneier talks about this possibility on the CNN site.
Given the amount of coverage the Aurora scandal is getting, I’m surprised no one else has picked up on the possibility of the backdoor into Google. Does that mean it doesn’t exist?
If anyone has more details about this, it would be great to hear them.
Loss of Trust in Social Networks Due to Malicious Events
Thanks to everyone who has helped us by rating Silver Tail on the RSA Innovation Sandbox website. For those of you who have not rated us yet, your support would be appreciated. You can find our page here.
The results of a survey of internet users conducted at the behest of RSA were posted yesterday.
The survey showed that 81 percent of online users are concerned about the safety of their personal information online. It noted that social networking websites have become a hotbed for online criminals because of their global reach and the participation by hundreds of millions of active users from all walks of life.
Later in the article, it says…
On the other hand, 29% of consumers said they became victims of phishing scams in 2009, compared to only 5% in 2007.
The article talks about how the rise in people who knew they became victims of phishing is likely due, in some part, to the rise in awareness of phishing.
What’s unfortunate is that the article does not talk about the impact of these bad events on how people use social network sites. It may be that even though people are trusting websites and the entire online experience less, they are still very active on sites like social networks. I’ve definitely seen studies that showed that even knowing about a scam (without falling for it) reduced activity on a website significantly. But others say this is not the case. Has anyone seen any numbers published about reduction of activity due to awareness of online crime?
Help Support Silver Tail’s Nomination for RSA Conference Innovation Sandbox
As I’ve posted in the past, the fields of security and fraud mitigation seem to be merging. This makes a ton of sense to me since security and fraud teams are fighting the same battle – criminals try to infiltrate networks/databases/systems/websites to make money. Security groups try to protect the access points, but fraud teams are trying to prevent the actual loss or bad behavior. Having the two teams work together would only increase the efficiencies of both.
To that end, Silver Tail is participating in the RSA Conference this year. I’ll be on a panel about malware and moderating another panel as part of the eFraudNetwork.
In addition, Silver Tail has applied to be featured in the Innovation Sandbox. Here’s what the RSA website says about the Innovation Sandbox…
An experiential half-day filled with interactive white boarding sessions; ask the experts and whisper suites; a serial entrepreneur panel, plus an exciting demo area with a “top 10” group of start-up companies, Innovation Sandbox represents today’s best new security solutions — and culminates with a shoot-out among the top 10 start-ups presenting their new companies and products to a judging panel comprised of venture capital professionals, CISOs, CTOs and industry experts.
As you know, Silver Tail is not exactly a “security” company. We’re more of an anti-fraud company. But as part of my crusade to get people to recognize that fraud and security are fighting the same battle, we’ve applied to be part of the Innovation Sandbox. Judging is taking place now, but I’d appreciate your support in giving us a high rating and maybe making a comment about how anti-fraud solutions are very relevant to security! You can find the site to rate us here: https://365.rsaconference.com/docs/DOC-2402.
Google talks about being hacked
While it is extremely disconcerting to read about the allegations by Google that the Chinese government was responsible for the compromise of several human rights activists’ Gmail accounts, it is refreshing to see a company as big as Google being willing to talk about it.
In working for and with many of the biggest internet brands, I can tell you that it is extremely rare for a company to be proactive about notifying people of a security breach that impacted them. Obviously if you are Google, you have a lot of clout behind you, but I’ve seen similarly well-respected brands be unwilling to talk openly about events like this until they were “outed” by the press or some other source.
Kudos to Google for making it clear that all brands – large and small – are susceptible to malware attacks like the one in China. In the coming weeks it will be interesting to see how coming clean on this will impact Google’s users. Will they be more fearful about using Google’s applications and websites?
Micropayments: Good channel for validating stolen credit cards?
I was talking with Dave Jevans, swashbuckler extraordinaire, last night and the topic of micro-payments came up.
As most of you know, micropayments are payments of very small sums of money. Often these payments are for digital goods, such as buying your friend a cupcake on Facebook. It is thought that micropayments are going to become much more popular in the coming years due to the proliferation of digital goods and devices on which to use them.
What struck me last night is that micropayments could easily become the $1 charge at gas stations.
What do I mean by this? If you remember, ten or fifteen years ago, when a criminal would steal a credit card number they would often charge $1 worth of gas at a gas station. This allowed the criminal to see whether the credit card was still valid while staying under the detection radar of the credit card companies. It also had the added advantage of being a small enough charge that if the legitimate cardholder noticed it they would be unlikely to report it.
Of course, credit card companies got wise to this practice and started calling people if their credit card was used to charge a small amount at a gas station (I received one of these calls for a legitimate transaction).
As micropayments become more popular, this could be a great way for the criminals to validate a credit card number and it could be very difficult to detect this validation. Not only do micropayments have the advantages that the $1 gas station charge has, but if they are payments for digital goods, there is no indication of geographic location of the purchaser to help decide whether the transaction is fraudulent.
We’ll need to keep an eye on whether this type of credit card validation starts to become a problem.
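One way a payments team could watch for this without any geographic signal, shown as an added example that is not part of the original post: flag a purchaser account that runs micro-charges across many distinct cards in a short window. The account and card-token fields, the thresholds, and the sample transactions are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MICRO_LIMIT = 2.00           # assumed ceiling for a "micropayment", in dollars
WINDOW = timedelta(hours=1)  # assumed look-back window
MAX_CARDS = 3                # assumed: distinct cards one account may use per window

# Constructed sample: (timestamp, purchaser account, card token, amount, outcome)
SAMPLE = [
    ("2010-02-01T08:00:00", "acct-09", "card-P", 0.99, "approved"),
    ("2010-02-01T10:00:00", "acct-09", "card-Q", 0.99, "approved"),
    ("2010-02-01T10:00:00", "acct-17", "card-A", 0.99, "approved"),
    ("2010-02-01T10:02:00", "acct-17", "card-B", 0.99, "declined"),
    ("2010-02-01T10:03:00", "acct-17", "card-C", 0.99, "declined"),
    ("2010-02-01T10:05:00", "acct-17", "card-D", 0.99, "approved"),
    ("2010-02-01T10:06:00", "acct-02", "card-X", 0.99, "approved"),
    ("2010-02-01T10:10:00", "acct-17", "card-E", 25.00, "approved"),
    ("2010-02-01T10:20:00", "acct-02", "card-X", 1.49, "approved"),
    ("2010-02-01T12:00:00", "acct-09", "card-R", 0.99, "approved"),
    ("2010-02-01T14:00:00", "acct-09", "card-S", 0.99, "approved"),
]

def flag_card_testing(transactions):
    """Return {account: sorted card tokens} for accounts that put micro-charges
    on more than MAX_CARDS distinct cards within any WINDOW-long span."""
    recent = defaultdict(list)  # account -> [(time, card)] still inside the window
    flagged = {}
    for ts, account, card, amount, _outcome in sorted(transactions):
        if amount > MICRO_LIMIT:
            continue  # only the small charges are useful for quiet validation
        when = datetime.fromisoformat(ts)
        # Drop events that have aged out, then record this one.
        events = [(t, c) for t, c in recent[account] if when - t <= WINDOW]
        events.append((when, card))
        recent[account] = events
        cards = {c for _, c in events}
        if len(cards) > MAX_CARDS:
            flagged.setdefault(account, set()).update(cards)
    return {acct: sorted(cards) for acct, cards in flagged.items()}

if __name__ == "__main__":
    for acct, cards in flag_card_testing(SAMPLE).items():
        print(f"{acct}: {len(cards)} distinct cards in micro-charges -> review")
```

The repeat buyer on one card (acct-02) and the account whose cards are spread over six hours (acct-09) stay below the threshold; only the burst of distinct cards is flagged.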
Predictions for Online Fraud in 2010
It’s that time of year again – when everyone makes predictions about the year to come. I’ve seen a lot of talk about how malware will continue to increase and social networks will continue to be a communication vehicle of choice for the online criminals. While I agree with both of these, there are some predictions of my own I’d like to add.
What we will see in online fraud in 2010:
- The criminals will be at approximately the same sophistication level at the end of the year as they are now. This may be counter-intuitive. Because web sites are constantly improving their protections, the criminals are constantly having to improve their methods of attack. This is true, but only to a point. Recently, the criminals have found new ways of exploiting websites – for example, Man in the Browser attacks. The security teams I work with are aware of these attacks, and some have done a good job putting mechanisms in place to fight them, but most are still scrambling to find a way to identify, defend against, and prevent these attacks. Because of this, there is currently no incentive for the criminals to innovate – what they have is working, they have just started using it, and there are many more ways to use these current techniques for financial gain than have already been exploited.
- There will continue to be an increase in the number of news stories about online fraud. Many of us who have worked in the fraud prevention area for years know that online fraud has always been a big problem. But only in the last year or so has there been a proliferation of news reports about the big fraud events. I don’t know why this has started lately. Are the data breach notification laws making more people aware of these types of fraud? Are people more willing to talk about when this happens to them? Whatever the reason, the number of news stories about fraud events – large and small, but mostly large – will continue to grow.
- Despite the increase in news stories, we will not see a large decrease in consumer confidence with the online channel. I’ve been expecting a bigger impact to online usage associated with online fraud, but that hasn’t come to fruition. And now that the demographics of online users are shifting more quickly towards those who have grown up with the internet, it becomes less and less likely that criminal events will significantly impact online usage.
- There will be an increase in “non-traditional” online fraud. In 2009 there were many cases of criminals benefiting from something other than transferring money out of a stolen bank account or using a stolen credit card. For example, we saw criminals stealing pizzas from Dominos, having Apple send them free iPods, and opening vast numbers of bank accounts to steal the money given away as an “incentive”. Because websites have put controls around the traditional ways criminals steal money, the criminals are going to continue to get creative about how they are able to make money from these websites. This may seem to contradict point 1 above, but I don’t think it does. This doesn’t require the criminal to use new technology. Instead, they will just use a different part of the website to perpetrate their crime.
- Websites will need more and more efficient means of detecting new attacks and investigating them to stay ahead of the criminals. Because websites are trying to cut costs everywhere they can, the risk and security teams for these sites will need ways to more quickly identify new attacks and determine the extent of these attacks.
Now that I’ve listed my predictions for the year, I also want to list a prediction/concern about the decade. In the 2000-2009 decade, we saw a huge growth in how the internet is used in everyday life and business. In the next 10 years I predict that we will find more ways to use the internet and new ways to share information that go beyond the internet. With the amazing speed at which we are developing and adopting technology, I worry about whether or not our security/risk tools and processes can keep up.
Does anyone have additional thoughts on the coming year or the coming decade?
12 Scams of Christmas
This is my last post of the year and given that it is the holidays, I wanted to do something a little festive. Granted, fraud is in no way festive. But maybe protecting yourself from fraud is??
Either way, McAfee released a report on the “12 Scams of Christmas”. While this is relevant now, most of what they recommend is also relevant the rest of the year – everything except maybe the Christmas carol one, though that would apply year-round to popular songs’ lyrics. The criminals are just trying to get you to their websites and they are going to use whatever they think will get you there.
It seems appropriate to close out the year with ways to keep you, and your loved ones, safe. Take a look at the report and hopefully it will make for a very happy (and safe) 2010.
Happy holidays everyone! I’ll look forward to talking to you in the new year.
