Silver Tail Systems Blog

Preventing Online Fraud Through Web Session Intelligence

HomeAway’s Business Model Makes it a Target for E-Criminals

I joined eBay in 2003 at the height of phishing. At the time phishers were stealing passwords of eBay users (often eBay powersellers), listing items, and trying to get unsuspecting buyers to send money to them via Western Union.

Unfortunately, this scam is still alive and well. This article talks about how phishers continue to perpetrate exactly this type of scam on the HomeAway website. It makes sense that HomeAway would be a target, as their model is similar to eBay’s model in that the purchaser sends money to the seller/renter ahead of taking possession of the goods. Criminals love those types of models.

Knowing how challenging it was to battle these criminals at eBay, I hope HomeAway has lots of resources to put towards this. It’s a very lucrative activity for the criminal and, therefore, not one the criminals give up on easily.

April 11, 2012 | Phishing

The Business of Phishing

When I talk to other fraud prevention experts, we often comment on how the criminals have created an ecosystem that allows them to operate very efficiently. The joke I often use is that criminals probably have better PowerPoint presentations about how their business is doing than we do!

A recent report by RSA sheds some light on how criminals perform their analysis. In the report, RSA talks about how phishers installed a web analytics tool to measure how their victims were accessing their website. This gave the phishers statistics on browsers, geolocation, etc.

For those of us who have been fighting these criminals for years, this is not a surprise. The criminals will find any method they can to make their business more efficient. And keep in mind, it is just that: a business. It is a rare occurrence to get a glimpse of how they are managing their business, so the report by RSA is especially interesting as it exposes one of their tactics.

April 9, 2012 | Phishing

The Only Certainty: Death and Taxes (and Phishing Emails About Taxes)

That favorite spring holiday is upon us again: tax day. And the criminals have launched their usual scams to take advantage of how we are all worried about making sure we have our taxes done. Sandra Block has a great article about the various threats this year. The part of the article that is the most interesting to me is where the woman from Intuit tells people how to tell that an email supposedly from their tax preparer is legitimate. I hope that telling taxpayers to look for things like generic salutations and bad grammar is helpful. I was using those same warnings to consumers almost 10 years ago and it has seemed to me that the criminals have gotten smarter and aren’t making those mistakes as often.

Not that I can come up with a better education message. We need to tell people how to protect themselves, but I’m at a loss on a simple message about how to discern a phishing email from a legitimate email. Has anyone seen anything particularly effective lately?

March 20, 2012 | Fraud, information security, Phishing

Finovate gets secure!

Today was my fourth Finovate conference. It has been interesting to see the morphing of the show and the content.

In the past couple of shows there has been an abundance of both mobile and iPad devices. In the spring it was amazing to see iPad devices already being demo’d since the iPad had only been out for a few weeks. There were even more today. It’s crazy what people can do with an iPad.

This time there were a few security companies demoing. I demo’d of course. But also PinPoint, SecureKey, and Guardian Analytics. It’s great to see innovation happening in the financial technology space!

October 4, 2010 | business logic abuse, Detection, Fraud, Man-in-the-Browser, Online Fraud, Payment, Phishing, risk management

Facebook bug or business logic abuse?

You may have heard of the vulnerability on Facebook that has been exposed. If you enter an email address and a password, Facebook will tell you the password is wrong, but show you the picture and full name of the person corresponding to the email address. This is a treasure trove for phishers since it gives the first and last name associated with an email address – something that is often used by companies to give their customers confidence that the email is really from the company.

I’m wondering whether this feature was a bug on Facebook’s part or if this was meant to be a helpful feature. I’m guessing some Facebook engineer thought it would be cool to show you the name and picture associated with your account if you got your email address wrong and the implications for exposing this information were never considered.

Anyone have more information on why this happened?
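To make the distinction concrete, here is an added example (not Facebook’s code, and not from the original post): a login handler that returns the profile on a wrong password, beside one that answers every failure identically and runs the same amount of hashing work whether or not the email exists. The email, name, picture path and password are constructed for the demo.

```python
import hashlib
import hmac


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed demo values; a real system stores a random salt per user.
_SALT = b"constructed-fixed-salt-for-demo"
USERS = {
    "alice@example.com": {
        "name": "Alice Example",
        "picture": "/photos/alice.jpg",
        "pw_hash": _hash_password("correct horse", _SALT),
    },
}

# Decoy hash so an unknown email costs the same verification work as a known one.
_DECOY_HASH = _hash_password("decoy", _SALT)


def leaky_login(email: str, password: str) -> dict:
    """Mirrors the behaviour the post describes: a wrong password still
    reveals the name and picture tied to the email address."""
    user = USERS.get(email)
    if user is None:
        return {"ok": False, "error": "unknown email"}
    if not hmac.compare_digest(user["pw_hash"], _hash_password(password, _SALT)):
        # Information disclosure: profile data returned on a failed attempt.
        return {"ok": False, "error": "wrong password",
                "name": user["name"], "picture": user["picture"]}
    return {"ok": True, "name": user["name"]}


def hardened_login(email: str, password: str) -> dict:
    """Same check, but every failure gets one profile-free response, and an
    unknown email still runs a hash so response time does not reveal it."""
    user = USERS.get(email)
    expected = user["pw_hash"] if user else _DECOY_HASH
    valid = hmac.compare_digest(expected, _hash_password(password, _SALT))
    if user is None or not valid:
        return {"ok": False, "error": "invalid email or password"}
    return {"ok": True, "name": user["name"]}
```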

August 17, 2010 | business logic abuse, Fraud, Phishing, Prevention, Social Networks

The emergence of cyber-insurance

First, I apologize for my absence. I have been hiking in Peru for the last couple of weeks – an absolutely amazing trip. I thought about posting here that I would be gone, but then realized that might make my home an easy burglary target. So in cases like these, I’ll just have to tell you after the fact.

During my absence there have been several items of interest that I’d like to comment on, but tonight I’ll start with one near and dear to my heart. The esteemed Mr. Krebs has posted about how helpful cyber-insurance has been in a couple of recent online thefts.

Those of you who have read my previous posts know that I have been postulating that cyber-insurance is going to become necessary. My hypothesis is that it is often difficult to determine who is at fault in cyber crimes. Is it the victim who gave away their password to the phishing site or has malware installed on their computer? Is it the bank who must take reasonable precautions to protect their customers’ accounts? Is it the AV companies who don’t detect the malware on the victims’ computers?

The answer to this question has not been resolved yet, but Krebs’ post gives some examples of where cyber-insurance was used as a way to avoid having to answer this question.

Does anyone have a sense for how many businesses currently have cyber-insurance?

BTW - Silver Tail Systems will be hosting a webinar this coming Wednesday on the legal ramifications of the recent cyber crime waves. It’s the first part of our Get Real webinar series. If you’d like to participate in the webinar, you can register here.

June 25, 2010 | Fraud, Online Fraud, Phishing

Lawsuits => more banking regulations?

I’ve been watching the latest news about banks being sued when their small/medium business customers have money stolen from their accounts by cyber thieves. Since these accounts are not covered by Regulation E, the bank does not have to give back the money.

One recent case was settled where cyber thieves had taken $800k from the bank account of Hillary Machinery. There have been more and more lawsuits like this. It’s my supposition that these types of lawsuits are going to mean that legislation gets put in place to protect these types of accounts.

Does anyone else have thoughts on this?

June 2, 2010 | Detection, Fraud, Online Fraud, Phishing

New phish technique: tab-napping

I’m pleased with myself because I usually end up posting topics that are weeks old. Not today! There has been a lot of press this week about a proof of concept shown by a Mozilla employee that allows a phisher to change the content of a tab in a browser. Here’s one example of an article about this.

The attack starts like most phishing attacks – the victim is tricked into going to a webpage that hosts malicious code. This code changes the contents and title of one of the inactive tabs in the victim’s browser. For example, it can change the title of the tab to “Login” and the contents of the browser for that tab would be a fake login page to an email site.

The theory is that the victim is less likely to suspect that the page would have changed the content on an inactive tab and would, therefore, fall for the attack.

Of course, having a “good guy” expose this tactic raises the usual question of whether it is ethically correct to publish known exploits before the criminals have found them.

How long before we see this attack in the wild?

May 27, 2010 | Online Fraud, Phishing, Social engineering

Teachable Moment in Phishing Education

Brian Krebs has a post about the APWG landing page. Because I have always admired Brian’s thoroughness and knowledge of the cyber criminal society, I was thrilled and flattered to see Brian write about this.

My APWG committee (co-chaired by myself and Rod Rasmussen of Internet Identity) has taken on many tasks recently, but none have been as well received as the redirect landing page.

For those of you who don’t know about the initiative, here’s a blurb. The best time to educate someone is at the “teachable moment” – the moment they committed the act that was incorrect. For phishing, that moment is the moment they click on the phishing link. To this end, the APWG has put together a web page that educates consumers about phishing. When takedown teams (whether they are vendors or the brands themselves) contact the ISP or registrar/registry about a phishing site, instead of asking that the site be removed (in which case a 404 error would be displayed), they ask that the URL be redirected to the APWG education page.

This gives the impacted consumer the education about phishing at the most timely moment. In addition, it gives the APWG statistics on which phishing campaigns are the most lucrative (as far as victims), the number of potential victims, the life of a campaign, etc.

I’m thrilled to see such a great response to this initiative and am thankful to all of the hours volunteered by many, many people, to make this happen.

May 12, 2010 | education, Phishing, Uncategorized

Phishing for more than $$$$

The Google Aurora attack has shown that cyber crime is moving beyond financial motivation to more politically motivated attacks.

In a similar vein, there was a phishing attack exposed this week that shows how the criminals are willing to go after very unconventional targets as long as it means they will make money.

This article talks about a phishing scam that was used to steal permits that allow the release of greenhouse gases. The stolen permits were worth 3 million euros! That’s a lot of money in greenhouse gas permits.

As I’ve said, online criminals are equal-opportunity fraudsters.  As long as they can make money, they don’t care what they have to target.

February 4, 2010 | Cost of fraud, Online Fraud, Phishing
