HomeAway’s Business Model Makes it a Target for E-Criminals
I joined eBay in 2003 at the height of phishing. At the time phishers were stealing passwords of eBay users (often eBay powersellers), listing items, and trying to get unsuspecting buyers to send money to them via Western Union.
Unfortunately, this scam is still alive and well. This article talks about how phishers continue to perpetrate exactly this type of scam on the HomeAway website. It makes sense that HomeAway would be a target, as their model is similar to eBay’s model in that the purchaser sends money to the seller/renter ahead of taking possession of the goods. Criminals love those types of models.
Knowing how challenging it was to battle these criminals at eBay, I hope HomeAway has lots of resources to put towards this. It’s a very lucrative activity for the criminal and, therefore, not one the criminals give up on easily.
The Business of Phishing
When I talk to other fraud prevention experts, we often comment on how the criminals have created an ecosystem that allows them to operate very efficiently. The joke I often use is that criminals probably have better PowerPoint presentations about how their business is doing than we do!
A recent report by RSA sheds some light on how criminals perform their analysis. In the report, RSA talks about how phishers installed a web analytics tool to measure how their victims were accessing their website. This gave the phishers statistics on browsers, geolocation, etc.
For those of us who have been fighting these criminals for years, this is not a surprise. The criminals will find any method they can to make their business more efficient. And keep in mind, it is just that: a business. It is a rare occurrence to get a glimpse of how they are managing their business, so the report by RSA is especially interesting as it exposes one of their tactics.
The Only Certainty: Death and Taxes (and Phishing Emails About Taxes)
That favorite spring holiday is upon us again: tax day. And the criminals have launched their usual scams to take advantage of how we are all worried about making sure we have our taxes done. Sandra Block has a great article about the various threats this year. The part of the article that is the most interesting to me is where the woman from Intuit tells people how to tell that an email supposedly from their tax preparer is legitimate. I hope that telling taxpayers to look for things like generic salutations and bad grammar is helpful. I was using those same warnings to consumers almost 10 years ago, and it has seemed to me that the criminals have gotten smarter and aren’t making those mistakes as often.
Not that I can come up with a better education message. We need to tell people how to protect themselves, but I’m at a loss for a simple message about how to discern a phishing email from a legitimate email. Has anyone seen anything particularly effective lately?
Teachable Moment in Phishing Education
Brian Krebs has a post about the APWG landing page. Because I have always admired Brian’s thoroughness and knowledge of the cyber criminal society, I was thrilled and flattered to see Brian write about this.
My APWG committee (co-chaired by myself and Rod Rasmussen of Internet Identity) has taken on many tasks recently, but none have been as well received as the redirect landing page.
For those of you who don’t know about the initiative, here’s a blurb. The best time to educate someone is at the “teachable moment” – the moment they committed the act that was incorrect. For phishing, that moment is the moment they click on the phishing link. To this end, the APWG has put together a web page that educates consumers about phishing. When takedown teams (whether they are vendors or the brands themselves) contact the ISP or registrar/registry about a phishing site, instead of asking that the site be removed (in which case a 404 error would be displayed), they ask that the URL be redirected to the APWG education page.
This gives the impacted consumer the education about phishing at the most timely moment. In addition, it gives the APWG statistics on which phishing campaigns are the most lucrative (as far as victims), the number of potential victims, the life of a campaign, etc.
I’m thrilled to see such a great response to this initiative and am thankful to all of the hours volunteered by many, many people, to make this happen.
Traditional Password Advice: Not to be totally discarded
There is a paper that talks about how traditional advice on creating and maintaining secure passwords is somewhat dated. The hypothesis of the paper is that since phishing and key logging are so rampant, it is no longer necessary to maintain super secure passwords. A secure password is just as easily used by a bad guy as a weak password if the consumer gives away the password through phishing or it is observed through a key logger. Instead, it’s important to have a semi-secure password so that it is not vulnerable to password guessing.
The paper also talks about the need to have more secure userIDs, postulating that bad guys are moving towards horizontal password attacks (guessing the same password against large numbers of accounts). Strong userIDs are helpful in protecting accounts.
One other thing I want to mention is that it is still important to have different passwords for all of your online accounts. If the bad guy phishes the password for your bank account, you don’t want them to automatically have access to your social network account, etc. Even in the case of key logging, if you haven’t logged in to a particular account in a while, if you don’t use the same password across all accounts, the bad guys won’t be able to try your standard password(s) on other accounts.
So, while some of the old password adages may not apply as much any more, some of them are still very appropriate. Please use different passwords on all of your online accounts!
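The horizontal attack described above (one guess spread across many accounts, so no single account trips a lockout) has a distinct footprint in authentication logs: one source touching many accounts with very few attempts each. The detector below is an added example, not code from the original post; the log format and the constructed sample lines are assumptions, and the thresholds are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines (not from the original post): 203.0.113.7
# makes one failed guess against five accounts and then succeeds on a sixth;
# 198.51.100.9 is an ordinary user mistyping her own password twice.
SAMPLE_LOG = """\
2009-04-10T02:01:05Z login_failed user=alice@example.com ip=203.0.113.7
2009-04-10T02:01:06Z login_failed user=bob@example.com ip=203.0.113.7
2009-04-10T02:01:07Z login_failed user=carol@example.com ip=203.0.113.7
2009-04-10T02:01:08Z login_failed user=dave@example.com ip=203.0.113.7
2009-04-10T02:01:09Z login_failed user=erin@example.com ip=203.0.113.7
2009-04-10T02:01:10Z login_ok user=frank@example.com ip=203.0.113.7
2009-04-10T02:05:00Z login_failed user=alice@example.com ip=198.51.100.9
2009-04-10T02:05:03Z login_failed user=alice@example.com ip=198.51.100.9
2009-04-10T02:05:09Z login_ok user=alice@example.com ip=198.51.100.9
"""

# Assumed log line shape: "<timestamp> <event> user=<id> ip=<addr>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>login_\w+) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse(log_text):
    """Yield one dict per well-formed log line; silently skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_horizontal_attacks(log_text, min_accounts=5, max_failures_per_account=2):
    """Per source IP, count distinct accounts with failed logins and the
    failures per account. A vertical attack hammers one account and trips
    lockout; a horizontal one stays under the per-account limit, so we flag
    IPs that touch at least min_accounts accounts with few failures on each,
    and report which accounts that IP then logged into successfully."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> failed count
    successes = defaultdict(list)                     # ip -> users logged in
    for rec in parse(log_text):
        if rec["event"] == "login_failed":
            failures[rec["ip"]][rec["user"]] += 1
        elif rec["event"] == "login_ok":
            successes[rec["ip"]].append(rec["user"])
    flagged = {}
    for ip, per_user in failures.items():
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_failures_per_account:
            flagged[ip] = {"accounts_tried": len(per_user), "succeeded": successes.get(ip, [])}
    return flagged
```

A flagged IP's "succeeded" list is the set of accounts to force a password reset on, since those are the ones whose password the spray actually matched.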
Why phishers target low value accounts
PCWorld talks about a recent phishing scam on Twitter. The question in the article is:
In this instance, it appears the site primarily used compromised accounts to spread the phishing links further. What, if any, broader goal was behind the effort is not yet clear.
I’ve posted about this before, but it seems prudent to talk about it again. Phishers will try to get credentials for websites that use email addresses as usernames for one main reason: people often use the same password on all accounts.
If a user is less worried about giving away his Twitter password – since what type of value could that have? – then that’s the best thing the phisher can target. The user is less likely to be worried about giving away that password, and therefore the conversion rate for the phisher is likely to be higher.
If I was a phisher, the other thing I’d think about is that the people who use Twitter are more likely to be tech savvy and, therefore, have lots of online accounts. Therefore, the passwords that I do steal would be more likely to be useful on other sites.
Seems like a good idea to be careful about random tweets!
Security Consistency: Should we standardize password requirements?
I saw a presentation earlier this week where a researcher was talking about consumer education with respect to security. The researcher said that one way to make security education more consistent would be for websites to all have consistent requirements around passwords. For example, all websites should require that passwords have at least 8 characters and include one capital letter, one digit, and one punctuation mark.
While I am all for having consistent messaging around security practices and even encouraging users to have secure passwords, I worry about the implications.
Imagine a world where every website had the exact same requirements for passwords. Even if the passwords were secure, the risk is allowing people to have the same password on every website. In this case, if the bad actors were able to phish the password for one of my accounts, and they had my email address, they would likely be able to access many of my accounts.
To make matters worse, once the bad actor has the password for one of my accounts, they will be able to log in to my email account, which will let them use the “forgot my password” function on almost any other account.
While I applaud researchers for thinking of ways to make security education more consistent, making password requirements consistent has more negative ramifications than benefits.
Anti-Phishing Education Messaging
The APWG has an amazing new initiative for educating consumers. When a phish site is shut down, ISPs are asked to redirect any clicks to the APWG’s redirect education page instead of showing a 404 error.
The power of this comes from leveraging the “teachable moment”: consumers are more likely to absorb a lesson if it is presented at the precise moment of the bad action (something my colleagues – Lorrie and PK – at CMU have studied in-depth).
This initiative is starting to get real traction. Several brands are already participating and I’ve been contacted by many more this week to get started. It’s a very exciting initiative to give consumers a consistent message from a group like the APWG at exactly the right time in the consumer’s online experience. American Banker has published an article about it (warning – you have to have a subscription to see the article – sorry).
In a similar vein, another colleague – Dave Piscitello – has a blog post on anti-phishing messaging on Gaia. It’s great to see anti-phishing messaging is getting to be more pervasive, especially given that the threats are very real.
Finally, for those of you attending the APWG conference next week, there is a cool video – it gives an overview of the topics to be covered in Barcelona.
“Equal Opportunity” Business Logic Exploits
There was a phishing attack against iStockPhoto a few weeks ago. A phishing attack against a new brand isn’t interesting in and of itself. What is interesting about this particular attack is that it wasn’t clear why the phishers were specifically targeting iStockPhoto.
Before we get into the various speculations and the actual reason, let’s talk a bit about what happened. The phishers used the same type of attack that they use on social network sites. They posted messages with links to the forums and through iStockPhoto’s internal messaging system. These messages had links in them that took you to fake iStockPhoto signin pages. iStockPhoto took the entire website down for several hours while they cleaned up the mess on their forums and in their internal email systems. Add to that the bad press they are getting, and their brand is probably suffering a bit right now.
This type of attack is perpetrated daily on the social network sites, but the results on iStockPhoto were a bit different.
There were several hypotheses about why the phishers would try to steal iStockPhoto passwords. Most of the theories I saw thought the phishers were using the credits in the iStockPhoto accounts to buy photos. Hmmm. Not sure why they would do that. To make their phishing emails look better? Phishing is all about marketing, but I’m not sure the phishers would go to those lengths when they can just copy a very well crafted email from a well known brand.
I had a different, and equally incorrect, hypothesis. My hypothesis was that the userID for an iStockPhoto account is an email address. Once you have someone’s email address and password to one account, there are lots of opportunities for badness. Since many online services use an email address as the userID and many people use the same password for all of their online accounts, you could do damage on a lot of websites with someone’s email address and password. And imagine tricking someone to give up their email address and password on iStockPhoto. It would probably be a lot easier than tricking them into giving up their password to their bank account. Their suspicion level would likely be fairly low when it comes to an iStockPhoto signin page. And then you could go try that email address/password combination all over the internet! But, alas, I was wrong.
I read a post today from one of the victims that said their credit card was charged for more than $1500 following the incident. Is it possible iStockPhoto showed a user’s credit card details in the clear if you went to that user’s account page? If they used to do so, they probably don’t show that information anymore.
If the phishers were going to the page that showed credit card information for users, this is a clear cut example of business logic abuse. There are lots of reasons to want to show the user which credit card they have on file (though you don’t need to show them the entire number). iStockPhoto needs that functionality as part of their business model. And yet, the phishers were able to exploit it for their evil ways.
I see two takeaways from this incident. First, the phishers are continuing to abuse legitimate business logic to perpetrate their crimes. Second, the phishers are truly becoming “equal opportunity” bad guys. No longer are they targeting only the well known brands when they can make their money off of the smaller, less popular brands. The small and medium sized brands out there better get ready – the internet bad guys are coming after you too!
Sometimes the good guys win!
Sometimes the good guys do win, as a 23-year-old foreigner is convicted in the US for phishing. An article in PC World gave some interesting details about the conviction and the tactics he used to commit online fraud – and this is just the tip of the iceberg of what is really going on out there. Here are some interesting points from the article:
- He was part of a larger phishing ring with six other Romanians, none of whom have been arrested
- They found 2,600 credit and debit card numbers linked to him, and that he had probably harvested more
- He was likely to have phished customers of People’s Bank, Wells Fargo, Suntrust, Amazon.com, PayPal and eBay, according to court documents
- He doesn’t appear to have written software himself, but assembled a large collection of online fraud tools, including a program called Web Data Extractor, which harvested e-mail addresses [common business logic abuse]
- He sent spam to victims using a program called Email Sender Express, which could send 30,000 spam messages per hour.
- He was able to take an average of US$960 per card number collected, prosecutors said
It’s a mixed blessing that the US convicts this 23-year-old with much fanfare, but it’s also frustrating that it’s 2009 and he’s the first foreigner who’s been convicted. As Laura Mather pointed out in her recent post, it’s very difficult to get a conviction, making it that much more compelling for overseas fraudsters to do this. We need to continue to pursue and prosecute, but in the meantime, we need every available solution to fight against online fraud.