"Social Engineering" and "Phishing"...

AplusWebMaster · Sergeant Joined: Mar 14, 2004 Posts: 124 Location: USA

FYI...

"Social Engineering" is a relatively "new" term in use nowadays, unfortunately, -not- in a good way.

'Thought it might be a good idea to start a thread on the subject for familiarization purposes. It was briefly spoken about in this thread ( http://computercops.us/postlite24671-.html ) with regard to "phishing", an -ugly- technique used by those who would like to -steal- your personal information, for unscrupulous purposes.

And just within the last day or so, two new pieces of malware were unleashed on unsuspecting e-mail users:
- http://www.securitypipeline.com/news/sh...ticle=true
"...Both Sober.f and Netsky.s arrive as file attachments in e-mail messages that sometimes claim that they've been scanned for viruses, and that no malicious code has been detected. "The ploy of adding a 'No virus found' message at the bottom of the e-mail is deliberately designed to appeal to those who are too impatient to practice safe computing..."

And today:
Online phishing uses new bait - One click sends unwary users to fake websites
- http://www.vnunet.com/News/1154101
April 06, 2004
"A new phishing attack is being used to hook unwary web users...When a phishing victim clicks on a link in an email pretending to come from their bank or another company, they are sent to a fake website which will then try to steal bank account details or other information...The new trick uses software that detects the user's browser and applies custom JavaScript to replace the look and feel of the web address bar with an appropriately designed working fake, to fool people into thinking they are visiting a legitimate site...Phishing attacks are increasing in frequency and sophistication. February recorded the busiest month with 282 email attacks, a 60 per cent rise on January's record total, according to the APWG..."

...More to come. Be aware, and maybe a bit wiser, to these scams.

phratkie · Corporal Joined: Apr 04, 2004 Posts: 59 Location: Canada

A really good book on social engineering is "The Art of Deception" by Kevin Mitnick

AplusWebMaster · Sergeant Joined: Mar 14, 2004 Posts: 124 Location: USA

FYI...

Billions of 'Phishing' Scam E-Mails Sent Monthly
- http://www.reuters.com/newsArticle.jhtm...ID=5062666
May 6, 2004
"...Over the past nine months, the monthly volume of phishing e-mails has risen nearly ten-fold to 3.1 billion worldwide in April, San Francisco-based e-mail filtering firm Brightmail said. Brightmail said its spam filters sift through 96 billion e-mails each month. Police suspect organized crime gangs from Eastern Europe are the main culprits in the multi-billion dollar racket...Brightmail added that a recent sinister twist to the phishing scam has emerged in which the e-mails contain Trojan programs capable of installing themselves on an unwitting computer user's machine to steal information by logging key strokes. The phenomenon is weighing on consumer confidence in e-commerce, anti-fraud firm Cyota said. According to a recent Cyota survey of online bank account-holders, 74 percent said they were less likely to shop online due to the threat of phishing attacks."
Sad

AplusWebMaster · Sergeant Joined: Mar 14, 2004 Posts: 124 Location: USA

FYI...

Phishing Jumps Almost 500 Percent In Five Months Sad

- http://www.securitypipeline.com/news/sh...ticle=true
May 14, 2004
"More bad news about phishing attacks arrived Friday via message filtering firm SurfControl when it unveiled numbers showing the scams have increased nearly 500 percent since January. Phishing attacks are spam messages that pose as legitimate mail from big-name banks, credit card companies, and retailers. Links within the messages entice recipients to bogus Web sites, where they're told that their account information needs to be updated. Users who fall for the con divulge personal financial data...used by the attacker to siphon funds, purchase goods, or steal identities...the hackers have used Javascript code to overlay a fake address bar that shows the real US Bank URL on the browser's real address bar. The new tactic makes the spoof more realistic, Larson said, than earlier phishing attacks, which exploited an Internet Explorer bug to display the URL of the spoofed company. A patch exists for the flaw, but the new technique can target even those systems which have been patched. According to Gartner, victims of phishing attacks are three times more likely to suffer some form of identity theft than the general population."

AplusWebMaster · Sergeant Joined: Mar 14, 2004 Posts: 124 Location: USA

FYI...

- http://www.infoworld.com/article/04/05/...ket_1.html
May 18, 2004
"...The growing problem also points to increasing interest in the scams by malicious hacking groups and organized crime, Maier said. "We've had confirmation from law enforcement in the U.S. that organized crime is behind some of these scams. We also do work looking at hacker sites, and we can see that hackers and script kiddies are definitely paying attention to this phenomenon and are beginning to work together," he said..."

(The Anti-Phishing Working Group reports over 1,100 unique phishing campaigns for April 2004, an increase of 178% over the number of attacks in March. From February to March, phishing attacks increased by only 43%, particularly targeting financial services and retail. Citibank was targeted by 475 unique phishing attacks in April, with eBay at 221 and PayPal at 135. APWG has evidence suggesting that phishing webpages are traded between phishers in much the same way as spammers trade e-mail addresses. Criminal organizations are using phishing scams as well. Research from Gartner suggests that as many as 3% of phishing attacks are successful, affecting 1.78 million adult users.) Sad

AplusWebMaster · Sergeant Joined: Mar 14, 2004 Posts: 124 Location: USA

FYI...

E-Mail Scammer Gets Four Years
- http://www.securityfocus.com/printable/news/8711
May 19 2004
"An Internet scammer who used e-mail and a fraudulent Web site to steal hundreds of credit card numbers was sentenced to almost four years in jail Tuesday, one of the stiffest-ever penalties handed down for online fraud. Houston, Texas federal court Judge Vanessa Gilmore sentenced Houston resident Zachary Hill to 46 months in jail for his role in duping consumers into turning over 473 credit card numbers...Hill, 20, used a "phishing" scheme to make his e-mail look like it came from America Online, the nation's largest Internet service provider, or PayPal, the online payment subsidiary of auction giant eBay. The message told victims that their accounts had lapsed and that the companies required their credit card numbers and passwords to restart them. Hill prompted recipients to enter their information into Web forms designed to look like pages run by the companies, the Justice Department said. Hill then used the credit card numbers to buy $47,000 in goods and services..."

AplusWebMaster · Sergeant Joined: Mar 14, 2004 Posts: 124 Location: USA

FYI...

Catch Them If You Can
- http://www.crn.com/Components/printArti...leID=50445
May 25, 2004
"If you think identity theft is a problem now, just wait a minute. That was the sage warning offered up to solution providers by Frank Abagnale, a consultant to the FBI on forgery and identity theft whose early life was the subject of Steven Spielberg's film, "Catch Me If You Can"...With today's technology access, Abagnale claimed he could find enough information to use any audience member's identity within 30 minutes to open a credit account, buy a car or even apply for a mortgage. "Every person is this room has a minimum of 22 pieces of information on the Internet," he said. Any average identity thief needs only two or three of those data points to perpetrate an identity theft. In 2000, the government reported there were roughly 750,000 victims of identity theft, resulting in a loss of $5 billion by banks and credit-card companies. Last year, there were approximately 9.9 million victims, resulting in an associated loss of $47 billion. Consider that more than 253,000 PDAs were left in airports alone during 2003, as an example, and it doesn't take a genius to realize the situation is only going to get worse, he said...Abagnale encouraged solution providers to adopt identity management tools that can help their corporate customers manage this access -- or risking allowing the information to find its way into the wrong hands, by accident or by design..."

AplusWebMaster · Sergeant Joined: Mar 14, 2004 Posts: 124 Location: USA

FYI...

Catch Them If You Can
- http://www.crn.com/Components/printArti...leID=50445
May 25, 2004
"If you think identity theft is a problem now, just wait a minute. That was the sage warning offered up to solution providers by Frank Abagnale, a consultant to the FBI on forgery and identity theft whose early life was the subject of Steven Spielberg's film, "Catch Me If You Can"...With today's technology access, Abagnale claimed he could find enough information to use any audience member's identity within 30 minutes to open a credit account, buy a car or even apply for a mortgage. "Every person is this room has a minimum of 22 pieces of information on the Internet," he said. Any average identity thief needs only two or three of those data points to perpetrate an identity theft. In 2000, the government reported there were roughly 750,000 victims of identity theft, resulting in a loss of $5 billion by banks and credit-card companies. Last year, there were approximately 9.9 million victims, resulting in an associated loss of $47 billion. Consider that more than 253,000 PDAs were left in airports alone during 2003, as an example, and it doesn't take a genius to realize the situation is only going to get worse, he said...Abagnale encouraged solution providers to adopt identity management tools that can help their corporate customers manage this access -- or risking allowing the information to find its way into the wrong hands, by accident or by design..."

AplusWebMaster · Sergeant Joined: Mar 14, 2004 Posts: 124 Location: USA

FYI...

Catch Them If You Can
- http://www.crn.com/Components/printArti...leID=50445
May 25, 2004
"If you think identity theft is a problem now, just wait a minute. That was the sage warning offered up to solution providers by Frank Abagnale, a consultant to the FBI on forgery and identity theft whose early life was the subject of Steven Spielberg's film, "Catch Me If You Can"...With today's technology access, Abagnale claimed he could find enough information to use any audience member's identity within 30 minutes to open a credit account, buy a car or even apply for a mortgage. "Every person is this room has a minimum of 22 pieces of information on the Internet," he said. Any average identity thief needs only two or three of those data points to perpetrate an identity theft. In 2000, the government reported there were roughly 750,000 victims of identity theft, resulting in a loss of $5 billion by banks and credit-card companies. Last year, there were approximately 9.9 million victims, resulting in an associated loss of $47 billion. Consider that more than 253,000 PDAs were left in airports alone during 2003, as an example, and it doesn't take a genius to realize the situation is only going to get worse, he said...Abagnale encouraged solution providers to adopt identity management tools that can help their corporate customers manage this access -- or risking allowing the information to find its way into the wrong hands, by accident or by design..."

AplusWebMaster · Sergeant Joined: Mar 14, 2004 Posts: 124 Location: USA

FYI...

Hackers prey on Internet banking
- http://www.taipeitimes.com/News/taiwan/...4478/print
Jun 10, 2004
(Taiwan's Criminal Investigation Bureau has arrested Chen Chung-shun, 30, on charges of stealing more than 45 million e-mail addresses, 200,000 online bank and auction site account numbers and passwords, and information on three figurehead bank accounts. Officials suspect Mr. Chen has been working with hackers from mainland China to plant Trojans on personal computers to steal bank account passwords. Mr. Chen told police he transmitted details on 100,000 bank accounts to the mainland hackers, and did not have back-up copies. Mr. Chen gathered the 45 million e-mail addresses in February 2004, and had sent 18 million Trojan infected e-mails within a month. Losses from unauthorized fund transfers are estimated to be around several million Taiwanese dollars, though full numbers are not yet known.)

AplusWebMaster · Sergeant Joined: Mar 14, 2004 Posts: 124 Location: USA

FYI...June "phishing" schemes: Sad

'eBay account verification needed':
- http://www.antiphishing.org/phishing_ar...eded).html
11-Jun-2004

Citibank and various other banks:
- http://www.antiphishing.org/phishing_ar..._map).html
10-Jun-2004

Fleet cardmember security update:
- http://www.antiphishing.org/phishing_ar...date).html
09-Jun-2004

e-gold - 'Please Verify Your Account':
- http://www.antiphishing.org/phishing_ar...ount).html
04-Jun-2004

Microsoft - 'current network critical patch'
- http://www.antiphishing.org/phishing_ar...atch).html
01-Jun-2004

Sad

AplusWebMaster · Sergeant Joined: Mar 14, 2004 Posts: 124 Location: USA

FYI...add another:

eBay - 'TKO NOTICE: Pay your fees to eBay.com'
- http://www.antiphishing.org/phishing_ar....com).html
14-Jun-2004

Sad

AplusWebMaster · Sergeant Joined: Mar 14, 2004 Posts: 124 Location: USA

FYI...

- http://www.techweb.com/wire/story/TWB20040615S0008
June 15, 2004
"...Using data from an April, 2004, survey of 5,000 U.S. adults who use the Internet and e-mail, Gartner estimated that nearly 2 million Americans fell victim to checking account fraud in the last 12 months. The cost to banks and consumers: a staggering $2.4 billion in direct losses, or an average of $1,200 per victim...

The top two methods scammers are using to lift bank account numbers are keyloggers planted by spyware -- software typically loaded onto a computer without the consumer's knowledge -- and phishing attacks, e-mail messages that try to trick users into divulging financial information..."What we're hearing from out clients is that keyloggers are now just as prevalent as phishing attacks..."

AplusWebMaster · Sergeant Joined: Mar 14, 2004 Posts: 124 Location: USA

FYI...

- http://www4.gartner.com/5_about/press_r...228_11.jsp
June 15, 2004
"...Just by clicking on a pop-up ad, Web users can inadvertently download spyware (technology that gathers information about a person or organization without their knowledge). In these situations, when users click on the ad, it traps the user ID and password for their online bank account without them ever knowing about it. "It will take time for the financial services industry to develop sophisticated back-end tools, but banks must implement stronger access controls to online and telephone banking systems...Shared-secret authentication is a good practical solution for strengthening access controls for online and telephone banking..."

In terms of absolute number of victims, checking account hijacks were the second most prevalent type of crime in the 12 months ending April 2004. The most common was the much more familiar fraudulent credit card purchase, where a thief uses a stolen credit card to buy goods or services..."

AplusWebMaster · Sergeant Joined: Mar 14, 2004 Posts: 124 Location: USA

FYI...recent add(s) to June "Phishing" list:
("The number and sophistication of phishing scams sent out to consumers is continuing to increase dramatically...The Anti-Phishing Working Group has compiled a list of recommendations...that you can use to avoid becoming a victim of these scams..." - http://www.antiphishing.org/consumer_recs.htm )

eBay - 'Ebay(R) Re-Activation Unit'
- http://www.antiphishing.org/phishing_ar...Unit).html
17-Jun-2004

Fleet - 'Online banking - protect yourself from internet fraud'
- http://www.antiphishing.org/phishing_ar...raud).html
15-Jun-2004


	Home ˇ Topics ˇ Submit News ˇ Top 10 This entire site, Cops Themes, and Computer Cops are Š 2002 - 2004 Computer Cops, LLC. All rights reserved. You can syndicate our news using the file RSS 0.91, ultramode.txt, or RSS 1.0. Acceptable Use Policy. Use signifies your agreement. Engine Copyright Š 2002 by PHP-Nuke, GNU/GPL Licensed. ICRA Member. Paul Laudanski, Member of Computer Cops, LLC Server Load: 1029 pages served in previous 5 minutes. Page Rendered: 0.500 seconds.