Tag: phishing

Lithuanian phishes two big US tech companies

A 48-year-old Lithuanian scammer named Evaldas Rimasauskas managed to trick two American technology companies into wiring him $100 million.

According to the US Department of Justice, Rimasauskas masqueraded as a prominent Asian hardware manufacturer and tricked employees into depositing tens of millions of dollars into bank accounts in Latvia, Cyprus, and numerous other countries.

What is amazing about this rather bog-standard phishing scam is how much cash he walked away with and the fact that it was the IT industry, which should have known better.

The indictment does not name and shame the companies. The first company is a “multinational technology company, specializing in internet-related services and products, with headquarters in the United States”. The second company is a “multinational corporation providing online social media and networking services”.

Both apparently worked with the same “Asia-based manufacturer of computer hardware,” a supplier that the documents indicate was founded some time in the late ’80s.

Representatives at both companies with the power to wire vast sums of money were still tricked by fraudulent email accounts. Rimasauskas even went so far as to create fake contracts on forged company letterhead, fake bank invoices, and various other official-looking documents to convince employees of the two companies to send him money.

Rimasauskas has been charged with one count of wire fraud, three counts of money laundering, and aggravated identity theft. In other words, he faces serious prison time if convicted — each charge of wire fraud and laundering carries a maximum sentence of 20 years.


Half of users click on everything a phisher sends

Security experts were shocked to discover that half of internet users are so stupid that they click on everything anyone sends to them.

The study by German researchers found that about half of the subjects in a recent experiment clicked on links from strangers in e-mails and Facebook messages. What is worse is that they had previously indicated that they were aware of phishing risks.

The researchers at the Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany revealed the initial results of the study at this month’s Black Hat security conference. Simulated “spear phishing” attacks were sent to 1,700 test subjects—university students—from fake accounts.

The e-mail and Facebook accounts were set up with the ten most common names in the age group of the targets. The Facebook profiles had varying levels of publicly accessible profile and timeline data—some with public photos and profile photos, and others with minimal data. The messages claimed the links were to photos taken at a New Year’s Eve party held a week before the study. Two sets of messages were sent out: in the first, the targets were addressed by their first name; in the second, they were not addressed by name, but more general information about the event allegedly photographed was given. Links sent resolved to a webpage with the message “access denied,” but the site logged the clicks by each student.

The messages that addressed the targets by name scored clicks from 56 percent of e-mail targets and 37 percent of Facebook message recipients. But while the less-targeted messages in the second test only yielded 20 percent results for the e-mails, they scored 42 percent via Facebook messages.

FAU Computer Science Department Chair Dr Zinaida Benenson was stunned by the results, as more than 78 percent of participants stated in the questionnaire that they were aware of the risks of unknown links. But 45 percent had clicked on the links.

For those who admitted to clicking on the link, the majority said they did so out of curiosity. Half of those who didn’t were warned off because they didn’t recognise the sender’s name, and a small minority avoided clicking because they were concerned about the privacy of the person who may have accidentally sent them the link.

“I think that with careful planning and execution, anyone can be made to click on this type of link, even if it’s just out of curiosity,” Benenson said.


UK cybercrime figures soar

A report from the UK Office of National Statistics (ONS) estimates that there were 2.5 million cyber crime offences this year.

Fraud offences in general were up, but the ONS thinks that cybercrime, including hacking, is on the rise.

The ONS sampled 2,000 people to come up with its cybercrime figure, which includes frauds committed online.

It is the first time the ONS has delivered data about cybercrime, which includes not just hacking and phishing but virus infection too.

It also includes email hacking or hacking of social media accounts, such as Facebook and Twitter.

The ONS said that its figures don’t necessarily indicate a massive rise in crimes because of the number of offences that previously weren’t part of its counting methods.

IBM opens up its threat database

Big Blue said that it will make a huge library of security intelligence available using the IBM X-Force Exchange.

That’s powered by IBM Cloud.

IBM said this will give access to volumes of IBM and third-party threat data from around the world, in a bid to defend people against cyber crime.

The company said trusted threat intelligence is more important than ever before because 80 percent of attacks are initiated by crime rings which share data, tools and intelligence.

The data comprises over 700 terabytes of raw aggregated data which includes 15 billion monitored security events a day, malware threat intel from over 270 million endpoints, threats based on over 25 billion web pages and images, intelligence on over eight million spam and phishing attacks, and reputation data on close to one million malicious IP addresses.

The idea is that organisations will collaborate to provide information and to access information from the IBM database.

Iranians get phished before election

Google is warning its Gmail users in Iran that they are being targeted by phishing attacks, which appear to be politically motivated.

The Iranians are coming up to a general election and Google is worried about a significant jump in malicious activity.

Writing in its Online Security blog, Google said that the timing and targeting of the campaigns suggest that the attacks are politically motivated in connection with the Iranian presidential election.

The campaigns originate from within Iran and represent a significant jump in the overall volume of phishing activity in the region.

The new campaign is a simple lure to get unsuspecting users to enter their credentials into another site, without resorting to more sophisticated measures such as faking security certificates.

Given that opposition groups rightly feel that the elections will be stolen, and are likely to create some unrest after the result, it might be that the phishing campaign is meant to net some hard data on those likely to cause trouble. Those using Google accounts are perceived as more likely to be pro-democracy.

Still it is a very hit and miss approach, and if the phishing numbers are big enough for Google to notice then the people hit are going to include large numbers of people who do not support the opposition.

The Iranians are talking about building their own internal internet and disconnecting from the worldwide wibble. This would mean that its government would control all forms of communication and render any underhand tactics unnecessary.

Financial Times hacked by Syrian Electronic Army

The Syrian Electronic Army, which is basically the cyber branch of Assad in Syria, has managed to hack the Financial Times.

Pro-Assad hackers have targeted numerous news sites in the past, including parody news site The Onion, with mixed success. On Friday they managed to hack FT’s Twitter account and Tech Blog. We are not sure about the latter, but it might indicate that Assad’s followers aren’t huge Apple fans, unlike their leader. 

The FT said the accounts were seized after a phishing attack targeting company emails. The Syrian Electronic Army used the exact same approach when it hacked The Onion. It also hit the Associated Press, the Beeb, Al Jazeera and The Guardian, reports Ars Technica.

The success of the FT and Onion attacks seems to indicate that even big outfits aren’t very good when it comes to phishing attacks, which are one of the oldest tricks in the book.

Banks may not have to pay for phished users

If you are dumb enough to fall for a phishing scam, you have only yourself to blame and your bank does not have to bail you out, a top German court has decided.

The German Federal Court of Justice in the southwestern city of Karlsruhe has ruled that clients, and not banks, are responsible for money lost in online phishing scams.

A German retiree lost $6,608 in a bank transfer fraudulently sent to Greece as part of a phishing scam.

According to The Local, the man gave phishers 10 transaction numbers, also known as TAN codes, which are commonly used in German banks, on a site which looked like his bank’s site, Sparda Bank.

The court ruled the bank had specifically provided warnings to its customers against this practice, so the man was responsible.

The customer argued that the bank had a duty to protect its customers from the abuse of these codes. So far, however, the courts have not agreed.

Sparda Bank had warned that it was “widely known” that being asked to input multiple TAN codes was a sure-fire sign of phishing.

It is not clear at this point how influential this ruling will be in the rest of the EU. Certainly we expect the court’s arguments will be touted in similar cases throughout the region.

RSA says hackers used a Flash hole

The infamous breach of RSA, which has basically stuffed up the insecurity outfit’s two-factor authentication SecurID tokens, was a simple phishing expedition.

The company has told the world that the attack, which shook the insecurity industry, was managed by phishing e-mails and an exploit for a previously unpatched Adobe Flash hole.

Apparently, the hacker sent two phishing e-mails over a two-day period with a subject line of “2011 Recruitment Plan.”

The mail ended up in the baskets of two small groups of employees who weren’t considered particularly high-profile or high-value targets.

Writing on his blog, Uri Rivner, head of new technologies in consumer identity protection at RSA, said that attached to the e-mails was a poisoned Excel file.

This exploited a hole in Adobe Flash which installed a backdoor that allowed the attacker to take control of the computer, he wrote.

Adobe fixed the vulnerability after RSA’s announcement but failed to mention to the world that it had been used in the RSA attack.

The type of attack RSA was hit with is known as an “Advanced Persistent Threat” (APT). To do this you have to know a lot about the outfit’s operations, network, and employees.

Normally, attackers have months to snuffle around the network, but RSA stopped this attack early. The attacker managed to “identify and gain access to more strategic users” but only had time to harvest access to some data.

They raised privileges on non-administrative users and then moved on to gain access to key high-value targets. Data was copied and moved to servers inside the company, where it was compressed and encrypted, and then sent to a server at a hacked hosting provider.

It is still not clear what information was stolen in the raid. 

Microsoft develops Internet Fraud Alert

Microsoft has teamed up with the National Cyber-Forensics and Training Alliance (NCFTA) and several other organisations to form Internet Fraud Alert, a system designed for reporting and recovering account credentials that were stolen online.

The other companies participating in the new scheme are Accuity, the American Bankers Association, the Anti-Phishing Working Group, Citizens Bank, eBay, the Federal Trade Commission, the National Consumers League, and PayPal.

Microsoft has developed new technology specifically for this program which will swiftly inform any of the above companies about stolen account details, allowing the institutions to take the necessary action to lock or close accounts and inform customers of the fraud.

Researchers working for the security industry have been spotting stolen credentials on the internet for ages, but there is no single system in place for reporting them to the relevant bodies. Internet Fraud Alert is intended to bridge the gap and ensure that phishing attacks and other means through which people’s credentials are stolen are spotted and dealt with as early as possible.

Phishing attacks are on the rise, with over 410,000 unique phishing e-mail reports received by the Anti-Phishing Working Group in 2009 alone. With the Internet Fraud Alert system in place that means a substantial number of people’s details will be reclaimed as soon as the fraud is discovered – in theory.

TechEye talked to Graham Cluley, Senior Technology Consultant at Sophos, about the new endeavour. He believed it was “a great initiative”, saying that he “hoped the new system will make it easier to report securely information about online fraud and share data with the relevant authorities and institutions when stolen information is stumbled upon by security researchers.”

“Our hope is that systems like this will help to shut down security holes quickly and limit the amount of information about innocent individuals that cybercriminals are able to steal,” he added.

However, he was quick to state that users should not rely solely on this as a defence against online fraud. “Both consumers and online businesses have to invest in protection mechanisms to reduce the threat – but this initiative certainly has a part to play.”


Financial Fraud Action UK tells us that Microsoft’s on the right track here:

“The IFA initiative is a step in the right direction, however in the UK, banks already have arrangements in place to identify and recover stolen card data and customer credentials. Investing in these systems, which minimise the damage when information is stolen or gets into the wrong hands, is only one form of protection in our multi-layer approach. In the UK we focus on preventing the fraud from occurring in the first place.

“To this end we work with a number of stakeholders, both governmental and industry, such as Microsoft, to inform consumers about possible threats and provide them with advice to stay safe. We also run a number of consumer awareness campaigns on behalf of the industry.”

Financial Fraud Action UK recommended that if you’re interested in finding out more, you should head to: www.banksafeonline.org.uk, www.becardsmart.org.uk, www.cardwatch.org.uk and www.identitytheft.org.uk.

O2 warns of shady marketing phishing scam

O2 is warning customers not to give out any personal information if they are called by people pretending to be part of the company and asking about web browsing habits.

The warning comes as TechEye spotted a Tweet by Dan Lane from Pibbix. He wrote: “Had a strange call from @O2 saying ‘we notice you’ve been looking at the HTC desire on our website’.. very strange!!”, before adding: “(to be fair to @o2, I was probably logged in).”

We contacted Dan, who told us he was an O2 customer and had been looking at the HTC Desire page the other day so he could advise a colleague on his purchase. “I haven’t had a call like this from them before,” he told us. He also added he hadn’t been logged on at the time, but he was unsure if the site had used cookies present in his browser that linked to his account, which they could have used to identify him.

We had never heard of a company doing this before so we called up O2 as a concerned customer. An employee at customer services told us: “We never call customers who have been looking at products on the site even if they are signed in or not.

“The only calls we’ll ever make is an automated billing one or a call back following a request. This call seems to be a phishing escapade and could have been as a result of someone hacking into a wireless account and trying to obtain information.”

He warned customers never to give out any personal details if they come across such a call.

However, Dan says that his wireless connection is secure. He also says that caller ID revealed the company which called him is a marketing agency called LBM, which claims that O2 is a client for outbound marketing campaigns. We tried to contact this company to see what it had to say and whether it felt OK that a client, O2, reckons it’s running a “phishing scam”. However, it seems it’s too busy making more of these calls, as we haven’t heard back.

We also contacted Graham Cluley, Senior Technology Consultant at Sophos, to get his view, but he was baffled as to how Dan’s details could have been taken from the website. He suggested that perhaps O2 did actually have a widget that identified customers’ page views and sent them through to the marketing agency. He also said that another possibility, although unlikely, was that the PC had spyware that monitored the sites he was looking at and fed them through to a company.

“I’d have to look at the machine he was using to be sure though,” he told us.