Fraud

Protecting Your Business from Online Banking Fraud

I’m pleased to see some professionals with clout advocating a security practice I have often recommended to my clients. Brian Krebs of The Washington Post and SANS Institute are both pushing the use of Linux live CDs for online banking. Krebs’ latest article, “Avoid Windows Malware: Bank on a Live CD,” starts off by recommending people NOT use Microsoft Windows for online banking:

An investigative series I’ve been writing about organized cyber crime gangs stealing millions of dollars from small to mid-sized businesses has generated more than a few responses from business owners who were concerned about how best to protect themselves from this type of fraud.

The simplest, most cost-effective answer I know of? Don’t use Microsoft Windows when accessing your bank account online.

Krebs has reported frequently about some of the more prominent online banking fraud incidents, including the hack against Bullitt County, Ky. and two California firms that lost a combined total of more than half a million dollars, both of which were using two-factor authentication requiring the use of a security token.

The credential-stealing Trojans used in these attacks were designed to avoid detection by normal anti-malware software, so the victims had no clues that they had been infected. With the huge amounts of money involved, it’s likely the cybercriminals have evolved their programming skills to the point where it will be difficult for security firms to keep up.

It’s not surprising, then, that SANS, as a direct result of Krebs’ reporting, issued a challenge to its students to create a white paper to determine the most effective methods for small and mid-sized businesses to mitigate the threat from these types of attacks. The report, “Protecting Your Business from Online Banking Fraud,” addresses the issue. Here’s that report’s Abstract:

Recently, small and medium businesses have lost millions of dollars from fraudulent electronic financial transactions.  This paper reviews the threat and provides guidance for mitigating the threat.  These crimes typically begin with a phishing email targeted at the comptroller or other staff in the finance department.  After the comptroller’s computer is compromised, sophisticated malware is used to eavesdrop on the comptroller’s activity and account credentials for financial systems.  Once the attackers have the required information, they begin to steal money with fraudulent transactions in amounts below $10,000.  These smaller amounts fly under the laundering detection mechanisms in the US Bank Secrecy Act.  In many cases, repeated transactions have added up to hundreds of thousands of dollars lost by individual organizations.  The paper provides a number of possible ways to mitigate these types of attacks.  A defense in depth approach is used to provide multiple mitigation recommendations.  The number one recommended mitigation is to use a read-only bootable alternative media (ROBAM) as an isolated environment for financial transactions. [emphasis added] The mitigation steps also include protecting the email address of the comptroller, network protection, endpoint protection, virtual machines, awareness training, policy changes and monitoring financial transactions.

I highly recommend that everyone responsible for security in their organization read this paper.

Malvertising an Ever-expanding Threat

As if we don’t already have enough to deal with, it seems that malvertising–a technique where malicious code is placed in an online ad to either mislead the user or infect their computer—is on the rise. Microsoft recently filed five lawsuits against unnamed individuals accusing them of posting ads containing malicious and deceptive code on its MSN advertising network. And when Microsoft stands up and takes notice against a threat, you know it has some teeth.

The lawsuits Microsoft filed allege that individuals doing business as Soft Solutions, Direct Ad, “qiweroqw.com” (that’s a randomly generated name if there ever was one), ITmeter INC, and “ote2008.info” used malverstisements to either spread malicious code or deceive users into visiting websites that peddle scareware. Microsoft hopes that by filing civil suits in the U.S., the individuals responsible will be discovered and enjoined from continuing to post malvertising.

Recall that last week, as reported in The Register, an ad appeared on the New York Times web site offering a virus scan that then attempted to sell scareware to the user (“NYT scareware scam linked to click fraud botnet”).

As always, I recommend using a secure browser (Firefox with NoScript) and keeping your OS and security software up to date. Oh, yes, and a healthy serving of general caution couldn’t hurt.

Caveat araneo-fluitator! (Let the web-surfer beware!)

What do you think? Leave a comment!

Twitter Security: TwitBlock Blocks the Spammers

Besides being a security Geek, I’m also an Internet marketer (no, not the bad kind—the good kind—I actually try to help people with what I sell). Twitter, at first blush, appears to be a great way to get your message out; it probably is, if done right, but it’s also easily abused. Yes, Twitter gets spam, too. The spammers are relatively easy to spot; you see them sending out multiple marketing messages in rapid succession, often using different profiles for the same message.

Here’s the rub: Because Twitter only allows 140 characters per tweet, the URLs are always shortened, therefore it’s difficult to identify their target. My policy is to never click on a link in a tweet from someone I don’t know, especially when I see them sending multiple tweets trying to get me to take action of some sort. That’s a dead giveaway that the person or persons controlling the profile are spammers or scammers.

Enter TwitBlock, a junk filter and bulk blocking tool for Twitter users. Here’s what they say:

You may think you have a loyal following of people who find you interesting, or amusing, but they’re probably not all real people. Among your followers will be a wide spectrum of fully automated, or computer aided Twitter accounts. They will range from reputable companies looking to profile and market to you, to fake profiles directing you to adult websites. At the very worst you will find the spammers and phishing gangs - the same junk you get in your email inbox, designed to sell you fake pharmaceuticals, or trick you into parting with your passwords or credit card numbers.

An easy way to spot the spammers on your own is to look for duplicate profile images. I have my own handsome mug posted on my Twitter profile and I’m sure no one else is using it. Spammers tend to use pics of attractive women, often “R” rated, or generic photos. TwitBlock maintains a list of the top 20 duplicate profile pics (Warning: some are inappropriate for young viewers!)

The application is still in alpha, but consider testing it. Just give it some thought before you block “Annette552” who may just be your next door neighbor in disguise, but who is more likely to be a spammer out to get your credit card info. You be the judge.

Fraud Alert: eBay, craigslist Broken?

Bruce Schneier’s June 19, 2009 post Fraud on eBay stands as a testament to the fact that all is not well with the online auction giant.

I expected selling my computer on eBay to be easy.

Attempt 1: I listed it. Within hours, someone bought it — from a hacked account, as eBay notified me, cancelling the sale.

Attempt 2: I listed it again. Within hours, someone bought it, and asked me to send it to her via FedEx overnight. The buyer sent payment via PayPal immediately, and then — near as I could tell — immediately opened a dispute with PayPal so that the funds were put on hold. And then she sent me an e-mail saying “I paid you, now send me the computer.” But PayPal was faster than she expected, I think. At the same time, I received an e-mail from PayPal saying that I might have received a payment that the account holder did not authorize, and that I shouldn’t ship the item until the investigation is complete.

That’s one example of eBay fraud. Another report in The Consumerist, “It’s Now Completely Impossible To Sell A Laptop On Ebay,” shows another variation, clearly a Nigerian scam:

So I re-listed the item. This time, I lowered the minimum bid and paid for the ‘featured item’ option (which I thought was a stupid idea, but the only way to get my auction seen by any appreciable audience). This time, the auction ended without incident. I got an email from the bidder telling me that he was glad to have won the auction, and was excited for me to ship it… To Nigeria.

Let it be known here that though I may not be the smartest person in the world, I’m not stupid. His email went on to explain (in poor English) that he was ‘on business trip to the Nigeria,’ and that he was willing to pay me $1000 through PayPal for the laptop. Shortly thereafter I received an email from ‘PayPal’ (who is now apparently sending out their customer service emails from gMail), stating that I had received a payment, but that it would not show up in my account until I emailed them back the tracking number for the parcel. Very clever, but once again, I’m not stupid.

While I haven’t had this type of problem on eBay, I have experienced similar fraud on Craig’s list. Here’s a short excerpt from one of the emails I received from the fraudster (reportedly sent by USPS):

Thanks you for using Postal Money Order, The payment for your merchandise has been paid for,we have your $500:00USD money order sent to you by the buyer of your item Lewis Jack in our database, as soon as the item is shipped, please forward us with the shipping tracking number, so your $500:00USD money order can be mailed to your address, your money order is secure and save.

We will be glad to inform you that the payment sent to you by Lewis Jack has been processed and verified, your payment is now on hold for 48 hours from the period of time you recieve this email, we will be sending you a shipment notification email as soon as we recieve the shipment tracking number for the item your buyer purchased.

Based on the blatant outpoints in grammar and punctuation, it’s pretty obvious that this didn’t come from the United States Postal Service. It’s clearly a scam and I would never see payment if I were stupid enough to ship the item.

I’m about to list a rather expensive router on eBay and if I have any experiences similar to those of Mr. Schneier and the other gentleman, I’ll post details here.

It appears, though, that unless you’re selling low value or garage sale class items, the watchwords are: “Caveat venditor” (let the seller beware).