2007

Bank customers arrested for being Phishing “mules”


Understanding modern Internet risks means understanding how the money flows. This article describes how cyber criminals recruited bank customers to help them transfer money obtained through phishing attacks. Internet fraud involves not only the technical hackers and confidence artists, but also “mules” who carry the money.

Alleged Phishing ‘Mules’ Arrested – Desktop Security News Analysis – Dark Reading

Dutch authorities have arrested 14 ABN AMRO customers who allegedly let cybercriminals use their bank accounts to hide and transfer stolen money from other customers of the bank.

The 12 men and two women were paid for their “services” by the Russian and Ukrainian cybercriminals, but reportedly did not actually steal the information themselves. They instead acted as “mules,” storing and eventually transferring the stolen money overseas to Russia and other countries.


Another example of a Trojan program for banking fraud


Here is another example of a Trojan program designed specifically for banking fraud. Once users are infected, which can happen via drive-by downloads or phishing attacks, the Trojan can launch a man-in-the-middle attack and take over a banking session. The Trojan is then able to perform transactions as if it were the legitimate user.

It is important to note the sophistication of this attack. The Trojan is centralized and dynamic, and will download customized fraud instructions once it determines which bank a customer uses.

Hackers Use Stealthy, New Prg Banking Trojan to Attack Commercial Banking Clients in Four Countries – Research – SecureWorks

SecureWorks has discovered a stealthy, new Prg Banking Trojan. This new variant is the malware behind Zbot, a new botnet designed specifically to do banking fraud. The hackers using this new malware are specifically targeting banking clients that have commercial accounts. The banking variant has been designed and is being used by the Russian UpLevel hacking group and some German affiliates. The UpLevel hackers are staging their latest attacks using data centers in Moscow, Russia, and Mumbai, India.


People don’t care about privacy, they care about surprises


Here is an interesting post from Seth Godin’s blog on privacy (thanks to David Fraser for the pointer). The argument is that people don’t care about privacy, as long as their private information is handled in the way they expect. When they are surprised about how their personal information is handled, that’s when they get concerned.

Seth’s Blog: People don’t truly care about privacy

There’s been a lot of noise about privacy over the last decade, but what most pundits miss is that most people don’t care about privacy, not at all.

If they did, they wouldn’t have credit cards. Your credit card company knows an insane amount about you.

What people care about is being surprised.


ISP web data insertion in Canada


The issue of network neutrality and Internet Service Provider (ISP) modification of Internet services is gaining attention. Here is an example from Lauren Weinstein where Rogers is inserting their own web page information when their subscribers visit Google’s home page, presumably without the permission of Google. We need to pay attention to what our ISPs are doing, and any modifications that will limit or modify how subscribers access one service versus another.

Google Hijacked — Major ISP to Intercept and Modify Web Pages

Will Web service providers such as Google and many others, who have spent vast resources in both talent and treasure creating and maintaining their services’ appearances and quality, be willing to stand still while any ISP intercepts and modifies their traffic in such a manner?


Q&A with Bruce Schneier offers a good summary of security philosophy


Here is an interesting article from the NY Times where Bruce Schneier, a well-known security guru, answers a series of questions and ends up summarizing his philosophy on security. Very interesting reading.

Bruce Schneier Blazes Through Your Questions

Last week, we solicited your questions for Internet security guru Bruce Schneier. He responded in force, taking on nearly every question, and his answers are extraordinarily interesting, providing mandatory reading for anyone who uses a computer. He also plainly thinks like an economist: search below for “crime pays” to see his sober assessment of why it’s better to earn a living as a security expert than as a computer criminal.


When is anonymous data not anonymous?


Here is some interesting research by Arvind Narayanan and Vitaly Shmatikov at the University of Texas at Austin on privacy breaches from supposedly “anonymous” databases.

For researchers studying human behavior, getting access to data about human actions and opinions is very valuable. In some cases, such data is made available to researchers, but the data is supposed to be anonymized to protect the identity of the people involved. Netflix recently did this when they released a database of movie ratings as part of a competition. Contestants were offered a prize of $1 million if they could improve the accuracy of predictions about what movies people will like based on their past ratings.

Even though Netflix removed all personal information from the data when they released it, this research demonstrated that the pattern of ratings that the anonymous Netflix users made could be used to identify them. The issue is caused by a parallel, non-anonymous movie rating service at the Internet Movie Database (IMDb). If people rated the same movies at roughly the same time on the private Netflix service and the public IMDb service, then the patterns of ratings could be matched.

The privacy issue is that people may have made more sensitive ratings on what they thought was a private Netflix rating service, only to find that Netflix had revealed their personal data. Not only could the person’s login information on the IMDb be determined, but the research also demonstrated the kinds of inferences that can be made by examining the patterns of ratings:

First, we can immediately find his political orientation based on his strong opinions about “Power and Terror: Noam Chomsky in Our Times” and “Fahrenheit 9/11.” Strong guesses about his religious views can be made based on his ratings on “Jesus of Nazareth” and “The Gospel of John”. He did not like “Super Size Me” at all; perhaps this implies something about his physical size? Both items that we found with predominantly gay themes, “Bent” and “Queer as folk” were rated one star out of five. He is a cultish follower of “Mystery Science Theater 3000”. This is far from all we found about this one person, but having made our point, we will spare the reader further lurid details.

Researchers often rely on organizations that collect data about human behavior to make the data available for research. Developing good methods of protecting privacy while allowing research is important. There are techniques that can be used to anonymize datasets for research while providing privacy, and this research illustrates their importance.

There is some interesting discussion about the research at the physics arXiv blog and Slashdot.
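A data custodian can measure this exposure before releasing a dataset. The sketch below is an added example, not code from the researchers or from Netflix: it uses a constructed four-record release and a simplified exact-match test (the names `RELEASE`, `consistent`, `candidates` and `reid_risk` are assumptions) to compute how often knowing two of a subscriber's ratings singles out one record, with and without rating dates.

```python
from datetime import date
from itertools import combinations

# Constructed release: pseudonymous id -> {title: (stars, date rated)}.
RELEASE = {
    1001: {"A": (5, date(2005, 3, 1)), "B": (1, date(2005, 3, 4)), "C": (4, date(2005, 6, 9))},
    1002: {"A": (5, date(2005, 3, 2)), "B": (1, date(2005, 7, 20)), "D": (3, date(2005, 6, 1))},
    1003: {"A": (5, date(2005, 9, 15)), "B": (1, date(2005, 9, 16)), "C": (4, date(2005, 9, 20))},
    1004: {"C": (2, date(2005, 1, 5)), "D": (3, date(2005, 1, 6))},
}

def consistent(record, known, day_tol):
    """True if every known (title, stars, date) observation fits this record."""
    for title, (stars, when) in known.items():
        if title not in record:
            return False
        r_stars, r_when = record[title]
        if r_stars != stars:
            return False
        # day_tol=None models a release with rating dates withheld.
        if day_tol is not None and abs((r_when - when).days) > day_tol:
            return False
    return True

def candidates(release, known, day_tol):
    """Ids of all released records that fit the outside observations."""
    return sorted(rid for rid, rec in release.items() if consistent(rec, known, day_tol))

def reid_risk(release, k, day_tol):
    """Fraction of k-rating subsets that single out exactly one record."""
    unique = total = 0
    for rid, rec in release.items():
        for titles in combinations(sorted(rec), k):
            known = {t: rec[t] for t in titles}
            total += 1
            unique += candidates(release, known, day_tol) == [rid]
    return unique / total if total else 0.0

if __name__ == "__main__":
    print("risk with dates (within 14 days):", reid_risk(RELEASE, 2, 14))
    print("risk with dates withheld:", reid_risk(RELEASE, 2, None))
```

On this constructed data, withholding dates lowers the measure but does not bring it to zero, because uncommon title combinations still isolate records.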


Professional Trojan for Macs in the wild


Apple Mac computers have often been considered safer than Windows PCs because there have been very few attacks directed at them. Here is news of a widespread Trojan attack targeting the Mac. The attack is not new, luring people to install malware by offering something of interest (porn videos), and the result is not new (pointing people to bad DNS servers), but this may be the first widespread, professional attack on the Mac.

DNS changer Trojan for Macs

The whole Trojan is relatively simple and works almost exactly the same as its brother for Windows operating systems. In case of execution, the Trojan changes the DNS settings on the machine and reports back to the C&C server. While the Trojan is relatively simple and not a big threat, two things came to my mind immediately: the bad guys are taking Mac now seriously – this is a professional attempt at attacking Mac systems (and they could have been much more damaging really). The second thing that folks at Sunbelt noticed is that when they sent a sample to VirusTotal there were 0 (zero, nada, nilch) products that detected this.


Using humans to solve human-proof problems


This came up in a discussion at this week’s CapCHI meeting. It seems that the bad guys are finding interesting ways to get around those scrambled images (CAPTCHAs) that sites use to prove that the person applying for an account or service is really human, and not some automated process. Getting lots and lots of accounts is very useful if you are a spammer, and getting people to solve the human-proof problems lets the bad guys get those accounts.

Spammers Employ Stripper to Crack Security

Spammers are using a virtual stripper as bait to dupe people into helping criminals crack codes they need to send more spam or boost the rankings of parasitic Web sites, security researchers said Tuesday…. The hackers, frustrated at their inability to come up with a way to automate account registration, are getting users to do their dirty work. “They’re using human beings in semi-real time to translate CAPTCHAs by proxy,” said Paul Ferguson, a network architect at Trend Micro. “You have to give them this, it’s clever.”


Kitty Genovese and bystander behavior: The real story


Remember your introductory Psychology course where you heard about Kitty Genovese?

In 1964, Ms. Genovese was murdered in New York City and, according to the common story repeated in most Psychology textbooks, 38 witnesses looked on and did nothing.

This article digs a little deeper, reviewing the evidence presented at the resulting trial and other information, and finds that there were far fewer witnesses, that there was not much to see, and that they did intervene to some extent. Time to revise those textbooks.

The truth behind the story of Kitty Genovese and the bystander effect

No doubt, you’ve all heard of the bystander effect and the real-life case of Kitty Genovese, murdered in front of 38 witnesses who did nothing to help. But now Rachel Manning, Mark Levine and colleagues say the Kitty Genovese crime didn’t happen that way at all.


Protecting privacy by spying on users – IEEE presentation slides and paper

Core network of password sharers

I am giving a presentation later today on “protecting privacy by spying on users.” Here is the talk abstract and the slides I will be using. I am also providing a link to a paper that will be presented at a social network analysis conference in January.

Corporations are facing increasing demands to monitor their compliance with policies and regulations. Using the Enron email corpus as an example of corporate communications, the research explored methods to identify instances of password sharing, a practice that should be a security concern to any organization. Social network analysis was able to identify key creators and sharers of passwords, and an analysis of the passwords themselves showed that quality was clearly a problem. The network analysis was also able to reveal interesting communication patterns, such as sharing passwords with external accounts owned by the same person, which might have been useful as indicators of a problem in corporate systems or practices. The research also uncovered cases of possible policy violations, such as the sharing of internal and external accounts.

Slides

Paper: Monitoring Corporate Password Sharing Using Social Network Analysis
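The kind of monitoring the abstract describes can be sketched as follows. This is an added example, not the method from the paper or slides: the messages are constructed, and the regular expression, the `corp.example` domain, the quality test and the "same local part means same person" heuristic are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict

CORP = "corp.example"  # assumed internal mail domain
PW_RE = re.compile(r"\b(?:password|passwd|pwd)\s*(?:is\b|:|=)\s*(\S+)", re.I)

# Constructed messages (not taken from the Enron corpus).
MAIL = [
    {"from": "alice@corp.example", "to": ["bob@corp.example", "carol@corp.example"],
     "body": "Login for the trading app. Password is summer"},
    {"from": "alice@corp.example", "to": ["alice@webmail.example"],
     "body": "note to self - pwd: Tr4d3!Desk#2001"},
    {"from": "bob@corp.example", "to": ["dave@partner.example"],
     "body": "user bob, password: summer"},
    {"from": "carol@corp.example", "to": ["bob@corp.example"],
     "body": "Did you reset your password yet?"},
]

def weak(pw):
    """Crude quality test: short, or drawn from a single character class."""
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    return len(pw) < 8 or classes < 2

def analyse(mail):
    """Return (senders ranked by number of recipients, per-edge findings)."""
    edges = defaultdict(set)   # sender -> recipients who were sent a password
    findings = []              # (sender, recipient, flags); the password is not kept
    for m in mail:
        hit = PW_RE.search(m["body"])
        if not hit:
            continue
        pw = hit.group(1).rstrip(".,;")
        s_local = m["from"].split("@")[0]
        for rcpt in m["to"]:
            r_local, r_dom = rcpt.split("@")
            flags = {"weak"} if weak(pw) else set()
            if r_dom != CORP:
                flags.add("external")
                if r_local == s_local:
                    flags.add("same-person?")
            edges[m["from"]].add(rcpt)
            findings.append((m["from"], rcpt, sorted(flags)))
    ranking = sorted(edges, key=lambda s: (-len(edges[s]), s))
    return ranking, findings
```

The findings record only flags about each shared password, so the monitoring output does not itself become a second store of credentials.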
