Making people aware of the information security threats they face... home wireless network security, protection from identity theft, etc.
Tuesday, March 31, 2009
Internet Crime Complaint Center Releases Annual Report
in 2008. IC3 received a total of 275,284 complaints, a 33.1% increase over the previous year. The total dollar loss linked to online fraud was $265 million, about $25 million more than in 2007. The average individual loss amounted to $931.
Thursday, March 19, 2009
What is Pharming??
How can this be prevented? As with most information security issues, security awareness will allow you to recognize these social engineering threats.
More on Email Tracking-Web Bug
The originator places a 'web bug' in the message. Also called a "Web beacon," "pixel tag," "clear GIF" and "invisible GIF," it is a method for passing information from the user's computer to a third party Web site. Used in conjunction with cookies, Web bugs enable information to be gathered and tracked in the stateless environment of the Internet. The Web bug is typically a one-pixel, transparent GIF image, although it can be a visible image as well. As the HTML code for the Web bug points to a site to retrieve the image, it can pass along information at the same time.
Web bugs can be placed into an HTML page used for e-mail messages as most mail programs support the display of HTML pages.
The Web bug inserted into the message is an invisible GIF with a unique name obtained from the tracker's server. When the recipient previews or opens the message, the GIF is downloaded from the tracker's server, which reads the name and notifies the sender.
The information relayed can include your email address, ISP, IP address, etc.
Again, this is called social engineering, which is described in a previous post.
So be aware of these threats, especially when forwarding email whose original sender you cannot identify.
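The mechanism described above can be checked for on the receiving side. The following scanner is an added example, not code from the original post: it parses the HTML body of a message and flags remote images that look like web bugs (1x1 or zero-size, hidden by CSS, or carrying a long opaque token in the URL). The tracker and CDN host names and the sample body are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class WebBugFinder(HTMLParser):
    """Collect <img> tags that look like tracking pixels (web bugs)."""

    def __init__(self):
        super().__init__()
        self.findings = []   # list of (remote host, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = urlparse(a.get("src", ""))
        if not src.netloc:   # cid:/relative image: nothing is fetched remotely
            return
        reasons = []
        size = (a.get("width", "").strip("px "), a.get("height", "").strip("px "))
        if "0" in size or "1" in size:
            reasons.append("1x1 or zero-size image")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        # A per-recipient identifier usually shows up as a long opaque token.
        tokens = re.split(r"[/?&=.]", src.path + "?" + src.query)
        if any(len(t) >= 16 and t.isalnum() for t in tokens):
            reasons.append("unique-looking token in URL")
        if reasons:
            self.findings.append((src.netloc, reasons))


def find_web_bugs(html):
    """Return [(host, reasons), ...] for every suspicious remote image."""
    parser = WebBugFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample body (not a real message): one logo, one inline
# attachment, and two tracking pixels from a hypothetical tracker host.
SAMPLE_HTML = """<html><body>
<img src="http://cdn.example/logo.png" width="200" height="60" alt="logo">
<img src="cid:inline-photo" width="1" height="1">
<img src="http://tracker.example/open/8f3a9c1e2b7d4e6f.gif" width="1" height="1" alt="">
<img src="http://tracker.example/img/a1b2c3d4e5f60718?u=bob" style="display:none">
</body></html>"""
```

Calling `find_web_bugs(SAMPLE_HTML)` reports only the two tracker images; the logo and the inline attachment pass. A mail client that blocks remote images by default defeats all of these regardless of how they are hidden.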
Thursday, March 12, 2009
Info Security for the rest of us
What is Spear Phishing???
According to an article in the New York Times, spear phishing attempts are not typically initiated by "random hackers" but are more likely to be conducted by "sophisticated groups out for financial gain, trade secrets or military information."
Here's one version of a spear phishing attack: The perpetrator finds a Web site for a targeted organization that supplies contact information for employees and other relevant data about the company. Using available details to make the message seem authentic, the perpetrator drafts an e-mail appearing to come from an individual who might reasonably request confidential information, such as a network administrator. Typically, a spear phisher requests user names and passwords or asks recipients to click on a link that will result in the user downloading spyware or other malicious programming. The message employs social engineering (fraudulent, non-technical) tactics to convince the recipient. If a single employee falls for the spear phisher's ploy, the attacker can masquerade as that individual and gain access to sensitive data.
Most people have learned to be suspicious of unexpected requests for confidential information and will not divulge personal data in response to e-mail messages or click on links in messages unless they are positive about the source. The relative success of spear phishing relies upon the details used: The apparent source is a known and trusted individual, information within the message supports its validity, and the request seems to have a logical basis.
At West Point in 2004, teacher and National Security Agency expert Aaron Ferguson sent out a message to 500 cadets asking them to click a link to verify grades. Ferguson's message appeared to come from a Colonel Robert Melville of West Point. Over 80% of recipients clicked the link in the message. In response, they received a notification that they'd been duped and warning that their behavior could have resulted in downloads of spyware, Trojan horses, and/or other malware.
IBM's Global Security Index research found that, in 2005, intercepted spear-phishing attempts rose from 56 intercepted attempts in January to over 600,000 in June.
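The scenario above (a message posing as a network administrator, a link to click, a request for user names and passwords) leaves indicators that a mail gateway or a careful reader can check. The following is an added example, not code from the original post: it parses a raw message and reports a trusted internal role name on an outside address, a Reply-To diverted elsewhere, a link whose visible text names one host while its href goes to another, and wording that asks for credentials. The company domain `corp.example`, the role list, and the sample message are assumptions constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "corp.example"                           # assumed company domain
INTERNAL_ROLES = {"network administrator", "it helpdesk"}  # assumed trusted senders
CREDENTIAL_WORDS = ("password", "user name", "username", "verify your account")
ANCHOR_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", re.I)


def spear_phish_indicators(raw_message):
    """Return human-readable indicators for a single-part text/HTML message."""
    msg = message_from_string(raw_message)
    hits = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    # Impersonation: a trusted internal role name on an outside address.
    if name.lower() in INTERNAL_ROLES and sender_domain != INTERNAL_DOMAIN:
        hits.append(f"'{name}' sent from outside domain {sender_domain}")
    # Replies silently diverted to a third mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        hits.append(f"Reply-To diverts answers to {reply_to}")
    body = msg.get_payload()
    # Link whose visible text names one host while the href goes elsewhere.
    for href, text in ANCHOR_RE.findall(body):
        shown = HOST_RE.search(re.sub(r"<[^>]+>", "", text))
        real = (urlparse(href).hostname or "").lower()
        if shown and shown.group(1).lower() != real:
            hits.append(f"link shows {shown.group(1)} but goes to {real}")
    # The request itself: credentials or account "verification".
    plain = re.sub(r"<[^>]+>", " ", body).lower()
    asked = [w for w in CREDENTIAL_WORDS if w in plain]
    if asked:
        hits.append(f"asks for credentials ({asked[0]})")
    return hits


# Constructed sample (not a real message) modelled on the post's scenario.
SAMPLE = """From: "Network Administrator" <netadmin@corp-example.net>
Reply-To: collect@mailbox.example
Subject: Verify your account
Content-Type: text/html; charset=utf-8

<p>Bob, please confirm your user name and password at
<a href="http://lookalike.example/login">https://portal.corp.example/login</a>
before 5 pm today.</p>
"""
```

`spear_phish_indicators(SAMPLE)` returns all four indicators; the same message sent from the real internal domain with a consistent link and no credential request returns an empty list.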
Wednesday, March 11, 2009
Spear Phishing Study
The data was gathered from 32 mock phishing exercises run at companies spanning a variety of industries (healthcare, financial services, government, government contracting, etc.) and varying sizes (ranging from companies with 100 employees to those with more than 200,000 employees). Also, the target workforce spanned 18 different countries.
Key findings of the study include:
23% of people are vulnerable to targeted/spear phishing attacks (despite the fact that they received conventional user awareness training). This explains why spear phishing is the attack vector of choice today.
Phishing attacks that use an authoritative tone are 40% more successful than those that attempt to lure people through reward-giving.
Men and women are equally susceptible to phishing (difference of 0.3%, margin of error ±3%).
On average, 60% of corporate employees who were found susceptible to targeted spear phishing responded to the phishing emails within three hours of receiving them. 20% of those vulnerable reacted in the first hour!
We will be continuing to mine the unique set of data to draw other interesting statistics and assist organizations in focusing their security awareness efforts in the right areas.
Sunday, March 1, 2009
Forwarding Emails - The Threat
The result? The hacker now has all of the e-mail addresses that you forwarded the email to, along with those of the next person and so on. Notices about grave consequences are normally sent by authorities on the subject matter... For example, Symantec or McAfee (computer security companies) would send out notices about computer threats, viruses, trojans, etc.
Passing on the emails to your address list is doing exactly what the hacker wants you to do! Remember, be judicious in forwarding emails, including jokes, to the members of your address list. Following this advice will help reduce spam, identity theft, and other malicious threats to your confidentiality.
RonC