IBM Reports On Spear Phishers
FrenchyinOntario writes "IBM reports that while "regular" phishing is declining the black hats are now engaging in targeted spear phishing to glean as much information about a specific identity as they can for all the usual cybercrime reasons. It concerns authorities because the usual suspects - criminal and terrorist organizations - will want to take advantage of this, but the chilling part is how your identity will now be dependent on multiple institutions protecting your personal information, as opposed to eBay, PayPal, your bank, etc."
click me, click me!
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
I think many black hats would be upset with you calling them phishers..
Didn't see that coming. Maybe their old tactics weren't working so well, so they had to adapt?
Naw, it's an intelligent design!
...by 'multiple institutions...as opposed to ebay, bank, etc.' Isn't that multiple institutions? I think what the summary is really trying to say is, to the phishers' advantage, a chain is only as strong as its weakest link.
Take off every sig. For great justice.
There is one way around this, that's to go to the 3 large credit companies and tell them to "Freeze" your credit (I think it costs $5-$10). Anyway nobody can open an account in your name, and as long as you remember to "thaw" your account before getting a loan, you'll be ok. It's not perfect, and I'd argue that all credit information should be purged from people who don't need it (this includes SSN numbers). Heck none of this should even be on file...
No comments yet...and I still can't read the article.
And this is probably the easiest fishing they'll be able to do. Until companies are made liable for any damages that occur when they "lose" their information, this will probably be an extremely easy method of fishing.
Social Engineering, anyone??
... I think it's kind of hilarious how stuffed-shirt companies like IBM, and the news organizations that report on them, have tried to adopt hacker slang. "Spear phishing"? It kind of reminds me of Christian pop music that desperately tries to be cool but always looks and sounds ten years behind the times.
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
I've found a gang of Romanian scammers on a popular IRC server because a friend's machine was compromised for spamming. I joined the chan and just monitored for a few hours. I logged everything, e-mailed them to the IRC administrator, and absolutely nothing has been done.
lameness filter thwarted.
Wasn't it a company's responsibility to protect your personal information already? I don't understand how this new method of phishing changes that (not including the technical aspects of said protection).
I'm starting to feel like the right to privacy might be a red herring. The benefits of technology and a truly collaborative and just society might only be fully realized if we completely give up privacy... and that that might actually be a good thing. I know that I've read an essay or something about this before, but I can't find a link - anyone know who wrote about this or where I can find some references? (Actually, Robert J. Sawyer wrote a series of books where one of the societies is like this... but it's not what I'm thinking of.)
Helping with organizational effectiveness is our job.
'Spear phishing'? Oh great, what's next? Bass phishing - searching for orders made at koss.com Phly phishing - searching for info in TRL posts Net phishing - Oh, wait...
Because the server is being /.ed, here's TFA:

A report published this week from IBM Corp. suggests that phishing schemes are growing in sophistication, allowing would-be Internet criminals to target their victims by name. A targeted or "spear phishing" attack is designed to extract data from a specific individual or organization, maximizing damage caused and financial gain. IBM estimates that these types of attacks have grown ten-fold this year alone. According to the company, they can be used for identity theft, extortion, fraud and to steal specific intellectual property.

"We're seeing it as a targeted security threat within financial institutions as well as government regulatory bodies," said Michael Small, security practice leader for IBM Canada. "It's very targeted with a specific purpose to ensure that they try to get access to privileged information for, usually, profit. Its concerns are linked to cyberterrorism as well as obviously organized crime."

Until now, the most common form of phishing attacks were those that attempt to disguise themselves as e-mail from banks or common consumer Internet services like eBay or its payment arm PayPal. They aren't addressed to a specific person but are sent out as widely as possible in an attempt to snare a few unfortunates who are willing to part with bank account information or their eBay identities.

Mary Kirwan, CEO of Toronto-based security firm Headfry Inc., said that these types of attacks may be on the decline but agreed with IBM that spear phishing is a growing concern. "These are higher payoff crimes, so it's in their interest to follow the money, essentially," she said. "There's no real consensus among the global banks as to how to deal with that right now. Some of the banks are acknowledging that you don't have to be a dummy to fall for these scams."

This isn't the first time banks have been identified as a lucrative target. In 2003, Symantec Corp. noted that a virus called Win32.Bugbear.B was sent by likeminded criminals to financial institutions such as J.P. Morgan Chase, Citibank and American Express. Security experts believed that Bugbear was designed to scan an inbox for any indication that it belonged to a bank employee.

Recovery from targeted attacks and malware in general costs a Canadian organization an average of $30,000 to $40,000, said Small. He added that IBM is sharing its research with customers, partners and vendors to help them prevent such attacks.

Nuisance e-mail like spam appears to be leveling off, according to the IBM report. In January of this year, spam accounted for 83 per cent of global e-mail. That number had fallen to 67 per cent by June.

There are new problems on the horizon, however. In March, a new threat called Domain Name Service (DNS) cache poisoning was discovered. Cache poisoning can hijack a user's browser and direct them towards a specific site or advertisement by corrupting a DNS server's ability to map machine host names to a correct IP address. Variations of these types of attacks have been around for years, but cache poisoning is becoming more sophisticated and a DNS server that isn't configured properly is particularly susceptible.
+1 funny, -2 overrated. Life isn't fair.
Why not phunting or gaphering, hmmm? Isn't this whole thing rather fish-centric? I prefer to think of the rubes taken in by these cons as vegetables, thus I think we should use the term gaphering.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
One development I see this coming from is how phishers will try to 'spear phish' to get the most detailed information out of an individual then pose as that individual to phish out the rest of the pool. Suppose a phisher was able to get very detailed information about a xyz CEO. Impersonating said CEO could give the phisher much more valuable information from the other employees. Spear phishing can catch small fish so that they can use it for bait for larger fish.
I've always thought that someone with a strong opinion on the pitiful state of privacy laws in the US would ... how do you say it ... demonstrate just how easy it is to steal someone's identity in this country (using, of course, selective politically connected individuals as test cases). Nothing like getting a senator interested in stronger privacy protection after they get the bill for that $5000 digital camera someone "bought" using their credit card.
The NSA: The only part of the US government that actually listens.
The real question is: Would this still be news if they hadn't come up with such a catchy name (spear phishing)?
Have you ever wondered How to Take Over
The way I see it, all personal information I send to a particular company should be confidential and protected. Some of it they simply don't need. For instance, why the hell did the clerk at Hollywood Video ask for my SSN to open a damn account to rent movies?! They did not need my SSN and I sure as hell didn't give it to him either, but it makes me wonder how many people actually *have* given out their SSN just for a Hollywood Video account. Not good.
If a company does not protect my personal information and it gets stolen and/or misused, you bet your ass they'd see some backlash from me. The only bad thing is, it's hard to figure out exactly *which* company that held your personal information was compromised. It's certainly not like they're going to volunteer the fact that they were compromised, otherwise you might take your business elsewhere (to a more responsible company). Just look at the millions of people who had their information on backup tapes "misplaced" by a UPS driver (posted on slashdot a while back) after the company was stupid enough to send that info via UPS to begin with.
Companies that have our personal information need to be held accountable on how they handle it and should be prosecuted to the fullest when they mishandle it.
Content Management System: A pretentious way of saying "text editor."
This is great!!! With my credit history, I'm safer than ever now! Nobody in his right mind would try to use my identity for any money-making venture! ;^D
The "spear" dubnym surprises me. Why is it we're not out on the theft ledge just as yet? So, I feel a little ill coming down off the server room floor, and I read this, and I'm glad the air is on. So many little busy unlaid phisher bitches out there want to steal my identity. Hey, I'll hand it to you and give you a 200 dollar shopping spree if you want to come fight me for it in person. And I don't mean your bosses in the mob paying you for your efforts...I mean you. If you're bigger than me...well, I guess I'm screwed. Doogs. I know one thing though, the blue color is dark and pinpricked as with stars at the very point where we meet. Look, it's like a faded poster for the old 80's classic.
Spear fishing is kinda hard, I prefer using a shotgun or dynamite.
Is your terror cell living in terror? Is your safe-house not so safe? If so, read the New York Times, the jihad journal.
Make it about 2000. Christianity died with Christ.
Could the "spear phishing" analogy be extended into salmon as one example. Now, I'm not so ambitious or overwrought to try and work in the differences between pharm- and wild-raised salmon.
By the way, have you thought of being a psychic? You predicted the flaming. ;-)
Evil people don't think they're evil. - George Lucas, Making of Ep III
This is a classic prisoner's dilemma. Your idea is a great one -- as long as EVERYONE plays by the same rules and opens up. If one person (or entity) does not, then they have an advantage over the rest of us.
And this is why your idea will not work. As long as there is incentive NOT to open up, then someone, someplace won't do it.
And for those that don't know what a prisoner's dilemma is, let me try to explain. It goes something like this: 2 prisoners are in jail and awaiting trial. The expected outcomes of their sentence are:
a) if person A cooperates and the other doesn't, the one who cooperated gets 0 years and the other gets 5 years.
b) if they both cooperate w/ authorities and turn on each other, they will both receive 2 years.
c) if they both don't cooperate, they both get 0 years.
This creates an interesting problem because the natural reaction is to rat each other out and assure their own minimal sentence. However, if they both do that, then they both get screwed with a 2 year sentence. The best of all outcomes is that they both keep quiet and get 0 years --- but the likelihood of that happening is small because there is such an incentive to rat the other guy out.
It's still a hot debate, but some Republicans definitely perked their ears up when Ron Reagan's family started getting involved with stem cell lobbying.
All it takes is one high-profile, CNN-covered major story to get our government's attention and get some changes done.
You just know that something would be done to limit sharing of financial and personal information if a bunch of high ranking congresspeople had their identities stolen. Perhaps then they would think of someone other than the corporations who insist on "the right" to share whatever information they want about anybody.
Oh, I wish there was a way to explain humor or a poor attempt at it to the mods.
And Goddam /. for inventing "Troll" and "Flamebait"
Famous "Troll"s and "Flamers" people:
Thomas Paine
Thomas Jefferson
Ben Franklin
Karl Marx
Dr. Rev. Martin Luther King
Martin Luther
etc ...
People who spoke what they truly believed and got Fucked for it!!!
More like the billionth time. As Willie Sutton never said when asked why he robbed banks: "Because that's where the money is."
We are the 198 proof..
Thank you! I was just trying to illustrate why a national ID card would be folly. I guess one of the moderators was from Germany or something.
Surreptitiously organized crime may be involved also, but they keep such a low profile that it's hard to tell.
I don't care if it's 90,000 hectares. That lake was not my doing.
Just last week, a friend of mine's bank account was overdrawn on her payday even though she had direct deposit.
What happened is that someone used a fake ID and her bank account number to cash $15,000 in fake money orders at two local banks. She didn't have even a thousand dollars in her account, but the banks gave the cash in "good faith". Well, now the bank is refusing to remove the 15,000 debit on her account and their only advice to her is to "borrow the 15,000 from your relatives and pay us back". She has already opened a new account at another bank, but I fear she may never get her paycheck the bank swallowed or the 15,000 off of her credit report.
On top of all that, after contacting the FBI, she was told that they won't even bother to investigate this crime. The agent said that other people have been scammed for millions and that her 15,000 isn't even worth it.
She is having a hard time getting any information on what the bank is doing to investigate this, but from what she can tell they are saying it's her problem because it is her account.
The only way to protect our info is through a combo of tech and law. We need to keep control of our personal info ourselves, through crypto client databases which issue one-time password access to counterparties which need to authenticate us. We need to minimize the authentication transactions to only those necessary for actual authentication, encapsulating the transactions as much as possible - passing only money to counterparties, rather than our identities, for example. We need to log accesses to our personal info, to audit unauthorized accesses.
And we need to protect those transactions with clear laws with real teeth. Jail time for people committing unauthorized use of our identities. Copyright protection of personal info passed in a transaction, which prohibits further distribution beyond the authorized transaction, even within the momentarily authorized organization.
We've been living an adolescent bliss of low risk and unaccountability. But now that we've grown up, we need to act our age.
--
make install -not war
Mod parent up!
It's not that the French ID cards can't be forged, it's that NOBODY wants to pretend to be French!
It's not always necessary to pay a fee to protect your information. Certain states have passed laws allowing you to request the freeze for free - check your state regs for the details.
Folks should be aware that the credit industry is starting to push for legislation at the federal level that will be far weaker than, and will automatically trump, these state laws. God forbid they lose the ability to extend "valuable offers" from their affiliates and business partners.
Another alternative approach is to file a fraud alert on your credit report. Doing this is not as restrictive as a freeze, and it will severely limit the number of people who get access to your files. Anyone attempting to establish a credit account in your name will be advised to contact you directly. The fraud alert can be left on your reports for as long as seven years, or until you request that it be removed (in writing). As an added bonus, you'll also be removed from a lot of junk mailing lists (!) - an instant opt-out, if you will.
I'm not tense. I'm just terribly, terribly, alert.
A serious attack has a specific target and attacks it quietly. Serious attackers aren't going to show up in the "top 10 virus" lists. They're probably not going to use an attack that appears in some known signature list. They may have the ability to craft their own attacks, or at least modify known ones beyond recognition. The volume-oriented defense techniques won't work.
Military security people are very aware of this issue. You don't want to tie up all your resources chasing kids who are throwing rocks at the airfield fence. The real threat is probably being quietly mounted elsewhere.
The scary part, however, was that it greeted me with my first name, suggested I log on to their site, then ended with a paragraph going roughly like this:
"To make sure you can recognise genuine e-mails from us, we will always include the post code of your registered account with us"
Now, it does stop a phisher from firing off a million random e-mails. What it doesn't do is prevent someone from following your local mail man a couple of days and writing down who gets a statement from said bank (which is one of the world's largest credit institutions) and firing off messages. That is worse than a random phisher as the bank itself is teaching its clients to trust messages that include their postcode, even though their postcode is an easily available piece of information, so people are more likely to take the e-mail at face value and not scrutinise it as well as they should. What's worse is that the e-mail included links instead of asking people to go to the site listed on their statements, or similar, teaching people that hey, it's ok to click on links in mails that claim to be from their bank...
The worst thing is that this kind of behaviour is the norm for British banks. The fuckwits deserve everything they get from these phishers. What sucks is that their customers will get screwed over in the process.
I've twice been called up by one of my other banks' fraud department because they wanted to verify transactions. In both cases they wanted me to provide the security information for my account over the phone when they had called me and I had no way of verifying that they were who they said they were (caller id is trivial to fake, and you wouldn't even need that if the number is unknown but looks plausible to the person taking the call). So again, the fraud department of my bank is teaching its customers that it's ok to give out the very same security details that are sufficient to a) do transfers, b) get passwords for online banking reissued, c) get credit cards reissued.
Just the other day I overheard a woman on the train to work complaining to her boyfriend about the same thing. In my cases I know they were genuine calls because I called back on numbers I knew belonged to the bank.
This same bank also tends to accept corporate id cards to let you sign for your credit cards if they're ordered to an office. So, trick people with a phony call, get the credentials, call the bank to get the card reissued, create your own plastic laminated id card, and order it sent to a serviced office somewhere where you rent a room with cash for a day or two... The same bank has twice refused to deliver cards to my home address because dropping it through the letter box was apparently too insecure.
The great thing about getting a credit card reissued, is that many banks here will accept it as ID. So get a credit card reissued, and voila, instant access to all the poor person's other accounts as well, and from past experience they'll happily offer to let you do over the counter cash withdrawals of however much you want from your credit card accounts.
They're so clueless it's scary to think I trust them with my money (but the rest of them are just as bad).
Why did I have to move to a country with a banking system from the dark ages?
WTF is Spear Phishing? I read TFA and it says:
"A targeted or "spear phishing" attack is designed to extract data from a specific individual or organization"
Well uhhh so what, just because it says "Welcome John we need your info" instead of "Welcome user we need your info" I'm going to cough up my information easier? And if they're exploiting companies.. well then that's hacking. Haha.. that's how I read it. SO WTF IS SPEAR PHISHING?
> It's still a hot debate, but some Republicans definitely perked their ears up when Ron Reagan's family started getting involved with stem cell lobbying.
Yep, like Bill Frist. Using a veto when your party controls congress is an embarrassing display of disunity -- using it against your own senate majority leader is mortifying. Karl Rove must be getting really distracted by the grand jury to not be greasing the wheels here.
I am no longer wasting my time with slashdot
I wonder how long before some company comes out with an identity proxy service. You sign up for, say $10/month, and create your virtual identity complete with a real credit card number that's mapped to yours through the service, then sign up to eBay, PayPal, etc using the virtual identity. If it gets compromised, you get a free switch to a new identity.
You'd end up having to trust that one company, but a single company could quite easily put in place policy and technology to keep your identity safe... that would be their primary focus. That's unlike eBay and others who really just want to do business with you and happen to also have your personal information. Their policies aren't as good as they need to be.
Besides, with your info only at one place it'd make spear phishing much harder: no relying on little bits of info from many places as a hacker would need to get all your personal info from one place.
The global economy is a great thing until you feel it locally.
I challenge anyone to name a single time that terrorists have been shown to have used identity theft. The usual suspects are common crooks stealing electronics gear, not political dissenter extremists.
where will they stop?
I predict we'll see :
- deep sea phishing
- game phishing
- phish mongers
- and so on ad nauseam...
There is a similar service for one-off credit card transactions, but it's not a whole "identity." Sorry for no link or even a searchable name, but it's been a long time since I read the article.
In news today, IBM has captured one of the notorious spear phishers. Here is a picture of the dubious scum, the Spear Phisher.
"It's very targeted with a specific purpose to ensure that they try to get access to privileged information for, usually, profit. Its concerns are linked to cyberterrorism[..]"
I find it laughable that a profit-driven crime is first linked, inexplicably, to "terrorists". Lacking substantiation, this seems to have the effect of promoting terror, which makes our intrepid research drone a terrorist himself. Really, could someone create a Bayesian bull$h17 filter for claims that do not actually provide any evidentiary proof of a link to terrorism? Perhaps a filter that could also trigger electroshock?
Ok, sure I'm busting an open door here on /. but I wonder (aloud) why does amazon or ebay ever need to have my credit card data on their db? To lure me into 1-click compulsion shopping? I'm not that stupid and of course I ALWAYS go for cart transaction style and still, it irritates me that amazon doesn't ask me for my visa or shipping every time or better, routes me to visa.com with a session code on visa's servers.
An estore shouldn't need to keep my CC, personal bio and address at all, on the same tables. Can't they profile me just as well during the transaction query anyway? Shipping data shouldn't last for more than what's necessary to print the invoice or at most be tied to an anon account; credit data shouldn't transit on man in the middle servers, even if legitimate. In the future we'll all have asymmetric smart cards and convenient slots on our digital digestive terminals but until then, CC data should remain on visa's servers and everyone else just receive a boolean + return code... if there's one sound and valid claim for exclusive copyright claims this is it. Hey, I just invented a new technology for secure transaction and customer protection... call the USPTO...
I wonder who is ordering all the crap I do - Altan
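The "identity proxy" idea a few posts up (a virtual card number mapped to the real one, with a free switch if it leaks) and the "everyone else just receives a boolean + return code" design in the post above describe the same thing: payment tokenization. The following is an added illustration, not code from any of the posters or from IBM; the vault, merchant, token format and return codes are all assumptions, and the card number is a conventional test value.

```python
from __future__ import annotations

import re
import secrets
import string
from dataclasses import dataclass, field

# Constructed sample data: "4111111111111111" is a conventional test card
# number, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test, used to validate input and to scan dumps for PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Token:
    card_id: str
    merchant: str
    revoked: bool = False


class CardVault:
    """Stands in for the card network / proxy service: the only place a PAN lives."""

    def __init__(self) -> None:
        self._cards: dict[str, dict] = {}   # card_id -> {"pan": ..., "balance": ...}
        self._tokens: dict[str, Token] = {}

    def enroll(self, pan: str, balance: int) -> str:
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("malformed card number")
        card_id = "card_" + secrets.token_hex(4)
        self._cards[card_id] = {"pan": pan, "balance": balance}
        return card_id

    def issue_token(self, card_id: str, merchant: str) -> str:
        """Per-merchant token: random letters only, derived from nothing on the card."""
        if card_id not in self._cards:
            raise KeyError("unknown card")
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        self._tokens[token] = Token(card_id, merchant)
        return token

    def revoke_token(self, token: str) -> None:
        """The 'free switch to a new identity': the token dies, the card is untouched."""
        self._tokens[token].revoked = True

    def authorize(self, token: str, merchant: str, amount: int) -> tuple[bool, str]:
        """The merchant gets back only a boolean and a return code, never card data."""
        t = self._tokens.get(token)
        if t is None:
            return False, "UNKNOWN_TOKEN"
        if t.revoked:
            return False, "TOKEN_REVOKED"
        if t.merchant != merchant:          # a token stolen from shop A is useless at shop B
            return False, "MERCHANT_MISMATCH"
        card = self._cards[t.card_id]
        if amount > card["balance"]:
            return False, "INSUFFICIENT_FUNDS"
        card["balance"] -= amount
        return True, "APPROVED"


@dataclass
class Merchant:
    """An e-store that keeps one token per customer and nothing else card-related."""
    name: str
    vault: CardVault
    customers: dict[str, str] = field(default_factory=dict)   # customer -> token

    def save_payment_method(self, customer: str, token: str) -> None:
        self.customers[customer] = token

    def checkout(self, customer: str, amount: int) -> tuple[bool, str]:
        return self.vault.authorize(self.customers[customer], self.name, amount)

    def database_dump(self) -> str:
        """Everything an intruder in this merchant's tables would find."""
        return "\n".join(f"{c},{t}" for c, t in self.customers.items())


PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text: str) -> list[str]:
    """Simple leak check: Luhn-valid, card-number-shaped digit runs in a dump."""
    return [m for m in PAN_RE.findall(text) if luhn_valid(m)]


def demo() -> dict:
    vault = CardVault()
    card = vault.enroll(SAMPLE_PAN, balance=100)
    shop, other = Merchant("example-shop", vault), Merchant("other-shop", vault)
    tok = vault.issue_token(card, shop.name)
    shop.save_payment_method("alice", tok)
    other.save_payment_method("alice", tok)   # the token leaked and is replayed elsewhere
    results = {
        "first": shop.checkout("alice", 60),
        "mismatch": other.checkout("alice", 10),
        "overdraft": shop.checkout("alice", 60),
        "leaked_pans": find_pans(shop.database_dump()),
    }
    vault.revoke_token(tok)
    results["after_revoke"] = shop.checkout("alice", 1)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Spear phishing the merchant in this model yields a dump of merchant-bound tokens and no card numbers, which is exactly the "little bits of info from many places" problem the proxy proposal is trying to remove.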
"Subverting" us in our music? Funny. You go right ahead believing that. Here are some random thoughts from someone who's worked on Music Row for the majors and hosted an award-winning show on a major FM station (WRVU-Nashville, 91.1) in a top market, so I probably know more about this subject than you. Plus I have a little time to kill & feel like ranting until my date arrives.
...which finally brings us to the religious stations; they have always been a niche market in that there's very little crossover in either direction; they are already preaching to the choir (pun intended), so their listeners tend not to listen to anything else, and no one who isn't already tuning in regularly to religious stations wants to listen to their content either.
The charts are for record label execs and commercial radio playlist programmers, and all they really measure these days is payola, ad rates, product placement, how many units were pressed and shipped to stores - *not* how many cds were bought by actual paying customers, or how many people are actually hearing the chosen "hits" on radio. It's a scam.
"College alternative" is a demographic; there is no "secular alternative" listing in the industry trade journals (ie - Billboard, etc), though I wouldn't be surprised if the xtians made up a category for their own marketing purposes in their internal industry reports.
"College alternative" was created as a demographic in the early 1990s when the major labels finally figured out that Gen-X was *not* listening to "top 40 classic rock" stations that were still playing Boston and Journey, and that the major labels had missed out on almost an entire decade of truly underground (at the time) college music, ie - Sonic Youth, Husker Du, Negativland and the whole 1980s SST Records catalog; the dance/industrial scene - Skinny Puppy, Front 242, FLA, Ministry, Coil, Nine Inch Nails, etc; misc acts like the Red Hot Chili Peppers, Jane's Addiction, Love & Rockets, the Butthole Surfers - *this* was the real underground college scene.
When "college alternative" finally wound up in Billboard in the early 1990s, Nirvana and grunge were taking off, and *this* is what the labels decided the underground college music scene was supposed to sound like, forever and ever, amen. The major labels are big corporations, and big corporations hate change, partially because they are slow to react. This is also why the "college alternative" charts have been dominated by the same-sounding, easily forgotten grunge-ish retread acts for almost 15 years, and why what you actually hear on college radio stations has little resemblance to the industry trades. As long as the majors can keep turning a profit by marketing product under this label, they don't care if it accurately reflects what people are listening to in the demographic, or if anyone is actually listening to it period.
Commercial radio in the US is dying a well-deserved death, losing listeners to commercial-free college and community stations, XM, streaming internet radio (especially for non-US news) and podcasts, LPFM and (of course) mp3 trading. I'm forced to endure typical commercial radio stations a few times a week in the gym, and I can't believe how horrible it's become, or that anyone can leave it on even as background noise for more than a few minutes. Unfunny morning shock-jocks, the same limited playlist cycling every 90-120 minutes, and over half the content is advertising that's screamed at you in as obnoxious a fashion as possible. Good luck sneaking Jeebus in that mess anywhere and actually getting anyone to hear it.
Which brings us back to the whole "subverting" non-xtian secular music by Jeebus bands pretending to be something else. It just doesn't work. People who don't want to be preached to can spot it a mile away, plus the xtian rock acts are mind-numbingly boring, unoriginal and derivative (IMO); gimmie an xtian band that does something crazy-interesting like, say, Einstürzende Neubauten, or Tom Waits, or even mid-60s John Co
...from the Big Blue Whale. Does this release have a catch?
i thought we were the good guys - please someone explain!!! crackers/haCKERS/WHITEHATS/BLACKHATS AHhhhhhhh!!!!!!!!!!!!!!!
kybred
And with only a 2.5 year sentence that was probably simply a pizza delivery. To get any real action several senators need to be robbed, and the criminals need to be more professional. If the transaction is done just right it's not possible to catch someone... that's why identity theft is so serious.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
You can do that if you live in California. In some other states you have to be an ID theft victim first. In most the option doesn't exist at all. Write your legislator.
Your scheme is ingenious!
1. Post mirror links to slashdot
2. Check the browser string to see what OS they are running, which includes SP level.
3. Since most slashdot users probably run pirated copies of XP, they couldn't load SP1.
4. Microsoft only distributes patches for SP1 and SP2 now.
5. List of rootable hosts!
That, and i've got Gibby Haynes screaming American Woman into a megaphone running through my head.
"Our interests are to see if we can't scale it up to something more exciting," he said.