Slashdot Mirror


IBM Reports On Spear Phishers

FrenchyinOntario writes "IBM reports that while "regular" phishing is declining the black hats are now engaging in targeted spear phishing to glean as much information about a specific identity as they can for all the usual cybercrime reasons. It concerns authorities because the usual suspects - criminal and terrorist organizations - will want to take advantage of this, but the chilling part is how your identity will now be dependent on multiple institutions protecting your personal information, as opposed to eBay, PayPal, your bank, etc."

36 of 169 comments

  1. Slashdotted, mirror here by winkydink · · Score: 5, Informative
    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    1. Re:Slashdotted, mirror here by ergo98 · · Score: 3, Insightful

      The primary link is down, and people have to resort to mirrors. If Slashdot karma is all it takes to get people to help the system, then it seems pretty cheap.

    2. Re:Slashdotted, mirror here by winkydink · · Score: 5, Funny

      Karma has nothing to do with it. I do it for the sheer pleasure of annoying the heck out of people like you.

      --

      "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  2. So the phishers have refined their tactics by Trigun · · Score: 5, Funny

    Didn't see that coming. Maybe their old tactics weren't working so well, so they had to adapt?
    Naw, it's an intelligent design!

    1. Re:So the phishers have refined their tactics by ShaniaTwain · · Score: 3, Funny

      See this is why evolution should be banned!

      not the teaching of evolution, evolution itself.
      Then MEGACORP won't have to waste profits on securing their massive database of customer eyecolor and bloodtype.

  3. what do they mean by eobanb · · Score: 3, Insightful

    ...by 'multiple institutions...as opposed to ebay, bank, etc.' Isn't that multiple institutions? I think what the summary is really trying to say is, to the phishers' advantage, a chain is only as strong as its weakest link.

    --

    Take off every sig. For great justice.

  4. A way around this... by ajiva · · Score: 5, Informative

    There is one way around this, that's to go to the 3 large credit companies and tell them to "Freeze" your credit (I think it costs $5-$10). Anyway nobody can open an account in your name, and as long as you remember to "thaw" your account before getting a loan, you'll be ok. It's not perfect, and I'd argue that all credit information should be purged from people who don't need it (this includes SSN numbers). Heck none of this should even be on file...

    1. Re:A way around this... by TripMaster+Monkey · · Score: 4, Insightful


      Yes, of course, because the National ID card is the magic wand of the identification world, isn't it? There's no way any one could possibly forge one of those...

      --
      ____

      ~ |rip/\/\aster /\/\onkey

    2. Re:A way around this... by pete6677 · · Score: 3, Insightful

      On the contrary, it is the use of a national ID number (social security number) that makes identity theft so easy and common. If more than one number were required to prove identity, thieves would have to work a lot harder to pull it off and would be more likely to trip up and get caught. With so many banks and stores ready to hand out instant credit to anyone who comes along with an SSN and some minimal form of ID, it's no wonder that criminals are taking advantage of the system.

    3. Re:A way around this... by Atzanteol · · Score: 2, Interesting

      What if that ID card stored a private key and a chip to do encryption of incoming data on it? The bank/gov't has your public key. Near impossible to 'forge', and if it goes missing you can report it.

      If we're going to get ID cards, I'd at least want them to be useful. At this point I'm in more danger of having my identity stolen than of being tracked by black helicopters...

      --
      "Ignorance more frequently begets confidence than does knowledge"

      - Charles Darwin
    4. Re:A way around this... by TripMaster+Monkey · · Score: 2, Funny

      french ID cards are a thousand times more secure than your dollar bills

      What an idiotic statement...for three reasons:
      1. Just how did you arrive at that figure 'a thousand times'? Show your math, please.
      2. The U.S. one-dollar bill is perhaps the most insecure piece of currency on the planet. Eight-year-old children can create counterfeit dollar bills with a decent color inkjet printer. Sorry, but something a 'thousand times' more secure than a joke does not exactly inspire feelings of security and trust.
      3. You referenced the French.

      Please log off before you hurt yourself.
      --
      ____

      ~ |rip/\/\aster /\/\onkey

    5. Re:A way around this... by collinl · · Score: 2, Interesting

      So, it's just a card with a password, and a chunk of crypto that said the password was right or wrong - e.g. by outputting a transaction wrapped in other crypto.
      No one ever explains why this is better than an ID/account number and password?

      Lyal
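
As an added illustration of Atzanteol's card-with-a-private-key idea, and of collinl's question about why it beats an account number and password, here is a challenge-response login in Go using the standard library's ed25519. This is example code written for this page, not anything from the posters; the "example-bank" relying party, the "alice" account and the message layout are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Card models the chip: the private key is generated on the card and never
// leaves it; the only operation exposed to the outside is "sign this".
type Card struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewCard() (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{priv: priv, pub: pub}, nil
}

// PublicKey is what the bank or government registers at enrolment.
func (c *Card) PublicKey() ed25519.PublicKey { return c.pub }

// Respond signs the challenge together with the name of the party that issued
// it, so a response produced for one site is useless at any other.
func (c *Card) Respond(relyingParty string, challenge []byte) []byte {
	return ed25519.Sign(c.priv, authMessage(relyingParty, challenge))
}

// authMessage length-prefixes the relying-party name so name and challenge
// cannot be re-split into a different pair.
func authMessage(relyingParty string, challenge []byte) []byte {
	buf := make([]byte, 4, 4+len(relyingParty)+len(challenge))
	binary.BigEndian.PutUint32(buf, uint32(len(relyingParty)))
	buf = append(buf, relyingParty...)
	return append(buf, challenge...)
}

// Verifier models the bank: it holds only public keys, issues a fresh random
// challenge per login attempt and accepts each challenge at most once.
type Verifier struct {
	name    string
	keys    map[string]ed25519.PublicKey
	pending map[string][]byte // account -> challenge not yet answered
	revoked map[string]bool
}

func NewVerifier(name string) *Verifier {
	return &Verifier{name: name, keys: map[string]ed25519.PublicKey{},
		pending: map[string][]byte{}, revoked: map[string]bool{}}
}

func (v *Verifier) Enroll(account string, pub ed25519.PublicKey) { v.keys[account] = pub }

// Revoke is the "report it missing" step: the key stays on file but nothing
// signed by that card is accepted any more.
func (v *Verifier) Revoke(account string) { v.revoked[account] = true }

func (v *Verifier) Challenge(account string) ([]byte, error) {
	if _, ok := v.keys[account]; !ok {
		return nil, errors.New("unknown account")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	v.pending[account] = c
	return c, nil
}

func (v *Verifier) Verify(account string, challenge, sig []byte) error {
	if v.revoked[account] {
		return errors.New("card reported lost: login refused")
	}
	expected, ok := v.pending[account]
	if !ok || !bytes.Equal(expected, challenge) {
		return errors.New("challenge unknown or already used")
	}
	delete(v.pending, account) // single use: a captured response cannot be replayed
	if !ed25519.Verify(v.keys[account], authMessage(v.name, challenge), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	card, _ := NewCard()
	bank := NewVerifier("example-bank")
	bank.Enroll("alice", card.PublicKey())
	ch, _ := bank.Challenge("alice")
	sig := card.Respond("example-bank", ch)
	fmt.Println("login:  ", bank.Verify("alice", ch, sig)) // <nil>
	fmt.Println("replay: ", bank.Verify("alice", ch, sig)) // challenge unknown or already used
}
```

The difference from an account number plus password is in what crosses the wire: a password is itself the secret, so whoever captures one login has everything, whereas here the card answers a random challenge that the bank accepts once and that is bound to the bank's own name, so the captured answer is worthless for a second login and for any other site. A lost card is handled by revoking its key at the verifier rather than by changing a secret the user has to remember.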

  5. aw, crud.. by werelord · · Score: 5, Insightful

    And this is probably the easiest fishing they'll be able to do.. Until companies are made liable for any damages that occur when they "lose" their information, this will probably be an extremely easy method of fishing..

    Social Engineering, anyone??

  6. I have to say ... by Daniel+Dvorkin · · Score: 3, Interesting

    ... I think it's kind of hilarious how stuffed-shirt companies like IBM, and the news organizations that report on them, have tried to adopt hacker slang. "Spear phishing"? It kind of reminds me of Christian pop music that desperately tries to be cool but always looks and sounds ten years behind the times.

    --
    The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
  7. it's bad on IRC by eight+and+a+quarter · · Score: 3, Interesting

    i've found a gang of romanian scammers on a popular IRC server because a friend's machine was compromised for spamming. i joined the chan and just monitored for a few hours.. i logged everything, e-mailed them to the IRC administrator, and absolutely nothing has been done.

    --
    lameness filter thwarted.
    1. Re:it's bad on IRC by Steinfiend · · Score: 4, Insightful

      What are the IRC Ops supposed to do in a case like this? I'm not trying to be a troll, I'm seriously asking. They can ban the users, they can close the room, and they can send the logs to whatever law enforcement agencies are responsible for their area. However, how much will that achieve?

      A Romanian scammer, on a Brazilian server (just a random pick, not trying to suggest anything negative about Brazil), scamming an American user. The legal hoops are mind-boggling. That's if the IRC Ops can even get any useful information from their logs, which isn't 100% sure.

  8. Protecting personal information is something new? by GFunk83 · · Score: 3, Insightful
    "...the chilling part is how your identity will now be dependent on multiple institutions protecting your personal information, as opposed to eBay, PayPal, your bank, etc."

    Wasn't it a company's responsibility to protect your personal information already? I don't understand how this new method of phishing changes that (not including the technical aspects of said protection).

  9. An Open Information Society by under_score · · Score: 4, Interesting

    I'm starting to feel like the right to privacy might be a red herring. The benefits of technology and a truly collaborative and just society might only be fully realized if we completely give up privacy... and that that might actually be a good thing. I know that I've read an essay or something about this before, but I can't find a link - anyone know who wrote about this or where I can find some references? (Actually, Robert J. Sawyer wrote a series of books where one of the societies is like this... but it's not what I'm thinking of.)

    1. Re:An Open Information Society by Locke2005 · · Score: 4, Informative

      Are you thinking of the Transparent Society essay by David Brin?

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
  10. Another stupid cutesy technical term? by Heffenfeffer · · Score: 5, Funny

    'Spear phishing'? Oh great, what's next? Bass phishing - searching for orders made at koss.com Phly phishing - searching for info in TRL posts Net phishing - Oh, wait...

  11. Server by cached · · Score: 2, Informative

    Because the server is being /.ed, heres TFA:

    A report published this week from IBM Corp. suggests that phishing schemes are growing in sophistication, allowing would-be Internet criminals to target their victims by name. A targeted or "spear phishing" attack is designed to extract data from a specific individual or organization, maximizing damage caused and financial gain. IBM estimates that these types of attacks have grown ten-fold this year alone. According to the company, they can be used for identity theft, extortion, fraud and to steal specific intellectual property.

    "We're seeing it as a targeted security threat within financial institutions as well as government regulatory bodies," said Michael Small, security practice leader for IBM Canada. "It's very targeted with a specific purpose to ensure that they try to get access to privileged information for, usually, profit. Its concerns are linked to cyberterrorism as well as obviously organized crime."

    Until now, the most common form of phishing attacks were those that attempt to disguise themselves as e-mail from banks or common consumer Internet services like eBay or its payment arm PayPal. They aren't addressed to a specific person but are sent out as widely as possible in an attempt to snare a few unfortunates who are willing to part with bank account information or their eBay identities.

    Mary Kirwan, CEO of Toronto-based security firm Headfry Inc., said that these types of attacks may be on the decline but agreed with IBM that spear phishing is a growing concern. "These are higher payoff crimes, so it's in their interest to follow the money, essentially," she said. "There's no real consensus among the global banks as to how to deal with that right now. Some of the banks are acknowledging that you don't have to be a dummy to fall for these scams."

    This isn't the first time banks have been identified as a lucrative target. In 2003, Symantec Corp. noted that a virus called Win32.Bugbear.B was sent by likeminded criminals to financial institutions such as J.P. Morgan Chase, Citibank and American Express. Security experts believed that Bugbear was designed to scan an inbox for any indication that it belonged to a bank employee.

    Recovery from targeted attacks and malware in general costs a Canadian organization an average of $30,000 to $40,000, said Small. He added that IBM is sharing its research with customers, partners and vendors to help them prevent such attacks.

    Nuisance e-mail like spam appears to be leveling off, according to the IBM report. In January of this year, spam accounted for 83 per cent of global e-mail. That number had fallen to 67 per cent by June.

    There are new problems on the horizon, however. In March, a new threat called Domain Name Service (DNS) cache poisoning was discovered. Cache poisoning can hijack a user's browser and direct them towards a specific site or advertisement by corrupting a DNS server's ability to map machine host names to a correct IP address. Variations of these types of attacks have been around for years, but cache poisoning is becoming more sophisticated and a DNS server that isn't configured properly is particularly susceptible.

    --
    +1 funny, -2 overrated. Life isn't fair.
  12. Why phishing? by spun · · Score: 2, Funny

    Why not phunting or gaphering, hmmm? Isn't this whole thing rather fish-centric? I prefer to think of the rubes taken in by these cons as vegetables, thus I think we should use the term gaphering.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    1. Re:Why phishing? by milktoastman · · Score: 3, Funny

      phsexy! What?! You no giddy gromble po-kitty?!! Beeng-a-beeng-a-caca! Waca snaca boca!

  13. Opportunity to make a difference? by It+doesn't+come+easy · · Score: 4, Interesting

    I've always thought that someone with a strong opinion on the pitiful state of privacy laws in the US would ... how do you say it ... demonstrate just how easy it is to steal someone's identity in this country (using, of course, selective politically connected individuals as test cases). Nothing like getting a senator interested in stronger privacy protection after they get the bill for that $5000 digital camera someone "bought" using their credit card.

    --
    The NSA: The only part of the US government that actually listens.
  14. The real question is... by swelke · · Score: 3, Funny

    The real question is: Would this still be news if they hadn't come up with such a catchy name (spear phishing)?

    --
    Have you ever wondered How to Take Over
  15. Multiple institutions *are* responsible by MirrororriM · · Score: 5, Interesting
    but the chilling part is how your identity will now be dependent on multiple institutions protecting your personal information

    The way I see it, all personal information I send to a particular company should be confidential and protected. Some of it they simply don't need. For instance, why the hell did the clerk at Hollywood Video ask for my SSN to open a damn account to rent movies?! They did not need my SSN and I sure as hell didn't give it to him either, but it makes me wonder how many people actually *have* given out their SSN just for a Hollywood Video account. Not good.

    If a company does not protect my personal information and it gets stolen and/or misused, you bet your ass they'd see some backlash from me. The only bad thing is, it's hard to figure out exactly *which* company that held your personal information was compromised. It's certainly not like they're going to volunteer the fact that they were compromised, otherwise you might take your business elsewhere (to a more responsible company). Just look at the millions of people who had their information on backup tapes "misplaced" by a UPS driver (posted on slashdot a while back) after the company was stupid enough to send that info via UPS to begin with.

    Companies that have our personal information need to be held accountable on how they handle it and should be prosecuted to the fullest when they mishandle it.

    --
    Content Management System: A pretentious way of saying "text editor."
    1. Re:Multiple institutions *are* responsible by Karma_fucker_sucker · · Score: 3, Interesting
      why the hell did the clerk at Hollywood Video ask for my SSN to open a damn account to rent movies?!

      Video places use it for a credit check. They're loaning you a movie.

      On the other hand, here's a trick I learned. When you're asked for a SSN, say "I'm soooo sorry! I didn't think I needed it. I'll have to come back!" 90% of the time, the clerk will just say "We really don't need it, just hang on." I kid you not! Try it! It pisses me off that a lot of firms "require" this information but when you balk or plead stupidity (in my case), it's amazing how it all of a sudden "doesn't matter."

      When I was taking a marketing class, we were told by the Prof. that to get information for whatever reason, all we had to do was ask. Most people just hand it over. I would love to get into the social reasons for this, but for now, I'll just say that we're all (in Western countries at least) to just shut up and hand over anything anyone in authority or perceived authority requests...I'm starting to rant and my spellink is going to hell. Off to the porn sitesss!

      --
      Evil people don't think they're evil. - George Lucas, Making of Ep III
  16. Fishing by zimus · · Score: 4, Funny

    Spear fishing is kinda hard, I prefer using a shotgun or dynamite.

    --
    Is your terror cell living in terror? Is your safe-house not so safe? If so, read the New York Times, the jihad journal.
  17. PLEASE TO BE NOT REPORTING US TO FBI!!!1 by Anonymous Coward · · Score: 2, Funny


  18. Fun with adverbs by Jeremi · · Score: 4, Funny
    "Its concerns are linked to cyberterrorism as well as obviously organized crime."


    Surreptitiously organized crime may be involved also, but they keep such a low profile that it's hard to tell.

    --


    I don't care if it's 90,000 hectares. That lake was not my doing.
  19. Wrong! by Anonymous Coward · · Score: 2, Funny

    It's not that the French ID cards can't be forged, it's that NOBODY wants to pretend to be French!

  20. Probably been going on for a long time by Animats · · Score: 3, Insightful
    The "computer security" industry has turned into a volume business aimed at annoyance attacks. The very profitable "wait for high-volume exploit and patch" mindset into which the industry has settled is useless against serious attackers.

    A serious attack has a specific target and attacks it quietly. Serious attackers aren't going to show up in the "top 10 virus" lists. They're probably not going to use an attack that appears in some known signature list. They may have the ability to craft their own attacks, or at least modify known ones beyond recognition. The volume-oriented defense techniques won't work.

    Military security people are very aware of this issue. You don't want to tie up all your resources chasing kids who are throwing rocks at the airfield fence. The real threat is probably being quietly mounted elsewhere.

  21. British banks are clueless dweebs.... by vidarh · · Score: 3, Insightful
    This hit home, as just today I got an e-mail from one of my credit card companies... I regularly (as in several times daily) get phishing attempts to that e-mail account pretending to be from all kinds of banks I've never used, so I assumed it was yet another one from the start. But I got curious anyway. After lots of checking it turned out to be genuine.

    The scary part, however, was that it greeted me with my first name, suggested I log on to their site, then ended with a paragraph going roughly like this:

    "To make sure you can recognise genuine e-mails from us, we will always include the post code of your registered account with us"

    Now, it does stop a phisher from firing off a million random e-mails. What it doesn't do is prevent someone from following your local mail man a couple of days and writing down who gets a statement from said bank (which is one of the world's largest credit institutions) and firing off messages. That is worse than a random phisher as the bank itself is teaching its clients to trust messages that include their postcode, even though their postcode is an easily available piece of information, so people are more likely to take the e-mail at face value and not scrutinise it as well as they should. What's worse is that the e-mail included links instead of asking people to go to the site listed on their statements, or similar, teaching people that hey, it's ok to click on links in mails that claim to be from their bank...

    The worst thing is that this kind of behaviour is the norm for British banks. The fuckwits deserve everything they get from these phishers. What sucks is that their customers will get screwed over in the process.

    I've twice been called up by one of my other banks' fraud departments because they wanted to verify transactions. In both cases they wanted me to provide the security information for my account over the phone when they had called me and I had no way of verifying that they were who they said they were (caller id is trivial to fake, and you wouldn't even need that if the number is unknown but looks plausible to the person taking the call). So again, the fraud department of my bank is teaching its customers that it's ok to give out the very same security details that are sufficient to a) do transfers, b) get passwords for online banking reissued, c) get credit cards reissued.

    Just the other day I overheard a woman on the train to work complaining to her boyfriend about the same thing. In my cases I know they were genuine calls because I called back on numbers I knew belonged to the bank.

    This same bank also tends to accept corporate id cards to let you sign for your credit cards if they're ordered to an office. So, trick people with a phony call, get the credentials, call the bank to get the card reissued, create your own plastic laminated id card, and order it sent to a serviced office somewhere where you rent a room with cash for a day or two... The same bank has twice refused to deliver cards to my home address because dropping it through the letter box was apparently too insecure.

    The great thing about getting a credit card reissued is that many banks here will accept it as ID. So get a credit card reissued, and voila, instant access to all the poor person's other accounts as well, and from past experience they'll happily offer to let you do over the counter cash withdrawals of however much you want from your credit card accounts.

    They're so clueless it's scary to think I trust them with my money (but the rest of them are just as bad).

    Why did I have to move to a country with a banking system from the dark ages?
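
The post above makes two points a mail filter can act on: that a name and postcode in the greeting prove nothing, and that a bank mail should not be asking you to click links at all. As an added example, not from the poster or from any bank, here is a small triage routine in Go that records the personalisation but gives it no weight, and flags links by where they actually go. The message, the domains and the names in it are constructed for the example.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"net/url"
	"regexp"
	"strings"
)

// Verdict keeps what the message "knows" about the reader apart from what
// counts against it: Personalised is informational and never cancels a finding.
type Verdict struct {
	Personalised bool
	Findings     []string
}

var (
	anchorRe   = regexp.MustCompile(`(?is)<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>`)
	tagRe      = regexp.MustCompile(`<[^>]+>`)
	hostLikeRe = regexp.MustCompile(`(?i)\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b`)
)

// hostTrusted is true for a trusted domain or any subdomain of one.
func hostTrusted(host string, trusted []string) bool {
	host = strings.ToLower(host)
	for _, d := range trusted {
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

// Triage parses a raw RFC 5322 message. firstName and postcode are the facts
// anyone watching the post could learn; their presence is recorded, nothing more.
func Triage(raw string, trusted []string, firstName, postcode string) (Verdict, error) {
	var v Verdict
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return v, err
	}
	b, err := io.ReadAll(msg.Body)
	if err != nil {
		return v, err
	}
	body := string(b)
	v.Personalised = strings.Contains(body, firstName) && strings.Contains(body, postcode)
	// A From header is trivially forged, so a trusted sender earns nothing; an untrusted one is still noted.
	if from, err := mail.ParseAddress(msg.Header.Get("From")); err == nil {
		if at := strings.LastIndex(from.Address, "@"); at < 0 || !hostTrusted(from.Address[at+1:], trusted) {
			v.Findings = append(v.Findings, "sender outside trusted domains: "+from.Address)
		}
	}
	links := anchorRe.FindAllStringSubmatch(body, -1)
	for _, m := range links {
		href, text := m[1], strings.TrimSpace(tagRe.ReplaceAllString(m[2], ""))
		u, err := url.Parse(href)
		if err != nil || u.Scheme != "https" {
			v.Findings = append(v.Findings, "link is not https or is malformed: "+href)
			continue
		}
		if !hostTrusted(u.Hostname(), trusted) {
			v.Findings = append(v.Findings, "link leaves trusted domains: "+u.Hostname())
		}
		// Visible text that looks like a hostname but is not the real target.
		if shown := hostLikeRe.FindString(text); shown != "" && !strings.EqualFold(shown, u.Hostname()) {
			v.Findings = append(v.Findings, fmt.Sprintf("link text %q hides target %s", shown, u.Hostname()))
		}
	}
	if len(links) > 0 {
		v.Findings = append(v.Findings, "asks the reader to click a link instead of typing the address from a statement")
	}
	return v, nil
}

// sampleMail is a constructed message in the style described in the post above, not a real one.
const sampleMail = `From: Example Bank <alerts@example-bank.co.uk>
To: vidar@example.org
Subject: Your account
Content-Type: text/html

<p>Dear Vidar,</p>
<p>To make sure you can recognise genuine e-mails from us, we will always include the post code of your registered account with us: SW1A 1AA.</p>
<p>Please <a href="https://secure-login.example.net/bank">www.example-bank.co.uk</a> to log on.</p>
`

func main() {
	v, err := Triage(sampleMail, []string{"example-bank.co.uk"}, "Vidar", "SW1A 1AA")
	if err != nil {
		panic(err)
	}
	fmt.Println("personalised (counts for nothing):", v.Personalised)
	fmt.Println(strings.Join(v.Findings, "\n"))
}
```

On the sample, the sender domain passes (which is exactly why it earns no credit), the greeting and postcode are present, and the single link produces three findings: it leaves the trusted domain, its visible text names a different host than its target, and it is a link at all. The `hostTrusted` suffix match is anchored on a dot so that `example-bank.co.uk.evil.test` does not pass.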

  22. Identity proxy by digidave · · Score: 2, Interesting

    I wonder how long before some company comes out with an identity proxy service. You sign up for, say $10/month, and create your virtual identity complete with a real credit card number that's mapped to yours through the service, then sign up to eBay, PayPal, etc using the virtual identity. If it gets compromised, you get a free switch to a new identity.

    You'd end up having to trust that one company, but a single company could quite easily put in place policy and technology to keep your identity safe... that would be their primary focus. That's unlike eBay and others who really just want to do business with you and happen to also have your personal information. Their policies aren't as good as they need to be.

    Besides, with your info only at one place it'd make spear phishing much harder: no relying on little bits of info from many places as a hacker would need to get all your personal info from one place.

    --
    The global economy is a great thing until you feel it locally.
  23. Re:Scamming is way too easy by cluckshot · · Score: 3, Insightful

    The Solution is already contained in the "Fair Debt Collection Practices Act of 1979." The only problem here is that it is only applied to credit. Being one who likes solutions here it comes!

    The solution is to make the fiduciary agent (bank) responsible for 100% of all false charges to the account with triplicate damages plus collection costs and legal fees if you have to collect. (This isn't funky law it already works) Application of this to DEBIT accounts would solve the problem to a very large extent.

    The next part of the solution is to require all banks to provide you with 3 account numbers. One is for the actual account where you store your money. Another is an "Incoming Account" which you can publish to the world. Anyone like this friend could have a check deposited this way and no danger because the account is nothing but a key to put money in. The other is an "Out going" account where a person may place a limited amount of money for outgoing epay type or other draws. This "Out Going" account could be closed and changed at will. That way one could lock out those skunks who try to autopay forever etc. This way one could protect their account.

    A few other notes: We should end the "Overdraft" and bounced check laws. If a check does not have money, it should just be a refused transaction. Coupled with this the provision to immediately transfer funds... This way nobody goes to jail for bad checks, we just refuse them the goods because we can validate their check and charge the funds immediately.

    Of course Banks would have a piss fit over these changes because no more overdraft fees etc. Well Tough Luck to them. Tell them to get a life and start earning their money serving their employers rather than screwing them. We would get fired if we treated our employer with such disrespect. This is only a proposal of good business practices. Nothing else. Skip the lectures about "Free Enterprise" because if a bank cannot make money under a good common set of laws they should go to hell. Mods this is good stuff, get a life if you don't like it!

    --
    Never Politically Correct ~ I prefer the facts If you don't like what I say, get a life, or comment yourself.
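
Both cluckshot's three-account-number proposal above and digidave's identity proxy a few posts up come down to the same design: hand out identifiers that carry only the power they need, and make the exposed one cheap to replace. As an added example (mine, not either poster's), here is a Go model of that split: a private ledger id, a publishable deposit key that can only credit, and a capped, revocable outgoing token; there is no overdraft, a draw that cannot be covered is simply refused. Ledger names, amounts and the token format are assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// spendToken is the "outgoing" handle: capped, and revocable at will.
type spendToken struct {
	ledger  string
	limit   int
	spent   int
	revoked bool
}

// Bank keeps three kinds of identifier apart. Amounts are in minor units and a
// ledger is never allowed below zero: there is no overdraft to bounce, only a
// refused transaction.
type Bank struct {
	balances    map[string]int         // private ledger id -> balance
	depositKeys map[string]string      // publishable deposit key -> ledger id
	tokens      map[string]*spendToken // outgoing token -> its scope
}

func NewBank() *Bank {
	return &Bank{balances: map[string]int{}, depositKeys: map[string]string{}, tokens: map[string]*spendToken{}}
}

func newID(prefix string) string {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return prefix + "-" + hex.EncodeToString(b)
}

// Open creates the private ledger and returns the deposit key, which may be
// handed to anyone: it can only ever credit the account.
func (b *Bank) Open(ledger string, initial int) string {
	b.balances[ledger] = initial
	key := newID("in")
	b.depositKeys[key] = ledger
	return key
}

func (b *Bank) Balance(ledger string) int { return b.balances[ledger] }

// Deposit accepts a deposit key only, so a leaked ledger id or spend token
// never gains a power it was not issued with.
func (b *Bank) Deposit(depositKey string, amount int) error {
	ledger, ok := b.depositKeys[depositKey]
	if !ok || amount <= 0 {
		return errors.New("not a deposit key, or bad amount")
	}
	b.balances[ledger] += amount
	return nil
}

// IssueSpendToken mints an outgoing handle capped at limit; revoking it ends
// any standing arrangement that was given that handle.
func (b *Bank) IssueSpendToken(ledger string, limit int) (string, error) {
	if _, ok := b.balances[ledger]; !ok {
		return "", errors.New("unknown ledger")
	}
	tok := newID("out")
	b.tokens[tok] = &spendToken{ledger: ledger, limit: limit}
	return tok, nil
}

func (b *Bank) Revoke(token string) {
	if t, ok := b.tokens[token]; ok {
		t.revoked = true
	}
}

// Draw debits through a spend token; the cases are checked in order, and a
// refused draw leaves the balance untouched.
func (b *Bank) Draw(token string, amount int) error {
	t, ok := b.tokens[token]
	switch {
	case !ok:
		return errors.New("not a spend token")
	case t.revoked:
		return errors.New("token revoked")
	case amount <= 0 || t.spent+amount > t.limit:
		return errors.New("over the token's limit")
	case b.balances[t.ledger] < amount:
		return errors.New("insufficient funds: refused, nothing bounces")
	}
	t.spent += amount
	b.balances[t.ledger] -= amount
	return nil
}

func main() {
	bank := NewBank()
	in := bank.Open("ledger-alice", 10000)
	out, _ := bank.IssueSpendToken("ledger-alice", 3000)
	fmt.Println(bank.Deposit(in, 500), bank.Draw(out, 2000), bank.Draw(out, 1500)) // <nil> <nil> over the token's limit
	fmt.Println(bank.Draw(in, 1), bank.Balance("ledger-alice"))                   // not a spend token 8500
}
```

The point of the model is which failures it makes structural rather than procedural: a deposit key that leaks lets someone pay you, nothing else; an outgoing token that leaks is bounded by its cap and dies the moment you revoke it; and the ledger id that actually holds the money is never given to a counterparty at all.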
  24. Comment removed by account_deleted · · Score: 2, Informative

    Comment removed based on user account deletion