
"Phishing" schemes - New Exploits


39 replies to this topic

#16 AplusWebMaster


Posted 12 September 2006 - 09:32 AM

FYI...

Phishers Spoof Record Number Of Brands
- http://www.techweb.c..._section=700028
Sept. 11, 2006
"Phishers counterfeited a record number of commercial brands as the criminals reached into ever smaller corners of the Internet, the Anti-Phishing Working Group (APWG) reported Monday. The APWG's monthly cyber-crime summary said that 154 brands were hijacked by e-mailed phishing campaigns during July, a jump of 18 percent over June and 12 percent over the previous record, set in May. "Criminals are spoofing the brands of smaller financial institutions, ISPs [Internet service providers], and even government agencies," said Dave Jevans, the chief executive of IronKey Inc., and the chairman of the APWG. A year ago, the APWG recorded only 71 brands that were spoofed by phishers. "The number of brands has more than doubled, illustrating that online criminals are simply not settling for the large, popular organizations and financial institutions," added Dan Hubbard, the head of research at security vendor Websense Inc., in a statement. The increase in the number of victimized brands was joined by an even larger bump in the number of new phishing sites detected in July: the APWG reported 14,191 bogus sites, another record. The July count marked a 41 percent increase over June, and was 18 percent higher than May's former record of 11,979 sites. "Nobody is immune from attack," said Jevans..."

> http://www.antiphishing.org/

.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#17 AplusWebMaster


Posted 02 October 2006 - 02:28 PM

FYI...

Email Fraud Using Brazilian Gol Airlines Crash
- http://www.websense....php?AlertID=646
October 02, 2006
"Websense Security Labs™ has received reports of a fraudulent email which targets Brazilian users. Users receive an email with a link to a malicious website containing pictures of the recent Gol Airlines Boeing 737 crash in Brazil. This website contains a Trojan downloader which is used to install a banking keylogger..."

(Screenshots available at the Websense URL above.)

:angry:



#18 AplusWebMaster


Posted 06 October 2006 - 08:48 AM

Good reference. Great charts.

- http://phishregistry.org/
"Secure Computing monitors phishing activity for over a thousand financial institutions and large online organizations using a collaborative network of over 4000 appliances... PhishRegistry.org is a free resource provided by Secure Computing, Inc. to help businesses know when they are at risk of being phished..."



;)



#19 AplusWebMaster


Posted 16 October 2006 - 01:57 PM

FYI...

Quality, quantity of phishing kits on the rise
- http://news.com.com/...g=st.util.print
Oct 16, 2006
"The marketplace for phishing toolkits, which can allow technophobe criminals to quickly and easily set up spoofed versions of banking Web sites, is booming, with kits changing hands for as little as $30. Although phishing kits are nothing new, in the past year their quantity and quality have increased dramatically, according to Dan Hubbard, vice president of security research for Websense and a representative of the Anti-Phishing Working Group. Phishing kits "have been around for years, but the volume is one of the big changes," Hubbard said. "The kits available are better designed." In particular, Hubbard noted that the kits were vaunting their immunity to common defensive techniques. These include detection by signature-based defensive programs, which look for the signature, or the "fingerprint," of known malicious software. Another is heuristics, which use pattern recognition to identify threats. "The kit makers publish and test against signature detection as part of their advertising portfolio--'not detected by antivirus, not detected by heuristics, not detected by signatures'"... "The obfuscation techniques they use are very difficult to detect with antivirus because JavaScript can be tuned, changed on the fly and every user can have a different version of the content," Hubbard said. With a kit like "Webattacker, for example, every single person who installs it has their own personal version, and each user who connects to the Web site--depending on their browser--is served up with their own exploit code," Hubbard said. "There is no consistency with regards to heuristics."

:ph34r:



#20 AplusWebMaster


Posted 27 October 2006 - 11:34 AM

FYI...

Scams Target Latest Upgrades in E-Banking Security
- http://blog.washingt...web_bankin.html
October 27, 2006
"Financial institutions across the country are scrambling to meet a Dec. 31 deadline set by banking industry regulators to have security processes in place for online banking that go beyond simply requiring customers to enter a user name and password. While some of the protections being adopted should help people -feel- more confident about online banking, there are signs that criminals already are adapting their techniques to defeat those measures... Take, for example, a phishing e-mail from earlier this week targeting Bank of America customers with the usual message urging the recipient to "update their account information," in this case due to a supposed "server update" by the bank. Users who click on the included link are brought to a page that prompts the visitor to reset their account data by supplying their "old" password and user name, as well as their "previous" two SiteKey questions and answers... It would be interesting to compare the results of the anti-phishing technology built into the latest releases of both Microsoft's Internet Explorer 7 and Mozilla's Firefox 2.0 browsers. When I visited this particular site in Firefox, I received a pop-up alert from Netcraft's anti-phishing toolbar, but also from Firefox, which flagged the scam site as a "suspected web forgery" and included links I could click on to learn more about phishing scams. When I visited the Bank of America scam site in IE7, I received no such alert."

:ph34r:



#21 AplusWebMaster


Posted 10 November 2006 - 02:58 PM

FYI...

"Monster" Phish Bait
- http://isc.sans.org/...hp?storyid=1842
Last Updated: 2006-11-10 19:26:04 UTC
"A reader recently submitted for review a new phish attempt which asks readers to download the "new Monster Job Seeker Tool". The email looks authentic, as the HTML source code is pulling images from monster.com, as well as having links to other monster.com pages, however the download does not come from monster.com. The download software link pulls the download from monster-freesoftware.com. Of course, what is downloaded is not something monster.com would approve of. I have sent a copy of the email to abuse@monster.com for their records as well."

:ph34r: :wtf:

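An added example (not from the post or the ISC diary) of the mismatch described above: most of a message's images and links sit on the brand's domain while the download link goes elsewhere. The sample HTML is constructed, with hypothetical host names and paths around the two domains named in the diary, and the last-two-labels domain rule is a simplifying assumption.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the diary's description; the sub-domains
# and paths are hypothetical, only the two base domains come from the post.
SAMPLE_EMAIL_HTML = """\
<html><body>
<img src="http://media.monster.com/logo.gif">
<img src="http://media.monster.com/banner.gif">
<a href="http://www.monster.com/">Home</a>
<a href="http://my.monster.com/login">My Monster</a>
<a href="http://monster-freesoftware.com/tool.exe">Download the Job Seeker Tool</a>
</body></html>
"""


def base_domain(host):
    # Assumption: the last two labels approximate the registrable domain.
    # A production check would consult the Public Suffix List instead.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class RefCollector(HTMLParser):
    """Collects (tag, url) for every href/src attribute in the message."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for key, value in attrs:
            if key in ("href", "src") and value:
                self.refs.append((tag, value))


def odd_links(html):
    """Return (dominant_domain, findings) for one HTML message body.

    The dominant domain is the one most images and links point at, i.e. the
    brand the message presents itself as. A finding is any clickable link
    that leaves that domain; 'embeds_brand' marks look-alike names.
    """
    collector = RefCollector()
    collector.feed(html)
    hosts = []
    for tag, url in collector.refs:
        host = urlsplit(url).hostname  # None for relative or mailto: links
        if host:
            hosts.append((tag, url, base_domain(host)))
    if not hosts:
        return None, []
    brand = Counter(domain for _, _, domain in hosts).most_common(1)[0][0]
    brand_label = brand.split(".")[0]
    findings = [
        {"url": url, "domain": domain, "embeds_brand": brand_label in domain}
        for tag, url, domain in hosts
        if tag == "a" and domain != brand
    ]
    return brand, findings


if __name__ == "__main__":
    brand, findings = odd_links(SAMPLE_EMAIL_HTML)
    print("message presents itself as:", brand)
    for item in findings:
        print("off-brand link:", item)
```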


#22 AplusWebMaster


Posted 11 November 2006 - 01:18 PM

FYI...

Social Security Admin warns of e-mail scam
- http://www.ssa.gov/p...hingScam-pr.htm
November 7, 2006
"The Agency has received several reports of an email message being circulated with the subject “Cost-of-Living for 2007 update” and purporting to be from the Social Security Administration. The message provides information about the 3.3 percent benefit increase for 2007 and contains the following:

“NOTE: We now need you to update your personal information. If this is not completed by November 11, 2006, we will be forced to suspend your account indefinitely.”

The reader is then directed to a website designed to look like Social Security’s Internet website... Once directed to the phony website, the individual is asked to register for a password and to confirm their identity by providing personal information such as the individual’s Social Security number, bank account information and credit card information... To report receipt of this email message or other suspicious activity to Social Security’s Office of Inspector General, please call the OIG Hotline at 1-800-269-0271. (If you are deaf or hard of hearing, call the OIG TTY number at 1-866-501-2101)..."

:ph34r: <_<



#23 Fatso913


Posted 13 November 2006 - 07:06 AM

Man, I knew MySpace was being phished. Somebody told me about that a couple of weeks ago, or I don't remember how long :P, but I know I was warned about that. Very interesting.
MikeDontCare

The help you receive here is completely free.
Please consider donating.

#24 AplusWebMaster


Posted 22 November 2006 - 07:01 AM

FYI...

MS brings 129 lawsuits against phishers
- http://preview.tinyurl.com/ymuv6e
Nov 22, 2006
"AMSTERDAM (Reuters) - Microsoft is helping law enforcers hunt down criminals who try to steal bank account details on the Internet and has initiated 129 lawsuits in Europe and the Middle East, the U.S. software company said. One court case in Turkey has already led to a 2.5-year prison sentence for a so-called "phisher" in Turkey, and another four cases against teenagers have been settled out of court, Microsoft said on Wednesday, eight months after it announced the launch of a Global Phishing Enforcement Initiative in March... Of the 129 lawsuits that have been initiated, 97 are criminal procedures in which Microsoft and other technology companies have provided information... Phishing has mushroomed over the last few years, with the number of attempts to trick citizens into handing over their bank account details almost doubling in the first half of 2006 to 157,000, according to a recent report from security software vendor Symantec... (Microsoft) has an investigative team at its headquarters in Redmond, Washington, which uses Web-crawling software and customer complaints to find out where attacks are taking place... Before legal action was taken, 253 cases were investigated. Most of the investigations and 50 of the criminal complaints were filed in Turkey. Germany was second with 28 criminal complaints and France third with 11..."

.



#25 AplusWebMaster


Posted 27 November 2006 - 09:37 PM

FYI...

Google flaw adds phishing hole to Web sites
- http://news.com.com/...g=st.util.print
Nov 27, 2006
"A security flaw in Google's search appliances could expose Web sites that use the products to information-stealing phishing attacks, experts warned Monday. The Google Search Appliance and Google Mini are used by organizations including banks and universities to add search features to Web sites. A flaw in the way the systems handle certain characters makes it possible to craft a Web link that looks like it points to a trusted site, but when clicked serves up content from a third, potentially malicious site. "This vulnerability affects a lot of very large Web sites," John Herron, a security expert who maintains the NIST.org site, said in an e-mail. "It basically allows a virtual defacement of a Web site when following a malicious link." The vulnerability provides cybercrooks a hook for phishing attacks, scams that try to trick people into giving up sensitive information such as credit card data and Social Security numbers. Phishing scams typically use spam e-mail with a link to a fraudulent Web site... One way Internet users can protect themselves against attacks that attempt to exploit the flaw in the Google appliances is to inspect Web links. The rigged links will be very long, according to security experts. Users of the Google appliances who have not heard from Google should contact the company for a fix. "Web site owners must be diligent about finding and fixing vulnerabilities, (since) even products supplied by well-known brands possess these extremely common issues," Grossman said."

:ph34r:



#26 AplusWebMaster


Posted 28 November 2006 - 09:17 PM

FYI...

Phishing by proxy
- http://isc.sans.org/...hp?storyid=1895
Last Updated: 2006-11-28 23:42:21 UTC by William Salusky
"...I had been investigating reports of phishing and miscreant web sites being hosted in specific user land network IP space, only to discover they were not in fact malicious users and in fact innocent users who had somehow been duped and computers compromised, resulting in a proxybot infection that would phone home announcing the availability of anonymous proxy redirect services offering controllable port TCP port 80 and 443 redirects to an upstream mothership. These bots/agents also offer DNS service at the phishers whim in acting as authoritative NS targets with fast flux domain resolution techniques often found used in short lived phishing attacks or by any other type of garbageware pushers. All that functionality [in this variant] comes in an 11k footprint, and hasn't been well detected by AV vendors either. The AV vendors that do offer detection [for this specific variant I am referring to] unfortunately offer only innocuous names like "Trojan-Downloader.Win32.Small.dho", or "W32/Malware" which does nothing to improve awareness of the threat... I had received notice of various European financial services being proxied via these proxybotted agents, but by the time I had acquired malware samples the proxying for phishing sites had ceased and in its stead came a wave of Money Mule recruitment sites being redirected via these proxies. I suppose that upstream phishers ran out of individuals they could abuse in financial fraud, hence had to go on a recruitment/hiring binge. What I have found that works reasonably well in my situation to identify these infection types going forward, is to search DNS cache dumps/logs for DNS A records that point into dynamically provisioned IP space for host domain records not belonging to any typical dynamic DNS provisioning services. More often than not, an isolated and suspiciously named A record association pointing into wildly dynamic IP space [in my experience] implies that something wicked that way goes.
I looked at alerting based on discovered target ip/hostname phone home destinations, but that seems to me to be a game that only the running man can play.
> It's an obviously serious issue when it comes to combatting the phish problem where a successful takedown of a reported phish site that is only proxy will just be removing one node from the farm, while the upstream mothership continues with a typically long shelf life due to the effective anonymity offered by proxybotted hosts..."

Alternative detection method:
- http://www.safer-net...tory/index.html
Updates - 17. November 2006
"...+ Win32.Small.doh..."

:ph34r:

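The DNS check described in the quoted diary entry above, sketched as an added example (not code from the post or from the ISC handler): it scans a cache dump for A records that land in dynamically provisioned address space and whose names do not belong to a dynamic DNS service. The CIDR pools, the provider suffixes and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: CIDR blocks your own inventory marks as dynamically provisioned
# (DHCP / broadband pools). Documentation ranges stand in for real ones.
DYNAMIC_POOLS = [
    ipaddress.ip_network(cidr)
    for cidr in ("198.51.100.0/24", "203.0.113.0/24")
]

# Assumption: suffixes of dynamic DNS services whose names are expected to
# resolve into such pools. Placeholder names, not real providers.
DYNDNS_SUFFIXES = ("dyndns.example", "ddns.example")

# Constructed cache dump in "name ttl IN A address" form.
SAMPLE_CACHE_DUMP = """\
www.corp.example. 3600 IN A 192.0.2.10
home-cam.dyndns.example. 60 IN A 198.51.100.23
secure-login.bank-update.example. 120 IN A 198.51.100.77
secure-login.bank-update.example. 120 IN A 203.0.113.5
ns1.bank-update.example. 120 IN A 203.0.113.91
mail.corp.example. 3600 IN CNAME www.corp.example.
; comment line
"""


def parse_a_records(text):
    """Yield (name, ttl, address) for well-formed A records, skipping the rest."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        name, ttl, rr_class, rr_type, addr = fields
        if rr_class.upper() != "IN" or rr_type.upper() != "A":
            continue
        try:
            yield name.rstrip(".").lower(), int(ttl), ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed TTL or address


def in_dynamic_space(addr):
    return any(addr in pool for pool in DYNAMIC_POOLS)


def is_dyndns_name(name):
    return any(name == s or name.endswith("." + s) for s in DYNDNS_SUFFIXES)


def suspicious_records(text):
    """Map each non-dynamic-DNS name to the dynamic-pool addresses it resolved to."""
    hits = defaultdict(set)
    for name, _ttl, addr in parse_a_records(text):
        if in_dynamic_space(addr) and not is_dyndns_name(name):
            hits[name].add(str(addr))
    return {name: sorted(addrs) for name, addrs in hits.items()}


if __name__ == "__main__":
    for name, addrs in suspicious_records(SAMPLE_CACHE_DUMP).items():
        print(name, "->", ", ".join(addrs))
```

A name that shows up with several pool addresses, like the constructed `secure-login.bank-update.example` record, also fits the fast flux behaviour the diary mentions.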


#27 AplusWebMaster


Posted 15 December 2006 - 04:00 PM

FYI...

U.K. banking scams up 8,000 Percent in 2 Years
- http://news.bbc.co.u...ics/6177555.stm
13 December 2006
"The UK has seen an 8,000% increase in fake internet banking scams in the past two years, the government's financial watchdog has warned. The Financial Services Authority (FSA) told peers it was "very concerned" about the growth in "phishing"... The amount stolen is still relatively small but it is set to go up by 90% for the second year running, peers heard. Between January and June 2005, the number of recorded phishing incidents was 312, the Lords science and technology committee was told. The figure for the same period this year was 5,059, according to banking trade body Apacs figures. The amount of cash stolen in the first half of 2006 was £23.2m, the committee was told, and was likely to be £22.5m in the second half of the year..."

:ph34r:



#28 AplusWebMaster


Posted 26 December 2006 - 07:16 AM

FYI...

G-mail phish...
- http://www.viruslist...logid=208187298
December 22, 2006
"We always expect a rise in cyber crime in the holiday season. This year, for instance, we have seen a noticeable rise in spam, along with a rise in phishing. I have even received a phishing email in my Gmail mailbox – the first one in ages. The phish was nothing special; the usual notification about a new payment system for an online bank with a link to the spoofed website. What caught my eye was how Google handled the phish. The Gmail interface added a number of relevant paid advertising links to the email... I think that adding such links increases user trust in fraudulent emails. Users see that Google has included keyword-related links, so they are liable to trust the email – and fall victim to the phishing scam..."

(Screenshot available at the URL above)

:ph34r:



#29 AplusWebMaster


Posted 03 January 2007 - 08:53 AM

FYI...

Not Your Average Phishing Scam
- http://blog.washingt...zon_phishi.html
January 3, 2007 - "One of the first phishing scams to catch Security Fix's eye in the new year -- a counterfeit Amazon.com login page -- may set the tone for the sophistication of online schemes involving fake bank and e-commerce sites in 2007. The bogus site, which was active as of early Tuesday morning, makes use of the real Amazon.com site in an effort to fool visitors into entering their real usernames and passwords. This type of trick, known as a type of "man-in-the-middle" attack, logs the user into his or her account at Amazon.com, then it displays the data that Amazon serves up once the user is logged in. Visitors who supply bogus or otherwise incorrect usernames and passwords are shown a copy of the page Amazon users normally see if they mistype either of their credentials. The lure in this phishing attack is an e-mail that warns the recipient about supposed unauthorized activity on his or her Amazon account and directs the user to reset the account's credentials. Anyone who enters a real Amazon username and password is asked to provide their date of birth, address and Social Security number. Security Fix first learned of this scam site from Paul Laudanski of Castlecops.com..."

(Screenshot available at the URL above.)

:ph34r:



#30 AplusWebMaster


Posted 03 January 2007 - 10:45 AM

FYI...

Locating new phishing sites
- http://www.f-secure....7.html#00001067
January 3, 2007 ~ "Phishing sites are easy to locate once the bad boys start spamming out thousands of mails linking to their site. But how can such sites be found before that?... At the time of posting this entry, none of the common browsers (IE, Firefox, Opera) detected this site as a phishing site with their built-in filters. Soon they will."

Flash Phishing
- http://www.f-secure....7.html#00001066
January 3, 2007 ~ "We've now seen several phishing web sites that are using flash-based content instead of normal HTML. Probably the main reason to do this is to try to avoid phishing toolbars that analyze page content. Two recent examples, both targeting PayPal: ... ppal-form-ssl. com and ... welcome-ppl. com . These sites look like the real PayPal front page, but they are actually Flash recreations..."

(Screenshots available at the URLs above.)

:ph34r: :ph34r:
