Phishing ...and Social Engineering


73 replies to this topic

#1 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 19 May 2004 - 04:56 AM

FYI...

- http://www.infoworld...kyrocket_1.html
May 18, 2004
"...The growing problem also points to increasing interest in the scams by malicious hacking groups and organized crime, Maier said. "We've had confirmation from law enforcement in the U.S. that organized crime is behind some of these scams. We also do work looking at hacker sites, and we can see that hackers and script kiddies are definitely paying attention to this phenomenon and are beginning to work together," he said..."

(The Anti-Phishing Working Group reports over 1,100 unique phishing campaigns for April 2004, an increase of 178% over the number of attacks in March. From February to March, phishing attacks increased by only 43%, particularly targeting financial services and retail. Citibank was targeted by 475 unique phishing attacks in April, with eBay at 221 and PayPal at 135. APWG has evidence suggesting that phishing webpages are traded between phishers in much the same way as spammers trade e-mail addresses. Criminal organizations are using phishing scams as well. Research from Gartner suggests that as many as 3% of phishing attacks are successful, affecting 1.78 million adult users.) :(

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#2 AplusWebMaster


Posted 21 May 2004 - 05:42 AM

FYI...

E-Mail Scammer Gets Four Years
- http://www.securityf...table/news/8711
May 19 2004
"An Internet scammer who used e-mail and a fraudulent Web site to steal hundreds of credit card numbers was sentenced to almost four years in jail Tuesday, one of the stiffest-ever penalties handed down for online fraud. Houston, Texas federal court Judge Vanessa Gilmore sentenced Houston resident Zachary Hill to 46 months in jail for his role in duping consumers into turning over 473 credit card numbers...Hill, 20, used a "phishing" scheme to make his e-mail look like it came from America Online, the nation's largest Internet service provider, or PayPal, the online payment subsidiary of auction giant eBay. The message told victims that their accounts had lapsed and that the companies required their credit card numbers and passwords to restart them. Hill prompted recipients to enter their information into Web forms designed to look like pages run by the companies, the Justice Department said. Hill then used the credit card numbers to buy $47,000 in goods and services..."



#3 AplusWebMaster


Posted 16 June 2004 - 11:22 AM

FYI...

- http://www.techweb.c...WB20040615S0008
June 15, 2004
"...Using data from an April, 2004, survey of 5,000 U.S. adults who use the Internet and e-mail, Gartner estimated that nearly 2 million Americans fell victim to checking account fraud in the last 12 months. The cost to banks and consumers: a staggering $2.4 billion in direct losses, or an average of $1,200 per victim...

The top two methods scammers are using to lift bank account numbers are keyloggers planted by spyware -- software typically loaded onto a computer without the consumer's knowledge -- and phishing attacks, e-mail messages that try to trick users into divulging financial information..."What we're hearing from our clients is that keyloggers are now just as prevalent as phishing attacks..."

http://www4.gartner....et_89228_11.jsp
June 15, 2004
"...Just by clicking on a pop-up ad, Web users can inadvertently download spyware (technology that gathers information about a person or organization without their knowledge). In these situations, when users click on the ad, it traps the user ID and password for their online bank account without them ever knowing about it. "It will take time for the financial services industry to develop sophisticated back-end tools, but banks must implement stronger access controls to online and telephone banking systems...Shared-secret authentication is a good practical solution for strengthening access controls for online and telephone banking..."

In terms of absolute number of victims, checking account hijacks were the second most prevalent type of crime in the 12 months ending April 2004. The most common was the much more familiar fraudulent credit card purchase, where a thief uses a stolen credit card to buy goods or services..."



#4 AplusWebMaster


Posted 18 June 2004 - 02:38 AM

FYI...June "Phishing" list available here: The Anti-Phishing Working Group

("The number and sophistication of phishing scams sent out to consumers is continuing to increase dramatically...The Anti-Phishing Working Group has compiled a list of recommendations...that you can use to avoid becoming a victim of these scams..." - http://www.antiphish...nsumer_recs.htm )



#5 AplusWebMaster


Posted 15 July 2004 - 02:08 PM

FYI...

Phishers Face More Jail Time
- http://www.techweb.c...WB20040715S0004
July 15, 2004
"President Bush on Thursday signed into law a bill that stiffens criminal penalties for identity thieves, including those who purloin information electronically using phishing attacks. Known as the Identity Theft Penalty Enhancement Act (ITPEA), the new law sets punishment guidelines for anyone who obtains or holds someone else's ID-related information with the intent to commit a crime...The ITPEA's goal is to make sure that identity thieves don't walk away unpunished. It adds an extra two or five years, depending on the severity of the crime, to sentences, with the additional years served without the possibility of parole..."



#6 AplusWebMaster


Posted 22 July 2004 - 04:10 PM

FYI...

AIM Phishing
- http://isc.incidents...date=2004-07-21
Updated July 22nd 2004 11:31 UTC
"Phishing is not just for e-mail anymore. A reader associated with antiphishing.org reported a new twist to this scheme that advertises malicious URLs via Instant Messaging. This scheme has been used a few times in the past to distribute viruses.
This new message reads "you have been sent a picture. To view it, Click here". In this sample, the 'From' address is four random letters. However, a 'trusted' name could be used.

It is important to understand that most instant messaging systems use only weak authentication schemes. Instant messaging is not a tool to exchange confidential information. Only few instant messaging systems allow for encryption and sophisticated authentication. If you need instant messaging to communicate confidential information, use a system which allows you to control the server and provides for encryption and reasonable authentication. Jabber is an example of a free package."

>>> http://www.jabber.org/user/



#7 AplusWebMaster


Posted 26 July 2004 - 05:01 AM

FYI...

- http://isc.sans.org/...date=2004-07-25
Updated July 26th 2004 02:30 UTC
"...We had yet another report by fellow handler Scott Fendley of a USBank phishing email. This site collected your personal banking information including asking for your password. The site brought up two webpages, the valid USBank web page and a second webpage that appeared to be from USBank asking you to confirm your information. The information was then posted back to the site where the request originated from. This was reported to the offender's ISP and USBank. Remember to always think before you click. Any request for your personal information that you were not expecting should be verified..."

(...by -phone- contact!)

- http://www.antiphish...t_Banking).html



#8 AplusWebMaster


Posted 02 August 2004 - 05:26 AM

FYI...

Your Daily Phish
- http://isc.sans.org/...date=2004-08-01
Updated August 2nd 2004 01:25 UTC
"...A user submitted to ISC today another phishing email scam. This one wanted the victim to change their pin number. As a general reminder, keep in mind which email address, if any, you have given to your financial institution(s) and always verify before you update any information requested via email..."

"...Always verify before you update any information..." (hopefully, your phone is still in working order)
- Words of Wisdom



#9 AplusWebMaster


Posted 05 August 2004 - 06:51 AM

FYI...

- http://isc.sans.org/...date=2004-08-04
"On individual response to phishing emails:
Phishing incidents are on the rise. The handlers are receiving more and more reports of suspicious emails...recommended response procedure is as follows:
i) report the email to the impersonated company’s abuse address (typically this is abuse@victimdomain.) Include a copy of the email and the full delivery headers. Their teams will use this information to determine the source of the email, and the location of the collection server.
ii) report the incident to antiphishing.org. They are scientifically tracking these incidents and organizing responses. ..."



#10 AplusWebMaster


Posted 05 August 2004 - 01:05 PM

FYI...scam tactics on the Web:

New phishing scam: Spoofed campaign site
- http://www.computerw...4,95030,00.html

Phishing attacks on the increase
- http://www.pcw.co.uk/news/1157086
"Phishing rose by almost a fifth in June, with 1422 unique attacks reported to the Anti-Phishing Working Group. According to a report from the Group and security firm Websense, there were an average of 47.4 phishing attacks in June, up 19 per cent from 38.6 reported in May...Criminals have honed their methods of attack and are using executable code that copies key strokes in addition to sending the more conventional emails seeking personal details...'So, they've started to deploy executable code that copies all your key strokes that sends it to a server somewhere across the world. 'To drop it, they send an email that looks like you want to open it. They try and find a subject that is serious enough for you to open it and then drop the code into your machine'..."



#11 AplusWebMaster


Posted 16 August 2004 - 08:35 PM

FYI...

A New Twist to Phishing Reported
- http://isc.sans.org/...date=2004-08-16
Updated August 16th 2004 20:04 UTC
"We are starting to see more and more phishing sites which are not targeting specific financial institutes but are targeting general ecommerce. We have seen "fake" online banks, sporting good stores, and pharmacies.

Characteristics:
* no contact information
* no domain name
* many hosted in China or S Korea.
* no secure ordering process
* reported by thousands of spam engines

Report any phishing attempts you receive to:
- http://www.antiphish...t_phishing.html ..."



#12 AplusWebMaster


Posted 20 August 2004 - 07:05 AM

FYI...

Do-It-Yourself Phishing Kits Lead To More Scams
- http://www.techweb.c...WB20040819S0006
August 19, 2004 - By Gregg Keizer, TechWeb News
"Do-it-yourself phishing kits are freely available on the Internet, a security firm said Thursday, and they will lead to more scams sent to online consumers. “Until now, phishing attacks have been largely the work of organized crime gangs,” said Graham Cluley, a senior technology consultant at the U.K.-based security vendor Sophos...The problem's grown so far so fast that on Wednesday, the National Consumers League, the oldest consumer advocacy group in the U.S., said that this purloining of identity is now the fourth most common type of Internet fraud. To combat the scams, the NCL launched an awareness campaign to educate users about how phishing works, how they can protect themselves, and where to go for help. The group backed up the campaign with a new Web site:
- http://www.phishinginfo.org/

...Although Sophos isn't certain about the reason why scammers have started to distribute do-it-yourself phishing kits, it's possible, said Cluley, that they're doing it simply because they can...He recommended that end users be extra-wary of any messages asking them to confirm financial information. “Recipients of suspicious emails claiming to come from online banks should just delete them,” he said. “And certainly not click on the links contained within the messages.”..."



#13 Blacksheep

    R.I.P. Forever in our hearts

  • Authentic Member
  • 57 posts

Posted 01 September 2004 - 10:04 PM

Phishing? Protect yourself by automatically deobfuscating URLs in your browser address bar.

SpoofStick is a spiffy BHO. :)

http://www.corestreet.com/spoofstick/
Blacksheep ~ Crusader for Truth and Justice ~
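
The URL deobfuscation the post above refers to, as an added example that is not part of the original post and is not SpoofStick's code: JavaScript's standard `URL` parser resolves a link to the host that will actually be contacted. The helper name `revealHost`, its warning labels and every sample URL are constructed for illustration.

```javascript
// Added example: show the host a link really leads to, whatever its text suggests.
// revealHost() is a hypothetical helper; every URL below is constructed sample data.
function revealHost(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser: the same rules a browser applies
  } catch (err) {
    return { host: null, warnings: ["unparseable"] };
  }

  // hostname comes back percent-decoded, lower-cased and, for numeric hosts,
  // rewritten as a dotted-quad IPv4 address.
  const host = url.hostname;
  const warnings = [];

  // Anything before "@" is login data, not the site being visited.
  if (url.username !== "" || url.password !== "") {
    warnings.push("userinfo");
  }

  // A bare IP address stands where a registered domain name would normally be.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) {
    warnings.push("ip-literal");
  }

  // The normalised host never appears in the link as written, so it was
  // spelled in an encoded form (decimal, hex or percent-escapes).
  if (!rawUrl.toLowerCase().includes(host)) {
    warnings.push("encoded-host");
  }

  return { host, warnings };
}

// Constructed samples (203.0.113.5 is a documentation-only address).
const samples = [
  "https://www.example.com/account",            // ordinary link
  "http://www.bank.example@203.0.113.5/login",  // brand name placed in userinfo
  "http://3405803781/verify",                   // same address as one decimal number
  "http://0xCB.0x00.0x71.0x05/verify",          // same address in hex octets
  "http://%77ww.example.com/",                  // percent-escaped host name
];

for (const link of samples) {
  const { host, warnings } = revealHost(link);
  console.log(`${link}\n  real host: ${host}  flags: ${warnings.join(", ") || "none"}`);
}
```
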


#14 AplusWebMaster


Posted 13 September 2004 - 04:35 PM

FYI...

New Scam Tactic Hits Online
- http://www.eweek.com...a=135038,00.asp
September 13, 2004
"In the escalating clash between online scammers and security vendors, the attackers have once again developed new tactics that give them the upper hand in bypassing filters and infiltrating corporate networks...The new techniques, which experts began seeing sporadically earlier this year and in large waves in recent weeks, involve the use of a process called steganography, or embedding or hiding text in an image. In the most recent cases, spam and phishing messages have incorporated complex images containing text. In some cases, the image files include hidden code designed to exploit known vulnerabilities in e-mail clients and Web browsers...The most prominent example of the steganography wave is a recent variation on the ubiquitous Citibank phishing scam that attempts to lure recipients into disclosing online banking user names and passwords. Previous versions used text and images, such as authentic-looking Citibank logos and privacy seals. But versions that began surfacing recently are made up of one large image file containing all the text..."
- http://www.antiphish...e_upgrade).html



#15 AplusWebMaster


Posted 15 September 2004 - 09:23 PM

FYI...

Scammers use Gmail invite as phishing hook
- http://news.com.com/...g=st.util.print
September 15, 2004
"Scammers have caught on to the allure of Gmail and are using the Google e-mail service for a "phishing" scam to harvest e-mail addresses and passwords...In this case, the scammers send the phishing e-mail to existing holders of Gmail accounts, offering them the opportunity to invite three or six of their friends to join Gmail. The body of the e-mail reads "I found this e-mail very weird." It continues to read: "The Gmail Team is proud to announce that we are offering Gmail free invitation packages to the existing Gmail account holders. By now you probably know the key ways in which Gmail differs from traditional webmail services. Searching instead of filing. A free gigabyte of storage. Messages displayed in context as conversations. Just fill in the form below to claim your free invitation package." The "Gmail Team" asks users to give away their Gmail addresses and passwords to get the invites. The e-mails are currently able to make their way through Gmail's spam filters..."
