Smartphones need better security safeguards

Are smartphone users more susceptible to phishing attacks than computer users? It would appear so, based on this recent case study posted by Trusteer CEO Mickey Boodaei.

Trusteer looked at the log files of several phished sites and found that mobile users were the first to visit the phishing sites and were far more likely than other users to submit private information.

The first of these is easily explained by the "always-on" nature of cell phones. The more interesting analysis is why smartphone users are more likely to be fooled than computer users. The answer, at least according to Trusteer (which, it should be noted, is trying to push its secure mobile browser), is that smartphone browsers don't have as many safeguards as desktop browsers:

It's very difficult to tell whether an email is fraudulent since the "From" field doesn't include the sender's address, but rather the name of the sender (such as ACME Bank)...In HTML mail (the most common format for fraudulent messages) when a link is embedded as a href such as hovering over the link will not reveal the actual address.
Boodaei goes on to point out that mobile browsers, and their "are you sure you want to visit [URL]" warnings, display only the beginning of the URL, and that beginning can easily be engineered to deceive.

It's reasonable to assume that the same lack of attention to security safeguards in mobile browsers puts smartphone users at risk of malware, as well. Yes, I know that mobile platforms are more likely to use sandboxing and other anti-malware measures, but exploits will be discovered eventually. In the meantime, users are at risk of being tricked by fake AV sites and other scam sites tailored to mobile phones.

Trusteer uses this discovery to recommend greater adoption of its own secure mobile browser. To me, the better recommendation is for all web browser and e-mail app creators to increase their attention on security safeguards, much like major desktop app creators have been doing in recent years.

FTC warns about bank merger phishing attacks

The U.S. Federal Trade Commission (FTC) issued an alert this week about an uptick in phishing attacks preying on people whose banks have recently failed or been purchased:

Phishers (pronounced "fishers") may send attention-getting emails that look like they're coming from the financial institution that recently acquired your bank, savings and loan, or mortgage. Their intent is to collect or capture your personal information, like your credit card numbers, bank account information, Social Security number, passwords, or other sensitive information. Their messages may ask you to "update," "validate," or "confirm" your account information.

The alert contains a bit more information, along with a number of tips to help users avoid these attacks.

Scammers Aiming Straight for the Money

Posted on June 4, 2008 - 11:50 by lmallek

Targeted "spear phishing" campaigns are using money to lure victims. Brian Krebs blogged this week about a two-part spear-phishing attack targeting small and medium-sized businesses. The attack focuses on circumventing the two-part authentication used in banking security.

The scam begins with an email containing specific information about the user, their business, and the bank. This email requests that users click to view or download an attached object, which installs a keylogger, according to iDefense, and a browser helper object enabling attackers to modify webpages in real time. When a user with an infected computer attempts to log into their bank account, Krebs writes that a "message is inserted into the body of the bank's actual Web page." The interstitial message appears to originate from the bank since it is displayed within the body of the bank's website, and requests that the user wait 15-30 minutes before logging on. The attackers use this time, having already intercepted the user's authentication information, to empty the associated bank accounts.

Quoting Matt Richard, of iDefense, "If a bad guy has malicious code on a customer's machine, no matter what you do, he's going to have some way to get in to the customer's account. The best you'll be able to do is try to stop the money transfers."

As something of a coup de grace, Krebs writes "Before the Trojan download, the attacker attempts to get the user to install their bogus root CA certificate with the 'VeriSign Trust Network' name." Combining malware with a new root certificate makes it easier for the attacker to re-infect a computer in the future. Sunbelt has also reported fake banking certificates on its blog.

In a similar attack noted by McAfee's Avert Labs last month, a number of spear-phishing emails have been playing on a ubiquitous fear: the Tax Court. So many of these emails spoofing petition requests have been received that the US Tax Court website provides a clear warning that "[t]he Tax Court is not disseminating any e-mail notice to anyone who currently has a case before this Court."

Kevin McGhee writes, "The scammers do their homework when it comes to spear phishing. Instead of pumping out millions of emails to anybody and everybody, spear phishers send out their scams only to people they know will be susceptible to the scam. In this case a top executive–rather than the average employee–is much more likely to be involved in a court case of this nature."