Credit Unions, Smaller Institutions Now Phishing Targets
EBay and PayPal are no longer the primary targets of phishing emails; the phishers have cast their lures at customers of smaller businesses, including credit unions and other institutions, according to security vendor Sophos.
Some common sense pointers to remind your customers and your senior executives in danger of "whaling" include:
New ID Theft Scam Targets the Really Big Fish
The Solution: Protect Your Brand Name and All Variations
Bank and credit union customers are at risk of falling victim to the classic and growing Internet scam known as cybersquatting. Cybersquatters are entities that register Web addresses remarkably similar to those of well-known companies, institutions or products. For example, known cybersquatting Web sites include dellcomputersystem.com instead of dell.com, samslcub.com instead of the correctly spelled samsclub.com, and vvachovia.com instead of wachovia.com.
Bad Guys Getting Better, Aiming Higher
While many computer users have sent them in the past, the future of E-cards (electronic greeting cards) may be dimmed because of their recent use in scams targeting consumers. Financial institutions need to do more to educate their employees and customers about the dangers of opening electronic greeting cards. E-cards grew to be a popular, easy and cheap (sometimes free) way to send immediate messages to family, friends and co-workers. Many companies offer this service; my Internet Service Provider even includes them in its service. You can add audio, video or animations to a message.
With identity theft topping the Federal Trade Commission's list of U.S. consumer complaints, a new report from a leading consumer advocacy group that puts the cost of cybercrime to U.S. consumers at more than $7 billion is no surprise to anyone familiar with the identity theft threat. The FTC's numbers show that for the seventh year in a row, identity theft tops the list of complaints consumers filed with the agency, accounting for 36 percent of the 674,354 complaints received from Jan. 1 to Dec. 31, 2006. According to the Better Business Bureau, identity theft affects an estimated 10 million U.S. victims per year. A recent survey completed by Consumer Reports projects that U.S. consumers have lost more than $7 billion during the last two years to viruses, spyware and phishing schemes.
It’s often said that the biggest problem with information security is the space between the chair and the keyboard. While many of us in information security at financial institutions will nod in agreement with that statement, it makes the education of our customers a pressing issue.
When it comes to phishing, the smaller institutions that aren’t prepared for an attack on their brands are playing “Russian roulette” with their brand and reputation, says one leading security solutions firm. “Smaller institutions should not be complacent. Brand and reputation are on the line when a phishing attack occurs,” said Marc Gaffan, director of marketing with RSA’s consumer solutions group. “Large banks, when they get hit with phishing, get the national headlines. But when small banks and credit unions are hit, they will appear in the local paper or on radio and TV.”
The summer of spam continues with an influx of PDF spam arriving in users’ inboxes. According to Symantec’s “July State of Spam” report, image spam continues its decline, and replacing it is spam with a new flavor of attachment: PDFs containing “word salad,” nonsense words strung together to fool email and spam filters. “When opened, the PDF file is an ad or some other spam message. The PDF attachments result in messages that are very large in size. We have been monitoring this throughout the past month, but it has really heated up in the past week. So far, we have observed over 25 million messages that were categorized as PDF spam,” said Symantec researchers in the report. The researchers said they have also seen a few different variants of this type of spam.
The Federal Trade Commission’s second summit on spam in the last four years addressed the growing problem of unsolicited email, which is creating costs for businesses and consumers alike. FTC Chairman Deborah Platt Majoras addressed the summit, held July 11-12 in Washington, D.C.: “The volume of spam reported by email filtering companies is rising.” She added that botnets – networks of hijacked personal computers that spammers use to conceal their identities – have become the preferred method for sending spam.
Research from McAfee’s Avert Labs shows threats including phishing web sites are on the rise, as expected. But other pests such as remote-controlled bots show unpredicted signs of decrease.
With the recently discovered “plug and play” phishing kit, a relatively “non-technical” person with the right information could launch a phishing attack against any financial institution.
A new study details the psychological games and other tactics cyber criminals use in social engineering scams propagated through junk email. In a recently released study titled "Mind Games," Dr. James Blascovich, Professor of Psychology at the University of California,
For financial institutions, stopping fraud and keeping phishing and crimeware from infecting their customers’ computers is a continuous battle.
It’s going to be a long hot summer for many U.S. financial institutions when it comes to online attacks. RSA’s Anti-Fraud Command Center issued its monthly online fraud intelligence report for May, and the statistics show that attacks on U.S. nationwide banks accounted for 33 percent of all attacks on U.S. financial institutions – more than double April’s share.
Given the high cost of containing information security breaches, financial institutions have invested lots of time and money into developing incident response programs. But how do they know if their program is working properly? To assist financial institutions in this process, the Federal Deposit Insurance Corporation has published guidance on incident response program best practices—a how-to approach to keeping sensitive data from being accessed by unauthorized individuals. Many financial institutions are finding it challenging to assemble an incident response program (IRP) that not only meets minimum requirements as prescribed by financial institution regulators, but also provides for an effective methodology to manage security incidents for the benefit of the financial institution and its customers. Financial institutions are required to include incident response as part of their information security program. The federal financial institution regulatory agencies have issued interpretive guidance prescribing standard procedures that should be included in IRPs. In addition, at least 33 states have passed laws requiring that individuals be notified of a breach in the security of computerized personal information.
When identity theft occurs, nine times out of ten the source from which the person’s identity was taken is never fully determined. Trust and money are the two products financial institutions have. Once a member loses trust in your institution’s ability to protect their personal financial information, you’ll lose them as a customer. Part of building confidence in your institution is communication with your members. Tell them what you’re doing to protect their information. While you can’t meet with every single member individually, take the lead and reach out to them through your marketing vehicles. Use your statement stuffers, fliers, posters and your website, and put the message out there. Market your efforts to protect them as you would a banking product. Financial institutions can use this draft memo as a place to begin educating members about identity theft.
The best offense is a good defense, as the adage goes. For financial institutions, part of the defense that protects your customers from becoming victims of identity theft is educating them. Here, CUInfoSecurity.com has compiled a list of some of the better-known and newest identity theft web pages, with easy-to-distribute information and links you can add to your institution’s website to further the education of your customers.
Overview: Aaron Emigh is a well-known expert in information security. He is the author of the U.S. Secret Service San Francisco Electronic Crimes Task Force Report on anti-phishing technology, as well as the reports on online identity theft countermeasures and crimeware from the U.S. Department of Homeland Security.
Financial institutions need to realize that the cyber criminals who target Internet users with phishing attempts aren’t going away anytime soon, says information security expert Aaron Emigh. “They’re moving away from purely deception-based attacks (simple emails in your inbox, purportedly from your bank, with links the phishers want you to click on) to more insidious, sophisticated crimeware attack vectors where users’ online identities are stolen, then transactions are made with the compromised account information in several ways, including DNS hijacking and other methods.” Their target is still your customers’ money, account numbers or credit card numbers, he explained.
Read the latest research on phishing - Why Phishing Works
LINDA MCGLASSON: Are we in information security becoming too complacent? I mean, we have a lot of zero-day threats, hundred-thousand-node botnets sending us virus threats and all things like that, and those of us in information security, you know, look at the situation and think that this is normal operating procedure. Are we too complacent?
WYATT STARNES: I think we are too complacent, and I actually think we’ve been overly, sort of, complacent and self-secure, self-assured for actually quite some time. When you kind of zoom back and look at some of the physical threats in our world, specifically the tragic events of September 11th, 2001, where we found we were dramatically exposed to physical harm within our own boundaries, I think in the cyber-security world we haven’t really seen our September 11th, 2001 yet. We are exposed. We continue to be exposed, and information technology is prospectively an important new attack vector for us in our industry and in our economy, and frankly, in our political system as well.
The alert from a federal regulatory agency about a 419 scam appearing to come from the U.S. House of Representatives’ Financial Services Committee isn’t something new -- this type of scam is just a new twist on something that has been around for many years. As long as there are people who believe they can get something for little or nothing without a great deal of effort, 419 scams will continue to wreak havoc on the American public. As financial institutions, we must help educate those who could fall under the 419 spell of easy money.
Would your customers recognize and detect a well-designed phishing site that was targeting them? The unfortunate answer is probably not. Phishing websites designed with high credibility fooled a high percentage of participants in a recent study. “Why Phishing Works,” a white paper authored by researchers from Harvard and UC Berkeley illuminates the problems of deterring phishing that all financial institutions face. Download the report now: http://www.cuinfosecurity.com/whitepapers.php?wp_id=97
Pharming" say that by viewing a malicious web page users can set off changes in a broadband router or wireless access point, making the computer connected to it susceptible to attack. The paper, authored by researchers Zulfikar Ramzan, from Symantec, and Markus Jakobsson and Sid Stamm of the Indiana University School of Informatics, shows the dangers of not changing a default password in this important part of connecting to the Internet.
Dr. Jakobsson is also Associate Director of the Center of Applied Cybersecurity Research, and the founder of RavenWhite, Inc., an RSA Security spinoff. He is the inventor or co-inventor of more than fifty patents, has served as the Vice President of the International Financial Cryptography Association, and is a Research Fellow of the Anti-Phishing Working Group. Prior to his current position, he was Principal Research Scientist at RSA Laboratories, a member of technical staff at Bell Laboratories, and Adjunct Professor at New York University. He is an Editor of The International Journal of Applied Cryptology, and a Group Editor of the ACM Mobile Computing and Communications Review. His latest book, Phishing and Countermeasures was released last year. He is co-editor and author of upcoming books on crimeware from Symantec, click fraud and cryptographic protocols. He has also served as the Editor of the RSA Cryptobytes for several years. Professor Jakobsson researches fraud, social engineering and phishing, and the prevention of these attacks.
Data breaches were hitting the headlines almost every week in 2006, with the estimated number of records compromised in security breaches passing the 100 million mark, according to the Privacy Rights Clearinghouse, which tracks breaches dating back to the ChoicePoint incident in 2005. With all the press coverage and consumer awareness of the issue, expect Congress to take up the matter this year in earnest. We will most probably see several legislative bodies arm-wrestling over who gets top enforcement duties under whatever form the federal law takes. That is apart from the 30-plus state laws on the books that relate to data breach notification. Secure your sensitive data now, before the waves of regulation begin washing up against the walls of your institution.
Wish List from Financial Institutions to Our Customers
As the weather outside gets colder and the year draws to an end, we're thinking of the things we'd like to give and receive as gifts during the holidays. While your personal list may be longer than this, here are the 12 things we wish all of our customers and employees would do - loosely based on "The Twelve Days of Christmas". Hum along if you don't sing.
Cyber-criminals are targeting the most vulnerable access points within businesses - employees - to execute their attacks, a new study finds. In its annual closely watched security report, IBM warns that although widespread virus outbreaks are on the decline, on the whole online attacks are expected to rise in 2006. The culprit: highly targeted attacks that rely on naive users. According to IBM's 2005 Global Business Security Index Report, e-mail-borne viruses dropped sharply in 2005. In 2004, 6.1% of e-mails contained a virus; in 2005, that declined to only 2.8%. "What we're seeing is more directed targeted attacks, and we really think that's because of the financial motivation and the underground economy driving those things," an IBM security expert said.
Nearly a quarter of PC users are targeted by monthly phishing attempts, according to a national study of online security. Phishing is, of course, the practice of sending bogus but authentic-looking e-mails, purportedly from a trusted organization, to consumers in hopes of tricking them into revealing personal information. It’s one of the fastest-growing crimes in the world, and the survey conducted by AOL and the National Cyber Security Alliance indicates there’s no reason to expect that to change anytime soon.
• Phishing scams’ increasing sophistication makes them tougher to spot; 70% of recipients say they initially thought the e-mails might be legitimate.
Internet-related crime, like any other crime, should be reported to appropriate law enforcement investigative authorities at the local, state, federal, or international levels, depending on the scope of the crime. Citizens who are aware of federal crimes should report them to local offices of federal law enforcement.
In our ten years’ experience in detecting, locating, and prosecuting network intruders (hackers) we have seen that, as with many offline crimes, robust law enforcement alone cannot solve the network intruder problem. To be effective, any overall strategy must include the owners and operators of the nation’s computer networks. They are the first line of defense and have the responsibility to take reasonable measures to ensure that their systems are secure. They are also in the best position to detect intrusions and take the first critical steps to respond. At the most basic level, we rely on network operators to report to us when their systems are hacked. Intrusion victims, however, are often even more reluctant to call law enforcement than other business victims. This reluctance has been reflected in the surveys conducted jointly by the Computer Security Institute and the FBI. In the year 2000 survey, for example, only 25% of the respondents who experienced computer intrusions reported the incidents to law enforcement. To better understand why and to learn how we can promote reporting, the Department of Justice has undertaken a concerted effort to reach out to the operators of our nation’s computer networks.
How likely are you to be wooed into a false sense of security by a friendly face or the promise of a cash prize?
Hackers have changed their tactics and are exploiting flaws in popular software applications – including security programs — to break into the computers of consumers, government agencies, and businesses. What’s new about this, you might ask? The key word is “applications.” Until recently, hackers focused almost exclusively on computers’ operating systems – that is, their basic nervous-system software, with Windows being the obvious example. But over the past five years, operating-system companies, especially Microsoft, have grown much more adept at quickly issuing “patches” once a security breach in their products was discovered. Moreover, the ubiquity of Internet access means these patches can be distributed automatically, often without the user even knowing his or her software has been strengthened. Result: More secure operating system software.
Most Internet users know spam when they see it, but the vast majority are unfamiliar with terms like “podcasting,” “phishing,” and “RSS,” according to a recent study. The Pew Internet and American Life Project research, based on random telephone interviews with 1,336 Internet users, was called a sobering reality check by experts. The widespread lack of knowledge of phishing, in particular, alarmed security analysts because the crime has grown so widespread in recent years.
Survey Findings
Here are some of the interesting results from the Pew study:
• 70% of respondents either never heard of phishing or were not sure that it refers to e-mail scams that try to trick users into revealing sensitive information by masquerading as a legitimate financial institution, credit-card issuer, or other organization.
Since January 1, at least 104 data incidents have been documented in the U.S., potentially affecting more than 56.2 million individuals. And that is probably just the tip of the iceberg.
Ever inventive, cyber-criminals who specialize in phishing scams are finding new ways to hook you and your personal financial information.
TO: Chief Executive Officers and Chief Information Technology Officers of National Financial Institutions, Federal Branches, Service Providers, Department and Division Heads, and Examining Personnel
PURPOSE
This alert is intended to raise awareness of an increasingly common Internet fraud called “phishing” and encourages institutions to educate their customers, strengthen monitoring systems, and enhance response programs to reduce the potential risk to their organizations and customers. BA
What you will learn from this tip: How using five security best practices gets you closer to compliance with the PCI Data Security Standard and helps mitigate common threats to e-business. The media has been abuzz with a series of reports from vendors such as DSW (Designer Shoe Warehouse) and Polo Ralph Lauren regarding disturbing losses of credit card information.
Internet-related crime, fraud, and damage is going through the roof. Here we take a look at what Consumer Reports has named the four major online threats you need to defend against.
By Bill Brenner, News Writer
Most users recognize -- and sometimes disregard -- the warning box that pops up when inputting personal information like credit union account codes on a trusted Web site accessed with an ironclad connection. Time to think twice about such blind trust on previously deemed safe sites, especially if it's a fin
High-tech criminal gangs with access to sophisticated keylogging viruses pose a growing threat to financial institutions. Recently, England’s High Tech Crime Unit foiled an effort to steal over $100 million from a Japanese bank in London. The gang gained access to Sumitomo Corp.’s computer systems, installed keyloggers in order to learn users’ passwords, and were getting set to transfer the money to 10 bank accounts scattered aro
We all know the threats posed by spyware to enterprise networks: user ID and password theft, financial loss, productivity drain, intellectual property theft. Security practitioners have two defenses at their disposal: the human and the technical. While the technology for combating spyware is improving, antivirus vendors have only recently started adding functionality to target it. That means the best defense is the human one – employees and end users. They can help in the battle against spywar
A phishing incident response plan for financial institutions isn’t written just for good business practice; it’s also a regulatory requirement. While it is a challenge to put together an incident response plan that meets your regulator’s minimum requirements, you also want a well-thought-out plan that can handle security incidents that may hurt your institution and its customers. So where do you start? The FFIEC’s Information Security Booklet is the basis for many of the incident response requirements that federal
Phishing -- it’s not a matter of if it will occur at your institution; expect phishing to happen at your institution. Phishers are not dumb. They head toward where the money is – the customer accounts at banks and credit unions. So what does a typical attack look like? First, they swoop in and throw an attack against the bank’s online site with a botnet to force it offline (a Distributed Denial of Service attack is one method used), and then they send out the phishing lines to thousands of unsuspecting Internet users, most of whom aren’t even customers of the bank. The average phishing web site is only up a matter of days, netting the phishers money they then transfer out of accounts at U.S. banks into overseas accounts. By the time law enforcement catches up with the overseas accounts, the phishers are long gone, leaving only a trail of IP addresses to follow.