Entries from Realtime Community | Messaging and Web Security tagged with 'phishing'
Phishers are re-working old attacks and coming up with some variations on past attacks as they continue to try to scam social networking site users. This isn't new, but as Symantec points out, the attacks are on the rise....
Symantec has been following the trends in Facebook phishing and the current wave of attacks looks similar to previous ones. Of course no one goes to this much trouble to vandalize Facebook pages; there is money to be made (stolen)...
Researchers from the Security Group at the UC Santa Barbara Computer Science department hijacked the Torpig botnet for 10 days. In that time they found what you'd expect (some users are very lax with security) and some things not so...
The last couple of days have not been good ones for Facebook users getting phishing lures with messages like "check this out" linking to fake login pages. The attacks continued yesterday....
I've written many words (more than a thousand for sure) about security and many of them directed to SMBs but I have to admit I wish I had come up with the elegant diagram in GFI's new whitepaper Security Threats:...
It was only a matter of time....
Describing the increasing threat from phishing, identity theft and other forms of online fraud, the bank industry is being described as blindsided by some....
The suggestion by Gene Hodges that the big sociological driver in malware that we've all missed is that young, reclusive hackers have grown up, gotten married and taken on mortgages. Sure, they've grown up but as Allysa Myers points out,...
CNET reports Apple has pulled a knowledge base article advocating Mac users run anti-virus software. It's a mistake to think even devices running established, well designed operating systems don't need malware protection....
We've just posted an article in the Digital Library on browser sniffing. Here is an excerpt:...
A new study from Symantec (pdf) tries to get a picture of the underground economy for cybercrime by monitoring publicly available sites and channels. This type of survey provides insight into the exposed side of cybercrime but as the report...
What can we do to stem phishing scams given that 3.6 million Americans fell for phishing scams at a cost of $3.2 billion last year? Security awareness is too often dismissed with an "it would have worked by now if...
Microsoft's 150-page Security Intelligence Report for January to June 2008 demonstrates that even if one part of an application stack is secure, attackers will still go after the weakest link. In this case, that would be third party applications....
Economic downturn, bank mergers, and consumers shifting accounts around looking for the best deal is an ideal situation for phishers....
Collecting information about individuals and businesses isn't difficult, especially when you have the right tools....
Phishers can inject fake pages into a session while still displaying a legitimate URL in the browser address bar....
A kit is now available on the Internet to help build fake YouTube sites which can be used to push malware....
Trojans and keyloggers aren't working just at the operating system level - the browser can now be used to capture banking details....
The information we share with friends on social networking sites may be used in unintended ways, such as providing details for a spear phishing attack. In this podcast we look at the benefits as well as the risks in social...
It's somewhat ironic that Macs are perceived to be more secure than Windows devices yet the default browser on Mac OS X regularly gets bottom honors when it comes to security....
SearchSecurity has a compelling read in "EV SSL certificates won't stop phishers, researchers say" which isn't just a "No, it won't work" critique of extended validation SSL certificates. Researchers Billy Rios and Nitesh Dhanjani call EV SSLs commendable, but not...
A new article on vishing has just been added to The Essentials Series: Messaging and Web Security - Volume III. Here is an excerpt:...
Brian Krebs' Security Fix discusses some research out of Indiana University on how phishers and others can use open redirects in legitimate Web sites. In addition to the clear examples of hacked redirects Krebs provides, I add that this is...
It was a bit strange reading F-Secure's latest IT Threat Summary and having a feeling that I've heard part of this story before. I had, sort of....
A study on data breaches across a range of industries conducted by Verizon Business paints an ugly picture of just how preventable a lot of data loss incidents are....
Identity theft is a hot topic for those pushing monitoring services but it looks like just about no one else cares. I occasionally get comments in this blog promoting identity theft monitoring services and I have to give credit to...
We've just posted a new article on localized malware. Researchers are finding more region and culture-specific malware; here's an excerpt:...
PayPal is fed up with phishing and they plan to prevent transactions originating in "unsafe" browsers. If you don't have a browser with anti-phishing measures or support for Extended Validation (EV) SSL certificates, don't expect to use PayPal much longer....
Anti-phishing measures like customer selected site-images and Extended Validation SSL green bars are not the panacea we may have hoped for. Why? Partly because of the adaptive behavior of computer users and partly because of a lack of information about...
Phishing lures change like the weather. With tax time, come phishing scams promising tax refunds or threatening actions by the IRS....
Phishers and other attackers can use Google to find sites with known vulnerabilities so if you thought you could get by without vulnerability scanning, better read on....
Bots are now being used to register domains giving attackers more options for pushing malware and launching phishing attacks. Fortunately, some basic text analysis techniques seem to be the key to detecting when a machine registers a domain instead of a...
I commented this morning on lack of a paper trail when I voted in Virginia yesterday. Then I thought of all the ATM receipts that are left near the bank machines - maybe I'm making too much of this. Now,...
According to two reports, both cybercrime and self-inflicted security incidents were up last year. The IBM X-Force report shows camouflaging techniques are now used almost 100% of the time by malware attackers, and the Storm worm typifies the problems tracked...
Art Coviello, executive vice president of EMC Corporation, and Robert Holleyman, president and CEO of the Business Software Alliance, argue in an op-ed piece in the San Jose Mercury News that federal legislation is required to stem the increasingly...
Firefox 3 is in beta 2 now and with the new release comes some welcome features, like better protection against some forms of cross site data leaks, easier access to SSL certificate details, and anti-malware protection (via blacklists). Support for...
The holiday season is a busy time for all of us and phishers are no exception to the rule. This is a prime time to target online shoppers and others online. The last year has had good news in...
The Pew Internet & American Life Project just released a survey entitled Digital Footprints: Online identity management and search in the age of transparency (pdf) that finds not much concern about personal information available online. From a release about the...
When I think of all the time and resources that have gone into artificial intelligence (AI) research over the past 40 years, it's disheartening to hear about a program that chats with women online with the intent of luring...
Researchers at Google and Georgia Tech have discovered a significant number of open recursive DNS servers, which respond to DNS lookup requests from any computer, have been compromised with malicious mappings. A victim that depends on one of these to...
The browser is a prime method for distributing malware, especially through drive-by downloads from compromised sites. This doesn't mean email is no longer a problem as a couple of stories make clear. The first is from the New York...
A survey out of the UK shows that our reactions to security threats aren't always rational. The Register describes a survey by YouGov on responsibility for spam. Surprisingly, two in five UK adults (42 per cent) quizzed feel that their...
The National Retail Federation coined the term "Cyber Monday" to describe a kick off to the online holiday shopping season but it has come to be more associated with the increase of scams that occur at this time of year. We...
The holiday spam and phishing lures are on the way. As sure as stores will open early on Friday and shoppers start their annual treks to the mall or Amazon.com, the scammers will be pushing wares. From ComputerWorld we get...
I was a little hesitant to click through on a BusinessWeek article entitled "Looming Online Security Threats in 2008". It isn't even Thanksgiving yet and already Christmas decorations are in the stores and doom and gloom predictions for 2008 are...
A Salesforce.com employee fell victim to a social engineering attack and revealed a password that allowed attackers to steal customer data. Some of those customers were later scammed by what appeared to be legitimate invoices from Salesforce.com. From The Register:...
It's not surprising to see that cybercriminals are setting up fake campaign sites to scam would-be campaign donors. Findings from WebRoot, reported in ComputerWorld, show a growing problem with political scams: "What we are seeing is a real explosion in...
Phishing is a threat to consumers and businesses alike. One response to this is a new type of digital certificate known as the Extended Validation (EV) certificate. It requires stronger identification and authentication measures and takes advantage of improved users...
ComputerWorld is reporting that Supervalu Inc., a U.S. grocery chain, is a victim of corporate phishing. It seems the phishers posed as partner businesses and requested that payments for their products be sent to new bank accounts. I'm not sure...
Another article has been added to the Messaging and Web Security library. This one is on how social engineering techniques are changing to lure more victims. Here's an excerpt from the article: Phishing is a well-known and established fact of...
Are you concerned about protecting your privacy online? This podcast provides tips on practices you can use to reduce the risk of leaking private information while online as well as tools that can help protect against information collection techniques you might...
Perhaps we're not completely over hacking for bragging rights and it's not just about the money. Earlier this week, information on 1,200 eBay members was posted on a company forum. The posting included bogus credit card information which appeared real...
A major French Telecom yesterday announced support for the OpenID lightweight identity management standard. Some people are really excited about this. I'm sorry to say a lot of those are probably phishers who are thinking the great Phishing Gold Rush...
In Phishing and Countermeasures - Part 1 I reviewed an introduction to phishing, phishing attacks, spoofing and countermeasures, and pharming from Jakobsson and Myers' Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft. Today I'd like to turn...
Google mail is usually quite good at catching spam and phishing but a Skype phishing lure just got through to me. It's the usual kind of message which claims my account needs to be updated by Sept. 16 and even...
Controlling phishing with spam filtering and user awareness are effective to some degree but other technologies and techniques promise to improve on these. In this podcast, we discuss trusted paths, 2-factor authentication, password hashing, transaction analysis and anti-phishing toolbars. For...
I've just started Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft edited by Markus Jakobsson and Steven Myers, and so far there is every indication it will be a solid resource. For starters, Jakobsson and Myers edit...
Taking a page from marketing practices, attackers have stolen information on 1.6 million individuals from Monster.com which is then used for phishing attacks, according to Symantec. The attack uses employer credentials to log in to the employer-only section of the...
Mozilla Firefox 3, as it is currently planned, will include better malware and phishing detection according to Security News. These are welcome additions, especially if they are as easy to use as intended. We've seen too many examples of poor...
The recent drop in image spam and an increase in PDF spam is no surprise. Once detection rates improve beyond a certain point, it's worth the time and effort of spammers to find another tactic. It also means we're...
Tracking down phishers is difficult because they often hide behind botnets and spoofing techniques but one bunch of phishers was nabbed because of old fashioned paperwork. ComputerWorld is reporting Italian authorities arrested 26 in a scam involving the Poste Italiane,...
Here is a story that reminds us cybercrime is a lot like regular business: you develop a product and make its creation and distribution as efficient as possible. For Web admins, system admins, network managers, DBAs, etc. this often means...
In yesterday's post I talked about a speech by Richard Clarke, former cybersecurity czar, in which Clarke argued that cybercrime and industrial espionage are worse than many of us think. Today I thought I'd run down some examples, research and other...
Quick note, a new article on application security metrics has just been posted at the community site. Ok, back to spam, spam and more spam. Reading security news is like watching the stock market: some days are good, some are bad...
Kris Lamb, a security researcher at IBM, describes emerging threats to mobile devices in a lengthy article in Computerworld. He points out that mobile threats (mostly annoyances) are more common in Europe and Asia but he sees five trends that...
IE 7 fails to catch a new phishing technique discussed in Strange spoofing technique evades antiphishing filters. The problem was reported to the Register by Marty Hall, who was surprised when he tried to log into PayPal....
Implicit trust is a problem with a number of Internet protocols. By exploiting that trust, spammers and phishers have had their way with spoofed emails. The pending adoption of DomainKeys Identified Mail looks more likely with the Internet Engineering Task...
Radical improvements in anti-malware detection aren't going to come from marginal tweaks to existing algorithms and techniques. We need fundamental changes. The Symantec Veritas merger is showing how this can be done. By combining disk scanning techniques that can bypass...
Yesterday I advocated for a simple approach for controlling botnets: turn off your PC. It's simple and even the least technical user can handle that one. Mike Knight, an IT consultant in the UK, has a similar keep it simple...
Strange as it may seem the botnet plague and environmental concerns have a common, partial solution: turning off all those PCs. Botnets, those distributed mass generators of spam, phishing attacks, and denial of service attacks, are getting more and more...
Increasing volumes of spam and phishing messages, along with more sophisticated techniques for avoiding detection, have prompted the development of new kinds of spam management. This podcast examines five new techniques for combating spam: duping, image spam detection, filter combination,...
Microsoft released a security advisory (935964) last week acknowledging a vulnerability in Domain Name System (DNS) in Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. The vulnerability is...
Every year U.S. Federal agencies get graded on their information security, and this year is a mixed bag. Some agencies did well, others failed. Assuming private sector enterprises have the same range of the good, the bad, and the ugly,...
A MessageLabs report on the increase in phishing is getting a lot of play: there are more phishing attacks than Trojan horse and worm attacks. This also looks like the inevitable response from attackers to improved security measures. Here’s one...
History is repeating itself and it’s not good. Phishing kits are being used to rapidly deploy phishing attacks in ways reminiscent of virus kits. Remember the days when virus writers actually knew how to code and then virus generation kits...
Phishers have plenty of techniques to lure information from the unsuspecting, but there are plenty of ways to control the threat of phishing. This podcast covers some tried and true as well as emerging phishing techniques and looks at new...
Looking for a silver lining can be a tough job some days in the world of information security and today we may get as close as we will for a while. Today the FBI announced dozens of arrests in the...
There was a time that attackers seemed to limit the size of botnets to "keep below the radar" but vnunet.com is reporting the creation of a million-bot botnet. No one knows for sure the purpose of the botnet, but phishing...
We know phishing scams will continue to get more sophisticated and there has been notable change in tactics with some phishers. Michael Urban’s “The Evolution of Phishing” in the September 2006 issue of the ISSA Journal (http://www.issa.org/, membership required) describes...
Many of the techniques used to combat spam have focused on trying to classify messages either based on their content or by comparing the sender to blacklists. Spammers and phishers will of course try to work around these detection methods...
Keeping ahead of phishers just got a little bit easier. An upgrade of the popular Firefox browser from Mozilla includes anti-phishing protection. The browser by default is enabled with anti-phishing features turned on. When browsing, Firefox will check the sites...
The Anti-Phishing Working Group has released a report on phishing trends as of August, 2006. The bad news is the number of phishing reports is up from the previous month. The good news is the trend has slowed slightly. Another...
The Messaging Anti-Abuse Working Group (MAAWG) and the Anti-Phishing Working Group (APWG) have published Anti-Phishing Best Practices for ISPs and Mailbox Providers. The report characterizes phishing messages and makes recommendations for detecting and containing them. It also includes a section...