blog.brandprotect.com


The Rise of Mobile Malware

We've all heard the warnings about malware: don't click links in emails from unknown senders, don't click suspicious links on Facebook, install software found online at your own risk.  What you likely haven't heard about is how mobile malware is on its way, and will change the way you think about your phone.

For years now, phones have been moving beyond simply placing and receiving calls - you can get email, play games, listen to music, download or stream full-length movies, read ebooks, surf the web, do your online banking, control the lights or garage door or door locks or temperature in your house, or videochat with a friend.  And those are just the common tasks - I'm not going to start listing all the quasi-useful mini-apps you can kill time with.  While these functionalities are a gold mine from a commercial standpoint, the average user still doesn't take full advantage of all these features.  Regardless, the ability for the end user to install applications on their phone makes the phone more of a portable computer than a phone, in the traditional sense.  Unfortunately for them, most users still consider their iPhones and BlackBerrys phones, and not portable computers.

I say "unfortunately", because this mentality is what the malware writers will bank upon - people don't think that their devices are at risk, simply because they are using phones, and not computers. 

Until recently, there has been little to no reason for a malware author to expend any effort to write a piece of malware for a phone - there was little reward for their efforts.  All of this added functionality - combined with a sharp drop in the learning curve - has brought forth a veritable horde of potential victims.  Because of this, new tactics are being used - the malware is not only being designed to steal your information and send it to the perpetrators, but can be used as "ransomware" (applications which lock out some or all functionality until you pay a "ransom"), give full control of your phone to the perpetrators, or force your phone to call premium long distance numbers which rack up your phone bill.

Now, I know there are many readers saying to their screens "but I have an iPhone - Apple's 'walled garden' approach protects me from applications like that!" - and you are correct.  For the time being, iPhones are exempt from malicious applications due to Apple's development policy.  Well, not all iPhones, only about 90% of them.  The other 10% are "jailbroken" - essentially, users have installed an alternative operating system on their phones which allows them to customize the interface, run multitasking (this feature was recently announced as being included in the new iPhoneOS, however multitasking has been available on the "grey market" for several years), or install applications that have not been reviewed by Apple.

Jailbroken iPhones, BlackBerrys, Android devices, and Windows Mobile devices are all susceptible to mobile malware, since anyone can write and release an application for them.  An Australian teenager wrote the first iPhone malware a few months ago, as a Proof of Concept, and that resulted in some nefarious characters altering the code and releasing it into the wild.  Thousands of jailbroken iPhones were infected, with all data that was on the phones being accessible by the perpetrators, and the phones were held hostage until the user paid a ransom.  Spanish security firm S21sec wrote an app for jailbroken iPhones (also as a Proof of Concept) which showed that the device could be infected and used as a node in a botnet, for doing things like Denial of Service attacks or distributed computing (sometimes used for cracking complex passwords).  In the past few weeks, both Android and Windows Mobile devices have been compromised, and malware released in the wild.  BlackBerrys have remained relatively untouched at the time of writing this, however it is only a matter of time before someone invests the time to write malware for that platform.

To give you an idea of how much data can be acquired by these apps, here's a list of what S21sec was able to do with their mobile malware:

  • Full VNC access (remote control)
  • Access to all messages (email, SMS, MMS), contact list, wifi passwords, photos (and their accompanying GPS data), browsing history, keyboard and photo caches, and current GPS coordinates
  • Keyboard overlay created, allowing them to capture everything typed into the phone
  • "Nuke" the phone (basically, turn it into an expensive brick). This was done by sending a 6-character command to the phone remotely

At present, there is little stopping malware authors from creating these applications and releasing them for public consumption.  If you consider how little people have thought about the security of their devices, and how quick and easy it is to try out the latest hot app, there are likely a lot of users out there setting themselves up for a surprise.  Let's just hope that we don't all have to start paying for anti-virus applications for our phones.

Are you ready for Mobile Banking? Security vulnerabilities could lead to identity theft!


How do you feel when you lose or forget your iPhone or BlackBerry? I asked my friend Sarah the same question and her response was "I would be 'techno-stressed' and sit in a corner and cry". Our phones have become an extension of our body - it's something we need to have on us all the time. Smartphones are all the rage and highly in demand. With countless apps that make everything available at the click of a button, online shopping, micro-blogging, and financial transactions are much easier. This brings us to look at the future of smartphones and the vulnerabilities that come with them.

Did you know that Google ships out 60,000 Android phones every day?  Which means they send out 21.9 million every year. These phones are in high demand and critics predict that the new trend for 2010 will be "Mobile Malware". We've already seen potentially malicious mobile apps available via the Apple store and Android Market. Recently, Google removed about 50 apps from their Android Market which also targeted a few financial institutions. Here at BrandProtect, our Incident Response Team removed unauthorized apps from a website targeting our clients. 10, 0000's of new apps are submitted every day to these popular app stores, creating a hot spot for the hacking community, leading to more phishing, malware and identity theft.

Mobile banking is also growing throughout the world. Recently Barcelona hosted the GSMA - Mobile World Congress 2010, where YellowPepper, a leading provider of mobile financial services in Latin America, announced the launch of YellowPepper Mony. "YellowPepper Mony enables financial institutions and corporate clients to deliver secure, convenient and easily accessible financial services to consumers, such as mobile money transfers, international remittances, mobile bill payments and pre-paid cell phone service".  This signifies that mobile banking is going to spread fast throughout the world - fraudsters, phishers and malware authors are already putting on their "thinking caps", thinking of ways to turn banking services offered on mobile phones into cash for themselves. While mobile banking is still in its infancy in North America, we know that it will grow fast. CIBC is already one of the first banks in Canada to offer a mobile banking app for the iPhone. Although Canada has a slower adoption rate for mobile banking, as more banks jump on the bandwagon, the masses will follow.

This also brings us to look at the open source market available for application developers. For instance, Google and Apple are open to anyone, and many critics fear deficiencies in the testing process that could let malware apps slip through. Apple does require that all apps sold in the store are verified and signed by them, which gives them the power to withdraw the certificate so no one can install the app anymore.  However, with Apple there is also the risk of "jailbreaking", which allows iPhone and iTouch users to run any code on their device without authorization from Apple. Once your iPhone or iTouch is "jailbroken", you can download apps from anywhere - this could lead to malicious content being installed on your phone that can steal all your personal information.  Moreover, the vulnerability with the Google Android market is that it allows users to self-sign the code "with their own home generated certificates".  As a result, this also poses security risks, as the status is only checked upon installation, so once you install a bad app on your phone Google can't take it back.

As we all become dependent on our phones to check our email, make financial transactions, and shop online, our "user behavior" also changes.  Just like the internet, mobile phones have also become a "social device", which makes people more vulnerable to security risks. Do people pay the same attention when opening an email or downloading something on their computer vs. their mobile phone?

Smartphone users beware - Make No Assumptions, ensure Physical Security - don't leave your phone lying around and be Mindful of Malware.

 

 

Are you doing enough to protect your institution against money mules?


Before the advent of high-resolution security cameras, dye packs and GPS trackers, criminals would simply walk into a branch, pull out their guns, take the money and escape on their steeds. The criminals have evolved. They would then walk right up to the teller, hand them a note, and walk out with a bag full of money, right past blue-haired grandmothers updating their bankbooks and blue-collared workers depositing their paychecks.  Technology evolved.  So did the criminals. Now, criminals are robbing banks in even easier ways.

 

Phishing sites, vishing or smishing phone numbers, card skimmers - these tactics all enable the criminals to acquire the precious details they need to defraud financial institutions and their customers of hard-earned dollars without ever leaving their homes.  Simply acquiring this information isn't enough for the criminals to start planning their retirement in a non-extradition country - they need someone to actually get the money for them.

 

Criminals are (typically) quite adept at protecting themselves - whether it be having a safe house, a getaway car, or rigging their hard drives with thermite - to ensure that getting caught doesn't mean hard time.  So what is an aspiring fraudster to do these days?  Find a Money Mule.

 

Money mules are typically recruited online, lured unknowingly into the criminal world by the prospect of quick, easy money.

 

You see the recruiting posts everywhere. Job postings and spam with subject lines of "Work from home!" or "Make $1000/wk CASH!" can seem like a blessing to those desperate in today's harsh economic times.

 

Once the "employee" (mule) makes contact with the fraudster (who pretends to be a corporation), the mule is instructed to open a bank account exclusively for use by the "corporation."  At this point, one of two things happens:  either the "corporation" will send the "employee" a legitimate-looking check, or; the "employee" will forward the account details to the "employer", who transfers a modest sum of money - maybe a few thousand dollars - into the account.  The fraudster then instructs the mule to withdraw 90-95% of the money.  Once the cash is in-hand, the mule is sent to a Western Union office, where they transfer the money back to the "employer", keeping their 5-10% share as their "salary."

 

Unfortunately, the only real check this mule is going to get is a reality check.  The check provided by the "corporation" is counterfeit, but this only comes to the attention of the mule sometime later on, well after the withdrawal and transfer is completed.  Once the bank realizes the check is counterfeit, they reverse the deposit, which then brings the account into overdraft, leaving the mule with a fairly significant debt to the bank.  When a direct transfer is made into the account by the fraudster, it comes from a compromised bank account.   Once the transfer is reported to the originating bank as fraudulent by the account owner, they reverse the transaction, with the same results - the mule is left on the hook for the debt.

 

This means that the person without a job is now jobless and in debt, the person struggling to get out of debt is now deeper in it, the retiree's pension check just got much thinner.  The bank is upset with the mule, the mule is upset with the "employer," and the "employer" is laughing all the way to the bank (for lack of a better term).

 

The mule now feels like an ass, having been taken advantage of and victimized as a result of their ignorance and/or greed.  To make matters worse, when the "employee" opens an account for their "employer", they are instructed to provide the account details - along with all other common employment information like Social Security/Insurance Numbers, full name/address, etc. to the "corporation".  This instantly makes the employee a victim of identity theft, as the fraudster collects this information for sale on the black market (or personal use) later on.

 

According to the Internet Crime Complaint Center (IC3), money mule handlers have tried to steal $100 million from small- and medium-sized businesses - who knows how much money the mules have lost as a result of these schemes.

 

Money mule handlers - I'm hesitant to use this term, but the "masterminds" behind these schemes - are good businesspeople.  They are only interested in streamlining their business and maximizing their profits.  Some are part of larger, real-world criminal organizations/gangs, some operate exclusively in the tubes of the Internet.   Regardless, money remains the driving factor, and as banks get hip to the tactics of money mule operations, they begin implementing strategies to prevent their customers from suffering the same credit-score-reducing fate.  The handlers pick up on this, and start blacklisting banks - essentially telling the mules where they should be opening accounts.

 

Throughout our travels around the ‘Net, BrandProtect comes across all kinds of scams and associated data.   One juicy tidbit was a list sent around by a mule handler's handler - the person that directs the handlers how to run their "departments" efficiently, and makes executive decisions for the group.  So, what's on this list?  Well, Dearest Reader, I'm glad you asked.  The list contains names of almost 50 U.S. banks that are known to have lax account security in place, idyllic environments for the growth of the criminal's business.

 

Straight from the file itself: "Ask your clients... to open a Checking account and provide the log in details, such as "User name, Password, the 3 Security Questions and Answers".  They should go into the bank and get the account opened. It should NOT be done online. In a state that has more than one bank, please send all the banks to him so that he will choose the one that is convenient for him."

 

As you can see, this is not the work of a half-baked junkie looking to make a quick score - lots of time and effort has been invested in this, because the perpetrators know the rewards are great.

 

Are you on the list of banks known by criminals to have lax account security in place? Drop us a line, and we'll let you know.

 

Co-authored by: Michael Kiefer, BrandProtect 

 

 

A simple app can lead to identity theft....


We live in an age where there is a need to have information right at our finger tips.  Not only do we need to have information that is easily accessible we also need to be mobile.  With the introduction of mobile devices like the iPhone, users are able to have the best of both worlds.  Apps are all the rage.  You can make your shopping list, check the weather, see your new friend request on Facebook, play your favourite video game and read your favourite book and these are just the tip of the iceberg.

Recently, a new app found its way to Google's Android Market, an app store maintained for its mobile services.  This new application appeared to offer a feature that would allow the user to gain access to their bank's website through this shortcut.  It is now believed that this app and 50 similar apps were harnessing malicious activity – activity that could lead to phishing attempts.  A recent article on computerworld.com provides more information on this app, created by a developer known only as "09Droid".

This Android app was brought to my attention and was a concern for one of my clients.  We were concerned that this app could have been downloaded by their customers who were innocently looking for an easy way to access their bank account.  Luckily we were able to make contact with one of the sites that were advertising the app and since then it has been removed.   There was still a concern, however, that there could be other sites that provide this app.  According to a recent article on willhall.ca, droid apps have been removed by Google.  We have been put at ease, at least for now…

There could be another Android app lurking around out there, but the word is getting out and banks and credit unions are beginning to make their customers aware that what may appear to be a handy shortcut could get them in a world of trouble.  So buyer BEWARE!!!

Why phishing attack takedown coverage is key to cutting your exposure

It has been well known for some time - at least, amongst those in the industry and by those with coverage - that having a solid takedown service is essential to limiting the exposure you and your customers face as a result of phishing attacks.  Studies have shown - consistently - that brands who have a well-defined takedown process (including a third-party takedown company) experience significant reductions in the lifetimes of phishing sites targeting their customer base.

Recently, there has been a spike in fast-flux, high-volume phishing activity.  Previously, this was known as "Rock Phish" activity; however that can be considered version 1.0 - domains, hosted on a botnet, targeting multiple financial brands and their customers via phishing sites.  Version 2.0 - known as Avalanche or ZBOT - is particularly troubling as it has evolved to include a malware payload, and broadened its target base by including social networking sites, government agencies, and even spoofing the email recipient's domain.  While complete fraud-loss and malware infection rates are difficult to come by, Damballa research found that the Zeus Trojan - the malware payload included in the Avalanche attacks - has infected 3.6 million systems in the U.S. alone.

In addition to giving up their banking credentials, hundreds - possibly thousands - of users are unknowingly becoming infected daily with one of the most difficult-to-detect pieces of malware ever seen. Zeus makes up 44% of all finance-related malware, and provides the fraudsters with complete access to the infected host, allowing them to upload keylogging software, automatically steal login credentials, even route legitimate domains to phishing pages.   Even those systems with up-to-date anti-virus software aren't immune from infection by Zeus - Trusteer found that up to 77% of infected systems had up-to-date AV definitions (and that across all AV software, there was only a 23% detection rate of Zeus). Earlier, I mentioned that the Avalanche attacks were targeting social networking sites - the same social networking sites that have been used as command-and-control centres for other pieces of malware. 

The simplest solution is often the most effective, and when dealing with hosted malware and phishing sites, the simplest solution to prevent further infections or credential loss is to get the content removed.  Anti-Phishing Working Group recently published their 1H2009 Global Phishing Survey, in which they have a section detailing the Avalanche phish.  Their findings showed that Avalanche domains had an average lifetime of 18 hours, 45 minutes from the time the email was sent out to the time the site became unavailable.  In the grand scheme of things, this is a fairly short lifespan - the same report outlines the average lifetime of standard phishing sites as being 39 hours, 11 minutes.  While this is promising, it still leaves 18 ¾ hours open to steal credentials and infect unwitting users.

BrandProtect first saw our clients being targeted in late June, with three more clients being added to the target list in the following months.  In total, 506 domains were launched which had pages (either phishing, malware, or both) targeting our clients.   BrandProtect's 24/7 Incident Response Team has a distinct advantage over other takedown providers in that they have team members spanning the globe, able to converse with the registrars of these domains in their native tongue, during their normal business hours.  This advantage resulted in an average lifetime of the domains targeting our clients of 7 hours, 48 minutes - or a 60% reduction over the reported industry average.  Needless to say, our clients are quite pleased with these results. 

Now, if only there was a way to prevent people from clicking links in email messages...

Got Hacked? – How to protect your site from being used for Identity Theft?

As an Incident Response Analyst at BrandProtect I communicate with ISPs, registrars and domain owners on a daily basis. Recently, I spoke with an aggravated website owner who said to me "I don't understand why my site has been repeatedly hacked, I changed my passwords, deleted the fraudulent folders and my hosting company is no help". Many frustrated website owners experience the same thing. They don't understand why they keep getting hacked. If you leave doors open to your site, it's very easy for perpetrators to get in. The key to protecting your site is to maintain it and make sure security always comes first. A website is like your home - it's your virtual space. You should invest in secure doors and locks. It's mind-boggling to see the number of sites that get hacked. Nowadays, creating your own website or blog is simple and inexpensive; unfortunately, people are skipping basic security measures.

When building a website, don't build a castle on a cloud. Although it's important to make the site look good, what's the point if it's insecure?  From my experience, I noticed that website owners lack the background to maintain their sites and don't understand the vulnerabilities sites have that hackers expect to find. Most often when sites get hacked we hear terms like patches, SQL injection and Cross Site Scripting (XSS). But what do these terms really mean? Here are a few definitions that will help us understand how sites get hacked:

Patches - Patches work like bandages; they seal flaws in software to make it work better. Software companies often have to fix bugs in their programs due to security problems or to add new features.

SQL injection - this is one of the most popular security vulnerabilities in web applications today.  We see this in sites that allow users to query a database; when a user enters data into a field, it is then inserted into a SQL command without any checking. This type of attack allows the perpetrators to manipulate the database of a site and allows them to bypass authentication into a site.

Cross Site Scripting (XSS) - this security vulnerability allows a malicious website to upload another website to another frame and use JavaScript to read or write data on the other website. Attackers find clever ways of injecting malicious scripts into web pages where they can gain access to sensitive information. Unfortunately, many XSS vulnerabilities lead to phishing sites.

The key to protecting your site from getting hacked is simple: maintain it and keep it up to date. If you are using WordPress, Joomla or Apache, make sure you update it with the latest security patches. Updating your software is extremely important. Unlike Microsoft, web applications don't always alert their users to update. Therefore, be proactive and don't always rely on your web hosting company. They are not responsible for maintaining your website and are not responsible if your site gets hacked. Always look for the latest updates and do your research. Lastly, secure your password. Take a look at Dylan Sachs' blog on "Password Security - sing a song, save some stress".

For expert advice I turned to BrandProtect's IT Manager Adam Crichton, who lists a few important tips:

1. If you operate your own web host, keep it up to date (whether IIS or Apache) with current patches.   Same goes for the database if you use one.   If you use a hosted service, make sure they keep things up to date/patched.  If they don't, find someone else.

2. Use very secure passwords for all logins.   If you must use a dictionary word, use two with a space or punctuation between them, and put at least one capital, one number and perhaps a punctuation mark.   Make sure it's at least 8 characters long.  If possible, change it every 45 - 90 days.

3. Guard against code errors like SQL injection vulnerabilities by having your web site code verified by a professional programmer. While lots of people can make a web site, and often at an inexpensive cost, they don't know how to format their database queries and statements to protect against common attacks.

4. If you operate your own web host, run a server antivirus product on it if it's Windows.   While some Linux viruses do exist, they're much less common since there are fewer desktop computers running Linux.

5. If you operate your own web host, make sure you have a good (i.e. tier one or two vendors like Cisco, Juniper, Watchguard, Sonicwall) firewall to protect it.   Put the web host server in a DMZ, not in your main (trusted) network.   Don't permit access between the DMZ and your main (trusted) network.

6. Don't be afraid to pay for a reputable firm to do a security audit if budget allows.   While security audits can't always practically have all recommendations followed to the letter, they will at least help you understand in what ways you're exposed.
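The query-building mistake described in the SQL injection definition and in tip 3, shown beside the parameterized form, as an added example (not code from the original post or from BrandProtect). The table, the sample accounts and the function names are constructed for illustration; it uses Python's standard `sqlite3` and `hashlib` modules.

```python
import hashlib
import sqlite3

# Constructed sample accounts for this example only.
SAMPLE_USERS = [("alice", "correct horse 7!"), ("o'brien", "Tr1cky name")]


def hash_password(password, salt=b"demo-salt"):
    """Hex PBKDF2 digest. A fixed salt keeps the demo short; use per-user salts in practice."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def make_db():
    """Build an in-memory database holding the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)",
        [(name, hash_password(pw)) for name, pw in SAMPLE_USERS],
    )
    return conn


def login_concatenated(conn, username, password):
    """Vulnerable: the form field is pasted into the SQL text without any checking."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND pw_hash = '" + hash_password(password) + "'"
    )
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        # The pasted value broke the statement, e.g. a real name with an apostrophe.
        return None
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened: placeholders keep the field values as data, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND pw_hash = ?"
    row = conn.execute(sql, (username, hash_password(password))).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # A quote plus a SQL comment marker in the username field cuts the
    # password check out of the concatenated statement, even though the
    # password itself is hashed before it reaches the query.
    crafted = "alice' --"
    print("concatenated, crafted name, wrong password:",
          login_concatenated(db, crafted, "wrong"))
    print("parameterized, crafted name, wrong password:",
          login_parameterized(db, crafted, "wrong"))
    # A legitimate user whose name contains an apostrophe cannot log in
    # through the concatenated query at all; the parameterized one works.
    print("concatenated, o'brien:", login_concatenated(db, "o'brien", "Tr1cky name"))
    print("parameterized, o'brien:", login_parameterized(db, "o'brien", "Tr1cky name"))
```

When reviewing site code, any query assembled with string concatenation or formatting from request data is the pattern to flag; the fix is the placeholder form, not stripping quote characters from input.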

Websites are fun and easy to create and also very useful. It's worth going the extra mile to get a professional to look at your site. The key to building a good website is to treat it like your home; secure it, clean it and maintain it.

How to prevent falling prey to Phishing, Vishing and Smishing attacks


The term “Phishing” originated in 1996; by 2003 fraudsters had registered thousands of domains that targeted various organizations. Today we see many different kinds of phishing attacks. Phishers are always coming up with new ways to target people and organizations.  Recent “media hyped” events such as swine flu and Michael Jackson’s death have been turned into scams. They grab any opportunity they can get. They are also quick to use new technology, and with smartphones on the rise, it is easier for them to launch more and more Smishing and Vishing attacks. As identity theft on the Internet becomes more sophisticated, it’s important to protect ourselves.

What is Phishing?

Phishing is a fraudulent attempt usually conducted by email to lure people into giving their personal financial information.

What is Vishing?

Vishing is the practice of obtaining personal, financial or other confidential information for the purpose of financial reward, through the telephone. The term “Vishing” is derived from a combination of “voice” and “phishing.”

What is Smishing?

Smishing is another form of criminal activity, which sends out a text message asking people to provide personal, financial and confidential information by asking their victims to call back a number.

Tips on how to protect yourself from a Phish, Vish or Smish:

• Never trust strangers – Do not open emails from people you don’t know.  Know that your bank will never send you an email to update your account information.

• Keep your eyes open – Look closely at the email or text message you receive. What is the actual link of the website? Are there any spelling errors? Banks never send out text messages to their customers asking them to call a number.

• Listen closely - Listen to the phone call; does it sound legitimate?  Do not give out your personal information over the phone. If in doubt contact your financial institution.

• Do I know him or her? – Spear Phishing is another new attempt used by phishers to target corporate employees. With companies creating a presence online using social networking sites, blogs and forums, it is important to note that it makes it easier for phishers to obtain employee information such as name, email address or job title. This makes a phishing email look more legitimate. Ask yourself, do you know this co-worker? Do they email you often? If you are not sure call them and ask them if they sent you the email.

• Protect your computer – Use up to date anti-virus software to protect your computer from malware and never open attachments from an unexpected email.

• Knowledge is power – Stay up to date with the latest news on Identity Theft.

Mad about Malware...


The proliferation of malware sites that use trademarked brand names in their source code is a hot button issue for many of my clients.   A review of their stats makes it easy to see why; a comparison of the aggregate number of malware incidents reported from January to December 2008 versus January to June 2009 shows a mind-boggling 300% increase.

Malware is a term coined from a blend of the words "malicious" and "software", and includes Trojan Horses, viruses, computer worms, spyware and crimeware.   Some possible outcomes of malicious code downloaded on a user's computer are data destruction, PC hijacking, performance limitations, crashes and identity theft.

It is frustrating to see the magnitude of the abuse; large established brand owners, smaller organizations, and Internet users are all victims.    In many cases just visiting a malicious website is enough to get you infected; you don't need to click on any links to download the malware.  The security firm Sophos cautions "With one new infected webpage discovered every 4.5 seconds, there is no longer any such thing as a trusted website." Here at BrandProtect, as infected sites containing our clients' brand terms are identified, we work with domain owners, ISPs and registrars to quash them.  These sites cause havoc in cyberspace, but with exemplary co-operation among industry colleagues they tend to come down quickly - and as each one tumbles I feel I pressed the Staples® Easy Button™.

Inevitably, you will come across a site that downloads malware on your computer.  What should you do?  For expert advice I turned to our BrandProtect IT group who provided valuable information about protecting your system from attacks and mitigating damage.  Adam Crichton, our IT Manager, lists the most critical aspects of malware infection prevention and clean up as follows:

  • Run a current antivirus and anti spyware/malware system. If you need a free one for home use I recommend AVG Free Edition for the antivirus and Spybot Search and Destroy for Malware/Spyware.
  • Keep these up to date. Regularly check that your antivirus and malware/spyware definitions have been updated within the last week.
  • If you can, pay for protection, because it generally works better. I recommend Symantec's Norton Internet Security 2009 but most of them are good. However, you should disable the firewall on this product and enable the basic Windows firewall instead to save yourself some headaches. Most home users are behind routers now and this provides automatic firewall protection anyway.
  • Once infected, run a full scan with both antivirus and anti-spyware / malware. After completing the scan, run it again after a reboot. If you continue to find more malware, you should take your computer to a professional for clean up. This can often be accomplished for $50 or so.
  • Be a good netizen. Don't run a computer you suspect is infected with malware, and don't run without antivirus / antimalware protection. Get it checked by a professional or go through the steps above if you're not sure.
  • Do NOT click links that come up on your computer that say you're infected with malware that are not from your installed antivirus/malware software. This will only further infect your computer.
  • Backup your documents, pictures, movies and music frequently, so if you have a computer destroyed by malware and your computer cannot be recovered, you at least have your critical data available.

Adam Kalbfleisch, our Desk Top Support Manager, provided some additional guidance:

  • Always use a reputable source when downloading software on your computer. Sites like Downloads.com and Majorgeeks.com guarantee their software is clean.
  • Never google for free anti-virus software - this is a red flag to cyber criminals that you don't have anti-virus protection.
  • Always download your music from iTunes.com. People who download from the free software/music/movies sites are open to picking up malware. In the long run it is much cheaper to spend money with legitimate sites than to deal with the fallout caused in picking up a virus (legal issues aside!).

I'd like to suggest you print out this list and keep it by your computer .... for when ......

Phishing stats, User Education, and More! - Notes from APWG CeCOS 3

Among the many opportunities provided to me during my time with BrandProtect, the most exciting for me is most definitely the trips to the semi-annual APWG (Anti-Phishing Working Group) meetings.  These meetings, held in different international locations, are excellent opportunities to learn more about bleeding-edge scams, the scammers that employ them, and the people that track their activities around the globe.  In the past, these meetings have sent me to Pittsburgh, PA, Tokyo, Japan, and Atlanta, GA.

The latest APWG conference was held in beautiful Barcelona, Spain, this past May.  The agenda for the Counter-eCrime Operations Summit included presentations such as National Reports from Italy, Spain, UK, and Malaysia, "The Ins and Outs of Fast Flux Networks", "A Multi-Stakeholder Approach to Battle Cyber Crime", and an entire afternoon devoted to end-user education initiatives (the full agenda can be found here). More information on APWG, including past and future conferences, educational resources, and instructions on how to report phishing to them can be found on the APWG site. 

These conferences are not only an opportunity to catch up on the latest and greatest research in the world of phishing and online fraud, but also let me interact face to face with some of the best and brightest in our industry. Engaging world-renowned researchers in discussions ranging from investigative approaches and recent findings to the latest "footie" results and Canada's addiction to hockey not only helps build up my knowledge and networking base, but solidifies BrandProtect's reputation as a friendly, engaging company that is in it for the greater good, just like everyone else.

If you have any questions regarding the APWG's events or presentations, feel free to drop me a line at dsachs@brandprotect.com.


"The War on Phishing is far from over"


Gartner's recent report entitled "The war on phishing is far from over" provides us with both some insights into what companies require for protection and some interesting facts to consider on trends.  The study was conducted via an online panel with 3,985 online adults with broad representation from across the US. 

Key findings include:
 
-  Gartner advocates a multi-prong security approach, including phishing e-mail blocking, safe browser surfing features, the use of site authentication, the detection of phishing attacks and the takedown of such attacks.  There also is a bit on the need for continued education of customers and employees, like that which can be provided by services such as Phishme
 
-  There was an increase of almost 40% in the number of phishing attacks in the year ending September 2008 vs. the prior year
 
-  The average consumer loss in 2008 was $351, down 60% year over year.  Gartner believes that this is due to more institutions having detection systems in place, forcing more high-volume, low-value attack strategies to be conducted
 
-  Somewhat surprisingly, 4.26% of those targeted in Phishing scams said they lost money to attackers, up from 2.97% in 2005.  Roughly the same amount, 4.33%, admitted to giving away sensitive information.  This speaks to the increased sophistication of social engineering techniques, particularly given the amount of awareness that has been generated in the media in the past few years for this type of fraud and how not to fall prey
 
-  Consumers recovered 56% of their losses, and had the 30% or so who didn't bother to find out if they were covered done so, almost all of these losses would have been borne by the banks, PayPal and other financial services providers
 
-  While not specifically researched in this report, Gartner believes that Phishing related losses to corporate accounts via "SpearPhishing" and "Whaling" were considerable
 
-  Evidence points to attacks moving away from purely being associated with known financial institutions to lotteries, dating sites, fake mortgage and pharmaceutical companies, which will make it harder for consumers to recover their stolen money
 
-  Younger adults were found to be more likely to lose money to scams than older ones
 
-  Roughly 58% of adults were aware of malware and most of these understood the potential severity of the threat, but were more than likely not to know much about the means to protect themselves
 
-  Usage of safe browsing features was limited to 36% of online adult consumers


All to say that fraudsters continue to be creative and persistent, that no one solution is perfect, but that there is evidence that points to the fact that companies that are taking action are being effective in mitigating the impact of such threats.

 
