 |
Phishing: An Interesting Twist On A Common Scam
After Two Security Assessments I Must Be Secure, Right?
---------------------------------------
Imagine you are the CIO of a national financial institution
and you've recently deployed a state of the art online
transaction service for your customers. To make sure your
company's network perimeter is secure, you executed two
external security assessments and penetration tests. When
the final report came in, your company was given a clean
bill of health. At first, you felt relieved, and confident
in your security measures. Shortly thereafter, your relief
turned to concern. "Is it really possible that we are
completely secure?" Given you're skepticism, you decide to
get one more opinion. The day of the penetration test report delivery is now at
hand. Based on the previous assessments, you expect to
receive nothing but positive information...... The Results Were Less Than Pleasing
-----------------------------------
During this penetration test, there were several interesting
findings, but we are going to focus on one that would knock
the wind out of anyone responsible for the security of
online systems. Particularly if you are in the business of
money. Most people are familiar with the term "Phishing".
Dictionary.com defines the word Phishing as "the practice of
luring unsuspecting Internet users to a fake Web site by
using authentic-looking email with the real organization's
logo, in an attempt to steal passwords, financial or
personal information, or introduce a virus attack; the
creation of a Web site replica for fooling unsuspecting
Internet users into submitting personal or financial
information or passwords". Although SPAM / unsolicited
e-mail and direct web server compromise are the most common
methods of Phishing. There are other ways to accomplish this
fraudulent activity. Internet Router Compromise Makes For A Bad Day
----------------------------------------------
In this case, the Internet router was compromised by using a
well-known CISCO vulnerability. Once this was accomplished,
the sky was the limit as far as what could be done to impact
the organization. Even though the company's web server was
secure, and the Firewall that was protecting the web server
was configured adequately, what took place next made these
defense systems irrelevant. Instead of setting up a duplicate login site on an external
system, then sending out SPAM in order to entice a customer
to give up their user ID, password, and account numbers,
another approach, a much more nefarious approach was taken. Phishing For Personal Or Financial Information
----------------------------------------------
You remember that router that was compromised? For proof of
concept purposes, the router configuration was altered to
forward all Internet traffic bound for the legitimate web
server, to another web server where user ID, password, and
account information could be collected. The first time this
information was entered, the customer would receive an
ambiguous error. The second time the page loaded, the fake
web server redirected the customer to the real site. When
the user re-entered the requested information, everything
worked just fine. No one, not the customer, nor the company had any idea that
something nefarious was going on. No bells or whistle went
off, no one questioned the error. Why would they, they could
have put the wrong password in, or it was likely a typical
error on a web page that everyone deals with from time to
time. At this point, you can let your imagination take over. The
attacker may not move forward and use the information
collected right away. It could be days or weeks before it is
used. Any trace of what actually took place to collect the
information would most likely be history. What Do You Really Get Out Of Security Assessments
--------------------------------------------------
I can't tell you how many times I've been presented with
security assessment reports that are pretty much information
output from an off-the-shelf or open source automated
security analyzer. Although an attacker may use the same or
similar tools during an attack, they do not solely rely on
this information to reach their goal. An effective
penetration test or security assessment must be performed by
someone who understands not only "security vulnerabilities"
and how to run off-the-shelf tools. The person executing the
assessment must do so armed with the tools and experience
that meets or exceeds those a potential attacker would have. Conclusion
----------
Whether you are a small, medium, are large company, you must
be very careful about who you decide is most qualified to
perform a review of your company's security defense systems,
or security profile. Just because an organization presents
you with credentials, such as consultants with their
CISSP....., it does not mean these people have any
real-world experience. All the certifications in the world
cannot assure you the results you receive from engaging in a
security assessment are thorough / complete. Getting a
second opinion is appropriate given what may be at stake. If
you were not feeling well, and knew that something was wrong
with you, would you settle for just one Doctor's opinion? Quite frankly, I've never met a hacker (I know I will get
slammed for using this term, I always do), that has a
certification stating that they know what they are doing.
They know what they are doing because they've done it, over
and over again, and have a complete understanding of network
systems and software. On top of that, the one thing they
have that no class or certification can teach you is,
imagination. About The Author
----------------
Darren Miller is an Information Security Consultant with
over sixteen years experience. He has written many
technology & security articles, some of which have been
published in nationally circulated magazines & periodicals.
If you would like to contact Darren you can e-mail him at
Darren.Miller@ParaLogic.Net. If you would like to know
more about computer security please visit us at
http://www.defendingthenet.com.
|
|
|
|
RELATED ARTICLES
Make Money Online - Defend Against The Latest Scam
First, let's do a little recap'. As I stated in the first part of the article, "Make Money Online - The Latest Scam Disclosed", "refund policy scammers" affect the websites that make money online by selling digital products by buying the product and asking for refunds, while keeping the product.
Free Spyware Removal - Its Not As Easy As It Sounds
Nobody wants to pay to remove spyware. At the very least, I don't. The blasted stuff shouldn't be on my computer anyway, so what ever would make me want to shell out cash to get rid of something that I shouldn't have in the first place?
Social Engineering - The Real E-Terrorism?
One evening, during the graveyard shift, an AOL technical support operator took a call from a hacker. During the hour long conversation the hacker mentioned he had a car for sale. The technical support operator expressed an interest so the hacker sent him an e-mail with a photo of the car attached. When the operator opened the attachment it created a back door that opened a connection out of AOL's network, through the firewall, allowing the hacker full access to the entire internal network of AOL with very little effort on the hacker's part.
Spyware Protection Software
Spyware protection software is the easiest way of removing spyware from your computer and keeping it away. It detects and removes all pieces of spyware and adware automatically. Spyware is extremely difficult to remove manually and should only be removed with spyware protection software.
How Did This Happen to Me? Top 10 Ways to Get Spyware or Viruses on Your Computer
If you use the internet, you have probably been infected with a virus, trojan or spyware. According to the SANS Internet Storm Center, the average unprotected PC is infected within 20 minutes of normal internet usage. Many people want to know what they did to get infected. Unfortunately, usually it was just one wrong click.
All About Computer Viruses
Your computer is as slow as molasses. Your mouse freezes every 15 minutes, and that Microsoft Word program just won't seem to open.
Lottery Scam, What It is and how to Avoid It?
Internet scams and frauds are on the rise! The quantity of scam
emails with various fraud schemes any email account receives
today is simply overwhelming! There is this infamous Nigerian
419 scam, which is by far the most widely circulated one. I wrote
about it in one of our ezine articles not long ago. You can read
about it here! And there are many other scams like Lottery, Letter
of Credit, money transfer, black money conversion, real estate,
fraudulent order and the list goes on and on.
Phishing ? Its Signs and Your Options
Phishing is the act of some individual sending an email to a user in an attempt to scam the user to release personal information. Is it easy to determine if it's a scam? Sometimes ? but not always. I hope to give you enough examples and information to help you to safeguard yourself from these unsavory individuals.
Do You Know What your Kids Are Doing Online?
It's a sad statistic, but hundreds of unsuspecting kids are lured away from home every year by strangers they meet in online chat rooms.
Internet/Network Security
Abstract
Homogeneous symmetries and congestion control have garnered limited interest from both cryptographers and computational biologists in the last several years [1]. In fact, few steganographers would disagree with the investigation of spreadsheets. Our focus in this work is not on whether write-back caches and evolutionary programming [13] can cooperate to achieve this intent, but rather on exploring an analysis of Markov models (Eale).
Is Shopping Online For Your Horse Gifts Safe?
Shopping for horse gifts or other gift items on the internet
is quick, convenient and is probably safer than you think.
However, you still need to be aware that it is essential to
vigorously protect your privacy and financial information
when making purchases online.
Blogs as Safe Haven for Cybercriminals?
To blog or not to blog? Well, why not? Lots of people like either to write or to read blogs -- sometimes both. The much-quoted survey by the Pew Internet & American Life Project, says 27 percent read blogs. 38 percent of all Internet users at least know what a blog is. The survey was made in November 2004 and estimated that 32 million Americans to be blog readers by the end of 2004. So now there must be much more blog readers and writers.
SPYWARE - Whos Watching Who?
I am in the midst of Oscar Wilde's The Picture of Dorian Gray. "The basis of optimism is sheer terror." With that attitude, I praise their skills only for the mere sake of not wanting them to defile mine, or my business.
The Risk Of Electronic Fraud & Identity Theft
Electronic Fraud and Identity Theft
-----------------------------------
Human beings are pretty sensible when presented with an
imminent threat or risk. That is, if it's staring us
directly in the face. Many threats and risk are presented in
subtle ways, and it is these subtleties we tend to
overlook.
From Spyware with Love!
It's late. You've been scouring the web for that perfect present for your Aunt Bess in Idaho. You finally find it at presents4aunties.com. The site looks a little rough on the edges, weird colors and such. But they have that gift you know will make Aunt Bess add you to her will. You purchase the gift, log off and head to bed. Tired but happy.
8 Surefire Ways to Spot an E-Mail Identity Theft Scam!
The E-Mail Identity Theft Scam is running Rampant. These E-Mail Scam artists will go to great lengths to Get Your Bank Account information and Steal your Identity. Learn how to Protect To Yourself Now!
Viruses, Trojans, and Spyware - Oh My!
Have you ever had to call Symantec or McAfee to ask them how to remove a virus? Or have you spent hours online trying to figure out how to remove spyware, only to find out that you did something wrong and now your computer won't boot? I know your pain and frustration with just trying to use your computer without worry. As a computer technician at ARCH Computing Services, I know how hard it can be to pay someone to remove viruses and spyware. In fact that's how I started in the computer business. I didn't want to pay someone to fix the problems that I usually caused. A little voice in my head told me "I can build a computer, it doesn't look that hard!"
Be Aware of Phishing Scams!
If you use emails actively in your communication, you must have received various messages claiming to be from Ebay, Paypal and a number of banks. A recent email as if from U.S. Bank Corporation that I received contains the subject "U.S. Bank Fraud Verification Process" and in the body of the mail it says "We recently reviewed your account, and suspect that your U.S. Bank Internet Banking account may have been accessed by an unauthorized third party. Protecting the security of your account and of the U.S. Bank network is our primary concern. Therefore, as a preventative measure, we have temporarily limited access to sensitive account features. To restore your account access, please take the following steps to ensure that your account has not been compromised:". It continues with a link to a webpage, which looks very similar to original web page of the bank.
What is Spyware?
The most frustrating part of having Spyware on your computer is the sheer feeling of helplessness that is invoked. Your computer slows down, it no longer does what you instructed it to, it seems to have a mind of its own. You effectively have lost control of your computer. Spyware (also referred to as Adware or Malware) is software that is installed on your computer without your consent. Spyware software monitors or controls your computer use. It may be used to send you pop-up ads, redirect your computer to websites, monitor your Internet surfing, or record your keystrokes, which, in turn, could lead to identity theft.
How To Prevent Spyware Attacking Your Computer
Spyware is software or hardware installed on a computer
without a user's knowledge. It gathers information and
reports it back to its source. It ties up bandwidth, slows
down CPU speed and generally is a nuisance.
|
