<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>I Am Security &#187; Aladdin</title>
	<atom:link href="http://www.iamit.org/blog/category/aladdin/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.iamit.org/blog</link>
	<description>Security news and research</description>
	<lastBuildDate>Mon, 26 Jul 2010 09:20:36 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=abc</generator>
<cloud domain='www.iamit.org' port='80' path='/blog/?rsscloud=notify' registerProcedure='' protocol='http-post' />
		<item>
		<title>Are you LinkedIn/Facebooked/Twittered/Beboed/Viadeoed/etc?</title>
		<link>http://www.iamit.org/blog/2009/04/are-you-linkedinfacebookedtwitteredbeboedviadeoedetc/</link>
		<comments>http://www.iamit.org/blog/2009/04/are-you-linkedinfacebookedtwitteredbeboedviadeoedetc/#comments</comments>
		<pubDate>Sun, 26 Apr 2009 03:51:48 +0000</pubDate>
		<dc:creator>iamit</dc:creator>
				<category><![CDATA[Aladdin]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[predictions]]></category>
		<category><![CDATA[press]]></category>
		<category><![CDATA[social network]]></category>

		<guid isPermaLink="false">http://www.iamit.org/blog/?p=162</guid>
		<description><![CDATA[I’ve just finished reading a great little note from Brian Krebs on the Washington Post that enabled me to “out” (don’t worry, I won’t) an incident that some of us in the security industry have been following in the last few days. One of “ours” has been hijacked on Twitter, and the impersonator who hijacked [...]


]]></description>
			<content:encoded><![CDATA[<div>
<p>I’ve just finished reading a great little note from Brian Krebs on the Washington Post that enabled me to “out” (don’t worry, I won’t) an incident that some of us in the security industry have been following in the last few days. One of “ours” has been hijacked on Twitter, and the impersonator who hijacked him was twittering some rants and raves that are actually close to this person’s professional life.</p>
<p>This makes you think again of what we have been discussing in the annual threat report on social networking threats getting real. Once again, our recommendation is – get your online identity straightened out. Make sure you are aware of who you are online, own your identity online – even if that means registering on the major social networks just to “plant your flag” as Brian so eloquently put it (as long as you point the flag to the social networking identity you actually use…).</p>
<p>Check out the original article by Brian <a href="http://voices.washingtonpost.com/securityfix/2009/04/planting_your_flag_at_social_n.html" target="_blank">here</a>, and our annual report <a href="http://www.aladdin.com/pdf/airc/AIRC-Annual-Threat-Report2008.pdf" target="_blank">here</a> [PDF].</p></div>


]]></content:encoded>
			<wfw:commentRss>http://www.iamit.org/blog/2009/04/are-you-linkedinfacebookedtwitteredbeboedviadeoedetc/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Credit cards on a clearance sale and your internet security</title>
		<link>http://www.iamit.org/blog/2009/04/credit-cards-on-a-clearance-sale-and-your-internet-security/</link>
		<comments>http://www.iamit.org/blog/2009/04/credit-cards-on-a-clearance-sale-and-your-internet-security/#comments</comments>
		<pubDate>Wed, 22 Apr 2009 03:50:52 +0000</pubDate>
		<dc:creator>iamit</dc:creator>
				<category><![CDATA[Aladdin]]></category>
		<category><![CDATA[Security Research]]></category>
		<category><![CDATA[eCrime]]></category>
		<category><![CDATA[research]]></category>

		<guid isPermaLink="false">http://www.iamit.org/blog/?p=160</guid>
		<description><![CDATA[You may have already gotten yourself familiar with how eCrime works from our past research and field presence, but here is one more great example of this fascinating business: This article at the Washington Post covers the drop in prices of stolen credit cards. It talks about how a surge of “fresh merchandise” has hit [...]


]]></description>
			<content:encoded><![CDATA[<div>
<p>You may have already gotten yourself familiar with how eCrime works from our past research and field presence, but here is one more great example of this fascinating business: <a href="http://voices.washingtonpost.com/securityfix/2009/04/glut_of_stolen_banking_data_tr.html" target="_blank">This article</a> at the Washington Post covers the drop in prices of stolen credit cards. It talks about how a surge of “fresh merchandise” has hit the market and commoditized these credit cards to a level where you’d get change from a single dollar… It’s a great example of how eCrime works just like any other business in an economic ecosystem, and adapts to supply and demand.</p>
<p>Just to complement the article, another factor contributing to the surge in availability is a surge in the availability of FTP credentials leading to legitimate sites. How do these two connect? Simple: FTP sites storing web content get accessed by eCriminals (through an automated process of course), and the content associated with the website is modified to deliver a MalWeb attack that yields additional Trojan/Botnet infections. This leads to more credentials (both for FTP, as well as for financial services), which get to the market, get sold, and so on… This vicious cycle is feeding itself with more credentials, more access to financial resources, and more infected systems in order to enhance the revenues from the eCrime business.</p>
<p>Simply put, the whole picture is what counts, rather than specific incidents. Protection, on the other hand, is regarded as “I have an AV”… leaving virtually millions of systems in the hands of MalWeb and other web threats that have proven to be more effective than thou.</p>
<p>Case in point – get better protection. For the sake of all of us… make sure that you can get protection from as far as your ISP, to as close as your home router, and of course PC. For enterprises it’s been easy with SWG (Secure Web Gateway) products providing that much needed layered protection, but for consumers we have usually smirked and had to dodge the questions of “so what do I do”. Start looking for ISPs that can provide that protection – beyond the “I’ll throw in an AntiVirus and an inkjet printer if you sign a 2 year contract”.</p></div>


]]></content:encoded>
			<wfw:commentRss>http://www.iamit.org/blog/2009/04/credit-cards-on-a-clearance-sale-and-your-internet-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Fighting eCrime? We are not there yet!</title>
		<link>http://www.iamit.org/blog/2009/04/fighting-ecrime-we-are-not-there-yet/</link>
		<comments>http://www.iamit.org/blog/2009/04/fighting-ecrime-we-are-not-there-yet/#comments</comments>
		<pubDate>Sun, 05 Apr 2009 03:46:17 +0000</pubDate>
		<dc:creator>iamit</dc:creator>
				<category><![CDATA[Aladdin]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[eCrime]]></category>
		<category><![CDATA[research]]></category>

		<guid isPermaLink="false">http://www.iamit.org/blog/?p=157</guid>
		<description><![CDATA[I was just reviewing the latest FBI report from the Internet Crime Complaint Center (IC3) here (PDF), and although I’m sure that a lot of security vendors out there are going to jump on the “33% increase in internet fraud last year” statements, looking into the actual numbers, it’s important to realize how “off” they [...]


]]></description>
			<content:encoded><![CDATA[<div>
<p>I was just reviewing the latest <a href="http://www.ic3.gov/media/2009/090331.aspx" target="_blank">FBI report</a> from the Internet Crime Complaint Center (IC3) <a href="http://www.ic3.gov/media/annualreport/2008_IC3Report.pdf" target="_blank">here (PDF)</a>, and although I’m sure that a lot of security vendors out there are going to jump on the “33% increase in internet fraud last year” statements, looking into the actual numbers, it’s important to realize how “off” they are. As “Non-delivery” and “Auction fraud” top the charts (with 32.9% and 25.5% respectively), this means that the report only sees the tip of the iceberg. These are just the money mule schemes that are intended for laundering all of the profits actually made by eCrime. And it makes sense – most of the focus for law enforcement is on the lowest hanging fruit, and in the eCrime business model this means money laundering.</p>
<p><img class="alignnone size-full wp-image-276" title="fbi1" src="http://www.iamit.org/blog/wp-content/uploads/2009/04/fbi1.jpg" alt="fbi1" width="517" height="299" /></p>
<p>Another insight on how eCrime actually works can be learned from the amounts reported (average) per complaint type – the “non-delivery” types (of merchandise or money) range around $800 per complaint, while check and confidence fraud are at the $2000-$3000 loss per complaint. This makes sense as when an eCrime “transaction” starts, it is usually based directly on a banking/financial institution account, harvesting large sums of money that are later split into smaller amounts (to lower visibility) and laundered through the “field operatives” (i.e. money mules). Bottom line – we still don’t have the full picture and (unfortunately) still cannot amass the true impact of eCrime in economic terms.</p>
<p><img class="alignnone size-full wp-image-277" title="fbi2" src="http://www.iamit.org/blog/wp-content/uploads/2009/04/fbi2.jpg" alt="fbi2" width="429" height="226" /></p>
<p>The bright side is that there is more awareness in the public (hence the rising numbers – remember that these are based on REPORTED cases…). Although the main focus as I mentioned is still on the perimeter of the business model, hopefully the continued cooperation between law enforcement and the industry (kudos again to the e-Crime congress which I had the pleasure to be part of last month) will get us all to the phase of handling the actual core of the business model and deal with it properly. We’ll keep doing our job in investigating both the technical aspects of the attacks associated with eCrime, as well as the back-office operations, and hope to get everyone lined up to deal with this growing threat.</p></div>


]]></content:encoded>
			<wfw:commentRss>http://www.iamit.org/blog/2009/04/fighting-ecrime-we-are-not-there-yet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Are you Conficker-proof? Do you really need to be?</title>
		<link>http://www.iamit.org/blog/2009/04/are-you-conficker-proof-do-you-really-need-to-be/</link>
		<comments>http://www.iamit.org/blog/2009/04/are-you-conficker-proof-do-you-really-need-to-be/#comments</comments>
		<pubDate>Wed, 01 Apr 2009 03:44:50 +0000</pubDate>
		<dc:creator>iamit</dc:creator>
				<category><![CDATA[Aladdin]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Attack Vector]]></category>
		<category><![CDATA[eCrime]]></category>
		<category><![CDATA[research]]></category>

		<guid isPermaLink="false">http://www.iamit.org/blog/?p=155</guid>
		<description><![CDATA[What a great way to sum up my last couple of posts – the Conficker media frenzy, and social aspects of web attacks. You can’t come up with these things anymore… Seems (for now) that the only real thing that came out of the Conficker issue is the fact that INFECTED machines started to look [...]


]]></description>
			<content:encoded><![CDATA[<div>
<p>What a great way to sum up my last couple of posts – the <a href="http://www.iamit.org/blog/2009/03/conficker-madness-good-or-bad/" target="_blank">Conficker media frenzy</a>, and <a href="http://www.iamit.org/blog/2009/03/social-aspects-of-web-security-the-march-edition/" target="_blank">social aspects of web attacks</a>. You can’t come up with these things anymore… Seems (for now) that the only real thing that came out of the Conficker issue is the fact that INFECTED machines started to look for info on a bunch of additional domains.</p>
<p>Side effect #1 of the media frenzy is the probable increase in the number of people buying security (AV) software (remember who was pitching the scare the hardest… see the ad just before the 60 minute spot on the previous post, and check out the scrutiny which McAfee was under at <a href="http://blogs.zdnet.com/Bott/?p=778" target="_blank">ZDNet</a>).</p>
<p>Side effect #2 leads us to my previous-previous post and – you guessed it right – rogue AVs are taking advantage of the fact that people are searching for security solutions to protect themselves from Conficker, and are manipulating users into installing the rogue software… Classic social engineering meets security scare.</p>
<p>Bottom line (which should have been on every Conficker related story waaay before any advice on AV software): PATCH. Conficker can’t touch you if your Windows is up-to-date. Patched? Good, now go get an AV!</p></div>


]]></content:encoded>
			<wfw:commentRss>http://www.iamit.org/blog/2009/04/are-you-conficker-proof-do-you-really-need-to-be/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Conficker madness &#8211; good or bad?</title>
		<link>http://www.iamit.org/blog/2009/03/conficker-madness-good-or-bad/</link>
		<comments>http://www.iamit.org/blog/2009/03/conficker-madness-good-or-bad/#comments</comments>
		<pubDate>Mon, 30 Mar 2009 03:43:53 +0000</pubDate>
		<dc:creator>iamit</dc:creator>
				<category><![CDATA[Aladdin]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[predictions]]></category>
		<category><![CDATA[press]]></category>
		<category><![CDATA[research]]></category>

		<guid isPermaLink="false">http://www.iamit.org/blog/?p=153</guid>
		<description><![CDATA[Just like BBC’s botnet debacle which fueled a vivid discussion amongst security circles, debating if the exposure is good (i.e., raising awareness of the threat) or bad (i.e., not really ethical, everyone knew about the ability to rent a botnet), CBS’s 60 Minutes had a 15 minute spot focusing on Conficker. Check it out here: [...]


]]></description>
			<content:encoded><![CDATA[<div>
<p>Just like BBC’s botnet debacle which fueled a vivid discussion amongst security circles, debating if the exposure is good (i.e., raising awareness of the threat) or bad (i.e., not really ethical, everyone knew about the ability to rent a botnet), CBS’s 60 Minutes had a 15 minute spot focusing on Conficker. Check it out here:</p>
<div><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="425" height="324" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="width" value="425" /><param name="height" value="324" /><param name="pluginspage" value="http://www.macromedia.com/go/getflashplayer" /><param name="allowfullscreen" value="true" /><param name="flashvars" value="link=http%3A%2F%2Fwww%2Ecbsnews%2Ecom%2Fvideo%2Fwatch%2F%3Fid%3D4901282n&amp;partner=news&amp;vert=News&amp;autoPlayVid=false&amp;releaseURL=http://release.theplatform.com/content.select?pid=s6zQn6Q1bsoQGPxamor6flIhLn1jxsVJ&amp;name=cbsPlayer&amp;allowScriptAccess=always&amp;wmode=transparent&amp;embedded=y&amp;scale=noscale&amp;rv=n&amp;salign=tl" /><param name="src" value="http://www.cbs.com/thunder/swf30can10cbsnews/rcpHolderCbs-3-4x3.swf" /><embed type="application/x-shockwave-flash" width="425" height="324" src="http://www.cbs.com/thunder/swf30can10cbsnews/rcpHolderCbs-3-4x3.swf" pluginspage="http://www.macromedia.com/go/getflashplayer" allowfullscreen="true" flashvars="link=http%3A%2F%2Fwww%2Ecbsnews%2Ecom%2Fvideo%2Fwatch%2F%3Fid%3D4901282n&amp;partner=news&amp;vert=News&amp;autoPlayVid=false&amp;releaseURL=http://release.theplatform.com/content.select?pid=s6zQn6Q1bsoQGPxamor6flIhLn1jxsVJ&amp;name=cbsPlayer&amp;allowScriptAccess=always&amp;wmode=transparent&amp;embedded=y&amp;scale=noscale&amp;rv=n&amp;salign=tl"></embed></object></div>
<p>On one hand, getting more awareness out there is great – not a lot of people realize how real the threat is, and how organized the business of managing that threat is (favorite quotes – it’s like a business, and uses advertising to promote itself). On the other hand, getting all rattled up towards April 1st might not be effective and may cause an uncalled-for panic (and yes, a rush to buy or upgrade security software, which is probably why a certain vendor is highlighted on the CBS piece…).</p>
<p>Bottom line – keep cool, make sure you surf securely, and don&#8217;t click on every possible link you are presented with (think first, count to ten, and then click).</p></div>


]]></content:encoded>
			<wfw:commentRss>http://www.iamit.org/blog/2009/03/conficker-madness-good-or-bad/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Social aspects of web security &#8211; the March edition</title>
		<link>http://www.iamit.org/blog/2009/03/social-aspects-of-web-security-the-march-edition/</link>
		<comments>http://www.iamit.org/blog/2009/03/social-aspects-of-web-security-the-march-edition/#comments</comments>
		<pubDate>Tue, 17 Mar 2009 03:43:04 +0000</pubDate>
		<dc:creator>iamit</dc:creator>
				<category><![CDATA[Aladdin]]></category>
		<category><![CDATA[Security Research]]></category>
		<category><![CDATA[predictions]]></category>
		<category><![CDATA[social network]]></category>

		<guid isPermaLink="false">http://www.iamit.org/blog/?p=151</guid>
		<description><![CDATA[It’s that time of the year again… March madness is engulfing us with news and pre-season activities, and everyone is out and about to see what we would be seeing in the coming months. Just as we have portrayed before, eCrime is a social animal just as well, and is not going to let the [...]


]]></description>
			<content:encoded><![CDATA[<div>
<p>It’s that time of the year again… March madness is engulfing us with news and pre-season activities, and everyone is out and about to see what we would be seeing in the coming months. Just as we have <a href="http://kn.theiet.org/magazine/issues/0901/attack-almanac-0901.cfm" target="_blank">portrayed before</a>, eCrime is a social animal just as well, and is not going to let the action go by without having a chance to have a go at the crowd.</p>
<p>As usual – it’s the same technique all over again – using SEO (Search Engine Optimization) to grab high ranking in search results and leading users who click on the related links to a variety of malicious content. We have seen similar techniques used during the <a href="http://www.iamit.org/blog/?p=111" target="_blank">US presidential election</a> season covered quite elaborately in the past, and don’t be surprised to see more of the same hitting the next seasonal event as long as it can attract enough “eyeballs” on search engines.</p></div>


]]></content:encoded>
			<wfw:commentRss>http://www.iamit.org/blog/2009/03/social-aspects-of-web-security-the-march-edition/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The great AV vs. AV debacle starts again?</title>
		<link>http://www.iamit.org/blog/2009/03/the-great-av-vs-av-debacle-starts-again/</link>
		<comments>http://www.iamit.org/blog/2009/03/the-great-av-vs-av-debacle-starts-again/#comments</comments>
		<pubDate>Tue, 03 Mar 2009 03:42:09 +0000</pubDate>
		<dc:creator>iamit</dc:creator>
				<category><![CDATA[Aladdin]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[predictions]]></category>
		<category><![CDATA[research]]></category>

		<guid isPermaLink="false">http://www.iamit.org/blog/?p=149</guid>
		<description><![CDATA[It’s been a while since security vendors clashed on technology and made “bold” statements referring to the competition. Maybe it’s the recession, and in an attempt to grab some attention (and bolster sales), come statements such as “Heuristics are dead” (with a response from Sunbelt), and a direct jab at a competitor from Damballa. My [...]


]]></description>
			<content:encoded><![CDATA[<div>
<p>It’s been a while since security vendors clashed on technology and made “bold” statements referring to the competition. Maybe it’s the recession, and in an attempt to grab some attention (and bolster sales), come statements such as “<a href="http://www.demosondemand.com/dod_security/events/topics/av.asp" target="_blank">Heuristics are dead</a>” (with a <a href="http://sunbeltblog.blogspot.com/2009/03/heuristics-are-dead.html" target="_blank">response from Sunbelt</a>), and a direct <a href="http://www.networkworld.com/news/2009/030209-damballa-anti-botnet.html" target="_blank">jab at a competitor from Damballa</a>.</p>
<p>My positions on these are clear – signatures are pretty much the past, but still have their place as a “last mile” solution that can speed up scanning for known threats. Heuristics are the natural evolution of signatures in the binary world, and the main focus should be on dynamic real-time scanning of web content which is the actual attack vector that eventually (when and if successful) brings in the binaries that the signatures/heuristics need to scan.</p>
<p>Not to side with anyone in particular on this matter, this kind of communication is usually not that helpful for people looking to get a security solution. I would opt for the more educational “this is what the threat looks like, this is what you would usually get from other vendors, and this is our edge which makes us better”. This approach may open another Pandora’s box – the “independent” testing labs, but that’s another issue to be dealt with (how independent is the test, what is the test focused on, test material and samples, configuration, <a href="http://www.amtso.org/" target="_blank">who sets the guidelines</a>, etc…).</p>
<p>Nevertheless, I hope that we’ll see some more informative and research-oriented (or at least research-based) statements that we could all benefit from the next time someone rolls out a new technology.</p></div>


]]></content:encoded>
			<wfw:commentRss>http://www.iamit.org/blog/2009/03/the-great-av-vs-av-debacle-starts-again/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>It&#8217;s a browser! It&#8217;s an Operating System! It&#8217;s&#8230; brOSer?!</title>
		<link>http://www.iamit.org/blog/2009/03/its-a-browser-its-an-operating-system-its-broser/</link>
		<comments>http://www.iamit.org/blog/2009/03/its-a-browser-its-an-operating-system-its-broser/#comments</comments>
		<pubDate>Sun, 01 Mar 2009 03:41:28 +0000</pubDate>
		<dc:creator>iamit</dc:creator>
				<category><![CDATA[Aladdin]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[predictions]]></category>
		<category><![CDATA[research]]></category>

		<guid isPermaLink="false">http://www.iamit.org/blog/?p=147</guid>
		<description><![CDATA[After looking into the security issues and requirements that Microsoft has been working on in terms of the future browser, and based on our earlier predictions on the matter, comes an interesting interview with Google’s Chrome JavaScript head Lars Bak. Specifically check out the 3rd page of the article which discusses the ever-increasing ambiguity [...]


]]></description>
			<content:encoded><![CDATA[<div>
<p>After looking into the <a href="http://www.iamit.org/blog/?p=145" target="_blank">security issues and requirements</a> that Microsoft has been working on in terms of the future browser, and based on <a href="http://www.aladdin.com/pdf/airc/AIRC-Annual-Threat-Report2008.pdf" target="_blank">our earlier predictions</a> on the matter, comes an interesting <a href="http://www.techradar.com/news/software/applications/interview-google-chrome-s-lars-bak-548115?artc_pg=3" target="_blank">interview</a> with Google’s Chrome JavaScript head Lars Bak. Specifically, check out the <a href="http://www.techradar.com/news/software/applications/interview-google-chrome-s-lars-bak-548115?artc_pg=3" target="_blank">3rd page</a> of the article, which discusses the ever-increasing ambiguity between the browser and the OS.</p>
<blockquote><p><em>“The web is becoming an integral part of the computer and the basic distinction between the OS and the browser doesn&#8217;t matter very much any more.”</em></p></blockquote>
<p>Great stuff, and definitely something to watch for from Google as well (competition is wonderful, isn’t it?).</p></div>


]]></content:encoded>
			<wfw:commentRss>http://www.iamit.org/blog/2009/03/its-a-browser-its-an-operating-system-its-broser/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>More on the browser OS &#8211; from Microsoft Research</title>
		<link>http://www.iamit.org/blog/2009/02/more-on-the-browser-os-from-microsoft-research/</link>
		<comments>http://www.iamit.org/blog/2009/02/more-on-the-browser-os-from-microsoft-research/#comments</comments>
		<pubDate>Mon, 23 Feb 2009 03:40:47 +0000</pubDate>
		<dc:creator>iamit</dc:creator>
				<category><![CDATA[Aladdin]]></category>
		<category><![CDATA[Security Research]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[predictions]]></category>
		<category><![CDATA[research]]></category>

		<guid isPermaLink="false">http://www.iamit.org/blog/?p=145</guid>
		<description><![CDATA[After talking about how your next operating system is not going to be related to Windows or Mac or Linux (hint – you are reading this post using it… more details in our Annual report and predictions paper), I came across this research from Microsoft (direct to the PDF here) that talks about how to [...]


]]></description>
			<content:encoded><![CDATA[<div>
<p>After talking about how your next operating system is not going to be related to Windows or Mac or Linux (hint – you are reading this post using it… more details in our <a href="http://www.aladdin.com/pdf/airc/AIRC-Annual-Threat-Report2008.pdf" target="_blank">Annual report and predictions paper</a>), I came across <a href="http://research.microsoft.com/apps/pubs/default.aspx?id=79655" target="_blank">this research</a> from Microsoft (direct to <a href="http://research.microsoft.com/pubs/79655/gazelle.pdf" target="_blank">the PDF here</a>) that talks about how to construct a secure browser OS given the fact that web browsing has moved quite substantially from viewing static web pages to almost running an OS on the browser.</p>
<p>The MS guys portray a secure browser constructed as a multi-principal operating system, while covering a lot of security fundamentals that are missing or lacking a proper implementation in modern browsers. Highly recommended reading, and definitely worth following up on.</p></div>


]]></content:encoded>
			<wfw:commentRss>http://www.iamit.org/blog/2009/02/more-on-the-browser-os-from-microsoft-research/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>If Gears was a problem then how about running Gmail offline on Air?</title>
		<link>http://www.iamit.org/blog/2009/02/if-gears-was-a-problem-then-how-about-running-gmail-offline-on-air/</link>
		<comments>http://www.iamit.org/blog/2009/02/if-gears-was-a-problem-then-how-about-running-gmail-offline-on-air/#comments</comments>
		<pubDate>Thu, 19 Feb 2009 03:39:49 +0000</pubDate>
		<dc:creator>iamit</dc:creator>
				<category><![CDATA[Aladdin]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[predictions]]></category>
		<category><![CDATA[research]]></category>

		<guid isPermaLink="false">http://www.iamit.org/blog/?p=143</guid>
		<description><![CDATA[So, yesterday I wrote about the new (and much expected) vulnerabilities in Google’s Gears technology. The issue is clear – Gears is picking up speed and traction as Google’s applications start to use it (i.e. Gmail, Docs, etc…) and its security model is being scrutinized. And then I stumbled across GeeMail. It’s basically offline Gmail [...]


]]></description>
			<content:encoded><![CDATA[<div>
<p>So, yesterday I <a href="http://www.iamit.org/blog/?p=141" target="_blank">wrote about</a> the new (and much expected) vulnerabilities in Google’s Gears technology. The issue is clear – Gears is picking up speed and traction as Google’s applications start to use it (i.e. Gmail, Docs, etc…) and its security model is being scrutinized. And then I stumbled across <a href="http://www.sourcebits.com/geemail/" target="_blank">GeeMail</a>. It’s basically offline Gmail without using Google’s technology. How do you do that? Simple – use Adobe’s Air™. As if one technology was not enough to deal with, try mixing and matching two for some added confusion and security standard overlap.</p>
<p>Just like Gears, Air has its benefits (admittedly, I&#8217;m using them both), but seriously, this is just too much! So what’s the next step? Gmail offline using Adobe Air with Silverlight UI running through Yahoo! Pipes backend? Back in the day we used to follow a simple methodology – keep it simple (I’m omitting the latter part). Doing things just for the sake of using a specific technology is so 90’s “war of the programming languages”… everyone moved on to the simple model of using the right tool for the right job. In our case, even the <a href="http://news.cnet.com/8301-17939_109-10167183-2.html" target="_blank">review</a> shows that the technology mix-up didn’t really cut it.</p></div>


]]></content:encoded>
			<wfw:commentRss>http://www.iamit.org/blog/2009/02/if-gears-was-a-problem-then-how-about-running-gmail-offline-on-air/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
