Category Archives: Aladdin

Are you LinkedIn/Facebooked/Twittered/Beboed/Viadeoed/etc?

I’ve just finished reading a great little note from Brian Krebs on the Washington Post that enabled me to “out” (don’t worry, I won’t) an incident that some of us in the security industry have been following in the last few days. One of “ours” has been hijacked on Tweeter, and the impersonator who hijacked him was twittering some rants and raves that actually close to this person’s professional life.

This makes you think again of what we have been discussing in the annual threat report on social networking threats getting real. Once again, our recommendation is – get your online identity straightened out. Make sure you are aware of who you are online, own your identity online – even if that means registering to the major social networks just to “plant your flag” as Brian so eloquently put it (as long as you point the flag to the social networking identity you actually use…).

Check out the original article by Brian here, and our annual report here [PDF].

Credit cards on a clearance sale and your internet security

You may have already gotten yourself familiar with how eCrime works from our past research and field presence, but here is one more great example of this fascinating business: This article at the Washington Post covers the drop in prices of stolen credit cards. It talks about how a surge of “fresh merchandise” has hit the market and commoditized these credit cards to a level where you’d get change from a single dollar… It’s a great example of how eCrime works just like any other business in an economical ecosystem, and adapts to the supply and demand.

Just to complement the article, another contributing factor to the surge in availability is also attributed to the fact that there has been a surge in the availability of FTP credentials leading to legitimate sites. How does these two connect? Simple: FTP sites storing web content, get accessed by eCriminals (through an automated process of course), and the content associated with the website is modified to deliver a MalWeb attack that yields additional Trojan/Botnet infections. This leads to more credentials (both for FTP, as well as for financial services), which get to the market, get sold, and so on… This vicious cycle is feeding itself with more credentials, more access to financial resources, more infected systems in order to enhance the revenues from the eCrime business.

Simply put, the whole picture is what counts, rather than specific incidents. Protection on the other hand, is regarded to as “I have an AV”… leaving virtually millions of systems in the hands of MalWeb and other web threats that have proven to be more effective than thou.

Point in case – get better protection. For the sake of all of us… make sure that you can get protection from as far as your ISP, to as close as your home router, and of course PC. For enterprises it’s been easy with SWG (Secure Web Gateway) products providing that much needed layered protection, but for consumers we have usually smirked and had to dodge the questions of “so what do I do”. Start looking for ISPs that can provide that protection – beyond the “I’ll throw in an AntiVirus and an inkjet printer if you sign a 2 year contract”.

Fighting eCrime? We are not there yet!

I was just reviewing the latest FBI report from the Internet Crime Complaint Center (IC3) here (PDF), and although I’m sure that a lot of security vendors out there are going to jump on the “33% increase in internet fraud last year” statements, looking into the actual numbers, it’s important to realize how “off” they are. As “Non-delivery” and “Auction fraud” top the charts (with 32.9% and 25.5% respectively), this means that the report only sees the tip of the iceberg. These are just the money mule schemes that are intended for laundering all of the profits actually made by eCrime. And it makes sense – most of the focus for law enforcement is on the lowest hanging fruit, and in the eCrime business model this means money laundering.

fbi1

Another insight on how eCrime actually works can be learned from the amounts reported (average) per complaint type – the “non-delivery” types (of merchandise or money) ranges around $800 per complaint, while check and confidence fraud are at the $2000-$3000 loss per complaint. This makes sense as when an eCrime “transaction” starts, it is usually based on banking/financial institution account directly, harvesting large sums of money that are later split to smaller amounts (to lower visibility) and laundered through the “field operatives” (i.e. money mules). Bottom line – we still don’t have the full picture and (unfortunately) still cannot amass the true impact of eCrime in economic terms.

fbi2

The bright side is that there is more awareness in the public (hence the rising numbers – remember that these are based on REPORTED cases…). Although the main focus as I mentioned is still on the perimeter of the business model, hopefully the continued cooperation between law enforcement and the industry (kudos again to the e-Crime congress which I had the pleasure to be part of last month) will get us all to the phase of handling the actual core of the business model and deal with it properly. We’ll keep doing our job in investigating both the technical aspects of the attacks associated with eCrime, as well as the back-office operations, and hope to get everyone lined up to deal with this growing threat.

Are you Conficker-proof? Do you really need to be?

What a great way to sum up my last couple of posts – the Conficker media frenzy, and social aspects of web attacks. You can’t come up with these things anymore… Seems (for now) that the only real thing that came out of the Conficker issue is the fact that INFECTED machines started to look for info on a bunch of additional domains.

Side effect #1 of the media frenzy is the probable increase in the number of people buying security (AV) software (remember who was pitching the scare the hardest… see the ad just before the 60 minute spot on the previous post, and check out the scrutiny which McAfee was under at ZDNet).

Side effect #2 leads us to my previous-previous post and – you guessed it right, Rogue AV are taking advantage of the fact that people are searching for security solutions to protect themselves from Conficker, and manipulate users to install the rogue software… Classic social engineering meets security scare.

Bottom line (which should have been on every Conficker related story waaay before any advice on AV software): PATCH. Conficker can’t touch you if your Windows is up-to-date. Patched? Good, now go get an AV!

Conficker madness – good or bad?

Just like BBC’s botnet debacle which fueled a vivid discussion amongst security circles, debating if the exposure is good (i.e., raising awareness to the threat) or bad (i.e., not really ethical, everyone knew about the ability to rent a botnet), CBS’s 60 minutes had a 15 minute spot focusing on Conficker. Check it out here:

On one hand, getting more awareness out there is great – not a lot of people realize how real the threat is, and how organized is the business of managing that threat (favorite quotes – it’s like a business, and uses advertising to promote itself). On the other hand, getting all rattled up towards April 1st might not be effective and may cause an uncalled for panic (and yes, a rush to buy or upgrade security software, which is probably why a certain vendor is highlighted on the CBS piece…).

Bottom line – keep cool, make sure you surf securely, and don’t click on every possible link you are presented with (think first, count to ten, and then click).