IBM Reports On Spear Phishers

FrenchyinOntario writes "IBM reports that while "regular" phishing is declining the black hats are now engaging in targeted spear phishing to glean as much information about a specific identity as they can for all the usual cybercrime reasons. It concerns authorities because the usual suspects - criminal and terrorist organizations - will want to take advantage of this, but the chilling part is how your identity will now be dependent on multiple institutions protecting your personal information, as opposed to eBay, PayPal, your bank, etc."

what do they mean

[eobanb]

...by 'multiple institutions...as opposed to ebay, bank, etc.' Isn't that multiple institutions? I think what the summary is really trying to say is, to the phishers' advantage, a chain is only as strong as its weakest link.

aw, crud..

[werelord]

And this is probably the easiest fishing they'll be able to do.. Until companies are made liable for any damages that occurr when they "lose" their information, this will probably be an extremely easy method of fishing..

Social Engineering, anyone??

Protecting personal information is something new?

[GFunk83]

"...the chilling part is how your identity will now be dependent on multiple institutions protecting your personal information, as opposed to eBay, PayPal, your bank, etc."

Wasn't it a company's responsibility to protect your personal information already? I don't understand how this new method of phishing changes that (not including the technical aspects of said protection).

Re:Slashdotted, mirror here

[ergo98]

The primary link is down, and people have to resort to mirrors. If Slashdot karma is all it takes to get people to help the system, then it seems pretty cheap.

Re:A way around this...

[TripMaster Monkey]

Yes, of course, because the National ID card is the magic wand of the identification world, isn't it? There's no way any one could possibly forge one of those...

Re:A way around this...

[pete6677]

On the contrary, it is the use of a national ID number (social security number) that makes identity theft so easy and common. If more than one number were required to prove identity, thieves would have to work a lot harder to pull it off and would be more likely to trip up and get caught. With so many banks and stores ready to hand out instant credit to anyone who comes along with an SSN and some minimal form of ID, it's no wonder that criminals are taking advantage of the system.

Re:it's bad on IRC

[Steinfiend]

What are the IRC Ops supposed to do in a case like this? I'm not trying to be a troll, I'm seriously asking. They can ban the users, they can close the room, and they can send the logs to whatever law enforcement agencies are responsible for their area. However, how much will that achieve?

A Romanian scammer, on a Brazilian server (just a random pick, not trying to suggest anything negative about Brazil), scamming an American user. The legal hoops are mind-boggling. That's if the IRC Ops can even get any useful information from their logs, which isn't 100% sure.

You're right!

[Karma_fucker_sucker]

And...we should have people's religious preference and background on this ID. Then....if they're, let's say, Muslim or a convicted cracker, we'll have them wear a yellow star on their shirts. That way the children will be safe!

By the way, have you thought of being a psychic? You predicted the flaming. ;-)

I agree. Look at stem cells and the Reagans

[Anonymous Coward]

It's still a hot debate, but some Republicans definitely perked their ears up when Ron Reagan's family started getting involved with stem cell lobbying.

All it takes is one high-profile, CNN-covered major story to get our government's attention and get some changes done.

Re:An Open Information Society

[Taevin]

Interesting essay but the guys sounds like a bit of an asshole apologist for 'Big Brother'.

For in fact, it is already far too late to prevent the invasion of cameras and databases. The djinn cannot be crammed back into its bottle. No matter how many laws are passed, it will prove quite impossible to legislate away the new surveillance tools and databases. They are here to stay. Light is going to shine into nearly every corner of our lives.

Why? No one is going to 'legislate away' the development of new surveillance technology but what the hell does that have to do with using it to monitor everyone's activities? Assuming the people can actually rein in the government, laws preventing the use of such technology in any public place by any one for any reason would be easy to pass.

Again he just sounds like an asshole: "Our will is absolute and we will do as we please with your life and no, citizen, you cannot do anything about it because you are just a sheep to be lead by your superiors." Fuck that.

Probably been going on for a long time

[Animats]

The "computer security" industry has turned into a volume business aimed at annoyance attacks. The very profitable "wait for high-volume exploit and patch" mindset into which the industry has settled is useless against serious attackers.

A serious attack has a specific target and attacks it quietly. Serious attackers aren't going to show up in the "top 10 virus" lists. They're probably not going to use an attack that appears in some known signature list. They may have the ability to craft their own attacks, or at least modify known ones beyond recognition. The volume-oriented defense techniques won't work.

Military security people are very aware of this issue. You don't want to tie up all your resources chasing kids who are throwing rocks at the airfield fence. The real threat is probably being quietly mounted elsewhere.

British banks are clueless dweebs....

[vidarh]

This hit home, as just today I got an e-mail from one of my credit card companies... I regularly (as in several times daily) get phishing attempts to that e-mail accounts pretending to be from all kinds of banks I've never used, so I assumed it was yet another one from the start. But I got curious anyway. After lots of checking it turned out to be genuine.

The scary part, however, was that it greated me with my first name, suggested I log on to their site, then ended with a paragraph going roughly like this:

"To make sure you c"n recognise genuine e-mails from us, we will always include the post code of your registered account with us"

Now, it does stop a phisher from firing off a million random e-mails. What it doesn't do is prevent someone from following your local mail man a couple of days and writing down who gets a statement from said bank (which is one of the worlds largest credit institutions) and firing off messages. That is worse than a random phisher as the bank itself is teaching it's clients to trust messages that include their postcode, even though their postcode is an easily available piece of information, so people are more likely to take the e-mail at face value and not scrutinise it as well as they should. What's worse is that the e-mail included links instead of asking people to go to the site listed on their statements, or similar, teaching people that hey, it's ok to click on links in mails that claims to be from their bank...

The worst thing is that this kind of behaviour is the norm for British banks. The fuckwits deserve everything they get from these phishers. What sucks is that their customers will get screwed over in the process.

I've twice been called up by one of my other banks fraud department because they wanted to verify transactions. In both cases they wanted me to provide the security information for my account over the phone when they had called me and I had no way of verifying that they were who they said they were (caller id is trivial to fake, and you wouldn't even need that if the number is unknown but looks plausible to the person taking the call). So again, the fraud department of my bank is teaching its customers that it's ok to give out the very same security details that are sufficient to a) do transfers, b) get passwords for online banking reissued, c) get credit cards reissued.

Just the other day I overheard a woman on the train to work complaining to her boyfriend about the same thing. In my cases I know it was genuine calls because I called back on numbers I knew belonged to the bank.

This same bank also tends to accept corporate id cards to let you sign for your credit cards if they're ordered to an office. So, trick people with a phony call, get the credentials, call the bank to get the card reissued, create your own plastic laminated id card, and order it sent to a serviced office somewhere where you rent a room with cash for a day or two... The same bank have twice refused to deliver cards to my home address because dropping it through the letter box was apparently too insecure.

The great thing about getting a credit card reissued, is that many banks here will accept it as ID. So get a credit card reissued, and voila, instant access to all the poor persons other accounts as well, and from past experience they'll happily offer to let you do over the counter cash withdrawals of however much you want from your credit card accounts.

They're so clueless it's scary to think I trust them with my money (but the rest of them are just as bad).

Why did I have to move to a country with a banking system from the dark ages?

Re:Scamming is way too easy

[cluckshot]

The Solution is already contained in the "Fair Debt Collection Practices Act of 1979." The only problem here is that it is only applied to credit. Being one who likes solutions here it comes!

The solution is to make the feduciary agent (bank) responsible for 100% of all false charges to the account with triplicate damages plus collection costs and legal fees if you have to collect. (This isn't funky law it already works) Application of this to DEBIT accounts would solve the problem to a very large extent.

The next part of the solution is to require all banks to provide you with 3 account numbers. One is for the actual account where you store your money. Another is an "Incoming Account" which you can publish to the world. Anyone like this friend could have a check deposited this way and no danger because the account is nothing but a key to put money in. The other is an "Out going" account where a person may place a limited amount of money for outgoing epay type or othe draws. This "Out Going" account could be closed and changed at will. That way one could lock out those skunks who try to autopay forever etc. This way one could protect their account.

A few other notes: We should end the "Overdraft" and bounced check laws. If a check does not have money, it should just be a refused transaction. Coupled with this the provision to immediately transfer funds... This way nobody goes to jail for bad checks, we just refuse them the goods because we can validate their check and charge the funds immediately.

Of course Banks would have a piss fit over these changes because no more overdraft fees etc. Well Tough Luck to them. Tell them to get a life and start earning their money serving their employers rather than screwing them. We would get fired if we treated our employer with such disrespect. This is only a proposal of good business practices. Nothing else. Skip the lectures about "Free Enterprise" because if a bank cannot make money under a good common set of laws they should go to hell. Mods this is good stuff, get a life if you don't like it!