IBM Reports On Spear Phishers
FrenchyinOntario writes "IBM reports that while 'regular' phishing is declining, the black hats are now engaging in targeted spear phishing to glean as much information about a specific identity as they can, for all the usual cybercrime reasons. It concerns authorities because the usual suspects - criminal and terrorist organizations - will want to take advantage of this, but the chilling part is how your identity will now be dependent on multiple institutions protecting your personal information, as opposed to eBay, PayPal, your bank, etc."
what do they mean (Score:4, Insightful)
aw, crud.. (Score:5, Insightful)
Social Engineering, anyone??
Protecting personal information is something new? (Score:3, Insightful)
Wasn't it a company's responsibility to protect your personal information already? I don't understand how this new method of phishing changes that (not including the technical aspects of said protection).
Re:Slashdotted, mirror here (Score:3, Insightful)
Re:A way around this... (Score:5, Insightful)
Yes, of course, because the National ID card is the magic wand of the identification world, isn't it? There's no way any one could possibly forge one of those...
Re:A way around this... (Score:4, Insightful)
Re:it's bad on IRC (Score:5, Insightful)
A Romanian scammer, on a Brazilian server (just a random pick, not trying to suggest anything negative about Brazil), scamming an American user. The legal hoops are mind-boggling. That's if the IRC Ops can even get any useful information from their logs, which isn't 100% sure.
You're right! (Score:1, Insightful)
By the way, have you thought of being a psychic? You predicted the flaming. ;-)
I agree. Look at stem cells and the Reagans (Score:1, Insightful)
All it takes is one high-profile, CNN-covered major story to get our government's attention and get some changes done.
Re:An Open Information Society (Score:1, Insightful)
Again he just sounds like an asshole: "Our will is absolute and we will do as we please with your life and no, citizen, you cannot do anything about it because you are just a sheep to be lead by your superiors." Fuck that.
Probably been going on for a long time (Score:4, Insightful)
A serious attack has a specific target and attacks it quietly. Serious attackers aren't going to show up in the "top 10 virus" lists. They're probably not going to use an attack that appears in some known signature list. They may have the ability to craft their own attacks, or at least modify known ones beyond recognition. The volume-oriented defense techniques won't work.
Military security people are very aware of this issue. You don't want to tie up all your resources chasing kids who are throwing rocks at the airfield fence. The real threat is probably being quietly mounted elsewhere.
British banks are clueless dweebs.... (Score:4, Insightful)
The scary part, however, was that it greeted me with my first name, suggested I log on to their site, then ended with a paragraph going roughly like this:
"To make sure you can recognise genuine e-mails from us, we will always include the post code of your registered account with us"
Now, it does stop a phisher from firing off a million random e-mails. What it doesn't do is prevent someone from following your local mail man for a couple of days and writing down who gets a statement from said bank (which is one of the world's largest credit institutions) and firing off messages. That is worse than a random phisher, as the bank itself is teaching its clients to trust messages that include their postcode, even though their postcode is an easily available piece of information, so people are more likely to take the e-mail at face value and not scrutinise it as well as they should. What's worse is that the e-mail included links instead of asking people to go to the site listed on their statements, or similar, teaching people that hey, it's ok to click on links in mails that claim to be from their bank...
The worst thing is that this kind of behaviour is the norm for British banks. The fuckwits deserve everything they get from these phishers. What sucks is that their customers will get screwed over in the process.
I've twice been called up by one of my other banks fraud department because they wanted to verify transactions. In both cases they wanted me to provide the security information for my account over the phone when they had called me and I had no way of verifying that they were who they said they were (caller id is trivial to fake, and you wouldn't even need that if the number is unknown but looks plausible to the person taking the call). So again, the fraud department of my bank is teaching its customers that it's ok to give out the very same security details that are sufficient to a) do transfers, b) get passwords for online banking reissued, c) get credit cards reissued.
Just the other day I overheard a woman on the train to work complaining to her boyfriend about the same thing. In my cases I know they were genuine calls because I called back on numbers I knew belonged to the bank.
This same bank also tends to accept corporate id cards to let you sign for your credit cards if they're ordered to an office. So, trick people with a phony call, get the credentials, call the bank to get the card reissued, create your own plastic laminated id card, and order it sent to a serviced office somewhere where you rent a room with cash for a day or two... The same bank has twice refused to deliver cards to my home address because dropping it through the letter box was apparently too insecure.
The great thing about getting a credit card reissued is that many banks here will accept it as ID. So get a credit card reissued, and voila, instant access to all the poor person's other accounts as well, and from past experience they'll happily offer to let you do over-the-counter cash withdrawals of however much you want from your credit card accounts.
They're so clueless it's scary to think I trust them with my money (but the rest of them are just as bad).
Why did I have to move to a country with a banking system from the dark ages?
Re:Scamming is way too easy (Score:4, Insightful)
The Solution is already contained in the "Fair Debt Collection Practices Act of 1979." The only problem here is that it is only applied to credit. Being one who likes solutions here it comes!
The solution is to make the fiduciary agent (bank) responsible for 100% of all false charges to the account, with triple damages plus collection costs and legal fees if you have to collect. (This isn't funky law; it already works.) Application of this to DEBIT accounts would solve the problem to a very large extent.
The next part of the solution is to require all banks to provide you with 3 account numbers. One is for the actual account where you store your money. Another is an "Incoming Account" which you can publish to the world. Anyone like this friend could have a check deposited this way and no danger, because the account is nothing but a key to put money in. The other is an "Outgoing" account where a person may place a limited amount of money for outgoing epay-type or other draws. This "Outgoing" account could be closed and changed at will. That way one could lock out those skunks who try to autopay forever, etc. This way one could protect their account.
A few other notes: We should end the "Overdraft" and bounced check laws. If a check does not have money, it should just be a refused transaction. Coupled with this the provision to immediately transfer funds... This way nobody goes to jail for bad checks, we just refuse them the goods because we can validate their check and charge the funds immediately.
Of course Banks would have a piss fit over these changes because no more overdraft fees etc. Well Tough Luck to them. Tell them to get a life and start earning their money serving their employers rather than screwing them. We would get fired if we treated our employer with such disrespect. This is only a proposal of good business practices. Nothing else. Skip the lectures about "Free Enterprise" because if a bank cannot make money under a good common set of laws they should go to hell. Mods this is good stuff, get a life if you don't like it!
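The three-handle account split and the "refuse, don't overdraw" rule proposed in the comment above, modelled as an added example. This is not code from the post, from IBM or from any bank; the ledger, the handle prefixes (IN-, OUT-, PRI-) and the Refused exception are all hypothetical names chosen for the illustration. The point it makes concrete: the published inbound handle can only be credited, the outbound handle carries a cap and can be rotated or revoked without touching the primary account, and a debit that would overdraw is simply declined rather than charged a fee.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Optional
import secrets


class Refused(Exception):
    """A transaction the ledger declines. No state changes, no overdraft, no fee."""


@dataclass
class Account:
    owner: str
    balance: Decimal = Decimal("0")
    # Inbound handle: safe to publish, because it can only receive credits.
    inbound_id: str = field(default_factory=lambda: "IN-" + secrets.token_hex(4))
    # Outbound handle: capped and revocable, so a runaway autopay can be cut off.
    outbound_id: Optional[str] = None
    outbound_limit: Decimal = Decimal("0")
    outbound_spent: Decimal = Decimal("0")
    # Primary handle: internal bookkeeping only; never accepted from the network.
    primary_id: str = field(default_factory=lambda: "PRI-" + secrets.token_hex(4))


class Ledger:
    """Hypothetical in-memory ledger (constructed for this example)."""

    def __init__(self) -> None:
        self._by_inbound: dict = {}
        self._by_outbound: dict = {}

    def open(self, owner: str) -> Account:
        acct = Account(owner)
        self._by_inbound[acct.inbound_id] = acct
        return acct

    def deposit(self, handle: str, amount: Decimal) -> Decimal:
        """Credit via the published inbound handle only. Presenting the primary
        or outbound id here is refused, so leaking either buys an attacker nothing."""
        if amount <= 0:
            raise Refused("deposit must be positive")
        acct = self._by_inbound.get(handle)
        if acct is None:
            raise Refused("not an inbound handle")
        acct.balance += amount
        return acct.balance

    def issue_outbound(self, acct: Account, limit: Decimal) -> str:
        """Create or rotate the outbound handle with a fresh cap; the old one dies."""
        if limit <= 0 or limit > acct.balance:
            raise Refused("limit must be positive and funded")
        self.revoke_outbound(acct)
        acct.outbound_id = "OUT-" + secrets.token_hex(4)
        acct.outbound_limit = limit
        acct.outbound_spent = Decimal("0")
        self._by_outbound[acct.outbound_id] = acct
        return acct.outbound_id

    def revoke_outbound(self, acct: Account) -> None:
        """Close the outbound handle; any payee still holding it is locked out."""
        if acct.outbound_id is not None:
            self._by_outbound.pop(acct.outbound_id, None)
            acct.outbound_id = None
            acct.outbound_limit = acct.outbound_spent = Decimal("0")

    def draw(self, handle: str, amount: Decimal) -> Decimal:
        """Debit through the outbound handle. Over-cap or unfunded draws are
        refused outright; the balance never goes negative."""
        if amount <= 0:
            raise Refused("draw must be positive")
        acct = self._by_outbound.get(handle)
        if acct is None:
            raise Refused("unknown or revoked outbound handle")
        if acct.outbound_spent + amount > acct.outbound_limit:
            raise Refused("exceeds outbound cap")
        if amount > acct.balance:
            raise Refused("insufficient funds")
        acct.outbound_spent += amount
        acct.balance -= amount
        return acct.balance
```

Typical use: publish `inbound_id` on an invoice or web page, hand `issue_outbound(acct, cap)` to a payment provider, and call `revoke_outbound` (or simply issue a new one) the moment a payee misbehaves; the primary balance is never addressable from outside.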