IBM Reports On Spear Phishers 169
FrenchyinOntario writes "IBM reports that while "regular" phishing is declining the black hats are now engaging in targeted spear phishing to glean as much information about a specific identity as they can for all the usual cybercrime reasons. It concerns authorities because the usual suspects - criminal and terrorist organizations - will want to take advantage of this, but the chilling part is how your identity will now be dependent on multiple institutions protecting your personal information, as opposed to eBay, PayPal, your bank, etc."
Slashdotted, mirror here (Score:5, Informative)
Re:Slashdotted, mirror here (Score:1)
When I first read the article summary, I thought it was going to describe indirect phishing - e.g. trolling for ancillary info about someone such that one can "recover" the account. e.g. Many accounts can be accessed by claiming a forgott
Re:Slashdotted, mirror here (Score:2)
We sued them and got about £300 i think.
Excellent phishing my friend! (Score:2)
1. Post mirror links to slashdot
2. Check the browser string to see what OS they are running, which includes SP level.
3. Since most slashdot users probably run pirated copies of XP, they couldn't load SP1.
4. Microsoft only distributes patches for SP1 and SP2 now.
5. List of rootable hosts!
Re:Slashdotted, mirror here (Score:3, Insightful)
Re:Slashdotted, mirror here (Score:5, Funny)
So the phishers have refined their tactics (Score:5, Funny)
Naw, it's an intelligent design!
Re:So the phishers have refined their tactics (Score:4, Funny)
not the teaching of evolution, evolution itself.
Then MEGACORP won't have to waste profits on securing their massive database of customer eyecolor and bloodtype.
Re:So the phishers have refined their tactics (Score:2)
Re: (Score:1)
Re:So the phishers have refined their tactics (Score:1)
Slashdot should change the 2 minute wait to 2 minutes per thread. This tabbed browsing is killing my slashdot productivity here.
what do they mean (Score:4, Insightful)
Scamming is way too easy (Score:1)
What happened is that someone used a fake id and her bank account number to cash $15,000 in fake money orders at two local banks. She didn't have even a thousand dollars in her account, but the banks gave the cash in "good faith". Well, now the bank is refusing to remove the 15,000 debit on her account and their only advice to her is to "borrow the 15,000 from your relatives and pay us back". S
Re:Scamming is way too easy (Score:4, Insightful)
The solution is already contained in the "Fair Debt Collection Practices Act of 1979." The only problem here is that it is only applied to credit. Being one who likes solutions, here it comes!
The solution is to make the fiduciary agent (bank) responsible for 100% of all false charges to the account, with triple damages plus collection costs and legal fees if you have to collect. (This isn't funky law; it already works.) Application of this to DEBIT accounts would solve the problem to a very large extent.
The next part of the solution is to require all banks to provide you with 3 account numbers. One is for the actual account where you store your money. Another is an "Incoming Account" which you can publish to the world. Anyone like this friend could have a check deposited this way with no danger, because the account is nothing but a key to put money in. The other is an "Outgoing" account where a person may place a limited amount of money for outgoing e-pay type or other draws. This "Outgoing" account could be closed and changed at will. That way one could lock out those skunks who try to autopay forever, etc. This way one could protect their account.
A few other notes: We should end the "Overdraft" and bounced check laws. If a check does not have money, it should just be a refused transaction. Coupled with this the provision to immediately transfer funds... This way nobody goes to jail for bad checks, we just refuse them the goods because we can validate their check and charge the funds immediately.
Of course Banks would have a piss fit over these changes because no more overdraft fees etc. Well Tough Luck to them. Tell them to get a life and start earning their money serving their employers rather than screwing them. We would get fired if we treated our employer with such disrespect. This is only a proposal of good business practices. Nothing else. Skip the lectures about "Free Enterprise" because if a bank cannot make money under a good common set of laws they should go to hell. Mods this is good stuff, get a life if you don't like it!
Re:Scamming is way too easy (Score:2)
Your assessment regarding the change in status of checks is quite correct. You only made one error. You assumed that they still are this. As of the last 2 years of the Clinton Administration an "E Check" became as valid as a "Wet Check" and as such this property de facto already changed over 6 years ago. Gone! I am only proposing that a check be updated to its current legal status in fact.
This is in fact just a recognition of fact and law already existing. You can be sent to jail for a bad check someone
A way around this... (Score:5, Informative)
Re:A way around this... (Score:1, Interesting)
Re:Freezing Credit (Score:2)
It's not always necessary to pay a fee to protect your information. Certain states have passed laws allowing you to request the freeze for free - check your state regs for the details.
Folks should be aware that the credit industry is starting to push for legislation at the federal level that will be far weaker than, and will automatically trump, these state laws. God forbid they lose the ability to extend "valuable offers" from their affiliates and business partners.
Another alternative approach is to fi
Re:A way around this... (Score:2)
Oh, and as far as I've ever been able to find, my name and SSN were sold after I applied for my passport at the post office. That was the only place I had given my SSN in years, and the theft occurred within days of tha
Freezes depend on state law (Score:2)
Re:A way around this... (Score:5, Insightful)
Yes, of course, because the National ID card is the magic wand of the identification world, isn't it? There's no way any one could possibly forge one of those...
Wrong! (Score:2, Funny)
Re:A way around this... (Score:3, Funny)
French ID cards are a thousand times more secure than your dollar bills
What an idiotic statement...for three reasons:
Re:A way around this... (Score:4, Insightful)
Re:A way around this... (Score:3, Interesting)
If we're going to get ID cards, I'd at least want them to be useful. At this point I'm in more danger of having my identity stolen than of being tracked by black helicopters...
Re:A way around this... (Score:2)
The trouble is, the people who do design these systems tend to be either moronic, corrupt, or lazy.
Re: (Score:3, Informative)
Re:A way around this... (Score:2, Interesting)
No one ever explains why this is better than an ID/account number and password?
Lyal
Re:A way around this... (Score:2)
No. It's a card with a *private key* that can encrypt data given to it using that private key. The bank/eBay/other would have your public key. They would create some random token to be encrypted and give it to you. Your card encrypts and signs it using your private key. If they can then decrypt it and verify it with your public key then they know it's you.
http://www.rsasecurity.com/rsalabs/node.as [rsasecurity.com]
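The challenge-response flow the comment describes, written out as an added example (not code from the original thread or from RSA Security). It uses Go's standard-library Ed25519 signatures to stand in for the card's key; the domain separator, session IDs and the `Card`/`Verifier` names are constructed for this example. The verifier keeps only the public key, issues a fresh random challenge per login, and accepts each challenge exactly once, so a captured response cannot be replayed and a response signed for one session cannot be presented in another.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Constructed domain separator: binds signatures to this one use so a
// signature obtained for some other purpose cannot be replayed here.
const domain = "example-bank-login-v1"

// Card models the token holding the private key; the key never leaves it.
type Card struct{ priv ed25519.PrivateKey }

// Verifier models the bank/eBay side: it stores only the public key and the
// outstanding (unanswered) challenges, one per session.
type Verifier struct {
	pub     ed25519.PublicKey
	pending map[string][]byte
}

// NewCard generates a key pair at enrolment and hands the public key to the verifier.
func NewCard() (*Card, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Card{priv: priv}, pub
}

func NewVerifier(pub ed25519.PublicKey) *Verifier {
	return &Verifier{pub: pub, pending: make(map[string][]byte)}
}

// NewChallenge issues a fresh 32-byte random token for the given session.
func (v *Verifier) NewChallenge(sessionID string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	v.pending[sessionID] = c
	return c
}

// message is what actually gets signed: domain | session | challenge, so the
// signature is tied to both the purpose and the session, not just the nonce.
func message(sessionID string, challenge []byte) []byte {
	return append([]byte(domain+"|"+sessionID+"|"), challenge...)
}

// Respond is the card's side: sign the challenge with the private key.
func (c *Card) Respond(sessionID string, challenge []byte) []byte {
	return ed25519.Sign(c.priv, message(sessionID, challenge))
}

// Check consumes the pending challenge and verifies the signature with the
// stored public key. The challenge is deleted before verification, so a
// second presentation of the same signature fails even if the first was valid.
func (v *Verifier) Check(sessionID string, sig []byte) bool {
	challenge, ok := v.pending[sessionID]
	if !ok {
		return false
	}
	delete(v.pending, sessionID)
	return ed25519.Verify(v.pub, message(sessionID, challenge), sig)
}

func main() {
	card, pub := NewCard()
	bank := NewVerifier(pub)
	ch := bank.NewChallenge("session-1")
	sig := card.Respond("session-1", ch)
	fmt.Println("genuine login accepted:", bank.Check("session-1", sig))
	fmt.Println("replayed response accepted:", bank.Check("session-1", sig))
}
```

The one-time challenge and the session binding are the parts worth copying: without them a verifier that only checks "this signature is valid for this public key" can be satisfied by a signature captured from an earlier login.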
Re:A way around this... (Score:2)
I hope this will give me a "smaller profile" with respect to the identity thieves, in that I won't have all this account activity going on all the time. Some of the ID thief rings seem t
You're right! (Score:1, Insightful)
By the way, have you thought of being a psychic? You predicted the flaming. ;-)
MOD PARENT UP - Please. (Score:1)
Re:A way around this... (Score:2)
It would save them TONS of work.
So kids, if someone tells you they are in favor of a national ID card, hold on to your wallet. They are probably an identity thief.
aw, crud.. (Score:5, Insightful)
Social Engineering, anyone??
Re:aw, crud.. (Score:1)
Mr. AC,
Please define "HUGE". And who's to enforce this fine?
I mean, a $250,000 fine or whatever to a very large corp, is their toilet paper budget for the week. Which they'll then pass on to their customers and/or make their stockholders eat.
I have to say ... (Score:4, Interesting)
Re:I have to say ... (Score:1)
10 years behind the times? (Score:1, Offtopic)
Re:I have to say ... (Score:1, Interesting)
I suggest you actually listen to some of it today.... in fact you have, many hit the top 40 charts in "secular alternative" music over the past 5 years.
the clueless like you stay on your path to what you think. the rest of us get big shit-eating grins as you don't realize that bands like Creed and others are simply christian rock bands that are flying under the radar subverting you in your music... (OMFG! I better listen to some Insane Clown Posse to cleanse my soul of this evil c
Re:LMAO Re:I have to say ... (Score:2)
Please, mod parent up.
is this kuro5hin? mod up! (Score:2)
That, and i've got Gibby Haynes screaming American Woman into a megaphone running through my head.
it's bad on IRC (Score:3, Interesting)
Re:it's bad on IRC (Score:1)
PLEASE TO BE NOT REPORTING US TO FBI!!!1 (Score:2, Funny)
Re:it's bad on IRC (Score:5, Insightful)
A Romanian scammer, on a Brazilian server (just a random pick, not trying to suggest anything negative about Brazil), scamming an American user. The legal hoops are mind-boggling. That's if the IRC Ops can even get any useful information from their logs, which isn't 100% sure.
Re:it's bad on IRC (Score:2)
The connections came from Romanian dial-up accounts, and I reported it to the ISP (obviously, nothing was ever done). I also extracted IRC information from a bot on the compromised server, and joined the channel. I found a handful of other bots in there, and mailed the admins of each I could see (with s
Re:it's bad on IRC (Score:2)
Protecting personal information is something new? (Score:3, Insightful)
Wasn't it a company's responsibility to protect your personal information already? I don't understand how this new method of phishing changes that (not including the technical aspects of said protection).
An Open Information Society (Score:5, Interesting)
Re:An Open Information Society (Score:5, Informative)
Re:An Open Information Society (Score:2)
Re:An Open Information Society (Score:1, Insightful)
Why? No one is going to 'legislate away' the development of ne
Re:An Open Information Society (Score:2)
Re:An Open Information Society (Score:2)
The problem is that cameras are so common and so unobtrusive most people just don't grasp how much they are being observed/recorded. If anything that is only going to ge
Re:An Open Information Society (Score:2)
This is a fictional Neanderthal dominated Earth where they have evolved a technological society.
Every action they make - their entire lives - is recorded. The recordings can only be accessed during legal proceedings.
I've read the first 1 and a half of the 3 books in the series. Pretty cool.
Re:An Open Information Society (Score:2)
Re:An Open Information Society (Score:1)
People break laws they don't agree with every day - including speeding, using illegal drugs (as opposed to legal ones [pmusa.com]), refusing to mow their lawns, etc.
With no privacy, the American police system will either fail miserably, or will over-compensate, and we'll have no privacy AND no freedom.
I wish we COULD live in a society where one could do what they wanted, and no one questioned it, so long as what you do doesn't infringe u
Re:An Open Information Society (Score:1)
Everyone will judge you and you are guaranteed to piss people off.
Example:
Hit your child? Child abuser! (people saying this, let's call them group A)
Don't hit your child? Raising an undisciplined kid! (B)
No child? Something must be wrong with you! (C)
One of the above 3 groups will be pissed at you no matter what.
Also, there are unjust laws - imagine if you'd get convicted of every law you ever broke.
Most people alive would have over 100 years of jail time.
Re:An Open Information Society (Score:2)
prisoner's dilemma (Score:2)
And this is why your idea will not work. As long as there is incentive NOT to open up, then someone, someplace won't do it.
And for those that don't know what a prisoner's dilemma is, let me try to explain. It goes something like this: 2 prisoners are in jail and awaiting trial. The exp
Re:prisoner's dilemma (Score:2)
Re:An Open Information Society (Score:2)
Our attitude towards privacy is like living in a house without doors and then complaining that the government needs to do something to stop the epidemic of robberies.
Another stupid cutesy technical term? (Score:5, Funny)
Re:Another stupid cutesy technical term? (Score:2)
Re:Another stupid cutesy technical term? (Score:2)
Server (Score:2, Informative)
A report published this week from IBM Corp. suggests that phishing schemes are growing in sophistication, allowing would-be Internet criminals to target their victims by name. A targeted or "spear phishing" attack is designed to extract data from a specific individual or organization, maximizing damage caused and financial gain. IBM estimates that these types of attacks have grown ten-fold this year alone. According to the company, they can be used for identity
Lucrative Targets... (Score:1)
More like the billionth time. As Willie Sutton [wikipedia.org] never said when asked why he robbed banks: "Because that's where the money is."
Why phishing? (Score:3, Funny)
Re:Why phishing? (Score:2)
Re: (Score:3, Funny)
Opportunity to make a difference? (Score:5, Interesting)
I agree. Look at stem cells and the Reagans (Score:1, Insightful)
All it takes is one high-profile, CNN-covered major story to get our government's attention and get some changes done.
Re:I agree. Look at stem cells and the Reagans (Score:2)
Yep, like Bill Frist. Using a veto when your party controls congress is an embarrassing display of disunity -- using it against your own senate majority leader is mortifying. Karl Rove must be getting really distracted by the grand jury to not be greasing the wheels here.
Re:Opportunity to make a difference? (Score:2)
There is, however, a drawback. ANYTHING LIKE THIS IS A CRIMINAL OFFENCE. Jail sounds like a good reason not to do it.
Morally it is not dissimilar to beating up a politician to demonstrate the trauma of violent crime. Not acceptable, even if your motive is the "greater good".
Anyway, all you need to do is wait. Sooner or later the genuine bad guys will do it anyway.
They were caught (Score:2)
The real question is... (Score:3, Funny)
Multiple institutions *are* responsible (Score:5, Interesting)
The way I see it, all personal information I send to a particular company should be confidential and protected. Some of it they simply don't need. For instance, why the hell did the clerk at Hollywood Video ask for my SSN to open a damn account to rent movies?! They did not need my SSN and I sure as hell didn't give it to him either, but it makes me wonder how many people actually *have* given out their SSN just for a Hollywood Video account. Not good.
If a company does not protect my personal information and it gets stolen and/or misused, you bet your ass they'd see some backlash from me. The only bad thing is, it's hard to figure out exactly *which* company that held your personal information was compromised. It's certainly not like they're going to volunteer the fact that they were compromised, otherwise you might take your business elsewhere (to a more responsible company). Just look at the millions of people who had their information on backup tapes "misplaced" by a UPS driver (posted on slashdot a while back) after the company was stupid enough to send that info via UPS to begin with.
Companies that have our personal information need to be held accountable on how they handle it and should be prosecuted to the fullest when they mishandle it.
Re:Multiple institutions *are* responsible (Score:3, Interesting)
Video places use it for a credit check. They're loaning you a movie.
On the other hand, here's a trick I learned. When you're asked for a SSN, say "I'm soooo sorry! I didn't think I needed it. I'll have to come back!" 90% of the time, the clerk will just say "We really don't need it, just hang on." I kid you not! Try it! It pisses me off that a lot of firms "require" this information but when you balk or plea
Re:Multiple institutions *are* responsible (Score:2)
What's with the TSA mandating that everyone takes their shoes off?
Actually, they don't mandate it. They just "recommend" it. You're not required to take your shoes off. If you go to an airport where the TSA "recommends" that you take them off, and you refuse, then you will be wanded and patted down, and may have your bags searched as well.
We just don't do it, and if they give us a hard time, we'll wait in that little compartment until they look over our stuff and let us go.
Look over your stuff an
Re:Multiple institutions *are* responsible (Score:2)
It's great that you go along with the crowd. Heck, you've even found a way to go along with the crowd faster!
The crowd's got nothing to do with it. I average about one airline flight per week (I'm already up to five this week, and fly home on another tomorrow), so my goal is to waste as little time as possible.
I understand what the real problem is, but now I think we're just being idealistic. I was just stating what *we* do when we are "recommended" to take off our shoes by the TSA "agents," not stat
Re:Multiple institutions *are* responsible (Score:2)
if enough people do a certain thing, they're bound to make a difference.
Some things, yes.
If enough people just stand up for their rights and say, "I've had enough," you can bet the TSA will be forced to revise its draconian policies.
Exchanging a body search for removing your shoes isn't standing up for your rights. It's just inconveniencing yourself to no benefit. And it won't make the TSA do anything at all... they'll happily hold up the line behind you in order to search you thoroughly. If enou
Re:Multiple institutions *are* responsible (Score:2)
You seem to assume that merely irritating the TSA's employees will create some sort of force for change. I don't agree. Similarly, I don't bother screaming at customer service people, except perhaps as a way to get escalated to someone with some decisionmaking authority. Being an asshole to people who have no ability to change anything accomplishes nothing constructive.
You also assume that congressmen already know that people are annoyed. They know some people are annoyed, but they don't think enough
Re:Multiple institutions *are* responsible (Score:2)
They'll complain to their boss, who will in turn complain to his/her boss
No, they'll complain to their boss, who will tell them to suck it up, they're getting paid $35K per year for unskilled labor, and can put up with some hassle. Unless it becomes a retention issue, and it won't, it'll go no further than that. Griping is just griping, like when I was an Air Force cop and griped that my car didn't have an AM/FM radio, or when I complained that the hard canvas seats on military airplanes were uncomfo
Re:Multiple institutions *are* responsible (Score:2)
Huh? I've conceded failure because I choose to protest through a route that actually has some chance of doing some good, while you're fighting the good fight by annoying some people who are just trying to do the job they've been given?
Now, if you'd told me that you've been working your representatives with letters, contributions, phone calls, etc., and you've been writing letters to the editor of the paper and generally trying to raise awareness of the issues, and then decided that you may as well bother
Re:Multiple institutions *are* responsible (Score:2)
Damn straight.
Just last week, I was going through my mail and found, like I do all the time, a set of balance transfer/cash/etc. checks for one of my credit cards. I opened it since I always shred these checks, and was surprised to find not only a set of my checks, but also someone else's.
If I had wanted to, I could have used those checks in 6 different places where they wouldn't have checked ID. The banks sure as hell don't check signatures anymore -- I've seen instances where checks with NO signatur
Re:Multiple institutions *are* responsible (Score:2)
I've heard of the same technique being used by people who aggregate and publish public-domain information; their comp
Re: (Score:1)
Re:So lemme get this straight . . . (Score:2)
Re: (Score:1)
Re: (Score:1)
Fishing (Score:4, Funny)
If they would just attack the politicians... (Score:2)
M
Fun with adverbs (Score:5, Funny)
Surreptitiously organized crime may be involved also, but they keep such a low profile that it's hard to tell.
Account Accountability (Score:2)
Probably been going on for a long time (Score:4, Insightful)
A serious attack has a specific target and attacks it quietly. Serious attackers aren't going to show up in the "top 10 virus" lists. They're probably not going to use an attack that appears in some known signature list. They may have the ability to craft their own attacks, or at least modify known ones beyond recognition. The volume-oriented defense techniques won't work.
Military security people are very aware of this issue. You don't want to tie up all your resources chasing kids who are throwing rocks at the airfield fence. The real threat is probably being quietly mounted elsewhere.
British banks are clueless dweebs.... (Score:4, Insightful)
The scary part, however, was that it greeted me with my first name, suggested I log on to their site, then ended with a paragraph going roughly like this:
"To make sure you can recognise genuine e-mails from us, we will always include the post code of your registered account with us"
Now, it does stop a phisher from firing off a million random e-mails. What it doesn't do is prevent someone from following your local mail man for a couple of days and writing down who gets a statement from said bank (which is one of the world's largest credit institutions) and firing off messages. That is worse than a random phisher as the bank itself is teaching its clients to trust messages that include their postcode, even though their postcode is an easily available piece of information, so people are more likely to take the e-mail at face value and not scrutinise it as well as they should. What's worse is that the e-mail included links instead of asking people to go to the site listed on their statements, or similar, teaching people that hey, it's ok to click on links in mails that claim to be from their bank...
The worst thing is that this kind of behaviour is the norm for British banks. The fuckwits deserve everything they get from these phishers. What sucks is that their customers will get screwed over in the process.
I've twice been called up by one of my other banks' fraud department because they wanted to verify transactions. In both cases they wanted me to provide the security information for my account over the phone when they had called me and I had no way of verifying that they were who they said they were (caller id is trivial to fake, and you wouldn't even need that if the number is unknown but looks plausible to the person taking the call). So again, the fraud department of my bank is teaching its customers that it's ok to give out the very same security details that are sufficient to a) do transfers, b) get passwords for online banking reissued, c) get credit cards reissued.
Just the other day I overheard a woman on the train to work complaining to her boyfriend about the same thing. In my cases I know they were genuine calls because I called back on numbers I knew belonged to the bank.
This same bank also tends to accept corporate id cards to let you sign for your credit cards if they're ordered to an office. So, trick people with a phony call, get the credentials, call the bank to get the card reissued, create your own plastic laminated id card, and order it sent to a serviced office somewhere where you rent a room with cash for a day or two... The same bank has twice refused to deliver cards to my home address because dropping it through the letter box was apparently too insecure.
The great thing about getting a credit card reissued is that many banks here will accept it as ID. So get a credit card reissued, and voila, instant access to all the poor person's other accounts as well, and from past experience they'll happily offer to let you do over the counter cash withdrawals of however much you want from your credit card accounts.
They're so clueless it's scary to think I trust them with my money (but the rest of them are just as bad).
Why did I have to move to a country with a banking system from the dark ages?
Identity proxy (Score:3, Interesting)
You'd end up having to trust that one company, but a single company could quite easily put in place policy and technology to keep your identity safe... that would be their primary focus. That's unlike eBay and others who really just want to do business with you and happen to also have your personal information. Their policies aren't as good as they need to be.
Besides, with your info only at one place it'd make spear phishing much harder: no relying on little bits of info from many places as a hacker would need to get all your personal info from one place.
Spear Phishers (Score:2)
keep the database lean (Score:2)
An estore shouldn't need to keep my CC, personal bio and address at all, on the same tables.
Re:black hats (Score:1, Funny)