Last summer, Sen. Barack Obama's presidential-campaign computers came under cyberattack from an "unknown entity." His machines weren't alone; John McCain's computers were also attacked, according to a report appearing Wednesday on the site of Newsweek magazine.
The Obama attack was initially thought to be a piece of malware downloaded from a phishing site. Newsweek reports that "the next day, both the FBI and the Secret Service came to the campaign with an ominous warning: 'You have a problem way bigger than what you understand,' an agent told them. 'You have been compromised, and a serious amount of files have been loaded off your system.'"
The McCain campaign's computer system was also compromised over the summer. Newsweek confirmed with a top McCain official that the FBI had become involved. A federal investigation into both attacks is under way.
According to Newsweek Editor at Large Evan Thomas, the FBI and White House officials told the Obama campaign that a foreign entity or organization was likely responsible, not political opponents. Independently, Obama technical experts have speculated that the hackers were Russian or Chinese. The files accessed appear to be policy-related and thus potentially useful in future negotiations with a new presidential administration.
Earlier this year, during the primaries, an online prank had the Obama campaign site redirected to Sen. Hillary Clinton's campaign site.
The Newsweek report is part of a special edition that will be on newsstands November 6 through 16, and online November 5 through 7.
On Friday Opera announced that version 9.5 of the browser will include built-in antimalware protection from Haute Secure.
This is, of course, to counter the antimalware protection built into Firefox 3, currently available as a final release candidate. Firefox uses data from Google and StopBadware to block a site before it loads on your browser.
Haute Secure counters that its offering is better because it relies upon a community of dedicated users to tell the product when to block a site and when not to. In testing at CNET, the latest version of Haute Secure still missed some recently published phishing sites, while Firefox 3 RC2 blocked them immediately.
How did that happen? Haute Secure explains that the APIs provided by antiphishing sites such as PhishTank won't update until the site is confirmed to be bad, whereas Google can make that determination on its own. Still, Haute Secure prevents malicious sites (as opposed to mere phishing sites) from loading, and provides more information about those sites than does Firefox 3.
Haute Secure was founded by a group of former Microsoft employees, and its flagship product came out of beta in March.
We've seen banks, even eBay and PayPal, all targeted by phishers. Now they've turned their attention to iTunes, creating a bogus site that reportedly looks like an iTunes billing page asking for current credit card information.
"We've never seen Apple as the target," Proofpoint's Andrew Lochart told Computerworld on Tuesday. "It's probably indicative that the bad guys see Apple's online presence as large enough to be a target."
In addition to asking for credit card information, the phony iTunes page also asks for one's social security number and mother's maiden name.
In general, if you receive an e-mail with a link to a site requesting personal financial information, be very cautious about proceeding. Bookmark or type in the URLs for sites containing financial information, such as your bank or e-commerce sites like iTunes. Never link directly from an unsolicited e-mail.
In a joint operation with Romanian authorities on Monday, U.S. Department of Justice officials announced racketeering and other charges against 38 individuals living in the United States and Romania.
In addition, the Justice Department executed nine arrest warrants, while Romanian authorities simultaneously executed several search warrants. Total losses associated with today's arrests and charges, unsealed in California and Connecticut, are said to be in the millions of dollars.
Speaking in Bucharest, Romania, Deputy Attorney General Mark R. Filip stressed the importance of multinational agencies working together to fight international crime.
Filip said the nine people arrested were charged with sending out spam to lure victims to go to fraudulent, or phishing, Web sites, where they were meant to be tricked into entering personal information such as Social Security and credit card numbers.
Personal data obtained by the phishing ring was harvested by suppliers who, in turn, sent the information to cashiers, who encoded the information onto magnetic strips on the back of credit and debit cards. The cards were then used by runners to withdraw money from various ATMs, with a portion of the total withdrawals wired back to the supplier.
Washington D.C. -- On Wednesday, in a talk at Black Hat D.C. 2008, two researchers set out to see whether phishing sites were created by the "Einsteinian, ninja hackers that the media makes them out to be."
In a talk titled "Bad Sushi: Beating Phishers at their own game," Nitesh Dhanjani and Billy Rios found not a sophisticated gang of elite coders, but hundreds of bad coders all copying one another, and often stealing from each other.
Dhanjani and Rios expressed disapproval of antiphishing products that use black lists to block known phishing sites, for two reasons. First, some legitimate server admins might have their compromised account password visible on such lists. Second, the researchers were able to open those lists and see the servers that were being compromised.
They followed one of the servers that had shown up on one black list multiple times. What they found was a poorly configured Internet-facing server, one that was easily compromised, and therefore hosting several phishing sites.
Once they found a compromised Web server, they then wondered: how hard is it to create an authentic-looking phishing site? Dhanjani and Rios found kits online, prepackaged with images and forms from Bank of America, Citibank, and PayPal, among others. Just install one of these kits on a compromised server and you're in business.
Looking deeper into the code used in these kits, they found that one kit had been copied many times, with different images. Moreover, the creator of the kit was skimming off the people using the kit; every time someone fell for a phishing site, their personal data not only went to the phisher who put up the site, but also to the author who wrote the kit.
With personal information flowing in, what does the average phisher do next? Dhanjani and Rios googled to find sites trading personal data--not a surprising find. What they found was that U.S. and U.K. IDs often sold for much less than European and Asian data. They could not account for the difference.
They also found forums and sites dedicated to ATM "skimming." Skimming is the physical use of secondary readers and keypads on ATMs to capture account numbers and PINs. Often the ATM transaction goes through, and the customer doesn't realize the account has been compromised until later.
Dhanjani and Rios suggested that site administrators should lock down their sites so that phishing kits don't take root. They also suggested that sites require more security in order to raise the bar. By requiring a customer to use two-factor authentication, or a persistent cookie, many of the financial phishing sites would cease to be effective, they said.
A number of phishing sites have cropped up within the last day using domains previously attributed to the Storm worm botnet. Last fall, Storm was used in a series of pump-and-dump stock spam blasts, including a unique MP3-based spam blast, but researchers at F-Secure don't think the original authors of Storm are necessarily trying something new. F-Secure said Tuesday that "October brought evidence of Storm variations using unique security keys. The unique keys...allow the botnet to be segmented allowing 'space for rent.'" They think phishers are leasing parts of the larger botnet.
F-Secure cites a Halifax bank as one of the phishing targets, while Trend Micro identifies the Royal Bank of Scotland as another. What connects these sites are the server domains hosting the pages. Trend Micro said Tuesday it detected the hosts "while watching domain activity normally associated with suspected RBN (Russian Business Network)-associated activities."
The original Storm worm code, so named because it coincided with a severe winter storm in Europe, will celebrate its first anniversary next week, on or around January 19.