The Lose/Lose game warns players before they launch the application that they are likely to have files deleted.
(Credit: Lose/Lose)
As part of his Master of Fine Arts thesis project, Zach Gage wrote a game to run on Macintosh computers that resembles Space Invaders but with a digital roulette twist--for every alien spaceship the player destroys, a random file on the computer is deleted.
"Lose/Lose is a video-game with real life consequences. Each alien in the game is created based on a random file on the player's computer. If the player kills the alien, the file it is based on is deleted. If the player's ship is destroyed, the application itself is deleted," the computer technology design major wrote on his Web site.
"At what point does our virtual data become as important to us as physical possessions? If we have reached that point already, what real objects do we value less than our data?" he asks.
On September 14, Gage posted his "Lose/Lose" game on his Web site and at the Experimental Gameplay Project, which links back to his site where he has a big warning in red: "KILLING ALIENS IN LOSE/LOSE WILL DELETE FILES ON YOUR HARDDRIVE PERMANENTLY." The application also displays a warning when it is launched.
This week, Symantec announced that it has flagged the application as malware, a Trojan it has dubbed OSX.Loosemaque. Sophos is calling it a Trojan too, OSX/LoseGame-A, and Intego has named it OSX/LoserGame.
"We are concerned that somebody could take this and modify it in some way where users aren't aware of the consequences," Kevin Haley, director of product management at Symantec Security Response, said in an interview on Wednesday. "We want to make people aware of what's on their machine and they can make the decision on whether to run it or not."
Asked to comment on the stir his project was creating, Gage seemed amused.
"I'm kind of OK with it being labeled malware," he said in a phone interview. "I would categorize it as dangerous software, but not malware because it is dangerous if you use it in a certain manner. Whereas malware implies it was designed to be malicious...Calling it a Trojan is really blowing it out of proportion."
Trojan horses are programs, typically masquerading as a benign program or hidden in legitimate software, which provide an attacker unauthorized access to the system. However, Gage's program explicitly says what it does and what the consequences are.
In addition to exploring the nature of risk and reward with regard to war and the notion of how small wins distract from the larger picture, the game provokes discussion about the risks people take with technology every day, Gage said.
"We need to pay attention to how we behave on computers," he said.
Apparently, some people don't mind playing with fire. The list of high scorers on the game site shows more than 40 players, with the highest score having destroyed nearly 5,000 files, or aliens.
"I'm surprised anyone has played it," Gage said. "I'm shocked."
Asked to comment on any possible beneficial merits of the project, Symantec's Haley said: "I don't see the positive aspect of it, but I suppose if it's art we're not supposed to completely understand it."
Symantec created a video that shows how the game works. When an alien ship is destroyed (on the left) a corresponding file is deleted (on the right).
(Credit: Symantec)
(Credit: FBI)
Criminals have tried to steal an estimated $100 million from corporate bank accounts using targeted malware and money mules, the FBI said on Tuesday.
"Within the last several months, the FBI has seen a significant increase in fraud involving the exploitation of valid online banking credentials belonging to small and medium businesses, municipal governments, and school districts," the agency said in a statement.
The FBI is seeing, on average, several new victim complaints and cases every week, according to a report prepared by the Internet Crime Complaint Center and linked to in the FBI release.
Brian Krebs reported on The Washington Post's Security Fix blog last week that the FBI puts losses from online fraud involving malware and money mules at around $40 million. Krebs is keeping a running list of businesses that have been victims of online theft and detailing the attacks.
Here is how the typical scam works. The criminals may find contact information and an organizational chart of a business online, as well as information about who handles the financial transactions for the company or agency. So-called "spear phishing" e-mails are sent to the employees who can initiate funds transfers, either wire transfers or transfers through the Automated Clearing House (ACH) system.
The e-mails contain either an infected file or a link to a Web site hosting malware. Once the file or link is opened, the malware containing a key logger is installed on the recipient's computer. The key logger harvests the user's corporate online banking user name and password and creates another account using that information or initiates a fund transfer masquerading as the authorized user.
The money is typically transferred into accounts opened by willing or unwitting people, known as "money mules," who then forward the deposits overseas. Usually, increments of less than $10,000 are transferred to avoid currency transaction reporting. The money mules are recruited through "work from home" ads or contacted after placing resumes on employment Web sites.
In several cases, banks did not have proper firewalls or antivirus software to protect against such attacks, the FBI said.
Current signature-based anti-virus programs are increasingly ineffective and companies should also consider using heuristic detection, application white listing that allows only known software and libraries to execute on a system, and reducing user privileges, the report advised.
Last week, the Federal Deposit Insurance Corp. (FDIC) issued a warning to banks and financial institutions about the increased use of money mules in unauthorized electronic funds transfers.
"Money mule activity is essentially electronic money laundering...," the FDIC statement said.
Criminals are shifting their focus to stealing online bank credentials from businesses instead of consumers because there is more money in the corporate bank accounts to plunder, according to Amit Klein, chief technical officer of browser security vendor Trusteer.
"Therefore, criminals can transfer larger sums of money, with a lower risk of raising red flags and being detected by a bank's anti-fraud systems which look for anomalous or unusually large withdrawals or wire transfers," he said in a statement. "Unfortunately, small-medium businesses do not have any better browser security mechanisms than consumers to protect their banking credentials from being stolen."
A hacker in the Netherlands broke into some jailbroken iPhones and sent text messages to the owners asking them to pay to find out how to secure their phones, according to postings in a Dutch forum called Tweakers.net.
One of the victims posted a screenshot from his iPhone of the SMS received. It said: "Your iPhone's been hacked because it's really insecure! Please visit doiop.com/iHacked and secure your iPhone right now! Right now, I can access all your files."
The URL provided now displays a message indicating that it was reported for spam or phishing abuse and has been deactivated.
Ars Technica reports that before the page was removed, it asked that victims send 5 euros ($7.36) to a PayPal account and then await an e-mail with instructions on how to secure the phone. The fix probably would involve restoring the factory settings, according to the Ars Technica post.
"If you don't pay, it's fine by me," the hacker's page said. "But remember, the way I got access to your iPhone can be used by thousands of others--they can send text messages from your number (like I did), use it to call or record your calls, and actually whatever they want, even use it for their hacking activities! I can assure you, I have no intention of harming you or whatever, but, some hackers do! It's just my advice to secure your phone."
The accidental disclosure of a House ethics investigation has kicked up quite a fuss on Capitol Hill as it turns out that more than 30 congressmen and aides are under investigation. But after committee chairman Zoe Lofgren (D-Calif.) disclosed the breach on the House floor late Thursday, her colleague, Rep. Jo Bonner (Ala.), who is the committee's ranking Republican, spoke next, telling fellow members that the breach was an isolated incident.
Not exactly.
In February, a company that monitors P2P networks said that it had found blueprints and avionics about the president's helicopter, Marine One, on a computer in Tehran. An investigation later found that a third-party defense contractor with access to that data was using a computer that also had P2P file-sharing software on its hard drive...
Read more of "File Sharing's Mysteries Again Stump Uncle Sam" on CBSNews.com.
The creator of PhoneSnoop shows how the free spyware app works in a video on his blog.
(Credit: Chirashi Security)
The U.S. Computer Emergency Readiness Team warned BlackBerry users on Tuesday about a new program called PhoneSnoop that allows someone to remotely eavesdrop on phone conversations.
The PhoneSnoop application must be installed on the phone by someone who has physical access to it or by tricking the user into downloading it, the CERT advisory said.
The author of the app, Sheran Gunasekera, director of security for Hermis Consulting in Jakarta, Indonesia, says it wasn't written to do any actual harm, but rather to warn of the dangers that still exist with the BlackBerry.
The application can be used by anyone to spy on any BlackBerry user's phone. However, Gunasekera says it is not hidden on the device after it's installed, so users should be able to easily see it.
"My intention was to raise awareness that even though the BlackBerry is one of the more secure platforms, there are still means where its users can be spied upon," Gunasekera wrote in an e-mail on Tuesday. "I wanted to highlight that even with such technical security controls, the human element can be exploited through social engineering."
To aid BlackBerry users who asked him how they could protect themselves from being snooped on, he said he released on Tuesday another free tool called "Kisses" that will detect and display hidden programs on the device.
On his blog, Gunasekera explains how PhoneSnoop works.
"PhoneSnoop sets up a PhoneListener and waits for an incoming call from a specific number. Once it detects a call from that specific number, it automatically answers the victims' phone and puts the phone into SpeakerPhone mode," he writes.
US-CERT said BlackBerry users should only download applications from trusted sources and password protect and lock the devices to prevent someone from installing unwanted software.
The issue of BlackBerry snooping made headlines this summer when Etisalat, a carrier in the United Arab Emirates, sent SMS messages to BlackBerry subscribers encouraging them to download a patch that security experts said was spyware.
SMobile Systems did a technical analysis of the software and concluded that the "true nature of the spyware is to intercept BlackBerry users' email messages and forward the messages to a monitoring agent inside the Etisalat network," according to the BlackBerry Cool blog.
Nokia and SAP are forming a new company that will use their technologies to help manufacturers battle counterfeit products.
Announced Tuesday at SAP TechEd in Vienna, Original1 will offer services to better authenticate branded products and protect them from counterfeiting, the companies said in a statement.
Offering software as a service (SaaS), Original1 will draw on a combination of SAP's supply-chain technology and Nokia's mobile authentication software. Nokia and SAP will each own 40 percent of the business, while German firm Giesecke & Devrient (G&D) will own the remaining 20 percent and add the security and encryption component.
The service will target products that are especially vulnerable to counterfeiting, such as pharmaceuticals and luxury goods, G&D spokesman Stefan Waldenmaier said. Other items, such as auto parts and software, could also benefit from the service, he said.
At this point, the service can only work with physical products, not electronic items. So, for example, Original1 could protect boxed software but not downloadable media.
Here's how it works: branded products will be electronically tagged with smart, tamper-proof barcodes, allowing the manufacturer to track them using a Nokia smartphone as they move from factory to store shelf. A retailer can then check the product information against a database and determine whether the data is coming from a legitimate product.
Located in Frankfurt, Germany, Original1 will be run by Claudia Alsdorf, currently the vice president of SAP Research.
"Counterfeiting is a worldwide problem that is increasing and affecting many successful companies in all industries," Alsdorf said in a statement. "Today, more than ever, companies need to combat counterfeiting before it's too late, when their company livelihood is at stake."
SAP has already run pilot tests of the new service with some of its customers and said the testing has been successful.
Nokia and SAP have a history of working together on mobile projects. Nokia is an SAP global technology partner, while SAP is a Nokia Enterprise Zone member.
Subject to regulatory approval, Original1 is expected to open its doors before year's end.
In the video below from SAP, Alsdorf talks about the new company:
If you have an SMC8014 cable modem/Wi-Fi router from Time Warner, your network might still be vulnerable to attack.
Blogger David Chen reported last week on a security hole affecting about 67,000 combo modem/router devices that could allow anyone to access Time Warner customers' private networks, snoop on sensitive data, and direct users to malicious Web sites.
At the time, Time Warner Cable spokesman Alex Dudley said a patch was being rolled out and a permanent fix was being tested.
On Monday, Chen published an update to his blog that says he is still finding evidence that the devices are vulnerable.
"In the last week, I have not seen a single bit of evidence that supports their claims of a 'temporary patch.' I contacted Time Warner reps on Twitter to find out more about the measures they took to temporarily fix this issue; I have yet to receive a response," writes Chen, co-founder of a start-up called Pip.io.
"A quick nmap (network mapper security) port scan of a random Time Warner subnet showed dozens of routers still open and vulnerable to attack. When the scan was expanded to more ips (IP addresses), hundreds of routers were found," he added.
Dudley, who was traveling on Monday and unavailable to comment until late in the day, said: "We do have a patch and if it is not in place in a particular device or a small number of devices it will be shortly."
Asked how many devices had been patched, he said he did not know.
Meanwhile, a permanent fix was still in quality assurance testing, Dudley said.
In his blog post, Chen provides suggestions for how Time Warner Cable could fix the problem, including changing the default configuration of the routers to use WPA2 instead of WEP for Wi-Fi encryption and disabling access to the router's Web administration page from outside IP addresses.
"Of course the best idea would be to immediately recall those routers and issue your customers real cable modems and decent wifi routers with good security," he wrote.
And for Time Warner Cable customers who are using the devices, Chen urged them to call the company and ask for a replacement cable modem and use a separate router.
Updated on October 27 at 11:23 a.m. PDT to correct blogger's first name.
(Credit: U.S. Navy)
The U.S. Department of Defense ban on USB thumb drives instated nearly a year ago will eventually be partially lifted to allow authorized people to use official flash drives for mission-critical functions, according to a top military official.
"In the future, we expect that a government-owned and procured USB flash media, that is uniquely and electronically identifiable for use in support of mission-essential functions on DoD networks, will be permitted for use by authorized individuals," Robert Carey, chief information officer for the Department of the Navy, wrote in his blog recently.
"We are working on upgraded antivirus and malware detection, alert and eradication capabilities, as well as implementation of controls to deny network access to unauthorized USB flash media and revised operating procedures for scanning and cleaning flash media," he wrote. "The bottom line is, the days of using personally owned flash media or using flash media collected at conferences or trade shows are long gone."
Thumb drives, CDs, and other removable storage devices were banned last November after military computers became infected with a worm that was partially spread by thumb drives.
The thumb drive ban has been inconvenient for military personnel who used them for carrying tech manuals, medical records of wounded troops, mission plans, and other types of important information, according to DefenseNews.
TrendMicro last year introduced its cloud computing strategy to deliver security to desktop PCs. Now the security software vendor, according to CEO Eva Chen, is taking cloud security a step further by protecting the cloud itself.
An update to its Deep Security product, introduced Monday, offers protection for the "entire server," including the operating system, network, and applications layers, according to the company.
So why is there a need for yet another layer of server protection? Don't servers already have an enormous amount of protection?
She acknowledged that servers are typically protected by a firewall, an intrusion detection system (IDS), and an intrusion prevention system (IPS). "But now people are doing virtualization," Chen said. "And once you do virtualization, the server can move from one network center to another network center or move from your own data center to a public data center, and therefore the server is not just behind the firewall all the time. It needs to protect itself."
Another issue is the changing nature of servers. In the past, they mostly were used to serve up data. But with cloud computing, applications run on the server and that makes them vulnerable to hackers. "In the last two years an enormous amount of Web servers were attacked by cybercriminals. They just insert SQL injections or a malicious link in your site or serve up malicious content from your site," Chen said.
Initially, TrendMicro's product is aimed at the enterprise but, long term, the company plans to develop services to support small Web sites and blogs.
As a small site owner, I understand the need. SafeKids.com, which is a WordPress blog I maintain, was attacked a couple of years ago due to a security flaw in a template I was using. The attacker embedded hidden links to sites that offered male enhancement products. I discovered the problem when I was embarrassed by Google Viagra ads appearing on my site. I don't have anything against Viagra, but the ads weren't appropriate for a site that focuses on Internet safety for children. Google, which places ads that are related to the site's content, was fooled into thinking that my site covered male enhancement rather than children's safety. Chen said that TrendMicro is exploring technology that could protect sites like mine by alerting owners to potential problems as soon as they occur.
In a partnership with RSA, the company is also working to protect financial sites against phishing attacks. It has software that looks for phishing sites that mimic legitimate ones and warns the legitimate site owners, who can then take action against the impostors.
Listen to Larry's interview with TrendMicro CEO Eva Chen.
Imagine your laptop gets stolen. Wouldn't it be great to remotely spy on the machine and get it back?
Clair Fleener, chief executive of IT outsourcer InertLogic, got that chance after a laptop belonging to a customer was stolen.
Fleener was instrumental in the investigation that led to the recovery of the laptop, monitoring the activities of the laptop user for two weeks using remote software and sharing the information with law enforcement in Omaha, Neb.
The story starts back in mid-May, right around Mother's Day, Fleener recounted this week. Someone broke into the car of an employee working for an InertLogic customer and stole the laptop, which had work and personal information on it.
Months went by before anyone realized that technology InertLogic uses to help manage equipment remotely was sitting on the laptop and could be flipped on to monitor it. The technology, from Kaseya, captures screenshots from remote machines and can be used to install keyloggers, as well as record audio and images from a Webcam.
Fleener relied only on the screenshots that were captured every 5 or 10 seconds to see what the user of the laptop was up to. Within a short time, he learned the name, address, and other sensitive information about the man using the laptop. (Fleener is careful not to accuse the individual of being the thief because there is no proof of that.)
The man visited Facebook, MySpace, and other social networks, according to Fleener. He used Google to search for auto parts and did queries on how to remove security tags from merchandise. He looked at porn and made pirate copies of DVDs, including "Harry Potter and the Half-Blood Prince." Every time the laptop went online, typically on weekend nights and never on Tuesday, Fleener and others got paged.
Benjamin Lavalley, a senior engineer at Kaseya, figured out that by looking at the nearby Wi-Fi access points and doing an online map search, they could try to find out the exact location of the laptop.
The list of Wi-Fi access points indicated that an AT&T store, a Burger King, and a Cubbies restaurant were all nearby. Lavalley searched Google Earth for a location with those merchants in close proximity and narrowed the location down to a spot about 20 miles away from where the laptop was stolen. A drive-by confirmed it--the laptop appeared to be in an automotive shop and gas station where the man using it happened to work.
This screen shot shows an AT&T store and a nearby Burger King on Google Earth, helping investigators pinpoint the location of the stolen laptop based on Wi-Fi networks available.
(Credit: InertLogic/Kaseya)
On Wednesday night, about two weeks after the sleuthing began, sheriff's agents went to the auto shop and caught the man using the laptop.
"He had a cover story and it was pretty well thought out," Fleener said, explaining why no arrest was made. The man claimed he had bought the laptop from a customer of his for $500 and didn't know it was stolen. Despite losing the money, he handed the machine over with no objections, Fleener said.
"It's like every movie or TV program where there's a mystery involved," Fleener said of the investigation. "You find yourself getting involved in the story. It was very exciting."




