A few months ago someone brought me a laptop saying that it needed its virus software updated. When I looked at it, I found that attempting to run any Windows process resulted in a popup window saying that the file was infected with a virus and that the antivirus software needed to be updated (in other words money had to be paid) to clean the infected files.  It took a while to finally get rid of the infection, but I wondered how the user got this virus.

Then while visiting the WordPress blog of a Twitter friend, I get the following very realistic popup indicating that a virus was found on my computer.  (There was a rash of WordPress hackings at specific web hosting providers.)  The popup looks exactly like Windows Explorer.

(Click to enlarge)

This is a mere screen capture of a Flash animation that made it appear like my machine was being scanned by legitimate antivirus software.  When it popped up, I was a little freaked out because it was pretty alarming.  I was, however, browsing with the Linux operating system at the time.  If you look closely at the screen print, you will see that the fake Windows Explorer appears in a Firefox browser window.  You will also notice that this fake antivirus scan does not say McAfee, Norton, Symantec or any other well known antivirus software.

After taking the screenprint I attempted to close the Firefox browser.  The Flash animation would not allow me to close the window without downloading an executable file that had I been using a Windows machine would install fake antivirus software.

This malware relies on the users’ fear of malware to get the user to install it.  After installation, it then essentially asks for money (to clean the supposedly infected system files) to be able to do the most basic task in Windows.  This type of malware is called ransomware in that it holds your system hostage until you pay money to regain access.  An unsuspecting user would likely pay to make their computer work again future opening them up to additional exploitation since criminals would then have the user’s credit card information and who knows what type of malicious activities the still installed software will actually do on their computer.

Legitimate virus  protection can help identify many malware threats but it’s not a panacea.  It doesn’t even matter what operating system is being used if the user will install anything.  Granted this particular malware is targeted specifically to Windows users, but malware is being created for other popular operating systems as well.  Therefore awareness is just as important as technological solutions especially since technological solutions tend to be reactionary.  A good rule is to ignore popups and kill any kind of forced downloads.

It is also important to keep up with updates and patches for your software.  I wonder what kind of damage could have occurred had I been using Internet Explorer 6 on a Windows machine.  If you are using this, please upgrade to Internet Explorer 8.  Also consider installing Firefox and/or Google Chrome.

You might also be interested in:

• Trojan Outbreak on Facebook

A few days ago I received a spammy email that appeared to be from someone I’ve known for a long time.  I was pretty sure that it wasn’t from the individual but maybe a coincidence since he has a common name; that is, until I looked at the email address the message was sent from; it was his Hotmail address.  I also found this same message in another of my email accounts.

I contacted him about the messages and he had no idea how they were being sent.  Looking that the email headers, one can see that the email was not spoofed as it actually originated on the Hotmail service.  The headers also show that originating IP address is in Asia.  Someone (or an automated process on a server) in Asia logged into my friend’s Hotmail account and sent emails to his contacts and who knows who else.

What Probably Happened

In October, it was reported that the passwords of tens of thousands of users of the Windows Live Hotmail email service were leaked online.  Microsoft confirmed that these passwords were obtained as a result of a phishing scheme.  If this is the case, any email service could be a target of such attacks.  In addition to sites that might pretend to be related to Hotmail to get a user to enter their login credentials, there are an unlimited number of seemingly innocuous websites that ask for email credentials many times social networking sites in order to see if the user’s friends are already using their service.  In fact, services like Twitter, MySpace, FaceBook, and LinkedIn have done this very thing to get more users on their sites.  Another factor is trojans that hide on a user’s computer with the sole purpose of stealing passwords.

Spam Isn’t the Real Issue

What many people fail to realize is that when you give away the password to your email account you are essentially giving away the keys to the kingdom.  Many users have financial and other personal information stored in their email accounts.  New websites pop up everyday and there is no way to know how reputable those sites are.  Even when the company is reputable, what happens to the data it has collected if it folds?

You Have to Protect Your Data

The weakest link in information security is always the users themselves.  Users have to be more vigilant in protecting their information.  There is only so much service providers can do if users give out their passwords themselves.

To resolve my friend’s immediate problem, I recommended that he change his Hotmail password and scan his computer for trojans.  The real solution, however, is to prevent disclosure of his password – accidental or otherwise.  It is also a good idea to change the password periodically.

You might also be interested in:

• Phishers Target State Department Credit Union
• Facebook Security Snare
• CheckFree: A Case of Phishing, Pharming and Drive-Bys

Rocky Mountain Bank, a small regional bank in Wyoming, has been in the news recently because it sued Google to reveal the identity of the owner of a GMail account to which the bank accidentally sent customer data. In addition, the bank wanted Google to delete that email as well as deactivate the user’s account. Many articles I’ve seen about the incident focus on the privacy of the GMail user.

More concern should be focused on Rocky Mountain Bank’s 1,325 loan customers. The bank sent their names, addresses, social security numbers and loan balances to the “wrong” GMail address. There are just so many things wrong with that statement. Most glaring is how could this information ever be sent to the right GMail account. This bank has opened up 1,325 people to the possibility of the irreparable damage of identity theft.

As a financial institution, Rocky Mountain Bank is bound by regulations meant to protect consumers from having their personally identifiable information exposed. The bank was completely and utterly reckless in the way this was handled. It is likely that the bank could be fined. The bank may even face lawsuits.

What They Did Wrong

They emailed personally identifiable information.
First, personally identifiable information should never been emailed even if requested. The moment unencrypted data is transmitted over the internet, that data is practically available for all to see. Data is stored at each server it has to traverse to get to its destination. It can also be intercepted by anyone on that route. While RMB focused on that one email account, it is impossible to delete all traces of this data as it could be anywhere by now. If this user is in a country that does not cooperate with U.S. law enforcement and has already downloaded or otherwise saved the email, that user is not subject to any litigation originating from the U.S. This data could already be available on the black market.

They did not use encryption.
If there is no other way to transmit the information other than email it must be encrypted. That data must be encrypted whether it’s at rest (on a hard drive, in a database, on a floppy, etc.) or whether it’s in motion (emailed, FTPed, etc.). This is a very basic principle.

Does anything else matter?
The bank could have also used filtering on outgoing messages to recognize sensitive data being emailed. The bank could have also double checked the email address that the message was being sent to as well as the actual email attachment. Or the bank could have implemented a secure messaging system so sensitive information never leaves their network. I’m not so sure this is the point, however. The fact that the wrong file was sent and the wrong email address are beside the point. If the bank made a habit of encrypting data and not sending financial records via email, all the other “what ifs” regarding the incident wouldn’t matter.

They covered their butts first.
In requesting these court orders Rocky Mountain Bank wanted the lawsuit sealed. That to me looks like the bank was trying to protect itself hoping the details of this data breach would not be exposed. The bank has most likely reported the breach to its customers but likely not how the breach occurred. What they have done by getting the email deleted, receiving the GMail user’s identity and deactivating that account does nothing to remedy a situation that cannot be remedied. This bank should bear sole responsibility for releasing customer information in such a reckless manner and should be held accountable.

Rocky Mountain Bank found that the email containing the sensitive data was not read by the email account owner. Rocky Mountain Bank has dropped its lawsuit against Google. Bank representatives are certainly relieved but this hardly means the data is not available elsewhere.

You might also be interested in:

• CheckFree: A Case of Phishing, Pharming and Drive-Bys
• Data Loss, Identity Theft and Credit Card Fraud Links
• Mobile Websites Suck

With Twitter’s relatively new popularity come those who want to exploit it for financial or other type of gain.  A few weeks ago Twitter users were being sent links to malware.  Those who clicked the links were directed to a site where malware was downloaded.  The malware then sent out links from the newly infected computer using the user’s Twitter account.  It connects to other social networks that the user may be logged into as well.  The malware primarily affects the Windows operating system and the anti-virus programs are not likely to detect it because of it’s dynamic nature.  This is the same trojan that has proliferated on MySpace and Facebook.

Suspicious Links

Twitter responded by suspending infected accounts and resetting passwords.  This, however, will not help you protect yourself from scammers.  There are numerous ways that suspicious links are sent.  One method involves Twitter accounts unknown to you sending you links.  These are easy to ignore.  The more effective manner is for malicious programs to send links to you from people you already know and trust which is why these malware programs are hard to avoid.

URL Obfuscation

Getting people to click on links has been successful because the malware takes advantage of the URL obfuscation created by URL shortening services.  Given that, it may be effective to avoid clicking on links all together.  However, avoiding links completely would likely make your Twitter experience less enriching.  One does not have to resort to such drastic measures.  Many URL forwarding services provide functionality to preview a link.  Here are examples from TinyURL and bit.ly:

URLs Revealed

Instead of manually typing the URLs, you can use Twitter clients that allow you to see the actual URL.  My favorite client that allows this is TweetDeck.

If you prefer the web client, you can use the Power Twitter Firefox extension.  Not only does Power Twitter expand short URLs but it also displays photos and video inlne in your Twitter stream.

Another option if you are using the web interface is the Long URLs Please Firefox extension.  It will expand URLs on any web page which is good for other sites where you may see shortened URLs as well.

Other options include looking at your Twitter stream using Friendfeed as it automatically expands short URLs.  Many people are already reading tweets on Friendfeed due to various changes to the Twitter service so it may not be that much of a stretch to use Friendfeed to see links as well.  (Of course, your Twitter friends have to be Friendfeed users as well.)

I applaud Twitter for trying to the curb the proliferation of Koobface but it’s really up to the users not to get infected: we need to be aware of what we are clicking.  Tools like TweetDeck, Power Twitter, Long URLs Please and FriendFeed can help you make informed decisions about what you click before you click it.

You might also be interested in:

• Twitter Cracking Down on Intentional Trending?
• Twitter as Travel Advisory System
• CheckFree: A Case of Phishing, Pharming and Drive-Bys
• The Curious Case of Julie Amero

A lot of attention has been given to increasing awareness about phishing. The goal of phishing is to lure unsuspecting people to voluntarily give up their website credentials with the intent of exploiting those credentials for financial or other gain. Some phishing scams only seem to spam and propagate itself. Most web savvy users know not to trust emails that appear to be from his bank about a security breach including a link to log in to verify the account. But is that all one needs to know?

On December 16, 2008, I received an email from CheckFree, an online bill payment service, saying that my computer may have been exposed to malicious software putting my computer at risk. At first glance, I thought it was a phishing scheme but then noticed that my full name and address were included in the email. After reading the email again I realized what must have happened. Customers who tried to log into CheckFree’s bill payment service were redirected to a site that downloaded malware onto their computers. (Forgive me for being the high-technology crime investigation geek but I was intrigued by that redirection process (called pharming). I did a paper on phishing and pharming a few years ago but at that time there were no concrete examples of pharming.) Like phishing, pharming involves sending a user to fake websites that look like the actual site in an effort to get the user’s account credentials or other personal data, but with pharming the URL in the address bar will be that of the actual site making it difficult to identify it as a fake. In such a case you can’t trust your eyes or your browser.

Without looking further, the drive-by malware download would make it appear that CheckFree had been hacked, however, the criminals did not have to do that. Pharming instead involves gaining access to a websites domain registrar to point the website URL to a nefarious server. That is what happened here. Access to CheckFree’s account at Network Solutions was obtained by sending a phishing email to CheckFree’s system administrators. The Network Solutions account was then used to point the CheckFree.com domain to a server in the Ukraine.

In this attack, users received a blank page and a drive-by malware injection at CheckFree’s site. If the attackers had put up a login page instead we would probably be hearing about all kinds of suspicious payments right now. A login page would have affected more users: while the malware only affected Windows users, a login page would have affected users regardless of the operating system. We still don’t know how many customers were affected or what the malware does.

I was not affected outright by this attack for several reasons including that I stopped using the MyCheckFree.com branded bill payment service opting instead to use the one provided by my bank. The troubling thing about this, however, is that CheckFree is the largest bill payment provider in the United States. If you are using an online bill payment service provided by your bank, it is most likely a co-branded CheckFree service. What I have read about this pharming incident is suggests that only users of the MyCheckFree.com website were affected. But I do wonder if any of their other services could be affected by this attack. CheckFree has also started notifying customers who use their bill payment service through banks. In addition, I wonder if any payment information in transit could have been affected or accessed. I was a developer in the electronic payment group of a bank some time ago and I don’t quite remember if payment information between banks is sent via the domain address or an IP address but it’s a question worth asking. With the encryption and authentication schemes that they use that might not have been a problem but I haven’t seen it mentioned anywhere.

According to accounts I read, 5 million customers could have been affected by this attack. It is our job as customers to be vigilant in holding companies accountable for protecting our personal data. To it’s credit CheckFree is contacting customers and offering complementary virus scanning software. But is that enough? If the hacker had gained access to customers’ accounts, they would have access not just to bank accounts but also to creditor accounts. It’s hard to even imagine the amount of work to remedy those kind of consequences.

Photo credit: iStockPhoto

You might also be interested in:

• Facebook Security Snare
• Are You Spamming Everyone You Know?
• Bank Emails Customer Data to Wrong Account Exposing 1,325 Customers to Potential Identity Theft
• Koobface Comes to Twitter: Are You Protecting Yourself?

The case involving Julie Amero was decided the day after Thanksgiving. For those that are not familiar, Amero is the substitute teacher in Connecticut that was convicted last year of 4 felony counts of “Risk of Injury to a Child” stemming from a 2004 incident involving porn popups displaying on a classroom computer while students were present.

During the trial witnesses for the State of Connecticut testified that evidence showed that Amero had to have purposely clicked on the linked for the porn sites. The defense’s expert was not given the opportunity to testify but it was his theory that the computer was infected with malware from a hair website that caused the porn popups. Both theories were wrong. According to a report released by Alex Eckelberry, et. al., who examined the computer’s hard drive after the conviction, the computer was infected with newdotnet, spyware that was installed one week prior to the instance bundled with a Halloween screensaver.

This conviction was thrown out but this has proven all for naught though as Amero has accepted a plea agreement for her new trial due to health problems related to stress. The plea agreement resulted in a $100 fine and revocation of her teaching credentials. So she is essentially being punished though she is clearly innocent. This case drives home something that is of the utmost importance in cases involving electronic evidence – both the prosecution and the defense must utilize qualified experts do a thorough examination of the evidence. Had the prosecution thoroughly examined the drive in a forensically sound manner, they would have no doubt found exculpatory evidence related to this case. Had the defense thoroughly examined the drive, they would have been able to defend against the prosecution presenting actual evidence instead of theories. The best way to counter electronic evidence is not with testimony, demonstrations and shaky theories but with electronic evidence.

In addition to having qualified computer forensic experts, it’s also important to have counsel that is not only computer-literate but also understands electronic evidence. Such counsel on either side would be able to recognize misleading testimony.

With Jammie Thomas’ copyright infringement case, I originally felt that qualified experts were not used because of cost but in both cases, it seems that the reason was more likely lack of awareness of computer forensic experts. In the case of Julie Amero, help from computer forensic experts was received after the case was already in full swing when it was too late. The experts became involved because of the media coverage of the case. How many other cases are involving electronic evidence are going on that aren’t receiving media coverage?

Not only is it a lack of awareness on the part of people who need computer forensic experts but also we (computer forensic experts) don’t seem to make our existence known. To that end, here are some places to find computer forensic experts. Looking at the websites, some don’t seem to focus on people who need to find an expert. The HTCIA, however, has recently created a Computer Forensic Examiner locator.

• International Society of Forensic Computer Examiners
• International High Technology Crime Investigation Association (members are not allowed to work on criminal defense cases unless approved and on a pro-bono basis)
• SANS Institute – Certified Computer Forensics Analysts
• International Association of Computer Investigative Specialists (members are law enforcement)
• High-Tech Crime Cops (mostly law enforcement)

It is important to note that members of some of these organizations don’t do criminal defense work but that does not mean that they wouldn’t given the right case. Nevertheless these organizations are a good starting point for looking for qualified computer forensic services.

While I use computer forensics to identify unethical and illegal behavior, I don’t think anyone should be punished due to misinterpretation of evidence or because a thorough examination of that evidence was not done.

You might also be interested in:

• Koobface Comes to Twitter: Are You Protecting Yourself?
• CheckFree: A Case of Phishing, Pharming and Drive-Bys
• Capitol Records, et. al. v. Jammie Thomas

Most of my Twitter conversation yesterday focused around data loss, identity theft and credit cards. The point of the discussion was that while consumers must be vigilant to protect their personal and financial data, most of it is out of their hands. The bigger problem is protecting the organizations that collect, transport, and store this data.

Because it’s difficult to fully convey this kind of information in 140 characters, I decided to put together a “bibliography”. These links are divided into general information, data collecting third-parties, merchants, banks and government.

General information

Identity Theft More Often an Inside Job
http://www.securityfocus.com/news/1727

Consumer data protection faces legal, tech hurdles
Experts agree that much work needs to be done by lawmakers and technology providers to foster an online environment in which consumer data is better defended from cyber-crime and misuse
http://www.infoworld.com/article/07/04/18/HNaotasummit_1.html

Survey: Congress falling down on data protection
http://news.cnet.com/Survey-Congress-falling-down-on-data-protection/2100-1029_3-5737983.html

Schwarzenegger vetoes data-breach bill
http://www.securityfocus.com/brief/607

Data collecting third-parties

Advertiser Charged in Massive Database Theft
http://www.securityfocus.com/news/9189

Hacker accesses customer information from database manager Acxiom
http://www.securityfocus.com/news/6665

Federal charge filed against Ohio man accused of hacking Acxiom
http://www.securityfocus.com/news/6733

Burned by ChoicePoint breach, potential ID theft victims face a lifetime of vigilance
http://www.securityfocus.com/news/10552

Merchants

Debit-card fraud underscores legal loopholes (Sam’s Club, OfficeMax)
http://www.securityfocus.com/news/11381

TJX completes Mastercard breach settlement
http://www.securityfocus.com/brief/740

Gov’t charges alleged TJX credit-card thieves
http://www.securityfocus.com/news/11530

Ralph Lauren, HSBC in data breach debacle
http://www.securityfocus.com/news/10921

Two retail breaches threaten consumers
http://www.securityfocus.com/brief/411

TJX breach larger than previously thought
http://www.securityfocus.com/brief/441

Report: TJX thieves exploited wireless insecurities
http://www.securityfocus.com/brief/496

ID Theft Alleged at D.C. Blockbuster
Ex-Worker Accused of Taking Customer Data, Spending $117,000
http://www.washingtonpost.com/wp-dyn/content/article/2005/04/25/AR2005042501411.html

Banks

MasterCard warns of massive credit-card breach
http://www.securityfocus.com/news/11219

MasterCard backs off Security, Leave Cardholders at Risk
http://www.securityfocus.com/archive/107/436227

Lessons learned: The Citibank ATM breach
http://searchfinancialsecurity.techtarget.com/tip/0,289483,sid185_gci1329591,00.html

Citibank debit card fraud highlights ATM vulnerabilities
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9106958

Citibank security breach: undisclosed *internally*, let alone publicly?
http://www.boingboing.net/2006/03/06/citibank-security-br.html

International Citibank Customers Shaken By Data Breach
http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=181502068

Government

TSA loses 100,000 employee records
http://www.securityfocus.com/brief/498

U.S. Government Flunks Computer Security Tests
http://www.securityfocus.com/news/1693

Online attack exposes 197,000 personal records (University of Texas at Austin)
http://www.securityfocus.com/brief/193

Veterans Affairs warns of massive privacy breach
http://www.securityfocus.com/news/11393

You might also be interested in:

• Bank Emails Customer Data to Wrong Account Exposing 1,325 Customers to Potential Identity Theft
• CheckFree: A Case of Phishing, Pharming and Drive-Bys

I think everyone should take a look at this article about a work at home scam called reshipping. The interesting thing about this scam is that it also incorporates two other scams (overpayment refund and identity theft).

In addition here’s an article on a loan scam that might interest some as well:

These scams take advantage of those who are unaware of how these processes actually work or those who are desperate for a job or a loan.

Always be careful. Some skepticism is healthy.

You might also be interested in:

• No Related Post