Posts Tagged ‘Phishing’

IBM has released results from its annual X-Force 2010 Trend and Risk Report, highlighting that public and private organizations around the world faced increasingly sophisticated, customized IT security threats in 2010. According to the report, India was the top country for phishing email origination in 2010 at 15.5 percent, followed by Russia at 10.4 percent. Spam volume in India grew continuously from spring 2009 to autumn 2010. The report highlights that the U.S., India, Brazil, and Vietnam were the top four spam-sending countries, accounting for nearly one third of worldwide spam.

Based on the intelligence gathered through research of public vulnerability disclosures, and the monitoring and analysis of more than 150,000 security events per second during every day of 2010, key observations from the IBM X-Force Research team included:

  • More than 8,000 new vulnerabilities were documented, a 27 percent rise from 2009. Public exploit releases were also up 21 percent from 2009 to 2010. This data points to an expanding threat landscape in which sophisticated attacks are being launched against increasingly complex computing environments.
  • The historically high growth in spam volume leveled off by the end of 2010. This indicates that spammers may be seeing less value from increasing the volume of spam, and instead are focused on making sure it is bypassing filters.
  • While overall there were significantly fewer phishing attacks relative to previous years, “spear phishing,” a more targeted attack technique, grew in importance in 2010. This further indicates that cyber criminals have become more focused on quality of attacks, rather than quantity.
  • India, along with the USA, Brazil, Vietnam, and Russia, was among the top five countries for spam origination in 2010.
  • As end user adoption of smartphones and other mobile devices increased, IT security departments have struggled to determine the right way to bring these devices safely into corporate networks. Although attacks against the latest generation of mobile devices were not yet widely prevalent in 2010, IBM X-Force data showed a rise in vulnerability disclosures and exploits that target these devices.

“From Stuxnet to Zeus botnets to mobile exploits, a widening variety of attack methodologies is popping up each day,” said Pradeep Nair, Director, IBM Software Group, IBM ISA. “The numerous, high profile targeted attacks in 2010 shed light on a crop of highly sophisticated cyber criminals, who may be well-funded and operating with knowledge of security vulnerabilities that no one else has. Staying ahead of these growing threats and designing software and services that are secure from the start has never been more critical. We have seen a significant increase in interest from clients in India to enhance the reliability of their security infrastructure.”

The report also discusses the security trends and best practices for the emerging technologies of mobile devices and cloud computing.

Cloud Computing — The report highlighted a shift in perception about cloud security as adoption continued to evolve and knowledge around this emerging technology increased.

Mobile Devices — Organizations are increasingly concerned about the security implications of personal mobile devices used by employees. Organizations must ensure control of their data regardless of where it is, including employee-owned or business-issued smartphones.

Additional trends highlighted in the report included:

The new, sophisticated face of cyber crime — From a security standpoint, 2010 is most remembered as a year marked by some of the most high profile, targeted attacks that the industry has ever witnessed.

If you are seeing tweets right now from Twitter users, you may be misled into thinking that U.S. news organization CNN has revealed that Osama bin Laden is alive, Internet security firm Websense has reported.

The tweets lead to a phishing page.  Tweets are being posted by users right now at the rate of several hundred tweets per second and include:

omgg osama is alive!!! cnn confirmed that he’s still out there :((

I cant BELIEVE osama is still alive – CNN confirmed he around stillll :O

OMG CNN confirmed that they found Osama alive still ! ! !

Tweets lead to a bit.ly redirector that takes the user to a convincing phish page designed to harvest the user’s Twitter account credentials.

A user who enters credentials is then taken to a YouTube video related to the topic of the scam, a CNN video discussing the news “‘Osama is alive’ say protestors.”

The redirection chain is thus: hxxp://bit.ly/m[removed]Y -> hxxp://twitter.[removed].ru/relogin.php -> hxxp://www.youtube.com/watch?v=Ga[removed]Mg

Twitter trend-tracking service Trendistic recorded this scam as being 1% of the volume of all tweets some 8 hours ago.  The current rate of tweets is around 200 per minute, so the phishing page could be successfully harvesting Twitter account credentials and then tweeting on their behalf, thereby spreading the phishing links.

When Osama bin Laden’s death was announced, we saw Facebook status updates offering a video of the events.  Malware authors often use news events to entice and trick users into performing actions such as following website links.

Websense Security Labs advises Twitter users who believe they may have fallen for this scam to change their passwords immediately and to check their Twitter feeds for postings related to this scam topic.

Carl Leonard, Senior Manager, Websense Security Labs said, “Using Twitter to perpetuate a scam is as regular an occurrence as changing socks. It’s interesting in this case to see how the malware authors ‘make’ the news to spread their scams. At the current rate of 200 tweets per minute, this particular phishing page can successfully harvest Twitter account credentials and further spread phishing links by tweeting on unsuspecting users’ behalf. If you believe you may have fallen for this scam – change your password immediately.”

The next time you are prompted to enter your Facebook or Twitter password after clicking on some nice ad, make sure the location bar of the browser says ‘facebook.com’ or ‘twitter.com.’ Moving beyond their favorite targets, corporations, cybercriminals are now targeting the least secure users of all, the end consumers, notes the latest Microsoft Security Intelligence Report.
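The location-bar advice above is easy to get wrong: a naive substring check passes a host such as twitter.something.ru, which is exactly the shape of the credential-harvesting host in the Websense redirect chain. The following Python script is an added example written for this page, not code from Websense, Microsoft or any of the vendors quoted; it checks whether a URL's host really is one of the legitimate login domains (or a subdomain of one), refangs the hxxp:// notation the post uses, and walks a redirect chain hop by hop. The allowlist, the sample URLs and the chain are constructed assumptions modelled on the chain quoted in the post, with the removed parts replaced by obvious placeholders.

```python
"""Location-bar check: is this URL's host really the site whose login page it claims to be?"""
from urllib.parse import urlsplit

# Assumption for this example: the two sites the advice names.
LEGITIMATE_DOMAINS = ("twitter.com", "facebook.com")


def refang(url):
    """Turn the defanged hxxp:// or hxxps:// notation back into a parsable scheme."""
    if url.lower().startswith("hxxp"):
        return "http" + url[4:]
    return url


def hostname_of(url):
    """Return the normalised host: lowercased, userinfo and port stripped, trailing dot removed."""
    host = urlsplit(refang(url)).hostname  # None when the URL has no network location
    if host is None:
        return ""
    return host.rstrip(".")


def is_legitimate_login_host(url, allowed=LEGITIMATE_DOMAINS):
    """True only if the host equals an allowed domain or is a subdomain of it.

    Suffix matching on '.' + domain rejects eviltwitter.com, twitter.com.evil.example
    and twitter.com@evil.example (userinfo trick), all of which contain 'twitter.com'.
    """
    host = hostname_of(url)
    return any(host == d or host.endswith("." + d) for d in allowed)


def check_chain(chain, allowed=LEGITIMATE_DOMAINS):
    """Annotate each hop of a redirect chain with its host and whether it is a legitimate login host."""
    return [(hostname_of(hop), is_legitimate_login_host(hop, allowed)) for hop in chain]


# Constructed chain shaped like the one in the Websense post; the [removed] parts are
# replaced with placeholders here, they are NOT the real values.
EXAMPLE_CHAIN = [
    "hxxp://bit.ly/EXAMPLE",
    "hxxp://twitter.lookalike-example.ru/relogin.php",
    "hxxp://www.youtube.com/watch?v=EXAMPLE",
]

if __name__ == "__main__":
    for host, ok in check_chain(EXAMPLE_CHAIN):
        print(f"{host:40s} legitimate login host: {ok}")
    # Only the middle hop asks for credentials, and it is not twitter.com: that is the phish page.
```

Run it with no arguments to see the three hops annotated; the credential-entry hop (the .ru host) is flagged because the host neither equals twitter.com nor ends in ".twitter.com". The same suffix rule is what a browser's location bar is silently asking you to apply by eye.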

Gone are the days of alluring emails asking you to part with your bank account details to claim your million dollar prize; cyber criminals now prefer to ‘hang out’ at your favorite social networking site. According to the Security Intelligence Report — a quarterly security-related update from the world’s biggest software firm, Microsoft — social networks accounted for 84.5 percent of all attempts to steal personal data from users in December 2010.

In comparison, only 8.3 percent of all such attempts — known as phishing — occurred through social networks in January 2010. There has been an increase of 1200 percent in phishing through social networking sites, as these venues have become lucrative hot beds for criminal activity, the report warns.

The attacks take the form of advertisements and links on Facebook and other social networks that appear to be legitimate marketing campaigns and product promotions but are actually just traps to steal your data. They take the form of pay-per-click schemes, false advertisements, or fake security software sales.

“Social networking is on a high and cybercriminals and these sites have created new opportunities for cybercriminals to not only directly impact users, but also friends, colleagues and family through impersonation,” says Sanjay Bahl, Chief Security Officer, Microsoft India.

The ultimate aim is to get users to download and install their programs, which then make use of the victim’s computer to spread themselves as well as to steal all kinds of data entered through the computer. Social networking viruses, Microsoft points out, are especially risky in India since the country has some 50 million (5 crore or 4% of the population) social networking users.

Interestingly, Microsoft owns 5% of Facebook — a site whose revenues may be hit if people stopped clicking on its ads.

According to the report, the most common category of unwanted software in India was Worms, which affected 42.5 percent of all infected computers, down from 45.4 percent in the last quarter. Worms are self-replicating programs.

The second most common category in India was Misc. Trojans, which affected 33.9 percent of all infected computers, down from 34.5 percent in the last quarter. Trojans, which may also be worms, have the additional characteristic of being harmful to the user and are often used to steal data.

In a first of its kind report, the U.S. Federal Bureau of Investigation (FBI) has quantified the economic impact of Chinese hackers on U.S. businesses. According to a fraud alert from the FBI, U.S. businesses have been taken for at least $11 million over the last year thanks to unauthorized wire transfers to China. Cybercriminals have been compromising the businesses’ banking credentials in order to send money overseas.

At least 20 incidents occurred between March of 2010 and April of 2011 that resulted in the credentials of small-to-medium-sized businesses being compromised. According to the FBI, the typical scenario involves scammers sending phishing e-mails to the business in question, at which time someone enters the business’ banking credentials into a malicious website. The scammers then use the credentials to log into the business’ real banking website in order to wire money to “Chinese economic and trade companies.”

In just a year, this resulted in $11 million in losses, with transfer amounts ranging from $50,000 to $985,000 at a time. The total attempted amounts were closer to $20 million, though—the FBI says that many attempted transfers were over $900,000, but the scammers are usually more successful trying smaller amounts. On top of the electronic wire transfers, some of the scammers also sent domestic money mules to the U.S. in order to make further fraudulent transactions.

“The economic and trade companies appear to be registered as legitimate businesses and typically hold bank accounts with the Agricultural Bank of China, the Industrial and Commercial Bank of China, and the Bank of China,” the FBI warned. “At this time, it is unknown who is behind these unauthorized transfers, if the Chinese accounts were the final transfer destination or if the funds were transferred elsewhere, or why the legitimate companies received the unauthorized funds. Money transfers to companies that contain these described characteristics should be closely scrutinized.”

The FBI says that some—but not all—cases seem to involve attacks through malware such as ZeuS, Backdoor.bot, and Spybot.

The Identity Theft Resource Center has found that hacking accounted for the largest number of breaches in 2011 year-to-date.  Almost 37% of breaches between January 1st and April 5th were due to malicious attacks on computer systems.

This is more than double the amount of targeted attacks reflected in the 2010 ITRC Breach List (17.1%).

Note that these numbers do not include the recent hackings of enormous quantities of email addresses from companies. Email addresses alone do not pose a direct threat as long as consumers realize that they are more susceptible to phishing scams. Phishing scams try to trick readers into providing personal information that can be used for identity theft.

Paralleling the ITRC breach report finding is the recently released Symantec Internet Security Threat Report. This report discloses that over 286 million new threats were identified during 2010. Additionally, the Symantec report said they witnessed more frequent and sophisticated targeted attacks in 2010. This may partially explain why the ITRC observation of increased hacking has occurred so quickly.

Additionally, a new survey by McAfee found that the most significant threat to businesses was data leaked accidentally or intentionally by employees. ITRC views these as two different types of breaches. Accidental breaches are those that happen by employee mistakes, and while they cause harm, the people who made a mistake never intended to injure the company. However, the insider who intentionally steals or allows others access to personal information is considered a malicious attacker.

“At first it may be difficult to know if a hacking was perpetrated by an insider or outsider,” says Linda Foley, founder of the ITRC and data breach report manager. “ITRC does not have access to the Secret Service’s forensic information, so we can only report on situations when information is released.

As of April 5, 11.6% of 2011 breaches with known forms of leakage were insider theft.  When these events are added to known hacking attacks, ITRC’s breach database report indicates that 48.2% of published breaches are some form of targeted attack.”

The business community seems to be taking the brunt of hacking attacks, according to published reports of breaches. In fact, 53.6% of all breaches on the ITRC report were business related. The other categories, “Banking/Credit/Financial,” “Educational,” “Government/Military,” and “Medical/Healthcare,” all dropped in their respective percentage of reported breaches.

Unfortunately, it is still difficult to ascertain the true cause of many breaches due to entities publicly stating “the information was stolen” or “due to theft.” Additionally, nearly half of breached entities did not publicly report the number of potentially exposed records. Several medical breaches ranging up to 1.9 million records caused a spike in the total records for the health services field.

This was probably due to mandatory reporting by HHS. Since other entities do not have that type of requirement, it is likely that entities in other categories also had breach events with large record exposure numbers that went publicly unreported.

No conclusions can be drawn yet about how this year will compare to prior years. The one thing that is consistent, year after year, is that data breaches will occur. These events are outside the realm of consumer control. Due to our individually broad electronic “footprints”, our Social Security numbers and financial account numbers are in a vast pool of information that can be breached.

The responsibility for protecting this personal identifying information is fully on those who request and store it. All entities that collect personal information need to understand and embrace the concept that only they can safeguard our information and that this safeguarding must be an urgent priority.

Not only are hackers winning, but so are the thieves who steal unattended laptops and dig into dumpsters behind companies for paper data. Breaches just don’t happen, they are allowed to happen. ITRC will continue to track, analyze and report on the situation of breaches of personal information.