Spear Phishing – Targetting Students

spear Spear phishing is a term referring to targeted attacks on organisations to collect personal details. This latest warning will explain:

Students and staff at a few colleges and universities in the US have been receiving emails that appear to come from their system administrators. The emails state that a database is being updated and asks users to provide their username, password, and date of birth.

The schools targeted include Columbia University, Duke University, Princeton University, Purdue University, and the University of Notre Dame.

This information is collected by the people who sent the emails and used to compromise their accounts.

Be very suspicious of emails asking you to provide any personal details, especially if you didn’t request the email. And pay particular attention to which website the email links to – it’s a common tactic to use a similar sounding address that contains a typo (something that the human mind sometimes ignores).

Update: Australian universities have also been targetting in this attack. 

Fake IRS Tax Refunds

Emails are being sent claiming to be from USA’s IRS department. They claim to offer a $375 refund for filling out a form. The form is hosted on a hacked web site, not on the IRS’s web site. The form asks for a large amount of personal information including credit card numbers and PIN numbers. This information is collected (a trick known as phishing) and later used to commit identity theft (and effectively stealing your money).

cash_hand When doing any taxes online please ensure the website is correct. See this earlier article on how to recognise deceptive domain names (URLs) and check for SSL certificates on the page (double click on the padlock icon in Internet Explorer, read who owns the site).

Good antivirus packages these days will also keep track of which web sites you go to and alert you if it’s a known fraud site. So it’s a good investment to purchase one.

World of Warcraft Scam

trollThere’s another scam targeting World of Warcraft players. It starts with an email claiming that the recipient’s World of Warcraft account has been suspended. There’s a long explanation and a link to a website.

The website asks for a username and password. It then passes on the username and password to whoever wrote the email, it’s not a legitimate service.

This is called phishing. It works by tricking people into typing in their credentials onto a fake site.

These days good anti-virus packages can filter for these sites. You should also pay careful attention to the web page address. Read this explanation on how to identify false addresses (URLs).

Identity Theft From Call Centres

Identity theft can happen in many ways. Before computers people just stole mail from letterboxes and documents from people’s wallets (watch the movie Catch Me If You Can for an example).

Call centre dummy Then when the internet came along criminals starting tricking people into handing over personal details, or they employ hackers to write spyware that achieves the same result.

A new identity theft trend emerging in the world is coming from call centres. Staff working at call centres have access to the person details of a lot of customers, and since a lot of call centres have been outsourced to countries such as India, the Philippines, etc, companies are having a difficult time keeping things under control.

There’s an article here that mentions a few of the crimes happening in call centres. In summary:

  • Using mobile phones to take screenshots
  • Quickly copying people’s details into hidden books
  • Using USB drives to copy data

Theft of personal information is serious. The information can be easily sold, especially if staff feel they’re underpaid (a likely situation for overseas call centres).

It’s good to remember that in this day and age your personal details can be known to many parties, there isn’t much that’s still personal or secret. Be selective in what information you give to companies. And as mentioned previously don’t give personal details to call centre staff when they call you (instead of you calling them).

How To Recognise URLs

Understanding URLs is extremely important in avoiding online scams. If there’s only one technical skill you need to know about the internet it’s this, and it will save you being caught out one day.

I’ve limited acronyms to just one (URL) to make it easier to understand.

URL. It doesn’t matter what the letters stand for, it means the address of the web page you go to. You get to see URLs in the top of your web browser. An example of a URL is:

www.fraudo.com

You probably see these every day, every page on the internet has one, and you see links for them every day. This is basically how the internet works.

The only other thing you’ll need to keep in mind for this article is that there are good web pages and bad ones – legitimate sites and scam sites created for various evil purposes.

Now we’ll explain how to recognise a good URL from a bad URL.

I’ve made up two names to demonstrate, and apologies in advance to anyone who’s real business name is similar to these (I googled the names and they came up blank so I’m fairly certain they aren’t real business names at the time of writing).

Let’s say a legitimate company is called SomeFancyBank, and that their legitimate website is www.somefancybank.com. It’s the good site. And imagine you have an account with them and a fair bit of money in there.

And let’s say there’s a fraudulent website registered as confusinglookingname.com. So this one is controlled by someone intent on stealing your money, it’s the bad site.

So if you get an email asking you to click on www.somefancybank.com/login.asp you’ll probably feel safe to do so.

If you see a link that looks a little like www.confusinglookingname.com/login.asp you’ll be surprised and you won’t click, it’s a fake website designed to look like the real bank’s site, only they capture your details.

What if the link is www.somefancybank.confusinglookingname.com ? You can see your favourite bank’s name in there so maybe it’s real… Read on, you’ll see why this is definitely illegitimate.

A URL can be broken down into three parts:

1. There’s the stuff at the beginning (often it’s www but doesn’t have to be). And it could be long and could include many dots.

2. Then there’s the domain name (e.g. somefancybank). It’s usually a company name or some other trademark, followed by a .com. There can only be one dot in this part.

3. Then there’s a / followed by a bunch of technical bits. We’re not covering this part in this article. It’s what comes before the / that’s important.

So there are three parts to a URL and we’re only concerned with the first two.

Let’s go straight to some examples (the important bits have been highlighted in bold):

  • somefancybank.com/login.php – good
  • abcde.somefancybank.com – good
  • 123.somfancybank.com/123/456/789 – good
  • abc.somefancybank.com/scaryletters/ – good
  • confusinglookingname.com/login.php – bad
  • 123.abc.zz45xy.confusinglookingname.com/some/fancy/bank – bad
  • www.somefancybank.confusinglookingname.com – bad
  • www.some.fancy.bank.confusinglookingname.com/somefancybank – bad
  • important.clicknow.confusinglookingname.com/some/fancy.bank/login.asp – bad

I’m sure you’re starting to get the idea by now. Now for some trickier examples:

  • www.somefancybank.com.au/login.php – bad
  • www.somefancybank.com.login.confusinglookingname.com – bad

Let’s leave things simple and end it there.

Humans are good at recognising patterns, so when you see your favourite company name in the URL you might immediately think it’s legitimate. Scammers take advantage of this and deliberately make these links to trick people.

You’ll find these fake links in emails, other web pages, chat programs, etc. They’re everywhere so get used to recognising how they work and you’ll be a lot better off.

Using Unsecured Wireless Networks

Sophos (a large IT security company) recently conducted a survey of 560 people. 54% of them admitted to using someone else’s wireless network without permission. That’s more than half the respondents. Why should you care?

If you have a wireless network that isn’t well secured then:

  • Someone could be using your internet account and incurring expenses (or pushing you over a capped limit and effectively slowing down your connection)
  • Someone could be illegally downloading copyrighted content (such as using a file sharing program to download commercial movies – it’s illegal and you’re liable for providing the connection)
  • Someone could be using your internet connection to commit online crimes (just read the posts on this site to get an idea of how common this is).
  • It lets anyone within range bypass your firewall, making your computers and other wireless devices vulnerable. This is especially important if you have wireless in an office environment
  • It’s easier for someone to install spyware on your computer, making activities like online banking very dangerous

aerials The most important reason of these is how easy it makes it for someone to use your network to commit crimes. Imagine being involved in a child pornography investigation, or having your internet disconnected because your network was used to send millions of spam emails.

I’ve written before on how to secure a wireless network and if you haven’t done so it’s worth reading through here.

If you’re in the 54% of people who wouldn’t think twice of using someone else’s wireless network without permission then you should know that:

  • It’s illegal in a lot of countries (people get arrested for this quite often)
  • It’s effectively stealing. It isn’t a victimless crime
  • You can’t trust the network you’re using. It’s easy for someone to setup a wireless network in such a was that they can record all the traffic from it. This is one way to eavesdrop on other people’s traffic and to capture passwords

So the message here is to secure your wireless network, and don’t use other people’s wireless networks without permission.

Statistics Update

Secured CDA quick update about online crime.

In Italy, 26 people were recently arrested for taking part in running phishing sites (web sites that look like bank sites (for example) but are designed to capture your account number and password). Two of these people have already been sentenced (5.5 – 6 years prison). It’s important to realise how common this problem is in the world.

And a short while ago I wrote about some important disks that were lost by the British government, containing personal data on 25 million people. That incident received a lot of press coverage and it’s not an isolated case. This stuff happens frequently, like in Northern Ireland. Two CDs were lost this week by one of their government agencies containing personal data on 6000 residents. These disks were not encrypted, as the previous case. Full article here.

Then in California a laptop was stolen containing personal information on 45,000 patients of Sutter Lakeside Hospital. Again the data was not encrypted, making it all too easy for anyone to use this personal information as they see fit. I recently wrote an article on protecting laptops when used to take home work. Full press article here.

Some lessons to be learnt are:

  • There are a very large number of online criminals doing everything they can to try and steal your money
  • Disks and notebooks (laptops) are lost or stolen all the time. If they contain sensitive information they should be encrypted
  • Keep in mind that your personal details are not all that private anymore

Russian Chat Bot

Female robotIt’s amazing how many new tactics these people come up with in order to steal your personal information. There’s a new “bot” that chats with users on Russian online chat rooms (a bot is a program that mimics a real person online). It’s called CyberLover and apparently it’s quite clever in impersonating a human and gets people talking to it.

During a test it was found that the CyberLover chat bot got 10 real people to have conversations with it, in only 30 minutes. During this conversation it tricked people into providing their real names, contact information and photos. This is all private data, provided to the chatbot.

The darker side of this clever piece of software is that the bot is run by hackers intent on committing identity theft. Personal information like this is regularly sold on an online black market, and then used to commit fraud, such as opening credit card accounts in your name. Serious crimes indeed.

CyberLover is an interesting piece because it has different levels of its personality, and they’re mostly of a sexual nature. This type of conversation seems to get people’s attention more easily making it easier to manipulate them into providing personal information (called Social Engineering).

At the moment this is all in Russian however it won’t be long until it appears in other languages including English.

Wireless Keyboards are easily hacked

Wireless keyboards can be intercepted, very easily. This is something you should be aware of not only when purchasing new equipment but when using someone else’s computer. There’s no real defence against it either, other than using a wired keyboard.

Before I explain the risks let me point out which keyboards it does and doesn’t affect:

  • All keyboards using a 27MHz transmitter are at risk (which includes most of them)
  • Keyboards that advertise "wireless encryption" or "secure" features are also at risk
  • Bluetooth keyboards are safer (though these are generally more expensive)

typewriter The risks of such an "attack" should be obvious – other people within range could be recording every keystroke. This includes the address of websites you go to, usernames, passwords, the contents of emails, chat conversations, etc.

In a business environment this would be a critical breach of security. Giving away passwords, trade secrets, and other sensitive information is quite serious, and in a lot of cases criminally irresponsible. Wireless keyboards that fall into the "at risk" categories above should be banned.

At home the risks are just as serious. Anyone using a home computer to do internet banking should immediately recognise the dangers of giving away too much information (i.e. finding a large amount of money removed from your bank account). Again, either use a wired keyboard at home, a Bluetooth wireless keyboard (expensive), or limit the keyboard & computer’s use to trivial tasks such as gaming.

How does the attack work?

Well, it seems there are only 256 possible encryption codes, so hackers have cleverly written software that tries them all within seconds. Then there are other tricks they use to break the encryption that some keyboards use (for the IT savvy reader, it’s an XOR protocol).

So it takes about 20 to 50 keystrokes before enough information can be gathered to break the encryption.

How close does one need to be to "sniff" wireless keyboard signals? Usually it’s 4-8 feet, or 1-3 metres. But with more powerful aerials this can be extended much further (hundreds of metres).

Also keep in mind that Bluetooth generally isn’t a very security protocol. It’s only considered safer because of how easy it now is to hack normal wireless keyboards. But you shouldn’t use it to keep million dollar secrets.

There’s a video here demonstrating how it works (warning, it’s geeky and technical): Wireless keyboard hacking.

So go back to wired keyboards, they not only more reliable and more secure, they don’t have batteries that need replacing or recharging.