eBay Fraud

eBay fraud is rampant in Romania, Russia and China. In fact, eBay says that the majority of all eBay phishing emails comes from these countries.

Mark Lee is the trust and safety manager for eBay UK and he’s made the following comments:

  • “[there’s] no fear of real punishment [in these countries]”
  • “These attacks are definitely organised”
  • “There are towns in Romania where the entire focus is on sites like eBay as the main source of income”

There have been several hundred arrests in Romania after eBay initiated a campaign to stop fraud, in June 2007. But this hasn’t stopped them and it’s still rampant in these parts.

Techniques used by these criminals include asking eBay shoppers for personal details (when people bid or ask questions on the site) – this is known as phishing and the personal details are later used to commit other crimes.

If you use eBay to buy or sell goods have a read here [ http://pages.ebay.com/securitycenter/ ] for tips and tutorials on eBay security. And continue to read FraudO.com for online security tips.

Bypassing Passwords Using FireWire

firewire cableIf someone has physical access to a computer they have a pretty good chance of bypassing its security. This new attack uses the FireWire port found on some computers and notebooks to access its memory and change the system’s password.

It’s been demonstrated to work on  Windows XP and on Macs, and could possibly affect other systems.

It’s up to companies like Microsoft and other vendors to fix their software to disable this vulnerability. Some lessons to be learnt are:

  • Restrict physical access to your computer
  • Don’t let other people plug devices into your computer
  • Apply software patches from vendors when they become available. Hopefully they’ll patch this problem
  • And if you’re paranoid about this one you can disable FireWire on some computers (by disconnecting the cable inside the computer)

Here’s the article explaining how it works on Windows XP, and here is an article on how it affects Macs.

Haute Secure

Haute Secure is a security service developed by 3 former Microsoft security specialists. It’s designed to filter the web pages you browse and it blocks any websites known to contain malware.

It’s free for people to download and install on their computers. If you run a website they charge money so they can scan your website and alert you if it gets hacked and infected with malware.

Most of the good antivirus packages have had this feature for a long time, and it’s a good idea to invest in one of these.

If you really believe it’s not worth spending money to keep your computer secure and you insist on using free antivirus programs, then this will make a good addition since free antivirus programs don’t usually filter web sites.

Adobe AIR 1.0

Adobe has been making news today for releasing version 1.0 of their AIR framework. AIR is a new way to develop and run programs, it’s a combination of a web page but runs without a web browser.

Adobe Air It has a long list of security features to make programs seem safe. And because of how internet applications work experts agree it won’t be long until this new technology is exploited.

One thing to be careful of is when AIR warns you about “self signed” applications. This means that no reputable company has verified the person who wrote the program. So if you download an AIR application and you get warned about it being self signed, the safe bet is to deny it.

If you’re tempted to play with AIR applications just be conscious of where you’re downloading programs from. They won’t remain safe for long.

Fraud Statistics

The US Federal Trade Commission (FTC) has released a report showing some statistics on fraud for 2007. These statistics come from people who report incidents of fraud to them, so it’s really limited to USA. The problem worldwide would be much much worse.

The top 20 complaint categories were:

Rank    Category    Complaints

  1. Identity Theft    258,427
  2. Shop-at-Home/Catalog Sales    62,811
  3. Internet Services    42,266
  4. Foreign Money Offers    32,868
  5. Prizes/Sweepstakes and Lotteries    32,162
  6. Computer Equipment and Software    27,036
  7. Internet Auctions    24,376
  8. Health Care Claims    16,097
  9. Travel, Vacations, and Timeshares    14,903
  10. Advance-Fee Loans and Credit Protection/Repair    14,342
  11. Investments    13,705
  12. Magazines and Buyers Clubs    12,970
  13. Business Opportunities and Work-at-Home Plans    11,362
  14. Real Estate (Not Timeshares)    9,475
  15. Office Supplies and Services    9,211
  16. Telephone Services    8,155
  17. Employ. Agencies/Job Counsel/Overseas Work    5,932
  18. Debt Management/Credit Counseling    3,442
  19. Multi-Level Mktg./Pyramids/Chain Letters    3,092
  20. Charitable Solicitations    1,843

That’s 258,427 cases of identity theft in one year, in one country! The total fraud losses recorded in this report totals more than $1.2 billion. The full report is here.

Trust Encryption Device (TED)

Australia’s CSIRO has developed a security device for online banking. It’s like a flash drive and contains a virtual computer environment which makes applications like online banking more secure.

However there’s a lot of doubt in the security world. You still need to plug it into a computer for it to start up, and you don’t always know what’s on the computer. Malware could still take screenshots and send them off to some unknown person on the other side of the world, and there’s little explanation on how it’s meant to avoid being tampered with.

It’s a technology to keep a watch on for the future. Full article here.

A New Skype Vulnerability

Skype, the popular internet phone software, has a new vulnerability with the way it handles video links. There aren’t any reported exploits yet but as always it’s only a matter of time.

Skype is susceptible to this vulnerability if all of the following happen:

  • Your computer uses Windows
  • You use Skype version or older (versions 3.5 and 3.6)
  • You do a video search from within Skype
  • The search takes you to a page that’s been hacked

The damage from this is still unproven but it’s fair to say that if someone can write the required malicious code they could use it to any effect they like (such as installing spyware on your computer or taking over its control).

Skype has responded with disabling adding new videos to their Dailymotion gallery. This will slow down the chance of an exploit spreading. And Skype will release a new version soon to fix the vulnerability.

Skype’s report is located here.

Only 5% of Windows PCs are fully patched

A recent survey by a security company called Secunia shows that only 5% of computers are fully patched. The other 95% are running insecure software.

pie_chart It’s important to patch all of your software. This includes the operating system itself (e.g. Windows, Mac OS, Linux), your web browser (e.g. Internet Explorer, Firefox), and all your applications. And of course in an office environment patches should be carried out by IT administrators (complete with backups).

This serves as a gentle reminder to our previous post on patching. Read Secunia’s article here.

Don’t trust public computers in hotels

hotel If you use public computers in hotels and similar environments (e.g. internet cafes) you need to keep in mind that the computer could be capturing your passwords. You can’t just assume it’s a safe computer.

This week a man was sentenced for installing key-logging programs on hotel computers in Miami, Las Vegas, and other US cities. Customers used these computers and whenever they entered a credit card number, the number was captured and used to buy over US$400,000 worth of products and services.

Mario Alberto Simbaqueba Bonilla, a 40 year old engineer, was arrested in Miami International Airport last year and has just pleaded guilty. He installed the key-logging software onto hotel computers and watched as hotel guests used the computers.

This isn’t a once off incident. If the computer isn’t yours then you just have to assume someone can capture your passwords or credit card numbers. If you need to use these computers to log into a corporate network or some other secure service (such as online banking) then think twice. Is it really that important? If so, then change the password as soon as you get onto a different computer.