<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
> <channel><title>gHacks Technology News &#124; Latest Tech News, Software And Tutorials &#187; phishing</title> <atom:link href="http://www.ghacks.net/tag/phishing/feed/" rel="self" type="application/rss+xml" /><link>http://www.ghacks.net</link> <description>A technology news blog covering software, mobile phones, gadgets, security, the Internet and other relevant areas.</description> <lastBuildDate>Fri, 10 Feb 2012 16:53:42 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <atom:link rel="hub" href="http://pubsubhubbub.appspot.com"/><atom:link rel="hub" href="http://superfeedr.com/hubbub"/> <item><title>Tech Coalition is Formed to Stop Phishing</title><link>http://www.ghacks.net/2011/11/30/tech-coalition-is-formed-to-stop-phishing-permenantly/</link> <comments>http://www.ghacks.net/2011/11/30/tech-coalition-is-formed-to-stop-phishing-permenantly/#comments</comments> <pubDate>Wed, 30 Nov 2011 11:11:04 +0000</pubDate> <dc:creator>Mike Halsey MVP</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[aol]]></category> <category><![CDATA[Google]]></category> <category><![CDATA[microsoft]]></category> <category><![CDATA[phishing]]></category> <category><![CDATA[yahoo]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=53441</guid> <description><![CDATA[Phishing emails are a huge problem, and numerous attempts to rectify it have so far failed.  Now a large group of tech companies have joined forces with a start-up company called Agari to try to stop phishing emails from even reaching your inbox.  Microsoft, Google, AOL, Yahoo! and other firms have all [...]]]></description> <content:encoded><![CDATA[<p>Phishing emails are a huge problem, and numerous attempts to rectify it have so far failed.  Now a large group of tech companies have joined forces with a start-up company called Agari to try to stop phishing emails from even reaching your inbox.  Microsoft, Google, AOL, Yahoo! and other firms have all joined forces on the project so they can share information from phishing emails.</p><p>This data will be analysed by Agari to see how phishing attacks can be identified and prevented.  The company has actually been in operation since 2009 and helps protect over 1 billion email accounts from these types of attack.  The company already collects data from around 1.5 billion emails a day, though they don&#8217;t collect the actual email messages.</p><p><img
class="alignleft size-full wp-image-53442" src="http://www.ghacks.net/wp-content/uploads/2011/11/phishing1.jpg" alt="" width="189" height="178" />Instead, the company just passes on the malicious URLs in the messages to the relevant companies whose name is being used in the phishing message.  Google said it expects the new arrangement to benefit Gmail users as more mail senders will now be authenticating email and implementing common phishing blocking policies.</p><p>Cnet <a
href="http://news.cnet.com/8301-27080_3-57333419-245/google-microsoft-yahoo-aol-join-agari-anti-phishing-service/?tag=mncol;cnetRiver" target="_blank">reported</a> that Daniel Raskin, the vice-president of marketing for Agari, said&#8230;</p><blockquote><p>&#8220;Facebook can go into the Agari console and see charts and graphs of all the activity going on in their e-mail channel (on their domains and third-party solutions) and see when an attack is going on in a bar chart of spam hitting Yahoo.  They receive a real-time alert and they can construct a policy to push out to carriers (that says) when you see this thing happening don&#8217;t deliver it, reject it.&#8221;</p></blockquote><p>Phishing emails aren&#8217;t just a nuisance: they cost businesses millions every year in credit card insurance payouts, a cost which is inevitably passed on in interest charges.  Phishing messages are increasingly sophisticated: they purport to be from a bank, business or website and ask you to log in to confirm your security details, or offer you a fantastic deal that doesn&#8217;t really exist, again to get your personal details including those for your credit card.</p><p>The simple rule is that <strong>no bank, company or website will EVER email you asking you to log in and confirm your details</strong>.  Modern web browsers will highlight the actual domain name for the site you are visiting, for example PayPal.com, so you can see if you are being diverted to a different domain.  The best rule is that if you receive an email purporting to be from, say, Bank of America, then never click on the link.  Instead, manually go to the bank or company&#8217;s website and log in yourself.</p><p>Agari says they have been operating in &#8220;stealth&#8221; mode for the last few years so as to try not to attract too much attention to their work.  Currently they analyse 50% of all email traffic in the US.  
Cnet say&#8230;</p><blockquote><p>The company aggregates and analyzes the data and provides it to about 50 e-commerce, financial services and social network customers, including Facebook and YouSendIt, who can then push out authentication policies to the e-mail providers when they see an attack is happening.</p></blockquote><p>This new alliance is no guarantee that phishing emails will be eradicated, and it is still up to the end user to use caution when opening any suspicious email.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/11/30/tech-coalition-is-formed-to-stop-phishing-permenantly/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item><title>How Much Is A Hacked PayPal Account Worth?</title><link>http://www.ghacks.net/2011/10/05/how-much-is-a-hacked-paypal-account-worth/</link> <comments>http://www.ghacks.net/2011/10/05/how-much-is-a-hacked-paypal-account-worth/#comments</comments> <pubDate>Wed, 05 Oct 2011 12:46:44 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[Hacking]]></category> <category><![CDATA[paypal]]></category> <category><![CDATA[paypal account]]></category> <category><![CDATA[paypal phishing]]></category> <category><![CDATA[phishing]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=51164</guid> <description><![CDATA[We all know that you can practically buy anything on the Internet, from bulk email accounts to credit card information and even PayPal accounts. Brian Krebs in a post on the Krebs on Security blog sheds some light on the latter. He identified websites where PayPal account data, and sometimes linked email account information, were [...]]]></description> <content:encoded><![CDATA[<p>We all know that you can practically buy anything on the Internet, from bulk email accounts to credit card information and even PayPal accounts. Brian Krebs in a post on the <a
href="http://krebsonsecurity.com/2011/10/how-much-is-that-phished-paypal-account/">Krebs on Security</a> blog sheds some light on the latter. He identified websites where PayPal account data, and sometimes linked email account information, were sold in bulk.</p><p>According to his information, PayPal accounts are sold for as little as $50 per 100 unverified accounts. 50 cents per account may not seem like much, but you need to consider that unverified means that the original owner has not linked the account to a bank account or credit card. This limits what can be done with the account (while it is possible to use it to move money, it cannot be used to make purchases if the PayPal balance is not sufficient).</p><p>Verified accounts on the other hand start at prices of $2.50 for PayPal accounts with a balance of up to $10, and more if the balance is larger. A larger account with a balance of more than 1000 Dollars goes for $45 at the site selling those hacked accounts.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/10/hacked-paypal-accounts.png" alt="hacked paypal accounts" title="hacked paypal accounts" width="600" height="186" class="alignnone size-full wp-image-51165" /></p><p>It is rather interesting that the site not only lists the account balance, first name, address and type of account but also much of the user&#8217;s email address. Registration at the site is closed and only possible by contacting a site operator over ICQ.</p><p>Considering that email addresses are listed, it would make sense for PayPal to try to get an account so that it can block all hacked accounts before third parties can use them for illegal activities.</p><p>Brian believes that the majority of accounts for sale have been collected via phishing attacks, but that trojans on user computers have also been used, considering that some of the PayPal accounts are sold with linked email account logins.</p><p>It feels kinda strange that a site like this can operate for a relatively long time without being taken down by the authorities. I won&#8217;t link directly to the site, but you find the link and a sister site mentioned in Brian&#8217;s article.</p><p>I personally would have expected the accounts to be sold at higher prices. 
This can either mean that demand is not high, or that the site operators have access to a lot of hacked PayPal accounts.</p><p>What&#8217;s your take on this?</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/10/05/how-much-is-a-hacked-paypal-account-worth/feed/</wfw:commentRss> <slash:comments>6</slash:comments> </item> <item><title>University Of California: 3 Banks Can Stop Majority Of Botnets</title><link>http://www.ghacks.net/2011/07/01/university-of-california-3-banks-can-stop-majority-of-botnets/</link> <comments>http://www.ghacks.net/2011/07/01/university-of-california-3-banks-can-stop-majority-of-botnets/#comments</comments> <pubDate>Fri, 01 Jul 2011 12:05:41 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[botnet]]></category> <category><![CDATA[phishing]]></category> <category><![CDATA[spam]]></category> <category><![CDATA[study]]></category> <category><![CDATA[university of california]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=47272</guid> <description><![CDATA[I never really understood why it was this difficult to identify the people benefiting from running a botnet. I mean, while it is relatively easy to use chained proxies, middlemen and other means to stay anonymous, it is not as easy to anonymize the flow of money. Eventually, the money will end up with the people [...]]]></description> <content:encoded><![CDATA[<p>I never really understood why it was this difficult to identify the people benefiting from running a botnet. I mean, while it is relatively easy to use chained proxies, middlemen and other means to stay anonymous, it is not as easy to anonymize the flow of money. Eventually, the money will end up with the people who run the botnet.</p><p>A recent study by the University of California, entitled Click Trajectories: End-to-End Analysis of the Spam Value Chain, comes to a similar conclusion, albeit from a different point of view.</p><blockquote><p>95% of spam-advertised pharmaceutical, replica and software products are monetized using merchant services from just a handful of banks.</p></blockquote><p>According to the university&#8217;s study, the most effective approach to taking down botnets is to stop the money flow at the bank level.</p><p>Considering that it is only three banks that &#8220;provide the payment servicing for over 95% of the spam-advertised goods in [the] study&#8221;, it is safe to say that payment processing is the biggest bottleneck in botnet operation.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/07/botnet-processing-600x266.png" alt="botnet processing" title="botnet processing" width="600" height="266" class="alignnone size-medium wp-image-47274" /></p><p>The researchers analyzed other possible bottlenecks, domain registrars and hosting companies for instance, but came to the conclusion that this angle was not as effective as the payment processing angle:</p><blockquote><p>For example, while only a small number of individual IP addresses were used to support spam-advertised sites, the supply of hosting resources is vast, with thousands of hosting providers and millions of compromised hosts. The switching cost is also low and new hosts can be provisioned on demand and for low cost.</p></blockquote><blockquote><p>By contrast, the situation with registrars appears more promising. The supply of registrars is fewer (roughly 900 gTLD registrars are accredited by ICANN as of this writing) and there is evidence that not all registrars are equally permissive of spam-based advertising. Moreover, there have also been individual successful efforts to address malicious use of domain names, both by registries (e.g., CNNIC) and when working with individual registrars (e.g., eNom). Unfortunately, these efforts have been slow, ongoing, and fraught with politics since they require global cooperation to be effective (only individual registrars or registries can take these actions). Indeed, in recent work we have empirically evaluated the efficacy of past registrar-level interventions and found that spammers show great agility in working around such actions. 
Ultimately, the low cost of a domain name (many can be had for under $1 in bulk) and ease of switching registrars makes such interventions difficult.</p></blockquote><p>When it comes to payment processing and banks, the researchers concluded:</p><blockquote><p>Finally, it is the banking component of the spam value chain that is both the least studied and, we believe, the most critical. Without an effective mechanism to transfer consumer payments, it would be difficult to finance the rest of the spam ecosystem. Moreover, there are only two networks—Visa and Mastercard—that have the consumer footprint in Western countries to reach spam’s principal customers. While there are thousands of banks, the number who are willing to knowingly process what the industry calls “high-risk” transactions is far smaller. This situation is dramatically reflected in Figure 5, which shows that just three banks provide the payment servicing for over 95% of the spam-advertised goods in our study. More importantly, the replacement cost for new banks is high, both in setup fees and more importantly in time and overhead. Acquiring a legitimate merchant account directly with a bank requires coordination with the bank, with the card association, with a payment processor and typically involves a great deal of due diligence and delay (several days or weeks). Even for so-called third-party accounts (whereby a payment processor acts as middleman and “fronts” for the merchant with both the bank and Visa/Mastercard) we have been unable to locate providers willing to provide operating accounts in less than five days, and such providers have significant account “holdbacks” that they reclaim when there are problems.[21] Thus, unlike the other resources in the spam value chain, we believe payment infrastructure has far fewer alternatives and far higher switching cost.</p></blockquote><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/07/takeover-effectiveness.png" alt="takeover effectiveness" title="takeover effectiveness" width="600" height="245" class="alignnone size-full wp-image-47275" /></p><p>The study, available here as a PDF document, confirms that the most effective way to seriously impact the operation of botnets is at the payment processing level.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/07/01/university-of-california-3-banks-can-stop-majority-of-botnets/feed/</wfw:commentRss> <slash:comments>7</slash:comments> </item> <item><title>Gmail Adds Detailed Sender Information To Improve Security</title><link>http://www.ghacks.net/2011/06/30/gmail-adds-detailed-sender-information-to-improve-security/</link> <comments>http://www.ghacks.net/2011/06/30/gmail-adds-detailed-sender-information-to-improve-security/#comments</comments> <pubDate>Thu, 30 Jun 2011 13:32:27 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Email]]></category> <category><![CDATA[Google]]></category> <category><![CDATA[anti-phishing]]></category> <category><![CDATA[gmail]]></category> <category><![CDATA[google-mail]]></category> <category><![CDATA[phishing]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=47173</guid> <description><![CDATA[When I was working in tech support for a large German financial corporation I regularly had to deal with support requests by customers who received phishing emails. It took a lot to convince the majority of customers that those phishing emails were not sent by the company, but by criminals. Especially fake email addresses were [...]]]></description> <content:encoded><![CDATA[<p>When I was working in tech support for a large German financial corporation I regularly had to deal with support requests by customers who received phishing emails. It took a lot to convince the majority of customers that those phishing emails were not sent by the company, but by criminals. Especially fake email addresses were a problem, as many could not understand that it was possible to fake the email sender.</p><p>Google recently announced changes to their email service Gmail that would aid users in determining the real sender of an email message.</p><p>Google actually has added a series of improvements to Gmail. The email address of a sender who is not already in a Gmail user&#8217;s contacts is now shown prominently in the header. This change makes it easier to identify the sender directly without having to look at all email headers.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/06/google-email-sender-phishing.png" alt="google email sender phishing" title="google email sender phishing" width="546" height="32" class="alignnone size-full wp-image-47174" /></p><p>But the changes do not stop here. It sometimes happens that someone sends an email on behalf of another user or from another website, for instance by using a web form. This is now also reflected in the email header directly. Gmail users now see the name of the sender as well as the sender&#8217;s email address and a via link.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/06/email-send-via.png" alt="email send via" title="email send via" width="560" height="27" class="alignnone size-full wp-image-47175" /></p><p>Probably the biggest change from an anti-phishing point of view is a new warning that appears if Gmail believes that the email could have been sent by someone else. Gmail shows a &#8220;This message may not have been sent by&#8221; warning underneath the sender with links to learn more and to report a phishing email.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/06/fake-email.png" alt="fake email" title="fake email" width="522" height="101" class="alignnone size-full wp-image-47176" /></p><p>All three additions are visible directly when an email has been opened on the Gmail website. The new information improves security for all Gmail users, provided that those users pay attention to the notifications and additional information.</p><p>The first two additions in particular can easily be overlooked due to their gray font color on a white background. The phishing warning on the other hand uses a yellow background so that it can be easily spotted by everyone. (<a
href="http://gmailblog.blogspot.com/2011/06/protect-yourself-from-scams-by-knowing.html?utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed%3A+OfficialGmailBlog+%28Gmail+Blog%29">via</a>)</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/06/30/gmail-adds-detailed-sender-information-to-improve-security/feed/</wfw:commentRss> <slash:comments>5</slash:comments> </item> <item><title>PayPal, Your Account Has Been Temporarily Limited!</title><link>http://www.ghacks.net/2011/05/25/paypal-your-account-has-been-temporarily-limited/</link> <comments>http://www.ghacks.net/2011/05/25/paypal-your-account-has-been-temporarily-limited/#comments</comments> <pubDate>Wed, 25 May 2011 07:41:04 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Advice]]></category> <category><![CDATA[paypal]]></category> <category><![CDATA[paypal account]]></category> <category><![CDATA[paypal login]]></category> <category><![CDATA[paypal phishing]]></category> <category><![CDATA[phishing]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=45532</guid> <description><![CDATA[Once a week or so I receive an email from the payment processing service PayPal that notifies me that my PayPal account has been temporarily limited. When I received such a message for the first time, I went all panic for a moment thinking that PayPal &#8211; once again &#8211; would have screwed me over. [...]]]></description> <content:encoded><![CDATA[<p>Once a week or so I receive an email from the payment processing service PayPal that notifies me that my PayPal account has been temporarily limited. When I received such a message for the first time, I went all panic for a moment thinking that PayPal &#8211; once again &#8211; would have screwed me over.</p><p>It quickly turned out, however, that the message was a scam, a phishing attack to steal my PayPal login credentials. Why would attackers want that information? To transfer all the money from the account, and maybe even more if a credit card is linked to the account.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/paypal-your-account-has-been-temporarily-limited.png" alt="paypal your account has been temporarily limited" title="paypal your account has been temporarily limited" width="520" height="87" class="alignnone size-full wp-image-45533" /></p><p>They may use PayPal to make purchases on the Internet, or use the account as a temporary haven for illegal transactions.</p><p>Whatever it is, it is certainly not in the interest of the account owner. Let&#8217;s take a closer look at one of the emails to see what it is all about, and learn how to identify whether it is a phishing email.</p><p>The email reads:</p><blockquote><p>Dear PayPal account holder,</p><p>PayPal is constantly working to ensure security by regularly screening the accounts in our system. We have recently determined that different computers have tried logging into your PayPal account,and multiple password failures were present before the logons.</p><p>Until we can collect secure information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.</p><p>Download and fill out the form to resolve<br
/> the problem and then log into your account.</p><p>Thanks ,<br
/> PayPal</p></blockquote><p>The sender is PayPal updates-int@paypal.net, the subject: Your account has been temporarily limited. There is an attachment, an HTML page with the name Restore_your_account_PayPal.html.</p><p>When you look at the email you will notice several indicators that it is a phishing email. You do not really need to look at email headers for that.</p><ul><li>No customer name &#8211; Phishers usually do not have access to customer names, which means that they address the recipient in general terms: Dear xxx.</li><li>No contact &#8211; Companies usually include contact information in their emails. This can be a company&#8217;s street address, support phone numbers or links to web properties.</li><li>Attachment &#8211; While it is possible that companies send attachments with their emails, it is unlikely that a company would do so in this case.</li></ul><p>When you look at the email headers you notice that the Return-Path and Received headers do not mention PayPal but another domain (powerski.net), which more or less proves that the email at hand is a phishing email.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/paypal-phishing.png" alt="paypal phishing" title="paypal phishing" width="413" height="261" class="alignnone size-full wp-image-45535" /></p><p>But what about the HTML email attachment? The easiest way to find out is to save it locally and open it in a text editor. This is also the safer option, since a text editor shows the page source without rendering it or running any script it contains.</p><p>I do not really need to see the site in action; analyzing the code is all that is needed to get the information that I want.</p><p>If you double-click the HTML file in the email you will load it in your default browser locally. You will see a form and a page that resembles the PayPal site.</p><p>If you look at the source, you notice that the form action points to http://networkpp.comlu.com/tmp/w.php and not a PayPal domain. The form action is the address your input is sent to when you click the submit button.</p><p>The form asks for all kinds of personal and security-related information, including your social security number, credit card or debit card number, expiration date, security code, mother&#8217;s maiden name and email.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/html-phishing.png" alt="html phishing" title="html phishing" width="600" height="234" class="alignnone size-full wp-image-45545" /></p><p>What can you do if you receive an email that you suspect to be a phishing email?</p><ul><li>Ask a tech savvy user to look at it. You can forward the email to the user for instance if necessary.</li><li>Go to the company website manually, look for contact information and call or email support there.</li><li>Analyze the email the way I did. All information you need can be found in the email itself.</li><li>When in doubt do not open. Move the email to a folder for safe-keeping, or delete it outright.</li></ul> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/05/25/paypal-your-account-has-been-temporarily-limited/feed/</wfw:commentRss> <slash:comments>13</slash:comments> </item> <item><title>Why Websites Never Need Your Password</title><link>http://www.ghacks.net/2011/05/05/why-websites-never-need-your-password/</link> <comments>http://www.ghacks.net/2011/05/05/why-websites-never-need-your-password/#comments</comments> <pubDate>Thu, 05 May 2011 07:27:04 +0000</pubDate> <dc:creator>Ryan D. Lang</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Tutorials Basic]]></category> <category><![CDATA[online security]]></category> <category><![CDATA[password]]></category> <category><![CDATA[password recovery]]></category> <category><![CDATA[passwords]]></category> <category><![CDATA[phishing]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=44716</guid> <description><![CDATA[It is common knowledge that a website, such as PayPal or eBay, will never ask for your password. They do not need it, but rarely do we hear about why that is the case. There are actually a few possibilities. Please note, if you ever get an e-mail requesting your username and password, it is [...]]]></description> <content:encoded><![CDATA[<p>It is common knowledge that a website, such as PayPal or eBay, will never ask for your password.  They do not need it, but rarely do we hear about why that is the case.  There are actually a few possibilities.</p><p>Please note, if you ever get an e-mail requesting your username and password, it is <a
href="http://www.ghacks.net/2006/01/25/phishing-explained">phishing</a> for it.  See our <a
href="http://www.ghacks.net/2009/10/07/phishing-protection-tips/">phishing protection tips</a> for some tips on how to protect yourself.  There is also a <a
href="http://loginhelper.com/email/phishing-flow-chart/">phishing flowchart</a> to help you identify phishing.  In addition to this, Gmail <a
href="http://gmailblog.blogspot.com/2009/07/new-in-labs-super-trustworthy-anti.html">has a lab</a> that will verify PayPal and eBay e-mails.</p><h3>Websites Already Have It</h3><p>While one would hope passwords are encrypted and kept out of harm&#8217;s reach, that is not always the case.  In many systems security is an afterthought.  Sometimes security policies and programs are not seen as necessary until after a breach.  Important customer information is not always protected the way that it should be.</p><p>In a system like this your password may not be encrypted. It may be stored in plain text (sometimes called &#8220;clear text&#8221;).  There may not be proper access controls in place either.</p><p>With the usernames and passwords so easily accessed, no one from the company needs to ask you for them.  The company, or a number of employees within it, has access to them.  This is a part of why it is important to use different passwords on different sites.</p><h3>Top Level Staff May Have Access</h3><p>A system with good security will encrypt your passwords.  Even if someone who was not supposed to have access to the file containing passwords gained it, it would look like gibberish.  There are ways to get around this under certain circumstances, but overall the encryption keeps people from being able to read customer information.</p><p>That said, there will be people higher up who have access to the key which can decipher passwords.  If a legitimate need for the information arose, such as a court order, then a ranking company official would be involved, not you.</p><p>While not directly relating to passwords, Dropbox works in a similar fashion. All data that Dropbox stores is encrypted, protected from staff and general misuse.  The higher-ups are able to access the data, but only under special circumstances.  They <a
href="http://blog.dropbox.com/?p=735">can give</a> access to authorities, but it must be by court order.  It is an example of how an encrypted system is still controlled by someone in the company.</p><h3>Your Password May Not Be Stored Verbatim</h3><p>Some sites and systems may use a clever trick to log you in.  You would think, when you log in, a server compares the username and password that you send with a username and password on record.  That is not always the case.</p><p>Some systems will use your password and a random number (known as a salt), put them into a formula, and get a crazy-looking code of letters, numbers, and symbols.  This code is virtually perfectly unique to your password.  The site stores this code and the random number.</p><p>virtually perfectly unique<br
/> http://blogs.msdn.com/b/tomarcher/archive/2006/05/10/are-hash-codes-unique.aspx</p><p><a
href="http://www.infocellar.com/networks/Security/hash.htm">Unlike encryption</a>, where the password can be retrieved if a key is used, the created code cannot be unlocked to reveal your password.  It is a one-way process designed to make your password unreadable.  It is difficult to figure out the password based on the code.  The point of a system like this is that they do not want to know your password.</p><p>When you log in again, you send your username and password. <a
href="http://www.product-reviews.net/2011/05/02/playstation-network-status-of-passwords-encryption-vs-hashing/">The system</a> takes the password you send, puts it and the random number back in the formula, and forms the crazy code again.  It then compares that code to the code on file.  If they match, you are allowed in; if they do not match, you get an error.  Voila, login without a stored password.</p><p>The crazy code has a special name: a hash value.  Sony disclosed their use of hash values after the PlayStation Network was brought down by hackers.</p><h3>The System May Force Resets</h3><p>Some systems will give limited tools to IT personnel (by policy, access, or design).  In these cases, the only tool they may have available is a password reset.  This is done to remedy the frequent problem of lost passwords.  Passwords can be safely encrypted or hashed, yet access can be easily restored.</p><p>Facebook <a
href="https://www.facebook.com/recover.php">uses</a> this system.  You have to tell the website something about yourself first, but it will reset your password after you have.  This automates the process so you do not have to wait for tech support.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/facebook-identify-account.png" alt="facebook identify account" title="facebook identify account" width="567" height="501" class="alignnone size-full wp-image-44717" /></p><h3>Many Functions Do Not Require Your Password</h3><p>In most systems an employee logs in, is verified by the system, and is given the access that fits their role in the company. The software they use may let them change your contact information, adjust account balances, look up your length of service, view your history with the company, and so on. Sometimes they can delete you outright. Think about how a bank teller can debit your account when you ask for cash. It is the teller&#8217;s own login and role that authorise that action, not yours, so there is nothing legitimate a bank could need your password for.</p><h3>In Summary</h3><p>As every reputable company states, there is never a reason to give someone your password. The company will never ask for your username or password, and the scams that do prey on people not knowing this. If you know someone who might fall for a ploy like this, educate them. 
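</p><p>To make concrete why the site never needs to keep the password itself, here is the salt-and-hash login check described above, written out as an added example (Python). It is not code from the original article or from any of the sites it links to; the function names, the in-memory user table and the PBKDF2 settings are assumptions made for the illustration.</p>

```python
import hashlib
import hmac
import os

# Added example, not code from the original article or from any site it
# links to. The function names, the in-memory USERS table and the PBKDF2
# parameters are assumptions made for this illustration.

ITERATIONS = 100_000  # deliberately slow: caps how fast a thief can guess against stolen codes
SALT_BYTES = 16       # the "random number" from the post: one fresh salt per account

# What the server actually keeps: username -> (salt, code). No password is stored anywhere.
USERS = {}


def hash_password(password, salt):
    """The one-way 'formula': password + salt -> fixed-size code (bytes)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username, password):
    """Create the account record and return what was stored, for inspection only."""
    salt = os.urandom(SALT_BYTES)           # fresh random salt, never reused
    record = (salt, hash_password(password, salt))
    USERS[username] = record
    return record


def verify(username, password):
    """Login check: rerun the formula with the stored salt and compare codes."""
    record = USERS.get(username)
    if record is None:
        # Unknown user: do the same amount of work so response time does not
        # reveal which usernames exist.
        hash_password(password, bytes(SALT_BYTES))
        return False
    salt, stored_code = record
    candidate = hash_password(password, salt)
    # Constant-time comparison: a plain == could leak how many leading bytes matched.
    return hmac.compare_digest(candidate, stored_code)


def stored_codes_differ(password):
    """Two accounts that chose the same password still get different stored codes,
    because each has its own salt. Without the salt a leaked table would show
    which accounts share a password, and one precomputed table of codes for
    common passwords would crack all of them at once."""
    salt_a, code_a = register("alice", password)
    salt_b, code_b = register("bob", password)
    return salt_a != salt_b and code_a != code_b


if __name__ == "__main__":
    register("carol", "correct horse battery staple")
    print(verify("carol", "correct horse battery staple"))  # True
    print(verify("carol", "Correct horse battery staple"))  # False: case matters
    print(verify("nobody", "anything"))                     # False: no such account
    print(stored_codes_differ("hunter2"))                   # True
```

<p>Run it and the last line of output is True although alice and bob chose the same password: the random salt gives them different stored codes, so a leaked table reveals neither the passwords nor which accounts share one. Nothing on the server can be turned back into a password; a support employee can only reset it, which is the whole point.</p><p>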
They should be less likely to give the information out if they know why it is never needed.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/05/05/why-websites-never-need-your-password/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Attention Webmasters: Fake Domain Renewal Emails Spotted</title><link>http://www.ghacks.net/2011/05/03/attention-webmasters-fake-domain-renewal-emails-spotted/</link> <comments>http://www.ghacks.net/2011/05/03/attention-webmasters-fake-domain-renewal-emails-spotted/#comments</comments> <pubDate>Tue, 03 May 2011 20:40:00 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Web Development]]></category> <category><![CDATA[domain]]></category> <category><![CDATA[domain expiration]]></category> <category><![CDATA[domain management]]></category> <category><![CDATA[expiration notice]]></category> <category><![CDATA[phishing]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=44664</guid> <description><![CDATA[I have a lot of domains. Well, a lot is relative but it is enough to lose the overview occasionally. While the majority is hosted at one popular provider (Godaddy), some are hosted at other domain registrars and web hosting companies. I get regular automated emails from those companies. They tell me that a domain [...]]]></description> <content:encoded><![CDATA[<p>I have a lot of domains. Well, a lot is relative, but it is enough that I occasionally lose track of them. While the majority are hosted at one popular provider (GoDaddy), some are hosted at other domain registrars and web hosting companies. I get regular automated emails from those companies, telling me for instance that a domain name is about to expire.</p><p>Imagine my surprise when I received a new email today from a company I had never worked with before. The email was sent by leewanachapa@anez20.com via secureserver.net, a GoDaddy-owned company IIRC.</p><p>It reads:</p><blockquote><p>FWD: Attention: MARTINBRINKMANN.com Expiring Soon</p><p>Notice of Expiration</p><p>Domain Name: MARTINBRINKMANN.COM<br
/> Bill To: 	     	Invoice # 	1304452910<br
/> Invoice Date 	May 3, 2011<br
/> Essen, NR 	Terms 	Net 14<br
/> 45130 &#8211; US 	Due Date 	May 18, 2011<br
/> P.O. #<br
/> ONLINE SECURITY<br
/> Domain Name 	Registration 	Price 	Term<br
/> MARTINBRINKMANN.COM 	May 3, 2011 &#8211; May 3, 2012 	$75.00 	1 Year</p><p>Attention :</p><p>This solicitation is to inform you that it&#8217;s time to send in your search engine registration for MARTINBRINKMANN.COM. DRS is a submission service and search engine ranking firm.</p><p>Failure to complete your search engine registration by May 18, 2011 may result in the cancellation of this offer (making it difficult for your customers to locate you using search engines on the web).</p><p>Your registration includes search engine submission for MARTINBRINKMANN.COM for 1 year. You are under no obligation to pay the amount stated above unless you accept this offer by May 18, 2011. This notice is not an invoice. It is a courtesy reminder to register MARTINBRINKMANN.COM for search engine listing so that your customers can locate you on the web.</p><p>This Offer for MARTINBRINKMANN.COM will expire on May 18, 2011. Act today!<br
/> For Domain Name:<br
/> MARTINBRINKMANN.COM<br
/> ONLINE SECURITY<br
/> unsubscribe</p></blockquote><p>All links in the email pointed to http://domainrenereg.com/. Several aspects of the email were suspicious:</p><ul><li>I was not addressed personally.</li><li>The price for a one-year renewal was way too high ($75).</li><li>The domain was supposedly expiring on May 3, 2011, yet I had received no renewal emails before this one.</li><li>The domain was paid for until 2013, not 2011.</li></ul><p>I was curious and visited the site anyway. I knew that I was protected from harm by NoScript, so no worries there. The page looked like this:</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/invoice-570x512.png" alt="invoice" title="invoice" width="570" height="512" class="alignnone size-medium wp-image-44665" /></p><p>Notice anything in particular? Right, there is no account login on the page. All you can do is enter your credit card data, right on the first page. That page was obviously phishing for credit card information.</p><p>This is the first time that I have received such an email. It looks and feels very amateurish to me. Having said that, it is likely that the attackers will tune the emails in the future, for instance by only writing to domain owners whose domains really are about to expire; expiry dates are public in WHOIS records, so that targeting costs them nothing.</p><p>Use this as a word of caution. If you receive such emails, submit them to your domain registrar so that its legal department can take care of it.</p><p>As a side note, I&#8217;m currently working on a <a
href="http://www.dmtools.com/">domain management tool</a> which webmasters and companies can use to manage all their domains and web properties. If you are interested in hearing more about it, let me know.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/05/03/attention-webmasters-fake-domain-renewal-emails-spotted/feed/</wfw:commentRss> <slash:comments>14</slash:comments> </item> <item><title>PayPal Your Account Has Been Temporarily Limited Phishing Emails</title><link>http://www.ghacks.net/2010/12/27/paypal-your-account-has-been-temporarily-limited-phishing-emails/</link> <comments>http://www.ghacks.net/2010/12/27/paypal-your-account-has-been-temporarily-limited-phishing-emails/#comments</comments> <pubDate>Mon, 27 Dec 2010 17:33:13 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[paypal]]></category> <category><![CDATA[paypal phishing]]></category> <category><![CDATA[paypal tips]]></category> <category><![CDATA[phishing]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=38389</guid> <description><![CDATA[Phishing is still one of the common threats on today&#8217;s Internet. Criminals try to get account information and other personal information from users by faking emails and websites of trusted services, websites and authorities. Phishing is very common in the financial sector and PayPal is by far the service with the largest amount of phishing [...]]]></description> <content:encoded><![CDATA[<p>Phishing is still one of the most common threats on today&#8217;s Internet. Criminals try to get account details and other personal information from users by faking the emails and websites of trusted services, websites and authorities. Phishing is very common in the financial sector, and PayPal is by far the brand targeted by the largest number of phishing attacks.</p><p>We have seen an increase in phishing emails with the subject &#8220;Your account has been temporarily limited&#8221; that target PayPal users. The From address is updates-int@paypal.net. The email body contains no links or other clickable content; the payload is an attachment. It reads like this:</p><blockquote><p>Dear PayPal account holder,</p><p>PayPal is constantly working to ensure security by regularly screening the accounts in our system. We have recently determined that different computers have tried logging into your PayPal account,and multiple password failures were present before the logons.</p><p>Until we can collect secure information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.</p><p>Download and fill out the form to resolve<br
/> the problem and then log into your account.</p><p>Thanks ,<br
/> PayPal</p></blockquote><p>An HTML file named Restore_your_account_PayPal.html is attached to the email. It mimics the official PayPal page but is opened from the local disk rather than from paypal.com, which also means there is no URL for a browser&#8217;s phishing blocklist to match; only the form submission ever goes out to the network. It consists of a simple form asking users to fill in personal information, including name, address, social security number and credit card details. The form does not ask for PayPal login information.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2010/12/paypal-your-account-has-been-temporarily-limited-550x328.jpg" alt="paypal your account has been temporarily limited" title="paypal your account has been temporarily limited" width="550" height="328" class="alignnone size-medium wp-image-38391" /></p><p>The email is obviously fake and not from PayPal. Here are some clues why that is the case:</p><ul><li>It does not mention the customer&#8217;s name, a PayPal representative or any contact information.</li><li>The return address is nobody@ne07.tt.co.kr, not a PayPal address. The visible From header is trivial to forge; the return path and the Received headers are where the real origin shows.</li><li>Thunderbird flags that the &#8220;sender is open HTTP proxy server&#8221;.</li><li>The attached file is a local form that runs on the user&#8217;s own system, not on the official PayPal website.</li><li>PayPal does not use PayPal.net; it redirects that domain to PayPal.com. It is therefore unlikely that PayPal.net addresses are used to communicate with customers. We personally have only ever received emails from PayPal.com and country domains like PayPal.de.</li></ul><p><img
src="http://www.ghacks.net/wp-content/uploads/2010/12/paypal-phishing-550x531.jpg" alt="paypal phishing" title="paypal phishing" width="550" height="531" class="alignnone size-medium wp-image-38392" /></p><p>A look at the HTML source reveals further inconsistencies. The document embeds elements from unofficial sites such as Megabyet, and the form action (the address to which the form data is submitted and where it is processed) also points to Megabyet, not to PayPal.com. The form action is the single most reliable tell in an attachment like this: whatever the page looks like, the data goes wherever that attribute says.</p><p>What should you do with the fake email? You can forward it to spoof@paypal.com the way it is, or delete it right away if you do not want to forward it to PayPal&#8217;s spoofing department.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/12/27/paypal-your-account-has-been-temporarily-limited-phishing-emails/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item><title>Centralized Internet Fraud Alert System Launches</title><link>http://www.ghacks.net/2010/06/21/centralized-internet-fraud-alert-system-launches/</link> <comments>http://www.ghacks.net/2010/06/21/centralized-internet-fraud-alert-system-launches/#comments</comments> <pubDate>Mon, 21 Jun 2010 08:20:24 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Microsoft]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[fraud]]></category> <category><![CDATA[internet fraud alert]]></category> <category><![CDATA[internet security]]></category> <category><![CDATA[microsoft]]></category> <category><![CDATA[phishing]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=26879</guid> <description><![CDATA[The Internet Fraud Alert System is a partnership between Microsoft and the US National Cyber Forensics and Training Alliance (NCFTA) backed up by organizations and companies like Accuity, American Bankers Association, the Anti-Phishing Working Group, eBay and PayPal. The system addresses a problem that security researchers and companies have faced in the past. Security researchers [...]]]></description> <content:encoded><![CDATA[<p>The Internet Fraud Alert System is a partnership between Microsoft and the US National Cyber Forensics and Training Alliance (NCFTA) backed up by organizations and companies like Accuity, American Bankers Association, the Anti-Phishing Working Group, eBay and PayPal.</p><p>The system addresses a problem that security researchers and companies have faced in the past. Security researchers who uncovered vulnerabilities or stolen data were not able to pass the information along in a centralized secure way. There simply was no option to send a direct warning to service providers, banks or other companies that were affected by the vulnerability or compromised data.</p><p><span
id="more-26879"></span>Researchers had to analyze the data to identify the affected companies or online services, and then find the right contact at each one to pass the data along securely. Cyber-criminals benefited from this, as it gave them additional time to make use of the stolen data.</p><p>&#8220;Last year, according to the Anti-Phishing Working Group, one million U.S. households lost money or had accounts misused as a result of phishing, at a cost of $650 million&#8221;, <a
href="http://blogs.technet.com/b/microsoft_on_the_issues/">Nancy Anderson</a>, Corporate Vice President and Deputy General Counsel at Microsoft, said.</p><p>The Internet Fraud Alert System has been designed to give security researchers and the security community in general a centralized system for reporting stolen data, such as credit card numbers or account login details. It also lets researchers contact the affected institutions directly, so that they can take appropriate action to protect their customers.</p><blockquote><p>Through a centralized alert system powered by Microsoft technology and managed by NCFTA, Internet Fraud Alert provides a new, powerful tool to quickly inform financial and online companies about compromised customer account credentials (such as online usernames and passwords) or stolen credit card numbers. With this information, institutions can take action to protect their customers from further fraud against their accounts.</p></blockquote><p>Microsoft donated the technology to the NCFTA, a non-profit organization dedicated to facilitating public-private partnerships between industry, law enforcement, and academia on cyber-security issues.</p><p>Only US companies participate in the Internet Fraud Alert system at the moment. 
It remains to be seen whether this will change or whether it will remain a US-only project, which would severely limit the usefulness of the system.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/06/21/centralized-internet-fraud-alert-system-launches/feed/</wfw:commentRss> <slash:comments>7</slash:comments> </item> <item><title>Interesting Phishing Concept Tabjacking</title><link>http://www.ghacks.net/2010/05/25/interesting-phishing-concept-tabjacking/</link> <comments>http://www.ghacks.net/2010/05/25/interesting-phishing-concept-tabjacking/#comments</comments> <pubDate>Tue, 25 May 2010 16:51:34 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Browsing]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[internet]]></category> <category><![CDATA[internet security]]></category> <category><![CDATA[phishing]]></category> <category><![CDATA[phishing scams]]></category> <category><![CDATA[tabjacking]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=25669</guid> <description><![CDATA[By now most Internet users know what phishing stands for, or so they think. If you ask them to define phishing most will likely mention that it is about fake email links that lead to look-a-like copies of popular websites. What most users do not know is that their definition of phishing is not entirely [...]]]></description> <content:encoded><![CDATA[<p>By now most Internet users know what phishing is, or so they think. If you ask them to define it, most will say it is about fake email links that lead to look-alike copies of popular websites. What most users do not know is that this definition is not entirely correct. Phishing, a word usually explained as &#8220;password fishing&#8221;, is not exclusive to email; the term itself hints at that. Phishing can happen anywhere, including in instant messengers and forums, through social engineering, and on plain websites.</p><p>Aza Raskin has just posted an interesting article on his blog detailing a new phishing attack that this post calls tabjacking (Raskin&#8217;s own name for it is tabnabbing). The concept is ingenious.</p><p><span
id="more-25669"></span>It refers to a website that changes its look and feel to that of a fake login page after the tab has been left alone for a while. Here is how it works.</p><p>The user visits a harmless-looking site and decides to keep it open in a tab for the time being. JavaScript on the page detects that the tab has lost focus and, after a delay, replaces the site&#8217;s favicon and title with those of a popular site. This could be Facebook, Gmail or any other site the user is likely to use.</p><p>The page also changes its contents so that it looks like the website whose login credentials the attacker wants to steal.</p><p>Many users identify websites in tabs by favicon and title alone, which can lead them to believe that the tab really is that site. Clicking on the tab then shows exactly what they expect, as the copy looks just like the original.</p><p>For Gmail it would, for instance, be the Gmail login form. Users who enter their credentials into the form send them straight to the attacker, and the script then redirects them to the real site so nothing seems amiss.</p><p><object
width="400" height="267"><param
name="allowfullscreen" value="true" /><param
name="allowscriptaccess" value="always" /><param
name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=12003099&amp;server=vimeo.com&amp;show_title=1&amp;show_byline=1&amp;show_portrait=0&amp;color=&amp;fullscreen=1" /><embed
src="http://vimeo.com/moogaloop.swf?clip_id=12003099&amp;server=vimeo.com&amp;show_title=1&amp;show_byline=1&amp;show_portrait=0&amp;color=&amp;fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="267"></embed></object><p><a
href="http://vimeo.com/12003099">A New Type of Phishing Attack</a> from <a
href="http://vimeo.com/user532161">Aza Raskin</a> on <a
href="http://vimeo.com">Vimeo</a>.</p><p>There are still a few things the user can check to spot the attack. The URL in the address bar, for instance, is still the original site&#8217;s, not that of the site being imitated, and the page is unlikely to be served over HTTPS, so there is no padlock for the site it pretends to be. A password manager that only fills credentials on the matching origin will also refuse to fill in the fake form, which is a useful hint in itself.</p><p>Take a look at <a
href="http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/">Aza&#8217;s</a> blog post for additional information about the attack, including the proof-of-concept code, possible fixes and a long thread of user comments.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/05/25/interesting-phishing-concept-tabjacking/feed/</wfw:commentRss> <slash:comments>8</slash:comments> </item> <item><title>How To Disable The SmartScreen Filter In Internet Explorer</title><link>http://www.ghacks.net/2010/03/08/how-to-disable-the-smartscreen-filter-in-internet-explorer/</link> <comments>http://www.ghacks.net/2010/03/08/how-to-disable-the-smartscreen-filter-in-internet-explorer/#comments</comments> <pubDate>Mon, 08 Mar 2010 17:56:16 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Browsing]]></category> <category><![CDATA[Internet Explorer]]></category> <category><![CDATA[disable smartscreen filter]]></category> <category><![CDATA[internet explorer 8]]></category> <category><![CDATA[internet explorer security]]></category> <category><![CDATA[internet-explorer]]></category> <category><![CDATA[phishing]]></category> <category><![CDATA[smartscreen filter]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=23570</guid> <description><![CDATA[The so called SmartScreen Filter has been added to Internet Explorer 8 by Microsoft. The filter has been designed to warn the user in case unsafe websites are accessed in the web browser. Unsafe websites can for instance be phishing websites or sites that distribute malware. The SmartScreen filter will first check the visited website [...]]]></description> <content:encoded><![CDATA[<p>Microsoft added the so-called SmartScreen Filter to Internet Explorer 8. The filter is designed to warn the user when an unsafe website is opened in the browser, for instance a phishing site or a site that distributes malware. It first checks the visited address against a list of &#8220;high traffic website addresses&#8221; stored on the local system that Microsoft believes to be legitimate.</p><p>Any address that is not on that local list is sent to a Microsoft server, where it is compared against a database of unsafe and suspicious websites. Standard computer information and the SmartScreen Filter version number are transmitted along with it.</p><p><span
id="more-23570"></span><blockquote><p>Information that may be associated with the address, such as search terms or data you entered in forms might be included. For example, if you visited the Microsoft.com search web site at http://search.microsoft.com and entered &#8220;Seattle&#8221; as the search term, the full address http://search.microsoft.com/results.aspx?q=Seattle&#038;qsc0=0&#038;FORM=QBMH1&#038;mkt=en-US will be sent. Address strings might unintentionally contain personal information, but this information, like the other information sent, is not used to identify, contact or target advertising to you. In addition, Microsoft filters address strings to try to remove personal information where possible.</p><p>From time-to-time, information about your usage of SmartScreen Filter will also be sent to Microsoft such as the time and total number of websites browsed since an address was sent to Microsoft for analysis. Some information about files that you download from the web such as name and file path may also be sent to Microsoft. Some website addresses that are sent to Microsoft may be stored along with additional information including web browser version, operating system version, SmartScreen Filter version, the browser language, and information about whether Compatibility View was enabled for the website. A unique identifier generated by Internet Explorer is also sent. The unique identifier is a randomly generated number that does not contain any personal information and is not used to identify you. This information, along with the information described above, is only used to analyze performance and improve the quality of our products and services.</p></blockquote><p>The SmartScreen Filter is a security addition to Internet Explorer that warns the user when known malicious or dangerous websites are visited. It is therefore usually recommended to keep the filter activated.</p><p>Some Internet Explorer users may nevertheless prefer to deactivate it, either because they use other security software that checks websites for them, such as Web of Trust or a security suite that integrates with the browser and checks the sites accessed, or because they do not want to transmit information about visited websites to Microsoft. Bear in mind that the trade-off is real: with the filter off, Internet Explorer no longer checks visited addresses or downloads against Microsoft&#8217;s reputation data at all, so whatever replaces it has to cover both.</p><p>The SmartScreen Filter can be disabled in the Internet Options of Internet Explorer. Open them by clicking on Tools > Internet Options and switch to the Security tab.</p><p>Select the Internet zone and click on the Custom level button. This opens a new window with lots of configuration options. Scroll all the way down to the Use SmartScreen Filter setting, which is Enabled by default. Selecting Disable instead and clicking on OK disables the filter for the Internet zone only; other zones keep their own setting.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2010/03/smartscreen_filter.jpg" alt="" title="smartscreen filter" width="422" height="481" class="alignnone size-full wp-image-23571" /></p><p>You need to confirm the changes. This disables the SmartScreen Filter in Internet Explorer 8, so that neither visited addresses nor computer information are submitted to Microsoft.</p><p>It is also possible to turn off the SmartScreen Filter by clicking on the Safety link in the Internet Explorer toolbar and selecting SmartScreen Filter > Turn Off SmartScreen Filter. The same menu can be used to check a website manually and to report a potentially dangerous website; those two options still work even after the SmartScreen Filter has been deactivated.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/03/08/how-to-disable-the-smartscreen-filter-in-internet-explorer/feed/</wfw:commentRss> <slash:comments>15</slash:comments> </item> <item><title>The Phishing Flow Chart</title><link>http://www.ghacks.net/2010/02/11/the-phishing-flow-chart/</link> <comments>http://www.ghacks.net/2010/02/11/the-phishing-flow-chart/#comments</comments> <pubDate>Thu, 11 Feb 2010 16:47:52 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Email]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[login helper]]></category> <category><![CDATA[phishing]]></category> <category><![CDATA[phishing email]]></category> <category><![CDATA[phishing flow chart]]></category> <category><![CDATA[phishing tips]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=22991</guid> <description><![CDATA[Phishing is a serious problem on today&#8217;s Internet even with phishing protections in email clients, web browsers and security software in place as those security solutions only deal with already reported phishing scams and sites and not new ones. Internet users therefor need to know about phishing and how to identify phishing emails from safe [...]]]></description> <content:encoded><![CDATA[<p>Phishing remains a serious problem on today&#8217;s Internet even with phishing protection in email clients, web browsers and security software, because those solutions only catch phishing scams and sites that have already been reported, not new ones.</p><p>Internet users therefore need to understand phishing and how to tell a phishing email from a legitimate one.</p><p>The <a
href="http://loginhelper.com/">Login Helper</a> blog has created a <a
href="http://loginhelper.com/email/phishing-flow-chart/">phishing flow chart</a> that outlines the process of analyzing an email to determine if it is a phishing email or not.</p><p><span
id="more-22991"></span><a
href="http://www.ghacks.net/wp-content/uploads/2010/02/phishing_flow_chart.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2010/02/phishing_flow_chart-439x500.jpg" alt="" title="phishing flow chart" width="439" height="500" class="alignnone size-medium wp-image-22992" /></a></p><p>The flow chart addresses the three biggest email dangers: attachments, links and social engineering. It is color coded so that safe and dangerous elements of an email are easy to tell apart: red elements are considered dangerous, blue elements safe.</p><p>The chart also gives basic suggestions on how to react when a possibly dangerous element is encountered. For attachments, that is to save them locally and check them with an online service such as VirusTotal, bearing in mind that, like the phishing filters mentioned above, such a scanner can only flag what it already knows about.</p><p>Following the chart leads to either a safe or a dangerous rating for the email being analyzed.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/02/11/the-phishing-flow-chart/feed/</wfw:commentRss> <slash:comments>9</slash:comments> </item> <item><title>Avira Most Phished Brands January 2010</title><link>http://www.ghacks.net/2010/02/02/avira-most-phished-brands-january-2010/</link> <comments>http://www.ghacks.net/2010/02/02/avira-most-phished-brands-january-2010/#comments</comments> <pubDate>Tue, 02 Feb 2010 10:58:15 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[avira]]></category> <category><![CDATA[email security]]></category> <category><![CDATA[internet security]]></category> <category><![CDATA[phished brands]]></category> <category><![CDATA[phishing]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=22736</guid> <description><![CDATA[Phishing is still one of the biggest threats that users face on the Internet these days. Many security programs and web browsers offer phishing protection but these only catch the known phishing attacks which means that users still have to cope with the unknown attacks until they are identified by the applications. Avira has published [...]]]></description> <content:encoded><![CDATA[<p>Phishing is still one of the biggest threats that users face on the Internet these days. Many security programs and web browsers offer phishing protection but these only catch the known phishing attacks which means that users still have to cope with the unknown attacks until they are identified by the applications.</p><p>Avira has published their January statistics of the most phished brands. This information can be helpful to identify or avoid services that are targeted the most by phishing attacks.</p><p><span
id="more-22736"></span>Most of the phishing attacks are carried out against financial services and sites. The only non-financial service in the top 16 list is Facebook.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2010/02/phished_brands.jpg" alt="" title="phished brands" width="348" height="328" class="alignnone size-full wp-image-22737" /></p><p>The list is topped by PayPal, which was the target in 61.89% of all phishing attacks, followed by HSBC Bank with 8.59% and Bank of America with 6.09%.</p><p>Other companies in the list include eBay, Abbey Bank, Chase Bank, Banco Poste Italiane, Alliance Leicester, Western Union and Citibank.</p><p>It is obviously not always possible to switch company or service based on phishing statistics, but users of these brands should be very cautious when they receive emails that appear to come from them. (via <a
href="http://techblog.avira.com/2010/02/02/most-phished-brands-january-2010/en/">Avira</a>)</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/02/02/avira-most-phished-brands-january-2010/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item><title>Top List Of Brands That Experienced The Most Phishing Attacks In 2009</title><link>http://www.ghacks.net/2009/12/19/top-list-of-brands-that-experienced-the-most-phishing-attacks-in-2009/</link> <comments>http://www.ghacks.net/2009/12/19/top-list-of-brands-that-experienced-the-most-phishing-attacks-in-2009/#comments</comments> <pubDate>Sat, 19 Dec 2009 18:16:53 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[avira]]></category> <category><![CDATA[chase bank]]></category> <category><![CDATA[ebay]]></category> <category><![CDATA[paypal]]></category> <category><![CDATA[phishing]]></category> <category><![CDATA[phishing statistics]]></category> <category><![CDATA[top brands]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=21589</guid> <description><![CDATA[Avira has published a top list of brands that experienced the most phishing attacks in 2009. The top 3 brands according to their chart are PayPal with 32205 threats followed by Chase Bank with 25901 threats and eBay with 18738 threats. Each threat in this case refers to a unique Internet address that was being [...]]]></description> <content:encoded><![CDATA[<p>Avira has published a top list of brands that experienced the most phishing attacks in 2009. The top 3 brands according to their chart are PayPal with 32205 threats followed by Chase Bank with 25901 threats and eBay with 18738 threats. Each threat in this case refers to a unique Internet address that was being used to phish data from users.</p><p>One interesting aspect of the chart is that Chase Bank and eBay battled it out for most of the year and that PayPal began its rise in December, which Avira attributes to the Christmas season and the increased usage of PayPal in that season.</p><p><span
id="more-21589"></span><a
href="http://www.ghacks.net/wp-content/uploads/2009/12/toptargets.png.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2009/12/toptargets.png-500x239.jpg" alt="" title="toptargets.png" width="500" height="239" class="alignnone size-medium wp-image-21590" /></a></p><p>Several other brands experienced a lot of phishing attacks as well. Here is the top 10 list according to Avira:</p><ul><li>PayPal 32205 threats</li><li>Chase Bank 25901 threats</li><li>eBay 18738 threats</li><li>American Express 5202 threats</li><li>Bank of America 4540 threats</li><li>Abbey Bank 3978 threats</li><li>IRS 3712 threats</li><li>HSBC Bank 2762 threats</li><li>Citibank 2265 threats</li><li>Facebook 2217 threats</li></ul><p>All of the brands in the top 10 with the exception of Facebook are brands related to the finance sector or shopping. It certainly is an interesting trend that the attackers were able to produce that many phishing websites in December alone to make PayPal rise to the top of the statistics.</p><p>The statistics collected by other companies will probably differ marginally, but it is likely that the top brands listed in the <a
href="http://techblog.avira.com/2009/12/19/the-most-phished-brands-of-2009/en/">Avira</a> list are also the top brands in their listings. PayPal users should be very cautious at the moment.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2009/12/19/top-list-of-brands-that-experienced-the-most-phishing-attacks-in-2009/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item><title>Facebook Phishing Scam In The Wild</title><link>http://www.ghacks.net/2009/11/08/facebook-phishing-scam-in-the-wild/</link> <comments>http://www.ghacks.net/2009/11/08/facebook-phishing-scam-in-the-wild/#comments</comments> <pubDate>Sun, 08 Nov 2009 17:52:28 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Facebook]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[facebook]]></category> <category><![CDATA[facebook login]]></category> <category><![CDATA[facebook login page]]></category> <category><![CDATA[facebook phishing]]></category> <category><![CDATA[facebook security]]></category> <category><![CDATA[phishing]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=18307</guid> <description><![CDATA[Offering a popular website or web service is not always a blessing. This especially becomes apparent when you have to deal with security related issues like phishing attacks. Facebook is without doubt one of the most popular sites on the Internet these days and it therefore comes as no surprise that the service is regularly attacked. Trend [...]]]></description> <content:encoded><![CDATA[<p>Offering a popular website or web service is not always a blessing. This especially becomes apparent when you have to deal with security related issues like phishing attacks. Facebook is without doubt one of the most popular sites on the Internet these days and it therefore comes as no surprise that the service is regularly attacked.</p><p><a
href="http://blog.trendmicro.com/are-you-being-facebook-phished/">Trend Micro</a> is reporting on yet another Facebook phishing attack that is currently in the wild. The attack begins &#8211; like most phishing attacks &#8211; by mass mailing potential Facebook users informing them that they need to update their <a
href="http://www.ghacks.net/2009/10/27/facebook-login-page/">Facebook login</a> credentials. A link is offered in that email and if they follow that link they land on a website that looks like Facebook. What&#8217;s interesting here is that the email address field of the <a
href="http://www.ghacks.net/2009/10/17/facebook-login/">Facebook login form</a> is already filled out so that the Facebook user only needs to enter the Facebook password to complete the process.</p><p><span
id="more-18307"></span><img
src="http://www.ghacks.net/wp-content/uploads/2009/11/facebook_phishing-500x437.gif" alt="facebook phishing" title="facebook phishing" width="500" height="437" class="alignnone size-medium wp-image-18308" /></p><p>A click on the login button will open a new page that contains a link to an update tool which <a
href="http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&amp;name=TROJ_ZBOT.CDX">installs</a> a trojan on the user&#8217;s system.</p><blockquote><p>It attempts to access a Web site to download a file which contains information where the Trojan can download an updated copy of itself, and where to send its stolen data. This configuration file also contains a list of targeted bank-related Web sites from which it steals information. Note that the contents of the file, hence the list of Web sites to monitor, may change any time.</p><p>It attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user’s account information, which may then lead to the unauthorized use of the stolen data.</p></blockquote><p><img
src="http://www.ghacks.net/wp-content/uploads/2009/11/fake_facebook_login-500x405.gif" alt="fake facebook login" title="fake facebook login" width="500" height="405" class="alignnone size-medium wp-image-18309" /></p><p>The blog post contains security tips on how to distinguish legitimate emails from phishing emails. Users who are interested in those can visit the blog post, but the most important lesson once again is to avoid clicking on links that are sent via email.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2009/11/08/facebook-phishing-scam-in-the-wild/feed/</wfw:commentRss> <slash:comments>3</slash:comments> </item> <item><title>SafeOnline Protects PCs Even If They Are Infected</title><link>http://www.ghacks.net/2009/11/03/safeonline-protects-pcs-even-if-they-are-infected/</link> <comments>http://www.ghacks.net/2009/11/03/safeonline-protects-pcs-even-if-they-are-infected/#comments</comments> <pubDate>Tue, 03 Nov 2009 21:42:51 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[banking]]></category> <category><![CDATA[phishing]]></category> <category><![CDATA[prevx]]></category> <category><![CDATA[safeonline]]></category> <category><![CDATA[security-software]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=18078</guid> <description><![CDATA[I have been working for one of the biggest financial organizations in Germany. One of our jobs was to deal with customers who had fallen prey to phishing and other malicious attacks. The attacks in the beginning were not sophisticated at all, including emails with errors, no personal information and even some from other organizations [...]]]></description> <content:encoded><![CDATA[<p>I have been working for one of the biggest financial organizations in Germany. One of our jobs was to deal with customers who had fallen prey to phishing and other malicious attacks. The attacks in the beginning were not sophisticated at all, including emails with errors, no personal information and even some from other organizations that the customer had never dealt with before. The phishing emails started to get more professional and it became harder to educate customers about the dangers.</p><p>SafeOnline is a security program developed by <a
href="http://www.prevx.com/safeonline.asp#nogo">Prevx</a> that is available as a standalone software or as part of Prevx 3.0. This program, according to its developers, is able to protect PCs against many forms of phishing and pharming even if they are infected.</p><p><span
id="more-18078"></span>How is it done?</p><blockquote><p>The core protection lies in the ability to block keyloggers, screen scrapers, man-in-the-browser attacks, session hijackers, clipboard grabbers, and a number of other threats commonly installed by trojans like SilentBanker, Bancos, Zeus, Torpig, and Curtwail onto thousands of PCs daily. Rather than focusing on being able to identify the threats themselves, SafeOnline works to isolate the browser from the rest of the system even if unknown threats exist that try to steal data from the user. System level malware generally attempts to read data from the browser but Prevx introduces a layer in-between the browser and the rest of the operating system, tricking the threats into thinking that they have successfully read and transmitted the user&#8217;s credentials outside of the system when they have not. Unlike other solutions, Prevx SafeOnline works with the user&#8217;s existing browser, without requiring the use of a specialized browser so there is no need for the user to change their browsing habits &#8211; protection is applied seamlessly and silently in the background.</p></blockquote><p>This sounds like a reverse sandbox where the contents in the sandbox are protected from the rest of the computer system. According to Prevx it offers protection against</p><blockquote><p> * Man-In-The-Browser<br
/> * Phishing attacks<br
/> * Keyloggers<br
/> * Screen Grabbers<br
/> * Cookie Stealers<br
/> * Info Stealing Trojans such as ZEUS, MBR, Goldun, and Silent Banker</p></blockquote><p>Prevx has contacted several banks in the UK offering their product for free to the bank&#8217;s customers. Six banks so far have shown interest in the product. These banks had special requirements according to <a
href="http://www.pcworld.com/article/181310/software_shields_online_banking_on_infected_pcs.html?tk=rss_news">PC World</a> that included that the product would work with other security software and would not force the banks to change their websites. The security product was able to meet all of these requirements.</p><p>Verdict: The main question here is if it is really safe. Will it really defeat all keyloggers and phishing attacks? What if the security software fails to do so? What if users feel overconfident using the software? It might work as an extra layer of defense on a PC system, but it might take a while before the company can build enough trust in their product. Thanks Dante for the tip.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2009/11/03/safeonline-protects-pcs-even-if-they-are-infected/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item><title>Twitter Account Suspended? Be Careful What You Post</title><link>http://www.ghacks.net/2009/10/12/twitter-account-suspended-be-careful-what-you-post/</link> <comments>http://www.ghacks.net/2009/10/12/twitter-account-suspended-be-careful-what-you-post/#comments</comments> <pubDate>Mon, 12 Oct 2009 15:49:01 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Online Services]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[f-secure]]></category> <category><![CDATA[phishing]]></category> <category><![CDATA[twitter]]></category> <category><![CDATA[twitter account]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=17190</guid> <description><![CDATA[You might have already read about it in the news elsewhere: The Twitter account of security researcher Mikko H. Hyppönen of F-Secure got suspended without warning two days ago. Mikko tried to contact Twitter support and tried everything in his power to understand why his Twitter account was suspended in the first place. He received a [...]]]></description> <content:encoded><![CDATA[<p>You might have already read about it in the news elsewhere: The Twitter account of security researcher Mikko H. Hyppönen of F-Secure got suspended without warning two days ago. Mikko tried to contact Twitter support and tried everything in his power to understand why his Twitter account was suspended in the first place. He received a short message from a Twitter representative after two days that mentioned why his account was suspended and that it was unsuspended.</p><p>Here is how Mikko <a
href="http://www.f-secure.com/weblog/archives/00001789.html">describes</a> what happened in his blog: He posted a warning about a new MySpace phishing website two months ago as a tweet using his Twitter account. This message contained an unclickable url of the phishing website to warn users and spread the word.</p><p><span
id="more-17190"></span><img
src="http://www.ghacks.net/wp-content/uploads/2009/10/twitter_suspended4-500x247.png" alt="twitter suspended" title="twitter suspended" width="500" height="247" class="alignnone size-medium wp-image-17191" /></p><p>Twitter, after two months, figured that the url was a phishing url and made the decision to suspend the account. It is not clear if this was an automatic or manual suspension. The Twitter account of Mikko was restored after two days and the following explanation was given:</p><blockquote><p>I’ve unsuspended your acct.<br
/> You were suspended for using the malware URL rnyspeceDOTcom in DMs.<br
/> Be careful!<br
/> We scan evrythng for malware.</p></blockquote><p>To make matters worse, all of his followers and people that he followed were not restored. Both counts showed 0.</p><p>The whole incident raises several questions:</p><ul><li>Why was the Twitter account banned after two months and not immediately?</li><li>Why did no one notify the Twitter user about the suspension?</li><li>Why did it take two days to restore the account?</li><li>Why can&#8217;t the followers and followed be restored?</li></ul><p>Twitter&#8217;s reaction fell short and put the blame on the Twitter user rather than on an ineffective way of handling the incident. Until things change, Twitter users should be very careful what they post on Twitter.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2009/10/12/twitter-account-suspended-be-careful-what-you-post/feed/</wfw:commentRss> <slash:comments>4</slash:comments> </item> <item><title>Phishing Protection Tips</title><link>http://www.ghacks.net/2009/10/07/phishing-protection-tips/</link> <comments>http://www.ghacks.net/2009/10/07/phishing-protection-tips/#comments</comments> <pubDate>Wed, 07 Oct 2009 08:57:42 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[phishing]]></category> <category><![CDATA[phishing protection]]></category> <category><![CDATA[phishing scams]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=16998</guid> <description><![CDATA[It is time to update the phishing protection article that we published some time ago (see Phishing explained) with the recent news that thousands of Hotmail users (and apparently Gmail users as well) fell prey to yet another phishing scam. What is phishing? Phishing, which stands for password fishing, is a popular technique to get [...]]]></description> <content:encoded><![CDATA[<p>It is time to update the phishing protection article that we published some time ago (see <a
href="http://www.ghacks.net/2006/01/25/phishing-explained/">Phishing explained</a>) with the recent news that thousands of Hotmail users (and apparently Gmail users as well) fell prey to yet another phishing scam. What is phishing? Phishing, which stands for <strong>p</strong>assword f<strong>ishing</strong>, is a popular technique to collect data from users without their knowledge. This data is usually sensitive in nature, like credit card information or usernames and passwords. The attackers first need to get a user onto a specifically prepared website, which often looks exactly like the real website the user wants to visit.</p><p>Think of this example: A user receives an email from PayPal or his bank which states that the account was compromised and that action needs to be taken right now. A link is provided and most users will click on that link to get to the website fast. The website looks like the real PayPal or bank website, which adds to the trust the user has in the process. The website asks for authorization and most users will enter their data without hesitation. The data that is entered will be collected by the attackers and used in criminal activity.</p><p><span
id="more-16998"></span><strong>What is phishing</strong>:</p><ul><li>Phishing always requires a user to visit a specifically prepared website (most of the time through a link that is added in emails or messaging)</li><li>The fake website looks a lot like the real website (there are ways to detect fake websites)</li><li>The goal of the attackers is to get the user to enter the data that they are after into a web form.</li></ul><p><strong>Phishing protection</strong>:</p><p>The most powerful weapon against phishing is common sense and the following rules that every user should abide by.</p><ul><li>If you are not a customer of the site, delete the email immediately. Don&#8217;t click on the link or reply.</li><li>If you are a customer and you are not sure if the email is legit, do one of the following:<ul><li>Contact the institution by phone or through the contact options on the official website (do not use the email link, of course) and ask if the mail is official.</li><li>Instead of using the link provided, open the website by typing the official address into the address bar. Most of the time the site will have news about the email on its front page. If not, use the first option to verify the email.</li></ul></li></ul><p>Thankfully though there are quite a few tools out there to aid and protect the user against phishing attacks.</p><ul><li>Most web browsers these days come with phishing protection enabled. The lists that they use are usually updated several times a day. It has to be noted though that they only detect phishing websites that are already in the list.</li><li>Several email clients, like Mozilla Thunderbird, but also online email services, like Gmail or Yahoo Mail, make use of phishing protection as well.</li><li>Internet security programs do come with phishing protection as well.</li><li>Password managers can be an excellent aid. If you have saved the login for a website in the password manager you usually can log in automatically (Last Pass for example supports that option). The password manager will only work on the real website and not the phishing website.</li></ul><p>The most powerful protection again is the user&#8217;s common sense. Here are a few pointers on how to detect if a website is real or a phishing site:</p><ul><li>Check the url in the address bar. Is it pointing to the right website? Make sure you look closely for characters that look similar, e.g. o and 0.</li><li>Is it an https website? Is the certificate valid?</li><li>Does the website look different? Open another web browser tab and enter the url manually just to be on the safe side (if you have opened an external link)</li></ul><p>Firefox users can check if the <a
href="http://www.ghacks.net/2009/10/06/test-the-phishing-protection-in-firefox/">phishing protection</a> of their web browser is working. Do you have additional phishing protection tips?</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2009/10/07/phishing-protection-tips/feed/</wfw:commentRss> <slash:comments>9</slash:comments> </item> <item><title>Test The Phishing Protection In Firefox</title><link>http://www.ghacks.net/2009/10/06/test-the-phishing-protection-in-firefox/</link> <comments>http://www.ghacks.net/2009/10/06/test-the-phishing-protection-in-firefox/#comments</comments> <pubDate>Tue, 06 Oct 2009 12:48:34 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Browsing]]></category> <category><![CDATA[Firefox]]></category> <category><![CDATA[firefox phishing]]></category> <category><![CDATA[firefox security]]></category> <category><![CDATA[firefox web forgery]]></category> <category><![CDATA[phishing]]></category> <category><![CDATA[web forgery]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=16981</guid> <description><![CDATA[There are basically two options to protect computer systems (and their users) from phishing attacks. The first are protections in programs like email clients or instant messengers that are commonly used to spread phishing links while the second method blocks the web browser from opening those links (when they have already been clicked on). The [...]]]></description> <content:encoded><![CDATA[<p><img
src="http://www.ghacks.net/wp-content/uploads/2009/06/firefox.png" alt="firefox" title="firefox" width="128" height="128" class="alignleft size-full wp-image-13848" />There are basically two options to protect computer systems (and their users) from phishing attacks. The first are protections in programs like email clients or instant messengers that are commonly used to spread phishing links while the second method blocks the web browser from opening those links (when they have already been clicked on). The phishing protection &#8211; they call it web forgery protection &#8211; in the Firefox web browser belongs to the second protection option against phishing attacks.</p><p>Firefox will display a warning whenever the user tries to open a website that is a reported phishing website. Updated phishing and malware lists are automatically downloaded every 30 minutes if the web forgery protection is enabled in the web browser.</p><p><span
id="more-16981"></span>The following screen is then displayed if a website is opened that is on that list of phishing and malware websites.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2009/10/web_forgery-500x192.jpg" alt="web forgery" title="web forgery" width="500" height="192" class="alignnone size-medium wp-image-16982" /></p><p>The user still has the option to ignore the warning and proceed with the site loading, but it is generally recommended to stop at this point and close the tab. There is however one nagging question that some Firefox users have. How can they be sure that the phishing protection is working in the web browser?</p><p>Mozilla has created a specifically prepared website that will trigger the phishing protection. Users who open the <a
href="http://www.mozilla.com/firefox/its-a-trap.html">It&#8217;s a trap</a> website at Mozilla.com will see the web forgery warning if the phishing protection is enabled and working in the web browser. Everyone else will simply see the test website.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2009/10/firefox_phishing_protection-500x301.jpg" alt="firefox phishing protection" title="firefox phishing protection" width="500" height="301" class="alignnone size-medium wp-image-16983" /></p><p>Firefox users who do not see the warning page should open Tools > Options > Security in the Firefox options and ensure that the entries Block reported attack sites and Block reported web forgeries are checked.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2009/10/firefox-security-500x176.jpg" alt="firefox security" title="firefox security" width="500" height="176" class="alignnone size-medium wp-image-16984" /></p><p>The phishing test website will not work with other browsers even if they offer phishing protection as well.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2009/10/06/test-the-phishing-protection-in-firefox/feed/</wfw:commentRss> <slash:comments>4</slash:comments> </item> <item><title>Hotmail Phishing Attack: Time To Change Passwords</title><link>http://www.ghacks.net/2009/10/05/hotmail-phishing-attack-time-to-change-passwords/</link> <comments>http://www.ghacks.net/2009/10/05/hotmail-phishing-attack-time-to-change-passwords/#comments</comments> <pubDate>Mon, 05 Oct 2009 19:26:30 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Email]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[hotmail]]></category> <category><![CDATA[hotmail phishing]]></category> <category><![CDATA[last pass]]></category> <category><![CDATA[msn]]></category> <category><![CDATA[phishing]]></category> <category><![CDATA[windows live]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=16961</guid> <description><![CDATA[Microsoft has recently confirmed that thousands of Windows Live Hotmail customers&#8217; credentials were exposed on a third party website. According to Neowin the account information was posted by an anonymous user at the pastebin website. The list that was posted contained over 10,000 account details of accounts starting with the letters A and B which [...]]]></description> <content:encoded><![CDATA[<p>Microsoft has recently confirmed that thousands of Windows Live Hotmail customers&#8217; credentials were exposed on a third party website. According to <a
href="http://www.neowin.net/news/main/09/10/05/thousands-of-hotmail-passwords-leaked-online">Neowin</a> the account information was posted by an anonymous user at the pastebin website. The list that was posted contained over 10,000 account details of accounts starting with the letters A and B, which suggests that additional lists might be in the hands of the attackers. Initial investigations suggest that only accounts used to access Windows Live Hotmail were affected (which includes email accounts ending with hotmail.com, msn.com or live.com).</p><p>Microsoft determined that the attack was not a breach of internal Microsoft data and believes that the account data was gained by a phishing attack. Phishing attacks are common ways these days to lure users into entering their account data on websites that look like the real deal but are not.</p><p><span
id="more-16961"></span>Hotmail users are encouraged to immediately change their account password to protect the account from unauthorized access. It is furthermore recommended to change the account password on other websites if the same password was used for accounts there as well.</p><p>A good tool that can help users create and use secure passwords is the <a
href="http://www.ghacks.net/2009/05/23/internet-explorer-password-management-add-on/">Last Pass</a> extension which is available for Firefox, Internet Explorer and Google Chrome.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2009/10/05/hotmail-phishing-attack-time-to-change-passwords/feed/</wfw:commentRss> <slash:comments>7</slash:comments> </item> </channel> </rss>
