 |
Home | Rates | GCFlash | Contact Us | Search | Site Map |
| About GCF | Online Banking Center | Personal Banking | Commercial Banking | Tools | Favorites | Our Communities | Contact Us |
|
||||
|
||||
The ultimate in electronic access, high-yield savings accounts. Learn which great product is right for you! Details
|
||||
|
||||
|
|
||||
|
 |
|||
 |
SECURITY CENTER
|
Phishing For Trouble
Stop Spyware Before It Stops You |
Fooling Keyloggers
Internet Security Threats Becoming More Sophisticated |
PHISHING FOR TROUBLE
Despite efforts to curb phishing attacks, more aggressive tactics and black market tool kits have led to an increase in the crime according to a report by U.K. security firm MessageLabs. Their September 2007 report reveals that one in every 87.2 e-mails is a phishing attack, up from one in 93.3 in January 2007. The company finds phishing e-mails comprise 56 percent of all malware threats reported, such as viruses and Trojans.
One factor contributing to the rise is the availability of phishing kits that make sophisticated attacks simple to carry out by even the most non-technical criminals. The technique allows each compromised computer within a botnet to host multiple phishing sites at the same time. These sites are then replicated across the entire botnet, making them harder to shut down.
The report also found senior management executives are increasingly becoming targets of new attacks. One such threat involved an e-mail assault portraying a message from a recruitment company. A Microsoft error message appeared when the e-mail was opened, luring the victims to click on an .rft attachment that dropped two files onto the user's computer. The files then passed sensitive information back to the perpetrator.
Paul Wood, senior analyst at MessageLabs, said "Two years ago the number of such attacks accounted for one to two incidents per week. One year ago this rose to one to two per day. This year it has risen to around seven to 10 per day."
These numbers may be conservative according to information compiled by the Anti-Phishing Working Group (APWG). The global pan-industrial and law enforcement association received 28,888 incident reports in June '07, a 23% increase over the previous month. New phishing sites reached a record high of 55,643 in April.
As large companies became more diligent in securing their perimeters, cyber criminals turned their focus to smaller businesses to find new victims. Fresh blood attracted even more criminals to the arena, made especially easy with the proliferation of tool kits now available.
The tool kits are easier to find than one would expect. You can purchase a "Certified Ethical Hacking toolkit" on eBay for $10 to $20. Certified Ethical Hacking, CEH, is a certification provided by the International Council of E-Commerce Consultants awarded to security professionals trained to test systems as real hackers do. But such courses focus on technique rather than hacking kits, leading experts to believe the tool kits are more likely used for criminal activity.
Huge profits, the anonymity of the Internet plus a tool kit that makes sophisticated attacks easy to carry out equals an opportunity that crooks can't resist. And their numbers are growing by staggering proportions.
One security professional went undercover in an effort to understand the mindset and technique behind these crimes. He described the phishing community as being made up of specific roles and jobs.
The spammer creates and sends e-mail messages with a link to the phishing site. They often use botnets, zombie machines, to send messages in bulk within a short period of time in order to hit inboxes before spam filters can catch them.
The casher is a person who cashes out compromised bank accounts. With methods in place to extract currency from specific institutions, they advertise their services to others in the community through channel blogs.
And then there's the ripper, a person who rips off the phisher by keeping the sensitive data for their own activity rather than send it as agreed when obtaining the kit.
After a few weeks getting accustomed to the process and lingo, the undercover spammer convinced users to send him tools and phishing kits. He was to deploy the tools and send the gathered information back to the phisher. He was surprised to find common backend files with the same names in a variety of kits.
He also discovered that the phishers themselves are actually being scammed... by advanced phishers who hide code that e-mails the stolen information not only to the perpetrator of the attack but also back to the originator who sold them the kit.
Read the complete article.
With such a large community and huge profits to be made, this crime won't go away anytime soon. Don't let your guard down by thinking your spam filter is enough to keep you protected. Be certain the e-mail you open does, in fact, originate from a trusted source.
HOW TO AVOID A PHISHING SCAM
Never provide your personal information in response to an unsolicited request, whether it is over the phone or over the Internet. If you did not initiate the communication, you should not provide any information. If you question whether the message is legitimate, contact the institution yourself using phone numbers and web sites found on your monthly statements. A financial institution would never ask you to verify your account information online.
Review account statements regularly to ensure all charges are correct. If your account statement is late in arriving, call your financial institution to find out why. Online banking provides an excellent tool for early fraud detection. Frequent monitoring of your account activity allows you to stop a thief before the damage is out of control.
Contact Steven Botto, GCF's Security Officer, at extension 359 if you believe your personal information has been compromised.
STOP SPYWARE BEFORE IT STOPS YOU
Are you inundated with constant pop up ads? Is your computer performing sluggish? Has your home page changed seemingly by itself? Your computer could be under the control of spyware.
Spyware, and its counterpart adware, are computer programs that install themselves without your knowledge. While most offenders are advertising ploys that are merely annoying, others can suck up valuable computer resources or track your keystrokes and send your personal info back to their creator to steal your identity.
Spyware is downloaded through various methods. Those little pop up boxes warning that your computer may be infected with spyware can actually download the culprit into your system if you click for details. Are you really a free winner? You'll end up the loser if you let your curiosity get the best of you. A lot of the free downloads on the web come with a steep price, including file-sharing programs such as BearShare and Kazaa. Screensavers, emoticons and desktop features are often accompanied by unwanted marketing tools, i.e., adware. Even some free spyware removal tools are actually installing the very programs they claim to detect and remove.
Not every free download or pop up box contains a threat. Some adware can actually be beneficial. Companies you do business with could collect demographic data or track which sites you visit to customize your online experience. If you come across a product or tool that you're interested in, feed its name, vendor or other key information into a search engine. You'll instantly see in the results whether or not it is legitimate. The Better Business Bureau maintains information on over two million business. Check out the company online at bbb.org.
Congress has three bills on the table to enable prosecution of violators. But to date, only one charge has been levied against a perpetrator. The best defense lies in the hands of an informed pc user.
Download tools or features only from a trusted web site. Know that links appearing on the right frame of your Google search results are paid advertisements, not an endorsement of legitimacy. Read the terms and conditions of anything you download. While this can seem dull and lengthy, how the vendor handles your personal information is hidden in the fine print. Resist the urge claim that free prize. Don't follow links sent in an e-mail.
There are several good, free tools online to rid your computer of unwanted programs. The editors of PCWeek magazine tested product offered at several of the most common spyware removal web sites. Read their results.
INTERNET SECURITY THREATS BECOMING MORE SOPHISTICATED
The Federal Deposit Insurance Corp. (FDIC) was once again the target of a phishing attack, this time the deception was so authentic that even savvy internet users fell victim. Experts are alarmed by the level of sophistication displayed in this recent episode.
The e-mail falsely claims that the FDIC has developed a new program that will track suspicious activity on accounts linked to consumers' ATM, credit, debit and check cards in an effort to prevent identity theft. The e-mail contains an authentic-looking FDIC logo and a link to a spoofed Web site located in China.
Consumers are told that most major U.S. banks are participating in the program, and urged to register their cards immediately on the spoofed site.
The e-mail message is well-written, in contrast to other such deceptions that we've gotten accustomed to recognizing as fraud. And the spoofed site is nearly identical to the FDIC's actual site, including a page describing this "new program".
Tracing these spoofed sites back to their developer is very difficult. The average lifespan for these fraudulent sites is 2.5 days. Just enough time to e-mail millions of unsuspecting recipients... and reap the benefits of the 3% that fall prey.
Beware of anything announced via e-mail. If an offer sounds interesting, research it further before offering your personal information. Call the company directly using a telephone number you already know. Or visit the company's official Web site by typing in a known URL rather than using the link provided in the e-mail. Just clicking on that link can cause you problems, even if you don't submit personal information. Bogus e-mails can set cookies on your system that allow the sender to track information about your online habits, including capturing your keystrokes and relaying your login information back to the perpetrator.
New threats emerge almost daily, most prey on human curiousity. Resist those images of sexy, young female athletes or the Saddam Hussein hanging. They're often a tool used to download malware. Know that legitimate banks, lenders and government agencies will not ask for personal information via e-mail. Updated operating system and anti-virus products are essential in avoiding risk. Education and preventive measures are your best defense.
FOOLING KEYLOGGERS
Keeping abreast of current events just might be the greatest benefit seen from the advent of global communications. Even if you live on a faraway tropical island, you're connected to the rest of the world through the Internet. And also prey to the same scams, threats and trickery you tried to escape when you chose to leave the "real" world.
Informed readers already know that the greatest online identity theft risk comes through keyloggers. This type of software was developed to help companies monitor employee computer usage to assure they were using it for business purposes. But it didn't take long for crooks to see its potential. By installing the software without the user's knowledge, they could capture login names and passwords to a text file they could email back to themselves.
While different forms of keylogging software use various techniques to capture your valuable data, there are tricks you can use to avoid the most common methods.
The most efficient way is to maintain high security standards, preventing the download of the intruding program in the first place. But if your system was compromised before you configured the latest and greatest spyware prevention tools, your information is still being captured.
Most keylogging programs are designed to recognize nothing more than actual keystrokes, not mouse activity. So one way to fake them out would be to type extra characters into your password in the box, then click just to their right and backspace to delete them. The software would capture the fake password and backspaces, but not where they were located. This method works best if you insert the fake characters in the middle of your password, or better yet, throughout it. Putting them at the end makes it easier to guess which characters you're eliminating.
This technique isn't foolproof, more sophisticated programs could still figure out your password by trial and error since they would have the key elements. But it would do the trick in most cases.
Another method even more effective is to copy and paste your login name and password where required. Using keyboard shortcuts Ctrl-C to cut and Ctrl-V to paste, the only keystrokes captured would be C-V-C-V.
Store your user names and passwords on a text file saved to a removable drive, then plug it in and copy/paste only when you need it. Or write yourself a little paragraph that includes the letters, numbers and symbols you need and copy/paste each character as necessary. Here's an example assuming your password is hard to crack such as "re%G42k."
Your paragraph could read something like:
"Last year we saw a 20% increase in Green Mountain trees. We took our 4 kids to Jupiter."It doesn't have to make sense, and contains all the characters you need to cut and paste where needed. To cut and paste, use your mouse and click to highlight the character you want to copy. Hold down your Control key while tapping the letter "c." That character is now saved to your clipboard. Click in the password field of your login box. Again hold the Control key while tapping the letter "v." The character you saved to your clipboard is now pasted into the password field. Continue until your entry is complete.
This method is a bit tedious, but effective. And well worth the trouble it takes to safeguard your good name and credit.
One tool I find to be especially effective in preventing unwanted downloads is McAfee's Site Advisor. They test the links embedded on every site and report whether they find them safe or alert you if they're known to download unwanted adware, spyware or malware. In conducting research for this article, I came across a link for a keylogger detection scanner program. The information came from a reliable source so I thought it might be good to pass along. But first I wanted to check it out. I stopped immediately when a big red box appeared. The warning included which specific links on the Web site were known to be troublesome.
Site Advisor also works with Google to warn you at a glance whether any sites returned in your search results should be avoided. Each listing will be marked with either a big green check mark if they found the site safe, or a red X for those that aren't. For more information, visit siteadvisor.com.