Tuesday, June 4, 2013

Spear Phishing, Malware and too much information

Phishing attacks are a deceptive form of social engineering that exploits current web, network and email security technologies. The goal of a phishing attack is to obtain access to someone’s username, password, financial account information or access to confidential information that can be sold on a black market.

In the past, most of these arrived as emails that were very easy to spot, but that’s changing. Now the emails are well disguised and extremely convincing. They are also targeted, or SPEAR PHISHED, at their intended victims. Phishing attacks combine data obtained from social media sites and other websites to create specific, deceptive communications for their targets.

This is how these COULD BE DONE

Your friend’s [insert popular social media here] account password is compromised. The person with that access now sees that you are a fan of Bank of America and that you post to your [insert popular social media here] using an iPhone. I’m not picking on iPhones; this is just an example.

They also see that your mobile phone and email address are shared with your friends through [insert popular social media here].

"The Bad Guys" now have the following:
  1. Your email account
  2. The fact that you own an iTunes account (99.9% of all iPhone users do)
  3. They know what bank you use and what fake email to send
  4. They have your cell phone to send you fake notices about your bank account, iTunes account or email account.
  5. You may be currently out of town on vacation (bonus for them)
Now "the Bad Guys" are going to masquerade as a trustworthy source. They may choose the source from the information they obtained from the hacked social media account.

Occasionally banks will verify that you are using your credit card outside of the normal area.   So you don’t think anything of it when you get a text, email or even a phone call from your bank asking you to answer a few questions to verify your card is authorized to be used away from your home.


You get an email that appears to arrive from your bank.   You click the link on your laptop. You have just installed something called a Blackhole Exploit Kit or “Man-in-the-Browser” attack. 

The banking link doesn’t appear to do anything to the laptop. It may just freeze up or restart your browser. So you decide to go to your bank the traditional way. What you don’t see is that the bank site is redirected and masked by this malware. So you are really entering information into an infected or spoofed site controlled by “the Bad Guys”.
The site looks legitimate, but it may ask for more user credentials than you usually provide.  It might say something like “Your request can’t be processed.  Please verify the following information.” 
[Image: a non-infected BOA account message. Image from LMG Security.]

[Image: an infected BOA account page asking for too much information. Image from LMG Security.]


The site will ask for an unusual amount of information for verification. Be familiar with what your bank’s HELP tab says about the information they may require. If you are ever prompted for more than they state, then something is wrong.
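One way to automate the check described above, as an added example that is not from the original post or from LMG Security: compare the fields a rendered sign-in form asks for against the short list the bank documents. The baseline, the field names and both sample pages are constructed for illustration.

```python
from html.parser import HTMLParser

# Assumption: the only fields the bank's help page says its sign-in form uses.
BASELINE_FIELDS = {"online_id", "passcode"}


class FormFieldCollector(HTMLParser):
    """Collects the name (or id) of every user-facing form control."""
    CONTROLS = {"input", "select", "textarea"}
    IGNORED_TYPES = {"hidden", "submit", "button", "image", "reset"}

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.CONTROLS:
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "text").lower() in self.IGNORED_TYPES:
            return
        # A control without a name still counts; fall back to its id.
        self.fields.append((a.get("name") or a.get("id") or "<unnamed>").lower())


def unexpected_fields(rendered_html, baseline=BASELINE_FIELDS):
    """Return the visible form fields that are not in the documented baseline."""
    parser = FormFieldCollector()
    parser.feed(rendered_html)
    return sorted(set(parser.fields) - set(baseline))


# Constructed sample: the sign-in form as the bank serves it.
CLEAN_PAGE = """
<form action="/login" method="post">
  <input type="hidden" name="csrf" value="constructed">
  <input type="text" name="online_id">
  <input type="password" name="passcode">
  <input type="submit" value="Sign In">
</form>
"""

# Constructed sample: the same form after extra "verification" fields appear.
INJECTED_PAGE = CLEAN_PAGE.replace(
    '<input type="submit"',
    '<input type="text" name="card_number">\n'
    '  <input type="text" name="secret_answer">\n'
    '  <input type="password" id="atm_pin"/>\n'
    '  <input type="submit"',
)

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        extra = unexpected_fields(page)
        print(label, "->", "ALERT: " + ", ".join(extra) if extra else "ok")
```

Because this kind of malware changes the page inside the browser, the input has to be the page as the browser rendered it, not a copy fetched separately from the server.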


Most are less likely to fall for this, but it apparently works.

You aren’t at your computer and you get a quick text message from a strange number. It appears or claims to be from your bank or even your email provider. It says your account has been compromised and tells you to follow a link to verify your information and change your password.

Some even ask you to text back your password.   I hope you see the problem.  Your bank isn’t going to do this.

Phone Call

This one takes marbles. As I mentioned earlier, our bad guys know you are out of town. They also have your cell number. They assume that you will be using your credit card. They have a very professional-sounding (usually female) caller call your cell and ask you if you are using your card out of town. They explain they just want to make sure it hasn’t been stolen. This makes you feel great that they are watching out for you. They then claim that in order to avoid your card being declined they would like you to verify a few things. They ask for your username, your password, a secret question, the card number, etc.

If you suspect this is baloney, and it is, you should knowingly give them some false information. They will accept it as the real thing and end the call.

There is a reason all the security in the world can’t prevent this. That’s because we humans are oftentimes very careless. We love to share, and are encouraged to share, our personal information on blogs (I'm guilty), social media, and other sites. Phishing attacks have been around since before the internet and they will continue to exist. Use caution.
To learn more about Banking Malware, see this very informative post from LMG Security.