Tuesday, July 28, 2009

Online Banking Scam

1 Overview
Not all people that send undesirable email (spam) are the same. Their motives differ as greatly as their tools and technical abilities. This document uncovers a spam gang who seeks to acquire your banking information, and the response from one of the targeted victims: Citibank.

This document describes the unique bulk-mailing tool used for a recent rash of financial email scams. These scams target financial entities such as Citibank, Wells Fargo, Halifax Bank, eBay, and Yahoo. Only one specific spam gang uses this tool for these financial scams. This spam gang started slowly with only a few members, but has since grown in both gang membership and spam volume.

All emails and headers are provided unmodified with the following exception: all personal information has been modified to protect the identity of the recipient. These modifications are denoted with a bold and underlined typeface. Every effort has been made to retain the same data format without disclosing personal information. For data taken from the public domain, such as newsgroup postings and messages from open forums, no effort has been made to modify the data or protect the publicly disclosed recipient.
2 The Citibank Scam
With the growth of online banking comes online fraud. These schemes vary from web sites that "look" like the actual financial institution to email asking for personal banking information. At first glance, the email below (Fig. 1) looks like just another one of these simple bank fraud schemes.

Figure 1: Sample Citibank Scam

Received: from host70-72.pool80117.interbusiness.it ([80.117.72.70])
by mailserver with SMTP
id <20030929021659s1200646q1e>; Mon, 29 Sep 2003 02:17:00 +0000
Received: from sharif.edu [83.104.131.38] by host70-72.pool80117.interbusiness.it (Postfix) with
ESMTP id EAC74E21484B for <e-response@securescience.net>; Mon, 29 Sep 2003 11:15:38 +0000
Date: Mon, 29 Sep 2003 11:15:38 +0000
From: Verify <verify@citibank.com>
Subject: Citibank E-mail Verification: e-response@securescience.net
To: E-Response <e-response@securescience.net>
References: <F5B12412EAC2131E@securescience.net>
In-Reply-To: <F5B12412EAC2131E@securescience.net>
Message-ID: <EC2B7431BE0A6F48@citibank.com>
Reply-To: Verify <verify@citibank.com>
Sender: Verify <verify@citibank.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit

Dear Citibank Member,

This email was sent by the Citibank server to verify your e-mail
address. You must complete this process by clicking on the link
below and entering in the small window your Citibank ATM/Debit
Card number and PIN that you use on ATM.
This is done for your protection -t- becaurse some of
our members no longer have access to their email addresses and
we must verify it.

To verify your e-mail address and access your bank account,
click on the link below. If nothing happens when you click on the
link (or if you use AOL)K, copy and paste the link into
the address bar of your web browser.

http://www.citibank.com:ac=piUq3027qcHw003nfuJ2@sd96V.pIsEm.NeT/3/?3X6CMW2I2uPOVQW

y———————————————
Thank you for using Citibank!
C———————————————

This automatic email sent to: e-response@securescience.net
Do not reply to this email.

R_CODE: ulG1115mkdC54cbJT469

At a quick glance, this email appears to be from Citibank, as it contains a Citibank URL. But a closer inspection indicates a financial scam:

* The email contains multiple misspellings and grammatical errors, such as "becaurse" and "This automatic email sent to:".
* The content contains hash-busters (unique characters in the contents that are used to bypass hash-based spam filters). For example, the "-t-" and "K" in the main paragraphs, and the "y" and "C" before the long lines of hyphens. Different recipients received the message with different hash-buster characters.
* Although the included URL begins with "www.citibank.com", it actually goes to "sd96v.pisem.net" [ref 1]: a browser treats everything before the "@" in the URL as a username and password, and the real host is the name that follows it. This server is hosted in Moscow, Russia and is not part of Citibank.
* The email header does not originate from Citibank. Instead, it originated from a DSL system in Italy. Network scans of this host (Appendix A) indicate that the system was likely compromised.
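The two indicators just listed can be checked mechanically. The Python below is an added example, not code from the original report: it reads a raw message, compares the host a reader sees at the start of each URL with the host the browser will actually connect to, and compares the From: domain with the host named in the Received: header that the receiving mail server itself added (lower Received: lines can be forged by the sender). The embedded message is a trimmed copy of the Figure 1 sample.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Trimmed copy of the Figure 1 message (personal data already redacted in the report).
SAMPLE = """\
Received: from host70-72.pool80117.interbusiness.it ([80.117.72.70])
 by mailserver with SMTP; Mon, 29 Sep 2003 02:17:00 +0000
From: Verify <verify@citibank.com>
Subject: Citibank E-mail Verification
Content-Type: text/plain

Dear Citibank Member,
click on the link below.

http://www.citibank.com:ac=piUq3027qcHw003nfuJ2@sd96V.pIsEm.NeT/3/?3X6CMW2I2uPOVQW
"""

URL_RE = re.compile(r"https?://\S+")


def real_host(url: str) -> tuple:
    """Return (apparent_host, real_host) for a URL.

    A victim reads the start of the authority as the host, but everything
    before the last '@' is userinfo; urlsplit().hostname gives the real host.
    """
    parts = urlsplit(url)
    apparent = parts.netloc.split("@")[0].split(":")[0].lower()
    return apparent, (parts.hostname or "").lower()


def connecting_host(msg) -> str:
    """Host named in the topmost Received: header, i.e. the one our own
    mail server wrote when it accepted the connection."""
    received = msg.get_all("Received") or []
    m = re.search(r"from\s+([\w.-]+)", received[0]) if received else None
    return m.group(1).lower() if m else ""


def sender_domain(msg) -> str:
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def analyze(raw: str) -> dict:
    """Flag URLs whose visible prefix differs from the real host, and a
    From: domain the connecting host does not belong to."""
    msg = message_from_string(raw)
    result = {"from_domain": sender_domain(msg),
              "connecting_host": connecting_host(msg),
              "url_deceptions": []}
    for url in URL_RE.findall(msg.get_payload()):
        apparent, real = real_host(url)
        if apparent != real:
            result["url_deceptions"].append((apparent, real))
    result["header_mismatch"] = not result["connecting_host"].endswith(
        "." + result["from_domain"])
    return result


if __name__ == "__main__":
    print(analyze(SAMPLE))
```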

People who clicked on the link saw the Citibank web page and a popup that prompts for login information (Fig. 2, Fig. 3). Although the Citibank web page actually came from Citibank, the popup came from a non-Citibank server. Victims who entered banking information in the popup essentially gave their accounts to an unknown scam artist.

Figure 2: Trojan login popup from 29-Sep-2003. [ref 2]

Figure 3: Reply screen after entering login information.
2.1 Mass Mailing Revisions
The 29-Sep-2003 mass mailing (Fig. 1, Fig. 2, and Fig. 3) is actually the second revision of the fraudulent bank emails. The first revision appeared on 16-Aug-2003 and asked the recipient to view new banking terms and conditions. Users who clicked on the link were redirected to a server in China. The first revision included the recipient's email address as a field in the URL. The second revision replaced the address field with a series of random characters. The popup for the second revision only asked for the user's Card and PIN numbers. The third release on 25-Oct-2003 (Fig. 4) was revised to prompt for the user's Card number, PIN number, and expiration date.

In nearly every case, a Russian server was used, either to host the requests, or to act as a web-bug and count the number of hits. For example, the web bug from the first revision can be found here. According to this web-log, there were 107,274 hits on 16-Aug-2003, and 91,573 hits on 17-Aug-2003 (Fig. 5). These were primarily due to responses to the first spam message. In contrast, the day before the mass mailing, there was only one web-log entry, from "68.82.62.191", a cable modem in Tybouts Corner, Delaware. The Delaware system was used 8 out of 10 times in the week prior to the mass mailing [ref 3] (Fig. 6) and was likely used for testing the web server. It is unclear whether this is the IP address of the actual perpetrator or a compromised host. Network scans of the host suggest the presence of a firewall and no open proxy services, so it is unlikely that the host previously provided an open proxy [ref 4].

Figure 4: The third revision of the Citibank trojan login, from 25-Oct-2003. A server in Moscow, Russia provides the popup but the main window actually is the Citibank home page.

Figure 5: Number of daily web hits recorded by the Russian web bug from the 16-Aug-2003 Citibank mailing.

Figure 6: IP addresses from the week preceding the 16-Aug-2003 mailing. A Delaware address repeatedly accessed the web bug prior to the mass mailing. This likely indicates someone testing before the public release.


Thursday, July 16, 2009

Cyber crime bigwigs using big-business tactics

Cisco cybercrime report says "The novel thing is that [cybercriminals] have taken the Harvard Business School, General Electric board room business training and applied it to their old techniques"

Cyber criminals are aping executives when it comes to sales, marketing, and risk management in the world of online treachery, according to a report released by networking giant Cisco. "A lot of techniques they are using today are not new; it is really about how they may be doing some of the same old things," said Cisco chief security researcher Patrick Peterson. "The novel thing is that they have taken the Harvard Business School, General Electric board room business training and applied it to their old techniques."

AFP reports that the California technology firm specializing in computer networking gear summarized current threats in a "Midyear Security Report" that concludes hackers are increasingly operating like successful businesses.

Peterson cited how cyber hackers capitalized on interest in the death of pop icon Michael Jackson in late June. Disasters, celebrity doings, and other major news is routine fodder for bogus emails and websites booby-trapped with computer viruses, but in the case of Jackson's death, crooks cranked out fake news stories to dupe readers. "They had their criminal copy editors working on copy for the story as fast as it happened," Peterson said. "They brought the Jackson story to market in a way that rivals media outlets. They have an advantage; they don't have to do any reporting."

Billions of spam messages with links to trick Web sites or videos promising scintillating Jackson images and information were fired off in the days after his 25 June death, according to Cisco. "Sales leads" that followed online links were turned into "customers," whose computers were stealthily infected with nefarious codes for stealing data, usurping control of machines or other evil deeds.

Cyber criminals are reportedly embracing a nefarious version of a "cloud computing" trend of offering computer applications online as services. Commanders of infected computers woven into "botnet" armies rent out illegally assembled networks to fellow criminals for sending spam, launching attacks or other deeds, according to Cisco. Peterson told of an "anti-anti-virus" online operation called "Virtest" that charges hackers monthly fees to keep them informed about which security firms can detect their malicious programs. "It's a criminal service," Peterson said of the operation, which appears to be based in Russia. "We've seen lots of examples of criminals sharing tools, but we've never seen a commercial business like this."

Spammers also employ a business marketing practice of packing booby-trapped websites with terms typically used as keywords in various Internet search engines so that their links land high in query results. Cisco referred to the practice as "Spamdexing."

"Because so many consumers tend to trust and not be suspicious of rankings on leading search engines, they may readily download one of the fake software packages assuming it is legitimate," Cisco said in the report.

Cyber crooks are also hunting for prey in the rapidly expanding population of mobile telephone users by sending trick text messages. Criminals have taken to sending blanket text messages to numbers based on area codes of local banks directing people to call into a service center to address supposed concerns about their accounts. Callers are connected to automated voice systems that, feigning to represent the banks, ask people to enter account passwords and other personal information that can later be exploited, Peterson said.

Online social networks, according to Cisco, are becoming popular "customer acquisition" territory for cyber criminals.

"It's big business now to penetrate those networks," said Peterson.

People in online communities are more likely to click on links and download content they believe is from people they know and trust, the report said.


U.S. Secret Service forms three new task forces

New task forces will deal with electronic crimes, and the agency says the partnerships will bring together law enforcement, academia, and private sector

The U.S. Secret Service has announced the formation of three new Electronic Crimes Task Forces (ECTFs), a public-private partnership aimed at fighting high-tech computer-based crimes. The three new U.S.-based task forces are located in St. Louis, Kansas City, and New Orleans and join an existing network of nationwide operations. The Secret Service also recently announced the creation of the first European Electronic Crimes Task Force, based in Rome, Italy, to provide a forum through which U.S. and European law enforcement agencies, the private sector and academia can collaborate to investigate, suppress and prevent computer related crimes.

"One of the top priorities for the Secret Service continues to be combating the computer related crimes perpetrated by domestic and international criminals that target the U.S. financial infrastructure," said Secret Service director Mark Sullivan. "Building on the success of the Secret Service's highly successful model, the addition of our new task forces has expanded the number of ECTFs from 24 to 28."

The ECTF approach developed by the Secret Service has generated unprecedented partnerships among law enforcement at the local, state, federal and international level, the private sector and academia. The types of investigations handled by the Electronic Crimes Task Forces encompass a wide range of computer-based criminal activity, including network intrusions, hacking cases, identity theft, and other computer related crimes affecting financial and other critical infrastructures.

The Secret Service has a history of working with other law enforcement agencies and believes in partnerships versus membership, where there is a strong emphasis on prevention and education, in addition to traditional law enforcement measures. The agency says that the Electronic Crimes Task Force model provides a productive framework and collaborative crime-fighting environment in which the resources of its participants can be combined to effectively and efficiently make a significant impact on cybercrime.

Other law enforcement agencies bring additional criminal enforcement jurisdiction and resources to the task force, while representatives from private industry and academia bring technical expertise and research capabilities.


Tuesday, July 14, 2009

What CEOs Don't Know About Cybersecurity
Andy Greenberg

Being the chief executive has its privileges. And one of them may be a blissful ignorance of your company's data breach risks.

According to a study to be released Tuesday by the privacy-focused Ponemon Institute, companies' chief executives tend to value cybersecurity just as--if not more--highly than their executive colleagues. But compared to lower-level execs, CEOs also tend to underestimate the frequency of cyberthreats their organization faces.

The survey, which was funded by cybersecurity firm Ounce Labs, asked 213 senior executives about their perceptions of data breach risks. Among those respondents, just 17% of CEOs said their company faced attempts by cybercriminals to steal data at least once every hour, compared with 33% of other executives. By contrast, nearly 50% of CEOs said their company experienced an attack "rarely"--less than once a week--while only 32% of other executives reported the same frequency of cyberthreats.

That disconnect, says Ponemon founder and lead researcher Larry Ponemon, isn't a matter of CEOs not valuing cybersecurity. On the contrary, about 77% of chief execs said that preventing cyber attacks and insider data theft was "important or very important" compared with just 51% of other respondents.

But Ponemon says that CEOs' staffs may not tell them the full extent of a company's data risks. "Even in the most transparent of companies, there's a bit of hesitance to give the CEO a report of vulnerabilities or even small breaches," says Ponemon. "We don't know how much filtering of bad news happens that keeps CEOs from hearing some of the darker secrets."

There's plenty of evidence to support the views of the survey's more paranoid respondents. Cybersecurity firms, such as Finland's F-Secure, detect more than 20,000 new variations of malicious software churned out by hackers every day. In fact, the rate of publicly known data breaches has been steadily rising for years, with 646 breaches recorded in 2008, a 46% increase over 2007, according to the Identity Theft Resource Center.

In January, Princeton, N.J.-based payment processor Heartland Payment Systems revealed that it had been the victim of a cybercriminal operation that had gained access to as many as 100 million credit card numbers, potentially the largest data breach of all time.

Despite that sort of high-profile hack, the CEOs interviewed in Ponemon's survey seemed especially unconcerned about cybercrime as a source of data breaches. While 31% named stolen PCs or thumb drives as a source of data loss, only 3% cited malicious hackers as the top threat for their company's data security--about a fifth as many as the lower level employees who cited cybercriminals as the most important threat.


Sunday, July 12, 2009

Number of U.K. data breach incidents on the rise

Security breaches in the U.K. -- in both the private and public sectors -- are on the rise; one third of firms unaffected by a data loss incident had introduced an enterprise-wide encryption policy

Seven in ten U.K. organizations experienced a data breach incident over the last year, up from 60 percent in the previous year. The third edition of an annual survey by the Ponemon Institute, sponsored by PGP, also found that 12 percent of the 615 public and private sector organizations probed were hit by five data loss incidents over the previous year. Less than half of these breaches (43 percent) were disclosed publicly, while disclosure of the remainder was neither a legal nor a regulatory requirement.

John Leyden writes that the public sector (reporting an average of 4.48 breaches per organization) and financial services firms (3.11 incidents per year) were worst affected by data security problems. By contrast, none of the entertainment, media or defense firms polled reported any problems.

One third of firms unaffected by a data loss incident had introduced an enterprise-wide encryption policy, something PGP argues is needed to tackle the data loss problems posed by lost laptops and stolen smart phones.

The study found that the majority (57 percent) of U.K. organizations are using some form of encryption technology, most frequently file and database server encryption or Virtual Private Networks. Around a third (34 percent) of current U.K. corporate spending in encryption is focused on key management, the survey further reports.

A separate recent study by the Ponemon Institute estimates that data breaches cost around £60 per compromised record. Since the estimation of financial losses arising from data security breaches is a notoriously inexact science, it would be wise to treat this figure with caution.

The growth in the number of data breaches is happening at the same time as awareness of the importance of protecting sensitive data is also on the rise, with 61 percent describing data protection as either "important" or "very important" in wider risk management efforts. The EU Privacy Directive was cited as the most important regulation in the area, followed by the credit card industry's PCI DSS requirements and the U.K. Data Protection Directive.


Sunday, July 5, 2009

IDentiWall eBanking presentation


Thursday, July 2, 2009

Online security fears affect consumers more than economy

Seventy-two percent of consumers said the economy has not changed the way they shop online, but nearly half of consumers have terminated an online order due to security fears, according to a new survey by web security vendor McAfee.

Tim Dowling, vice president of McAfee's web security group, said security concerns are the driving force behind whether an online transaction is completed or terminated.

According to the survey, 63 percent of online consumers won't purchase from a website that does not display a trustmark or security policy.

A trustmark is a seal, logo or icon displayed on e-commerce websites to show that merchants are making an effort to protect their customers.

The Harris Interactive study also showed that 90 percent of consumers are concerned about their security when shopping on new or unknown sites and 47 percent of consumers look for trustmarks to feel safe when shopping on a lesser known site.

By displaying a trustmark, the lesser known site can prove credibility to potential customers and gain market share from larger sites, McAfee said.