Sunday, November 22, 2009

NCSA: Security concerns drive shopping cart abandonment

Even in tough times when bargains are being sought by many, consumers are still wary of pouncing on a purchase if they have doubts about a site's online security. E-commerce sites that don't reassure consumers their personal data is secure are risking losing out on sales.

by Helen Leggatt

In what looks like another tough holiday season, online retailers need to do all they can to secure a sale. One area that many overlook is online security. Recent studies have shown that consumers are abandoning shopping carts if they feel their identities or personal information are at risk in the hands of a retailer.

A new poll by the National Cyber Security Alliance (NCSA) and Symantec found that security concerns were behind 63% of online shoppers' decisions to terminate a purchase. In addition, 46% terminated a purchase because of worries about providing the information being requested, 41% were unhappy at the amount of information being asked of them and 32% were unsure as to how the data they provided would be used.

"Americans are extremely focused on protecting their personal information and their identities," said Michael Kaiser, executive director of the NCSA. "Skepticism is a front-line defense and it is heartening to see that Americans are actively engaged in making critical decisions when shopping online. This poll should alert online retailers that there is a direct relationship between security and revenue."

Earlier this year a study released by McAfee found that around half of consumers have abandoned a shopping cart due to security fears. Even in an attempt to find a bargain, 63% will not make a purchase from a website that does not display a trust-mark or have a clear security policy.

"Online retailers who ignore the role security plays in converting digital window shoppers to customers are missing out on billions of dollars they can't afford to lose in this economy," said Shane Keats, senior research analyst for McAfee.

As well as pushing security features in marketing, online retailers can also help reassure consumers by educating them about online security and actively promoting and displaying security policies at vital touch-points within their websites.

 

Monday, November 16, 2009

Cyber crims make millions through fake anti-virus software

Kelly Gregor

Cyber criminals are taking control of people’s computers and forcing them to buy compromised malware in order to regain control of their machines, online security specialist AVG says.

The biggest challenge facing anti-virus and anti-spyware providers is making people aware of the constant dangers online. Most users don’t realise when they have entered a bad site and don’t realise they have a virus until it’s too late.

AVG global security strategist Larry Bridwell said the industry, the providers and the media needed to raise awareness and better educate people about the threats online, as the people creating and developing the attacks were only after one thing, money.

Mr Bridwell said AVG was seeing between 100,000 and 200,000 new variants of cyber crime via phishing attacks, spam, worms and viruses. About 60% of these new attacks are online for less than a day.

AVG researcher Nick Fitzgerald said cyber criminals were making millions of dollars every year from tricking people into buying goods they never receive, or hacking into financial systems and stealing money by forcing people to buy bad malware in order to regain control of their machines.

Mr Fitzgerald said the problem with the latter was that once compromised malware has been downloaded onto a computer, the criminals can hold the machine ransom and demand more money for false updates and upgrades.

Customers using AVG software to protect their computers can receive real-time updates every 30 seconds. Mr Fitzgerald said AVG collected data from its customers’ computers, details including sites visited that have been compromised, where the malware is coming from and how these criminals are manipulating computers and IP addresses to do “their dirty work”.

The majority of money earned through cyber crime is ending up back in Eastern Europe, especially the Ukraine and Romania, South East Asia and South America.

“These people are very good at what they do when they put their minds to it. But they are lazy because they are only interested in money,” he said.

A good example of this was when the tsunami hit Samoa and many bad sites emerged masquerading as legitimate news sites. Mr Fitzgerald said the first seven search links under Samoa tsunami were compromised. These sites appeared before news sites such as The New Zealand Herald, The Times, The Guardian and CNN.

These criminals were playing on the emotion of the event and targeting people’s generosity through false fundraising appeals.

This week, AVG in Australia has reported three compromised Google sites. AVG was in Auckland yesterday to promote the launch of its new anti-virus platform 9.0.

 

Copycat websites set to rob Christmas shoppers of millions

High street stores targeted as fraudsters become ever more sophisticated

Jo Cugley at home in Haywards Heath. She had a bad experience when buying measuring cups online.

Online shoppers are at risk of losing money or becoming victims of fraud if they buy from scam or "copycat" websites this Christmas.

Experts are warning consumers to be on their guard after an increase in copycat websites of high street stores that look legitimate. There is also a proliferation of "bargain" websites selling counterfeit items or goods that fail to arrive. Many of these websites appear safe, with encrypted web pages and logos of secure payment services such as PayPal.

Ross Anderson, an online security expert at the University of Cambridge says: "It's easy enough to create copycat sites. At the end of last month there were at least ten dodgy 'Littlewoods sites'." Neither Trading Standards nor the Office of Fair Trading has the power to close down a dodgy website, and the police's e-crime unit refused to tell Times Money whether it had taken action against any retailers.

Sarah Kidner, of Which? Computing magazine, says: "Hundreds of websites ripping people off flourish because there is no effective policing online." Here Times Money explains how to shop safely this Christmas.

Copycat sites

Ms Kidner says it is easy for copycat websites to copy and paste the logo of a high street store. The Marks & Spencer, Topshop and John Lewis sites, for example, all allow this easily.

"Domain names that slightly misspell a shop's name can be bought for as little as £7. These would be used to build a fake site in the hope that someone accidentally misspells the web address when typing it in the address bar," she says. "The logo of a payment system such as PayPal can be pasted on to add credibility to a site and to make it appear secure."

Harriet Homuth, a Times Money reader, bought two tops in August from a website that looked like the Abercrombie & Fitch site — www.abercrombiestore.co.uk — which had the PayPal logo. Her items never arrived. The real site is www.abercrombie.com; the fake one has been taken down. PayPal says that it had nothing to do with the site.

A quick Google search reveals at least four similar sites still up and running, including www.abercrombiefitchshop.co.uk and www.fitchabercrombie.com. A spokesman for Abercrombie & Fitch says: "We have no association with these websites and we have shut them down on numerous occasions. They are registered by Chinese nationals on web servers in protected countries. They pop back up quickly after being shut down."

Ms Kidner adds: "Victims of copycat websites are likely never to receive their goods. Worst-case scenario, fraudsters will use their credit or debit card details to empty their bank account."

The easiest way to lure a victim on to a copycat website is via a phishing attack, when an e-mail invites someone to click on a link, perhaps to confirm an order or to update their details. Traditionally, this has been a problem for banks, but retailers are targeted increasingly as well.

"People are more careless and more easily phished when their accounts are with non-banks — eBay is a big target and Amazon," says Mr Anderson.

Kate Fisher, 54, received an e-mail recently purporting to be from the fashion store Great Universal, asking her to click on a link to "confirm an item in your shopping basket". Ms Fisher, who lives in Lurgashall, West Sussex, had never shopped at Great Universal. She did not click on the link, but rang the store to ensure that an order had not been made. The e-mail was a phishing attack that would have taken her on to a fake website; it has now been taken down.

It is also possible for your computer to be corrupted by a "pharming" attack, when you type a legitimate website address into your browser and still end up at a fake site. Tony Neate, of GetSafeOnline.org, says: "Check the address in your browser's address bar to make sure that it matches the address you typed. Subtle changes ('eebay' instead of 'ebay', for example) may indicate a pharming attack." The best way to guard against such attacks is to install anti-spyware software, as well as anti-virus software and a firewall.
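The address-bar check described in this section can also be run by a retailer or mail gateway against links in reported e-mails or newly seen domains. The Python code below is an added example, not part of the original article; the official-domain list, the short suffix table (a stand-in for the Public Suffix List) and the distance thresholds are assumptions, and the sample hosts are constructed from the names quoted above.

```python
from urllib.parse import urlsplit

# Assumption: the retailer's own allowlist of official domains.
OFFICIAL = ("abercrombie.com", "ebay.com")
# Simplification: stands in for the Public Suffix List.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz"}


def hostname(value):
    """Return the lowercase host name from a URL or a bare host name."""
    if "://" not in value:
        value = "//" + value
    try:
        return (urlsplit(value).hostname or "").rstrip(".")
    except ValueError:  # malformed input such as an unclosed '['
        return ""


def registrable_label(host):
    """Return the label the registrant chose, e.g. 'abercrombiestore'."""
    parts = host.split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LEVEL_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    rows = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        rows[i][0] = i
    for j in range(len(b) + 1):
        rows[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            rows[i][j] = min(rows[i - 1][j] + 1,         # deletion
                             rows[i][j - 1] + 1,         # insertion
                             rows[i - 1][j - 1] + cost)  # substitution
            if (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                    and a[i - 2] == b[j - 1]):
                rows[i][j] = min(rows[i][j], rows[i - 2][j - 2] + 1)  # swap
    return rows[len(a)][len(b)]


def classify(value):
    """Return (verdict, matched_official_domain_or_None) for a URL or host."""
    host = hostname(value)
    if not host:
        return ("invalid", None)
    for official in OFFICIAL:
        if host == official or host.endswith("." + official):
            return ("official", official)
    label = registrable_label(host)
    for official in OFFICIAL:
        brand = registrable_label(official)
        if label == brand:
            # Same name under a suffix that is not on the allowlist.
            return ("other-suffix", official)
        # Assumed thresholds: one edit for short names, two for long ones.
        if edit_distance(label, brand) <= (1 if len(brand) < 8 else 2):
            return ("typo", official)
        # Brand name padded with extra words, or placed in a subdomain.
        if any(brand in part for part in host.split(".")):
            return ("brand-embedded", official)
    return ("unrelated", None)


# Constructed sample inputs (names taken from the article or made up).
SAMPLES = [
    "www.abercrombie.com",
    "www.abercrombiestore.co.uk",
    "http://www.fitchabercrombie.com/checkout",
    "eebay.com",
    "abercrombie.com.evil.example",
    "news.example",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:45} {classify(sample)}")
```

Anything other than `official` is a prompt for review rather than proof of fraud, since a retailer may legitimately own names that are missing from the allowlist.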

Scams and dodgy sites

Shoppers looking for a bargain, or a particularly niche present, are most likely to fall victim to a dodgy website.

Consumer Direct receives thousands of complaints about Ugg boots and designer handbags bought at "bargain" prices online that either never arrive, or are counterfeit goods. Rebecca Farrell from Manchester fell victim to an online scam recently when she signed up for dieting tablets from viv3labs.helpserve.com. She was told that a trial of the pills would cost only £1, but to her horror she later discovered that two debits of £76.73 each had been taken from her bank account. She says: "I spoke to Trading Standards who told me this practice is illegal and it is unlikely that I will get my money back." The site did not respond to calls or e-mails from Times Money.

Fraudsters often have poor English and dodgy websites can be littered with spelling and grammar errors. "Many phishing and spoof websites originate in foreign countries and are written and programmed practically overnight," says Phil D'Angio, of VeriSign, the online security service. If a website address is prefixed with https:// it means that the connection to the site is encrypted, so the information you enter is protected in transit; as noted above, scam sites can have encrypted pages too. Also, make sure that the padlock appears in the browser interface rather than in the content of the page itself.

Problems with legitimate sites

The potential problems when buying online are manifold, from goods not arriving to poor after-sales service and not being given a refund.

Steve Langdown, from Newcastle upon Tyne, bought a Samsung home cinema system last month from www.pixmania.co.uk. He says: "It clearly stated on the website that the system came with an iPod dock. Well, it didn't and there are no obvious ways to connect an iPod dock. I have received no satisfactory responses to my e-mails and the product description on the website has removed the reference to the iPod dock." Pixmania did not respond to Times Money's e-mails and the company's call centre, based in the Czech Republic, was unable to comment.

Consumer Direct told Times Money that Mr Langdown's rights under the Sale of Goods Act apply; i.e., that goods must be as described, fit for purpose and of satisfactory quality, and he, therefore, has the right to claim a full refund. However, many people find it impossible to enforce their consumer rights.

Sara Gibson, from Abingdon, Oxfordshire, was looking for a present for her sister — a Sony Freeview recorder — and the lowest price she found was online at www.totaldigital.biz. The recorder arrived, but it broke a month later. Total Digital sent her a new one, but Ms Gibson said that it smelt of cigarette smoke and there was dirt around the buttons, so she sent it back and requested a refund, which she never received. Total Digital, the internet arm of Premier Audio Visual Centre, told Times Money that it had never received the Freeview recorder that Ms Gibson sent back, but agreed as a gesture of goodwill to issue a refund.

Before buying anything from a website for the first time, google the site and look for problems experienced by other users on consumer forums. If you have problems with a product bought online, call Consumer Direct for advice on 08454 040506. Buying online with a credit card is safer than a debit card, because if something goes wrong you may be able to claim a chargeback from your card issuer.

Case study: It took nine months for goods to arrive

Jo Cugley, 26, bought her boyfriend some cooking utensils from www.decuisine.co.uk for his birthday earlier this year. It took nine months for the goods to arrive.

She says: "I had to call and e-mail hundreds of times, and eventually threaten the site with legal action before the goods were finally sent. Unfortunately, I paid the £25 on my debit card so I was unable to claim back the cost from the bank."

Ms Cugley, a wine buyer from West Sussex, found decuisine through Google after searching for kitchen gadgets. However, the site is littered with spelling errors, such as "Childrens Birthday Party's", and while the payments page displays a Thawte security logo, this is only a JPEG that can be cut and pasted. Users should be able to click on the logo to reveal the website's security credentials, but when you click nothing happens.

If Ms Cugley had googled "problems with de cuisine" before she had made the purchase she would have found complaints about the site on consumer forums from people waiting months for their goods.

Decuisine did not respond to Times Money's e-mails or calls.

How to shop safely

Be wary of any unfamiliar retailer, especially those claiming to sell bargains.

Pay using a credit card, not a debit card. Remember, security logos such as PayPal may be fake.

Before you buy, see if other customers have had problems by searching for the site on consumer forums such as Moneysavingexpert.com.

Never click on a link from an unsolicited e-mail.

Always check that the website name is correct in the address bar.

 

Thursday, November 12, 2009

Third of Agencies Report Daily Cyber Incidents

Survey: 44% of Agencies Had More Security Incidents in Past Year

Eric Chabrow, Managing Editor
November 11, 2009

Nearly one-third of federal agencies report at least one cybersecurity incident each day, with more than half reporting such occurrences weekly, according to a survey released Tuesday of 300 federal information security professionals conducted by CDW-Government, a provider of IT wares.

Among other findings of the survey, which was conducted in September:

  • 44 percent of agencies reported increases in security incidents last year, with 31 percent saying cybersecurity incidents have increased in severity.
  • One-third of respondents picked malware as their No. 1 daily cybersecurity issue, followed by inappropriate employee activity/network use and managing remote user access, both 25 percent.
  • 47 percent of the infosec pros surveyed - equally split between civilian and defense agencies - cited external sources as their greatest threat, followed by agency employees, 23 percent, and contractors, 10 percent.
  • Among internal threats, 66 percent of respondents cited inappropriate web surfing and downloads; 50 percent, lost devices; and 40 percent, lost, stolen or shared passwords. In fact, 44 percent of those surveyed said they had seen an employee post a password in a public place.
  • 52 percent of front-line federal IT professionals report they have adequate budget to meet needs.

CDW-G also asked respondents about the Trusted Internet Connections program, which reduces the number of Internet connections, and nearly half - 47 percent - said the program has reduced the number of connections their respective agencies have to the Internet. Of those that have reduced connections, 82 percent said it has improved their agency's security posture.

 

Sunday, November 8, 2009

ACH fraud scams total $100 million, FBI says

The surge of Automated Clearing House (ACH) fraud committed by criminals stealing the online banking credentials of small and midsize businesses has resulted in approximately $100 million in attempted losses, according to the FBI.

Criminals are hitting businesses at a rapid clip, with several new cases opened each week, the FBI said in an intelligence note released Tuesday by the Internet Crime Complaint Center (IC3).

"FBI analysis has found in most cases, the victims' accounts are held at local community banks and credit unions, some of which use third-party service providers to process ACH transactions," the IC3 reported. "The bank account holders are often small- to medium-sized businesses across the United States, in addition to court systems, school districts, and other public institutions."

The IC3 alert comes less than a week after the Federal Deposit Insurance Corporation warned of an increase in scams that recruit "money mules" to siphon money from business bank accounts through fraudulent electronic funds transfers, such as ACH transfers. The FDIC issued an alert on Aug. 26 about increased reports of fraudulent EFTs hitting banks' business customers.

IC3, which is a partnership between the FBI, the National White Collar Crime Center and the Bureau of Justice Assistance, said the attacks on SMBs typically start with a spear phishing email that contains an infected file or link to a malicious website. The email usually targets a company official who can initiate funds transfers; opening the attachment or visiting the website triggers a malware infection that includes a keylogger, which harvests banking credentials.

Fraudulent ACH transfers are directed to bank accounts of money mules, who are often recruited by criminals over the Internet with bogus work offers and directed to forward the bulk of the money overseas, the FBI said. In its alert, the IC3 noted that the fraudulent transfers in these scams also occur through the wire system, but that its bulletin specifically focused on the fraud occurring in the ACH network.

The FBI said the infection vector hasn't been determined in every case, but it identified more than two dozen different pieces of malware on the compromised computers, all with keyloggers. However, the malware isn't the only threat; the FBI's investigation revealed that a lack of controls at a financial institution or third party in some cases also posed a threat.

"For instance, in several cases, banks did not have proper firewalls installed, nor antivirus software on their servers or their desktop computers," the IC3 wrote. "The lack of defense-in-depth at the smaller institution/service provider level has created a threat to the ACH system."

In one case, criminals used a DDoS attack against a compromised ACH third-party provider that prevented the provider and the bank from recalling fraudulent ACH transfers before money mules could cash them out, according to the IC3 alert. The transfers ranged from thousands to millions of dollars.

Terry Austin, president and CEO of Guardian Analytics Inc., an online banking security technology provider based in Los Altos, Calif., said the alert reflects the trends his company has been seeing. Attackers have been targeting specific small and midsize businesses, which tend to bank at small or regional financial institutions that haven't had the resources to invest in fraud prevention, he said.

"What it comes down to is the big vulnerability these banks have is the online account," Austin said. "You almost have to assume the user's computer has been compromised by the criminals in some way, whether by phishing or downloaded malware. No amount of anti-phishing or anti-spyware user education will prevent all endpoints from being compromised. The attacks are too prolific."

Over the past six months, his firm has seen increased interest in its fraud detection technology from regional banks trying to solve the current fraud problem, Austin said. Preventing the problem requires monitoring every user and every session, he added.

The FBI said that today's malware is reducing the effectiveness of signature-based antivirus and intrusion detection software, making it necessary to consider additional approaches such as user privilege reduction, application whitelisting and heuristic detection. 

 

Scareware, Rogue Ads Join Up for Hack Attacks


Two separate online security threats aimed at publishers and online advertisers are converging to form an even more potent force: Scareware is increasingly piggybacking on rogue ads to cause serious financial havoc and digital distrust - in some cases of once venerable websites - among consumers.

Scareware refers to warnings that suddenly pop up on a consumer's screen purporting to be from a security vendor. The messages often suggest that the computer has been infected by malware. To stay safe, the consumer is urged to download new security software that will eliminate the problem. Of course, the download is actually the malware.

Bogus ads are also hack attempts aimed at marketers - again, used to deliver malware. The New York Times fell victim to a rogue ad this September, as did MarketingVox in 2007. At first it was unclear what the malware in the New York Times attack was meant to do. However, now Connecticut's Better Business Bureau reports that it was used to unleash scareware on the top-tier newspaper's online readers.

Then Falls Gizmodo

More recently, the tech blog Gizmodo fell victim to similar dual tactics, according to security vendor Sophos. "Their plan was to infect as many computer users as possible with their malicious adverts," said Graham Cluley, senior technology consultant for Sophos. "They know Gizmodo gets a huge amount of traffic - once they infected the site through their adverts they could just lie in wait for their victims to visit."

What is particularly audacious about this approach is that the criminals appear to have posed as legitimate representatives of Suzuki in order to plant dangerous code on Gizmodo's site.

Search Results Too

Scareware is also piggybacking on search results, Connecticut Better Business Bureau President, Paulette Scarpetti, noted. "Hackers are also watching the headlines - such as the death of actor Patrick Swayze and the US Open - to plant infected versions of hot headlines on Google searches. Victims who click on fake search results are presented with a scareware pop-up."

Scarpetti said this new menace takes advantage of people's trust in even the most prominent websites - a trend with which online brands and marketers are painfully familiar.

Marketing to the Marketers

Not surprisingly, providers of online security packages to retailers and other corporate sites are playing on companies' fears of losing customers' trust, as they position their latest wave of security products. McAfee, for example, is touting security to get consumers to make an online purchase, in its study "Digital Window Shopping: The Long Journey to Buy".

McAfee found a majority of shoppers are "digital window shoppers," or consumers who start shopping on a site, leave for a period of time and return later to complete the sale. McAfee studied the behavior of 163 million shoppers and found that sales conversions were 11% higher for digital window shoppers who were shown a security cue - such as its own McAfee Secure trustmark.

 

Tuesday, November 3, 2009

Hackers Target Nearly 50% of German Internet Users

According to research conducted by Forsa (a German research company) for Bitkom (the IT business association), almost 50% of Internet users in Germany have been targeted by cyber criminals. The research noted an 11% increase in cyber criminals' activities over the past year, with 38,000 registered cases in the country.

Malware and PC viruses remain cyber criminals' preferred attack tactics; these two types of malicious software infected 38% of web users.

Yuval Ben-Itzhak, Chief Technology Officer, Forsa, said the report recorded a rise in cyber crime mainly because of immense efforts by criminal groups that use Trojan-enabled phishing attacks, INFO SECURITY reported on October 12, 2009. He also said that the trend reflected observations made by Finjan.

According to Ben-Itzhak, researchers reported in Finjan's Cybercrime Intelligence Report that Internet thieves are becoming shrewder at concealing their tactics so as to remain unnoticed for long periods, INFO SECURITY reported on October 12, 2009.

Finjan researchers have also found that hackers are employing Trojans like the URLzone bank Trojan and new anti-fraud detection methods to evade identification by banks as well as their customers.

Ben-Itzhak has claimed that Bitkom's figures verify their findings that online cyber crime has become a menace and reached high levels, as the skills of the hackers who operate these scams improve.

In a survey conducted last year (2008), 4 million people in Germany did not have computer security. Though 83% of survey participants had a virus security program on their system, just 67% were using a firewall. In addition, 28% of users had used an encryption program. 7% of surveyed users had no security mechanisms at all.

To evade attacks by cyber criminals, online security experts advise that firms should evaluate and strengthen their IT safety systems against the rising cyber crime in the country. Users should make sure that their safety systems are both multi-layered and updated.

 

Two-Headed Trojan Targets Online Banks
By Larry Barrett
October 29, 2009

A new Trojan called "W32.Silon" is the latest headache for online banks and their customers, packing a one-two punch that helps it evade security tokens and steal customer log-in information at the same time.

The two-headed Trojan, according to online security software vendor Trusteer, uses a "two-pronged payload" to steal log-in information and commit financial fraud at popular online banks.

"This new Trojan illustrates how advanced malware writers have become in their ability to dynamically execute multiple, bank-specific attacks with a single piece of software," Amit Klein, CTO and chief researcher at Trusteer, said in a statement. "The level of sophistication built into W32.Silon is concerning, as is its focus on circumventing strong authentication systems like card and PIN readers."

W32.Silon is a new malware variant that intercepts Internet Explorer Web browser sessions and has been associated with fraud incidents at several large banks, according to Trusteer researchers.

To steal user credentials, W32.Silon performs its initial attack when a user begins a Web log-in session and enters his username and password. The malware intercepts the log-in POST request, encrypts the requested data and sends it to a command-and-control (C&C) server.

When it targets users of online banking applications that are protected by transaction authentication devices such as tokens or banking card readers, W32.Silon waits until the user has logged in and then injects dynamic HTML code into the log-in flow between the user and the bank's Web server.

First, the malware presents authentic-looking Web pages that appear to be from the bank asking users to employ their transaction authentication device. Next, the user is asked to enter information from the device into the Web page.

This information is then used by the criminals to execute fraudulent transactions on behalf of the user, Trusteer said.

"We have put all of our banking customers on alert, and are attempting to get the word out with this advisory," Klein said.

The sophistication of online scams has evolved to a point where watchdog organizations such as the Anti-Phishing Working Group (APWG) have created an entirely new category for defining and quantifying attacks on financial institutions.

The group now defines "crimeware" as code designed to attack the data held by financial institutions.

"Due to evolution of attack sophistication, it is becoming increasingly difficult to separate and report on attacks that are specifically designed to steal customer banking information," Dan Hubbard, Websense's CTO, said earlier this month. "Additionally, attacks that only [look] for credentials from popular social networking, Webmail and gaming sites can lead to attacks for banking theft and crimeware."

Trusteer advises online banking customers to be especially vigilant when conducting transactions online and to visit its Web site for help detecting and removing the W32.Silon Trojan.