Archive for the ‘Phishing’ Category

Global Spear-Phishing: A New Threat

Thursday, April 7th, 2011

While Charlie Sheen maniacally pronounces his self-induced “winning” status to a saddened, bewildered and exhausted fan base, another growing menace actually seems poised for “winning”.

Consumers got a wake-up call on two fronts with the disclosure of the massive Epsilon Interactive data breach last week.

Our first wake-up call stems from the sheer length of the list of companies that use Epsilon’s email service to reach their customers.

The second wake-up call is the reality that so many trusted brands outsource our names and email addresses to a third-party email service provider (ESP), which has now been exposed as functionally incapable of protecting the private personal data entrusted to it.

The truth is that there is nothing you or I can do to prevent these leaks when the repository for our data is in the hands of other people.

According to the consumer advocacy group CAUCE, the following financial institutions were affected by the breach:

  • Ameriprise Financial
  • Barclays Bank of Delaware
  • Capital One
  • CITI
  • JP Morgan Chase
  • Moneygram
  • Scottrade
  • TD Ameritrade
  • TIAA-CREF
  • U.S. Bank
  • World Financial Network National Bank (Victoria’s Secret card)

The CAUCE report went on to explain:

“As well, these marketing and retail companies have reportedly had their client email, names and in some cases, other information stolen”:

  1. 1800Flowers.com
  2. AbeBooks (division of Amazon)
  3. Airmiles
  4. Beachbody
  5. Benefit Cosmetics
  6. Best Buy
  7. Best Buy Canada Reward Zone
  8. Brookstone
  9. City Market
  10. CollegeBoard
  11. Dillons
  12. Disney Destinations
  13. Eileen Fisher
  14. Ethan Allen
  15. Food 4 Less
  16. Fred Meyer
  17. Fry’s
  18. Hilton HHonors
  19. Home Shopping Network
  20. Jay C
  21. King Soopers
  22. Krogers
  23. Lacoste
  24. L.L. Bean credit card
  25. Marks and Spencer
  26. Marriott Rewards (Update: Marriott confirmed NO points totals were taken)
  27. McKinsey Quarterly
  28. New York & Company
  29. QFC
  30. Ralphs
  31. Red Roof Inns
  32. Ritz-Carlton (Update: Ritz-Carlton confirmed NO points totals were taken)
  33. Robert Half
  34. Smith’s
  35. Soccer.com
  36. Target
  37. TiVo
  38. Verizon
  39. Viking River Cruises (unconfirmed)
  40. Walgreens (for the second time)

The Epsilon breach is expected to trigger a sharp, severe and extended series of spear-phishing attacks. These attacks will target and exploit the trust relationship between the victimized brands and their clients.

It is estimated that tens of millions of people’s names and email addresses have been exposed as a result of this breach. In the past three days, our own household has received at least three notifications from worried banks and retailers.

Consumers should brace themselves for what could be a barrage of incoming phishing attempts, disguised as communication from a trusted vendor. Although most savvy internet users are aware of these ploys, now is a good time for a few timely reminders.

  • Consumers can report attempted phishing attacks to the U.S. Secret Service by emailing them at: phishing-report@uscert.gov
  • Never click a link in an email; type the web address into your browser yourself instead, so a disguised link cannot send you to a malware-serving page.
  • Security expert Brian Krebs reported that over 100 ESPs (email service providers) have been under attack by fraudsters in recent months. This is an ongoing, sustained effort to grab your information!
  • Gmail, Earthlink and Yahoo all provide tools to help fight spam and phishing attacks.

An ancient proverb comes to mind: “Trust in the gods, but tie up your camel anyway!”


The New Face of Phishing

Tuesday, August 17th, 2010

In the past six months, a dangerous new threat has emerged in the world of internet phishing. Many of us have often laughed at the crude and poorly crafted phishing attempts that invade our in-boxes.

Lest any of us fall asleep at the wheel, thinking we are already hip to the rather primitive phishing tactics of the past, this one could easily catch you in its insidious hooks if you don’t read on.

Known as “tabnapping”, this ploy is designed to psych you out with a behind-the-back switcheroo that literally kidnaps open tabs and catches even savvy observers by surprise. It relies on an almost invisible layer of embedded JavaScript. Here’s how it works.

Brian Krebs explains:

“As Mozilla Firefox creative lead Aza Raskin describes it, the attack is as elegant as it is simple: A user has multiple tabs open, and surfs to a site that uses special JavaScript code to silently alter the contents of a tabbed page along with the information displayed on the tab itself, so that when the user switches back to that tab it appears to be the login page for a site the user normally visits.”

In as little as five seconds, a tabbed page silently and almost invisibly changes to a seemingly familiar page (including the cute little “favicon” in the address bar) which asks you to re-enter your login credentials. As soon as you enter your private details, both you and your personal information have literally been “had”.
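The swap described above has to change a few observable things at once: the tab title, the favicon, and the content (a login form appears) while the tab is hidden. As an added example that is not code from the original post, here is a defensive check in JavaScript built on that observation; the snapshot shape and the function names are this example's own design, not a browser or extension API.

```javascript
// Added example (not from the original post): a defensive heuristic for the
// tabnapping pattern. Snapshot the page when the tab is hidden, snapshot it
// again when the tab regains focus, and flag a page that rewrote its title or
// favicon and grew a login form while nobody was looking.

// Capture the details a tabnapping swap has to change to impersonate another site.
// `doc` and `loc` are passed in so the logic can be exercised outside a browser.
function snapshot(doc, loc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    url: loc.href,
    title: doc.title,
    favicon: icon ? icon.getAttribute('href') : '',
    passwordFields: doc.querySelectorAll('input[type="password"]').length,
  };
}

// Compare the hidden-time snapshot with the one taken on return and list the
// indicators seen. Returns an empty array when nothing changed.
function tabnapSignals(whileHidden, onReturn) {
  const signals = [];
  if (whileHidden.url !== onReturn.url) signals.push('url-changed');
  if (whileHidden.title !== onReturn.title) signals.push('title-changed');
  if (whileHidden.favicon !== onReturn.favicon) signals.push('favicon-changed');
  if (onReturn.passwordFields > whileHidden.passwordFields) signals.push('login-form-appeared');
  return signals;
}

// A title change alone is common (unread counters, live tickers); the tabnapping
// signature is a new credential form combined with a changed title or favicon.
function isLikelyTabnap(signals) {
  const rebranded = signals.includes('title-changed') || signals.includes('favicon-changed');
  return rebranded && signals.includes('login-form-appeared');
}

// Browser wiring (e.g. from an extension content script); skipped under Node.
if (typeof document !== 'undefined') {
  let hiddenState = null;
  document.addEventListener('visibilitychange', () => {
    if (document.hidden) {
      hiddenState = snapshot(document, window.location);
    } else if (hiddenState) {
      const signals = tabnapSignals(hiddenState, snapshot(document, window.location));
      if (isLikelyTabnap(signals)) {
        console.warn(`${hiddenState.url} rewrote itself while hidden: ${signals.join(', ')}`);
      }
    }
  });
}
```

The warning is a prompt to do exactly what the post recommends: open a fresh tab and type the address yourself rather than logging in on the tab that changed behind your back.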

The best defense against this tricky new tactic is to take a time-out. Whenever a site you visit appears to have “timed out”, take some time out of your browsing frenzy to open a new tab and re-enter the desired URL yourself.

Most browsers, including Safari, Chrome, Firefox and Internet Explorer, claim to be on the lookout for you by blocking tabnapping attack code. Researchers and hackers alike have been able to sidestep many of the current blocking protections, leaving most browsers vulnerable.

Safety dictates that you don’t log in on any tab that you have not opened yourself. Get into the habit of opening fresh tabs whenever you enter a username or password.

If you forget to refresh previously opened and familiar log in pages, one day soon you could literally open up a fresh can of worms.