funsec mailing list archives

[phishing] identities lost in phishing (fwd)


From: Gadi Evron <ge () linuxbox org>
Date: Mon, 18 Sep 2006 06:48:09 -0500 (CDT)

Hi guys. I would like to invite you to come to the phishing list and
participate in this discussion.

To subscribe:
http://www.whitestar.linuxbox.org/mailman/listinfo/phishing

        Gadi.

---------- Forwarded message ----------
Date: Mon, 18 Sep 2006 06:37:39 -0500 (CDT)
From: Gadi Evron <ge () linuxbox org>
To: phishing () whitestar linuxbox org
Subject: [phishing] identities lost in phishing

As I often comment, it is funny to me (not really but hold on) when people
scream about this or that organization losing a laptop with 20K
identities. What's 20K?

Obviously that is important, and speaks volumes of corporate security and
of privacy issues. Still, it is insignificant in a laughable fashion when
compared to what's being stolen daily online.

Every day, millions of online identities and website credentials are
lost. Millions. Every day.

This is done through trojan horses which are spread (bots, worm
fashion) among an immense online population.
There are thousands of new variants to these bots coming out every month
dedicated specifically as a targeted attack on online financial institutions.

These attacks target the financial online sites (banking, eCommerce,
etc.) not by attacking them directly on the macro level, but rather by
multiple micro-level attacks against their users, en masse.

These trojan horses (bots) are so advanced, they utilize rootkit
technology, and when the user surfs to an HTTPS site, use
man-in-the-middle attacks on the machine itself to steal his or her
credentials.

These credentials in turn are sent to the remote attackers for further
processing.

A lot of money is lost this way. This is a world-wide problem, but it is
especially apparent (as the bad guys utilize the data more and more) in,
but not limited to, the UK and Europe.
In the US this is a growing trend, but it is mostly ignored by the
defenders (most are not aware of it) as regular primitive "email
phishing" is still the most apparent threat there. This is largely due to
US banks still mostly using username and password authentication.

Email phishing is important and a large threat, but it is doomed to death
(it will still be here 10 years from now, like Nigerian scams are here
today, but as a specific threat it will diminish into obscurity).

Phishing today should become the root in a tree called Online Financial
Fraud or eFraud. That, friends, is not going away whether in blogs, trojan
horses, email or your cell phone.

These trojan horse attacks, as they are located on the user's machine
itself, are not stopped by 2-factor authentication, etc. There are things
that can be done, but when the security problem is on a remote machine not
under the, say, bank's control, there is not much they can do with their
current confidence risk assessment systems.

There are solutions, but these are to be discussed another time. It is
obvious that one of the biggest problems facing banks, and ESPECIALLY
eCommerce sites (without the physical-space presence) is how to establish
reputation systems that will provide a technological risk assessment
confidence decision as to how safe it is to work with a remote user.

The web channel is the cheapest and most effective in banking today, and
banks will not want to lose it.

We (Alan Solomon and myself) cover some of the market involving this
technology and how it works in a recent paper we published in the Virus
Bulletin September edition:
http://www.beyondsecurity.com/whitepapers/SolomonEvronSept06.pdf

Others here with experience on this, who are willing to talk, please share
your experience with us.

        Gadi.

_______________________________________________
phishing mailing list
phishing () whitestar linuxbox org
http://www.whitestar.linuxbox.org/mailman/listinfo/phishing

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.