Turkish fraudsters just having fun, lucky for us…this time.

So Turkish fraudsters have poisoned a master DNS lookup and diverted traffic to another domain.

This time, it would appear, no harm was done other than some slight embarrassment, but the result could have been very different: Vodafone, Betfair, UPS, The Telegraph and other major organisations could have been looking at major reputational damage and a huge loss of confidence in their online presence, not to mention loss of revenue and increased costs directly due to such attacks.

We often hear from consumers that they trust the websites of major organisations because they know what they look like. However, being redirected by a poisoned DNS to an identical-looking fake site could mean consumers lose data. So no matter how big you are, you are not immune from such attacks; in fact, as in this case, the bigger the better from the fraudster’s point of view.

FCS previously warned about the issue of DNS poisoning almost 3 years ago, and it hasn’t gone away. It can be incredibly difficult to ‘know’ whether you are on an authentic site or a fake one; just because it looks right doesn’t mean it is. Phishing attacks depend on ‘look-a-like’ sites, and phishing is still on the increase.

So what’s the answer? Perhaps to use a technology that not only warns the consumer but also alerts the website owner in real-time of the presence of an attack, and automatically redirects consumers to a safe haven.

The solution is out there. But companies seem to have to get impregnated before they take precautions. In other life choices it’s the other way around.

In fact if this available British patent pending technology had been deployed this wouldn’t have even been a news story. When did you last see a headline “Bank foils thieves by locking front door”? The analogy is real, we have the technology.

First Cyber Security are manufacturers of cyber protection.


Television will never catch on – cyber-egos however, they just might

Television will never catch on. Who’s going to want to sit in a dark room to look at a small black and white picture in the corner? Of course the technology improved, the reasons got better, and we now all have a screen the size of Wales that has a great picture even with the sun shining on it.

CB Radio will never catch on. Who’s going to want to speak to people they don’t know in a 5 mile radius where most of the conversation is about what the weather is like five miles away? Of course the technology improved and became mobile phones. Mobile phones allow us to talk to anyone in the world; cleverly filtering the service so that we talk to people we actually know and want to talk to.

E-mail will never catch on; it’s a weird tool only used by academics who think an address ends with ac.uk!

Then suddenly, almost overnight, everyone has an e-mail address, every company has a web site, and Microsoft begrudgingly accept that maybe the internet is here to stay.

Texting will never catch on. Who’s going to want to send a short text message using a keyboard requiring multiple pressings to even get an ‘e’ to someone using a device primarily designed for talking to people? Of course it not only caught on, it prospered and so began the end of the conversation and the start of the statement that doesn’t want a response, except to like it and pass it on to someone else, the start of the cyber-ego.

Facebook is the simplification of everyone having their own website (other cyber-ego centric sites are available), and the preposterous extension that the rest of the world wants to look at your web site, and pictures of you on holiday, and down the pub making weird faces. If no one ever wanted to look at your holiday pictures when they were 5 by 4 photographs being passed around, or even worse, the dreaded 35mm slide show, why does anyone think people are interested when they are on Facebook?

Glory be, now we have Twitter, combining real-time statement based texting with the distribution abilities of Facebook aka the internet. We have real-time messaging that Dan Dare wouldn’t believe was possible and we use it to tell the world what we had for breakfast, or we missed our bus, or maybe something trivial. Why do we think anyone cares? Because our new improved cyber-ego tells us that all our followers (hundreds of our closest friends) are hanging on every word we say. We massage your cyber-ego and in return you massage ours. We ‘like’ and re-tweet you and you do the same in return. Suddenly there is no trivia any more, everything is equally important. You used to have to remove the wheat from the chaff. There is no chaff to remove anymore, everything is wheat. Now there is something to tweet about.

The big advantage is that now that I know everything about you, your date of birth, your mother’s maiden name, where you go on holiday, and when you go on holiday, I needn’t bother you with the chaff of applying for a credit card or a loan on-line, I have your wheat, I can do it all for you. I’m even willing to spend the money for you; after all I am one of your closest friends.

Rod Pugh is MD of First Cyber Security, manufacturers of bogus wheat detectors.

The irony of this being a blog has not escaped me – Rod


I’m not a victim of cybercrime, but my friends are. Is it my fault?

No, but you may have inadvertently collaborated with the fraudster to help him steal from your friends.

So how does this scam work? It is multi-layered. First they need access to your e-mail account. There are several ways this can be achieved. Maybe you replied to an e-mail simply telling you to re-register your details (am I that naïve? many are). Maybe they already knew a lot about you and sent you a more focused ‘spear phishing’ e-mail. Many lists of personal details have been compromised in recent times, so the previous warning, to be suspicious if the e-mail says ‘Dear Valued Customer’, no longer applies, as they probably already know your name, age and other affiliations. So they could know you are a member of a frequent flyer club or a hotel loyalty club and can send you an apparently real e-mail, one that passes all the obvious tests, asking for more details.

Or maybe you simply have a password of ‘123456’ or ‘password’ or one of the other easy-to-guess passwords we have to use because we can’t possibly remember a different password for every situation. So if they crack your frequent flyer account, are they also in your bank? So, by hook or by crook (more likely crook) they have access to your email account. No big deal, you may say, it’s not like it’s my bank account. But they now have access to the personal email addresses of all your friends, and if they send an email to your friends it will say it comes from you (for in effect it has). So now your friends all get an email saying (and this is real, not made up for illustration):

I’m writing this with tears in my eyes,my family and I came down here to England for a short vacation and we were mugged at gun point last night at the park of the hotel where we lodged,all cash and credit card were stolen off us but luckily for us we still have our passports with us…We’ve been to the Embassy and the Police here,but they’re not helping issues at all they asked us to wait for 3weeks but we can’t wait till then and our flight leaves in few hours from now but we’re having problems settling the hotel bills and the hotel manager won’t let us leave until we settle the hotel bills,we are freaked out at the moment…Well I really need your financially assistance…Please let me know if you can help us out,Write me back so i can tell you how to get it to me..

Some of your friends, seeing an email from your real account, may reply offering help. The crook is waiting for the reply (note your ‘flight leaves in a few hours’) and sends an instant ‘Please wire me £500 to…’. If a friend thinks “this is suspicious, I saw you yesterday” they may call you. But your email account has had its password changed, so you can’t log on and email all your friends even when you find out. Do you even know the email addresses of all your contacts? Probably not.

By the time you convince your email provider you are really you and they change the password again the crook has had the replies and sent out the information to send the money. If just one of your friends is fooled it’s all worthwhile.

Speed is everything. Send out the email early in the morning. When you can’t log in you may just think the service is down and you will try again in the evening. There is no reason to be suspicious.

Then a few days later a friend calls to say “Did you get back OK? I was so worried.” Oops, I forgot to warn everyone in my contact list! One hacked email account, multiple victims. The culprit has long gone before the victim even knows they are a victim. The perfect crime.

It’s not my fault, but is it my responsibility? Your security failures can affect others more than you.


Joke Super-Injunction e-mail exposes security flaws.

I received a great joke e-mail today. An e-mail from a friend said “WTF? Is this you?”, containing a link to europeansportsnews.com and signed by my friend.

So the e-mail is from a known source with a hyperlink. It must be safe. Click on it and you get a funny news story from ‘ESN’ (an imaginary TV sports channel) about a super-injunction, with scrolling news bars naming you as the famous star who has been, shall we say, ‘friends’ with a lady. Very well put together and very funny. An excellent promotion by Paddy Power. The first thing you want to do is send it to someone else, hence helping to promote paddypower.com.

But in order to work, the joke exploits and exposes three security issues.

Firstly, an e-mail that says it’s ‘From’ someone you know means nothing. It can come from anyone, and it’s trivially easy to make it look as if it came from someone you know. The paddypower.com website even says “(We’ll send it so it looks like it came from your email address, to make it more believable!)”. If we recognise the sender’s address as a friend or colleague we are almost certain to look at the e-mail or open attachments. Danger number one: no matter what ‘From’ says in an e-mail, it could be from anyone, and fake e-mails often have attachments that could carry malware.

Secondly the hyperlink in the email says http://www.europeansportsnews.com/2011/another-super-injunction.

But the actual link behind what you see is much longer, goes to a different domain, and contains the information about you that your friend gave, so that the ‘News’ story can be personalised to make the joke more believable. But that can’t be shown in the visible link as it would spoil the joke. So, what you see is not what you get. You don’t read between the lines; you need to look behind the lines. Danger number two: hyperlinks in e-mails can really link anywhere, even if you think they are from friends. This is the main process behind phishing e-mails: the link you can see says it’s your bank, but the actual link takes you somewhere else.

And thirdly, what web site did you visit? Was it europeansportsnews.com? Of course it was, I could see it in the URL bar. But again this means nothing, because you are really just seeing a sub-domain of paddypower.com. The full domain was in fact http://europeansportsnews.paddypower.com. The latest version of Internet Explorer even helpfully gives such a small window that we only see the europeansportsnews bit. Danger number three: if you can’t see the entire domain name, up to the first ‘/’ after the ‘//’, then it’s meaningless, as anyone can add a sub-domain to their domain to fool you. For example, the domain for www.barclays.co.uk.i8.cn is not Barclays Bank but i8.cn in China.
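An added check for the three dangers, written for this post (it is not the blog’s or First Cyber Security’s code): it reads a constructed message, treats the From: address as a claim rather than a fact, pulls out each link’s visible text and real href, and reduces both hostnames to the registrable domain, the label just before the public suffix, so that www.barclays.co.uk.i8.cn comes out as i8.cn. It assumes a tiny stand-in table for the Public Suffix List; a real tool would load the full list.

```python
"""Checks for the three dangers above, run over a constructed sample message.
Assumption: PUBLIC_SUFFIXES is a toy stand-in for the real Public Suffix List."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

PUBLIC_SUFFIXES = {"com", "org", "cn", "uk", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname its owner actually controls: the public
    suffix plus one label.  Everything to the left is a sub-domain the owner
    can name however they like, so it proves nothing about who they are.
    www.barclays.co.uk.i8.cn -> i8.cn ; europeansportsnews.paddypower.com -> paddypower.com
    """
    labels = host.lower().rstrip(".").split(".")
    # Walk left to right so the longest matching suffix wins (co.uk before uk).
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def host_of(url_or_text: str) -> str:
    """Hostname of a URL; bare link text such as 'www.site.com/x' is accepted too."""
    text = url_or_text.strip()
    if "://" not in text:
        text = "http://" + text
    return urlsplit(text).hostname or ""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def analyse(raw_message: str) -> dict:
    """Danger one: report the From: address but label it as claimed, not verified.
    Dangers two and three: for each link, compare the domain the text shows with
    the domain the href really goes to, after reducing both to the registrable
    domain so that a look-alike sub-domain cannot pass."""
    msg = message_from_string(raw_message)
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    links = []
    for shown, actual in collector.links:
        shown_dom = registrable_domain(host_of(shown))
        actual_dom = registrable_domain(host_of(actual))
        links.append({"shown": shown, "actual": actual, "shown_domain": shown_dom,
                      "actual_domain": actual_dom, "mismatch": shown_dom != actual_dom})
    return {"from_claimed": parseaddr(msg["From"])[1], "links": links}


# Constructed sample: the visible link names europeansportsnews.com, while the
# real destination is a paddypower.com sub-domain carrying a placeholder token.
SAMPLE = """From: "A Friend" <friend@example.org>
Subject: WTF? Is this you?
Content-Type: text/html

<p>Is this you?</p>
<a href="http://europeansportsnews.paddypower.com/2011/another-super-injunction?who=PLACEHOLDER">
http://www.europeansportsnews.com/2011/another-super-injunction</a>
"""
```

Running `analyse(SAMPLE)` flags the one link as a mismatch (shown domain europeansportsnews.com, actual domain paddypower.com), which is exactly the gap the URL bar and the link text hide.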

Similar techniques have been used by fraudsters to get you to agree to download files which compromise your PC because your inbuilt validation process says you recognise who sent the email, so it’s safe.

Without being overly critical of this joke, this entire exercise could be used as a template for a spear phishing attack like the one recently discovered (or not so recently, depending upon which report you believe) against the US military and Gmail. Essentially a spear phishing attack is specifically targeted at an individual. Because it uses explicit information about the individual, they are more likely to respond to the attacker, believing them to be genuine. A phishing e-mail says ‘Dear Customer’; a spear phishing attack says ‘Dear Terry Jones, I have been updating your notes on Project Wigwam’, and this all makes sense to the usually cautious Mr Jones, who is working on Project Wigwam.

The joke super-injunction e-mail essentially harvests genuine e-mail addresses that are linked to each other, along with other individual-specific data, so that the recipient will recognise the sender and be more likely to believe it to be genuine. In this particular case it is an innocent exercise, but a genuine hacker could use a similar process to get e-mail addresses and personal data that relate to each other.

There is no simple solution except to encourage enlightened IT departments to educate their users into not believing what they see without independent, out-of-browser validation. Academic research has shown that many in-browser indicators, such as the green and red URL bar, are often not noticed, not understood or ignored by the general public. Spear phishing attacks are more dangerous because the story is more believable, and the individual has been carefully chosen because they have information of value to the attacker.

The problem with good jokes like this is they teach us to lower our defences and that allows the criminal to use the same ideas to make jokes very much at our expense.  At least with a betting site we know the odds, and we have a choice.

Rod Pugh is MD of First Cyber Security Ltd, manufacturers of Cyber joke detectors.


Boiler room share scams ‘Buyer Beware’. Could the industry help itself?

The last few weeks have brought the old chestnut of ‘Buyer Beware’ to my attention. The UK press has raised the issue of boiler room share scams and so-called sucker lists yet again.

UK citizens have fallen victim to some of these very expensive share scams, in one case losing £400k, but the average hit is about £20K per victim and still more people become targets. The scams are simple. You’re offered shares in a company at a knockdown price or sometimes in land for development all of which may or may not exist.

I want to suggest that the financial industry could be doing more from a technology perspective to help reduce the number of scam victims, at least as far as the Internet is concerned. These tempting offers arrive by post or email, or are advertised on the Internet, and it’s particularly the email and Internet that concern me, because there are things I believe we can do to protect consumers and/or give reassurance of the authenticity of companies making these offers.

Unfortunately this type of scam is more likely to be replicated by criminals in the current economic climate, both because of the ease of execution and the high volume of cash collected. From the potential victim’s perspective, the current low interest rates are unattractive, so more people are tempted into dealing in shares with potentially high gains, and so the boiler room scams are perpetuated.

In the UK the FSA and the City of London Police are the principal authority and law enforcement agency regarding this issue. I’m sure they are doing a good job in tracking down the relevant criminals and bringing the due force of law to bear wherever possible. The unfortunate fact is that this is reactive, after the event, and in some cases the criminal and the money have long gone.

What I would like to see is proactive action before the scam traps the victim. The advice by the FSA and Police is to check out the credibility of companies offering the shares for sale particularly if the offer seems too good to be true… Buyer Beware.

The FSA say: first, check the registration of the company offering the shares on the FSA registration database. Then check the banking arrangements of the company making the offer to establish whether they are based in the UK and therefore likely to be under the jurisdiction of the FSA. Then check the ‘bad boys’ list of companies known to the FSA and others which are unauthorised or disqualified from trading in shares in the UK.

Human nature being what it is, will everyone follow this advice or should there be something provided to help? Once your money has gone into the scam what are the odds of getting any of it back?

My question is: Could the checking of the FSA lists be automated in some way in a move to become proactive? If an offer is made to a potential investor whether legitimate or not, whether it’s via email or seen whilst surfing the Internet it should be possible to check the authenticity of the company automatically. Then the less experienced investor can make a value judgement to risk investing or not.

Is this possible? Yes it is. Will it work? Yes it will. The question is will the FSA and the industry want to move in this direction and adopt such a system? I’m sure potential investors in the UK would be a lot safer and more confident if this approach were implemented.

Come on FSA give me a call, we make protective overalls for financial boiler rooms.


Festival ticket scams: Tell me the old old story, again

MSN.COM, a trusted and reputable web site has published a story about how to detect bogus web sites selling (or rather not selling) festival tickets for the summer. See http://money.uk.msn.com/id-fraud/photos.aspx?cp-documentid=153733410&page=1 It has some interesting information at the start:

“One in 12 British ticket buyers is caught out by bogus outlets every year to the tune of £80 on average. Many of these websites use seemingly official names to fool punters, so they’re not easy to spot.”

Then it gives you ‘the’ solution: “If you’re unsure, do your homework. Look for a UK registered office, a UK phone number or a VAT registration number to ensure the firm is legitimate.”

In internet security terms this is laughably the old old story, dangerously out of date and pointless to tell the consumer, because even if it were good advice, almost no-one would follow it. The average consumer will do almost nothing to validate a web site as being legitimate; they certainly will not click on a padlock to see what certificate is behind it (and the name in the certificate often doesn’t match the trading name of the website, so it would confuse the consumer anyway). They are not going to check with Companies House to see if a registered office is genuine; a UK phone number can be bought by anyone, anywhere, via Skype for about £10 (that will stop the fraudsters!); and goodness knows how they would check a VAT number is real. Seeing these things on a web site is more likely to give a false sense of security for a fake site. You might as well write ‘This site is Genuine’ across the top of the page.

Buying tickets for festivals has some unique characteristics compared to other forms of on-line retailing. There are two vital differences between buying a festival ticket and a fridge (well, three: you can’t carry your fridge in your pocket). Firstly, there is a finite number of tickets available, so the consumer is under a heightened level of anxiety to buy before they sell out, and many natural defences can be ignored in the race to buy before they all go. Secondly, there is a start time for when the tickets become available (or, in the case of the Olympics, an end time that caused similar panics), which also causes the consumer to do things at a speed they wouldn’t when considering that fridge!

This means a fake website need only be up and running for a few days, harvest all the credit card details, and be gone before the consumer is even expecting their tickets. When, several weeks later, the consumer becomes concerned about their tickets, the fake site has long gone, and the consumer is often too embarrassed to report it. The festival organiser has probably sold all the real tickets, so he has no loss. It’s difficult to complain to someone and say they are responsible for something they were never involved with in the first place.

As I said at the outset “The average consumer will do almost nothing to validate a web site as being legitimate”. Visit http://www.firstcybersecurity.com/main/ticket.asp and see how a “do almost nothing” solution works.


The Consumer and Cyber fraud; an Inconvenient Truth

As a consumer it’s natural to assume that all the organisations you deal with in cyber space are doing their best to protect you, their customer. After all, you would have thought it’s not in their interests for you to be a victim of cyber fraud. Unfortunately this is not the question that some organisations ask. Rather, they ask what it would cost them if you were a victim. From their perspective, if this is an acceptable number, and if it’s cheaper for them if you are a victim than it is to protect you, so be it.

This is not the stance of all the companies in all the industries mentioned here. Many work in an honourable and moral way, but it is certainly a stance of a number of the companies.

Let’s start with banks. Their mantra is straightforward: do it on-line, because it’s cheaper for them. They don’t want to employ people to work in your local branch to cash your cheque or pay your bills; they want you to do it on-line. They also want to abolish cheques, as that involves people touching bits of paper. What you won’t hear from banks is details of how much on-line fraud is costing them or their customers. If they told you, then you might not want to bank on-line any more, so better to keep it all quiet. Many banks view fraud as a normal business expense. For example, they will spend X% of their revenue on advertising, and Y% of their revenue will go to fraud. Y is a perfectly acceptable number if it is less than the industry standard, because that means the bank, in its own world, is doing OK. It’s actually irrelevant what the actual number is; it’s an acceptable write-off on the balance sheet.

Methods are being introduced to protect on-line banking transactions, but they are not consumer safety products, they are banking safety products. What they do is attempt to ensure that the bank is really talking to its customers, which is fair enough. But where is the assurance that the customer is really talking to their bank? If the customer has been seduced into visiting a fake site of their bank (and there are many live fake sites at any one time) they can put in any identity information. The fake site can receive it, potentially use it in a man-in-the-middle attack to access their details, and tell the innocent consumer their bank’s server is under maintenance and to try again in two hours. By the time they try again their money may have gone.

To put this in more human terms, I am regularly called by my bank asking if they can do anything for me. Good for them, you will say. Each time they want to ask a couple of security questions before they proceed. They have of course called my number, so they at least know it’s my phone. The questions always are “What is the second part of your postcode?” and “Do you have an overdraft with us?” The first question is in the phone book and numerous other sources so proves nothing, and the second question has a 50/50 chance of being right. So when I ask “How do I know you are my bank?” they reply that as soon as I answer their two ‘security’ questions correctly they will tell me other details. What they repeatedly fail to comprehend is that if these are the security questions that open up the details of my account, then as soon as I answer them, if they are not my bank (and how do I know that?), I have given the information to a stranger who could then potentially use it to tell my bank they are me. Let’s not even discuss the value of their questions.

Another big market subject to fraud is on-line ticketing. This is especially true for special events that have a finite number of tickets. The consumer is in a pressure ‘must buy’ mode, so many of their normal defences are down. A fake web site can be up and running in a matter of hours from registration of the domain. Choose one that is similar to a real booking agency, or to the event (often events have purpose-registered domains, so it’s even easier to register a ‘similar’ one), and send out some ‘phishing’ emails with links to the fake site. Even better, the ticket sale starts at a certain time, so people are queuing up to buy your tickets. Twenty-four hours later the site could have gone, along with all the harvested credit card details. Incredibly, some ticket agencies take the view that they sold all their tickets to the big event, so if the consumer was fooled into visiting a fake site and handing over credit card details that is hardly their fault; they did nothing wrong, so why should they pay out of their profits to protect the gullible?

This is not a totally unreasonable argument. When is it the consumer’s fault? When is protection the responsibility of the ticket agent? If you were physically on the way to a ticket agent to buy tickets and a man offered you the tickets you wanted, but they turned out to be fake, it would be unreasonable to complain to the ticket agent who ‘didn’t’ sell you the tickets. So is cyber fraud simply ‘caveat emptor’?

Well it shouldn’t be, but it often is. If the genuine web site was selling high value branded items that were unique to them and their approved resellers their attitude changes somewhat. If the consumer goes to a site selling counterfeit goods believing them to be genuine and buys the product there are now two issues for the brand owner. Firstly they have lost revenue for the genuine sale, and secondly there is a high risk of reputational damage to the brand if the fake product fails to perform in the way the real one would.

Suddenly this is no longer an IT and security problem, but a marketing one. So the rules change. The real brands’ web sites will have warnings about fake sites, and often lists of the ‘similar’ domains that are not authorised to sell their brands. They want to tell you they are real, and these others are not. But of course the fake sites just do the same. So the consumer is further confused. Choose a big brand name, put it into your favourite search engine and see how many results you get with similar domain names and special price offers. Don’t think that the sponsored links are safer; they can often show fraudulent sites selling counterfeit goods as well.

So what’s the answer? If cyber crime was a sharp bend in a mountain road and drivers kept driving off the cliff, the government wouldn’t say “It’s their own fault for driving without due care and attention”. They would put up a crash barrier to protect us. That is exactly what the cyber community needs: a cyber crash barrier to protect the vulnerable, naive users of the internet, in fact you and me, to put trust and confidence back into the internet. And don’t think the internet-savvy IT expert isn’t just as vulnerable as the rest of us. Studies have shown he can be just as susceptible, as he has a false sense of confidence that he can spot fake sites. Often he will not appreciate that false sites can be pixel-identical to the real sites. In fact the crook can actually show the real site, until you enter your details.

Rod Pugh is MD of First Cyber Security Ltd, a manufacturer of cyber crash barriers.

http://www.firstcybersecurity.com/
