Archive for October, 2010

by Ondrej Krehel

The email looks like it came from your bank. It seems important. The wording is polite, but there’s a tone of urgency. Might as well click the link, right? You click the link.

The website looks just like your bank website. Same logo. Same introduction text and picture of a silver-haired couple coasting to a happy retirement. You enter your username, password.

A new screen pops up. You’re not so familiar with this one. The tone is urgent again. Please reconfirm your username, reconfirm your password. Now they want your full name, address and date of birth. This is odd. Oh, and Social Security number. The question is right at the bottom next to the Submit button.

Would your bank ask you these questions in an online form?

In this new cyber world of ours, the answer is No.

Hackers create approximately 8,000 malicious websites a day, 57,000 a week, that model legitimate websites. Nearly two-thirds of the trick websites had to do with banks. The best of them work their way into search engines.

And if you don’t fall for a fake website, hackers have even stronger weapons in their arsenal: Trojans and botnets that can beat antivirus. Take Zeus, for example. A botnet, Zeus was the main tool used by hackers on charges of lifting more than $10 million from U.K. banks and $3 million from U.S. banks. Zeus, which opened digital backdoors on the banks’ computer networks, is active on more than 150 servers online right now.

Unlike a virus, botnets are controlled remotely—the name is derived from robot—so hackers can activate them to engage in a mass security attack, spam campaign or other malicious activity, marshalling several computers from one control center.

There is even a mobile phone version of Zeus, which can drain your bank account by confirming transactions via SMS. First your PC is hacked, and then your smartphone.

And it’s all for sale online, in underground forums. Zeus ranges from $700 to upward of $3,000 for more sophisticated versions, but can command significantly more if infected computers, poised to strike, are part of the deal.

Where are these attacks coming from? The short answer is everywhere, but they’re concentrated in Asia, Eastern Europe, Russia and the Middle East. AVG recently found that Japan and Sierra Leone were among the safest places to surf online, while surfing in Turkey and Russia posed the most risk.

DShield.org, a popular computer security site, tracks the source IP of Internet attacks. Recently the top six attacks all started from China and were reported anywhere from 85,000 to nearly 700,000 times. And this is only what is known and tracked. It boggles the mind to think about the numbers of the unknown and undetected.


Ondrej Krehel, Chief Information Security Officer,

Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.

by Ondrej Krehel

The Department of Homeland Security has marked October 2010 National Cyber Security Awareness Month, and for good reason. Last year consumers in the United States lost almost $560 million in online scams, a $265 million increase over the previous year, according to the F.B.I.

To help steer clear of cybercrime, remember the basics, such as . And always stay suspicious. With the advent of the last month, even Facebook of links, pictures, and multimedia data. If you think it might lead to questionable or dangerous content, don’t click it. Some other tips that will help you stay safe include:

• Never pay for anything upfront online and use a service such as PayPal or a credit card that has buyer protection. Do not link your PayPal to your checking, or any other account that can be immediately withdrawn from.

• Use different passwords for different sites. That way, if your LinkedIn account is hacked, they won’t have access to your email, your bank and other social websites.

• If you suspect a website is not what it claims, leave it immediately. Do not click or run any content or software.

• Do not provide your personal data, such as SSN, credit card numbers, or other confidential information on websites where you can’t verify the security.

• Log on to the computer with an account that does not have “Administrator” privileges, to reduce the likelihood and severity of damage from self-installing malicious software.

• Do not connect to “free Wi-Fi” access points. It might be the “evil twin” of a legitimate access point, set up to intercept your logins and online transactions.

• Do not use cracked/pirated software! These are great avenues for introducing malware into, or exploiting weaknesses in, a system. This also applies to P2P (peer-to-peer) illegally distributed audio and video files.

• If sensitive information is stored on the hard drive, protect it with encryption and by regularly backing up your data to a separate disk and, where possible, a remote site or facility.

• Do not expect antivirus alone to protect the computer. Use additional measures such as anti-malware software, a personal firewall, browser security plugins and anti-phishing toolbars. However, be aware that there is a lot of fake security software out there that can be easily installed on your computer with a click. Sometimes even the best protection might not protect as well as common sense and caution.

• Ensure your mobile device has security and protection features enabled, such as a power-on password, inactivity time lock, security settings for cleaning browsers and caches, and antivirus and data encryption, if available. Also, regularly back up your mobile device.

• Consider how much of your identifying information is posted on social networking sites, such as Facebook, Twitter and others. Are there photos that show the entire layout of your apartment, and everything in it? Is your full birth date disclosed? Oversharing is a bad idea for many reasons.

• Be aware of phishing e-mail scams that include website links advertising incredible deals. Rather than clicking on them, type the link of known sites into your browser. Misspelled website names are still around.

With the holiday season around the corner, scammers and con artists will increase their efforts to get into your pockets. In the coming weeks we’ll post some specific holiday shopping tips, but until then, stay aware, keep your PC clean and secure and, most importantly, stay vigilant—that’s often all it takes online.


An old virus with new tricks, attacking new assets

by Ondrej Krehel

The recent “Twitter” hack was only live for about five hours, but in that time , including the White House press secretary Robert Gibbs and Sarah Brown, wife of the former British prime minister.

The attack didn’t even require users to click a link or download software. It activated simply by hovering the mouse over the malicious java-coded tweet. This demonstrates a new trend with viruses online: When it comes to web vulnerabilities, the operating system doesn’t matter; it will work on Mac as well as Windows or Linux.

Though the attack hasn’t caused any financial damage—at least not any reported so far—it highlights a new kind of violation in the social network age: an attack on the user’s online identity.

With Twitter, Facebook, MySpace, LinkedIn, Foursquare and all the other social media applications available online, we’re all designing, modifying and pruning a digital self, whether we’re conscious of it or not. Some younger people seem to spend more time attending to their virtual life than real life outside. We’ve all met them.

Social media attacks happen often, and in many forms. Take ., a young woman decidedly not on Facebook, with a declared “distaste for the world of social networking websites,” who found herself the representative face of an 800,000-member strong Facebook group.

Then there’s the Lori Drew MySpace trial. The overprotective mom established a fake online identity to bully her teenage daughter’s school rival. The result: A judge has criminalized the act of creating a fake persona online.

Hackers are even profiting on social networks using these tactics, by compromising Facebook, LinkedIn, or other login credentials so the original account owners are locked out. In one case the original owner’s friends were messaged “stating that while on a vacation in London thieves mugged him just when he was preparing to return home; therefore he needed $500-$1,000 to clear the hotel bills.”

Now consider that many people use the same username and passwords across the Internet, logging into online banks, credit cards and all their social media sites.

These kinds of crimes, manipulating digital identities to get into physical wallets, are only growing. And they’re attacking a new type of asset – our digital identity.

All of us are quite aware how a Social Security number or our credit card number can be breached. But do we pay the same amount of attention to protecting our online identity? Facebook in July accounted for 12.8% of all phishing e-mails, a three hundred percent increase since June 2010.

Other social media threats in the past have included traditional Trojan worm viruses, spread through links, pictures and multimedia content. But in this coming age of over-sharing and the online self, future attacks will likely not be so blunt. The new viruses will manipulate your online identity. They’ll be you, tweeting away, telling all your friends about this great new Russian site that has real Rolexes—real!—for a paltry $20. Don’t worry, you won’t have to click the link, the message can do all that for you.

As I type, Facebook and other online personal accounts are being sold as a commodity among hackers and scammers. Early this year were on the black market, ranging from $1-20 per account.
As users share more and more data, and personal information, they’re only making their accounts more valuable to those who would like to manipulate them. And not necessarily illegally. There are rumors that financial lenders are starting to monitor social networks for information on consumer behavior and creditworthiness.

The old proverb, “Tell me what you read, and I will tell you who you are,” could be changed to “If you Google me then you will see who I am.” Don’t let hackers or online marketers take that away from you. Know the value of your digital self.
