Merchants lose US$649K a year to online fraud

UK merchants say online fraud is now the greatest threat they face, costing them on average £400,000 (US$648,920) in annual losses, according to a survey published on Tuesday by CyberSource.
The payments processing provider's sixth annual to be fraudulent.

Online businesses rejected an average of 4.6 percent of orders on suspicion of being scams, a figure CyberSource said was worrying, partly because some of the rejected orders were likely to be valid.

Read more of "Merchants lose £400k a year to online fraud " at ZDNet UK.

Indian Income Tax dept Server Hacked

NEW DELHI: All high-value income tax refunds will go through intensive checks and the department's software system will be revamped after its systems were hacked and Rs 11 crore (roughly US$2.5 million) was siphoned off, the government said on Monday.

At least Rs 11 crore of refunds were discovered last week to have been stolen by compromising the passwords of some assessing officers, who are responsible for crediting the refunds. The refunds were credited to fake accounts for which returns had been filed electronically.

"We have stopped the payment and have been able to prevent at least two cases. Also investigation and action has been initiated by the Directorate of Income Tax (Investigation), Mumbai to detect the bank accounts to which the refunds had been credited and the beneficiaries," the finance ministry said.

All high value refunds issued during the current financial year will be checked again. "The system of handling high value refunds will be replaced with a more robust and foolproof system," the finance ministry said.

Income tax refunds could be delayed, an official said. Refunds in 2009-10 nearly doubled to Rs 12,421 crore, from Rs 6,899 crore the previous fiscal year, as many refunds had been deferred.

The investigators have identified the bank accounts, beneficiaries and some of those involved in the scam, the finance ministry claimed.

Central Bureau of Investigation and the Mumbai police are looking for the beneficiaries.

Ransomware: Extortion via the Internet

Ransomware got its start in 1989. Back then, it was relatively ineffective. That is changing, which is bad news for the rest of us.

One of my neighbors recently experienced ransomware first hand. Up until then, he had no idea it existed. Because of that, it seems important to revisit extortion malware, explain exactly what it is, and how to avoid it.
Ransomware made its debut with a trojan called PC Cyborg, the brainchild of Dr. Joseph Popp. The extortion begins when a vulnerable computer becomes infected. Once settled in, the malware hides all directories and encrypts the file names on the C: drive. A dialog box then opens, proclaiming that the victim must send PC Cyborg Corporation US$189 because a software license has expired.
Until the ransom is paid and the malware's changes are reversed, the victim has a non-working computer. Thankfully, the doctor's trojan had a weakness: it scrambled the file names with symmetric cryptography, and the key travelled with the malware. Once analysts had examined the code and the encrypted tables, reversing the damage was simple, and the author was traced.
The doctor apparently felt he was doing something worthwhile; he said at his trial that the ransom money was to be used for AIDS research. He was eventually declared mentally unfit to stand trial.
Public key and cryptovirology
In 1996, two researchers Adam Young and Moti Yung fixed Dr. Popp's oversight, explaining how in the paper: Cryptovirology: Extortion-Based Security Threats and Countermeasures (PDF). I believe it's also where the term cryptovirology was coined.
Young and Yung worked out how to use public-key cryptography in ransomware, so that reverse-engineering the malware no longer yields the decryption key. The crypto-virus encrypts the victim's files under a key that only the malware writer's private key can unlock; the extortion comes into play when the victim is asked to pay a ransom in exchange for that decryption material.
How it works
Young and Yung call this type of ransomware crypto-viral extortion and give the following definition:
"Crypto-viral extortion, which uses public key cryptography, is a denial of resources attack. It is a three-round protocol that is carried out by an attacker against a victim. The attack is carried out via a crypto-virus that uses a hybrid cryptosystem to encrypt host data while deleting or overwriting the original data in the process."
The three-round protocol is interesting. It consists of the following:
  • Crypto-virus is installed: using any number of techniques, usually drive-by dropper platforms, the crypto-virus gets installed on vulnerable computers. When the virus activates, it generates a fresh symmetric key and initialization vector (IV) and encrypts the data files with them. It then concatenates the IV with the symmetric key and encrypts that string using the malware author's public key, so nothing left on the machine can decrypt the files. With everything in place, the crypto-virus pops open a window explaining the ransom demands to the victim.
  • Victim's response: if the victim decides to pay the ransom, there are several ways that can happen (we will look at those in a bit). Along with the payment, the victim must send the encrypted, concatenated string back to the cybercriminal.
  • Attacker's response: the extortionist decrypts the string using the private key, which discloses the symmetric key and IV, and sends both back to the victim, who uses them to decrypt the data files.
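The three rounds above, as an added example that is not code from the article or from Young and Yung. It is a toy: textbook RSA without padding stands in for the public-key step and a SHA-256 counter-mode keystream stands in for the symmetric cipher, so it runs on the Python standard library alone; neither would be acceptable in a real system, but the structure of the exchange (key and IV wrapped under the attacker's public key, plaintext key destroyed on the victim side, key released only after the attacker unwraps it) is what the protocol describes. Function names, key sizes and the sample files are assumptions for illustration.

```python
"""Toy model of Young and Yung's three-round crypto-viral extortion protocol.
Added example, not the article's code. Textbook RSA (no padding) and a
SHA-256 keystream are stand-ins for real primitives, not production crypto."""
import hashlib
import math
import secrets

KEY_LEN, IV_LEN = 32, 16   # bytes of symmetric key and IV (assumed sizes)
PRIME_BITS = 256           # toy size: 512-bit modulus comfortably holds key||iv


def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits=PRIME_BITS):
    """Setup phase: the attacker's key pair. Only the public half ships in the virus."""
    e = 65537
    while True:
        p, q = gen_prime(bits), gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def keystream_xor(key, iv, data):
    """Symmetric cipher: XOR with SHA-256(key || iv || counter) blocks; self-inverse."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + iv + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def round1_infect(files, attacker_pub):
    """Round 1 (crypto-virus): fresh key + IV, encrypt the files, wrap key||iv
    under the attacker's public key, and keep no plaintext key on the host."""
    key, iv = secrets.token_bytes(KEY_LEN), secrets.token_bytes(IV_LEN)
    encrypted = {name: keystream_xor(key, iv, data) for name, data in files.items()}
    n, e = attacker_pub
    wrapped = pow(int.from_bytes(key + iv, "big"), e, n)
    del key, iv
    return encrypted, wrapped


def round2_victim_pays(wrapped):
    """Round 2: the victim pays and forwards the wrapped blob (payment not modelled)."""
    return wrapped


def round3_attacker_responds(attacker_priv, wrapped):
    """Round 3: the attacker unwraps with the private key and returns key and IV."""
    n, d = attacker_priv
    blob = pow(wrapped, d, n).to_bytes(KEY_LEN + IV_LEN, "big")
    return blob[:KEY_LEN], blob[KEY_LEN:]


def recover(encrypted, key, iv):
    return {name: keystream_xor(key, iv, data) for name, data in encrypted.items()}


def run_protocol(files):
    """Drive all three rounds; returns (encrypted files, recovered files)."""
    pub, priv = rsa_keygen()
    encrypted, wrapped = round1_infect(files, pub)
    key, iv = round3_attacker_responds(priv, round2_victim_pays(wrapped))
    return encrypted, recover(encrypted, key, iv)


if __name__ == "__main__":
    sample = {"report.doc": b"quarterly figures", "photo.jpg": bytes(range(64))}  # constructed
    enc, back = run_protocol(sample)
    print("files changed on disk:", all(enc[k] != sample[k] for k in sample))
    print("recovered intact:", back == sample)
```

The point to notice is what `round1_infect` leaves behind: ciphertext plus a blob that only the attacker's private key can open. Pulling the malware apart gives an analyst the public key and the cipher, neither of which helps, which is exactly the gap Popp's symmetric-only design had.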
Covering their tracks
On their Web site, Young and Yung describe the effort cybercriminals go to in order to protect themselves. The attacker stores the key pair on a smart card and never learns the bit representation of the private key:
"Ideally, the smart card will implement two-factor security: something the virus author knows (a PIN number) and something the virus writer has (the smart card that contains the private key). Also, the card will ideally be immune to differential power analysis, timing attacks, etc. to prevent the virus author from ever learning the bits of the private key."
The Web site goes on to explain why the extortionists do this:
"In the U.S. the virus author cannot be forced to bear witness against himself or herself (Fifth Amendment) and so the PIN can remain confidential. The purpose of this setup phase is to limit the effectiveness of seizing and analyzing the smart card under subpoena or warrant (competent evidence)."
Payment techniques
In the past, ransomware has not been the malware of choice, because cybercriminals worry about the money trail that collecting a ransom creates. I mentioned earlier that many approaches have been tried. Here are some of them:
  • Trojan.Ransom-A declares that it will destroy one data file every 30 minutes unless US$10.99 is sent to a specified account via Western Union.
  • Trojan.Archiveus is a bit more creative. The ransom note declares that the decryption password will be sent if the victim purchases something from a specified Web site, typically in Russia.
  • Win32.Ransom uses a novel way to obtain ransom money: it blocks Internet access until the victim sends a premium-rate SMS message. This approach is becoming the favored payment method.
Example
To help understand the entire process, let's look at what many consider cutting-edge ransomware. F-Secure has released information about Trojan:W32/DatCrypt. Here's how it works.
The Trojan makes its way onto the victim's computer and then gives the illusion that data files such as Office documents, music, audio and video are corrupt, as shown in the following slide (courtesy of F-Secure):

In reality, the files have been encrypted by the Trojan. The next message opened by DatCrypt informs the victim to download specified file repair software. Notice how the window created by the malware appears to be a message from the Security Center (courtesy of F-Secure):

What is actually downloaded is Rogue:W32/DatDoc, malware that gives the appearance of fixing the problem, but only one file can be "fixed" with the free version (courtesy of F-Secure):

The attackers are trying to lull the victim into thinking the software actually works. They hope the victim will spend US$89.95 for the registered version. In reality, victims are paying ransom to get their own files back.
Solution
There is no magic formula to avoid crypto-viral extortion. It is just malware looking for vulnerable computers to exploit. Keeping operating system and application software up to date, along with a decent anti-virus application, will offer protection. Also, keep current backups of all important data, just in case; since the malware encrypts whatever it can reach, backups only count if a copy is kept offline or otherwise out of the infected machine's reach.
Final thoughts
Ransomware is making a resurgence. Hard-to-trace Internet payment methods are emboldening cybercriminals.
Two thoughts immediately come to mind. Once the extortionist has the money, why send back the decryption information? Also, what proof does the victim have that the whole process won't start over again?

Scareware 'one of biggest' cyberthreats

Even though tricking users into downloading rogue security software, or scareware, is one of the oldest tricks up cybercriminals' sleeves, it continues to be one of the biggest threats in cyberspace, noted a security expert.
In an e-mail interview with ZDNet Asia, Danny Siew, Trend Micro's senior director for technical support in the Asia-Pacific region, said: "Given the fact that for most of last year, and up until today, we are seeing scareware taking advantage of hot search trends or news or events, its presence should be a concern not just in Asia but all over the world."
His observation is backed by findings released in December 2009 by the U.S. Federal Bureau of Investigation (FBI), which stated that aggressive scareware tactics led to an estimated loss of more than US$150 million to users.
McAfee attributed the success of scareware to social engineering. Vu Nguyen, Asia-Pacific and Japan manager for McAfee Labs' global threat response team, said many of these attacks tapped current news, such as the recent earthquake in Haiti, or specific terms to lure victims to open antivirus files.
"Why is this successful? It is based on scare tactics to get users to react and pay the money right away," noted Nguyen in an e-mail statement.
Trend Micro's Siew added that the traditional methods of getting Net users to download fake antivirus programs are evolving, with cybercriminals now looking to "lock up" victims' data by encrypting their files and holding it ransom until users pay to release them. This method of attack is also known as "ransomware".
In a blog post on the security vendor's TrendLabs Malware Blog site, Det Caraig explained that to recover these files, a user has to download a paid version of the fake antivirus program. "In reality, however, the paid version of the program fixes the problem that [was] created in the first place but only after the user has been forced to pay up," he added.
Evolving FAKEAV attacks
One of the more common scareware families currently in circulation in Asia, as well as globally, is FAKEAV. Siew said that in 2009 alone, more than 50 FAKEAV-related attacks were reported. Attack methods initially took forms such as bogus LinkedIn profiles spreading malicious URLs that led to FAKEAV downloads.
However, over time, cybercriminals started to venture into ransomware and search engine optimization (SEO) poisoning, Siew noted. More recent developments also include the use of Google Trends and geolocation technologies that track Internet Protocol (IP) addresses, which "enabled cybercriminals to instigate more targeted and more successful attacks", he said.
Prevention better than cure
To prevent scareware attacks, the most basic rule is still to "avoid clicking any URL and executing any file that came from someone you do not know", Siew said. "Despite this oft-repeated warning, however, people still fall prey to their own curiosity and pay the price."
Other than encouraging users to install security software to safeguard their data, McAfee's Nguyen also advised users to use their common sense. "If something is too good to be true, then it probably is."

Google In China LIVE BLOG: Latest Updates On Google's Threat To Leave


We'll be live-blogging developments pertaining to Google's recent actions in China.
Send reactions, tips, and news here.
MONDAY JANUARY 18
8:42 AM ET: Google is probing possible inside help on its attack, Reuters reports. Reuters writes,

Google is investigating whether one or more employees may have helped facilitate a cyber-attack that the U.S. search giant said it was a victim of in mid-December, two sources told Reuters on Monday. Google, the world's most popular search engine, said last week it may pull out of the world's biggest Internet market by users after reporting it had been hit by a "sophisticated" cyber-attack on its network that resulted in theft of its intellectual property.
The sources, who are familiar with the situation, told Reuters that the attack, which targeted people who have access to specific parts of Google networks, may have been facilitated by people working in Google China's office.


SUNDAY JANUARY 17

9:22 PM ET: In the war against the Internet, China is 'just a skirmish,' writes the New York Times. The New York Times warns,

But even Google, which has benefited more than any other company from the flourishing of content online, might be unable to fight the momentum of government restrictions, despite its move in China.
SATURDAY JANUARY 16
7:08 AM ET: China ecommerce giant Alibaba slams Yahoo's support of Google as 'reckless.'
Alibaba turned on Yahoo, one of its major shareholders, in a statement that criticized Yahoo's public support of Google's decision to stop censoring search results.
The AP reports,

"Alibaba Group has communicated to Yahoo! that Yahoo's statement that it is 'aligned' with the position Google took last week was reckless given the lack of facts in evidence," Alibaba spokesman John Spelich said Saturday. "Alibaba doesn't share this view."

Germany warns against using Microsoft Internet Explorer

The German government has warned against using Microsoft's Internet Explorer to browse the web because of security flaws.

The German government's caution applies to versions six, seven and eight of the world's most popular browser.

The Federal Office for Information Security (BSI) told Germans to avoid all versions of Explorer after a security hole led to attacks against Google and others by hackers in China.
Microsoft admitted last week that its browser was the weak link in recent attacks by hackers who pried into e-mail accounts of human rights activists. Following the attack, Google threatened to end its operations in China.
But Microsoft rejected the German government's warning as too strong and sought to reassure general users that the security threat was low.
"These were not attacks against general users or consumers," said Thomas Baumgaertner, a Microsoft spokesman in Germany, adding that the attacks on Google were carried out by "highly motivated people with a very specific agenda".
"There is no threat to the general user, consequently we do not support this warning," he said.
Microsoft claims the security risk can be limited by setting the browser's security zone to "high", although it admitted this limits functionality and blocks many websites.
But the BSI insisted that such measures were not sufficient and urged internet users to use alternative browsers.
"Using Internet Explorer in 'secure mode,' as well as turning off Active Scripting makes attacks more difficult, but cannot fully prevent them," it said in a statement.
Microsoft is urgently working on fixing the flaw but experts fear that in the meantime there could be a spate of attacks by copycat hackers.
Graham Cluley, of antivirus firm Sophos, said: "The way to exploit this flaw has now appeared on the internet, so it is quite possible that everyone is now going to have a go.
"We've been working with Microsoft to see if the damage can be mitigated and we are hoping that they will release an emergency patch," Mr Cluley said.
"One thing that should be stressed is that every browser has its security issues, so switching may remove this current risk but could expose you to another."
Last week, Microsoft said it had no plans to pull out of China, dashing hopes the software giant would support its rival Google in its stand against Chinese censorship of the internet.
Steven Ballmer, chief executive, questioned the sudden urgency of complaints about attempts to hack the Gmail accounts of human rights activists from inside China.

Chinese Cyber Attack on U.S. Law Firm

A Los Angeles-based law firm says it's been the target of cyber attacks originating in China.

Gipson Hoffman & Pancione is representing a software company, Cybersitter—which is suing the Chinese government over software piracy.

The firm told the Wall Street Journal its attorneys started receiving Trojan emails on Monday—the day before Google announced it might withdraw from China because of cyber attacks.

Attorney Gregory Fayer says the attacks came from Chinese servers, and that the firm has reported the incident to the FBI.

Unpatched Adobe holes link Google and earlier attacks

The targeted attacks on Google and more than 30 other U.S. companies late last year bear striking similarities to targeted attacks on 100 U.S. companies last summer, a security researcher familiar with the attacks said Tuesday.
Last July, workers at about 100 U.S. technology companies were targeted with e-mails containing malicious PDF files that exploited a zero-day vulnerability in Adobe Reader. The attacks were detected early and there were no serious consequences, said Eli Jellenc, head of international cyberintelligence at VeriSign iDefense.
In mid-December, Google, Adobe Systems, and a host of other Silicon Valley companies were targeted by attacks originating in China, prompting Google on Tuesday to say that it will stop censoring its Chinese search results and to threaten to pull out of that market. The latest attacks also involved malicious PDF files in e-mail attachments and the code was similar to the previous attack, Jellenc said.
Google said the companies targeted in the attack numbered more than 20, but iDefense put the number at 34, including Google. In many of the cases, the attack was successful, Jellenc said. The attacks were targeting source code repositories, according to iDefense.
Coincidentally, Adobe on Tuesday patched a zero-day vulnerability in Reader and Acrobat that was discovered in mid-December and was being exploited by attacks in the wild to deliver Trojan horse programs that install backdoor access on computers. Jellenc said he could not say for sure whether that was the vulnerability targeted in the attacks on Google and the others.
Reader was found to be one of the buggiest programs in 2009 and has been the target of numerous zero-day exploits in the wild.
The code samples obtained by iDefense from the two attacks are different but have very similar characteristics, he said. They contact two similar hosts for command-and-control communication to receive instructions from the attackers once the target machines are infected, according to iDefense. The servers used in both attacks employ the HomeLinux DynamicDNS provider and they both currently point to IP addresses owned by Linode, a U.S.-based company that offers virtual private server hosting, iDefense said. In addition, the IP addresses from both attacks are within the same subnet and they are six IP addresses apart, the company said in a statement.
"Considering this proximity, it is possible that the two attacks are one and the same, and that the organizations targeted in the Silicon Valley attacks have been compromised since July," iDefense said.
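The overlap iDefense points to (two C2 hosts on the same dynamic-DNS provider, resolving into the same hosting-provider subnet a handful of addresses apart) is the sort of check an analyst scripts when comparing campaigns. The following is an added example, not iDefense's tooling and not the real indicators: all hostnames and addresses are constructed (TEST-NET ranges, .test domains), the provider suffix list is assumed, and resolution is taken from the embedded records rather than live DNS.

```python
"""Infrastructure-overlap check across campaigns: shared netblock and shared
dynamic-DNS provider. Added example; every indicator below is constructed."""
import ipaddress
from itertools import combinations

# Constructed indicator records: campaign label, C2 hostname, resolved address.
INDICATORS = [
    {"campaign": "July PDF wave", "host": "sync-1.dyn-example.test", "ip": "203.0.113.20"},
    {"campaign": "December PDF wave", "host": "sync-2.dyn-example.test", "ip": "203.0.113.26"},
    {"campaign": "Unrelated defacement", "host": "www.other.test", "ip": "198.51.100.7"},
]
# Assumed dynamic-DNS provider domains; a real list would name the actual providers.
DYNDNS_SUFFIXES = (".dyn-example.test",)


def ip_distance(ip_a, ip_b):
    """Number of addresses between two IPs (6 in the case the article describes)."""
    return abs(int(ipaddress.ip_address(ip_a)) - int(ipaddress.ip_address(ip_b)))


def same_network(ip_a, ip_b, prefix=24):
    """True if ip_b falls inside the /prefix network containing ip_a."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def dyndns_provider(host):
    """The provider suffix a hostname belongs to, or None."""
    return next((s for s in DYNDNS_SUFFIXES if host.endswith(s)), None)


def link_campaigns(indicators, prefix=24):
    """Compare every pair of indicators from different campaigns and return
    (campaign_a, campaign_b, [reasons]) for each overlap found."""
    links = []
    for a, b in combinations(indicators, 2):
        if a["campaign"] == b["campaign"]:
            continue
        reasons = []
        if same_network(a["ip"], b["ip"], prefix):
            reasons.append(f"same /{prefix}, {ip_distance(a['ip'], b['ip'])} addresses apart")
        prov = dyndns_provider(a["host"])
        if prov and prov == dyndns_provider(b["host"]):
            reasons.append(f"same dynamic-DNS provider ({prov.lstrip('.')})")
        if reasons:
            links.append((a["campaign"], b["campaign"], reasons))
    return links


if __name__ == "__main__":
    for a, b, why in link_campaigns(INDICATORS):
        print(f"{a} <-> {b}: " + "; ".join(why))
```

Treat the output as a lead, not a conclusion: a hosting provider's /24 is shared by many unrelated customers, and a dynamic-DNS account is free to anyone, so proximity of this kind narrows the search but does not by itself establish that two campaigns are one actor, which is why iDefense says only that it is "possible".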
Jellenc said his company started helping some of the victimized companies with the investigation on Thursday night, providing information on characteristics of attacks launched by Chinese groups.
Examining the attacks
Google noticed the malicious code in its system in mid-December and then followed it back to the drop servers and determined that other companies--including at least two financial companies and one major defense contractor--had been targeted, Jellenc said citing sources familiar with the investigation.
Google also may have been able to see a target list of IP addresses in the code, he said. (Google has declined to provide more details about the attacks beyond what they have publicly stated.)
The attackers stored data acquired in the attacks at Texas-based hosting provider Rackspace and had command-and-control servers based in Taiwan that are commonly used by "actors out of the People's Republic of China," he said.
A Rackspace spokeswoman confirmed early Wednesday that a server at the company had been affected. "In this case, a server at Rackspace was compromised, disabled, and we actively assisted in the investigation of the cyberattack, fully cooperating with all affected parties," she said. The hosting company runs the servers and operating systems for its customers' Web sites, but customers run their own applications on the servers, she said.
Jellenc said that iDefense "confirmed with some clients and partners of ours in the defense contracting community that the IP addresses used to launch the attacks are known to be associated with previous attacks from groups that are either directly employed agents of the Chinese state or amateur hackers that are proxies for them that have attacked other U.S. companies in the past."
At Google, attackers not only wanted intellectual property, but they tried to access Gmail accounts of Chinese human rights activists, Google said. Only two Gmail accounts appear to have been accessed and only limited account information, and not e-mail contents, was visible, according to Google. In addition, accounts of dozens of Gmail users in the United States, China, and Europe who advocate human rights were accessed routinely by third parties, probably via phishing or malware located on the user's computer, Google said.
While attacks can be traced back to a country of origin, it's very difficult to prove that it was the work of a government agency, said John Bumgarner, chief technology officer of the U.S. Cyber Consequences Unit, which does independent research for the U.S. government.
The latest attacks are just the latest in a series of attacks from China on nonmilitary Web sites, according to Alan Paller, director of research at the SANS Institute. In November 2007, U.K. and U.S. companies doing business in China were targeted for proprietary information, he said. And in May 2008, Chinese entities hacked into organizations working for freedom in Tibet, he said.
"The interesting thing about this is somebody big is fighting back," Paller said.
These types of attacks happen every day, said George Kurtz, chief technology officer at McAfee. "What we're seeing is really the tip of the iceberg," he said. "This is going to be bigger than originally anticipated."
Jellenc and other security experts said they did not believe the targeted attacks were at all related to an attack Tuesday on Baidu, China's largest search provider. In that attack, visitors to the Baidu site were re-directed to a site where a group calling itself the "Iranian Cyber Army" claimed responsibility for the attack. The same group had taken credit for a similar attack on Twitter last month.
Dan Kaminsky, director of penetration testing at IOActive whose research has helped improve the security of the Internet infrastructure, predicted the attacks would prompt references to a Digital Pearl Harbor.
"I don't know how accurate or how fair that is but certainly something of note has occurred that has not occurred in previous years," he said.
"I think everybody is surprised by the utterly unambiguous response," Kaminsky added. "This definitely is 'shot heard round the world' territory, at least in our [security] community."

Microsoft, Yahoo to follow Google's lead in China?

Now that Google has said it will stop censoring search results on its Chinese Web site, a key question is whether rivals Yahoo and Microsoft will do the same.
In the wake of a major cyberattack last month, Google said Tuesday that it will no longer censor its Google.cn site and may pull out of China entirely.
"We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all," Google said in a blog posting. "We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China."
If Google were to pull out, it could offer an opportunity for Yahoo and Microsoft to gain share in a huge market if they are willing to continue censoring their sites.
At the same time, doing so would likely subject either company to enormous bad publicity and a potential backlash elsewhere. Historically, the companies have all justified their moves as saying they are necessary to do business in China and argued that engagement is better than isolation.
We've asked both Yahoo and Microsoft to comment on whether they plan to change policy and will update as soon as we get a response. We're also checking whether Google's move will have any impact at Baidu--the leading search site in China.
And, speaking of Baidu, some are already posting their two cents on Twitter, suggesting that it is Baidu's domination of Google in China, rather than the censorship issue, that would be behind any pullout. I don't know the economics of the China search market that well, but it would seem to me that even a distant No. 2 spot in such a huge market would be worth keeping, all things being equal.
As for Microsoft's other online businesses in China, the company has about 8 million Hotmail accounts in China, although none of the data is stored there, according to a source familiar with the company's operations.
Microsoft came under fire in 2006 after censoring some blogs posted to MSN Spaces. At the time, general counsel Brad Smith defended Microsoft's actions.
"We certainly think it is better for us to be present around the world rather than not," Smith said. "I emphatically think it is good for us to be offering these services. Part of being present is the obligation to comply with local law."
What do you think Microsoft and Yahoo should do? And, is Google pulling out over morals or market share?


More firms securing mobiles with software

The number of protected corporate mobile devices will more than triple over the next four years, jumping from 5.6 percent in 2008 to 18.6 percent in 2014, a new study has found.
In a statement Tuesday, Juniper Research said the number of handsets installed with third-party security software will reach 77.7 million in four years. The findings were newly extracted from a report it released at the end of last year.
The growth will take place despite the lack of an anticipated flood of malware targeting mobile platforms, the research analyst noted.
"Improvements to the underlying security of the mobile operating system, shorter replacement cycles and concerted efforts by the mobile industry to avoid the problems seen in the PC world, have so far kept the malware threat to the mobile device at bay," Anthony Cox, senior analyst at Juniper Research, said in the statement.
The report attributed the uptake of mobile security tools to the increasing value of information held on mobile devices. The research firm added that mobile security adoption is highest in Europe, followed by the United States, China and Southeast Asia.
Data protection legislation in Western markets was a significant driver for enterprise mobile device protection, according to Juniper Research. In a whitepaper, it cited a law in Massachusetts that mandates any enterprise conducting business with those within the U.S. state must use encryption to protect confidential information stored on handhelds and laptops, or transmitted wirelessly on public networks.
A study released last year by Symantec found that about one in five respondents in Asia did not have mobile antivirus software on their corporate handsets.
Juniper Research estimates that overall corporate IT security revenues will reach US$16.4 billion globally by 2014. Encryption is set to grow 26 percent to US$4.3 billion in the same period.
F-Secure's regional director for Southeast Asia, James Tan, concurred with Juniper Research's findings. In response to e-mail queries from ZDNet Asia, Tan noted that the company's mobile security offering, which enables users to lock down their devices, wipe them clean as well as back up data on the mobile phones, has been generating "much" interest from consumers and operators.
"Certainly in recent times, more and more mobile operators in this region have been approaching F-Secure to explore mobile security solutions as a service offering to subscribers, and also to seek out solutions to overcome network issues [experienced] as a result of 'corrupt' traffic," he said. "From a competitive perspective, we are also experiencing more and more mobile protection offerings entering the market from both established and new applications vendors."