More reports of evil twin attacks at cafes

6 05 2007

via The Times Online: Hackers target wi-fi hotspots in new phishing attack

Computer users have been warned of the dangers of using wi-fi hotspots after it emerged that cyber-criminals are targeting the networks in café chains including Starbucks.

Times Online has uncovered evidence that criminals are using a technique known as an ‘evil twin attack’, where victims think that they are logging on to the genuine network in a café but are in fact being diverted to a ‘rogue’ connection.

This attack has been predicted to be popular for a long time, so this is not very surprising. It’s very difficult using current software for anyone to verify the identity of a wireless hotspot, so hotspot users need to make sure that their applications are communicating securely too.

Unfortunately for most people not very familiar with computer security (i.e. most people), determining if your applications are communicating securely is ALSO usually quite difficult to determine. Browsers are the obvious candidate, but some recent research determined that most users ignored missing security indicators or warnings anyway. Besides that, do most users know whether their IM session or online service is secured in an appropriate manner?

As a side note: similar man-in-the-middle attacks have been conducted on the Tor network, too. Never trust a common carrier, eh?





Aus security firms demo CBA SMS 2FA vulnerability

5 05 2007

Via ZDNet: Two-factor bank authentication proven vulnerable

Two-factor authentication systems using SMS messages can be exploited by criminals to steal money, according to security experts who demonstrated an attack in Sydney on Thursday. Australian security firms TrustDefender and Dragonfly Technologies, who specialise in endpoint security and two-factor authentication respectively, broke the security of a Commonwealth Bank account using a specially crafted piece of malware.

The demonstration showed how malware could be used to not only capture the login credentials of an online banking customer but also how, once the users’ system was infected with a trojan, an attacker could exploit weaknesses in the mobile phone-based authentication system to clean out a victims’ account.

I’m not familiar with the specifics of CBA’s system, but are their SMS codes used on a transactional basis? If not, this would make it easier for a trojan to make its own transactions using the victim’s logged-in session, of course. This type of attack has been around since 2004 at least, most famously in the E-Gold / Grams trojan.





Seeing LCD screens through walls

5 05 2007

via New Scientist Technology Blog: Seeing through walls

Have you considered that someone could be reading what’s on your monitor from a few rooms away? It’s unlikely, but possible, as work by Cambridge University computer security researcher Markus Kuhn shows.

A radio antenna and radio receiver – equipment totalling less than £1000 – is all you need. Kuhn managed to grab the image to the left through two intermediate offices and three plasterboard walls.

Neat.  But what to do about it? As the article points out, this type of attack has been around for quite a while against CRTs.





DoS extortion is no longer profitable

5 05 2007

via Symantec: DoS extortion is no longer profitable

In the last six months of 2006 we saw a pretty sharp decline in the daily number of denial of service attacks. Although there are likely a number of factors at play here, I think there is one primary factor: denial of service extortion attacks are no longer profitable. DoS extortion attacks are usually carried out by a bot-network owner. Using their bots, the extortionist has to make a successful DoS attack against a target organization. Following that they have to issue the extortion request and hope the target organization pays it.

Statistics like DDoS volumes and motivations are difficult to accurately obtain, but this makes intuitive sense really.  There are other, stealthier ways of making money out there.  DDoS extortion involves an investment of time to negotiate with the victim and carefully monitor the attack, and leaves the attacker more vulnerable to profiling and tracing.  As the Symantec post also points out, political and retribution attacks won’t be going anywhere, which also lines up with recent experience.





Slick social engineering: fake Windows re-activation

5 05 2007

via Symantec Security Response Weblog: MS Needs Your Credit Card Details?

Recently we came across an interesting Trojan sample, detected by Symantec as Trojan.Kardphisher. The Trojan is not very technical – it’s really just another classic social-engineering attack. What makes it interesting is that the author has obviously taken great pains to make it appear legitimate. When you restart your PC after the Trojan is installed, this window appears:





UK ID cards – the smoking gun

10 04 2007

Oopsie!  Via the Daily Mail (UK):

Secret paper reveals Labour’s lies over ID cards

They appear to contradict commitments given by Labour in its 2005 Election manifesto, which pledged that the cards, and the national identity register containing people’s names, addresses, fingerprints and other information, would be ‘on a voluntary basis’.

The briefing notes, released under the Freedom Of Information Act, show that civil servants had already been told ID cards would be compulsory for everyone by 2014.


In a table illustrating the predicted yearly savings expected by the department it states that from 2014 – Year 7 of the project – ‘The identity card scheme is now compulsory’.

With Australia’s proposed and hastily-legislated ID cards using a similar ‘voluntary’ opt-in – being those who want the luxury of health care – I wonder if a similar smoking gun exists?





Mule scams via BPay now? How convenient!

7 04 2007

Via iDeceive, it looks like mule scammers are now advertising that you can process your mule scam transactions via BPay. Mule scammers have had very slick web sites for a while which are almost indistinguishable from real businesses (or lifted from real businesses), but this blurs the line further still.

As the iDeceive site notes, who knows if they are actually using BPay or not, but it adds a good bit of credibility to the hook since BPay is very popular in Australia and it’s generally perceived that only ‘real’ businesses use it.





Phone scam targets Brisbane homes – but maybe not a very good one

31 03 2007

From the Brisbane Times:

Phone calls to Queenslanders where an employee of a law firm asks for the resident’s personal details could be a well organised scam or identity theft racket.

And divulging those details to a stranger who phones at home could be potentially dangerous, the Queensland Office of Fair Trading warned.

and:

The caller had her full name, and the call sounded official, but when the man asked to confirm her address, he had the wrong information.

“He gave an address that sounded totally fictional, something like ‘Mahogany Grove, Sweet Waters’,” she said.

She told the man he had the wrong number, but he continued to probe her for details, and asked if she lived close to Brisbane.

“He sounded quite nice, not aggressive at all; the type that puts you at ease.

It’s always good to publicise ID theft scam techniques that operate over media other than email – which have been around for much longer anyway, of course. A good rule for salespeople, or for anyone conducting a survey, is to start with small talk, ask innocent questions, gain trust, then gradually ask more probing questions. The same rule applies to scammers of course, so if this is a scam, it’s not a very good one.

It’s always very hard to be paranoid of people’s intentions if you don’t want to appear rude.  My favourite example of this is swipe card access into buildings.  In a big company, it’s likely that an employee won’t know all the other employees; yet if someone is behind you, is wearing a suit and looks friendly, would you hold the door for them or slam it in their face?  You should do the latter, but most do the former.





Sydney eBay scammer makes $40k exploiting weak passwords

21 03 2007

Easy money – at first:

Dov Tenenboim, 21, of North Bondi, used his home computer to hack into at least 90 different eBay seller accounts last year, according to police.

After hacking into the eBay accounts of Wendy Runge and Kathy Gill, he sold $13,482 worth of nonexistent Apple iPod music players. After each sale he would direct his victims to pay for the goods by transferring money into the bank accounts of his accomplices.

By using other sellers’ accounts, Tenenboim was able to take advantage of their good reputation to fool buyers into thinking the deal would be good. He also hacked into the Commonwealth Bank phone and internet banking account of Hugh Devlin last August.

His main method to get access to the accounts? Guessing weak passwords. Nice work if you can get it… and don’t get caught.

Another fact I find interesting is that assuming ‘Dov Tenenboim’ is a fairly unique name, Mr Tenenboim has been a bit of a businessman too: at least once or twice. I once did a course involving the Myers-Briggs personality test where both entrepreneurs and criminals were often said to be in the same broad personality type (SP). I guess this is some nice anecdotal evidence for that claim.






3 men indicted in stock hacking scheme

14 03 2007

Excellent news at a time when many cases of electronic fraud go unpunished (and undetected). Their scam sounds quite efficient, too – may as well cut out the middleman chumps of pump-and-dump scams and pump those stocks yourself.