Friday, May 25, 2007

Google launches security awareness effort using the blogosphere

There is another effort to curb fraud, phishing and financial misdeeds in the blogosphere. This week, Google launched a blog called the "Google Online Security Blog," which is designed to protect their users from the sometimes dangerous (murky) waters on the Internet.

In their own words (from their first post):

Online security is an important topic for Google, our users, and anyone who uses the Internet. The related issues are complex and dynamic and we've been looking for a way to foster discussion on the topic and keep users informed. Thus, we've started this blog where we hope to periodically provide updates on recent trends, interesting findings, and efforts related to online security. Among the issues we'll tackle is malware, which is the subject of our inaugural post.

In this post they discuss "drive by downloads," which install what I call "cybernasties" on systems, often designed to steal personal, or financial details. They point out that Google already warns users of malicious sites in their search results and that users can prevent these sites from loading using Google Desktop Search.

They have also included a link to a paper, which studies this issue.

Since Google (as far as I know) isn't selling security software, the paper is well worth a read. This isn't to say that a lot of the papers published by security companies aren't relevant, it just means that Google's effort isn't designed to sell security software.

They also point out that most of the sites they investigated that download malware a.k.a. crimeware belong to webmasters, who don't know they've been hacked and are being used to compromise systems.

This post was written by Panayiotis Mavrommatis and Niels Provos of Google's Anti Malware team and includes a link to StopBadware.org. StopBadware.org has a lot of great tips on how to protect and avoid the growing phenomenon of malware (crimeware).

Google's Online Security Blog can be seen, here.

I look forward to seeing what else they come out with!

Sunday, May 20, 2007

Technology alone isn't going to stop phishermen and other cyber ghouls on the Internet

Not so long ago, I did a post about how the federal government was phishing their own employees.

It didn’t surprise me that many of the phish took the bait, pretty easily. It would just mean that the federal employees, who were phished are no different from the general population on the Internet.

After all, there wouldn’t be so much phishing, if it didn’t work.

Apparently, the practice is catching on and Amy Joyce of the Washington Post did an interesting article about why the idea might be a good one.

In the article, James MacDougall (South Carolina’s computer security guru) as saying:


You can spend all the money on the technology you want, MacDougall said. But if the end users are doing dangerous behavior, there is almost no cure for that.


Mr. MacDougall has hit an important point right on the head and phishing tends to set new records, every time the Anti Phishing Working Group issues their monthly report. Their most recent report (April) indicates that not only did the number of phishing sites set a new record, but their numbers more than doubled over the previous month (March).

Spam filters designed to stop phishy e-mails seem to be under major attack, and haven't been very effective in the recent past, either.

Maybe, we are spending too much money on technology to solve the problem rather than using some good old fashioned common sense?

One of the reasons, technology tends to be defeated, or used by criminals – is that it is too easily compromised by human beings. Most financial scams rely on the greed factor, or getting people to fall for something that's too good to be true.

It doesn’t take a genius to buy DIY (do it yourself) crime kits, which are readily available over the Internet, and commit what some might consider, sophisticated criminal activity.

Relying on technology to protect us without human oversight is a big mistake, and this holds true, for more than financial crimes.

Government and private systems are attacked all the time for their information.

Technology is a wonderful tool and makes things easier, but it has limitations. Instead of throwing all of our resources into technology, which seems to have a limited life span, maybe we need to focus more on the human factors that put us at risk, daily.

Thought provoking story by Amy Joyce, here.

Advance Fee credit schemes steal from people who are already in financial trouble

A Florida scam artist has been caught after ripping off thousands of people in what is known as an advance fee credit scheme. The scam -- which targets a market segment known as the under banked -- offers credit to people, who wouldn't qualify for it, otherwise.

Although variations of advance fee schemes have been around for centuries, the global and anonymous nature of the Internet has enabled them to spread like a virus with the click of a mouse.

In advance fee credit schemes, after paying a large fee in advance, the people don’t get the credit and are out the fee.

According to the AP, the Florida man, defrauded low income people out of about $12 million in this recent arrest.

Although in this instance, credit cards were being offered, other forms of credit are offered in advance fee credit scams, also.

These scams are spread via spam e-mails all the time, but they also appear in more traditional advertising like newspapers and magazines. People are also often solicited by telephone.

Recently, the Truston blog commented about a New York Times story revealing that InfoUSA, a databroker, was selling lists of senior citizens interested in lotteries and sweepstakes. Lottery and sweepstake scams are rampant on the Internet.

I wonder how many other telephone lists are sold by data brokers, which help fraudsters market their scams?

The Federal Trade Commission (FTC) has a nice page explaining this problem, here.

Suspected activity can also be reported to the FTC:

The FTC works for the consumer to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint or to get free information on consumer issues, visit http://www.ftc.gov/ or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

Most scams do not make sense and are too good to be true. Paying a third-party to get credit is unlikely to change, whether or not, an individual qualifies for a particular financial product.

On a final note, it's also not wise to give out your information to someone you don't really know. Doing so, might lead to becoming an identity theft statistic.

AP story, here.

Truston blog post on New York Times article about data brokers selling telephone lists to criminals so they can "market" their scams, here.