With the robust and genuine software and hardware security applications the cost of computing is going too high. The vendors are no more struck in pleasing their consumers with just the usability features. They have tightened the technology and even releasing numerous updates though they seem overwhelming to their customers. In this kind of situation, finding out new vulnerabilities in software and them trying to exploit them with viruses and trojans are not viable for the hackers. It is here where they figured a new strategy – exploiting the weakest link of a sturdy technical security system. Guess who? The human of course… It can be the administrator of the PC or a corporate network. Even luring a small employee of a corporate network into downloading something infects the network.

Kevin Metnick, a security consultant, mentions in his CSEPS Course Workbook that it is much easier to trick someone into giving a password for a system than to spend the effort to crack into the system.

Social engineering explained
The concept of Social Engineering is to directly trick the user of the computer to download malware or to reveal sensitive information under the auspice that they are doing something perfectly innocent. The task is too simple and many fall out for it for the lack of awareness on the scams being played on.

With a world class antivirus that gets 1st rank in all AV-tests and a best team releasing realtime AV definitions everyday or a robust firewall from the industry leader, is simply not helping the administrator of the computer. Because it is himself who is infecting the PC. The job of the attacker is to simply lure him to do it. However, it may not be downloading malware that the attacker wants every time. He may just lure the user into giving away some sensitive information. It ranges from SSN to credit card number.

The hacker hijacks a genuine domain or creates a genuine-looking one by himself. It is a part of website spoofing. Once the user enters the domain they are either lured into providing their personal details or download something. Selling scareware is also a part of social engineering. In fact Google reported that 90% of all domains involved in distributing fake antivirus software used social engineering techniques.

Why your antivirus can’t keep up?
Each hacker holds a number of domains under him. If one is identified and taken down, the other goes up. The malware mutation used here is also rapid. Though you have the latest version of antivirus called Internet security suite, it may be too late before the vendor identifies and releases a fresh virus definition. Microsoft has gathered information about few billions of downloads over the past two years, and roughly 1 out of every 14 program downloads are later identified as malware. In few cases, just clicking on the background of the malicious site will initiate a download.

Anti social engineering: Should it be from your computer and AV or You?
You computer security is only as robust as your security awareness. Any computer, be it running on Windows XP, Vista or Windows 7, the software will not allow any data to enter your system unless you permit it by initiating its download. And if somebody tries upload any corruptive data to your system, it wouldn’t work because you never initiated it in the first place.

The popular browsers today are designed not to download blindly anything, even if it is initiated by the user himself. The browser does its job perfectly by alerting the user with details of the initiated download. (You might remember the classic pop up of the browser with a OK and Cancel options on it.)

But the hacker is clever enough to give a set of instructions including a message saying “You will receive a warning about this control. Ignore the warning and click OK”. The user unaware of the situation clicks OK and downloads the malware. The PC is now infected under the full authorization of its administrator.

In other situation, the user might get an email saying its from his bank (email spoofing from the hacker) informing that he has withdrew a huge amount from his account and a link to site what looks like his banking website. The scared user is now tricked into typing his account details and the password. In the next few hours, the account gets emptied by the hacker.

Most of the social engineering techniques run in the same way. Agreed that genuine antivirus is required to protect your PC, but it is not designed to tackle situations like this.

Here are few tips that help you help from preventing social engineering to some extent:

• The awareness of the user is the key here. Keep yourself updated on the online scams.
• Avoid using administrator privileged account for PC, unless for updating the security patches.
• Beware of unknown websites and emails that prompt you for personal information.

Most of the people fall victim for social engineering tactics either out of stupidity or greed. And unfortunately, we don’t have patches or hot-fixes for either of them. The person should also have a proper mindset to deal with social engineering tactics. A mature person is less likely to get enticed and fall for online scams.

New types of consumer frauds have evolved into the market incurring more losses to the victims. The average amount lost due by consumers due to id theft in 2010 was $631 per incident. This also includes the amount payed by victim towards payoff of any fraudulent debt as well as fees to resolve the fraudulent claims.

Opening an account without the victim’s knowledge was seen to be the most damaging form of id fraud which caused $17 billion losses to victims in 2010 itself. This fraud, called as new account fraud, is not only harder to detect but also severely impacting to the victims.

Account takeover was another common form of the id fraud. Changing the physical address of the victim’s pre-existing account, without his knowledge, was the most popular tactic comprising of 44% of the total account takeover incidents in 2010. Registering an account with the victim’s name was another popular tactic.

In 2010, 14% of the id thefts were committed by the people who were well-known to the victims. This form of fraud is called Friendly fraud, where the fraudsters will be either friend, relative, neighbor or roommate of the victim. Consumers between 25-34 age were the most likely to fell victim for friendly fraud. The most common form of fraud committed by the friendly fraudsters was new account fraud. In 2010, around 30% of the new account fraud was perpetrated by someone well know to the victim. Theft of Social Security Number was also most prevalent in friendly fraudsters.

The above trends for Id fraud suggests the importance of safeguards on not only private information like bank account number and passwords, but also personal information like SSNs.

Basics about Bots and Botnets
The term bot is related to the word robot. A computer system is first infected by a Trojan virus or any such malware; then the hackers, who are creators of this malware, take over the controls of the system and remotely operate it for their use. Since, the infected computers are obeying the controls of the hacker, these are also called bots or zombies.

A single bot is of not much use to the hacker. Thus, he first tries to increase the number of zombies by spreading the malware via the infected PC. Thus, the network of bots increases and forms a botnet. A typical botnet contains a few hundreds or a couple thousands of computers. However, there are a few botnets that contain millions of infected PCs. All of them serving to the key master – the creator of the botnet.

How/where are they used?
The primary risk of having/using a PC-turned-bot is putting all your credible information (like bank accounts, credit card numbers, passwords, financial information or any such sensitive data) available for the hacker to exploit. Bots also send spam, viruses, spyware to other computers on internet in order to spread their botnet. These are automated processes and do not require commands from the hacker each and every time.

Botnets are also used to perform other tasks online like creating email spam, clickfraud, spamdexing, launching of denial-of-service (DoS) attacks, fast flux, access number replacements, etc.

How to check if your PC is a part of botnet
Your PC Internet connection – turning inexplicably slow either while browsing or while checking mails can be a symptom of botnet infection. The malware used in botnet infection are specially designed to hide themselves even during carrying out the automated processes. Thus, it is hard to trace them down sometimes even with an antivirus installed in your PC. However, Prevx suggests a small technique using which you can check if your PC is part of a botnet follow when your internet becomes slow. The process is as follows:

1. Close all your browsers and email software (like Thunderbird, Outlook, etc)
2. Open Task Manager: Press CTRL+ALT+DEL at a time and then select Task manager from the Window.
3. Open Networking tab and observe the graph or Network Utilization percentage below the graph. If it is showing more than usual percentage, then it might indicate that your PC is infected.

If the above is true in your case, the next steps to do will be:

• Immediately pull off from the internet by disconnecting the LAN cable.
• Use a rescue disk (like Norton antivirus rescue disk) and scan your computer thoroughly.
• Replace your antivirus immediately with a superior one and run thorough scan (because it is already proved that the existing one is ineffective).
• Reconnect PC to the internet and update your MS Windows, antivirus database, browser, adobe reader, and other vulnerable applications that are installed on your PC.

Risks increased exponentially
Today, any user can get affected by cyber threats through browsing, searching or merely visiting legitimate sites than ever before in the Internet history. Malicious web links are sprouting at a rapid pace. According to CA Internet Security Business Unit (ISBU), 78% of threats came from online interaction during the first six months of 2009. IBM’s ‘X-Force 2009 Mid-Year Trend and Risk Report’, states that there was more than 500% increase in new malicious web links in the first six months of 2009. The vulnerability towards the threats seems to have reached the peak point. In the first half of the year 2009 alone, nearly 3,240 new vulnerabilities were discovered.

New threats
With the evolution of web based communities and explosion of Internet services, users are spending more time online and engaging in social networking activities on the Internet than ever before. This is resulting in new threats that exploit these services and communities. When a reputed website hosts third-party content, users often let down their guard while following hyperlinks in the third-party content or installing applications offered by them. Malware authors follow social networking buzz and the most popular activities online to attack the users. They are always ready to exploit significant and popular news stories to trap the netizens. Thus many people become victims of cyber traps.

The attackers are constantly upgrading their tools to attack the unwary users. This criminal activity is scaling new peaks constantly. According to IBM, the SQL injection attacks almost doubled from first quarter to second quarter of 2009. Through SQL attacks, malicious code is injected into genuine web sites to infect the visitors.

For the past few years, Botnets are the primary tools for many cyber criminals. They are always a challenge to the cyber security professionals as it is very difficult to track them down. Botnets can launch almost every type of cyber attack including data exfiltration, sophisticated espionage, and spam.

Targeted attacks
Although targeted attacks were rare earlier, they are seen often these days. Apart from the common people, top management of companies, governments, industries and even journalists are being targeted for private information. Emails with Malware attachments is the popular and preferred method for targeted attacks. According to CA (ISBU), 17% of the infections are distributed through E-mail. There is also an increase in attacks targeting client software using Adobe products including Flash and Acrobat Reader.

Criminals are adapting more effective methods to target online banking system. Trojans are the result of new tactics that go beyond the simple key logging-with-screenshots efforts, which prevailed earlier. CA (ISBU) reported that Trojans were the most common threats representing 71% of the total infections in the first half of 2009. When it comes to Phishing, IBM says that 66% of the phishing attacks targeted financial industry and 31% targeted online payment in the first half of 2009.

Over the years, Internet security issues have been growing. Initially, virus was the only problem. Later with the explosion of Internet, many newer threats have evolved increasing the security vulnerability such as malicious domains or untrusted web sites, presence of malicious content on trusted sites, including popular search engines, blogs, bulletin boards, personal Web sites, mainstream news sites and online magazines. Today you are in a high-risk zone as soon as you are online. It is always advisable to be alert while you are browsing.

A recent online scam which promises viewers to download the recent “Twilight – New Moon” movie is found to install malware in PCs.

The entire process of this scam is as follows…

• Viewers are lured with the text websites, chat rooms and blogs that read: “Watch New Moon Full Movie.” Comment posts with related keywords are also used simultaneously to attract more search engines.
• Search results for the movie then link users to stolen images from the movie itself, convincing the fan that the movie is only one click away.
• When they click on the “movie player” they are told to install a “streamviewer”.
• The streamviewer, however, installs malware on the user’s computer.

Don’t get enticed by such scams to get downloads without verifying if the sources are genuine or not. It can turn up to be more hectic not only in terms of cost but also in terms of toil and time. And the entire accountability will fall upon none other than you.

Courtesy: PCTools.com

Scareware adopts bogus sales tactics that are designed to scare a user into believing that his or her computer contains critical errors or viruses that have to be fixed immediately. Scareware ads offer an instant solution to the so-called problems on the computer and come for a price. In some cases, this software is harmless – while in others – it is actually a malware or another spyware. The ad might pop up anytime when surfing the web. The ad may open a pop-up window leading people to believe that the message is triggered by their own Operating System. The message claims that the consumer’s computer is infected with a virus and may require a “fix” and that clicking on “OK” would take the user to the download site from where the user could purchase the “fix”. By luring the victims to buy the software, the perpetrators may even steal sensitive information such as credit card details of the victim and these details may be sold to black market forums.

As of June 2009, over 250 rogue programs had been detected by Symantec in a study, which spanned over June 2008-09. Bogus security software could be freely available, may cost up to US$100 or come in a trial version. They may be installed manually by the user or when he opens an attachment or while surfing through a malicious website. Scareware can also be unknowingly advertised on legitimate websites such as social-network sites, forums, blogs, and appear in search engine results that are sponsored by cyber criminals. These crooks also hire sales representatives to sell their products who earn an average of US$23,000 a week. They are paid for every installation they make and even get bonuses like electronic gadgets and luxury cars.

Another tactic of Scareware is scaring users with unanticipated images, sounds or video. This is known as Prank software. An example of this kind of software is “NightMare”, which when executed lies dormant for some amount of time, finally changing the entire screen of the computer to an image of a skull while a horrifying shriek is played on the audio channels.

Many cases have been filed against the perpetrators of such sites and they have been asked to pay for the damages caused by them. In 2005, Microsoft and Washington State successfully sued Secure Computers for US$1million over charges of using scareware pop-ups. Various regulatory bodies like the US Federal Trade Commission are taking an active part in trying to put an end to this menace.

However, it is your responsibility to be aware of these things and avoid being trapped.

The following email was sent to a small business support’s email id for financial gain from a@gmail.com – an email id belonging to their client.

“I’m sorry for this odd request because it might get to you too urgent but it’s because of the situation of things right now, i’m stuck in New York City with family right now, we came down here on vacation , we were robbed, worse of it is that bags, cash and cards and my cell phone was stolen at GUN POINT, it’s such and crazy here in london , i need help flying back home, the authorities are not being 100% supportive but the good thing is we still have our passport but dont have enough money to get on flight ticket back home, please i need you to loan me some money till im back home to pay back , i will refund you as soon as i’m back home, i promise , all we need is $800”

The issue looked genuine. The only odd thing was that it was sent as ‘BCC’ (undisclosed recipients). However, the email was from the client’s id.

The following reply was sent to the email id of the client.

“Not a problem. Please let us know what we need to do.”

Then this person got suspicious and sent this message immediately.

Is there a number we can reach you?

Within 10 minutes there was a reply from the email id as follows…

“Well I’ll can’t access any cell right here , all i need is $800 more to complete my ticket fee right now , I can get it back to you as soon as im back home , You can wire me the money via western union , You only need my name and the country name here , I still have my passport ID to pick up the money here

Name : First Lastname
Country Name : New York, United State of America

Thats all you need , You got it right ?”

This is a tricky situation as you don’t want to be seen as unsupportive when a client is in genuine trouble. Thus, the business was willing to send the money. However, they called the client’s mobile in the U.S and he answered – making it clear that the email was not sent by him. If it wasn’t answered they were all set to send the money, since, they were not aware of anyone being fooled in this way before. The business wanted to widely circulate this to prevent people from being fooled this way.

This report focuses exclusively on financial cybercrime, specifically credit card fraud and identity theft. Financial cybercrime has increased dramatically in recent years and looks set to increase further as the proliferation of communications technology proceeds apace and reaches regions of the world with many underemployed poor people with information technology skills who can take advantage of cybercrime opportunities.

India stands in 14th place among world hosting phishing websites for 2008. Though the cybercriminal activity in India is very low compared to many other major and emerging economies, the report says that there has been a leap in cybercrime in past few years.

According to the report, “The country’s top ten BPO firms hire up to 25,000 new employees per year, and financial services are one of the fastest growing segments. However, low salaries and fast turnover in the industry might provide an incentive to make extra money through cybercrime.”

However, SMBs in India are turning towards adoption of efficient security measures to check the issue of data security. According to a report from AMI Partners Inc, Indian Small and medium businesses (SMBs, or companies with up to 999 employees) are realizing that data security is not just adopting security solutions but that formulating structured policies is also a critical factor. SMBs in India are on track to spend US$291 million on security-related investments in 2009.

For more information click here.

Courtesy: Search-Marketing.In

However SMBs are the most vulnerable segment in terms of data security. Data explosion, electronic threats and increased usage of web-based solutions are some of the important factors that increase the risks of SMBs being vulnerable in data security.

This is not confined to just India but is spread across even all the major economic countries. In fact, U.S is the most targeted country in terms of phishing attacks. A recent report from Brighton University says that US gets a significant 53% of total world’s phishing attacks followed by UK, Italy, Spain and Canada.

However, being the world leader of BPO I agree that it is not feasible for India to succumb to phishing attacks and be vulnerable in data security. A recent study from AMI partners Inc., SMBs in India are realizing that data security is not just adopting security solutions but that formulating structured policies is also a critical factor.

The report says that Small and medium businesses (SMBs, or companies with up to 999 employees) in India are on track to spend US$291 million on security-related investments in 2009. Security software accounts for three fourths of the total SMB security expenditure. Managed security services (MSS) is one of the key trends in the SMB security space, which is expected to grow at approximately 21% this year.

Courtesy: Search-Marketing.in
Related Links:
Wan optimization