-
Phishers, the devil’s in the details!
Posted on August 12th, 2010

Phishing is presumably big business (although maybe not). Because email is very cheap to send, phishing has a low barrier to entry. Usually Gmail’s spam filter is so accurate that I don’t see phishing emails; recently, however, some Blizzard-themed messages have gotten through. I get the impression that the emails are crafted by foreigners who lack the finesse necessary to deceive people–a good thing, no doubt. As with most pursuits, the devil is in the details. Let me illustrate with the most recent email to pierce Gmail’s phishing armor:
Hello, thank you for shopping at the Blizzard Store!
StarCraft II®: Wings of Liberty™: 6129523855006794206159153
To use this key to activate the game, simply follow these instructions:
1. Log in to your Battle.n Account – Or Create a Battle.net Account
2. Verify your e-mail address. (If you have previously verified your address, skip this step.) From the main Account Management page, click the ‘verify this e-mail address’ link. Then, check your e-mail account for a verification e-mail. Click the link in this e-mail to verify your e-mail address.
3. Return to the Battle.net account management page, then click on ‘Code Redemption’.
4. Enter the above CDKey in the code field.
5. Once you have successfully redeemed this code, you will be able to play the game.
NOTE: If you have previously chosen to gift your digital purchase, attaching this key to their Battle.net account will prevent you from being able to redeem this key with your Battle.net account.
Order Date: 2010-8-10
Order #: 2573775
(1) StarCraft II®: Wings of Liberty™ – $59.99
Credit Card Number : ****-****-****-9527
Credit Card Type : Vista
Item Subtotal: $59.99
Tax: $0.00
Shipping & Handling: $0.00
Shipping Tax: $0.00
Grand Total: $59.99
===========================================
If you have any questions or concerns about your order, please contact us at:
Phone: Toll-free at (1-800-592-5499)
Website: http://us.blizzard.net/account
Live phone support is available seven days a week, 8:00AM – 8:00PM Pacific Time.
Thanks for shopping with us!
Blizzard Customer Service

I like the use of ® and ™! Those are definitely nice touches. However, Blizzard begins by greeting you with the name on the account. Moving on, the CD key should have dashes. Whoops. Next, we see “Battle.n Account – Or Create at Battle.net Account.” Within a few words, they misspell Battle.net and then give you the proper spelling. Then there’s the gratuitous capitalization throughout, seen here on “Account,” “Or,” and “Create.” Throughout, there are small, unprofessional and inconsistent bits, like the lack of a carriage return between items 3 and 4. Then “CDKey” is lacking a space… Another awesome failure: the “Vista” credit card type! A couple of lines lower, the itemized “Shipping Tax” seems off.
To be fair, if you were expecting a StarCraft email (sadly, the phishers are two weeks late) and gave it only a quick glance, the email could work. It is apparently sent by Blizzard Entertainment! However, digging deeper into the email header, we see more incorrect details:
from Blizzard Entertainment
to seth@sethholloway.com
date Wed, Aug 11, 2010 at 8:46 PM
subject Battle.net Account Management
mailed-by hotmail.com

Mailed by hotmail? Phishy. Details, details!
Also, it’s important to hover over links before following them… This is probably my favorite part: “wowsuppor-check-blizzard.com.” I guess wowsupport-check-blizzard.com was already registered.
And, of course, official Blizzard emails direct you to us.battle.net instead of blizzard.com. Details!

Another detail that reeks of fraud is the use of “WoW”/“wow”, which refers to another Blizzard product, World of Warcraft. Account management, StarCraft II, and World of Warcraft blend into one weak attempt at phishing.
I believe that every critique should come with a suggestion, so here’s my suggestion: buy a legitimate copy of StarCraft II and copy the official email exactly, changing only the link (from official site to your faked site). Then, replicate their website and direct people to the fake. To Blizzard’s credit, they do not make copying the page easy because they cleverly use dynamically rendered Ajax elements with obfuscated JavaScript and XSLT. They also have a lot of content and they update the pages regularly. Another idea: direct them to your domain, infect their computer with malware, and quickly forward them to battle.net so they’re none the wiser.
If you want to step up to the big leagues, you’ll have to concentrate on the details!
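The tells called out above, turned into a small checker as an added example (this is not code from the original post): a brand name in the sender’s display name paired with a non-brand mailed-by domain, link text whose domain differs from the href it actually points to, and a link domain that borrows the brand’s name without belonging to the brand. The sample reuses the post’s header fields and hover-revealed domain; the pairing of visible text with href and the /account path are constructed.

```python
from urllib.parse import urlparse

# Domains the brand actually uses, per the post (us.battle.net, blizzard.com).
BRAND_DOMAINS = {"blizzard.com", "battle.net"}
# Tokens a lookalike domain borrows to look like the brand.
BRAND_TOKENS = ("blizzard", "battle", "wow")

def registrable_domain(host: str) -> str:
    """Crude registrable domain: the last two DNS labels (fine for .com/.net)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_brand_domain(host: str) -> bool:
    return registrable_domain(host) in BRAND_DOMAINS

def host_of(text_or_url: str) -> str:
    """Hostname of a URL or of bare text like 'us.blizzard.net/account';
    '' for text that is not a URL or hostname at all (e.g. 'click here')."""
    if " " in text_or_url or "." not in text_or_url:
        return ""
    if "://" not in text_or_url:
        text_or_url = "http://" + text_or_url
    return (urlparse(text_or_url).hostname or "").lower()

def phishing_findings(display_name, mailed_by, links):
    """Indicators that a message impersonates the brand.  display_name is the
    From display name, mailed_by the envelope sender domain (Gmail's "mailed-by"),
    links a list of (visible text, href) pairs from the body."""
    findings = []
    if any(t in display_name.lower() for t in BRAND_TOKENS) and not is_brand_domain(mailed_by):
        findings.append(f"sender claims '{display_name}' but is mailed by {mailed_by}")
    for text, href in links:
        shown, target = host_of(text), host_of(href)
        if shown and registrable_domain(shown) != registrable_domain(target):
            findings.append(f"link text shows {shown} but points to {target}")
        if not is_brand_domain(target):
            kind = "lookalike" if any(t in target for t in BRAND_TOKENS) else "off-brand"
            findings.append(f"{kind} link domain {target}")
    return findings

# Constructed sample: the post's header fields plus its hover-revealed domain;
# the text/href pairing and the /account path are assumed, not quoted.
SAMPLE = ("Blizzard Entertainment", "hotmail.com",
          [("http://us.blizzard.net/account", "http://wowsuppor-check-blizzard.com/account")])

if __name__ == "__main__":
    for finding in phishing_findings(*SAMPLE):
        print("suspicious:", finding)
```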
-
Flash, you sneaky bastard!
Posted on February 21st, 2010

Flash, the popular multimedia platform that helps make websites more interactive, has cookies separate from your web browser’s cookies. They’re called local shared objects (LSOs) and they may be a security hole–like all things Flash.
There are a number of directories where the flash cookies may be stored. For example, on Mac OS X, LSOs are stored in two locations:
- ~/Library/Preferences/Macromedia/Flash\ Player/#SharedObjects/
- ~/Library/Preferences/Macromedia/Flash\ Player/macromedia.com/support/flashplayer/sys/
And there are more possible locations! For a detailed list, check the list of locations on Wikipedia’s LSO entry.
You can manually navigate to these locations and delete nasty ad-tracking/malware-hosting objects; however, while deleting unwanted cookies is worthwhile, it’s not a good long-term solution. I recommend you update your Flash settings (this interface also allows you to delete your LSOs) now! There are several tabs to look through, but don’t worry–it’s quick. Make sure you deny access to your camera and microphone! For finer-grained control, the Firefox extension Objection helps track and eliminate Flash cookies.
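As an added example (not from the original post), a Python script that walks the two storage roots above, groups the .sol objects by the site that wrote them, and lists (or, with dry_run=False, deletes) objects from sites not on your allowlist. The directory layout it relies on, a random profile id followed by the site hostname, prefixed with ‘#’ under sys/, is an assumption of the example and not something the post states.

```python
from pathlib import Path
from typing import Dict, List, Optional, Set

# The two macOS storage roots named in the post; expanded with expanduser() when scanned.
LSO_ROOTS = [
    Path("~/Library/Preferences/Macromedia/Flash Player/#SharedObjects"),
    Path("~/Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys"),
]

def site_of(sol_file: Path, root: Path) -> Optional[str]:
    """Name the site that owns a .sol file.

    Assumed layout (not from the post): the first directory below root whose
    name contains a dot is the site's hostname; under sys/ Flash prefixes it
    with '#', and under #SharedObjects a random profile id precedes it.
    """
    for part in sol_file.relative_to(root).parts[:-1]:
        name = part.lstrip("#")
        if "." in name:
            return name.lower()
    return None

def lsos_by_site(root: Path) -> Dict[str, List[Path]]:
    """Group every .sol file under root by the site that wrote it."""
    grouped: Dict[str, List[Path]] = {}
    root = root.expanduser()
    if not root.is_dir():
        return grouped
    for sol in root.rglob("*.sol"):
        grouped.setdefault(site_of(sol, root) or "(unknown)", []).append(sol)
    return grouped

def purge_unwanted(root: Path, keep: Set[str], dry_run: bool = True) -> List[Path]:
    """List (or, with dry_run=False, delete) objects from sites not in the allowlist."""
    removed: List[Path] = []
    for site, files in lsos_by_site(root).items():
        if site in keep:
            continue
        removed.extend(files)
        if not dry_run:
            for f in files:
                f.unlink()
    return removed

if __name__ == "__main__":
    for root in LSO_ROOTS:
        for site, files in sorted(lsos_by_site(root).items()):
            print(f"{root.name}: {site} -> {len(files)} object(s)")
```

Run it once in dry-run mode to see which sites have left objects behind before passing dry_run=False with the sites you actually want to keep.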
Whatever your strategy, I wish you luck!
-
The on-screen keyboard: A hint more security
Posted on June 8th, 2009

Keyloggers are rampant! They are the most prolific trojan horse and they can easily transmit your passwords to bad guys. They’re simple and effective.
Keyloggers work by intercepting and transmitting keystrokes, so a simple countermeasure is to avoid keystrokes. While this is impractical as a general approach, you can add a hint more security to your workflow by inputting passwords (or even bits of a password) via an on-screen keyboard.
In Windows, it is very easy to turn on an on-screen keyboard:
Start -> All Programs -> Accessories -> Accessibility -> On-Screen Keyboard
Once the keyboard is up, simply set focus on an application then use your mouse to press the keys on the on-screen keyboard.
Does anyone have evidence that on-screen keyboards are also vulnerable? Any other simple security tips?
-
Forget Ocean’s 11, these heists are all digital
Posted on January 20th, 2009

Over the holidays Wired published an article, the Seven Best Capers of 2008, that ran down a list of crafty, entertaining schemes that ultimately resulted in the perpetrator getting caught. I encourage you to read the entire article; you’ll find that every story involves a digital component. Here’s the top rated heist:
The Snohomish Smokescreen
In September, a robber disguised as a gardener pepper-sprayed an armored car driver using a pesticide sprayer and ran off with a bag stuffed with $400,000 in cash. When police arrived seconds later, they found the sidewalk crowded with dozens of men decked out in the same attire as the perp: blue shirt, Day-Glo vest, safety mask and glasses. While the cops hacked through a forest of suspects, the real perp fled to a nearby creek and escaped in a waiting inner tube.
Turns out the unwitting decoys had been lured to the crime scene by a Craigslist ad that promised construction work to those showing up in a “yellow vest, safety goggles, a respirator mask … and, if possible, a blue shirt.” A month later, following a lead from a homeless man who witnessed the preparation for the Brinks job, police arrested 28-year-old Anthony Curcio fresh from a Las Vegas vacation. Curcio is now charged with “Interference with commerce by threats or violence,” because “Pulling the most awesome robbery ever” isn’t listed in the U.S. code.
Missing from the list are the scams by Wall Street, car companies, and any other bailout recipient, as well as individuals like Bernie Madoff.
While not as entertaining to watch as the daring Ocean’s 11, the list helps to highlight how new media (using Twitter to create flashmobs, for example) and cybercrime are the way of the future. A realistic movie about any one of these heists would involve a kid at a computer for days on end, slowly accumulating wealth.
Stealing physical items was much easier to catch and prosecute; with modern plots siphoning off fractions of a cent per transaction, we face a brave new world. America has to increase technological infrastructure, educate citizens about risks, and allow greater research into security.
What do you think? Have I misinterpreted? What’s the future of crime and high-stake heists? How can we prevent it or at least mitigate the losses?
-
Do we need AV software?
Posted on December 14th, 2008

Do we need AV software? It is naive to think that safe practices alone will protect you–there are simply too many ways to get into a system. You need something to protect your computer, and good AV software won’t hurt.
I was reading a Lifehacker article asking readers about antivirus (AV) software. The range of knowledge conveyed in the comments is ridiculous. Some users claimed they had never had a virus. There are known botnets with over a million machines. I doubt that all million machines are owned by a single individual, which means there are many users who are either willingly allowing someone to use their machine or unaware of the heist. With the sophistication of modern viruses (rootkits, automatic replication, dynamic signature changing, etc.), it is silly to claim you would even know if you had a virus.
A couple of users claim that there has never been a virus for Linux. I don’t even know where to start on that one. Definitely false. Any script kiddie could gain access to a Linux system that has not been hardened. There are a number of measures a system administrator can take to mitigate threats on Linux, but not every Linux user is a sysadmin. Services like ssh being on by default increase the risk greatly. The power of the Linux command line and access to powerful development tools make subsequent attacks easier to launch.
People seem to define “virus” strangely. Some viruses like Vundo trigger a lot of pop-ups, but won’t necessarily crater your system. Other viruses that do not brick your machine are passively collecting information, waiting for further instructions, or launching attacks. You don’t even have to open a file to be at risk. You don’t even have to be online; infected USB keys (and other input devices) can infect a computer that isn’t online.
It’s not just dumb users, either. Viruses come from your friends and people you trust. Elaborate social networking hoaxes are performed every day, and every day they get more convincing. Malware distributors have some of the most professional websites online. Their UI and interface design mimic trusted providers, so a quick glance will not immediately reveal a problem. You have to realize and appreciate the ingenuity of the nefarious Internet warriors–they’re smart, creative, and talented.
Comparisons have shown that no one piece of antivirus software will catch all viruses, so your best bet is to
1) be safe:
- Don’t open links in emails. Type the URL into the address bar on your own.
- Be mindful of what your friends are sending you. Would Suzy really send you a link to get rich quick?
- Avoid the worst of the web (pornography, gambling, warez)
and 2) run a few different tools:
- AVG (or avast!) – Antivirus
- PeerGuardian 2 – IP Blocker
- Ad-Aware – Antispyware
So do we need AV software? Yes. You can never be totally safe, but you can mitigate your risks. Use common sense, a few tools, and perform frequent backups. Good luck!
-
America needs to harden its cyber security
Posted on December 8th, 2008

Business Week has a nice article on how the US is falling behind in cyber security. It’s remarkably apropos after a couple of high-profile security stories earlier this year: an incident involving computers on the International Space Station, and an Iranian IT worker who was executed after being found out as a spy. Are there viruses on US government computers on land? Do we have spies working in our governmental IT departments? The answer to both questions is likely yes, so what are we doing about it?
Computers are used for everything! Unfortunately, America is falling behind in security research and, more importantly, countermeasures. I am glad to see the recommendations for President-Elect Obama; I just hope Obama takes the threat to heart and hardens America’s cyber security. If we do not, no amount of firepower will protect us from attackers controlling our computers that are controlling the bombs.
**UPDATE**
Michael Masnick over at Techdirt pointed out that everyone knows we need better security and asks what we should do. To start, fund serious research into security. Establish courses on security in schools nationwide so that students can keep up with trends and learn how to do things properly. Next, give hobbyists a way to polish their skills without fear of being thrown in jail. Increase the number of jobs in cyber security and take cyber threats seriously. With the education in place and the government in line, we need to harden individuals’ machines. The government can (help) develop and promote helpful software: firewalls, antivirus, antispam, and intrusion protection applications. Allow Microsoft a one-time ability to patch all users’ systems, and subsidize the operation if need be. Finally, increase the punishment for people who operate outside the framework or who pass the buck (posting links to infected sites).
-
Governess Palin hacked
Posted on September 18th, 2008

Alaska Governess Palin had her Yahoo mail account hacked recently. The hacker released a screenshot of one email:
It is out of context, but Palin seems loyal, friendly, and helpful. I’m actually impressed.
I find the attack amusing, but I fear that going after high profile politicians is not the way to achieve anything. The hacker has likely hastened the end of net neutrality and Internet anonymity as politicians clamor for control. For hackers, of course, this is no worry because they’re not going to be traced anyway, but it’s bad for the rest of us.
-
Encrypt your Gmail
Posted on August 20th, 2008

I’m a big fan of the Google suite of products. I’ve been connecting via https for a while now, but Google has now made it easier. There’s a great article on Wired about encrypting your Gmail. Anyone using the Google services should do this immediately. Here’s a quick how-to:
- Log in to Gmail (https://mail.google.com/mail/)
- In Gmail, click on “Settings” in the top right corner (beside your username).
- Scroll to the “Browser connection” section at the bottom of the page
- Click the radio button for “Always use https”
- Click the “Save changes” button at the bottom of the page
- Profit