The Security Pub

Random Thoughts About Security

Verified by Visa Phishing Scam

You should use some caution if you get an email asking you to join Verified by Visa over the next few weeks. Taking advantage of the holiday rush to shop online, the public awareness of the Verified by Visa brand, and the security it offers, criminals are pushing a Phishing scam that offers very little in the way of true protection.

Verified by Visa is a solid layer of security for your Visa card. It works alongside the fraud detection and purchase protection offered by the issuing bank. You register for it online during the checkout process at a participating Verified by Visa retailer: you enter the required information, create a password, and activate the Verified by Visa service. Once activated, you cannot use the Visa card online without the password. If you want to know more, the official Verified by Visa FAQ is here.

According to Webroot, a new Phishing campaign is circulating that targets holiday shoppers online, using the Verified by Visa service name to lend credibility to the scam. This fake offer starts with an email inviting you to join the Verified by Visa program. From there you are linked to a Phishing site that is “clearly more professional, slick, and clean than most Phishing pages.” Webroot adds, “The form’s businesslike appearance serves to reassure the victim that the page really belongs to Visa.”

If you see this invitation, two things will stand out that are sure to ring warning bells. The first is the address used. While the email text will list one address, the actual address used in one example is vbvactivation-visa.com. This is not a legitimate Visa address.

Also, as mentioned, you register for the Verified by Visa service during the checkout process at a participating retailer. Visa would never send you random emails asking you to join. Another issue with the domain is that it uses HTTP and not HTTPS in the address. If you are dealing with Visa, and they need any type of information from you, the address will always use HTTPS.

The second thing to scream fake, and keep those warning bells ringing, is that you are being asked for all kinds of personal information.

“In a real sign-up form for Verified by Visa, you won’t be asked to provide your mother’s maiden name, social security number, birthdates, or any other sensitive details that you wouldn’t otherwise enter into a Web-based order form while shopping online.”

It was also discovered that the domain used in the Phishing attack was registered to a Gmail account.

If you see emails that ask you to join the Verified by Visa program, forward them to phishing@visa.com and delete them. Under no circumstances should you follow links or open any attachments with them.

If by chance you get an email that claims to come from the bank that issued your Visa card, pick up the phone and call the bank, and give them nothing over email. The odds are this too is a scam, and the bank will know immediately.

What To Consider When Using FaceBook

Facebook is more popular than ever, and the new features available on Facebook are opening new windows for vulnerabilities that everyday users may not be aware of. A compromised Facebook account could be a backdoor to more serious attacks on email or banking.

Here are 10 things to consider when using Facebook:

  1. Stop posting your phone numbers. Remember that your number is exposed to your friends, and therefore you’re relying on their security practices as well as your own to protect you. If a phisher can spoof your number, they have an extra layer of authenticity in convincing your friends you are in trouble and need money.
  2. Put down the games. I know the Mafia can’t take Cuba without you, but it’s time to stop. The top games on Facebook have been hacked, and it’s just a matter of time before the one you play is next. It’s arguable that the damage is already done with the games and applications you’ve already allowed, but don’t sign up for any new ones! Third-party apps are not guaranteed to be secure, and you should not trust them with your credentials. Here is a post I wrote last week on Facebook applications.
  3. Don’t trust chat. The chat feature on Facebook should be treated as a public conversation.
  4. Never give out any private information, even if you’re positive you are talking to your friend. Refresh your personal info. Take a fresh look at your profile from the perspective of a social engineer. Does your profile tell a story about you? What information can you cut out? Many security questions ask about personal details about primary school and pets. Delete any photos or profile details that may relate to those kinds of questions.
  5. Don’t use the lazy emails. Facebook will fill your email inbox with notifications, and the links to easily respond. Instead of following the links in email, open up a fresh tab and go to facebook.com directly. Facebook and most social networks are targets for email spoofing. Otherwise you’ll be entering your login password at facebock.com!
  6. Don’t friend acquaintances. Think of the friends list as a circle of trust. If you don’t know the person well enough to trust their security savvy, then you’re very unlikely to recognize the behavior of a phisher pretending to be them. 500 friends means 500 possible inroads to a social engineering or phishing attack. Tone down the number.
  7. Don’t keep an old password! Changing your password short circuits many trivial forms of attack. Facebook is a high risk target for Identity Theft, especially if you’re using applications frequently. How about doing it now!
  8. Photos are forever. Make it clear to your friends and family that you do not want those pictures of you in your birthday suit on anyone’s profile. (As opposed to the one of you in a suit on your birthday!) Pictures give behavioral information to an attacker. Bruce Schneier calls this “incidental data” in his Taxonomy of Social Networking Data. There he makes the assumption that incidental data is information that you did not create about yourself, and therefore do not control. I would add that although much of it is outside your control, there are ways to influence your friends’ posting behavior overall. Also, Facebook gives users the ability to “untag” themselves in pictures. While the damage is already done in the short term, you’ve reduced your long-term exposure.
  9. Don’t forget @mentions. This new feature brings more incidental data. Be respectful of your neighbor’s privacy. Ask yourself if having a friend’s entire profile pinned to your comment like a big arrow is actually necessary for the joke to be funny.
  10. Don’t trust other websites. Facebook is everywhere now. The same trust rules apply to the Facebook Login feature that is spreading to other websites. If you don’t trust the website you’re on, then signing in with the Facebook credential does not give you an added layer of protection, but rather hands your password to strangers.
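Both the Verified by Visa post above and item 5 in this list come down to the same check: does the link in the email actually point at the brand it claims to, and does the page ask for more than a real sign-up would? The script below is an added example (not code from the original posts, Webroot, Visa or Facebook) that runs those checks over links and form fields. The allow-list of official domains, the list of sensitive fields, and the sample URLs are constructed for the example; vbvactivation-visa.com and facebock.com are the look-alike names the posts mention.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list: the registrable domains each brand legitimately uses.
# A real deployment would maintain its own list.
LEGITIMATE_DOMAINS = {
    "visa": {"visa.com"},
    "facebook": {"facebook.com"},
}

# Fields a genuine Verified by Visa sign-up never asks for (per the Webroot quote).
SENSITIVE_FIELDS = {"mother's maiden name", "social security number", "birthdate"}


def registrable_domain(host):
    """Return the last two labels of a hostname, e.g. 'www.visa.com' -> 'visa.com'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url, brand):
    """Return warning strings for a link that claims to belong to `brand`.

    An empty list means the link uses HTTPS and an official domain.
    """
    warnings = []
    parsed = urlparse(url)
    domain = registrable_domain(parsed.hostname or "")
    allowed = LEGITIMATE_DOMAINS[brand]
    if parsed.scheme != "https":
        warnings.append("link uses %s, not https" % (parsed.scheme or "no scheme"))
    if domain not in allowed:
        warnings.append("domain %s is not an official %s domain" % (domain, brand))
        # The two classic look-alike patterns: the brand name embedded in an
        # unrelated domain, or a domain one character away from the real one.
        if brand in domain:
            warnings.append("domain merely contains the brand name '%s'" % brand)
        elif any(edit_distance(domain, a) <= 1 for a in allowed):
            warnings.append("domain is one character away from an official domain")
    return warnings


def check_form_fields(fields):
    """Return the requested form fields that a legitimate sign-up would not ask for."""
    return sorted(f for f in fields if f.lower() in SENSITIVE_FIELDS)


def analyze_email(body, brand):
    """Check every http(s) link found in an email body against `brand`."""
    urls = re.findall(r"https?://[^\s<>\"']+", body)
    return {url: check_link(url, brand) for url in urls}


if __name__ == "__main__":
    # Constructed sample email body, not a real captured message.
    sample = ("Activate Verified by Visa today: "
              "http://vbvactivation-visa.com/activate\n"
              "Or manage your card at https://www.visa.com/verified")
    for url, problems in analyze_email(sample, "visa").items():
        print(url, "->", problems or "looks legitimate")
    print(check_form_fields(["card number", "Social Security Number", "expiry"]))
```

The domain check is deliberately conservative: anything not on the allow-list is flagged, and the look-alike heuristics only add detail to the warning. The "merely contains the brand name" case is the one the Visa post describes; the one-character edit is the facebock.com case from item 5.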

McAfee Releases Cybercrime Report

The world is arming for cyber war and better defenses must be planned for and implemented.

McAfee, a computer security company, makes this claim in its Fifth Annual Virtual Criminology report, released on Tuesday.

Now several nations around the world are actively engaged in cyberwar-like preparations and attacks, said Dave DeWalt, McAfee president and CEO, in a statement. Today, the weapons are not nuclear, but virtual, and everyone must adapt to these threats.

In fact, nuclear weapons remain matters of serious concern — more so, presumably, than malware — but logic bombs and computer viruses are also threats in their own way.

In Washington on Tuesday, the Senate Subcommittee on Terrorism and Homeland Security held a hearing titled “Preventing Terrorist Attacks, Countering Cyber Intrusions, and Protecting Privacy in Cyberspace,” at which public and private sector experts emphasized the danger of cyber attacks and summarized efforts to address the risks.

Read the full article | Download the report

MasterCard's New Security Layer

With all the security threats out there, credit card companies are working hard to make their cards as secure as possible. MasterCard has been working on a new layer of security, which is supposed to be released in the first half of 2010. You would use a cell phone to authenticate your online transactions: the service asks for a password that is either sent to your phone via SMS or generated on the spot by a Java application. The goal is to improve the customer’s protection against phishing schemes and man-in-the-middle attacks. It could also make managing your credit card, and sending and receiving payments from your cell phone, possible.

Read the full article
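What makes a phone-delivered code useful against phishing and man-in-the-middle attacks is not the SMS itself but how the issuer treats the code: it must be single-use, short-lived, and tied to the specific transaction the cardholder is approving. The class below is an added example illustrating that model; it is not MasterCard's scheme or code, and the code length, lifetime, and the way the code is bound to merchant and amount are assumptions made for the example. The SMS is simulated by appending to an outbox list.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6                 # assumed code length
CODE_LIFETIME_SECONDS = 120     # assumed validity window


class TransactionOtp:
    """Issue and verify one-time codes bound to a single card transaction.

    Constructed model of a second-factor step: the issuer creates a code for
    one transaction, delivers it out of band (simulated SMS here), and the
    cardholder types it back. The code is single-use, expires, and is bound
    to the merchant and amount, so a code captured or relayed for one
    transaction does not approve a different one.
    """

    def __init__(self, now=time.time):
        self._now = now              # injectable clock, so expiry can be tested
        self._pending = {}           # txn_id -> (bound digest, expires_at)
        self.sent_messages = []      # simulated SMS outbox

    @staticmethod
    def _bind(code, merchant, amount_cents):
        # Digest of code + transaction details; only this is stored server-side,
        # so the plaintext code never sits in the issuer's database.
        msg = "%s|%s|%d" % (code, merchant, amount_cents)
        return hashlib.sha256(msg.encode()).digest()

    def issue(self, card_last4, merchant, amount_cents):
        """Create a code for this transaction and 'send' it to the cardholder."""
        code = "%0*d" % (CODE_DIGITS, secrets.randbelow(10 ** CODE_DIGITS))
        txn_id = secrets.token_hex(8)
        expires_at = self._now() + CODE_LIFETIME_SECONDS
        self._pending[txn_id] = (self._bind(code, merchant, amount_cents), expires_at)
        # Showing merchant and amount in the message lets the cardholder notice
        # a transaction they did not initiate before typing the code anywhere.
        self.sent_messages.append(
            "Card ending %s: code %s approves $%d.%02d at %s"
            % (card_last4, code, amount_cents // 100, amount_cents % 100, merchant))
        return txn_id, code

    def verify(self, txn_id, code, merchant, amount_cents):
        """Return True only for a fresh, unexpired code matching this exact transaction."""
        # Single use: the entry is removed on the first attempt, right or wrong,
        # so a guessed or replayed code cannot be retried.
        entry = self._pending.pop(txn_id, None)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._now() > expires_at:
            return False
        # Constant-time comparison of the bound digests.
        return hmac.compare_digest(digest, self._bind(code, merchant, amount_cents))


if __name__ == "__main__":
    issuer = TransactionOtp()
    txn, code = issuer.issue("1234", "shop.example", 4999)   # constructed values
    print(issuer.sent_messages[-1])
    # A relay that changes the amount fails even with the right code.
    print("tampered amount accepted:", issuer.verify(txn, code, "shop.example", 5999))
    txn, code = issuer.issue("1234", "shop.example", 4999)
    print("genuine transaction accepted:", issuer.verify(txn, code, "shop.example", 4999))
    print("replay accepted:", issuer.verify(txn, code, "shop.example", 4999))
```

The binding step is what turns an SMS code from a second password into transaction confirmation: a man-in-the-middle who relays the cardholder's code while altering the merchant or amount produces a digest that does not match, and a phished code is only good for the one transaction it was issued for, for two minutes, once.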

A Windows 7 Backdoor??

Today Microsoft denied that they built a backdoor into Windows 7, a concern that surfaced yesterday after a senior National Security Agency (NSA) official testified before Congress that the agency had worked on the operating system. “Microsoft has not and will not put ‘backdoors’ into Windows,” a company spokeswoman said.

Read the full article