Botnets Turn Your PC into A Zombie

A botnet is a group of Internet-connected personal computers that have been infected by a malicious application, which allows a hacker to control the infected computers without alerting the computer owners. Since the infected PCs are controlled remotely by a single hacker, they are known as bots, robots, or zombies.

Consumers’ and small businesses’ lax security practices are giving scammers a base from which to launch attacks. Hackers use botnets to send spam and phishing emails, and to deliver viruses and other malware.

A botnet can consist of as few as ten PCs, or tens or hundreds of thousands. Millions of personal computers are potentially part of botnets.

Spain-based botnet Mariposa consisted of nearly 13 million zombie PCs in more than 190 countries. Further investigation determined that the botnet included PCs from more than half the Fortune 1000. This botnet’s sole purpose was to gather usernames and passwords for online banking and email services.

There are more than 70 varieties of malware, and while they all operate differently, most are designed to steal data. Mariposa’s technology was built on the “Butterfly” botnet kit, which is available online, and which does not require advanced hacking skills to operate.

The criminals in this operation ran the Mariposa botnet through anonymous virtual private network servers, making it difficult for law enforcement to trace back to the ringleaders.

The botnet problem persists. PCs that aren’t properly secured are at risk of being turned into zombies. Certain user behaviors can also invite attacks.

Surfing pornography websites increases your risk, as does frequenting gaming websites hosted in foreign countries. Downloading pirated content from P2P (peer-to-peer) websites is also risky. Remember, there is no honor among thieves.

Computers with old, outdated, or unsupported operating systems like Windows 95, 98, and 2000 are extremely vulnerable. Systems using old or outdated browsers such as IE 5, 6, or older versions of Firefox offer the path of least resistance.

To protect yourself, update your operating system to XP SP3 or Windows 7. Make sure to set your antivirus software to update automatically. Keep your critical security patches up-to-date by setting Windows Update to run automatically as well. And don’t engage in risky online activities that invite attacks.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses scammers and thieves on The Big Idea with Donnie Deutsch. Disclosures

Spear Phishers Know Your Name

“Spear phishing” refers to phishing scams that are directed at a specific target. It’s like when Tom Hanks was stranded on the island in the movie Cast Away: he whittled a spear and targeted specific fish, rather than dropping a line with bait and catching whatever came by. When phishing attacks are directed at company officers or senior executives, it’s called “whaling,” appropriately enough. I don’t know who sits around and coins this stuff, but it makes analogical sense.

Spear phishers target their victims in a number of ways.

They may select a specific industry, target specific employees with a specific rank, and pull a ruse that has been successful in the past. For example, a spear phisher might choose a human resources employee whose information is available on the company website. The phisher could then create an email that seems to come from the company’s favorite charity, assuming this information is also available online, requesting that the targeted employee post a donation link on the company’s intranet. If the target falls for the scam, the scammer has now bypassed the company’s firewall. When employees click on the malicious link, the company’s servers will be infected and antivirus software may be overridden.

Lawyers are popular targets, since they are often responsible for holding funds in escrow. A spear phisher might contact a lawyer by name, leading him or her to believe that the scammer is an American businessperson who needs help moving money while overseas.

I was recently targeted in a spear phishing scam, one aimed specifically at professional speakers. The scammers requested that I present a program in England, and once my fee was agreed upon, I was asked to get a “work permit,” which costs $850.

People who are not targeted based on their professions may be targeted based on their use of social media. Facebook, Twitter and LinkedIn are known playgrounds for spear phishers, who obtain users’ email addresses and create email templates that mimic those sent by the social networking website. Scammers may even weave in names of your contacts, making the ruse appear that much more legitimate.

Knowing how spear phishers operate allows you to understand how to avoid being phished. Never click on links within the body of an email, for any reason. Bypass the links and go directly to the website responsible for the message. Any unsolicited email should be suspect. If you manage employees, test their ability to recognize a phishing email, show them how they got hooked, and then test them again.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses phishing on NBC Boston. Disclosures

Women Proved “Securest” in the Defcon Social Engineering Game

In a recent post (Hackers Play “Social Engineering Capture The Flag” At Defcon), I pointed to a game in which contestants used the telephone to convince company employees to voluntarily cough up information they probably shouldn’t have.

Of 135 “targets” of the social engineering “game,” 130 blurted out too much information. All five holdouts were women who gave up zero data to the social engineers.

Computerworld reports, “Contestants targeted 17 major corporations over the course of the two-day event, including Google, Wal-Mart, Symantec, Cisco Systems, Microsoft, Pepsi, Ford and Coca-Cola. Sitting in a plexiglass booth, with an audience watching, they called up company employees, trying to get them to give up information.”

Contestants had twenty minutes to call unsuspecting employees at the target companies and obtain specific bits of (non-sensitive) information about the business for additional points. Participants were not allowed to make the target company feel at risk by pretending to represent a law enforcement agency.

The players extracted data that could be used to compile an effective “attack,” including “information such as what operating system, antivirus software, and browser their victims used. They also tried to talk marks into visiting unauthorized Web pages.”

Social engineering is the most effective way to bypass any hardware or software systems in place. Organizations can spend millions on security, only to have it all bypassed with a simple phone call.

The players in this game were all men. Maybe the women didn’t give up any data because they were simply untrusting. It could be that the women were properly trained in how to deter social engineers and protect company data over the phone. Or maybe the women simply paid attention to their sixth sense, and felt they were being conned.

Any time the phone rings, a new email comes in, someone knocks on your door, or visits your office, question those who present themselves in positions of authority.

Don’t automatically trust or give the benefit of the doubt.

Within your home or business, communicate what can and can’t be said or done, or what information can or cannot be provided.

Keep in mind that when you lock a door, it’s locked, but it can be opened with a key, or with words that convince you to unlock it yourself. Always view every interaction, whether virtual or face to face, with a cynical eye for a potential agenda.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses hackers using social engineering to hack email on Fox News. Disclosures

Criminal Hackers Create 3 Million Fraudulent Websites Annually

A recent study shows that organized criminals create approximately 8,000 malicious websites every day, or over 57,000 each week.

These malicious websites model legitimate websites that we visit every day, such as bank websites, online shopping sites, and eBay. According to this study, the most frequently impersonated companies include Visa, Amazon.com, PayPal, HSBC, and the United States Internal Revenue Service.

People are typically directed to these scam sites in one of three ways:

1. Often, potential victims end up visiting these spoofed websites via phishing scams. Phishing, of course, occurs when you receive an email that appears to be sent from your bank or other trusted entity, and a link in the email brings you to a website that is designed to steal your login credentials.

2. Scammers lure victims to their scam sites via search engines. When a website is created and uploaded to a server, search engines index the scam sites as they would any legitimate site. Doing a Google search can sometimes lead you to a website designed to steal your identity.

3. Social media sites like Facebook and Twitter are free, and this gives scammers an advertising platform. Criminals simply post links in status messages, on group pages, or fan message boards, using the legitimate appearance of the site to gain credibility.

Once a computer user clicks one of these links, he or she ends up on a website that is riddled with malicious software, which may install itself on the victim’s computer even if the victim doesn’t click or download anything on the scam site. This tactic is called a “drive by.” Or, users may be tricked into clicking links to download files. Either way, the ultimate goal is to gather usernames, passwords, and, if possible, credit card or Social Security numbers in order to steal identities.

By understanding how these scams work, PC users can begin to learn what to do while online and, more importantly, what not to do.

Never click on links in the body of an email. NEVER. Always go to your favorites menu or manually type the address into the address bar. This means that you should never copy and paste links from emails, either.

When searching out a product or service, be aware that you could be led to a scam site. A properly spelled web address is one indicator of an established, legitimate site. Try to restrict your business to sites you know and trust. Also, before entering credit card information, look for “https://” in the address bar. This means it’s a secure page and less likely to be a scam.
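The two checks above, a properly spelled address and “https://” in the address bar, can be turned into a small triage routine for links that arrive by email. The following is an added example, not code from the original post: the brand-to-domain mapping and the sample links are assumptions constructed for illustration (198.51.100.7 is a documentation address and .example is a reserved domain). It flags a non-https link, a bare IP address, a punycode hostname, a brand name parked on someone else’s domain, and a one-character misspelling such as “paypa1”.

```python
from urllib.parse import urlsplit

# Brands the post names as frequently impersonated, mapped to the domain a reader
# would expect to reach them at. The mapping is an assumption made for this example.
TRUSTED_DOMAINS = {
    "paypal": "paypal.com",
    "amazon": "amazon.com",
    "visa": "visa.com",
    "hsbc": "hsbc.com",
    "irs": "irs.gov",
}

# Constructed sample links of the kind the post warns about (not real sites;
# 198.51.100.7 is a documentation address and .example is a reserved domain).
SAMPLE_LINKS = [
    "https://www.paypal.com/signin",
    "http://paypa1.com/login",
    "https://www.paypal.com.secure-login.example/verify",
    "https://198.51.100.7/amazon/signin",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one-character misspellings like paypa1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname; enough for the .com/.gov brands above."""
    if host.replace(".", "").isdigit():
        return host  # a bare IPv4 address has no registrable domain
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str) -> list[str]:
    """Return the red flags found in a link; an empty list means none were found."""
    warnings: list[str] = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    path = parts.path.lower()

    if parts.scheme != "https":
        warnings.append("not https: anything typed into the page travels in the clear")
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode hostname: may imitate a brand with non-Latin letters")
    if host.replace(".", "").isdigit():
        warnings.append("bare IP address instead of a domain name")

    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS.values():
        return warnings  # on the brand's own domain; only scheme-level flags apply

    label = domain.split(".")[0]
    for brand, expected in TRUSTED_DOMAINS.items():
        if brand in host or brand in path:
            warnings.append(f"mentions '{brand}' but is hosted on {domain}, not {expected}")
        # fuzzy match only for longer brand names; 3-4 letter names give false positives
        elif len(brand) >= 5 and label != brand and edit_distance(label, brand) == 1:
            warnings.append(f"'{label}' is one character away from '{brand}' ({expected})")
    return warnings


def triage(links: list[str]) -> dict[str, list[str]]:
    """Run check_link over a batch of links and return the warnings per link."""
    return {link: check_link(link) for link in links}


if __name__ == "__main__":
    for link, flags in triage(SAMPLE_LINKS).items():
        verdict = "no red flags (still type the address yourself)" if not flags else "; ".join(flags)
        print(f"{link}\n  -> {verdict}")
```

Note that the third sample link passes the “https://” test and even contains “paypal.com”, yet is hosted on a different domain entirely; https only shows the connection is encrypted, which is why the hostname check matters as much as the padlock. An empty result is not proof of legitimacy, so the advice to type the familiar address yourself still stands.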

Just because a link for a tempting deal appears on a popular social networking website doesn’t mean it’s legitimate. I’d shy away from clicking links. Use your common sense. If it seems too good to be true, it is.

Forewarned is forearmed.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses phishing on NBC Boston. Disclosures

On the Internet, FREE is a Dangerous Four Letter Word

The wild, wild web is like any major metropolitan city. There are high-class neighborhoods, retail districts, theater districts, business centers, popular social areas, seedy red-light districts (in Boston we called this the Combat Zone), and bad, bad, BAD neighborhoods.

Depending on where you go, you may pick up a virus or get bonked on the head.

The Internet is the same.

As more consumers seek out more free entertainment online, cybercriminals are shifting their attacks accordingly. McAfee recently conducted a series of studies determining that searching for celebrities like Cameron Diaz can increase your chances of infecting your PC. McAfee’s new “Digital Music & Movies Report: The True Cost of Free Entertainment” also confirmed that your PC is equally vulnerable when searching the word “free.” This report reveals the significantly increased risk of fraud when including “free” and “MP3” in the same search query. And when you add the word “free” to a search for ringtones, your risk increases by 300%.

Cybercriminals lure users with words like “free” in order to infect their PCs with malicious software, which is designed to take over the infected computer and allow hackers full access to private files, usernames, and passwords.

To stay safe, avoid searching for “free content.” Stick to legitimate, paid sites when downloading music and movies.

If a website is not well established, avoid clicking links in banner ads.

Use comprehensive security software to protect against the latest threats.

Use common sense: don’t click on links posted in forums or on fan pages.

Use a safe search plug-in, such as McAfee® SiteAdvisor® software that displays a red, yellow, or green annotation in search results, warning users about potential risky sites ahead of time, and highlighting safe results.

Be aware that the more popular a topic, movie or artist is, the more risky the search results will be.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses scammers and thieves on The Big Idea with Donnie Deutsch. Disclosures

iTunes a Platform for Phish Scammers

iTunes users all over the world are being hooked in a possible phishing scam that siphons cash out of their PayPal accounts. Phishing scams, of course, consist of emails that appear to be coming from a legitimate, trusted business. These emails are often designed to trick the victim into revealing login credentials. Once the phishers have access to the account, they begin withdrawing funds.

In this case, scammers used victims’ iTunes accounts to purchase gift cards, which were paid for by the victims’ linked PayPal accounts. Some victims of this particular scam have had just a few dollars stolen, while others have had their accounts emptied.

Gift cards are a form of currency created by the issuer. Their value is in the products or services available when cashed in. A scammer can purchase a $100 gift card and sell it online for $50. Pure profit.

There are many variations of iTunes gift card scams:

1. Scammers can easily set up websites posing as a legitimate retailer offering gift cards at a discount, having fraudulently obtained those gift cards. They may accept people’s credit cards and make fraudulent charges. In these cases, the victim can refute the charge, but will need to either cancel the credit card or persistently check their statements once their card has been compromised. Like Mom said, if it sounds too good to be true, it probably is.

2. The system for generating codes that are embedded on a plastic card or offered as a download is nothing more than software created by the card issuer or a third party. At least one major retailer has had their gift code generation compromised, and who knows how many more have been or will be compromised in this way. Criminal hackers can then offer the codes at a significant discount.

3. iTunes gift card scams are effective in part because of the limited availability of iTunes downloads in certain countries. There are numerous copyright issues, with some music companies making deals with musicians and iTunes, while others refuse to do so. Scammers have capitalized on this, using it as a marketing tactic.

The best way to avoid phishing scams is to never click on links in the body of an email. Always go to your favorites menu or manually type the familiar address into your address bar. And never provide your login credentials to anyone, for any reason.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses iTunes gift card scams on NBC Boston. (Disclosures)

Debit Cards Fraud Means Difficult Recovery

There are 437,000,000 debit cards in circulation, and their use is on the rise. Criminal hackers are paying attention. Credit cards offer some measure of protection when it comes to “zero liability policies,” as long as the cardholder refutes the charges within 60 days. But when a debit card is compromised, the stolen money can be hard to get back.

I get unfortunate emails like this all the time:

“I was a victim of debit card fraud. I live in Las Vegas, NV and have a debit card and I know that not all rules apply for debit cards. We had a problem out here with “skimming.” Over $300.00 dollars was taken from my account and I still had the card in my possession. It was done at 2 bank ATM machines, about 2 minutes apart on different sides of town. I contacted my bank and got no results. My bank said that I had to have given my card and pin number to someone. I fought and fought and lost. I know that there is or was a time limit of this but is there anything else I could have done?”

Federal laws limit credit card holder liability to $50 in the case of fraud, as long as the cardholder disputes the charge within 60 days. Debit card fraud victims must notify the bank within two days after discovering the fraudulent transactions in order to maintain this $50 limit. After that, the maximum liability jumps to $500. And if a victim doesn’t discover or report the fraud until after 60 days have passed, the liability could be the entire card balance, for a debit or credit card. Once your debit card is compromised, you might not find out until a check bounces or the card is declined. And once you do recover the funds, the thief can just start all over again, unless you cancel the account altogether.

Here is Regulation E in black and white:

ELECTRONIC FUND TRANSFERS (REGULATION E)

Limitations on amount of liability. A consumer’s liability for an unauthorized electronic fund transfer or a series of related unauthorized transfers shall be determined as follows:

(1) Timely notice given. If the consumer notifies the financial institution within two business days after learning of the loss or theft of the access device, the consumer’s liability shall not exceed the lesser of $50 or the amount of unauthorized transfers that occur before notice to the financial institution.

(2) Timely notice not given. If the consumer fails to notify the financial institution within two business days after learning of the loss or theft of the access device, the consumer’s liability shall not exceed the lesser of $500 or the sum of:

(i) $50 or the amount of unauthorized transfers that occur within the two business days, whichever is less.”

Debit card fraud can happen in a number of ways. ATM skimming, gas pump skimming, and point of sale skimming are a few. The key, of course, is that the bad guy gets your PIN. In the end, the bank doesn’t want to believe that you were defrauded. It’s cheaper for them to conclude that you are lying.

Always cover up your PIN when entering it at any POS terminal, gas pump, or ATM.

As inconvenient as this may seem, if you are a regular user of a debit card, you should check your statements online daily.

Consider limiting your debit card use. I use mine for deposits and withdrawals. But I only use it around two or three times a month.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses credit and debit card fraud on CNBC. (Disclosures)

More ATM Skimmers Being Used By Gangs

A report issued by the FTC finds that customers in the process of withdrawing cash from ATMs are more likely to be victims of ATM fraud than a direct, physical crime, and skimmer devices have recently been found on gas pumps and ATMs throughout Northern California.

ATM skimming occurs when a device is placed on the face of an ATM, often over the slot where the card is inserted. The skimmer, which may use Bluetooth or cellular technology to transmit the data to criminals wirelessly, appears to be a part of the machine. It’s almost impossible for ATM users to know the difference unless they have an eye for security, or the skimmer is of poor quality. Often, the thieves will hide a small pinhole camera in a brochure holder, light bar, mirror, or speaker on the face of the ATM, which is used to capture the victim’s PIN. Gas pumps are equally vulnerable to this type of scam.

Always shield the ATM keypad with your hand while entering your PIN. Be vigilant while using an ATM. Look around and beware of anyone lurking – they could be waiting to pounce, or shoulder surfing, trying to see your PIN. And if you ever sense that something is off about an ATM or gas pump, just leave.

Choose a PIN that’s not easily guessed but can be entered quickly. Using consecutive numbers or repeating the same numbers is never a good idea. Many new ATMs won’t allow you to choose a “soft” PIN anyway.

Don’t ever let anyone assist you at an ATM. It’s hard to envision what kind of scenario might require another person to intervene at an ATM. But consider this possibility: your card gets stuck and a stranger graciously peeks his head over your shoulder to help. He frees your card and helps you finish the transaction. In the process, he got your PIN and swapped your card with another.

Beware of ATM skimming and learn to recognize a skimmer. Here is an example of a particularly well-made skimming device, which would be easy to miss. Not all are as well crafted, but some are very good.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses dummy ATM scams on NBC Boston. (Disclosures)

Seven Social Media Landmines to Watch Out For

In the early days of the web, cybersquatting was a concern among corporations who were late to the game in getting their domain names. I had a little battle with LedZeppelin.com that I regret, but that’s another story.

Today that same battle is being played out in social media. Anyone can register any brand or likeness on social media with very little difficulty, and it’s free. Once the scammer owns your name, they can pose as you, blog as you, and comment as you.

The basis of much of this social media identity theft, or “impostering,” revolves around social engineering. When a profile claims to represent a certain person or brand, it is generally taken at face value. Lies propagated from such a credible source are likely to be taken as fact for quite a long time, if not indefinitely.

1. Someone may want to seize your C-level executive’s name on Facebook, LinkedIn, or Twitter, posing as that person in order to gather marketing intelligence. Once they are “linked” or “friended,” they have access to that person’s contacts and inner circle.

2. Another tactic is to pose as a family member of an executive, since on Facebook, parents and children are often “friends.” Pretending to be the child of one executive “friending” another in order to gather information is an effective con.

3. Given the opportunity, companies will often take over social networking pages in the name of a rival company. The competition, unable to use the page for their own benefit, loses market share.

4. In other scenarios, the same social networking page or profile can be used to disparage or slander the competing company.

5. Or worse, it could be used to spread falsehoods or create fake contests or scams that inevitably damage the brand.

6. There have been companies and individuals whose names or variations of their names were hijacked in response to a customer service issue gone wrong. The person then uses that platform to slam the company using the company’s own name.

7. Employees who are unhappy with their jobs can use social media to vent their frustration about their boss or company. This can easily result in a public relations nightmare.

The best thing to do is gather every possible brand name and individual name that could be used against you. Even if you never use the site, you own the name. This can be done manually for free or by paying a small fee. I’ve done both. Manually is very time consuming. One site that can help you do it yourself for free or provide full service for a fee is knowem.com.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses hackers hacking social media on Fox Boston. (Disclosures)

mCrime Higher on Hackers’ Radar

This year’s Defcon convention of hackers in August brought to light a fact that many in the security industry have known: mobile phones are becoming a bigger target for criminals.

Recent news of applications on the iPhone and Android that are vulnerable to attack, and possibly designed to send your data offshore, has reinforced the security concerns for mobiles.

It is inevitable that over the next few years as millions of smartphones replace handhelds and billions of applications are downloaded, risks of mobile crime (mCrime) will rise. As we speak, the large antivirus companies are snapping up smaller mobile phone security companies in anticipation of a deluge of mobile attacks.

Right now, however, the path of least resistance continues to be the data-rich computer that sits in your home or office, or maybe your mortgage broker’s office. Unprotected PCs with outdated operating systems, unsecured wireless connections, antivirus software that hasn’t been updated, and reckless user behavior will continue to provide a goldmine for criminals.

The problems with computer security will continue as Microsoft abandons XP users and stops offering security updates. But as more and more users shed Windows XP and upgrade to Windows 7 and beyond, mobiles will become attractive targets.

In the meantime, protect your mobile phone.

The Blackberry is the most “natively” secure. It’s been vetted by corporations the world over to protect company data. Enable your password. Under “General Settings,” set your password to “On” and select a secure password. You may also want to limit the number of password attempts. Encrypt your data. Under “Content Protection,” enable encryption. Then, under “Strength,” select either “stronger” or “strongest.” When visiting password-protected Internet sites, do not save your passwords to the browser. Anyone who finds your phone and manages to unlock it will then have access to all of your account data and, ultimately, your identity.

The key to being a “safe” iPhone owner is to add apps that help secure your information. Enable the passcode lock and auto-lock. Go into your phone’s “General Settings” and set the four-digit passcode to something that you will remember but is not overtly significant to you. That means no birth dates, anniversary dates, children’s ages, etc. Then go back into “General Settings” and set the auto-lock. And turn your Bluetooth off when you aren’t using it.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses mobile phone spyware on Good Morning America. (Disclosures)