HSBC, Natwest and CitiBank were the brands most targeted by phishers last month.
That’s according to a report on internet security by McAfee’s AVERT labs that also investigated the most popular methods of phishing and the most common types of malware.
It found that 40% of phishing scams targeted HSBC, followed by CitiBank with 38%, and Natwest in third place with 16%.
McAfee said that with better technology enabling financial institutions to defend themselves more against threats, phishers have been moving more towards smaller organisations.
The most popular phishing scam last month involved tax notifications; in second place was a notification from a billing department. Besides the HSBC and Natwest phishes, another commonly used scam was the ‘please confirm your data’ scam.
Cyber criminals have two options when trying to make money, according to Greg Day, a McAfee security analyst. One is via automation, which requires technical expertise on the part of the attacker, and the other is what he called ‘human hacking’ or social engineering.
He said of social engineering that ‘rather than me knowing how to break into Windows or listen to your web browser and steal information, it’s almost like me walking up to you on the high street saying hi, I’m from HSBC, can I have your pin code?’
CitiBank have yet to comment on the report, but HSBC made a statement saying ‘we will review the McAfee report because we take this issue extremely seriously as we do all issues of security, particularly as it relates to direct attacks on our customers. We invest considerably in securing our offerings to our customers and like most major global banks will never send an email asking them to provide security details.’
Natwest also commented, saying ‘phishing is an industry wide issue which affects all banks and financial institutions. NatWest has an excellent track record of protecting our customers’ accounts. We have developed and put in place significant security processes and resources to protect against precisely this type of threat. NatWest continues to take fraud extremely seriously and has taken considerable steps over the past few years to warn customers against responding to phishing e-mails, and continues to clearly advise that we will never ask customers to provide us with this type of personal information by e-mail.’

I can see that emailed bank statements from HSBC are delivered in an HTML attachment. It looks to me that this system would be dangerously vulnerable to phishing attacks, e.g. by intercepting the email and replacing the attachment with a fake HTML. So I searched the internet, and this is all I found, in a Google cache; the company’s website (http://www.brintech.com) is down.
This vulnerability seems unfixable; why not use encrypted PDF files, or PDF files on a server behind password & key authentication?
{Article}
bRINSIGHTS
March 16, 2009
All in a Day’s Work: Uncovering a Potentially Serious Cisco Security Vulnerability
by JB Snyder, Senior Technical Security Consultant
“An innovative way to do e-mail encryption” is a phrase that has been used to describe Cisco’s IronPort PostX / PXE E-Mail Encryption Solution, which is specifically designed to protect against e-mail interception. Without a doubt, it is a creative encryption solution, but as part of a regular Brintech client engagement, our ethical hacking team uncovered a potentially serious design flaw in the system that deserves attention.
The design of PostX “secure envelope” transmission advertises secure information and makes the e-mails stand out to potential hackers, increasing rather than decreasing the risk of interception. This fact of target advertisement combined with the false sense of security that the customer and the end user both share makes PostX secure envelope transmissions more of a risk than even straight unencrypted e-mail transmissions.
A little background … the PostX secure envelope technology is an HTML file attachment that provides encryption between the browser that opens the file and the secure website. It’s a great idea for dealing with e-mail encryption – only the default usage of the system does not require a passphrase. Without a passphrase, an envelope could be intercepted by an attacker, giving him complete ownership of the file. With the password and the file, the attacker could access the data in the “secure” e-mail without any problem.
To test this theory, our ethical hacking team monitored e-mail transmissions at a client site. The “secure envelope” header instantly made the PostX transmission stand out as interesting information. Light inspection of the PostX transmission indicated that we could in fact create a counterfeit “envelope” that would likely phish the password. Code for creating the counterfeit envelope was written leisurely in 20 minutes. Highly skilled individuals could do it in less than 5. The result? The password of the bank’s head of IT was phished on the first try and was then used in conjunction with the envelope to access “secure” e-mail.
If you discount this vulnerability because you know that you would never leave a solution like PostX (or probably anything else) without a passphrase, think again. The same vulnerability can occur even when the passphrase option is enabled. The user must put in a password before ever enabling the “passphrase” feature. Therefore, the first password can always be phished. The feature merely says “remember me on this computer,” implying nothing about making it more secure. Even a trained user must put in passwords before seeing the passphrase in the following scenarios:
The first login
Every time he or she goes to any new machine or browser and tries to access secure mail
When browser cache / cookies are cleared
This trains the user to always put in the password to enable the passphrase – then it’s too late. With the password, the hacker can also acquire the passphrase, and use it to phish subsequent passwords even if the password is changed at a later date.
In practice, no users can effectively use the passphrase to ensure against this interception attack. Imagine these scenarios: you run spyware detection and clear cookies. Or you get a new PC at work. Or you transfer departments. Or you get a new laptop at home. Or use a different browser like Firefox, Google Chrome, or Safari. Or restore your system from a backup. Should you keep a notebook in your pocket to record which machines / platforms are supposed to have cookies and which aren’t, so you can know when you’re being potentially phished? Or should a bank customer never clear cookies, only use one machine and browser, and notify the bank every time he or she gets a new PC? Bank employees couldn’t keep up with this, and bank customers couldn’t keep up with it either. For all purposes, it’s an impossible task.
Unfortunately, there are no workarounds for these vulnerabilities, but Cisco has released free software updates to address them. The full text of Cisco’s advisory is available at the following link: http://www.cisco.com/warp/public/707/ci … port.shtml.
Please note that the affected products in this advisory are directly supported by IronPort, and not via the Cisco TAC organization. Customers should contact IronPort technical support at this link to obtain software fixes: http://www.ironport.com/support/contact_support.html.
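The risk described in the comment above and in the quoted Brintech article is that an HTML "secure envelope" attachment can be swapped for a counterfeit one whose login form posts the password to a server the attacker controls. A mail gateway or mailbox-side check can at least flag that case: parse every HTML attachment, find forms that contain a password field, and raise an alert when the form's action URL does not point at the organisation's own secure-mail host. The following is an added example written for this page, not code from the original post, from Brintech, or from Cisco; the trusted hostname and the two-attachment sample message are constructed for illustration and are not real values.

```python
"""Heuristic scanner for inbound HTML e-mail attachments that present a
password form posting to an unexpected host.

Added example for this page; not code from the original post, Brintech or
Cisco.  TRUSTED_FORM_HOSTS and build_sample_message() are constructed values.
"""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames a genuine "secure envelope" is expected to post credentials to.
# Hypothetical value: replace with the real secure-mail gateway host(s).
TRUSTED_FORM_HOSTS = {"securemail.example-bank.test"}


class _FormScanner(HTMLParser):
    """Collect each <form>, its action URL and whether it has a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []          # entries: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def suspicious_forms(html, trusted_hosts=TRUSTED_FORM_HOSTS):
    """Return action URLs of password forms that post outside trusted_hosts.

    A relative action (no hostname) is also reported: an attachment opened
    from disk would post somewhere other than the expected gateway.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        host = (urlparse(form["action"]).hostname or "").lower()
        if host not in trusted_hosts:
            findings.append(form["action"])
    return findings


def scan_message(raw, trusted_hosts=TRUSTED_FORM_HOSTS):
    """Scan every text/html attachment of an RFC 5322 message given as bytes.

    Returns a list of (attachment filename, [offending form action URLs]).
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        if part.get_content_type() != "text/html":
            continue
        bad = suspicious_forms(part.get_content(), trusted_hosts)
        if bad:
            report.append((part.get_filename() or "(unnamed)", bad))
    return report


def build_sample_message():
    """Constructed sample: one envelope posting to the trusted gateway and one
    counterfeit copy posting to a look-alike host (both hostnames invented)."""
    msg = EmailMessage()
    msg["From"] = "statements@example-bank.test"
    msg["To"] = "customer@example.test"
    msg["Subject"] = "Your secure statement"
    msg.set_content("Open the attached secure envelope to read your statement.")
    genuine = ('<html><body><form method="post" '
               'action="https://securemail.example-bank.test/open">'
               '<input type="password" name="pw"></form></body></html>')
    forged = ('<html><body><form method="post" '
              'action="https://securemail-example-bank.invalid/open">'
              '<input type="password" name="pw"></form></body></html>')
    msg.add_attachment(genuine, subtype="html", filename="envelope.html")
    msg.add_attachment(forged, subtype="html", filename="envelope-copy.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, urls in scan_message(build_sample_message()):
        print("ALERT: %s posts a password to %s" % (filename, ", ".join(urls)))
```

The check is deliberately a heuristic: it catches the straightforward counterfeit the article describes (a form whose action points elsewhere), but an attachment that builds the form or its action with JavaScript will not be seen by a static HTML parse, so it belongs alongside, not instead of, the passphrase and user-education controls the article discusses.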