July 28, 2006
Cashing in on Phishing
Evidently the criminals that utilize stolen credit card and ATM numbers for profit are called Cashers. Wired profiles a former Casher, and this is my favorite part:
It was his mother who introduced him to the online world of card thieves. In 2002, after completing a stint in drug rehab, his mother, “a big-time eBay seller,” sent him a link to Counterfeit Library, a website that catered to fraud artists.
“She knew I was into that stuff,” Dillinger says. “I used to send her these huge $150 gift baskets every Mother’s Day (paid for) with someone else’s credit-card number. So she pointed this (site) out to me.”
Who needs criminal help when you have a mom? Good read on the ins and outs of phishing and other credit card related cyber crime.
Confessions of a Cybermule [Wired]
July 26, 2006
IE7 to be Pushed via Automatic Updates
Internet Explorer 7 will be a huge win for web security, and Microsoft has announced how they will be distributing it:
AU will notify you when IE7 is ready to install. Alternately, you will be able to visit the Windows Update or Microsoft Update sites and obtain IE7 by performing an “Express” scan for high-priority updates. Either way, you will see the welcome screen that allows you to choose whether to install it.
Enterprises will have some ability to control this:
We are also providing a Blocker Toolkit for our enterprise customers who may want to block automatic delivery of IE7 in their organizations; this blocker has no expiration date.
IE7 to be distributed via Automatic Updates [IE Blog on MSDN]
May 30, 2006
British Bank Gets It
British Bank Barclays gets it:
The bank has signed a deal with F-Secure for 1.6 million licences of the Finnish firm’s anti-virus program…
At the same time, the bank is bringing in a system that uses text messages to let customers know when money is moved using their online account details.
Great example of using security to gain a competitive advantage.
May 5, 2006
Anatomy of a Phishing Syndicate
The nerdy guys over at RSA examine all the players in the phishing game. Some of them are obvious: the email addresses are bought from email harvesters, and the sites are usually hosted on bots. But interestingly, based on their monitoring of internet chat rooms, they’ve found that the harvester and the exploiter of the account info are usually different people:
BigCriminal42: hi everyone, Jolly good evening to you. I'm buying credentials of top UK banks. Anything goes, especially [... here comes a list of banks]
BankBuster007: hello bigcriminal I have good credentials of [... a few of UK's finest financial establishments]. How much you want
It’s interesting to me that the tradecraft has become so developed that people specialize in different aspects of the fraud. Plus, you have to love their usernames.
May 2, 2006
New Tactics of SSL Evading Trojans
ComputerWorld has a scary article about the strategies being utilized by some of the more advanced trojans to bypass SSL and even the most advanced authentication. Among the strategies they are using:
- Stealing passwords via keystroke loggers, plus taking screen shots of secondary authentication mechanisms like on-screen keyboards.
- Creating a man-in-the-middle site on the user’s own computer and using that to harvest credentials, while still proxying them on to the real site.
- And, my favorite, using the existing authenticated channel to the bank:
The Trojan then manipulates the underlying transaction, so that what the user thinks is happening is different from what’s actually transpiring on the site’s servers…When the user successfully authenticates, the Trojan opens a hidden browser window, reads the user’s account balance, and creates another hidden window that initiates a secret transfer.
I may be transferring all my money to First National Bank of the Mattress soon.
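The hidden-window transfer works because the bank’s second factor authenticates the session, not the transaction. The following is an added illustration, not code from the ComputerWorld article or the original post, of the countermeasure that closes that gap: the out-of-band confirmation code is bound to the exact destination and amount, and the text message spells those details out, so a transfer the Trojan alters or quietly initiates cannot be confirmed with the code the customer received. The key, account numbers and message format are constructed for the demo.

```python
import hmac
import hashlib
import secrets

# Constructed demo secret shared between the bank's core system and its
# SMS gateway; it never reaches the customer's browser.
SERVER_KEY = b"constructed-demo-key"


def transaction_code(key, transaction, nonce):
    """Short confirmation code derived from the exact transfer details."""
    msg = f"{transaction['to_account']}|{transaction['amount']}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


def start_transfer(key, transaction, nonce=None):
    """Bank side: record the pending transfer and build the out-of-band SMS.

    The SMS states destination and amount as the bank will execute them, so the
    customer sees the real transaction even if the browser page is tampered.
    """
    nonce = nonce or secrets.token_hex(8)
    code = transaction_code(key, transaction, nonce)
    sms = (f"Confirm transfer of {transaction['amount']} to "
           f"{transaction['to_account']} with code {code}")
    pending = {"transaction": dict(transaction), "nonce": nonce}
    return pending, sms


def confirm_transfer(key, pending, submitted_transaction, submitted_code):
    """Bank side: execute only if the code matches the details being executed.

    The code is recomputed over what the browser actually submitted, not over
    what the customer was shown, so a Trojan that rewrites the destination
    after the SMS was sent cannot supply a matching code.
    """
    expected = transaction_code(key, submitted_transaction, pending["nonce"])
    return hmac.compare_digest(expected, submitted_code)


def code_from_sms(sms):
    """Extract the code from the demo SMS format (last token)."""
    return sms.split()[-1]
```

A transfer the Trojan initiates on its own fails the same way: the customer receives an SMS for a destination and amount they never requested and has no reason to type the code back.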
April 27, 2006
Technical Contact Only in WHOIS?
Our favorite Internet regulator, ICAN’T ICANN, is close to deciding that the only contact info required in WHOIS is the technical contact. From the WSJ article:
… the Icann committee responsible for Whois voted 18-9 to restrict its listings solely to someone who can resolve technical “configuration” problems. That means a Web-hosting company could be listed without any link to the person who controls what appears on the site. After the committee makes recommendations on other aspects of the Whois rules, the full Icann board is expected to approve the reduced disclosure requirement.
It has been pushed by privacy advocates, but is opposed by ‘major corporations’ and the US Government. This may have significant implications for those of you who do investigations, or even normal users who are trying to determine if they are being phished.
The current options if you’d like your contact info to remain private are to:
- Dummy it up (officially against ICANN policy, but rarely enforced), or
- Pay your domain registrar extra to mask your WHOIS information for you (can be as little as $1/domain).
I’m not sure we really need something beyond these two options, although I sure am tired of getting SPAM and telemarketing calls based on my WHOIS.
Sorry, the Wall Street Journal article is subscription-only, and Google News says no one else has picked it up yet.
Wall Street Journal: Should Owners of Websites be Anonymous?
Phishing with VoIP
The new trend in phishing: instead of sending customers to a phony website, have them call a phony phone number. This is easier than ever using open source PBX software (like Asterisk) and VoIP. Combine these technologies with SPAM, and you have an almost free way to harvest information for identity theft.
…because much of the public is learning not to visit the Web sites these messages try to direct them to, phishers believe asking recipients to dial a phone number instead is novel enough that people will do it, says Adam O’Donnell, senior research scientist at Cloudmark.
I take this with a little grain of salt since it comes from an anti-phishing vendor. In fact, Microsoft wrote a warning article about this back in June.
This does have the potential to become an alarming trend though. Every time I interact with a company that asks for information to identify me, I think, “Now that you know who I am, how do I know who you are?”
Microsoft’s recommendations are good, but the real answer is some form of two-way authentication.