Graham Cluley’s blog
From anti-flappertanknibbles to zombies. Get inside the head of a computer security expert. If you like.
T-Mobile customers' personal data sold to rivals

The story dominating the British news this evening is the revelation that staff at one of the leading mobile phone companies sold the personal details of thousands of customers for "substantial sums".
Information Commissioner Christopher Graham refused to name the company concerned as it could prejudice a future prosecution, but told the media that names, addresses, telephone numbers and information about customers' contracts were stolen and sold on to competitors.
You can imagine just how attractive it would be for one mobile phone company to know when another phone operator's customers were approaching contract renewal.
Newshounds, ever keen to find out who might have been at the heart of the incident, approached Orange, Vodafone, 3, O2 and Virgin - all of whom said they were not being investigated. This left remaining operator T-Mobile in the uncomfortable position of confirming its involvement.
BBC News reports that a T-Mobile spokesman confirmed that it was their customers whose data had been sold to rival phone firms and that the information had been sold without their knowledge.
One of the central problems here is that many companies are not doing enough to secure the data they hold about every one of us. The cheapness and availability of devices like USB thumb drives has made it easier than ever before to scoop up large databases and waltz out of the office without anyone suspecting a thing.
Technology does exist to help intercept and control the movement of personal data inside organisations - but many firms have still not taken even the most basic steps to halt it dead in its tracks.
I'm not saying that technology can prevent every data leak inside your company - after all, a bad guy in your call centre could write down customer details on paper and put them in his back pocket - but it's only sensible today to take all the precautions you can, and reduce the risk.
Certainly the authorities seem interested in doing what they can to fight this growing problem. For instance, Christopher Graham of the Information Commissioner's Office has questioned whether the current fines of £5,000 are really a sufficient deterrent for this kind of crime. In his opinion, the most serious offenders should face a spell in prison for deliberate data theft.
And I have to say that I agree with him - £5,000 is peanuts compared to the huge amount of money that can be earnt by stealing personal data from inside a large corporation.
One big question still remains, however. We know that it was T-Mobile who had the data stolen from them - but who was buying it?
Posted on November 17th, 2009 by Graham Cluley, Sophos. Filed under: Data loss, Identity Theft, Law and Order, Mobile, Video
"Payment request from" emails carry dangerous payload
Cybercriminals are up to their dirty tricks again, this time spamming out en masse a dangerous email carrying a Trojan horse.
The emails pretend to come from the "Customer Support" division of an online banking organisation and to relate to payments requested by a variety of different organisations, using the subject line:
payment request from "[company name]"
Here's just a small sample of the possible subject lines:

Here's the text of a typical email, but remember that the company's name and the amount of money that they are requesting payment for can vary:
We recorded a payment request from "Time Warner Cable" to enable the charge of $66.10 on your account.
The payment is pending for the moment.
If you made this transaction or if you just authorize this payment, please ignore or remove this email message. The transaction will be shown on your monthly statement as "Time Warner Cable".
If you didn't make this payment and would like to decline it, please download and install the transaction inspector module (attached to this letter).
Attached to the email is a file called module.zip.

Sophos proactively detects the attached malware as the Mal/EncPk-LP Trojan horse.
It's clear that the hackers behind this attack are deliberately using a wide variety of company names and different payment amounts to try and make it harder to spread a warning about this threat. Remember to always be suspicious of unsolicited attachments.
If you panic and open the attachment thinking that you may be being billed in error, you could find that you have made a costly mistake.
Posted on November 17th, 2009 by Graham Cluley, Sophos. Filed under: Malware, Spam
Your mailbox has NOT been deactivated
SophosLabs is currently intercepting a widespread malware attack, being spammed out to innocent internet users under the disguise of a mailbox deactivation notice.
The emails, which have a subject line of "your mailbox has been deactivated", pretend to come from the recipient's domain. For instance, if your email address was john.smith@example.com the emails would pretend to be from notifications@example.com.

Subject:
your mailbox has been deactivated
Message body:
We are contacting you in regards to an unusual activity that was identified in your mailbox. As a result, your mailbox has been deactivated. To restore your mailbox, you are required to extract and run the attached mailbox utility.
Best regards, [domain name] technical support.
Attached to the emails is a zip file - utility.zip. Under no circumstances should you run the program contained inside the Zip file as it contains the Mal/EncPk-LP Trojan horse.
The clever thing about this attack, of course, is the social engineering. We've seen this trick before (of pretending to be from the administrators of your email system) but the reason why it is still being used is because it works. Users panic if they think they might be at risk of having their umbilical cord to the internet cut off and may race to open the attachment before thinking about the malice that might lie behind it.
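The two campaigns above share a shape: an alarming subject line, a zipped "tool" attached, and (in the deactivation lure) a forged sender in the recipient's own domain. The following is an added example, not code from the original post or from Sophos, of a small mail-gateway check that parses a raw message and flags both lures using the subject patterns and attachment names described in the posts; the sample messages are constructed and the base64 attachment body is a placeholder, not real malware.

```python
import email
import email.utils
import re
from email import policy

# Subject patterns and attachment names come from the two campaigns above.
PAYMENT_SUBJECT = re.compile(r'^\s*payment request from\s+"[^"]+"\s*$', re.I)
MAILBOX_SUBJECT = re.compile(r"^\s*your mailbox has been deactivated\s*$", re.I)

def domain_of(header_value):
    """Lower-cased domain of an address header ('' if it has no '@')."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def zip_attachments(msg):
    """Filenames of attached parts ending in .zip (both lures ship one)."""
    names = (part.get_filename() or "" for part in msg.iter_attachments())
    return [n for n in names if n.lower().endswith(".zip")]

def classify(raw_message):
    """Label a raw RFC 822 message: one of the two lures, 'clean' or 'unknown-zip'."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    if not zip_attachments(msg):
        return "clean"
    if PAYMENT_SUBJECT.match(subject):
        return "payment-request-lure"
    # The deactivation lure forges a sender in the recipient's own domain.
    if MAILBOX_SUBJECT.match(subject) and domain_of(msg["From"]) == domain_of(msg["To"]):
        return "mailbox-deactivation-lure"
    return "unknown-zip"

# Constructed samples modelled on the two posts; the base64 body is a placeholder.
PAYMENT_SAMPLE = """\
From: Customer Support <support@onlinebank.example>
To: jane.doe@example.com
Subject: payment request from "Time Warner Cable"
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

We recorded a payment request from "Time Warner Cable" for $66.10 on your account.
--b1
Content-Type: application/zip; name="module.zip"
Content-Disposition: attachment; filename="module.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

MAILBOX_SAMPLE = """\
From: notifications@example.com
To: john.smith@example.com
Subject: your mailbox has been deactivated
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

To restore your mailbox, extract and run the attached mailbox utility.
--b2
Content-Type: application/zip; name="utility.zip"
Content-Disposition: attachment; filename="utility.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b2--
"""
```

The domain comparison matters: a deactivation notice whose sender is not in the recipient's domain falls through to "unknown-zip", so the rule does not fire on every zipped attachment.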
Posted on November 17th, 2009 by Graham Cluley, Sophos. Filed under: Malware, Spam
Complete our quick survey and win Sophos goodies
Never let it be said that I don't go the extra mile for dedicated readers of the Clu-blog.
I have once again braved the Sophos crypt, where we dangle manacled virus writers above shark-infested custard, to find a delightful selection of goodies as competition prizes for you.
To be in the running for one of these fabulous prizes all you need to do is fill in a quick one-page survey about social networking sites like Facebook and Twitter.

Just complete the survey and you could be the proud recipient of a Sophos Threatsaurus - which puts computer security threats in easy-to-understand language. Five runners-up pulled out of the hat will have this guide winging its way to them in a padded envelope posted by my own fair hands.
But the top prize winner will receive the Threatsaurus and a luxurious Sophos laptop bag, a USB flexible light thing, an exclusive Sophos polo shirt, a biro, a clean Sophos mug, some Sophos post-it notes and possibly more.

The only way you can win is to take part in the survey. Chop chop!
Small print: You get the runner-up prizes if you're one of the first five names pulled out of the hat. The winner of the super-duper top prize will be the sixth name drawn out of the hat. We have to ask you for your email address so we can contact you if you win the prize, but feel free to ignore it if you're paranoid that we're going to do something crazy like spam you or hand it over to our sales team. Of course, you won't win the prizes then - but you'll still have helped us with the survey.
Posted on November 17th, 2009 by Graham Cluley, Sophos. Filed under: Clu-blog, Competition, Malware, Spam, Web 2.0
Get Safe Online week 2009

Get Safe Online is one of the first websites I direct computer users to if they want to learn more about internet safety.
It's a particularly good resource for consumers and small businesses as it explains the sometimes complex subject of computer security in simple, easy-to-understand language.
The biggest shame about the Get Safe Online website is that it's not very well known. Indeed, the only people - in my experience - who know about it are journalists working in the security arena and computer security professionals themselves.
That's not ideal - after all, what we really need is my Aunty Hilda to know all about how to protect her computer from malware, how to shop more safely online, and how to avoid those charming business opportunities which arrive from Nigeria.
To help raise awareness of the site, and spread advice about internet security, this week has been declared Get Safe Online week here in the UK.
Some other sites are helping support the campaign - for instance, Tesco Finance currently have a prominent link to Get Safe Online on their home page:

I hope the awareness week is successful in raising the profile of the site and safe computing practices amongst the general public. I think it would be great if the government put much more effort into educating the masses into how to surf safely online.
Posted on November 17th, 2009 by Graham Cluley, Sophos. Filed under: Banking, Data loss, Identity Theft, Malware, Spam, WWW
13 years jail for bank robbers who used Trojan horse
Four London-based men, found guilty of using a sophisticated Trojan horse to steal money from online bank accounts, have been sentenced to a total of over 13 years in prison by a British court.

The malware deployed by Azamat Rahmonov, Shohruh Fayziev, Joao Dos Santos Cruz, and Paulo Jorgi (also known as Ricardo Pereira) waited until internet users tried to log in to their online bank, before displaying a fake login page to steal credentials.
The Trojan horse then altered the customer's account without their knowledge, creating a new payee in what is known as a "man-in-the-browser" attack.
Later in the day a third party would access the bank account and transfer funds to a specially-recruited money mule. The mule, in turn, would be instructed to withdraw the stolen cash at another bank, earning a commission in the process, before ultimately wiring the illegal proceeds to Eastern Europe.
Rahmonov and Fayziev, who are both Uzbekistan nationals, and Angolan-born Dos Santos Cruz were charged with conspiracy to defraud various financial organisations and money laundering. At Southwark Crown Court at the end of last week, they received jail sentences of 4 and a half years, 4 years, and 21 months respectively. 36-year-old Jorgi, a Portuguese national, pleaded guilty to money-laundering offences and was sentenced to 21 months in prison.
"As a result of this Trojan virus fraud very many people - 138 customers - were affected in this way with just under £600,000 being fraudulently transferred. Some of that money, nearly £140,000, was recouped by NatWest's parent company the Royal Bank of Scotland after they became aware of this scam," prosecutor Dominic Connolly told the court.
The arrest of the gang in April 2009 was heralded as the first success of the newly-created British PCeU (Police Central e-crime Unit).
A fifth member of the gang, 21-year-old Venezuelan Edgar Orlando Henriques who has pleaded guilty to money-laundering offences, failed to appear for sentencing, and the authorities are requesting assistance in locating his whereabouts.
Remember to tell your friends and family - if you are approached out-of-the-blue by a "financial organisation" offering you a career moving money from bank accounts that you could be getting yourself in hot water. The crime fighting authorities are likely to take a dim view of you if you've been helping the hackers by acting as their money mules.
Posted on November 16th, 2009 by Graham Cluley, Sophos. Filed under: Banking, Law and Order, Malware
Hackers break into controversial WWII historian's AOL account

World War II historian David Irving is a highly controversial figure. In 2006 he was jailed in Austria for denying the Holocaust, and his recent speaking tour of America has been dogged by protesters.
The latest headache for the 71-year-old Brit, however, is an attack of an electronic nature.
Wired Magazine reports that hackers have broken into Irving's website and personal AOL account, posting information they found there on Wikileaks.
As well as posting David Irving's email correspondence, the hackers have also posted the username and password he uses for his AOL account, and revealed that he uses an identical password for his website. As regular readers of the Clu-blog should know well by now, it's never a good idea to use the same password for different sites.

With that information it would be possible for hackers to plant malicious code on Irving's website - potentially infecting visiting internet users.
In a further breach of security, the hackers have posted the names, phone number and credit card billing addresses of individuals who have purchased books or tickets from Irving. In addition, the email addresses of almost 500 people in Irving's online address book have been made public via Wikileaks.
All because hackers were able to break into David Irving's accounts.
Many people find Irving's views of what happened during World War II highly offensive and objectionable, but it seems to me that that doesn't make it right to leak personal private information onto the internet.
Everybody needs to stop being in denial about the importance of rigorous password security. That means don't tell anyone your password, never use dictionary words, and don't ever use the same password on different websites.
It may also mean having a regular "spring-clean" of your online email account - making sure that other people's sensitive data which may be lurking in old messages is regularly wiped from the archives.
Posted on November 16th, 2009 by Graham Cluley, Sophos. Filed under: Data loss, Identity Theft
Palestinian suspected of phishing Israeli bank accounts

The Israeli media is reporting that authorities have arrested a 22-year-old Palestinian man in relation to a phishing attack against customers of two banks.
The man, who has not been named, was arrested by the IDF (Israeli Defence Force) and police after allegedly sending emails asking customers of Bank Leumi and the Bank of Israel to confirm their account details for "security reasons".
Clicking on the links contained inside the emails reportedly took banking customers to fake login pages, pretending to be the legitimate sites.
Israeli authorities claim that information about dozens of customers was scooped up in the phishing operation, and credit card details used to make illegal purchases.
Of course, these kinds of phishing attacks are happening all the time - but it's useful to remember that they can take place on a local scale in any country in the world as well as against well-known international brands. The advice remains the same: always be suspicious of unsolicited emails from your bank, especially if they ask you to confirm your details by clicking on a link embedded inside the message.
The suspect is being questioned by the police, and is scheduled to appear in a Tel Aviv court for a remand hearing.
Posted on November 16th, 2009 by Graham Cluley, Sophos. Filed under: Banking, Identity Theft, Law and Order, Scam, Spam
Don't buy drugs online, don't put your health at risk
I posted earlier today about the millions of dollars that hackers are making promoting pharmaceutical websites.
Aside from the risk that, if you buy medication from a fake pharmaceutical website, you are handing them your credit card information - you are also potentially putting your life at risk.
Pfizer has recently released data revealing that more than one in seven British adults has admitted bypassing the healthcare system to get hold of prescription-only medicine without a prescription. What's worrying about this figure is that 50-90% of medications sold through unregulated websites are counterfeit - which could mean you are seriously endangering your health.
To raise awareness about the problem, Pfizer has produced a controversial hard-hitting TV advert, which is only allowed to be shown on British television after 11 o'clock at night.
The video is rather grotesque, as it shows a man throwing up a rat. So think about whether you really want to watch it before pressing "play".
Pfizer has produced a website discussing the dangers of purchasing counterfeit medicines where you can find out more: www.realdanger.co.uk
Posted on November 16th, 2009 by Graham Cluley, Sophos. Filed under: Spam, Video, WWW
Swine flu fears making millionaires out of Russian hackers
As the number of reported swine flu cases climbs, it's time a strong message was sent out against buying Tamiflu over the internet.
Research published by Sophos exposes the profit model of the Russian cybercriminals making millions of pounds from counterfeit medicines, including Tamiflu.

Panic-induced stockpiling by individuals who aren't officially classified as being at risk of contracting swine flu, and therefore anxious they won't receive Tamiflu from the NHS, will not only line cybercriminals' pockets with millions of pounds in cash but also grant them access to sensitive personal data to be used for other crimes.
You can learn more about how these underground web affiliates, which form networks called the Partnerka, profit from online sales of drugs such as Tamiflu in a whitepaper published today by Sophos entitled "The Partnerka - what is it, and why should you care?" [PDF]

Working inside an organised criminal network alongside the businesses running online pharmacies, the Partnerka generate traffic to those sites for an agreed share of the profit. Many of these pharmaceutical sites brand themselves as "Canadian Pharmacy" in order to appear as a more trusted website to unsuspecting internet users.
This year, Sophos has intercepted hundreds of millions of fake pharmaceutical spam adverts and fake pharmaceutical websites, promoted by affiliate members. Working day and night, thousands of affiliates use criminal methods including spam, adware and malware to drive as much traffic to their partners' stores as possible, which then sell high-profit illegal goods as part of a multi-million dollar industry.

The top five countries purchasing various drugs from the Canadian Pharmacy, and thus unwittingly assisting additional criminal activity, are:
1. United States
2. Germany
3. United Kingdom
4. Canada
5. France
Although the precise number of affiliates is ever-changing, it is projected that there are thousands in operation at any one time. Sophos's research has discovered that on one of the more popular affiliate networks operated out of Russia, it is possible to earn an average of $16,000 a day promoting pharmaceutical websites - totalling $5.8 million a year. But the criminals can be members of more than one affiliate network, and some have boasted of earning more than $100,000 per day.

Sophos is warning that concerns about the severity of swine flu, which has led to more than 6,500 deaths worldwide and may reach as high as 40,000 before the end of the pandemic, have the potential to drive an even greater volume of traffic and total sales to Partnerka websites.
The worrying trend of stockpiling Tamiflu has already been seen in Britain. Not only did large corporations come under fire for stockpiling Tamiflu this summer, Sophos further uncovered that this July, when there were concerns that global Tamiflu production was falling behind schedule, there was a 1400% increase in UK internet searches for Tamiflu.
The worry is that there's a very good chance that the swine flu pandemic has not yet hit its peak, and that more people might rush to the internet and unwittingly pass cash and personal details to Partnerka affiliates.

The business model for exploiting online purchases is fairly simple.
Once someone searches online for Tamiflu and other medicines, they are directed to online pharmacies to purchase a generic and very possibly counterfeit version of the drug. What most people don't know is that cybercriminals have often manipulated internet search engine results to drive as much online traffic as possible to these sites. Furthermore they bombard innocent users with adverts via spam email sent from hijacked botnet computers and hacked social networking accounts.

Profits can range between 20% and 40% for each of the parties involved, depending on who has the upper hand in the relationship. Although unwitting buyers do often receive some kind of drug as a result of the transaction, at best the drug doesn't work and at worst it can pose serious health risks.
As more and more cases of swine flu in the UK come to light, it is essential that we all resist the panic-induced temptation to purchase Tamiflu online.
The criminal gangs working behind the scenes at fake internet pharmacies are putting their customers' health, personal information and credit card details at risk. They have no problem breaking the law to promote these websites, so you can be sure they'll have no qualms in exploiting your confidential data or selling you medications which may put your life in danger. If you think you need medication contact your real doctor, and stay away from quacks on the internet.
Learn more about how the Partnerka profits from online drug sales in Sophos's whitepaper: "The Partnerka - what is it, and why should you care?" [PDF]
Posted on November 16th, 2009 by Graham Cluley, Sophos. Filed under: Botnet, Data loss, Identity Theft, Malware, Spam, Web 2.0