PHILIPHALL.COM :   CyberSecurity Junkie

Apple iPhone SMS Vulnerability

by Philip on Jul.04, 2009, under Phil's News

Apple are in the process of preparing a patch to fix a security hole on the iPhone.

Charlie Miller has identified a flaw which could enable a hacker to gain remote control of the device using the iPhone’s text-messaging capabilities.

It works by exploiting a weakness in the iPhone’s SMS protocols and could allow cybercriminals to track the phone’s location by tapping into its GPS features, remotely activate the microphone for eavesdropping, or turn the handset into a botnet node used for sending spam, committing online crime, or instigating a distributed denial-of-service attack that could bring down a website.

Read the full story here.

New wave of eCrime & fraud targeting Australia

by Philip on Jun.10, 2009, under Security News

It appears that a number of Australian banks, including the Commonwealth Bank, have been hit hard by fraudsters over the past few weeks: they have been inundated with phishing and other fraud attempts, which have been splattered across the news headlines. We’ve also seen announcements from the Australian NSW police about a crime syndicate targeting Australian superannuation accounts.

Second Tier Financial Institutions - The 2nd Wave Is Coming

What is more worrying for smaller banks and financial institutions is what normally happens after the big banks are hit hard: the fraudsters turn their focus onto the smaller second tier companies, who often have weaker security controls compared to the big banks.

Fake Call Center Numbers

A recent news article gives details of a new wave of attack… using a fake call center. The Federal Police are investigating this new type of scam which operates a fake bank call centre using an Australian phone number. The “call centre” has automated computer voices to dupe callers into providing their credit card numbers.

This is linked to a large email scam, or phishing, campaign that imitates official messages from the Commonwealth Bank. Read the full news article here.

How To Avoid Becoming A Victim of eFraud:

As always, there are some things you can do to avoid being hit by scams such as those above:

1. Faking an email is incredibly easy to do these days, and as a result most banks and large financial institutions remind their customers that they will never send emails asking for personal or account / password information. If in doubt, always contact the bank using their known switchboard phone number, which can be found in most telephone directory listings.

2. Always be suspicious of an email which contains a URL link, and if in doubt contact the sender to confirm its authenticity.

3. The majority of banks & financial institutions have also adopted a policy of never sending URL links in emails to their customers, and educate their customers that they never will.

4. For any personal machine(s) you may use, always make sure you are running anti-virus, and have downloaded and installed the latest antivirus & operating system patches. This helps to prevent any malcode which is often included with phishing attacks from being introduced onto your own systems.

Crime Syndicate targeting Australian Superannuation accounts

by Philip on May.17, 2009, under Security News

Australian NSW police have released details of a known, sophisticated crime syndicate which they suspect is now targeting Australian superannuation accounts.

The bad guys begin by stealing documents and letters sitting in people’s home mailboxes, and then from these create high quality fake identities which are used to create bank accounts and self managed super funds. They then transfer money from the victims’ legitimate super funds to the false account, and take off with the funds obtained.

“It’s believed the group has used stolen superannuation statements and counterfeit identity documents to operate Self Managed Superannuation Funds (SMSF) through the Australian Tax Office,” police confirmed in a recent statement.

So far it has been reported that over 50 people have become victims of this new scam; however, police have so far arrested 8 people in connection with this case.

Strike force ‘Gamut’ is targeting at least another 6 people involved, and is warning the public to consider securing their home mailboxes to deter mailbox thieves from stealing mail in order to carry out this crime.

From reports, the profits have been traced to China and The Philippines.

Further details can be viewed on the NSW Police web site.

Phone crime is worrying the financial institutions

by Philip on Apr.28, 2009, under Phil's News

Computer fraud may be a big problem for banks and financial institutions today, but the phone is becoming a critical tool for fraudsters, bank executives say. In addition to calling customers about suspicious transactions, financial institutions use SMS (Short Message Service) to request that customers contact them.

SMSs are also used to verify certain transactions, or password resets.

Fraudsters have now begun using a variety of techniques to try to trick the banks and their customers into thinking they’re communicating with the intended respondent.

These techniques include:

“Mobile Phone Porting”
Mobile Number Porting is the facility that lets you transfer your existing mobile number from one network provider to another. A fraudster transfers a victim’s mobile phone number to a different carrier, effectively stealing someone else’s mobile number for fraudulent purposes.

“Spoofing”
Spoofing is a method of faking a caller ID for phone calls or SMSs. This is illegal in Australia. Call spoofing and SMS spoofing are currently relatively easy to do due to a lack of regulatory controls internationally.

The Emerging Threat
Sometimes fraudsters who have obtained a victim’s online banking details through phishing or some other means of attack will then hack into the bank account and change the customer’s contact phone number. Then, when a suspicious transaction posts to the account, the bank will call the fraudster instead of the customer.

Read the full article on the CIO website.

Big brother wants to know your superpower…. calling all Google “egosurfers” & “self searchers”

by Philip on Apr.27, 2009, under Security News

These days, Big Brother isn’t just watching you… he wants to know your current status, superpower, where you’ve lived in the world, as well as the name of your childhood pet! All found in your new Google ‘profile’!

By updating your new Google “profile”, you have more chances of being found online when someone tries to google you. For those who have tried searching for themselves (often referred to as ego surfing or self searching), you just need to check and update your profile…

This is all actually a sneaky way for Google to get back into the Facebook game! Read more about Google Profile here.

CAPTCHA Gmail solution compromised by new W32.Gaptcha worm

by Philip on Apr.25, 2009, under Phil's News

Gmail’s CAPTCHA solution, used to ensure there’s a real person creating a new user account, has been compromised by a new worm.

If you are not familiar with CAPTCHA technology, it’s basically the distorted text image you sometimes come across on some web pages, where you have to review the characters and type them in before continuing. It is often used for new account creation, user account resets etc. It basically proves that it’s a real person using the web page rather than a computer program, hence the name CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). It used to be hard for computers to translate the text, but improvements in OCR (optical character recognition) technology have overcome that barrier.

For those that thought CAPTCHAs were pretty solid… think again. Read the full article here.

Obama to take cybersecurity seriously…. cyber warfare finally gets some global airtime.

by Philip on Apr.23, 2009, under Security News

Obama has likened threats to the internet to that of a nuclear attack!… exqueeze me?

…Quite scary when you read recent tech news of China launching cyber warfare against the US, impacting core infrastructure such as the electricity grid, and stealing latest fighter jet secrets. So what next?

For a start, Obama is now doing something about it…. taking cybersecurity VERY seriously!

Read the full story on various news sites posted today.

Botnets, botnets, botnets… why is it getting so much tougher out there?!

by Philip on Apr.22, 2009, under Security News

Botnets are fast becoming a big threat globally, and no doubt in the next few months there will be more incidents hitting the news.

The key thing to be aware of is that with a huge global downturn in the financial markets, the one thing that goes up in uncertain times… is fraud & criminal activity relating to spam, phishing, ID fraud, online scams, and financial institution hacking… all of which are supported by botnet infrastructure.

Read this article about why it’s getting much harder with regard to botnets, and what to do about it…

Read the botnet article here.

Spoofing

by Philip on Apr.18, 2009, under Security Tips

The world of spoofing SMS / email etc is still very much a “sharp” and dangerous thing to be into for those who are in the know. Did some detailed lab research this weekend and found all sorts active in the wild. Don’t want to share with the wrong people, so ‘PMail’ me if you want to be in the know.

Symantec Threat Report Published

by Philip on Apr.14, 2009, under Security News

The Symantec Internet Security Threat report was released today. Overall, 2008 was a continuation of that trend as cybercriminals continued to attempt the spread of malware to be used in an effort to collect confidential information. The bad guys created more than 1.6 million new threats in 2008 - a staggering amount considering that 2007 saw the creation of 624,267 new threats and 2006 saw just 140,690.

Read the full Symantec report here.
