Shark Thoughts

The problems with fake two factor authentication

Lars Harvey — Tue, 21 Aug 2007 15:11:39 -0700

This is a great podcast from CNET with Brendan O'Connor, an independent security researcher who gave a talk at this ...

Responding to online security breaches

Lars Harvey — Tue, 07 Aug 2007 12:20:11 -0700

From CreditUnions.com, a quick overview of how to respond to online security breaches. Unfortunately the list is incomplete. They forgot ...

Consumer Reports' State of the Net Survey

Lars Harvey — Tue, 07 Aug 2007 11:32:01 -0700

Consumer Reports has released their 2007 State of the Net survey results. According to the survey, 8% of respondents ...

The ROCK hits GoDaddy

Lars Harvey — Fri, 03 Aug 2007 12:05:22 -0700

Yes, it has finally happened - big time phishers going after control of domain names. What does this mean for Financial Institutions? You should be afraid - very afraid.

Talking about the Rock

Lars Harvey — Fri, 03 Aug 2007 08:34:59 -0700

John LaCour, my counterpart at a competitor penned a good overview of the Rock phishing gang's methods. I would add that ...

A Credit Union responds the right way

Lars Harvey — Wed, 01 Aug 2007 16:33:28 -0700

Here is an example of a strong response from a credit union attacked for the first time. Most banks and ...

Phishing costs more than physical bank robberies

Lars Harvey — Tue, 31 Jul 2007 16:42:31 -0700

According to this note from Credit Union tech-talk , the FBI reported physical bank heists were responsible for $70 million ...

Off line criminals use the Internet too

Lars Harvey — Fri, 13 Jul 2007 16:21:39 -0700

Just ironic. A couple of burglars were stymied when they tried to crack a safe, so they found a ...

Getting NIC AT in line

Lars Harvey — Fri, 06 Jul 2007 15:51:12 -0700

Nice post from Chris Barton at McAfee's Avert Labs about the lack of response to phishing by NIC AT (Austria). ...

Another phisher caught

Lars Harvey — Thu, 21 Jun 2007 16:14:34 -0700

Another phisher has been indicted. Yay! This time from Michigan, the 20-year old phisher allegedly stole over 7,000 identities, including ...

Horror story about dual DDOS and phishing attack

Lars Harvey — Thu, 07 Jun 2007 15:56:20 -0700

This horror story published by Bank Info Security is definitely a very-bad-case scenario. Getting DDOS'ed off the net AND dealing ...

Fraud spreading to smaller targets

Lars Harvey — Tue, 15 May 2007 16:05:19 -0700

Here's a high level look from Bank Systems & Technology at how fraud is moving to the smaller institutions. We take Gartner ...

McAfee does a nice consumer education piece

Lars Harvey — Wed, 02 May 2007 16:55:29 -0700

McAfee just recently released this "What is Phishing" flash video. It's a bit long, but does a great job ...

Data theft cost calculator

Lars Harvey — Tue, 17 Apr 2007 11:56:53 -0700

A specialty insurance company has just put out a calculator tool that helps banks and others get a rough idea ...

Some web hosts profit from phishing... but most don't

Lars Harvey — Tue, 03 Apr 2007 10:03:33 -0700

Most ISPs and web hosts don't actively patrol and police their own web space, and it is not so they can make a buck.

Another Tool in the Customer Education Shed

Chris Richardson — Thu, 19 Oct 2006 08:57:01 -0700

With the October 18th release of Internet Explorer 7, users now have the capability to enable the Phishing Filter components with a few simple mouse clicks. Microsoft is aggregating data on verified phishing sites from several sources, including the data we submit on behalf of our PowerShark clients - so this feature becomes a powerful tool in your customer protection efforts. Even if your customers do not activate the phishing filter upon installation of IE 7, they can still use this feature under the tools menu to "manually" ask whether a site is suspicious.

We encourage all financial institutions and phishing targets to include language about the IE 7 Phishing Filter in customer education campaigns. If 100% of your online banking customers utilize this technology or something similar to it, and if you submit 100% of the phishing site URLs targeting your brand for blocking, then the percentage of customers who are duped becomes far less important -- the phishing site will be blocked before it ever reaches your customer's computer screen.

Malware Money Tough to Trace

Lars Harvey — Mon, 18 Sep 2006 11:07:14 -0700

eWeek paints a pretty bleak picture about law enforcement's efforts to stop phishing. "Law enforcement officials agree that it's almost pointless to go after the fraudsters carrying out targeted attacks such as phishing schemes against banks and other financial institutions." I disagree. It is NOT pointless to pursue phishers.

Swinging the club with domain control

Lars Harvey — Tue, 22 Aug 2006 09:16:50 -0700

Microsoft has gone public with a project we have been working with them for some time. We are of course pleased that we can share some of the story of this work, especially since most of our work must be kept out of the public eye.

One phishing arrest - why aren't there more?

Lars Harvey — Fri, 28 Jul 2006 14:08:25 -0700

A California man was arrested for phishing yesterday. Why don't we see more such arrests? Was this man just stupid and easy to catch?

Domain-Based Misinformation

Lars Harvey — Tue, 18 Jul 2006 16:43:43 -0700

In a case of mis-interpretation of an already mis-stated and mis-leading statistic, WebHosting.info is reporting "Domain-Based Phishing at a Spree, Reports MarkMonitor". The "story" (and it is a story, all right) is based on a statistic that MarkMonitor presented in a recent public webinar.

Two-Factor Authentication Makes Phishing Much More Difficult

Lars Harvey — Wed, 12 Jul 2006 12:57:51 -0700

What the Security Fix post and all the comments attached to it fail to realize is that the two-factor authentication DOES work. Yes, the token credential (usually a random number) can be stolen by phishing. But that credential is only good for breaking into the account for about ONE MINUTE. Phishing a two factor site has a higher risk and much lower reward for the phishers.

Phishing continues to rise

Lars Harvey — Fri, 23 Jun 2006 12:14:52 -0700

It should come as no surprise that phishing volume continues to grow, with nearly 12,000 phishing sites reported in the month of May. That's about 400 sites per day. The number of new targets continues to grow as well, though the 80/20 rule definitely applies as 80% of phishing sites target just 20 out of the 137 brands targeted in May. From our perspective working with many of the smaller targets, we're seeing that there are two kinds of phishers.

Corruption of Data Feeds as a Strike-back Measure by Cybercriminals?

Chris Richardson — Thu, 15 Jun 2006 17:32:13 -0700

http://209.83.147.85/esubscribe/eSubscribe_login.jsp was submitted to a raw aggregated customer phishing report queue today. Presumably, a visitor to the site simply became wary seeing an IP-based URL and wanted to report it. If this URL was included as a hyperlink in a legitimate email campaign, then that's even more problematic. According to recent research (pdf) on why phishing works, consumers are still plenty confused - even if companies adopt best practices in URL management.

Turning Credentials into Cash

Lars Harvey — Fri, 09 Jun 2006 12:43:54 -0700

Martha Baer has written an article that does a great job of illustrating the myriad ways that criminals collect identity credentials and turn them into cash.

Hacked bank home pages a REAL problem

Lars Harvey — Thu, 08 Jun 2006 10:03:17 -0700

The home pages for about 300 small banks in the Midwest were hacked en masse when the systems at their service provider were breached on May 25. They say that this breach is "non-transactional" in nature and therefore not "material." But that is WRONG THINKING.

Designing for the new smart browsers

Lars Harvey — Wed, 07 Jun 2006 10:55:02 -0700

I just read a good discussion in the Register about the need for legitimate websites to be designed so that they do not trigger the "suspicious" warnings in IE7, Firefox 2.0 and other anti-fraud browser toolbars. Much of the advice provided in the article is commonsense

Your customers need your help to be safe from phishing

Lars Harvey — Tue, 04 Apr 2006 16:12:30 -0700

In an excellent, just-published paper entitled Why Phishing Works (pdf), a group of Harvard and Berkeley researchers present startling results about how ordinary users interact with phishing web sites. The upshot is that a decent phishing site will fool 50% of visitors, while a high quality phishing site with a cousin domain will fool over 90% of visitors. For financial services and e-commerce companies, these findings make clear that your customers need your help to be protected from phishing.

One person's phishing server is another person's livelihood

Lars Harvey — Tue, 14 Mar 2006 16:22:27 -0800

Most "phishing" servers are actually honest computers doing real work for real companies. And they are doing this work even during that time that the phishers are using those honest computers to perpetrate their criminal schemes. So be careful with how you treat them.