Posts Tagged ‘phishing’
Defcon’s social engineering contest – there is no patch for stupid

A weekend contest at the world’s largest hacking convention in Las Vegas showed one reason why big corporations seem to be such easy prey for cyber criminals: their workers are poorly trained in security.
Amid a spate of high-profile cyber assaults on targets ranging from Sony Corp to the International Monetary Fund, one would think that many companies would be paying special attention to security these days.
But hackers taking part in the competition on Friday and Saturday found it ridiculously easy in some cases to trick employees at some of the largest U.S. companies to reveal information that can be used in planning cyber attacks against them.
The contestants also managed to get employees to use their corporate computers to browse websites the hackers suggested. Had these been criminal hackers, the websites would have likely loaded malicious software onto the PCs.
In one case, a contestant pretended to work for a company’s IT department and persuaded an employee to give him information on the configuration of her PC, data that could help a hacker decide what type of malware would work best in an attack.
“For me it was a scary call because she was so willing to comply,” said Chris Hadnagy, one of the organizers of the contest at the Defcon conference in Las Vegas…
The company whose employees handed over the most data was Oracle Corp, according to Hadnagy. One of the world’s largest software makers, Oracle got its start more than 30 years ago by selling secure databases to the Central Intelligence Agency.
“Oracle was wiped,” said Hadnagy…
It was the second year that Defcon held a contest in “social engineering,” or the practice where hackers con people into handing over information or taking actions such as downloading malicious software.
Social engineering is frequently used in attacks where the hackers send a “spear phishing” e-mail in which they impersonate a friend of the recipient and ask him or her to open a tainted file or visit a malicious website…
Piece of cake – and, not so incidentally, a technique that predates computers and hacking. A great deal of investigation stretching back into the 19th Century used the same social engineering techniques.
A half-century ago, before I sat down on behalf of a civil rights organization to negotiate some of the first hires of non-white employees in my home state for what has become one of the biggest delivery systems in the United States and the world – one of our activists had a friendly lunch with their HR director while pretending to be a columnist from the biggest news journal in the region. Over the course of that meal he acquired the breakdown of drivers, dispatchers, managers, staff. It was easy to remember. They all were white. We did promise an excellent article on “proper” human resources management.
When we sat down, I could not only relate that fact but was also able to drop the number of employees in each category in the lap of the regional manager. He rolled over. And I never did tell him how we came by the numbers.
‘World’s sexiest hacker’ to appear in court

A glamorous young Russian woman alleged to have assisted a gang of computer hackers who stole $3 million (£1.9 million) in an internet banking fraud is now in court.
Kristina Svechinskaya, who was arrested in New York earlier this month, is one of 37 people charged over the alleged fraud, in which hackers allegedly broke into people’s computers to steal their money.
It is alleged that they sent victims emails containing Trojan horses, pieces of software which, when clicked, allowed the sender access to the recipient’s files and passwords.
Miss Svechinskaya, who drew comparisons with the Russian spy Anna Chapman after pictures of her were found online, is charged with conspiracy to commit bank fraud and the false use of a passport. She has been dubbed the “world’s sexiest computer hacker”.
She is accused of helping to provide bank accounts for the hackers, into which $35,000 was fraudulently deposited and $11,000 withdrawn, in return for a ten per cent cut of the stolen money. It is claimed she opened at least five accounts…
Of course, she is not a hacker. She’s a “mule” – the appropriate term in the world of fraud for the service she provided. Not unlike the mules who smuggle heroin or cocaine to a destination in balloons in their stomachs.
‘Rogue’ internet firm 3FN shut down

An internet firm linked to many of the internet’s criminal gangs has been shut down.
The US Federal Trade Commission said Belize-based 3FN aided gangs that ran botnets, carried out phishing attacks and traded in images of child abuse.
The servers and net hardware of 3FN have been seized and are due to be sold off as the firm is dismantled.
The operators of 3FN must also pay back $1.08 million they are reputed to have made by hosting criminal sites…
It was involved in distributing spyware, viruses and trojans, had a hand in many phishing schemes and helped gangs sell illegal images. It also acted as a discussion forum for many spammers.
In particular, said the FTC, the net firm worked with fraudsters who run botnets and helped them steal data by seeding hijacked computers with keyloggers. It maintained a library of more than 4500 malicious programs that could pilfer data from hijacked PCs.
In June last year, the FTC used an injunction to cut 3FN off from other hosting providers and sever its connections to the net.
Now the FTC has gone a step further and won a court order that will see the company stop trading and its hardware confiscated. The FBI has been ordered to carry out the shutdown and seizure operation.
Overdue.
Keeping you up-to-date on latest Phishing phoolery

Cyber criminals are using fake messages claiming to be from the Federal Deposit Insurance Corporation (FDIC) to deliver a virus capable of stealing unsuspecting victims’ bank passwords and other sensitive personal information, says Gary Warner, the director of research in computer forensics at the University of Alabama at Birmingham (UAB).
Warner says the spam is being delivered with one of two subject lines:
“FDIC has officially named your bank a failed bank”
“You need to check your Bank Deposit Insurance Coverage”
Warner says that once the message is opened the spam asks users to visit a specific Web site, a link to which is included in the message. Those who follow the link are taken to a page that asks them to click and download a copy of “your personal FDIC insurance file.”
“Unfortunately, anyone who clicks that download link will be downloading a version of the Zeus Bot virus, which has the capacity to steal bank passwords and other financial and personal information,” Warner says.
I know this is nothing new to many of our regular geek readers. Just offering the latest tale of social engineering so you can pass it along to your more gullible kith and kin.
Typically, these creeps are sending these emails out just after banking hours close on a Friday. No way to phone your bank to see if everything is OK – though, I’d think you would know something about who you’re banking with, eh?
This way, people have two days over the weekend to get nervous and pull the trigger.
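The FDIC lure described above has three tells a mail filter can check before a reader ever sees it: a subject line already reported as a lure, a sender domain that invokes the FDIC brand without being under fdic.gov, and a link whose target is an executable download rather than a page. The following Python script is an added example for this tag page; it is not code from the original post or from Warner’s group at UAB. The two sample messages are constructed to illustrate the pattern (the “.example” domain and the file name are placeholders, not real indicators), and the two-finding threshold in is_likely_phish is an assumption chosen for the demonstration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample modelled on the FDIC lure described in the post; not a real capture.
# The domain and file name are placeholders.
LURE_EMAIL = """\
From: "FDIC Alerts" <alerts@fdic-insurance-notice.example>
To: customer@example.com
Subject: FDIC has officially named your bank a failed bank
Content-Type: text/plain; charset="us-ascii"

The FDIC has named your bank a failed bank. Download your personal FDIC
insurance file here: http://fdic-insurance-notice.example/insurance/personal_file.exe
"""

# Constructed benign control: genuine domain, ordinary subject, link to an HTML page.
BENIGN_EMAIL = """\
From: "FDIC" <noreply@fdic.gov>
To: customer@example.com
Subject: Your quarterly deposit insurance newsletter
Content-Type: text/plain; charset="us-ascii"

Read this quarter's newsletter at https://www.fdic.gov/news/newsletter.html
"""

# Subject lines quoted in the post, normalised to lower case for comparison.
KNOWN_LURE_SUBJECTS = {
    "fdic has officially named your bank a failed bank",
    "you need to check your bank deposit insurance coverage",
}
LEGIT_DOMAIN = "fdic.gov"
# Link targets that hand the reader a program instead of a page.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".zip")
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def impersonates_fdic(host: str) -> bool:
    """True when a host name invokes the FDIC brand but is not under fdic.gov."""
    host = host.lower()
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return False
    return "fdic" in host


def sender_domain(msg) -> str:
    """Domain part of the From: header, or '' if none can be found."""
    m = re.search(r"@([A-Za-z0-9.-]+)", str(msg.get("From", "")))
    return m.group(1).lower() if m else ""


def score_message(raw: str) -> list[str]:
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    subject = str(msg.get("Subject") or "").strip().lower()
    if subject in KNOWN_LURE_SUBJECTS:
        findings.append("subject matches a known FDIC lure")

    dom = sender_domain(msg)
    if impersonates_fdic(dom):
        findings.append(f"sender domain {dom} impersonates the FDIC")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if impersonates_fdic(host):
            findings.append(f"link host {host} impersonates the FDIC")
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append(f"link offers an executable download: {url}")
    return findings


def is_likely_phish(raw: str, threshold: int = 2) -> bool:
    """Assumed policy for this example: two or more findings means quarantine."""
    return len(score_message(raw)) >= threshold


if __name__ == "__main__":
    for label, sample in (("lure", LURE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, is_likely_phish(sample), score_message(sample))
```

The point of the two-domain check is that the lure does not need to spoof fdic.gov itself; a look-alike domain with “fdic” in it is what the reader sees in the From line and in the link, and that is exactly what the brand check flags. Run stand-alone, the script reports four findings for the constructed lure and none for the control.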
Parking ticket leads to a Trojan Horse
Hackers have discovered a new way of duping users onto fraudulent websites: fake parking tickets.
Cars in the US had traffic violation tickets placed on the windscreen, which then directed users to a website. The website claimed to have photos of the alleged parking violation, but then tricked users into downloading a virus.
Vehicles in Grand Forks, North Dakota were the targets for this new type of fraud. Drivers found the following message on the yellow ticket on their windscreen: “PARKING VIOLATION This vehicle is in violation of standard parking regulations”.
The ticket then instructed drivers to visit a website, where drivers could “view pictures with information about your parking preferences”.
According to internet security watchdog The SANS Institute, the website then had photos of cars in various car parks around Grand Forks and instructed users to download a toolbar to find photos of their own vehicle.
But the toolbar was actually an executable file which installed a Trojan virus that then displayed a fake security alert when the PC was rebooted. The fake alert then prompted the user to install fake anti-virus software.
You know what I’m going to say. There is no patch for stupidity.
Though I have to admit this stunt is sharp enough to take in folks who usually don’t qualify for stupid!