Defending The Kingdom

Just a heads up for you Twitter users:

A phishing attack that began striking U.S. Twitter profiles this weekend is still going strong and isn’t showing any signs of letting up. As VentureBeat reports, the scam operates through a direct message reading, “Lol. this you?” Once users click on it, they’re sent to a fake Twitter login page, where they could be tricked into revealing their login and password.

It seems to me that threats like this one are becoming more common, probably because most folks have become pretty good at fending off standard viruses. The major browsers vendors are working hard to inure their software to phishing threats, but it’s hard to protect people from their own gullibility.

First, which browsers are the most common these days? Wikipedia has a useful summary of browser usage statistics collected from various sources. The summary statistics look a little off to me (even after considering the note at the bottom of the table), but you get the basic idea: Internet Explorer and Firefox are running away with it.

Security Update

Internet Explorer 6 remains a hopelessly dangerous browser, but I’ve been impressed by Internet Explorer versions 7 and 8. If you haven’t yet upgraded, do so now.

I wanted to update previous comparisons (see here, here, and here) between the two most prominent browsers, but Secunia, the security consultancy I had been getting figures from, now advises against using its statistics for comparison purposes because of the way it reports them.

Fair enough, and it wouldn’t hurt to go to a second source. I recently ran across a report by NSS Labs, which mentions that “53% of malware is now delivered via internet download versus just 12% via email, while IFrame exploits and other vulnerabilities comprise 7% and 5%, respectively…” (If you’re wondering, IFrame exploits are just another flavour of attack aimed at web browsers.)

Check out the report summary, which has two very interesting graphs. It looks like Internet Explorer 8 is beating Firefox (and other browsers) by a wide margin when it comes to protecting against “socially engineered malware” (links that lead to infected downloads), while the two leading browsers provide about the same amount of protection against phishing attempts.

Curious about the web’s most dangerous search terms?

The categories with the worst maximum risk profile were lyrics keywords (26.3%) and phrases that include the word “free” (21.3%). If a consumer landed at the riskiest search page for a typical lyrics search, one of four results would be risky.

What makes a webpage dangerous?

• Risky downloads—Downloadable files that contain viruses, spyware, or adware or make unrelated
  changes to the downloading computer
• Browser exploits—Also known as a driveby download, this type of malicious code enables viruses,
  keystroke loggers, or spyware to install on a consumer’s computer without consent and/or knowledge
• Email practices—Registration forms and other sign-ups that result in high volume email, highly
  commercial email or both. We also test for difficultly unsubscribing.
• Phishing—Scam sites that try to trick visitors into believing the site is legitimate
• Excessive popups—Sites that engage in aggressive popup behavior or display large numbers
  of popups
• Linking practices—Sites that aggressively link to other red- or yellow-rated sites

The report, by McAfee, mentions that hacking for profit has overtaken hacking for fame. I suspect that is why we no longer worry about viruses that will wipe our hard drives clean — the tactic is attention-getting, but is unlikely to be profitable to anybody. Today, viruses that collect information about our computing habits and personal lives are the primary threats.

The Nigerian scam (also called “419″ or “advance fee fraud”) is, I was surprised to discover via Snopes, a very old one:

The Nigerian Scam has been emptying the pockets of victims for decades, first through letters, then with faxes, and now via e-mail. In its earliest incarnation, which dates to the 1920s, it was known as ‘The Spanish Prisoner’ con. In that long-ago version, businessmen were contacted by someone trying to smuggle the scion of a wealthy family out of a prison in Spain. But of course the wealthy family would shower with riches those who helped secure the release of the boy. Those who were suckered into this paid for one failed rescue attempt after another, with the fictitious prisoner continuing to languish in his non-existent dungeon, always just one more bribe, one more scheme, one more try, away from being released.

The typso are intentional

Who is falling for these scams? The website for London’s Metropolitan Police says it’s not who you might expect:

The letters are often littered with spelling mistakes and bad grammar. This is a deliberate ploy by the fraudsters to induce the potential victim to believe that he is dealing with uneducated people who would not have the ability to defraud him/her. Nothing could be further from the truth! The majority of victims prove to be professional business people, doctors and lawyers.

Low success, high yield

The 2006 Internet Crime Report, prepared by the National White Collar Crime Center and the FBI, shows that the Nigerian scam accounts for a small percentage - just 1.7% - of reported total dollar losses due to cybercrime, but that seems to be a function of a few people losing a lot of money. The median loss for someone tricked by a Nigerian scam is $5,100, seven times greater than the median dollar loss for other referred cases of fraud, including auction fraud, failure to deliver merchandise or payment, and check fraud.

Spin-offs

The Nigerian scam is so popular it has engendered a new cyber-sport called scambaiting. The goal is to “enter into a dialogue with scammers, simply to waste their time and resources”, as well as to entertain fellow scambaiters with the resulting correspondence, photos, and recorded phone conversations.

A Recent Parody

I AM MINISTRY OF THE TREASURY OF THE REPUBLIC OF AMERICA. MY COUNTRY HAS HAD CRISIS THAT HAS CAUSED THE NEED FOR LARGE TRANSFER OF FUNDS OF 800 BILLION DOLLARS US. IF YOU WOULD ASSIST ME IN THIS TRANSFER, IT WOULD BE MOST PROFITABLE TO YOU.

Read the rest of the spoof here.

In the previous post, I calculated the cost, in statistical terms, of identity theft for the typical person. But identity theft is not the only danger - what about the risks of phishing?

Consumer Reports, in their 2008 State of The Net report, claims that the likelihood of getting phished this year is 1 in 94, or just over 1%. The total amount lost to phishers nation-wide is estimated to be $2 billion.

Worry or Keep Cool?

If 1 in 94 American adults lost money to phishers, it means that $2 billion in costs were distributed amongst 2.4 million victims. From that statistic, we can figure that the average cost per person was about $835. If your chances of getting phished are 1 in 94, you can expect to lose (in statistical terms) $9 per year to phishers.

Now, knowing that you are likely to lose $9 per year in statistical terms is a bit of strange concept. In any given year, you will either lose a large sum like $835 or nothing at all. It might be easier to think of the $9 per year as something each person should be willing to spend to avoid the consequences of phishing.

For example, everyone in the country could contribute $9 per year into a phishing fund and distribute the money to the victims of phishing. Those who contribute but don’t fall victim to phishing get peace of mind out of the deal. The victims get compensated for what they lose. Everyone wins as long as peace of mind doesn’t cost more than $9 per year. Beyond that, it’s best to take your chances!