’Tis the Season to…Get Scammed

Like millions of others, Dawn Karlsson in Gothenburg, Sweden, regularly makes online purchases with her credit card, but this holiday season she will be stepping foot in the stores instead.

Karlsson’s credit card details were stolen, she thinks, via a so-called "safe" retail website. An investigation is ongoing to find out how thousands of Swedish kronor were racked up on her card in Spain.

"I have lost total faith in online purchases and will not be giving my card number out to anyone online again," Karlsson told Lavasoft News.

With an updated system, especially anti-spyware software and a firewall, shoppers like Karlsson are much better prepared to tackle the season's malware challenges. Still, shoppers everywhere are being urged to be extra vigilant this month as cyber criminals gear up to launch organized, large-scale attacks. And it is a big group for these hackers to sink their teeth into.

Consumer Reports predicts that a record 50 per cent of all shoppers will use the web for at least one purchase this holiday season. More than 100 million Americans alone are expected to get their gifts online in 2006.

"Identity fraud picks up during the holidays because that's when the credit-card companies have to turn off their monitoring software that flags suspicious transactions," said Todd Davis, an IT-theft prevention expert at LifeLock Inc. "There are still some triggers the software will catch, but the companies cut it way back - otherwise the system would crash, because there are so many transactions during the holidays."

The holiday shopping season provides the perfect scenario for hackers to use spyware, keyloggers and phishing techniques to steal passwords and private information from shoppers. Fake websites that impersonate real companies or offer fake products and services are a popular choice to lure victims this year.

Here is how to avoid being a victim:

1. Be prepared. Make sure your PC is free from any viruses or spyware before you make an online transaction, and as you’ll see in this month’s Tech Tips, it is wise to have the latest security updates from Microsoft (assuming you have a Windows machine).



2. Do your research. The smartest shoppers will stick to mainstream retailers or well-established e-tailers, but you can always look up unfamiliar sites at the Better Business Bureau (www.bbbonline.org), www.bizrate.com, or www.shopping.com to check the company’s ratings.



3. Know your options. Your regular credit card is not the only method of payment available out there. There are credit “gift” cards that can be bought at many banks and retail outlets in which you specify the amount you want on it, use it once and then throw it away. Paypal is also an option, but there are many phishing scams out there right now using fake Paypal pages, so be careful.



4. Security is key. Look for signs that your online purchases are secure. When providing your payment details, the URL should change from http to shttp or https, indicating the information is being encrypted. Your browser might also indicate a key turning or padlock closing, which means the site is secure.



5. Use your common sense.

Safe shopping!

Call for Consensus Anti-Spyware Legislation

The news that Zango, Inc., one of the world’s largest distributors of adware, settled the U.S. Federal Trade Commission’s (FTC) charges that the company violated federal law by using unfair and deceptive methods to download adware, was a clear victory in the fight against spyware. But the results of the settlement show the limitations of current legislation in deterring spyware vendors, and the challenges that lie ahead in protecting consumers’ privacy.

Just days after the announcement, FTC Commissioner Jon Leibowitz urged the U.S. Congress to give the agency expanded authority to impose civil fines on distributors of hidden spyware.

"The civil penalty authority Congress granted us in the (anti-spam law) gave our anti-spam efforts real teeth. Sadly, in spyware cases, we don't yet have that authority," Leibowitz said. "Right now, all we can get is disgorgement of profits, but we can’t fine the malefactors at all. What kind of deterrence is that?"

Doubt is also being cast on Zango’s adherence to the settlement. Spyware researcher Ben Edelman told Lavasoft News that Zango has not reformed its ways.

"If Zango were to comply with these requirements, in full, users would far better be able to understand what Zango does, and to decide whether or not they want it. Unfortunately, Zango is not in compliance with this settlement. Installations remain, some of them surprisingly widespread that do not do what the settlement requires," Edelman said.

The consumer advocacy group Center for Democracy and Technology (CDT), who in January filed a complaint with the FTC against Zango for deceptively distributing adware to millions of people, hailed the win as a benchmark in the fight against spyware.

"This is a landmark settlement, and one that sends an important message to companies that have built their businesses on the backs of Internet users without any concern for what those users want," said Ari Schwartz, Deputy Director of the CDT, in a press release.

As part of the settlement’s terms, future downloads of Zango’s adware without consumers’ consent are banned; it is required to provide a way for consumers to remove the adware, and must give up $3 million in ill-gotten gains.

The CDT believes the precedents established in this case could vastly improve the Internet experience for millions of users. But it is uncertain if precedent alone is enough to bring about change.

"If Congress really wants to enhance consumer protection in the next decade, it needs to come up with a consensus anti-spyware law that gives us the authority to penalize the purveyors of spyware who cause so much consumer harm," Leibowitz said in his speech.

Under current U.S. law, the FTC can go to court and ask that a company be made to give up ill-gotten profits, but cannot impose additional, civil fines.

Increased anti-spyware legislation has been initiated in the past few years without making a final passage through Congress. Critics have voiced concerns that such laws would define spyware too broadly, perhaps outlawing legitimate software downloads.

"I've never been much concerned about overbroad anti-spyware legislation, because the bills I've looked at just haven't had the problems their critics have claimed. Some advertising companies seek blanket authority to do what they wish to users' computers, but that's just not appropriate, and some of the proposed legislation rightly would not allow that," Edelman told Lavasoft News.

Edelman shares Leibowitz’s view to do more, but takes a different approach. He says he would begin by seeking further disgorgement from spyware vendors. "The FTC is entitled to full disgorgement of Zango's profits attributable to its past and ongoing prohibited business practices."

Edelman says Zango’s profits far outweigh the $3 million dollar settlement the company is due to pay back.

Zero-Day Attacks Top Year’s Threat List

Zero-day attacks (see definition under “Term of the Month”) have evolved from an abstract phenomenon to a regular occurrence in everyday applications.

The SANS (SysAdmin, Audit, Network, Security) Institute’s list, formerly called the Top 20 Security Vulnerabilities, was renamed the Top 20 Internet Attack Targets this year to better explain the nature of threats now faced.

The report states that vulnerabilities in Microsoft Office have tripled from a year earlier, with 45 serious or critical exploits found in the suites. "And about 20 percent of those were zero-day vulnerabilities. The striking thing is that users can get compromised by simply viewing malicious Office files," said Amol Sarwate, a collaborator with SANS on its list. "Hackers have shifted their targets to common users, and away from servers administered by sophisticated users."

Some of the usual suspects like Internet Explorer browser, Microsoft Windows and web applications make SANS’ list this year, but new technologies are posing big risks as well.

Voice-over-Internet Protocol, or VoIP, is something researchers are keeping a close eye on. Attackers can actually intercept and sell company meeting minutes, add misleading messages or create massive outages in the traditional phone network.

"VoIP systems are a front door into a program that runs entire phone systems. Attackers can exploit VoIP to change what you hear and can cause huge outages,” says Allan Paller, research director at the SANS Institute.

The organization says that along with exploiting security vulnerabilities for the purpose of information theft, Internet criminals are honing in on military and other public systems in the U.S., U.K., and Canada with increased spear-phishing attacks, e-mails designed to look credible.

These kinds of attacks also explain why “human error” also made it onto the top 20 for the first time ever. Users continue to open these messages and click on links that expose their computers to criminals around the world.

Paller warns that cell phones and appliances like digital printers will be the next technological targets.

Read the entire SANS Institute list here.

Passwords: One Piece of the Privacy Puzzle

In our technology-centered world, passwords are used to secure everything from bank accounts to cell phones, not to mention computers. Developing strong passwords is a necessary way to protect private cyber information, but exactly how to do this is up for debate.

Should we create strong, complicated passwords that we can’t remember, but need to write down - whether it’s stored on paper or electronically - widening the security risk of them being accessed by another party? Or should we use passwords that are simple enough that we can commit them to memory, but increasing the risk that they can be more easily cracked?

There is no exact science for creating strong passwords. Conventional wisdom from security professionals can help to set a few basic guidelines.

The pros advise that you should never simply use words that are found in a dictionary. Instead, mix characters and numbers in a way that is memorable to you.

When selecting numbers, do not choose ones that may be personally identifiable to you; your birthday, Social Security number and phone number are off limits.

Always use different passwords for accounts that involve monetary transactions. The only thing worse than having one account cracked into, would be to have all of your accounts cracked into. It is also a good idea to change your passwords regularly.

It is not easy to follow these rules, and try to commit passwords to memory. The rampant use of little yellow Post-it notes, cluttering all of our desktops or jammed into our wallets is a telling sign of this.

Keeping passwords secure at the office is not any simpler, and may have larger implications.

According to a recent study by Nucleus Research and Knowledge Storm, one in three workers undermines company security by writing down computer passwords.

Technological shortcuts lie in more advanced methods like biometrics, smartcards, and even password management software, which are all available options, especially for companies looking to ease security risks.

Spyware Shorts

'Spyware' Tops Search Charts

The term ‘spyware’ has trumped web search favorites like ‘poker’ and ‘Pamela Anderson’. Web portal Lycos reports that ‘spyware’ took top spot in search requests in late November, jumping 105 percent from a week earlier. ‘Spyware’ generated more than 80 percent more search activity than ‘Pamela Anderson’ in the number two slot.

 Read more

US Top Spam-Sending Nation

The United States spit out more than one-fifth of the world’s spam in the third quarter of 2006. A security firm says the increase can be due to the emergence of more than 300 strains of the mass-spammed Stratio worm. After the U.S., which accounts for 21.6 percent of relayed spam, come China, France, South Korea and Spain. The security firm also says most unsolicited e-mails are now sent from zombie PCs.

 Read more

UK has Highest Spyware Rate in EU

A recent survey shows that Britain has the highest spyware infection rate within the EU at 89%. A follow-up survey of UK respondents showed that males between the ages of 18 to 29 have the highest risk of having their PC infected with spyware due to risky online behavior, like opening instant messages, downloading files, and visiting adult entertainment sites.

 Read more

Wikipedia Targeted

A booby-trapped page of German Wikipedia that offered a patch for a new version of an old malicious worm, Windows Blaster, was found to infect computer users with a new Windows virus instead of fixing the problem. The malicious hackers then sent out a German-language spam e-mail, made to look like it came from Wikipedia, directing people to visit the page. Wikipedia quickly responded, and deleted the article.

 Read more

End of Spyware Op

A U.S. district court has ordered ERG Ventures, and one of its affiliates, to stop distributing what the Federal Trade Commission (FTC) calls deceptive and unfair software downloads. The operation will also likely be ordered to give up any ill-gotten gains from the program that was installed on millions of computers. The FTC charged the operation with tricking consumers into downloading free software like screensavers and videos, bundled with spyware and malware from a program called Media Motor.

 Read more