Archive for the ‘Specific Alerts’ Category

Recently, four folks went into Cleveland together for a Cavaliers game. As they pulled into the arena’s parking garage, they noticed that several of the parking spaces had been marked off with traffic cones. One of the parking attendants removed one of the cones and waved them into a very close parking spot on the same level as the pedestrian bridge to the game. They assumed that it was some sort of VIP treatment that came with their tickets. They locked coats and purses in the trunk, then went in to enjoy the game.

Over the next three days, all four reported that their corporate credit cards had been used for fraudulent transactions. Police believe that the car was "marked" by a confederate working as a parking attendant based on the make of their car and their professional appearance. He waved them into the "VIP spot" so his confederate would know which cars to target. The criminals either picked the lock of the car with a slim-jim and popped the trunk from the inside or recorded the electromagnetic code of the trunk’s remote so they could open the trunk themselves.

When the four people each checked their wallets, only these corporate credit cards had been stolen. Personal cards, personal checks and cash were untouched. It’s human nature to pay more attention to our personal accounts than to a faceless corporation’s account. Intelligent criminals exploit that trait and selectively target who and what to steal so they can go undetected as long as possible.

The bank did an excellent job of handling the fraudulent transactions but we all pay when the criminals get away. It is extremely unlikely even with this evidence that criminals will be caught or prosecuted. Sometimes the best we can do is to avoid being targets in the first place.

  • If someone’s offering you a service that seems too good to be true, it probably is. Be extra cautious (and a little bit suspicious) when someone is giving you unexpected special treatment.
  • Keep your valuables with you whenever possible.
  • Watch your credit card accounts (personal and corporate) carefully.
  • Always lock your vehicle.

Imagine that you received the following voicemail:

My name is Lillian and I am calling from ABC Company on the morning of Tuesday, February 26. We are conducting a paid study about the types of software used in the Insurance industry. We’re offering $200 in compensation for your time, so if you are interested in participating, you can reach us at 1-800-555-2672, that was 1-800-555-2672. When you call you can ask for reference code p as in pork 8515, that was p as in pork 8515 and this is for a paid survey that pays $200 to answer questions about software. Thank you very much and hope to hear from you soon.

Sounds like a great deal, right? $200 for just answering a few questions. You won’t be buying anything so it’s not like it’s a kickback, is it? And you would never answer any questions about confidential data. Why not call them back?

Although there are some legitimate marketing research firms, this caller was not one of them. These scams can take one of two forms. Most likely, they are vendors trying to get an unethical edge over their competition or an unfair advantage in their negotiations with your company. Sometimes, they are social engineering cons – the caller is trying to pull information out of you in order to sound more like an insider when he/she makes the final scam call against one of your co-workers. Sometimes these scammers claim to be from a vendor, other times they claim to be conducting "research" for a university, etc.

Either way, these callers are trying to con you out of information that they don’t think they could legitimately get. If it was a legitimate business request, they wouldn’t be so eager to bribe you for your participation. When someone emphasizes the money as much as this caller did, something’s not right. You should participate in surveys because it’s in your company’s best interests, not because one person in the company was bribed.

Do your staff know how to respond to survey requests like these? Do you have a policy that requires them to check with your Legal Department or some other group who can validate the request and make sure that all the required non-disclosures are met? Does your policy allow the response to phone surveys or do you require that all surveys be submitted (and replied to) in writing? If compensation or a gift is offered, who does the employee report it to? Is it personal compensation or remitted to the company? Do your staff know how to tell the legitimate from the questionable requests?

Real researchers follow a code of ethics about their surveys. They will give you more upfront information before inviting you to participate in the study and will provide the credentials necessary to prove their identity. They may offer to compensate you for your time but will do so in ethically appropriate ways. They understand your concerns about proprietary information and will work with you to make sure that your information is properly protected. They will provide their Privacy Policy on request and can show you that they live up to it.

Westfield occasionally conducts surveys either directly or through a third party. Our surveys will always be announced as "on behalf of Westfield Marketing Research". Our surveys should never come as a surprise to an Agency. If you receive a survey request claiming to be from Westfield and you are at all suspicious, call us at 1-800-243-2562 or check on Agents Web Passport to confirm the survey.

Hackers are trying to exploit the storms which have been hitting Europe. F-Secure, a Finnish data security firm, announced the identification of the "Storm" email worm in emails with the subject line "230 dead as storm batters Europe." The file attached to the message contains a virus that creates a backdoor into the computer. This allows the hacker to later either steal data or to use the victim’s computer to post spam messages to other victims.

This is part of the growing evidence that hackers are conducting real-time attacks, trying to take advantage of our curiosity and compassion during breaking news stories. Security experts estimate that thousands of computers have already been affected, mostly personal computers. Most corporate systems (including Westfield’s) have already been configured to block this virus, but the hackers know that many personal users are not as diligent at keeping their anti-virus software up-to-date.

  • Do not open unsolicited emails.
  • Keep your anti-virus software up-to-date and run it regularly.

Read this Reuters article for more.

For the past few weeks, we’ve been discussing "spear-phishing" attacks – targeted messages that are highly personalized in their attempts to con you into clicking on their link. This week, we will discuss variations on the “pump-and-dump” stock scam emails.

First, some background. Pump-and-dump scams have been around for as long as there have been stock markets. In this scam, the crook buys shares of some small, low-liquidity stock. He then starts rumors that this stock is “on its way up” and “about to explode on Monday”. The rumors are often crafted to appear to be insider tips. They play on the greed and vanity of the recipients. When the victims begin to invest in the penny stock, the price does go up – temporarily. The scammer immediately sells his shares at the inflated price. After a few days, the price returns to normal and the victims are left holding shares of a stock worth only a fraction of what they paid.

One popular version of this scam is designed to look like a misdirected email. The message starts “Hi. I hope this is your email. It was great to meet you the other day and I hope you’re enjoying New York. The deal I was speaking about yesterday involves a company known as [company name]. It’s already headed up…”

Another opens “Hey, girlfriend. Remember that hot stock exchange guy that I’m dating?” before dropping the fraudulent tip. In both cases, the wording of the “tip” is designed to look like it was intended for someone else and that you got the message because the sender mistyped the email address. In fact, these are mass-mailed spam.

You can read more about this particular scam at www.nasd.com.

Never respond to an unexpected message and never follow the advice of a spammer. It doesn’t matter how good the alleged tip looks. If you’re going to invest in the market, do your homework. Invest in companies with good fundamentals whose business you understand. Don’t invest on “momentum” or insider tips.

Last week, we began a series on particularly targeted phishing attacks – scams using personalization to try to convince you to click on their link. A recently reported case targeted workers at a specific bank and was based on correct email addresses and personal names. The email read:

"Dear John, I am a reporter for Finance News doing a follow up story on the recent leak of customer records from ABC Bank. I saw your name come up in the article from Central News and would like to interview you for a follow-up piece. If you have time I would greatly appreciate an opportunity to further discuss the details of the above article. Regards, Gordon Reily."

The message included what appeared to be a link to the Central News story. The URL included the bank’s name in its characters.

The names in this copy have been changed but the rest of the message is unchanged. Note that there are no misspellings, grammatical errors or typos in the message. It is personalized, professional and has all the earmarks of a legitimate message. This message will sail right through the spam filters.

The message appeals to the natural vanity or curiosity of recipients. A high proportion of readers want to see their own names in print and click on the link.

The link in the email actually took the reader to a website in China. Clicking on the link automatically installed a keystroke logger on the user’s machine. The clear goal was to compromise the computer account of a bank employee – an insider who likely has deep access to accounts and customer information. Hackers know that even if the first employee didn’t have direct access to sensitive information, they can use the compromised account as an entry point to attack other points of the company’s network.

In this case, the bank was able to quarantine its infected computers and blacklist the Chinese website, but similar attacks are occurring every day. Hackers are using increasing sophistication in their attempts to compromise the accounts of employees at financial institutions like Westfield. Never click on the link in an unsolicited email. If you are unsure about the message, forward it to your Security department for investigation.

Read more at CSOonline.