Tracking the Password Thieves

wiredog writes "From The Washington Post, yet another story about phishers, keyloggers, and viruses. The story is nothing new, but the author has a blog where he describes how he gathered the information that went into the story. Information including the locations of the victims, and the ISPs likeliest to be hit. Some of the victims included "an engineer for the Architect of the Capitol" and a man who "works in computer security for IBM." One victim "was fresh out of college, where he'd just earned a degree in information security. (He was actively looking for a job in the field; I suggested he may want to go back to the classroom.)" A compromised machine was also found in "the new accounts department at Bank of America" (Score!)"

Glad we picked the winner!

[phorest]

Comcast!

Re:A list could be good

[Sunburnt]

A list of vulnerable ISPs may help encourage those ISPs to help change.

Not so much as a series of lawsuits.

Re:A list could be good

[geoffspear]

I doubt it's the ISPs' fault; looking at the list it seems plausible that the "most likely" to be hit are simply the largest ISPs, so you'd expect the largest numbers of affected users to be using those ISPs.

Besides, if 2 supposed "network security" people got hit, do the ISPs really have any hope whatsoever in trying to educate their users to avoid phishing?

Re:

[Sunburnt]

if 2 supposed "network security" people got hit, do the ISPs really have any hope whatsoever in trying to educate their users to avoid phishing?

I bet we'll get to find out if they get successfully sued over it. I'm not saying it's a good idea, BTW. Just saying that it would be a more likely motivator of action than the parent's suggestion of public naming. Hasn't the lesson of the 21st century thus far been: "public opinion's attention span regarding corporate negligence and malfeasance is too trivial f

Re:

[dgatwood]

A large percentage of those phishing sites are hijacked computers, themselves. Aggressive takedowns means educating sysadmins about securing their (mostly Windows) servers against attack.

Want to know how to really stop phishing? Make it unprofitable. Since it would take a decent amount of time to set up a server to provide phishers with data, it's an invetment. Thus, unlike spam zombies, they can't move from machine to machine as quickly, and generally, the site is discovered and shut down long before

Re:

[Synchis]

Besides, if 2 supposed "network security" people got hit, do the ISPs really have any hope whatsoever in trying to educate their users to avoid phishing?

I went to school with people who proved that you can do a college course and PASS without ever learning a single darn thing. Having a diploma or a degree is not always the best measure of knowledge in a particular field.

Re:A list could be good

[Balsamic Moon]

"Likeliest to be hit" is a mislable. It should read "ISP's inept users" who allow themselves to become vunerable due to ignorance or carelessness.

This isn't some war between ISPs. The graph shows clearly what ISP had the most victims due to this virii. But even that isnt conclusive of anything because of the quantity of overall customers isnt revealed. Yeh sure we can say Comcast has the most, but they surely have more customers overall than say, oh Qwest.

Re:

[danpsmith]

"Likeliest to be hit" is a mislable. It should read "ISP's inept users" who allow themselves to become vunerable due to ignorance or carelessness. This isn't some war between ISPs. The graph shows clearly what ISP had the most victims due to this virii. But even that isnt conclusive of anything because of the quantity of overall customers isnt revealed. Yeh sure we can say Comcast has the most, but they surely have more customers overall than say, oh Qwest.

I'm not so sure that what you are saying is true.

Re:A list could be good

[russ1337]

You might still start to get spam, if someone on your list has a compromised address list or computer.

I've often thought of generating some kind of unique e-mail address for each of my friends, to detect if my e-mail address has been compromised by them (or their PC). e.g:

asdf2344ks@gmail.com for my emails to Tom
oieo116i2k@gmail.com for my emails to Liz

The idea is they reply to that address, and mail to these addresses would aggregate to my inbox. If one of those email addresses starts to get spammed, I'll have an idea of who's responsible, change the address for them and see if it continues. After it happening a couple of times I could inform them that they may have a compromised computer and help them out etc.

I just dont have the time to implement such a scheme and rely on Gmails spam filtering which i think is pretty good.

Re:

[stephanruby]

"I've often thought of generating some kind of unique e-mail address for each of my friends, to detect if my e-mail address has been compromised by them (or their PC). e.g:
asdf2344ks@gmail.com for my emails to Tom oieo116i2k@gmail.com for my emails to Liz"

This service already exists. It's been around for a while. It's free. You only need to remember a chunk of your username, and make up the rest (instead of making up the rest of the name, I use the name of the actual site I leave my information with).

ISPs most likely to be hit

[DarkLegacy]

That chart simply looks like a demographic on the amount of users currently using those ISPs. As with spyware, it makes sense of course that the biggest population will be hit the hardest. That's effectively why alternative operating systems are impenetrable to virii and other nasty things. They aren't looked at by the majority of the 'bad people' out there. :P

Re:

[danpsmith]

That chart simply looks like a demographic on the amount of users currently using those ISPs. As with spyware, it makes sense of course that the biggest population will be hit the hardest. That's effectively why alternative operating systems are impenetrable to virii and other nasty things. They aren't looked at by the majority of the 'bad people' out there. :P

That's true, and I understand this argument as it is a familiar one. However, some systems make inherently insecure choices and are slow or late to

Re:

[Sunburnt]

it also helps if you design the code based on security from the beginning instead of attempting to bolt-on security like it's another feature when it definitely isn't.

Or "letting the market handle it" by allowing your company's [microsoft.com] incompetence to effectively subsidize a third [symantec.com]-party [mcafee.com] industry possessing only marginally more competence.

Re:

[maxume]

Has any other os been deployed so widely in a user-managed, hostile network environment? Windows may very well be shitty shitty shitty, but there isn't any reason to conclude that there is actually something out there that isn't shitty shitty shitty.

So you say that "security" does not exist?

[khasim]

Windows may very well be shitty shitty shitty, but there isn't any reason to conclude that there is actually something out there that isn't shitty shitty shitty.

Windows has a specific security model designed and implemented by Microsoft.

Microsoft's choices have been disparaged by security professionals for YEARS because they violate the BASIC rules of security.

Ubuntu follows the basic rules far better than Windows. Ubuntu is far more secure than Windows.

There are different categories of threats and each cat

Re:

[maxume]

If a tree falls in the for.. No wait, if a system has not been as widely deployed as Windows, is it worth comparing the security trade offs that have been made? "Better security" is only a feature if you are actually interested in using it, something which hasn't really been shown to be true. (OS X seems to be doing o.k., but it only has to be a little more secure than Windows to not be an interesting target).

Like, DUH!

[khasim]

No wait, if a system has not been as widely deployed as Windows, is it worth comparing the security trade offs that have been made?

Well DUH! Of course it is.

We have this thing called "The Internet" now which means that machines can be scanned and cracked 24/7.

"Better security" is only a feature if you are actually interested in using it, something which hasn't really been shown to be true.

Hmmm, I guess that the sales or McAfee and Norton anti-virus are not real then.

Re:

[maxume]

The point I am failing to make is that the sales of antivirus, while they are probably due to design flaws in Windows, they might be due to trade offs that are necessary in order to get normal people to use computers. Until there is another system with hundreds of millions of users that just want the computer to work and be easy, the 'necessary trade off' side really can't be disproved.

Re:

[Kadin2048]

I'd say that Linux-based webservers have withstood at least the same (or worse) adversaries and attacks that are plaguing Windows systems, and fared a whole lot better.

Although there are probably more home PCs than servers, the servers are much bigger targets. Until very recently, it wasn't that common to find a home PC that was sitting on a really fat pipe 24/7. Servers, practically by definition, have loads of bandwidth available. If you think that somebody's crappy Windows box getting turned into a spam

Re:

[maxume]

Servers generally have 'competent' admins. Or a firewall policy. Everything you say about the resources available is true, but the weak link on home systems is generally weaker.

Re:

[thrawn_aj]

Also, if hackers are geeks and geeks have an inherent tendency to go Linux, they would be idiots to mess up their own world by writing Linux virii :P. So, I would say (even though I'm a windows user), that the Mac seems to be the most secure =D as whatever Mac users are, "geeks" they ain't :P.

Re:

[Stanistani]

>That's effectively why alternative operating systems are impenetrable to virii and other nasty things. They aren't looked at by the majority of the 'bad people' out there. :P

Ya know, I'm glad that was modded insightful, 'cause I don't think anyone's ever made that point on /. ever before...

Naah, just kidding! You're all right.

"Impenetrable?"

[Rob T Firefly]

That's effectively why alternative operating systems are impenetrable

I don't think that word means what you think it means.

Re:

[eMbry00s]

Like linux servers [netcraft.com], then? No, wait - that just ruined your insinuation that the reason linux is secure is obscurity.

Anyways, with ISPs I would say the demographies are pretty equal (though I have no facts to back that up) - which means the amount of trojans per ISP would rise as the number of users increases.

Re:

[samotano]

A simple incidence rate like (# attacks)/(total users) for each IP would have been much more informative.

Re:

[ericlondaits]

No, you're wrong.

Mapping from an external IP to an internal LAN IP is called NAT. NAT shouldn't be used as a substitute to a real firewall, though you'll find many people who think of NAT as a security measure.

Re:

[pilgrim23]

So the gaping holes in Microsoft products, that any 16 year old with a few hours reading of a VB manual could exploit has nothing to do with it?
Submarine one: "We are sinking because we are the most popular submarine.
Submarine two: "uh, guy.. Try shutting your hatch"

Re:

[PrinceOfStorms]

Except that Submarine One got to be the most popular submarine by giving people what they wanted, namely a convertable submarine that allows all the sunshine in and saves all that hatch opening/closing time. If Submarine Two wants to be the most popular submarine, they're going to have to offer the same "feature".

Re:

[HomelessInLaJolla]

Submarine One got to be the most popular submarine by giving people what they wanted

Editorial suggestion: "Submarine One became the most popular submarine by advertising that everyone should want a submarine at a time when most people didn't know what a submarine was. The advertising was paid for using taxpayer money which was allocated in the form of research grants, business subsidies, and government backed low interest technology sector loans."

In short... a scam.

Re:

[UbuntuDupe]

If you're referring to Linux, that's just not true. Certainly fewer home users have Linux, and those users are generally better-informed about security. However, the bulk of the security comes from a better design[1]. For one, regular users do not have the equivalent of Windows "admin" privileges. Also, the components are more de-coupled. Knowing how to crack the web browser does not automatically imply knowing how to exploit the word processor, or how to hijack all CPU cycles. Critical directory path

Word ordering people!!!!!!

[woolio]

That's effectively why alternative operating systems are impenetrable to virii and other nasty things.

No, no no no. Did you not intend:

That's why alternative operating systems are effectively impenetrable to virii and other nasty things.

The words of ordering make a difference!

Re:

[A_Non_Moose]

As with spyware, it makes sense of course that the biggest population will be hit the hardest.

Target rich environment, eh?

So goes the old addage "One million chinese people can't be wr^H^Hinfected, can they?

Or, "give a man a phish, and his accounts will be emptied, teach a man to phish and we'll hunt your dumb ass
down too!".

Re:

[Random832]

Try using actual well-formed HTML - a <p> tag at the START of your first paragraph, followed by a </p> at the end and a <p> at the start of the second one, etc.

Or you could just do the easy way and type two line breaks with the enter key, if you're using "plain old text".

Looking at the Distribution Map

[Gryle]

It would appear that nobody in South Dakota has an identity worth stealing. That's gotta hurt your pride.

I'm wondering...

[wiredog]

Who the one guy in Southwest Utah is. My Dad lives there...

Re:

[LilGuy]

That's because I moved to Iowa.

AOL is at the bottom of the list

[Frosty Piss]

Interesting how AOL is at the bottom of the list of ISPs likeliest to be hit [washingtonpost.com]. Who would have thought.

Re:

[gEvil (beta)]

Either their customers are still busy trying to get onto the internet in the first place, or those spyware/adware tools that they've been shoveling are actually doing some good...

Re:

[vertinox]

What so surprising about not targeting a group that can't even figure out how to connect to the internet much less figure out they even have online banking?

Re:

[networkBoy]

Besides they're all pwned as open relays and proxies.
-nB

Re:

[Anonymous Coward]

AOL users being mostly dialup users likely has something to do with it. It's much easier for the phishing spyware to work when it has an active internet connection with which to report back. Even your most clueless AOL user would likely realize something is up if their computer "randomly" connected to the net all by itself.

Even if their thing only works when the user is already online, you need to get it to the person to begin with. Sending the payload over dialup may not be feasible.

Re:

[clickclickdrone]

Probably because AOL have almost no customers anymore and those they do have can't find the on/off switch so the scammers know they're not going to get anything useful.

Re:

[clickclickdrone]

Well now, say what you want about AOL quality, but that's just bullshit.

Ya don't say?

It's the Russian mafia! Ahhh!

[PsEvo]

Charts are nice and all, but I would life to see more work done to prevent this. Or perhaps, don't let idiots use the computer (computer license). It's the only way! The biggest security hole in computers isn't the computer, but the user. :(

Re:It's the Russian mafia! Ahhh!

[geoffspear]

The problem is that you apparently need to make the requirements to get a "computer license" more stringent than those required to get a job in network security at IBM or a degree in information security. Good luck legislating that when you're going to have to take away the computers of everyone in Congress and all of their staff.

Re:

[Pollardito]

The problem is that you apparently need to make the requirements to get a "computer license" more stringent than those required to get a job in network security at IBM or a degree in information security. Good luck legislating that when you're going to have to take away the computers of everyone in Congress and all of their staff.

take away their computers, are you mad? but how will they get the internets that their assistants send them through the tubes?

Re:

[LighterShadeOfBlack]

Charts are nice and all, but I would life to see more work done to prevent this.

Agreed.

Or perhaps, don't let idiots use the computer (computer license). It's the only way! The biggest security hole in computers isn't the computer, but the user. :(

And mugging and theft are up in my neighbourhood. It's all these old people. There should be a licence for walking the street! The biggest reason for crime is people who can't put up a fight. Euthanasia at 60 is the only way! :(

Seriously though, users should definitely be educated on computer security wherever and whenever possible (ie. as a fundamental part of job training and IT education in schools). But any talk of computer licences is ridiculous.

Re:

[protected_static]

But any talk of computer licences is ridiculous.

I would have thought so as well, had I not seen how Britain's TV tax [bbc.co.uk] unfolded a few years ago. I know the two situations aren't entirely comparable, but still... Many countries charge license fees for television access - how much of a leap would that be to internet access?

Re:

[geoffspear]

I'm fairly certain that the British don't need to prove they're not too stupid to watch TV to get a TV license, though, so what you're talking about has nothing whatsoever to do with that OP is suggesting.

Re:

[protected_static]

Nothing whatsoever? No, there's no user test for TV, hence my saying that they "aren't entirely comparable." But where I think you're missing the point is that it would be relatively trivial for a government to impose a licensing scheme upon users, therefore making the idea not quite so 'ridiculous.'

I mean really, what would the test consist of? How about a series of check boxes attached to your tax/license form stating that the user understands that they need to install anti-virus software/not click on

Re:

[Moofie]

"it would be relatively trivial for a government to impose"

That phrase gives me the screaming wiggins. ANY government imposition is, by definition, not trivial.

Re:

[protected_static]

I didn't say that I was in favor of such a scheme; just that it would be fairly easy for a government entity to implement...

Re:

[pipingguy]

Why are there not computer/internet security PSAs on television?

What exactly were they doing or not doing?

[ect5150]

While the above information in the article and above links is interesting, and you can sure feel for the victims, I'd be more interested in knowing what the individuals were or were not doing that allowed the viruses/hackers/keyloggers on the systems. Do these individuals/corporations not run behind a firewall? port blocker? run anti-virus software? run anti-spyware?

I'm not the end-all-be-all security expert, but when I help individuals set up a 'net connection, I make sure all firewalls are on (or the r

Re:

[Anonymous Coward]

Do these individuals/corporations not run behind a firewall? port blocker? run anti-virus software? run anti-spyware?

The summary says that a machine was compromised at the Bank of America, though from my reading it seemed to just say at a bank. I happen to have some insight into Bank of America specifically. They run firewalls and configure IP access limitations on machines and run and expensive intrusion protection system that searches for this type of thing on their network. None of those, however, will stop a user from bringing an infected MP3 player into work, or in some cases installing software on their workstatio

Re:

[LilGuy]

I do this as well, not for their benefit but for mine. I don't want calls at 2 in the morning complaining that the computer is a slow piece of crap and I need to come fix it. I set them up with the tools, let them know what they're for, and tell them that any additional support will cost them money.

Seems to work out well.

Re:

[borkus]

It sounds like people opened one bad attachment and that was it. It's easy to blame them for that, but people get personal e-mail with legitimate attachments all the time. All it takes is one mistake to infect your PC. Also, the malware these days often does some devious things -

*Often, the software uses your copy of outlook to hit other people in your address book. Consequently, the infected messages often come from a trusted source - bypassing spam filters as well as the recipients normal level of sus

Re:

[jerkychew]

Read the article; The virus that he back-tracked was sent via email. You can have all the firewalls in the world and your mail servers can be locked down tighter than my mom, but all it takes is one user with IE and a Hotmail account.

Re:

[cyberbob2351]

The botnet problem is a little worse than you may think....And it is these botnets that are allowing such rampant system compromise.

First of all, recognize that botnet malware evolves at a pace in which it is rather difficult for the antivirus vendors to keep up with. All it takes is a download of phatbot, a little code hacking to ensure it is just perfect for your uses, and then you run it through a packer. You won't preserve the same md5sum of course once your binary is customized, so the only other way

Re:

[evought]

According to 2005 FBI Internet Crime Report [ic3.gov], almost all surveyed companies used antivirus, antispyware, firewalls and antispam software. The article also says that many victims in this case were as well. I have also had a Win2K box compromised that was very well protected; malware detectors and updates do not work against new exploits. I generally run Linux and Mac systems, and, although there are many fewer threats, I have them protected to the nines. In this case, as others mention, it is the human eleme

"Likeliest"

[mwvdlee]

"Likeliest" is a perfectly cromulent word.

Ouch...

[wiredog]

But "which are most likely" seems a bit stilted. For a /. write-up, that approaches the "and then there's Albania" [washingtonpost.com] style of writing.

Re:

[soliptic]

I don't get it. If you're trying to imply "likeliest" is not a perfectly cromulent word, I'm afraid you're wrong, it definitely is a real word [reference.com]. If there's no sarcasm / tongue in cheek and you do literally wish to point out the word does exist, I don't understand why you'd pick on "likeliest" instead of any of the other words they used which do exist :)

Good school for "Information Security" ??

[moeinvt]

I suggested that one of my relatives look into computer security as a career.

Any recommendations from /.ers on a good school for studying this?

Re:

[gEvil (beta)]

Any recommendations from /.ers on a good school for studying this?

DeVry

Re:

[east coast]

Hey don't put down DeVry. When I went there it was a great school... oh, wait....

Did you major in arrogance?

[Digital Vomit]

One victim "was fresh out of college, where he'd just earned a degree in information security. (He was actively looking for a job in the field; I suggested he may want to go back to the classroom.)"

Because college creates people who are perfectly skilled at a certain field...

Re:

[Sunburnt]

Because college creates people who are perfectly skilled at a certain field...

It damn well better, for $120,000+ in some cases. After all, isn't that the assumption made by a thousand idiot HR folks every day? /sarcasm

Re:

[Jimbitz]

To bad that person ain't that skilled in Information Security..
I wonder if microsoft would hire him. [/sarcasm]

Re:

[Jimbitz]

Go and report it to your nearest police station Anonymous Coward.

Poison their lists

[Martin Spamer]

The corps that are targeted for login credentials should poison the phishers lists while they are waiting for the phishers ISP to take them down.

When the poison credentials are used by the phisher the targeted corp should use their source ip and browser fingerprints help identify other compromised accounts logged in from the same source. Places like banks and pay-pal could also this information to freeze compromised accounts more quickly.

Trojan != Virus

[tyler.willard]

"...a hidden software virus that recorded his every keystroke."

Yeah I know, everybody files all malware under 'virus'; but since the article comes off as somewhat technical it would be nice if this detail was correct. Keyloggers are almost always* trojans, not a viruses.


*The only reason I say "almost always" is because it would technically be possible to put keylogging functionality in a virus.

Re:

[tyler.willard]

Yeah I RTFA...and the email virus was just a vector for keylogging trojan it dropped.

Re:

[tyler.willard]

Actually, the FA doesn't mention an email.

hacking/phishing/logging != stealing, called fraud

[plasmacutter]

let's use proper diction here..

i'm getting really tired of everything under the sun being called "theft". It just allows certain other interest groups to keep implying greater moral bankruptcy than actually exists.

a more proper term would be "fraud".

Re:hacking/phishing/logging != stealing, called fr

[/dev/trash]

Taking my money without permission is theft. T-H-E-F-T

those likely on computers are vulnerable ;)

[swschrad]

something like a java real time hack respects no particular OS, assuming it has the ability to speak back to the internet.

Compromised machine in Bank of America

[Numbah One]

That machine is probably secure unless the phisher speaks Spanish.

There are no threats

[ehaggis]

Outside of the United States (at least according to the maps.)

I don't want preinstalled LINUX

[ps3udonym]

I want preinstalled NOTHING. That is it, just nothing. No windows, no shovelware, no headaches and no anoyances of paying for crap I don't want, and won't use. Just give me the option to have a empty hard drive ON ALL MODELS.

Seems simple enought to me. Then you can install what you like on it. I am sick of buying a new copy of a OS I already own again and again just to feed the MS machine.