Monday, June 15, 2009

Phishing Toolkits

News-

Use of phishing toolkits on the rise

iTWire, by Peter Dinham, 14 June 2009 

There’s been a huge increase in the use of phishing toolkits, with 42 percent of phishing URLs last month generated using the toolkits, and the emergence of a new trend of phishing attacks towards the popular social networking site, Facebook.

Symantec, in its June phishing report, says it observed an increase in URLs using phishing toolkits during May of 100 percent over the previous month, with a 14 percent decrease in non-English phishing sites compared to February.

The security firm also reports that during May, more than 98 Web hosting services were used, which accounted for six percent of all phishing attacks, which was a decrease of five percent from the previous month.

David Cowings, executive editor security response at Symantec, says phishing sites were categorized based upon the domains they leveraged and “a considerable increase was seen in the number of phishing sites using automated toolkits,” and, he adds, “this increase was a result of a large toolkit attack targeting an information services brand.”

More.......

Posted by at No comments:

Sunday, June 14, 2009

Medical Identity Theft

Medical identity theft is more devastating to the victim than traditional financial identity theft.  This article from the New York Times explains some of the known affects of this crime and the bureaucratic process to fix the erroneous information in medical or health insurance records. 

Medical Problems Could Include Identity Theft

New York Times

By Walecia Konrad, June 12, 2009

Excerpt……

The last time federal data on the crime was collected, for a 2007 report, more than 250,000 Americans a year were victims of medical identity theft. That number has almost certainly increased since then, because of the increased use of electronic medical records systems built without extensive safeguards, said Pam Dixon, executive director of the nonprofit World Privacy Forum and author of a report on medical identity theft.

And uncountable, Ms. Dixon said, are the people who do not yet know they are victims. They may not know that their medical information has been tampered with for months or even years until, as in Mr. Sharp’s case, it shows up in collections on a credit report.

Medical identity theft takes many guises. In Mr. Sharp’s case, someone got hold of his name and Social Security number and used them to receive emergency medical services, which many hospitals are obliged to provide whether or not a person has insurance. Mr. Sharp still does not know whether he fell victim to one calamitous perp who ended up in several emergency rooms or a ring of accident-prone conspirators.

In another variant of the crime, someone can use stolen insurance information, like the basic member ID and group policy number found on insurance cards, to impersonate you — and receive everything from a routine physical to major surgery under your coverage. This is surprisingly easy to do, because many doctors and hospitals do not ask for identification beyond insurance information.

Even more common, however, are cases where medical information is stolen by insiders at a medical office. Thieves download vital personal insurance data and related information from the operation’s computerized medical records, then sell it on the black market or use it themselves to make fraudulent billing claims.

and…..

And there are none of the consumer protections for medical identity theft victims that exist for traditional identity theft. Under the Fair Credit Reporting Act you can get a free copy of your credit report each year, put a fraud alert on your account and get erroneous charges deleted from your record. If your credit card is stolen and the thief goes on a spending spree, you’re not liable for more than $50 worth of the charges.

With medical identity theft, though, the fraudulent charges can remain unpaid and unresolved for years, permanently damaging your credit rating. Under the federal law known as HIPAA — the Health Insurance Portability and Accountability Act — you are entitled to a copy of your medical records, but you may have to pay a hefty fee for them.

Worse, HIPAA privacy rules can actually work against you. Once your medical information is intermingled with someone else’s, you may have trouble accessing your files. Privacy laws dictate that the thief’s medical information now contained in your records must be kept confidential, too.

Even when you are able to correct a record, say in your doctor’s office, the erroneous information may have been passed on to dozens of other health care providers and insurers. Victims must track down and resolve these errors largely on a case-by-case basis, Ms. Dixon says.

More…….

The FTC Red Flags rule require  entities  with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.  This will add another layer of consumer protection against identity theft and greatly expand the reach of the FTC, helping consumers fight fraud. 

I would think that the providers of health care would be the first line of defense in preventing medical identity theft.  The American Medical Association (AMA) is making efforts to persuade the FTC that doctors are not “creditors.”  While the enforcement of the Red Flags rule has been postponed twice (November 2008 – original date, May 2009, and August 2009), the FTC has made it clear (see below:   The “Red Flags” Rule: What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft) that the Red Flags rule is based on each individual business.  Only after considering the definition of a “creditor” and “a covered account” can they determine the type of program that must be implemented, based on the risk of identity theft.  

These are references that relate to the Red Flags rule.  

Health care and the Red Flags rule-

-The “Red Flags” Rule: What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft

The FTC, by Steven Toporoff, May 2009

-Hot Issues Alerts - Law Firms:  Do The FTC Red Flag Rules Apply To You? What Health Care Companies Should Know About The New FTC Requirements To Prevent Identity Theft

The Metropolitan Corporate Counsel, H. Carol Saul and EpsteinBeckerGreen, 1 June, 2009

The FTC  -

Fighting Fraud with the Red Flags rule 

Do-It-Yourself Program for Businesses at Low Risk For Identity Theft

The World Privacy Forum - The Medical Identity Theft Information Page

An unanswered question - Do ID Theft protection services even provide coverage for medical identity theft? 

Posted by at No comments:

Wednesday, June 3, 2009

Why I Fight Phish

Volunteering to help other people comes naturally to me. At a point, I had been researching Volunteerism and came upon this quote: I am only one, but still I am one. I cannot do everything, but still I can do something. And because I cannot do everything, I will not refuse to do something that I can do. Edward Everett Hale, Ten Times One is Ten (1870) The funny (ironically speaking) part of it was that it was a 13-year old boy, Trevor Ferrell of Philadelphia, Pennsylvania that repeated that quote to President Regan as he received a Presidential certificate for Volunteerism. He started out by taking blankets to the homeless on a cold winter’s day and that spark grew into Trevor’s Place. The point is that anyone can make a difference in the life of others and when you volunteer for something, it is better if it is for something you are interested in. This is even true when you apply that interest to learning or work.

Back in 2006 when the PIRT initiative was announced, I knew that it was something that I wanted to contribute my time to. The first reason was that it was in my opinion a great idea: to send out take-down notices for phishing and keep a public repository of the reports. Private citizens could submit email that is only normally deleted, erasing valuable evidence of a crime. Secondly, it was the military MyPay phishes that hit home for me. To target these Soldiers who give up so many things just to serve our country is like a slap in the face. Last but not least, I had the desire and willingness to learn. What I learned from the experience is that even the little guy (a figure of speech - small business owner, forums, personal websites, etc.) needs help from time to time and no one reached out to them in this aspect for free (at that time).

This PC World article highlights Gary Warner’s career up to 2007. It also backs up my claim that even one private citizen can make a difference.

Digital Vigilantes: The White Knight of Phish-Busting

PC World, 24 Dec 2007

Warner is now focusing on fighting cyber-crime full-time and on training a new generation of network forensics investigators. "You wouldn't believe the looks on their eyes the first time they got an email back from a Webmaster saying, 'Thanks for letting me know. I just shut that down.'"

When he spoke with IDG News, it was five days after final exams at the University of Alabama at Birmingham and though it would have no effect on their marks, four students were still coming into the labs to help shut down phishers.

"That idea that as a private citizen, you can help, that's the kind of thing we're trying to inspire," he said.

More………

I am a member at PhishTank and Digital PhishNet (DPN). I do support the Anti‐Phishing Working Group (APWG), just not as member because I do not belong to any of the member organizations or have the required email address. I wish that they would allow independent security researchers that are not a non-profit organization. The APWG does provide expert advice to the little guy.

What to Do if Your Web Site Has Been Hacked by Phishers

APWG, January 2009

You may receive a notice by phone or email from an individual or organization that claims knowledge of an attack. Obtain as much information from the third party as possible, including:

a) The person’s name

b) Name of their organization

c) Return contact information (phone, email, postal address, organization’s web site)

d) Web page(s), including the URL (link) the party alleges to be a phish web site

e) Nature of attack (attempt to steal personal information, to complete a bogus credit card transaction, to obtain user account credentials, etc.)

f) A description of any malicious content that appears to be downloadable from your web site (e.g., spyware)

and……

APWG encourages you to report the phishing site URL to the APWG via the email address reportphishing@antiphishing.org. Reporting to this address will cause most anti‐phishing organizations to receive a notification of the phishing web site. Security products, e.g., anti‐phishing toolbars, will be updated with the offending URL, thus offering protection to thousands, if not millions of potential victims.

and…..

The APWG provides a standard “you've been phished!” redirection page and instructions for its use at http://education.apwg.org/r/about.html. This strategy will prevent further use of the phishing site, keep your customers informed, keep your web site online for real time analysis, and afford you additional time to perform containment actions.

More………..

Even with CastleCops and PIRT gone, there are still ways to fight phishing on a daily basis. The volunteer opportunities do exist as long as the volunteer is interested and willing to learn. If ten people send a take-down request to the ISP for ten different phish, ten fraudulent websites will be able to remove that content, investigate the crime, and update their servers. If a modest estimate that each phish could have led to twelve cases of ID Theft, 120 people could be spared this. Ten Times One is Ten.

Posted by at 1 comment:
Subscribe to: Posts (Atom)