Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

AfterBites: Parking Ticket Social Engineering

(This column is one of what I am going to call "afterbites" - extended random commentary on topics raised in SANS' Newsbites column. As some of you know, I am one of the volunteer editors/commenters on the weekly Newsbites and it probably won't surprise you to discover that sometimes the discussions we have on the editors' mailing list can get - interesting. Usually, there's not enough space to rant at length, so I'm going to periodically fire unaimed salvoes from the safety of my blog, here.)

The story:

Parking Tickets as Cyber Attack Social Engineering Vector
(February 4 & 5, 2009)

Cyber criminals in Grand Forks, North Dakota planted phony parking
violation notices on cars. The notices direct the users to a website
for more information, which leads the users through a set of links
that downloads malware onto their computers. That malware then urges
users to download an anti-virus scanner that is worthless.
http://www.techweb.com/article/showArticle?articleID=213200005&section=News
http://news.bbc.co.uk/2/hi/technology/7872299.stm
http://isc.sans.org/diary.html?storyid=5797

A few years ago, I was sitting in a hotel bar at a security conference, matching my tequila-drinking skills against all comers, when we got to discussing the next generations of identity theft attacks. One of the ideas I suggested was related to what we see above, and I'm really unhappy to see that The Bad Guys are showing no sign of stopping their creative engines.

My idea was simply to have an onion-routed dead-drop and encourage kids to bicycle around wealthy neighborhoods and rummage through mailboxes looking for bank account and brokerage statements. Take them home, scan them, and Email a PDF to the dead drop, and you'll get a payoff in the mail, in the form of something valuable purchased for you on Ebay, (doubtless, using a stolen Paypal account) paypal, or WoW cash. The attackers could recruit kids by targeting Emails based on searching myspace. Having a paper bank statement would allow the attackers to open Paypal accounts and - in many cases - enable online banking for accounts based on the account number and mailing address. There are lots of variations one could employ around this theme, but basically they would all take advantage of the observation that a lot of banks and brokerages still assume the mail is safe. Which, if you think about it for a second, is patently absurd. I could have a dozen crack addicts rummaging mailboxes in Washington, DC, in 24 hours; it's a relatively safe attack vector for the mailbox-exploiter and completely safe for the remote exploiter.

Where does this all lead us?

Eventually scammers are going to force the online financial industries to radically re-think how they do authentication. They will no longer be able to assume that there is a "split" between online and offline transactions; I'm not sure where that leaves us.

I do my banking at a small local bank. One that is so unsophisticated that their online banking scheme required only account + last-4 digits of social to enroll. The branch manager was surprised when I was suddenly clutching my temples and banging my forehead against the teller's counter-top. After we'd cleared everything up, the branch manager and I came up with a list of operations that my account is flagged to only allow if I, personally, walk into the branch and show ID. My guess is that that's where the end-game lies. I expect that banks, brokerages, etc, will offer a customer a menu of options regarding what can be done and how.

Frankly, I'm amazed that nobody seems to have (yet) hit upon the idea of being able to tell a credit card company "only authorize purchase of goods that are being shipped to my home address." Or "I only apply for credit by appearing in person." By having a menu of options. there's now a good chance that a Bad Guy will stumble across denied options (thereby flagging the account!)   I can't wait for the day when some bank says "no transactions allowed from computers running Internet Explorer."

I'm depressed and disgusted by the rapidity with which humanity has brought all of its worst behaviors into cyber-space.

Related Posts

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,190.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.