
Wednesday, March 07, 2007

The rise of identity theft

A study from the research firm Gartner suggests a sharp increase in identity theft incidents since 2003.

Facts:
  • 15 million Americans were victims of identity theft between mid-2005 and mid-2006.
  • The average loss per case of identity theft was US$3,257 in 2006, compared with US$1,408 in 2005.
  • Only 61% of the lost funds were recovered in 2006.

Channels used for identity theft:
  • Internet auctions
  • Non-regulated money transmittal systems
  • Fake lottery contests
  • Others

Read more from here.

Monday, November 13, 2006

Unauthorised tapping into home WiFi - Teenager faces a jail term

Imagine tapping into a neighbour's home wireless (WiFi) connection with your laptop to access the Internet. You may end up in jail.

A Singaporean teenager is the first person to be charged in Singapore under the new law, the Computer Misuse Act, for tapping into (gaining unauthorised access to) another person's home WiFi. The affected neighbour made a police report against him over the incident.

If convicted, he faces up to 3 years in jail and a fine of up to S$10,000. That is very expensive compared with applying for and installing your own Internet access.

For more reading, refer to TheStar (12th November 2006) and NST (12th November 2006).

Question:
Whose responsibility is it to secure home WiFi systems: the owner or the service provider?

Thursday, October 26, 2006

Online Brokerage Fraud - Millions of dollars lost

The two largest e-brokerage companies in the US, E-Trade Financial and Ameritrade, reported online brokerage fraud by computer criminals that caused millions of dollars in losses.

Some of the interesting facts:
  • Estimated losses are $4 million and $18 million for Ameritrade and E-Trade Financial respectively.
  • Much of the fraud occurred overseas while clients were using public computers infected with spyware or wireless connections. User IDs and passwords were stolen.
  • Fraud committed against E-Trade customers appeared to be concentrated in Thailand and eastern Europe.
  • Hackers are increasingly turning their attention to financial services firms.
  • Identity theft
Read more at www.ecommercetimes.com (25th October 2006).

Monday, October 23, 2006

Internet Security Threats - Their Changing Faces (Part 2)

This is part 2 of the Internet Security article from www.ecommercetimes.com.

Among the facts:
New Threats:
  • New malicious programs increased by 8%, with more Trojan applications aimed at stealing information and e-login credentials.
  • The use of rootkit malware, which lets an attacker hide malicious activities and programs, is also on the rise.
  • Another threat is holding data hostage: a program modifies data on the victim's machine and the user is then blackmailed.

Prevention:
  • The need for fast, efficient and unobtrusive protection has led some security systems developers to become managed security service providers (MSSPs), which offer broader security management services beyond delivering patches and system updates.
  • These services include internal and external vulnerability scanning; threat intelligence to identify emerging exploits; richer correlation of asset data with vulnerabilities, threats and attacks; and blocking or shielding capabilities to stop attacks.


Read more on this article -
The Changing Faces of Internet Security Threats, Part 2

The previous entry on Part 1 is available here.


Monday, October 16, 2006

Internet Security Threats - Their Changing Faces

An interesting article on the changing faces of Internet security threats, related to Lecture 4 (E-Commerce Security).

Among the facts are:
  • Analysts estimate roughly 75 percent of all security attacks are targeted at applications.
  • However, only 10 percent of enterprise security spend is focused on application security. (This shows the potential for attacks that enterprises will encounter.)
  • Demand for third-party security management services, as well as for systematic security risk-profiling and management solutions, continues to grow.
  • The need to protect applications and data resources more proactively is also driving the development and application of heuristics -- that is, empirical, judgment-based rules for intrusion detection and prevention -- and other forms of artificial intelligence in security products and services.
You can read more in this article: The Changing Faces of Internet Security Threats (ecommercetimes.com).


Coming Soon:
Part 2: Evolving Threats and the Rise of Managed Security Service Providers


Wednesday, October 11, 2006

Internet Banking scam in Malaysia: 13 youths nabbed

There are multiple news reports available in TheStar, NST and TheSun on this story today.

This is related to e-commerce security and crime - Lecture 4.

Key points from these stories:
  • Phishing
  • 26 people were conned out of RM36,000 at a single bank.
  • 13 suspects, between 18 and 25, have been described as computer experts with several hackers among them.
  • Four of the suspects were college and university students.

For more reading, this is from NST:

A group of computer-savvy youth was nabbed recently after scoring a first of sorts for phishing.

Phishing uses email and fake websites to lure Internet users into providing their personal banking details, which are then used to steal from their accounts.

This group of 13 is believed to have conned at least 26 people by using their particulars to steal more than RM36,000 from their accounts in two weeks.

All 26 victims had accounts in one particular local bank and it was the bank that notified police of the fraudulent transfers.

Following the report, police monitored several homes and cybercafes in three states.

After two weeks of checks, they nabbed 13 suspects, including a woman, in Kelantan, Selangor and here.

The suspects, between 18 and 25, have been described as computer experts with several hackers among them.

Commercial Crime Department assistant director ACP Ismail Yatim said four of the suspects were college and university students.

"The 13 are skilled in different areas and they joined forces to steal confidential data from unsuspecting victims.

"The losses reported may have been bigger if the bank had not been alert in detecting the fraudulent transfers."

Police believe this may only be the tip of the iceberg as more reports were expected.

It was learnt that several of the suspects had the ability to hack into the computer systems of leading firms in the city. Checks revealed that the group used a foreign server and police were trying to ascertain if they had international connections.

The group preyed on those who used Internet banking, sending account holders emails asking them to update their accounts.

In that same email, links would be available for the victims to click on and a new web page would open revealing a web site similar to the bank’s internet login site.

The unsuspecting victims would login, unknowingly giving their usernames and passwords, which would be sent to a decoy website set up by the group.

Using the confidential information, the group would access the victims’ accounts and transfer funds to another account before withdrawing them.

"We believe there are still groups out there actively involved in such scams," Ismail said.

He urged account holders to check with their banks upon receiving notifications to update their accounts.

Meanwhile, four people were cheated by a group, which sent them text messages claiming they had won cash prizes and obtained their bank account details.

They then made online withdrawals totalling RM7,000.

The group had imitated a similar group of scam artists, who had cheated 36 fans of the reality show Akademi Fantasia.

The victims were told to call a phone number and asked to reveal their Internet banking account details, including their pin number, on the pretext of depositing their winnings.

The victims’ accounts were then cleaned out.

Police have so far received four reports — three from Kuala Lumpur and another from Sabah.
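The NST story above describes the lure step by step: an e-mail asks the account holder to "update" the account, the link opens a page that looks like the bank's login site, and the credentials go to a decoy server. The following is an added example (not from the post or the newspaper) of the check a bank's abuse team or a mail gateway can run on the links in such a message. The bank domain examplebank.com.my, the sample e-mail and the addresses in it are constructed placeholders, and the rules are the ones implied by the article: a genuine link lands on the bank's own domain over HTTPS, and anything that merely contains the bank's name elsewhere in the URL is treated as suspicious.

```python
import re
from urllib.parse import urlparse

# Constructed placeholder for the bank's real domain; not a real bank.
BANK_DOMAIN = "examplebank.com.my"

# Pull href targets out of an HTML e-mail body.
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def under_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_link(url):
    """Return (verdict, reason) for one hyperlink that claims to lead to the bank.

    The checks mirror the lure in the article: the link must actually land on the
    bank's own domain, over HTTPS, and nothing else in the URL should be relied on
    just because it looks like the bank's name.
    """
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https") or not host:
        return ("suspicious", "not an http(s) URL")
    # user:pass@host syntax puts a convincing name before the real host.
    if parsed.username is not None:
        return ("suspicious", "credentials in URL authority")
    if under_domain(host, BANK_DOMAIN):
        if parsed.scheme != "https":
            return ("suspicious", "bank domain but plaintext http")
        return ("legitimate", "bank domain over https")
    if BANK_DOMAIN in host:
        return ("suspicious", "bank name embedded in a foreign host")
    if IPV4_RE.fullmatch(host):
        return ("suspicious", "raw IP address instead of a hostname")
    return ("suspicious", "host not owned by the bank")


def scan_email(body):
    """Classify every link in an e-mail body; returns [(href, verdict, reason)]."""
    return [(href,) + classify_link(href) for href in HREF_RE.findall(body)]


# Constructed sample message with one genuine link and three lookalikes.
SAMPLE_EMAIL = """
<p>Dear customer, please update your account details.</p>
<a href="https://login.examplebank.com.my/update">Update now</a>
<a href="http://examplebank.com.my.account-check.example/login">Update now</a>
<a href="https://192.0.2.10/examplebank/login">Update now</a>
<a href="https://examplebank.com.my@198.51.100.7/">Update now</a>
"""

if __name__ == "__main__":
    for href, verdict, reason in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:10s} {reason:40s} {href}")
```

Only the first link in the sample is accepted; the other three fail for different reasons (the bank's name used as a subdomain of an unrelated host, a bare IP address, and a fake "user name" placed before the real host). The same logic, run on the landing page's own address, is the check the article's advice amounts to: confirm that the login page really is on the bank's domain before typing anything.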

Wednesday, July 26, 2006

Organisations Not Doing Enough to Secure Data

A new survey shows that organisations are not doing enough to prevent IT data breaches and the loss of "sensitive" data.

The survey is based on interviews with 359 executives responsible for security, compliance, risk management and legal issues at large organisations in North America.

Facts highlighted:

  • A total of 94 percent of respondents reported having no visibility into how many e-mail messages containing confidential or private information were leaving their organization each month or believed that some leaks were occurring.
  • Only 6 percent reported no information leaks.
  • A total of 80 percent of participants reported having information leaks -- through e-mail or other electronic channels such as Blackberrys or HTTP links -- or admitted to having no visibility of leaks that occurred within their organization last year.
  • About 17 percent were afraid to know how many leaks they had.

It is not just small companies that lag behind with security measures. The world's biggest employer, the U.S. government, has performed poorly in this area of content security.

Click here for more reading.




Spamming list - US at the top

According to the most recent "Dirty Dozen" report from security firm Sophos, the United States is the nation that leads the world in terms of how much spam passes through its e-mail networks.

Some interesting facts:
1. United States - 23.2% of world spam.
2. China - 20%
3. South Korea - 7.5%

  • While the United States accounts for the highest spam output as a country, together China, Hong Kong, South Korea, Japan and Taiwan account for almost half of the worldwide spam output, making Asia the top offending continent with 40.2 percent of all spam.
  • Europe surpassed third-place North America, rising to the second position among continents, with a marked rise from the first quarter of 2006 due to increased zombie activity.
  • South America ranked fourth with 5.5 percent while Australia and Africa tied for fifth with 0.7 percent each.

How it works:
The vast majority of spam is relayed by "zombies," also known as botnet computers, which have been hijacked by Trojan horses, worms and viruses, according to Sophos. Once the hackers take control of the infected computers, cyber criminals can use them to blast out spam messages.

Legal implications so far:
Although there have been a few high-profile prosecutions of spammers, the spammers' risk versus reward analysis still weighs heavily on the reward side.

More reading on this article.


Thursday, June 22, 2006

Celcom to expand its 3G coverage

Celcom is expected to expand its 3G services coverage to cover the whole country by July 15 this year.

Its 3G service currently covers the major urban areas, such as the capital, Shah Alam, Johor Baru, Ipoh, Alor Star, Kota Kinabalu and Kuching. There are 100,000 subscribers to the service now (up from 45,000 3G subscribers at the end of 2005). Celcom is also targeting 150,000 3G subscribers by year end, an increase of 233% over the end-2005 figure.

To fend off competition, as well as upcoming technology such as WiMAX (Worldwide Interoperability for Microwave Access) - a rival wireless broadband platform - Celcom said it is looking at upgrading its 3G network to HSDPA (High Speed Downlink Packet Access) standard.

It has already started its HSDPA trials and this is scheduled to end late next month.

HSDPA enables much faster data download speeds (at least 4 times faster) on 3G networks than is possible now. What takes minutes to download now will take only seconds with HSDPA, said Celcom. This will be a boon to corporate users who need to send and receive extensive files on their mobile devices faster.

The only catch is that consumers will need to change their 3G phones and PC datacards to enjoy the benefits of HSDPA technology.

Celcom has selected six Klang Valley sites for its HSDPA trials: Suria KLCC, Mid Valley, Berjaya Times Square, Bangsar, Menara Celcom and Menara TM.


Source: TheStar InTech, (20 June 2006, page IT27)


Friday, June 09, 2006

Spammer Agrees to $10 Million Settlement

Ryan Pitylak, 24, one of the world's most notorious spammers and a recent University of Texas graduate, has admitted sending 25 million e-mails every day at the height of his spamming operation in 2004. At one time, Pitylak was listed as the fourth-worst spammer in the world.

How he earned money from spamming:
Pitylak's e-mails touted low-cost mortgages, extended auto warranties and debt-counseling services, among other offers, and he received $3 to $7 for every lead he generated when someone clicked on the links in his messages.

Turning over a new leaf
Pitylak says he now opposes spam and is offering his skills to Internet companies to help them fight spam.

More reading is available here.


Mass Defacement of Websites in Malaysia

An article from The Star InTech related to online threats against e-commerce and websites (Lecture 4).

PETALING JAYA: The Malaysian Computer Emergency Response Team (MyCERT) has detected 300 website defacements up till the end of May this year.

MyCERT said it observed a mass defacement of .my domain websites in early May affecting mostly those on the FreeBSD and Linux platforms.

However, Kol Husin Jazri, director of the National ICT Security and Emergency Response Team (Niser), said in an e-mail interview that the attacks weren’t platform specific but were targeted at virtual webhosts.

MyCERT is a unit of Niser and is responsible for tracking and logging security incidents, as well as analysing major security incidents and trends.

Virtual hosts are multiple websites hosted on a single machine.

"A few of these virtual hosts were targeted, resulting in between 20 and 100 websites being defaced at any one time," Husin said.

Husin said the recent attacks indicate attackers have taken due diligence before executing their strategies. "Intelligence and reconnaissance activities are involved before launching the attacks," he said.

MyCERT's analysis of the recent attacks showed that they were done via a PHP scripting vulnerability. (PHP is a web scripting language.)

Husin said this involves modifying computer program scripts to ensure validation of input.

"These vulnerabilities are exploited to allow entry to access certain restricted locations within the host," Husin said. He added that in some cases, these vulnerability exploits even open up arbitrary Net connections and turn some PHP scripts into proxies and open mail relays.

MyCERT has already provided an alert on the recent attacks and encourages victims to submit the audit trails to MyCERT through the MyCERT website for further analysis.
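Husin's remedy in the article is "modifying computer program scripts to ensure validation of input", and the symptom he describes (scripts that "open up arbitrary Net connections" and become proxies or open mail relays) is what happens when a request parameter is used unvalidated to choose which file or URL a script includes. The article gives no code, so the following is an added illustration, written here in Python rather than PHP, of the weak pattern next to the validated one. The template directory, the page names and the sample request values are constructed for the example and are not taken from the MyCERT analysis.

```python
import os
import re

# Constructed layout for the example; not paths from the article.
TEMPLATE_DIR = "/var/www/site/templates"
ALLOWED_PAGES = {"home", "about", "contact"}
PAGE_NAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def resolve_unvalidated(page):
    """The weak pattern: the request parameter is used directly to build the
    location of the script to include. Nothing stops a traversal sequence or an
    absolute path here, and an include routine that also accepts URLs would
    fetch whatever the parameter points at."""
    return os.path.join(TEMPLATE_DIR, page + ".php")


def resolve_validated(page):
    """The hardened pattern: validate the parameter before using it.

    Returns (path, None) when the request is acceptable, else (None, reason).
    Order matters: shape check first, then allowlist, then a final containment
    check on the resolved path as defence in depth.
    """
    if not isinstance(page, str) or not PAGE_NAME_RE.fullmatch(page):
        return (None, "parameter is not a plain page name")
    if page not in ALLOWED_PAGES:
        return (None, "page is not on the allowlist")
    path = os.path.normpath(os.path.join(TEMPLATE_DIR, page + ".php"))
    if os.path.commonpath([TEMPLATE_DIR, path]) != TEMPLATE_DIR:
        return (None, "resolved path escapes the template directory")
    return (path, None)


# Constructed request values: one legitimate, the rest malformed or hostile.
SAMPLE_PARAMETERS = [
    "home",
    "admin",
    "../../etc/passwd",
    "/etc/passwd",
    "http://198.51.100.7/remote.txt",
    "HOME",
    "",
]


def compare(params):
    """Run both resolvers over the same inputs; returns [(param, weak, hardened)]."""
    return [(p, resolve_unvalidated(p), resolve_validated(p)) for p in params]


if __name__ == "__main__":
    for param, weak, hardened in compare(SAMPLE_PARAMETERS):
        print(f"{param!r:35s} weak -> {weak!r}")
        print(f"{'':35s} hardened -> {hardened!r}")
```

With the weak resolver, `"/etc/passwd"` becomes `/etc/passwd.php` (os.path.join discards the base directory when given an absolute path) and the traversal value keeps its `..` components; the validated version rejects every value except the allowlisted page names. The allowlist is what does the work: because only known names pass, the path containment check at the end should never fire, but it is cheap insurance against a later change to the regex or the directory layout.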


Thursday, June 01, 2006

Piracy down in China and Russia...plus Malaysia too

Business Software Alliance (BSA) reported that 35% of the packaged software installed on personal computers worldwide in 2005 was illegal.

The Business Software Alliance (BSA) is a trade group representing a number of the world's largest software makers. It is funded through membership dues based on member companies' software revenues, and through settlements from companies it successfully brings action against.

Its principal activity is trying to stop copyright infringement of software produced by its members, an activity it claims costs the software industry over 11 billion dollars each year.

Some facts from the report:

  • Losses from illegal software were US$34 billion in 2005, an increase of US$1.6 billion from 2004.
  • The four countries with the biggest percentage declines in piracy were China, where 86 percent of all software sold is pirated, down 4 percentage points from the 90 percent of 2004; Russia, down 4 percentage points to a piracy rate of 83 percent; Ukraine, down 6 percentage points to a piracy rate of 85 percent, and Morocco, down 4 percentage points to a piracy rate of 68 percent.
  • By contrast, the United States had the lowest piracy rate in the world last year at 21 percent. However, that amounted to $6.9 billion in losses to software manufacturers, the highest of any country because the U.S. market for computer software is so large.
  • The lost sales in China totaled $3.9 billion, putting it in second place in dollar losses followed by France with losses put at $3.2 billion and a 47 percent piracy rate.
  • One out of every three copies of PC software was obtained illegally last year.
  • The countries with the highest piracy rates, according to the study, were Vietnam, 90 percent; Zimbabwe, 90 percent, Indonesia, 87 percent, and China and Pakistan, both at 86 percent.
  • The countries with the lowest piracy rates were the United States, 21 percent; New Zealand, 23 percent; Austria, 26 percent, and Finland, 26 percent.

----------------------------------------

Malaysia:
  • 60% of the software installed on PCs in Malaysia in 2005 was illegal.
  • The software piracy rate declined by three percentage points in the last two years.
  • BSA attributed the reduction to the Ops Tulen antipiracy campaign which is held in conjunction with the Domestic Trade and Consumer Affairs Ministry.
  • The campaign, which involves raids and software audits, began in 2002 and aims to cut down the use of unlicensed software by Malaysian businesses.
  • The BSA said that its software auditing programme was well received by Malaysian companies, with 1,493 businesses performing self-audits to check if their software is genuine.
  • Companies that perform the audit are given a grace period of immunity from raids by the BSA and other authorities in order to “clean up their act” if they have pirated software in their offices.
  • However, despite the small drop in piracy levels, the ringgit value of losses increased from US$134mil (RM509mil) in 2004 to US$149mil (RM566mil).


Types of Software Piracy

Source: The Star InTech, 30 May 2006, page 29. The article is part of the Ops Tulen 2006 antipiracy campaign organised by the Ministry of Domestic Trade and Consumer Affairs.

This article is related to Lecture 4 - E-Commerce Security Systems.

Additional link for software piracy: WiseGeek - What is Software Piracy?

Don’t be caught in the piracy trap

This is the second of a six-part weekly series brought to you by the Business Software Alliance. The articles are part of the OpsTulen 2006 antipiracy campaign organised by the Ministry of Domestic Trade and Consumer Affairs.

AS WE have discussed the impact and unravelled the myths of software piracy last week, it is time to look at the different types of software piracy, and how we can differentiate genuine from fake products. While many know that copying and distributing copyrighted software illegally is considered piracy, not many are aware that possessing software that has been illegally copied or using software against its licensing terms is also piracy. There are several types of software piracy:


Casual copying

This is a most common method of piracy, where copies are made of the genuine version and distributed among friends and colleagues in a casual office environment (against the end-user licence terms), and it is also called “softlifting."

Tip: Ensure you keep the genuine software CD-ROM or diskette in a safe locked central location with a single identified person accountable, i.e. the IT or finance manager.


Under-licensing

This happens when one copy of licensed software is purchased and loaded in more than one computer system without proper licensing and monitoring of the number of licences purchased against the number actually installed.

Tip: Ensure you conduct regular software audits (every six months) to ensure the number of licences you have purchased tallies with what has been installed on the computers.


Hard-disk loading

This type of piracy often goes undetected especially when businesses do not check the legitimacy of the application that comes with the purchase of PCs and laptops. It happens when a hardware distributor or reseller installs illegal and/or unlicensed software on to a computer and sells it as a package. Often, this is attractive to buyers as the price is low.

Tip: Ensure you always insist on genuine software pre-installed up front with your purchase and that it comes with the proper licence documentation, i.e. genuine CD-ROM or diskette, manuals, receipt/invoice, end-user license agreement, certificate of authenticity (COA), etc.


Counterfeiting

This happens when pirated software is packaged in a manner that is very similar to the original packaging, thus looking like original. This could easily fool buyers, as counterfeit registration cards with unauthorised serial numbers, boxes and manuals are often a part of these packages.

Tip: Ensure you consult your software principal on how to tell genuine software from the fakes and what licence documentation is required.


Licence misuse

Software vendors often provide various types of licensing, including OEM (original equipment manufacturer), volume licensing, those meant for non-profit organisations and academic institutions, upgrades, etc. Using software against its licensing terms is a form of piracy, for example using academic licences in a commercial business or purchasing OEM licences (required to be pre-installed with a new computer system) separately without the new computer system (unless otherwise specified by the licensing terms).

Tip: Ensure you consult the end-user license agreement or the software principal to see what rights you acquired with your software licence type.


Multiplexing

There are many multiplexing devices (pooling, dumb client, thin client = hardware that reduces number of CPUs/ PCs/ input devices) available in the market today that promise the reduction in the number of software licences required. Beware that multiplexing DOES NOT necessarily reduce the number of software licences required.

Tip: Ensure you refer to the specific licensing terms or product usage rights accompanying your software to always be certain.


Renting

This type of piracy works in the same manner as video rental where a licensed copy of software is rented out for temporary use against the licence agreement, or without the owners’ agreement.

Tip: Again, ensure you consult the licensing terms.


Internet piracy

The sharing of illegal and unlicensed copies of software has become easier and more prevalent, as identity over the Internet can be faked easily. Beware of sources selling cheap software online disguised as “on sale” or “OEM version” via what looks to be very professional looking websites or spam e-mail messages.

Online auction is another popular channel for Internet piracy. Unlicensed software could be easily resold over an auction site. In addition, technologies that have emerged to enable easy sharing of files over the Internet such as FTP (File Transfer Protocol) and P2P (Peer-to-Peer), allow faster and easier transfer of pirated software.

FTP allows transferring of large files easily by downloading files to a site. P2P technology allows a community of people to share files. Most people are attracted to the wide range of software resources available for free when they join a P2P community, and they, in turn, contribute by sharing what they have. Often, pirated software is easily available through both FTP and P2P technology users.

Tip: Ensure you purchase your software from reputable and trusted sources only. If the deal seems too good to be true, it probably is.

If you would like to learn more about software piracy and Software Asset Management (SAM) visit www.bsa.org/malaysia. You can also contact the BSA Antipiracy Hotline at 1-800-887-800.



Tuesday, May 30, 2006

E-Commerce Credit Card Fraud

An interesting case study on e-commerce credit card fraud in the US.

According to Celent Communications, an international consultancy group, the United States alone faces US$3.2 billion of online credit card fraud by 2007.

Results from various surveys and reports were discussed, such as:
  • nine out of ten Americans want their banks to monitor their online accounts for suspicious behavior
  • 79 percent surveyed said they were less likely to respond to e-mail from their bank because of worry over phishing scams

Company: US Digital Media
Problem: US Digital Media lost upwards of $200,000 due to e-commerce credit card fraud
Solution: Automated Fraud Prevention


Full story is here.

Monday, March 27, 2006

Another company sued over Internet privacy

As an additional story for Lecture 11, a company in the US is currently being sued for selling e-mail addresses.

Source of information: www.cnn.com

Suit alleges Internet privacy breach

Friday, March 24, 2006; Posted: 8:19 a.m. EST (13:19 GMT)
ALBANY, New York (AP) -- New York's attorney general sued an Internet company Thursday over the selling of e-mail addresses in what authorities say may be the biggest deliberate breach of Internet privacy ever.

Attorney General Eliot Spitzer accused Gratis Internet of selling personal information obtained from millions of consumers despite a promise of confidentiality.

The consumers thought they were simply registering to see a Web site offering free iPod music players or DVD movies and video games, Spitzer spokesman Brad Maione said. On sign-up pages, Gratis promised it "does not ... sell/rent e-mails."

Instead of confidentiality, Spitzer said, Gratis sold access to their e-mail information to three independent e-mail marketers, and hundreds of millions of e-mail solicitations followed.

In a statement, Gratis said the allegations that it sold e-mail addresses to e-mail marketers, and that these companies purchased personal user information from Gratis, were "completely untrue."

The company said it hired Datran Media of New York City, a leading e-mail marketer, to manage "the logistics of marketing products and services via e-mail to Gratis' own user base." It said Datran or two other hired companies "at no time ever engaged in a sale or purchase of data."

Gratis, based in Washington, D.C., always controlled and owned the users' information and never profited from any sale of data, the company said.

On March 12, Spitzer sued Datran Media, accusing it of using unauthorized personal data "mined" by other firms from about 6 million e-mail addresses nationwide. Datran agreed to reform its practices under a $1.1 million settlement.

"Unless checked now, companies that collect and sell information on consumers will continue to find ways to erode the basic standards that protect privacy in the Internet age," Spitzer said.

Spitzer's "data mining" investigation began last year amid reports of companies compiling and selling marketing lists.

Gratis owns and operates Web sites that offer free merchandise for registering their e-mail addresses. The state fraud lawsuit accuses its owners, Peter Martin and Robert Jewell, of privacy violations in 2004 and 2005.

Spitzer claims Gratis wrongly shared as many as 7 million "user records," creating the largest deliberate breach of a privacy policy discovered by U.S. law enforcement. He said the company's promises to consumers included: "We will never give out, sell or lend your name or information to anyone," and "We will never lend, sell or give out for any reason your e-mail address or personal information."

Monday, March 13, 2006

Spamming - Found guilty! And paying US$1.1 million

If you are thinking of spamming, think twice. You may end up paying more.

An e-mail marketing company, Datran Media Corp., has agreed to pay US$1.1 million to settle accusations that it misused personal data reportedly mined from 6 million e-mail addresses across the country.

Datran sends marketing e-mail messages to addresses provided by partner companies, a practice that some people consider "spam."

Its clients include Business Week, Columbia House, Fox Home Entertainment, NASCAR, Orbitz and Pitney Bowes, according to its Web site.
Read more here. (www.cnn.com)

Saturday, July 09, 2005

How to counter web advertising's spyware?

In reference to Lecture 7, this article may be useful.

Change our online habits.


Tuesday, June 21, 2005

Cyberspace War

Today, cyberspace is the new war frontier whenever there are conflicts between countries:
  • China-Taiwan,
  • India-Pakistan,
  • United States-China,
  • Palestine-Israel,
  • Japan-South Korea,
  • Japan-China and
  • Malaysia-Indonesia.
Read this article, entitled Cyberspace the new war frontier, written by two researchers from NISER (National ICT Security and Emergency Response Centre). Hey, didn't we visit their website in this week's tutorial (tutorial 4)?


Are your credit cards safe?

A news report from the BBC News website: Up to 40 million credit cards 'hacked'.

Related to the security of one of the e-payment methods (Lectures 4 & 5): one security concern with credit cards is the card information database being hacked into or the data being stolen.

Tuesday, May 31, 2005

MasterCard nets 1,400 phishing sites last year

The Star today reported that MasterCard International has successfully shut down nearly 1,400 phishing websites worldwide – 300 operating from Asia Pacific – last year through its Operation Stop IT (Identity Theft) campaign.

The credit card giant said its success was due to the effective monitoring of phishing activities discovered on the Internet and swift counteraction by Internet service providers (ISPs) and law enforcement agencies.