Identity Theft Rob Forsyth Managing Director, Sophos, Asia Pacific

Financial Services Conference 20th March 2007 RF …...Microsoft - March 2007 • A banner ad was served on MSN sites and Windows Live Messenger • "SystemDoctor 2006" ran scripts


Identity Theft

Rob Forsyth

Managing Director, Sophos, Asia Pacific


“On the Internet, nobody knows you’re a dog”

5th July 1993

The New Yorker


Overview – Identity Theft

• Some background

• Has legislation helped?

• Examples of attacks and the implications for an individual or company

• What vulnerabilities can be created and what impact can these have?

• What defences can be deployed to defeat this form of attack?

• Where will this problem go next?


History

• Identity theft as a specific IT term first appeared in the 1990s

• This led to the US Identity Theft and Assumption Deterrence Act 1998

• Now it can occur much more anonymously than ever before

• Now the attack can be made from a greater distance

• It can build over time rather than just be a one off attack

• It can have a greater impact than ever before

ID theft costs Australia $5b a year*

*Source: The Australian Institute of Criminology


Methods - some old and some new

• Dumpster Diving

• Changing Your Address

• "Old-Fashioned" Stealing

• Installation of Trojan Horses (trojans) on to your computer

• Phishing and spear-phishing


Australian Legislation

• Cybercrime Act 2001

• Criminal Code Amendment (Theft, Fraud, Bribery & Related Offences) Act 2000

• Financial Transaction Reports Act 1998

• The Spam Act 2003

• State based Crimes Acts - various years

• The NSW Crimes Act 1900

• The NSW Crimes Amendment (Computer Offences) Act 2001

In common language – most legislation protects against fraud


So, we are well protected by the Law, but it still happens

Please note that the following companies were innocent victims, and no adverse implication is implied

Some examples: there are a number of different messages


NOTM – September 2006

• National Online Talent Management agency

• IT theft may have been tied to recruitment of child porn

• Company appears to have closed


Coca Cola – August 2006

• Poor grammar and muddled dialogue a clue

• Campaign to recruit mules or for future spear phishing

• Very short-lived campaign with ‘disposable’ email contacts

• International Brand – Hong Kong focus

• Advance fee fraud?

• Seeking mules?


Microsoft - March 2007

• A banner ad was served on MSN sites and Windows Live Messenger

• "SystemDoctor 2006" ran scripts that popped up a security warning directing people to install a registry scanner that was itself malware

Defence requires web visibility to identify and block the high-risk links, script and malware detection to block malicious downloads, and call-home protection to block malware from updating and reporting its activity


Troy Inc. March 2007

• Complete rip-off of a legitimate site

• Offered employment

• “Just download an application”

• Attacks the vulnerable and desperate

• May not have been for identity theft

• Hundreds of these attacks each day


Troy Inc.


Three website examples

• Visa

• Westpac

• Avis

Please note that the following companies were innocent victims, and no adverse implication is implied


The URL is preceded by numbers - everything after that is irrelevant


The URL is misspelt - note that the keyboard can also be used by phishers


The URL is HTTP and not HTTPS, and there is no padlock.

Too much information is being sought
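
The three URL warning signs from the website examples above (a numeric host, a misspelt host, plain HTTP) expressed as a triage check. This is an added example, not part of the original slides; the allow-list hostnames and the URLs in the comments are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list of genuine hostnames (an assumption for this example).
KNOWN_HOSTS = {"bank.example", "cards.example", "rentals.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-key misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def url_warnings(url: str) -> list[str]:
    """Return the warning signs from the slides that apply to this URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []

    # Sign 1: the host is a bare IP address. A brand name later in the
    # path or query says nothing about who runs the server.
    try:
        ipaddress.ip_address(host)
        warnings.append("numeric-host")
    except ValueError:
        pass

    # Sign 2: the host is a near miss of a genuine name (misspelt URL).
    if host not in KNOWN_HOSTS and any(
        0 < edit_distance(host, good) <= 2 for good in KNOWN_HOSTS
    ):
        warnings.append("lookalike-host")

    # Sign 3: plain HTTP, so no TLS and no padlock.
    if parts.scheme.lower() != "https":
        warnings.append("no-https")

    return warnings


# Constructed sample: url_warnings("http://203.0.113.7/bank.example/login")
```

An empty result only means none of these three signs fired; it does not establish that a page is genuine.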


Newer or future challenges – will ID theft follow?

• Spam (defined by the Spam Act and the following would be covered)

• Spasms (spam over SMS)

• Spim (spam over instant messaging)

• Spit (spam over IP telephony)

Further reading at <www.theregister.co.uk>

• Illinois couple sued for sending 5 million spam cell phone messages


Image spam

• Has moved through various file types

Real fears for the ‘newbies’


So what’s the impact if a trojan is installed?

Many of these attacks will download a trojan horse to the victim's computer


Vulnerabilities that can be created

• Phishing - user name and password or just information

• Bank, eBay, PayPal, on-line gaming, your CV etc.

• Ransomware

• Botnet or ‘zombification’ to carry out other attacks

• Security reduction for future attack

• Rogue webserver (porn server)

• Webcam control

• Infection of your employer's network

• Become a person of interest to the police

Risks are not always obvious or immediate


What should we do about this?


What defences can be deployed to defeat this?

• Endpoint anti-malware software

• Combined protection covering viruses, worms, Trojans, spyware, adware + unwanted applications

• Functioning endpoint firewall

• Gateway email protection

• Gateway web protection

• OS and anti-malware correctly patched

• Network Access Control (NAC)

Defense in depth

Education is much of the answer


Knowledge and access to information is the best defense

Sensible online behavior reinforced by a good IT / HR policy

Some final thoughts


Security threat report 2007 – some ‘highlights’

• Malware authors continuing to deliver more focused attacks

• Explosive growth of web-based downloaders to spy on users

• New mass-mailing worm, Stratio, had over 1000 unique variants

• Most spam continuing to be relayed by poorly protected computers

Further reading at <www.sophos.com>


Where will this problem go next?

• More of the same issues but 'better' and faster

• They will follow the money

• Chase new vulnerabilities

• New technologies like IM and VoIP

• Mobile devices
