You can install the industry’s strongest and most expensive firewall. You can educate employees about basic security procedures and the importance of choosing strong passwords. You can even lock-down the server room, but how do you protect a company from the threat of social engineering attacks?

For any of you that are involved in security awareness efforts, you know what I am talking about. It could happen tomorrow, it could happen today or it might already have happened.

In a recent disclosure posted by renowned hacker and developer DarkCoderSc (Jean-Pierre LESUEUR) explained that how one can easily Socially Engineer Microsoft Skype Support team to get access to any skype account.

From a social engineering perspective, employees are the weak link in the chain of security measures in place. He simply used the weakness of Skype password recovery system itself.

One simply need to request a new password to Skype support and asking to change the password. After the initial step one needs to proof the real ownership of the account requested. You must give 5 contacts accounts to the support desk.

“That’s easy because you just have to add 5 fake temporary accounts to the target account and its done. Another option is to simply ask the target what people he know on Skype. That option wasn’t that hard because I have over 1000 contacts.” he suggests the trick.

Within few seconds attacker can become owner of any victim account by proving very basic information to support team.

“Also Microsoft’s Support Team should make a serious effort to communicate better to their customers. At the moment they do not seem to care that much about their customers.“

A new configuration of the Carberp Trojan that targets Facebook users to commit financial fraud. Unlike previous Facebook attacks designed to steal user credentials from the log-in page, this version attempts to steal money by duping the user into divulging an e-cash voucher.

Carberp replaces any Facebook page the user navigates to with a fake page notifying the victim that his/her Facebook account is “temporarily locked”. The page asks the user for their first name, last name, email, date of birth, password and a Ukash 20 euro (approximately $25 US) voucher number to “confirm verification” of their identity and unlock the account. The page claims the cash voucher will be “added to the user’s main Facebook account balance”, which is obviously not the case. Instead, the voucher number is transferred to the Carberp bot master who presumably uses it as a cash equivalent (Ukash provides anonymity similar to that offered by cash payments), thus effectively defrauding the user of 20 euro/$25.

This clever man-in-the-browser (MitB) attack exploits the trust users have with the Facebook website and the anonymity of e-cash vouchers. Unlike attacks against online banking applications that require transferring money to another account which creates an auditable trail, this new Carberp attack allows fraudsters to use or sell the e-cash vouchers immediately anywhere they are accepted on the internet.

Attacking social networks like Facebook provides cybercriminals with a large pool of victims that can be fairly easily tricked into divulging confidential account information, and even, as illustrated in this case, giving up their cash. With the growing adoption of e-cash on the internet, we expect to see more of these attacks. Like card not present fraud, where cybercriminals use stolen debit and credit card information to make illegal online purchases without the risk of being caught, e-cash fraud is a low risk form of crime. With e-cash, however, it is the account holder not the financial institution who assumes the liability for fraudulent transactions.

The Trusteer research team recently uncovered a stealth new attack carried out by the SpyEye Trojan that circumvents mobile SMS (short message service) security measures implemented by many banks. Using code captured while protecting a Rapport user, researchers discovered a two-step web-based attack that allows fraudsters to change the mobile phone number in a victim’s online banking account and reroute SMS confirmation codes used to verify online transactions. This attack, when successful, enables the thieves to make transactions on the user’s account and confirm the transactions without the user’s knowledge.

Step 1:
In the first step of the attack, SpyEye steals the victim’s online banking login details. This is standard operating procedure for financial malware like SpyEye, Zeus, and others. The fraudsters can now access the victim’s account without raising any red flags that would be picked up by fraud detection systems.

Step 2:
In Step 2, SpyEye changes the victim’s phone number of record in the online banking application to one of several random attacker controlled numbers. In order to complete this operation the attacker needs the confirmation code which is sent by the bank to the customer’s original phone number. To steal this confirmation code the attacker uses the following social engineering scheme.

First, SpyEye injects a fraudulent page in the customer’s browser that appears to be from the online banking application. The fake page purports to introduce a new security system that is now “required” by the bank and for which customers must register. The page explains that under this new security process the customer will be assigned a unique telephone number and that they will receive a special SIM card via mail. Next, the user is instructed to enter the personal confirmation number they receive on their mobile telephone into the fake web page in order to complete the registration process for the new security system. This allows the criminals to steal the confirmation code they need to authorize changing the customer’s mobile number.

Now the fraudsters can receive all future SMS transaction verification codes for the hijacked account via their own telephone network. This allows them to use the SMS confirmation system to divert funds from the customer’s account without their knowledge, while not triggering any fraud detection alarms.

Domain typo-squatting is commonly used to spread malware to users whom accidentally misspell a legitimate domain in their web browser. A new type of domain typo-squatting takes advantage of an omission instead of a misspelling.

A Doppelganger Domain is a domain spelled identical to a legitimate fully qualified domain name (FQDN) but missing the dot between host/subdomain and domain, to be used for malicious purposes. Doppelganger Domains have a potent impact via email as attackers could gather information such as trade secrets, user names and passwords, and other employee information.

Each company in the Fortune 500 was profiled for susceptibility to Doppelganger Domains and 151 companies (or 30%) were found to be susceptible. In large corporations, email usage is extremely high and the likelihood of some email being mis-sent is high which could result in data leakage.

Security researcher Peter Kim and Garrett Gee who set up doppelganger domains to mimic legitimate domains belonging to Fortune 500 companies say they managed to vacuum up 20 gigabytes of misaddressed e-mail over six months. The intercepted correspondence included employee usernames and passwords, sensitive security information about the configuration of corporate network architecture that would be useful to hackers, affidavits and other documents related to litigation in which the companies were embroiled, and trade secrets, such as contracts for business transactions.

WhitePaper : Doppelganger.Domains.pdf

Documents spilled into public by the political unrest in Egypt in recent months has shone a spotlight on the shadowy world of for-profit, custom malware creation for governments around the world.

The anti malware firm F-Secure first called attention to documents uncovered by protesting Egyptians back in March. They included a proposal to sell a product dubbed “Finfisher” to the Mubarak regime.

That “Governmental IT Intrusion” product is targeted at the law enforcement community, but Gamma apparently had no qualms about offering it to the Egyptian government, according to 12 page proposal, dated June 29, 2010. A scanned copy of the proposal is available from the F-Secure Web site.

The documents were reportedly obtained by Egyptian psychiatrist and protester Mostafa Hussein during a takeover of the headquarters of Egypt’s State Security in Nasr City on March 5.

Written in Arabic, the proposal is addressed to the State Security Investigation Department in Cairo, Egypt and purports to offer a wide range of Gamma’s products to the country’s security apparatus, including a “remote intrusion solution,” the FinSpy management software and agent. The total deal was projected to cost the government just over 287,000 Euros.

An attorney for the company, speaking to The Washington Times, denied that Gamma completed its sale to the Egyptian regime and claims that the firm broke no laws in pursuing the sale of the FinFisher technology.

Still, the spectre of state sponsored hacking has come to the fore in recent months, as leaked diplomatic cables from Wikileaks, the Stuxnet worm outbreak targeting Iran and plans uncovered with the compromise at security firm HB Gary Federal raised the spectre of state-sponsored hacking and malware distribution.

The Obama Administration issued guidance in March clarifying the use of the term “cyberspace” to describe a domain analogous to air, land, space and maritime operations.