Phishing Attack Targets One-Time Passwords
Swedish bank Nordea's customers are scammed by phishers targeting the bank's online authentication method.
According to anti-virus company F-Secure
, customers of Scandinavia's
largest bank, Sweden's Nordea
, have been the target of a phishing attack.
More interestingly, Nordea uses a one-time password method to afford their online
banking customers increased security.
Nordea issues a list of one-time passwords to each of their customers. The
customer is requested to provide the next password in order, and Nordea keeps
track of which password to expect. In this way, it believes it is assuring the
system is receiving the communication from customers. Should a password be used
by the customer, but for some reason it's not seen or accepted by Nordea, the
customer simply goes to the next password in order. Nordea compensates for these
lost passwords and increments the index for that customer.
This phishing attempt was fully aware of Nordea’s mechanisms. Victims
were prompted to provide their next password, and possibly the password after
that. This made the attack considerably more sophisticated than the standard
bank phishing attempt.
Unlike other password collection schemes, this one would afford the attacker
little time to make use of the password gleaned from the user. Whatever password
the attacker received would only be valid until the victim returned to the actual
Nordea site and authorized themselves, at which point Nordea would skip the
passwords given to the phishing site and make them invalid. So whoever was behind
this attack, their objective must have been to get in as quickly as possible
and take the money and run.
While not infallible, the Nordea list of one-time passwords is better than
only using user name and passwords. It's also a lot cheaper than giving them
electronic tokens. The mechanism is not used at ATMs; only for online banking,
telephone and any other form of remote banking. Nordea has been using this mechanism
since before 1999.
One thing is for sure: Phishers are paying more and more attention to the individual
entity that they're targeting.
Kaspersky Anti-Virus CAB File Buffer Overflow Vulnerability: This product
contains a buffer overflow vulnerability that could allow a remote attacker
to execute arbitrary code on the affected system. Kaspersky allows other vendors
to license the cab.ppl library, so products from other vendors could be vulnerable.
Patches are unavailable, but Kaspersky did release signatures to detect exploits.
This shows that our industry should not forget that security programs are not
immune to attack and are getting attention from people who want to pick at them.
Denial of Service
Intellishield ID 9785: Linux Kernel sys_set_mempolicy Denial of Service Vulnerability:
Versions 220.127.116.11 and prior contain a vulnerability in the kernel implementation
of the set_mempolicy(2) function. The vulnerability could allow a local attacker
to cause a Denial of Service (DoS) condition. The vulnerability has been corrected
in the version 2.6.13 kernel.
Not at all surprisingly, Web sites are the "fastest growing attack
vector" for malcode, according to the Websense Security Trends Report
column was originally published in our weekly Security Watch
newsletter. To subscribe, click here.
What exactly does it mean to be the "fastest growing attack vector"
anyway? And how would one accurately measure such a thing? More and more Web
sites are coming online, whether it's in the traditional form or blog sites.
In any event, it's certainly no surprise that more of them are here now, and
therefore it should be of no surprise that many are insecure and subject to
having malware placed on them. Given that Web site coders seem not to have learned
anything from past attacks, more and more are being put up without any method
of vetting the content being posted by their users.
California has once again led the way in making laws related to Internet
attacks. In this case, a bill was signed into law making Internet phishing
scams punishable by law, as a civil violation, allowing victims to recover actual
damages or $500,000 for each violation.
By making this a civil violation, victims should find it easier to obtain subpoenas
in trying to determine the actual originator of a phishing scam. On the downside, customers may find themselves mired by such subpoenas should their sites
be compromised by an attacker and used to launch such phishing attacks.
European Union officials are pressing the U.S. to hand over control
of the Internet to the United Nations. The debate is escalating
ahead of November's World Summit on the Information Society (WSIS), due to be
held in Tunisia between Nov. 16 and 18, where the topic of Internet management
is on the agenda.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.