I’m very much in favor of online paperless billing and, virtually all of my reoccurring monthly bills are delivered this way – directly to my inbox. For example (shown below), is a snapshot of the regular monthly email notice from my natural gas supplier.
A simple click on the embedded link, and …..
there’s the bill – which is identical, I might add, to the bill delivered by regular mail.
A couple of extra clicks to reach my online banking and, the bill is paid.
No stacking up bills to be dealt with (along with all the other bills), at a later date. Done – fini – terminado!
I like it and, I’m sure my utilities suppliers love it – since, in most cases, they get paid far in advance of the required payment date. A perfect system it seems – except, this is the Internet.
Ah, the Internet – the playground of every scumbag cyber criminal from Moscow to Montreal – and, beyond. So, it’s hardly surprising to see online paperless billing come under attack.
Yesterday, Commtouch let me know of an ongoing attack – directed at AT&T customers – which automatically embeds malware onto the targeted machine, once the user clicks on the embedded link in the billing notice.
Since the billing email shows an outrageous balance (in the following screen capture, $943.01), theoretically, the response ratio should be significantly higher than it might otherwise be.
Several months back, I received a billing notice from my cable supplier totaling $650 – versus the normal $150 – and, I can assure you, I clicked on the embedded link, immediately.
It was, of course, a massive screw up at their end. Never the less, I instinctively (and, without thinking) clicked on the link . Being frustratingly annoyed is often a powerful call to action. Cyber criminals know exactly how to wind us up –increasing the odds that we’ll respond inappropriately.
Graphic courtesy of Commtouch.
According to Commtouch, who generously shared their research –
The pattern to be aware of in this case is: <legitimate domain>/<recurring set of random letters>/<index.html>
The index.html file tries to exploit at least the following known vulnerabilities:
·Libtiff integer overflow in Adobe Reader and Acrobat CVE-2010-0188
·Help Center URL Validation Vulnerability CVE-2010-1885
Every link in the email (there are 9 links), leads to a different compromised site with malware hidden inside. Recipients who are unsure whether the email they have received is genuine or not (the malicious version is a very accurate copy), should mouse-over the links.
Genuine emails from AT&T will include AT&T website links. For example the “att.com link will be the same in both places that it appears in the email – unlike the malicious version which uses two very different URLs.
I might add, that I use the WOT Browser add-on and, you’ll notice in the first graphic (at the top of this page), the green circle indicated the embedded link is safe. I strongly suggest that if you currently do not have WOT installed, that you consider doing so. As well, I use the Redirect Remover add-on which removes any redirect links in Firefox. An appropriate way to become aware of redirected links.
Four years ago, when I stated writing this Blog, I was hopeful that the cyber criminal threat to Internet users would be actively addressed. That at some point, governments and law enforcement would step up and actively seek out, and punish, the criminals who have turned the Internet into a minefield.
Governments, (the U.K, the U.S., Canada, Australia, India …) it seems, don’t give a fiddler’s f*ck – they appear to be much more interested in passing regressive Internet legislation directed at you – not cyber criminals. Legislation designed to massively infringe on individual personal privacy, and individual human rights. In the meantime, cyber criminals continue to roam freely.
As for law enforcement agencies – just try reporting a cyber crime to your local police department and, you’ll find that they couldn’t care less. Their focus is on low level behavioral crimes, like busting teenage Pot smokers. Just how much safer does that make you feel on the Internet?
Unless, there is a concerted effort on the part of all of us – and yes, that means you need to get involved – demanding a responsible approach to this outrageous criminality on the Internet – we will all, at some point, become a victim of cyber crime.
Do I sound angry? You bet I am.
Bill Mullins' Weblog - Tech Thoughts 