The iovation Site

Posts Tagged ‘fraud as a service’

Domain Name Abuse—An important component of fraud as a service

Monday, October 5th, 2009

While not often talked about, the malicious use of domain names is becoming a serious problem. Domain names provide a means to an end for criminals attempting all kinds of scams and online fraud. In phishing attacks, for example, a hacker-controlled domain name serves as the redirection point for a fake or infected site. In the case of botnet operations, a domain name replaces a unique IP address as the point of command and control, allowing fraudsters access to a much larger set of data with less risk of detection.


New Phishing Scam Spoofs Social Security Administration

Monday, May 11th, 2009

An SC Magazine article, out today, reports that a new phishing attack is now targeting individuals who will be receiving an economic payout later this month.

Phishing attacks are usually at the forefront of identity collection in today’s Fraud as a Service process. Phishing utilizes social engineering, which is both one of the oldest forms of security attack and one of the hardest to fix. Social engineering tricks users into giving up sensitive data that online criminals would normally have a very difficult time obtaining in any other way. Today, the user’s personal information is the target of choice, but this is also very effective for obtaining account information and passwords.

Combating phishing isn’t difficult; it just requires the user to keep in mind that online businesses simply will not ask for sensitive information in an e-mail, or link from an e-mail to a page that collects that data.


RSA Wrap Up – ROI, Fraud as a Service, and Whitelisting

Friday, April 24th, 2009

It’s been a busy week at RSA for iovation and I have just about talked myself out of words, but as always it is a great show to connect with security professionals and measure security trends. The show attendance seemed to be down some, but as I have noticed at other shows the quality of attendees seemed to be up in general. There were a lot fewer people searching for tchotchkes and more who seemed to be there to get information and do business. Three quick observations from the show:

  1. ROI for security vendors is more important than ever. The time when businesses make investments on loose Fear, Uncertainty and Doubt (FUD) is coming to a close. Companies are looking to solve real, existing problems and more than ever are being held accountable for the impact of their investments on the bottom line of their company.
  2. Fraud as a Service resonates. I blogged a couple of weeks ago about a podcast from RSA where they referred to Fraud as a Service to describe the way online criminals are specializing and working together to commit online fraud. I am officially changing to this term in preference to the Fraud Value Chain. I spoke to reporters, analysts and security professionals about this concept and it really resonated. I had an interview with Bank Info Security that included this topic and here is the podcast.
  3. Application Whitelisting vs Blacklisting. I spent some time with the folks at CoreTrace and I think that Application Whitelisting may finally be hitting the market at the right time. Eric Ogren, from the Ogren Group, and I spoke about this and we both agreed that blacklisting systems, in other words anti-virus, provide little to no value in preventing attacks and more than ever are relegated to cleanup tools that identify infection after the fact and remove it. Whitelisting has a way to go before it completely replaces anti-virus, but it has a good future.

That’s it from RSA, now it’s time to head back and fight the bad guys.