APWG Announces Availability of Internet Crimeware Report.ID Theft Working Group Addresses Crimeware at Forthcoming Conference LOS ALTOS, Calif. & CAMBRIDGE, Mass. -- The Anti-Phishing Working Group The AntiPhishing Working Group (APWG) is a consortium that brings together businesses affected by phishing attacks, businesses that provide security products and law enforcement. The APWG has more than 2700+ members from more than 1600 companies & agencies worldwide. has issued a joint report with the Department of Homeland Security Noun 1. Department of Homeland Security - the federal department that administers all matters relating to homeland security Homeland Security executive department - a federal department in the executive branch of the government of the United States and SRI International on the role of crimeware in enabling new forms of financial crime on the public Internet. The report is titled "The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond", and can be downloaded here: http://www.antiphishing.org/reports/APWG_CrimewareReport.pdf "Crimeware is the latest technological attack on identity and access control on the Internet. Instead of viruses, which were spread largely to gain notoriety for their authors, crimeware is malicious software designed to steal identity information such as passwords and sensitive user information. Unlike email phishing, crimeware can be very hard to detect, and many organizations are unaware of the scope of this emerging threat. This report hopefully can serve as an educational tool for security professionals and risk managers alike." said David Jevans, Chairman of the APWG APWG Anti-Phishing Working Group APWG Action Plan Work Group APWG Acquisition Policy Working Group APWG Advocates for Prostituted Women and Girls APWG AFSCN Prioritization Working Group APWG AFSCN Priorities Working Group . The report details the innovative and penetrating mechanisms that phishers are employing to spread crimeware including: Attachments sent via email or instant message - or in an apparently discarded hardware devices such as USB keys; Piggybacking schemes in which crimeware is embedded into another piece of software such as an apparent shareware application; Internet Worms that exploit vulnerabilities within networks and PCs to propagate themselves and install back doors and other crimeware applications; Web Browser Exploits in which browser vulnerabilities are leveraged to directly infect PCs from the compromised server by the pages being viewed or by injecting crimeware code remotely via scripting exploits into the PC; Distribution via Hacking in which crimeware is installed manually by hackers who have discovered or exploited vulnerabilities that give them access and control of a PC; And Distribution via Affiliate Marketing in which marketing programs provide incentives to 1) install malware on visitors PCs, some of which can be later exploited to plant crimeware or 2) to directly install crimeware on visitors' PCs. APWG data from the 12 months between May 2005 and May 2006 tells the story of runaway proliferation of crimeware. In that time frame, the number of unique applications for password stealing that were detected in a single month grew from 79 to 215, almost tripling in detected frequency. The number of URLs employed by criminals to spread crimeware expanded at around twice the rate of crimeware code development, however, rising from 495 detected URLs in May 2005 to 2100 in May 2006 after peaking at 2683 in April, 2006. "The crimeware story is one of innovation in developing criminal code to be sure, but we see a lot of the same mechanisms, like keyloggers, being redrafted again and again. The big mission for organized crime is not so much creation of completely new innovations in crimeware but to find ways to deliver it successfully to the PC," said Chairman Jevans. Industry leaders, researchers, law enforcement representatives, government ministers, and Computer Emergency Response Team managers from across the globe are converging on Orlando from November 14 through 17th to attend the APWG's General Members Meeting and the eCrime Researchers Summit, where report author Aaron Emigh will present the paper to principal investigators and conferees in the summit's Phishing and Crimeware segment. The General Members meeting is an event closed to all but APWG members and research partners. The inaugural eCrime Researchers Summit on November 16 and 17, however, is an open event. The agenda for that event is here: http://www.antiphishing.org/events/2006_researchSummit.html The Anti-Phishing Working Group (APWG) is an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing, email spoofing and crimeware. Membership is open to qualified financial institutions, online retailers, ISPs, the law enforcement community and solutions providers. There are more than 1,500 companies and government agencies participating in the APWG and more than 2,500 members. The APWG's web site (http://www.antiphishing.org) offers the public and industry information about phishing and email fraud, including identification and promotion of pragmatic technical solutions that provide immediate protection. APWG's corporate sponsors include: 41st Parameter, 8e6 Technologies, Able NV, ActivCard (ACTI ACTI Advanced Cleanup Technologies, Inc (Rancho Dominguez, CA) ACTI Advanced Computational Technology Initiative ACTI Advisory Committee on Technology Innovation ACTI Aircrew Coordination Training Instructor ), Adobe (ADBE ADBE Adobe Systems, Inc. (stock symbol) ), AhnLab, Aladdin Knowledge Systems Aladdin Knowledge Systems NASDAQ: ALDN is a company that provides solutions for software digital rights management and Internet security since 1985. Its corporate headquarters are located in Tel Aviv, Israel. (ALDN), Anakam, Anonymizer, BBN Technologies, BlueStreak, Brandimensions, Clear Search, Cloudmark, Comodo, Corillian (CORI), Cydelity, Cyveillance, DigitalEnvoy, DigitalResolve, Earthlink (ELNK ELNK EarthLink, Inc. (stock symbol) ELNK Ethernet Link ), eBay/PayPal (EBAY), Entrust (ENTU), Experian, eEye Digital Security eEye Digital Security is a company that specialises in analysis and prevention of security vulnerabilities in software. Founded by Firas Bushnaq and Marc Maiffret in 1997, the company has been credited by Microsoft with bringing a number of security vulnerabilities to their , F-Secure, GeoTrust, GoDaddy, ING Bank, Iconix, InternetIndentity, Internet Security Systems, IOvation, IS3, Kaspersky Labs, Lenos Software, LightSpeed Systems, MailFrontier, MarkMonitor, McAfee (MFE), MasterCard, MessageLevel, Microsoft (MSFT MSFT Microsoft (stock symbol) MSFT Movimento Sociale Fiamma Tricolore (Italy) MSFT Multi-Stage Fitness Test MSFT Master of Science in Family Therapy MSFT Macalester Students for Fair Trade ), Mirapoint, MX Logic, NameProtect, Netcraft, NetStar, PassMark, Panda Software, Phoenix Technologies, Inc. (PTEC PTEC Pinellas Technical Education Centers (Clearwater, FL) PTEC Pharmacy Technician Educators Council PTEC Psychiatric Technician PTEC Plastics Technical Evaluation Center PTEC Page Table Edit Control ), Quova, RSA Security (RSAS RSAS RSA Security, Inc. (stock abbreviation, AMEX) RSAS Royal Swedish Academy of Sciences RSAS RAND Strategy Assessment System RSAS Reactor Safety Assessment System ), SAIC SAIC - http://saic.com. , SecureBrain, Sigaba, SOPHOS, SquareTrade, SurfControl, Symantec (SYMC SYMC Symantec Corporation (stock symbol) ), The 41st Parameter, Trek Blue, Trend Micro (TMIC), Tricerion, TriCipher, Tumbleweed Communications (TMWD), SurfControl (SRF SRF abbr. somatotropin-releasing factor .L), Vasco (VDSI), VeriSign (VRSN), Visa, Websense, Inc. (WBSN), WholeSecurity and ZixCorp. |
|
||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion