Brian Pennington

A blog about Cyber Security & Compliance


October 2012

RSA’s October Online Fraud Report 2012 including summary of Phishing and Social Networking

In its October Online Fraud Report, RSA reports on the activity of online fraudsters; a summary is below.

Following global trends in online threats, the RSA Anti-Fraud Command Centre continues to see large increases in phishing attacks. Looking back to the first half of 2012 and comparing it with the second half of 2011, RSA reported a 19% increase in global phishing attacks.

Not only is phishing still rampant, it is resulting in significant losses to global organizations.

RSA estimates that phishing cost organizations an estimated $2.1 billion in losses over the last 18 months.

Phishing and the Social World

Just four years ago, slightly more than 20% of U.S. citizens were users of social networks. That number has since more than doubled and stands at around 50% today. Facebook membership alone has increased nearly 10 times since 2008 and Twitter shows that membership has increased by a factor of five over the same period.

With the world turning into a smaller and more ‘social’ village, fraudsters and blackhats are certain to join the party. Cybercrime follows the money, and as user behaviour shifts, fraudsters have been following their target audience (potential victims) to the virtual world’s hot spots. According to a research study by Microsoft, phishing via social networks was used in only 8.3% of all attacks in early 2010; by the end of 2011 that number stood at 84.5% of attacks delivered through social media.

What’s so great about phishing via social media?

Using social networks, people behave more socially and are less discriminating with messages or comments they receive on their profiles. With new user numbers soaring every year, phishers get to cast a very wide net. One phishing attack tailored for the look and feel of a single social network can effectively target a very large number of people, resulting in less work for the fraudster and a better yield of potential victims.

With social media, a core component of a successful phishing attack is already built-in: Trust. Users ‘follow’ people they know or trust, they receive messages from people or services they are familiar with (emails from a site’s team for example, a group, a friend’s hijacked account, or comments containing poisoned links).

Rogue communications can sometimes be spotted visually, but most of the time they look good enough to have the recipient click through to the phishing site or download a malicious piece of software. Where a social network makes heavy use of URL shorteners, identifying a suspicious hyperlink before browsing to it is very difficult.

It only gets better (for Phishers)

Social networking sites are getting much better at knowing their users and leveraging that information for more targeted marketing and sales. One of the factors that enhance the credibility of the ever-evolving social media platform is the emerging Freemium model.

Perhaps one of the most popular activities on some social networks is playing social games with other users. The games are free, but only until the user wants to really get ahead in the game or obtain special powers or upgrades. This is where the payment prompt jumps in, suddenly making it okay to perform financial transactions through a platform like Facebook.

What does this mean for the user? It legitimizes using their credit card details on the social networking site.

What does this mean for Phishers? More ways to Phish, more data to steal (alongside all the other personal information already shared by users), more attacks and more successful phishing!

Another factor that has been encouraging phishing to come through social networks is enterprises going social. For example, banks that wish to market themselves using social media open user groups people can join, inadvertently providing phishers with a model to follow (not any different from online banking portals being imitated for phishing).

As with any online-borne threat, keeping a close watch on trends is essential to any organization serving customers via the Internet. This new and increasingly ‘social’ nature of delivering phishing attacks is a reflection of user behaviour, a factor that will always be the most significant driver for online crime trends.

Growing use of social networking is going to make phishing via that medium more popular over time, further supporting the need for on-going and timely user-education and awareness campaigns to help consumers protect their online identities and accounts.

Phishing Attacks per Month

In September, RSA identified 35,440 phishing attacks launched worldwide, marking a 28% decrease from August. RSA data shows that the bulk of this decrease is a result of fewer phishing campaigns launched against a series of European financial institutions, which have accounted for significant spikes in attacks through the past few months.

Number of Brands Attacked

In September, 314 brands were targeted by phishing attacks, marking an 8% increase from August. Increases in the number of brands attacked suggest cybercriminals are casting wider nets at organizations that may not be as well protected or are less familiar with the threat.

US Bank Types Attacked

In the U.S. banking sector, nationwide bank brands witnessed a 10% increase in attacks, accounting for about three out of every four attacks in September. This is not surprising as phishers tend to seek a brand that is well-known and has multiple locations within a region, such as nationwide banks. In this case, there is a larger pool of potential victims and the chance of a spam recipient being an account holder of the targeted brand is much higher.

Top Countries by Attack Volume

Despite a 22% decline in attacks, the UK continues to be the country that endured the highest attack volume, marking the seventh consecutive month, with 47% of attack volume. In turn, Canada absorbed most of this with 17% of attack volume in September.

Top Countries by Attacked Brands

In September, U.S. brands continued to be the most targeted by phishing, targeted by 29% of attack volume, followed by the UK and Australia.

Top Hosting Countries

In September, the U.S. continued to be the top hosting country for phishing attacks, hosting 77% of attacks. Poland, the UK, Canada, and France together hosted just over 10% of attacks in September.

Previous RSA Online Fraud Report Summaries:

  • The RSA September 2012 Online Fraud Report Summary here.
  • The RSA August 2012 Online Fraud Report Summary here.
  • The RSA July 2012 Online Fraud Report Summary here.
  • The RSA June 2012 Online Fraud Report Summary here.
  • The RSA April 2012 Online Fraud Report Summary here.
  • The RSA March 2012 Online Fraud Report Summary here.
  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.


One in four consumers are victims of card fraud – new study reveals

A global study of more than 5,200 consumers across 17 countries, conducted by ACI Worldwide and Aite Group, has revealed that one in four respondents has been victimised by credit, debit or pre-paid card fraud during the past five years.

More than 20% of respondents reported that they will stop using, or switch from, the card affected by fraudulent activity.

The report also found that the top two countries affected by card fraud were:

  1. Mexico, with 44% of residents affected
  2. The United States, with 42% of residents affected

The countries with the lowest levels of fraud were the Netherlands and Sweden, with fraud at 12%.

“The results of this survey show that card fraud continues to be one of the greatest threats and concerns for consumers, financial institutions and retailers,” said Mike Braatz, Senior Vice President, Payments Fraud, ACI Worldwide. “While there have been significant advances in fraud prevention technology, it is clear that more needs to be done to educate consumers about fraud and engage them as allies when it occurs. These results should serve as a call-to-action for financial institutions and retailers to remain constantly vigilant and earn the trust of customers by working with them to combat fraud.”

The 2012 Fraud Survey also found that:

Financial institutions risk losing customers due to fraud

  • Attrition rates after experiencing card fraud average 21% among cardholders.
  • Of cardholders who received replacement cards as a result of a data breach or fraudulent activity in the past year, 46% used the new card less than the original.
  • After experiencing fraud, more than 50% of cardholders used cash or an alternate form of payment instead of their credit or debit card.

Consumers fear identity theft yet continue risky behaviour

  • Identity theft replaced credit card fraud as the greatest concern from fraud exposure in the 2012 survey, with 49% of respondents indicating they were very concerned about possible harm to their financial standing and rating.
  • Many consumers continue to exhibit risky behaviours that put them at higher risk of financial fraud, including keeping written records of PIN numbers, throwing un-shredded documents containing sensitive information into trash bins and using public computers or computers without security software for Internet banking services and to shop online.

Consumers want to partner with banks for fraud prevention

  • If their financial institution notices unusual activity on their bank account or card, 82% of respondents are “very interested” in being notified prior to the bank taking action.
  • Consumers prefer immediate and direct communication from their banks when fraudulent activity is detected. The most preferred method of contact was found to be a call to the respondents’ mobile phone, followed closely by e-mail or text message. This illustrates a change from 2011, when contact via home phone was the second most preferred method.

“The 2012 Fraud survey paints a compelling picture of the global nature and threat of fraud,” said Shirley Inscoe, Senior Analyst, Aite Group. “Financial institutions, issuers and retailers need to enlist customers in the fight against fraud, educate them on prevention best practices, and reassure them of policies should fraud occur. Maintaining customer satisfaction, loyalty and preserving wallet share can be achieved by communicating with and enlisting the customer in the fight against fraud.”

The ACI press release can be found here.


Overall the UK needs to improve its approach to the Data Protection Act

The Information Commissioner’s Office (ICO) has published its audits of the UK’s four largest sectors and, whilst it was positive about the approach of the private sector, it raised concerns about the public sector.

The audit reports (below) summarise the outcomes of over 60 ICO audits carried out in the private, NHS, local and central government sectors.

Announcing the reports, Louise Byers, Head of Good Practice, at the ICO said:

“We have been providing free audits to help organisations look after the personal information they collect and publishing the results for two years now. During this time we have seen some innovative and well thought out approaches to keeping people’s personal information secure and complying with the Data Protection Act. Today’s reports allow for this knowledge to be shared, while raising areas of continued concern.”

Each report provides a summary of the level of assurance the organisations in each sector have provided during their audit, along with relevant examples of good practice and existing areas for improvement. The audits were all carried out between February 2010 and July 2012.

Within the private sector, the ICO had a high level of assurance that 11 out of the 16 companies audited had policies and procedures in place to comply with the Act. This included having robust security measures in place and providing thorough training for their staff.

Commenting on the report for the private sector, Louise Byers continued:

“The private sector organisations we have audited so far should be commended for their positive approach to looking after people’s data. However this does not mean that businesses in the UK should rest on their laurels. We are still seeing relatively few companies agree to an ICO audit and further improvements can be made, particularly when it comes to the retention and deletion of data.”

In the health service only one of the 15 organisations audited provided a high level of assurance to the ICO, with the local government sector showing a similar trend: only one out of 19 organisations achieved the highest mark. Central government departments fare little better, with two out of 11 organisations achieving the highest level of assurance.

Louise Byers continued:

“While the NHS and central government departments we’ve audited generally have good information governance and training practices in place, they need to do more to keep people’s data secure. Local government authorities also need to improve how they record where personal information is held and who has access to it.

“The results of these reports show why we have requested an extension to our compulsory audit powers to cover the NHS and local government sectors. Organisations in these areas will be handling sensitive information, often relating to the care of vulnerable people. It is important that we have the powers available to us to help these sectors improve.”

Good Practice Audit outcomes analysis NHS – February 2010 to July 2012

Good Practice Audit outcomes analysis Local authorities – February 2010 to July 2012

Good Practice Audit outcomes analysis Central Government – February 2010 to July 2012

Good Practice Audit outcomes analysis Private sector – February 2010 to July 2012


Cloud maturity study reveals the top 10 issues eroding cloud confidence

The Cloud Security Alliance (CSA) and ISACA (www.isaca.org) have issued the results of their survey of how organisations feel about the “cloud”.

The report provides detailed insight on the adoption of cloud services among all levels within today’s global enterprises and businesses. I have summarised the report below.

The study reveals that cloud users in 50 countries were least confident about the following issues (ranked from least confident to most confident):

  1. Government regulations keeping pace with the market (1.80)
  2. Exit strategies (1.88)
  3. International data privacy (1.90)
  4. Legal issues (2.15)
  5. Contract lock in (2.18)
  6. Data ownership and custodian responsibilities (2.18)
  7. Longevity of suppliers (2.20)
  8. Integration of cloud with internal systems (2.23)
  9. Credibility of suppliers (2.30)
  10. Testing and assurance (2.30)

While there are many positive indicators that support the planned adoption and perceived use and value of cloud services in the years ahead, there remains much progress to be made to engage and gain the buy-in among business leaders.

“As a first step, we as an industry must still work to provide a clearer definition of what cloud is and how the many innovative and secure services can help positively impact today’s businesses,” said J.R. Santos, global research director at CSA. “But, we need to start at the top and engage senior management. Cloud needs can no longer be thought of as a technical issue to address, but rather a business asset to embrace.”

“One of the most interesting findings is that governance issues recur repeatedly on the list of the top 10 concerns. Cloud users recognize the value of this model, but are wrestling with such questions as data ownership, legal issues, contract lock-in, international data privacy and government regulations,” said Greg Grocholski, CISA, international president of ISACA. “As cloud services continue to evolve, it is critical that we work together as an industry to provide insights and recommendations on these issues so that service and solution providers can look to innovate and deliver what the cloud services market needs to advance and what enterprises need to succeed.”

Survey Overview

Results of the study provide much insight on the progression of cloud adoption. For example,

  • Business enablers (score 4.08) rather than financial considerations (score 3.5) are the primary factors in making cloud decisions, with the least important factor being the ability to reduce the environmental footprint of the organization (score 2.67)
  • The business enablement factors that most influence cloud computing decision making are related to the reliability and availability of services (mean score 4.59) and quality of service (score 4.29)

Respondents feel there is room for improvement when it comes to innovation in the cloud.

  • 24% of survey takers indicate that there is no or only a limited level of innovation in the market
  • 43% of respondents believe there is a moderate level of innovation
  • 33% report that the level of innovation in terms of products, services and business use is significant

“Survey results show that CIOs and IT management understand cloud best and are most involved in driving cloud innovation in their organizations. This limits cloud maturity and innovation since cloud continues to be viewed as a technical solution and not as a business enabler,” said Yves Le Roux, a member of CSA and the ISACA Guidance and Practices Committee. “Cloud can provide business-building innovation, but to get to that point, there needs to be more buy-in and a better understanding among business leaders and C-level executives of the cloud’s value and risk.”

Nearly all respondents feel that cloud computing is far from reaching maturity, with only software as a service (SaaS) cautiously placed at the earliest growth stage, and infrastructure and platform services still considered to be in their infancy.

Respondents remain moderately confident that cloud services are meeting service and strategy expectations and that problems are being addressed. Many rated cloud services as providing confidence in strategy and problem resolution (mean score 3.47), indicating cautious optimism that cloud will advance in maturity and that the problems limiting its adoption will be addressed.
