Brian Pennington

A blog about Cyber Security & Compliance


September 2013

Airline Information Group (AIG) accuses hotels and Facebook of being culpable in credit card fraud

The AIG has issued a press release on the threat of credit card fraud and on how other parties can help reduce what it calls the “fast-growing epidemic of credit card fraud”.

In the release, AIG identifies two main culprits for the theft of credit card data:

  1. Hackers who break into customer databases and steal credit card numbers and customer data
  2. Employees with access to credit card numbers and the details of card owners from retailers such as gas stations, restaurants and particularly hotels 

Airline Information’s Managing Partner, Michael Smith, says about hotels: “Front line hotel employees can easily access and steal credit card numbers and your personal details. Couple this with outdated IT and business processes related to franchising and it’s a toxic mix. Hotel chains and their franchises often use different reservations systems, requiring that paper copies of credit cards be used in many hotel properties. This is much less secure than the masked electronic credit card information standard in almost any other industry. The result is that hotels can be traced as the source of nearly one third of all credit card fraud globally, which hits our company’s airline clients particularly hard, since airline tickets are a common item purchased with stolen cards.” 

When credit card numbers are hacked or stolen, they are sold online to be used for online purchases or for making cloned credit cards. Personal data about the cardholders, widely available on the web and on Facebook, may then be used by fraudsters (as credit card criminals are known) to assume the identities of the cardholders.

AIG also claims that Facebook is used for selling credit card data, as well as for sharing information between fraudsters on how to steal card numbers and commit identity theft. Jan-Jaap Kramer, CEO of the Dutch fraud prevention consultancy FraudGuard, says: “There are numerous pages on Facebook set up by criminal rings to facilitate and share information about credit card fraud. Many of these pages show all credit card details like CVC code, expiry code, the PIN code for online payments and personal data of the cardholder including home address, date of birth, social security numbers and more. We have asked Facebook to block these pages, but it takes no action. The result is greater fraud losses for consumers and merchants, ruined credit records and misery trying to sort out fraudulent transactions.”

The Airline Information Group “calls on Facebook to stop the practice of facilitating the sharing of fraudulent credit card information via Facebook pages. We encourage consumers and merchants to contact Facebook and their government authorities to have Facebook end this consumer-unfriendly practice.”

The Cost Of Insecurity

It is simple: your investment in securing your data will be considerably less than the potential cost of a breach and the subsequent clean-up.

Professional Security Training is substantially better than PowerPoint or Handouts

Ponemon Institute conducted an experimental study showing that participants in a Digital Defense training program (SecurED) achieved substantially higher learning gains than a placebo group.

The experiment was conducted in seven participating companies and involved 277 employees, all office workers with routine and regular access to IT services. Approximately half of the participants completed two of three separate SecurED modules; the other half were asked to read three PowerPoint presentations containing identical content on data security. Both groups completed three quizzes. The first quiz provided a baseline level of knowledge for each subject. The second quiz measured immediate learning after completing the SecurED module or PowerPoint script. The third and final quiz was used to measure each subject’s learning gain about 2 to 3 weeks after the training experiment.

The learning gains for both groups were measured as the difference, or net change, in quiz results from the baseline reading. In addition to measuring participants’ learning, the researchers asked questions about the importance and relevance of data security training in their workplace.

How learning is improved

SecurED outperforms the alternative training intervention, termed the placebo. All three SecurED training modules tested in this study produced consistently positive results. For instance, with respect to quiz performance, subjects on average scored above an 80% correct response rate.

Results of this study

  • The average subject’s long-term learning gain was a 60% increase from baseline
  • Only 5% showed a decline or “tone down” after 2 or 3 weeks
  • The long-term learning gain for the placebo group was a 15% increase from baseline, and a 20% tone down over 2 to 3 weeks

The following are findings related to staff level, age, function and gender.

  • Staff and associate level employees experienced a higher learning gain than director and VP level employees (70% versus 40%).
  • Employees between 26 and 35 years old had the highest learning gain at nearly 75%, while older subjects between 56 and 65 years old experienced an average learning gain of about 30%.
  • Employees in customer services and IT had the highest learning gains at 80% and 70%, respectively. In contrast, respondents in legal and general management had a much lower learning gain at 20% and 30%, respectively.
  • Female employees experienced a higher long-term learning gain than their male counterparts (e.g., 65 versus 55%).

Perceptions about security training

Relevancy of training

Debriefings of subjects revealed 72% perceive SecurED as relevant to their present job functions. In addition, 88% of subjects perceive SecurED as enjoyable and worthwhile.

Availability of training

Subjects experiencing SecurED appeared to hold a stronger belief that training on data protection and information security should be made available to all employees, including high-level executives. However, 58 of subjects experiencing SecurED and 65 in the placebo group believe security training should be optional (not mandatory).

Deployment of training

A majority of subjects believe security training should be rolled out top down rather than bottom up. In other words, senior executives taking the time to do security training is helpful in demonstrating the importance of information risk management to rank-and-file employees.

Concluding thoughts

Subjects experiencing SecurED are more likely to believe training will positively impact employee behaviour with respect to more cautious handling of data assets and endpoint devices. We believe training effectiveness should be an essential activity for all organizations due to an increase in privacy and security risks resulting from employee negligence, cyber attacks and insecure devices and platforms.

To illustrate this growing risk, another recent Ponemon study found that office workers (employees) are not taking appropriate steps to protect computing devices or the company’s information assets. Specifically, 53% said the sharing of business information does not negatively impact or harm the company, 51% said the company has policies that are not strictly enforced, and 68% said their organization does not take steps to ensure employees do not wrongfully obtain and misuse competitive information.

Many companies are also failing to keep employees’ access privileges in check. While 51% say their access privileges appropriately match what they need to do in their job, 29% say they allow them to see data that is unnecessary to their work.

According to IT security practitioners, the number one most serious challenge to addressing insider fraud is raising employee awareness. Despite its importance, however, research finds less than half of U.S. companies provide formal security training for their employees, even for those who have privileged access to highly sensitive or confidential data.

Taken together, recent research findings demonstrate employee indifference to the loss or misuse of business information or the theft of mobile devices (such as laptops, tablets and smart phones). In short, they fail to understand the importance of personal accountability in order to achieve and maintain a secure workplace.

3 simple tips to improve security in the cloud

In its 2013 Security Threat Report, Sophos provided three tips on how to be more secure when using the cloud.

The tips are simple but straight to the point so I thought I would share them.

  1. Apply web-based policies using URL filtering, controlling access to public cloud storage websites and preventing users from browsing to sites you’ve declared off-limits. 
  2. Use application controls to block or allow particular applications, either for the entire company or for specific groups. 
  3. Automatically encrypt files before they are uploaded to the cloud from any managed endpoint. An encryption solution allows users to choose their preferred cloud storage services, because the files are always encrypted and the keys are always your own. And because encryption takes place on the client before any data is synchronized, you have full control of the safety of your data. You won’t have to worry if the security of your cloud storage provider is breached. Central keys give authorized users or groups access to files and keep these files encrypted for everyone else. Should your web key go missing for some reason, maybe the user simply forgot the password, the security officer inside the enterprise would have access to the keys in order to make sure the correct people have access to that file.
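To make the third tip concrete, here is an added example (not Sophos code, and not part of the original post) of the client-side envelope encryption it describes: each file is encrypted on the endpoint under its own random key, and that key is wrapped separately for the owning user and for a security-officer escrow key, so the copy in the cloud is useless to the provider while the officer can still recover the file. It assumes Python with the `cryptography` package installed; the function names and the keys are constructed for illustration.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit GCM nonce, fresh for every seal() call

def seal(key, data):
    """AES-256-GCM: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, data, None)

def open_blob(key, blob):
    """Reverses seal(); a wrong key or a tampered blob raises InvalidTag."""
    return AESGCM(key).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], None)

def encrypt_for_upload(plaintext, principal_keys):
    """Runs on the managed endpoint before the sync client sees the file. The envelope is all the
    cloud ever stores: the file under a random per-file data key, plus that key wrapped once for
    each principal allowed to read it (owning user, group key, and the security officer's escrow
    key, which is what lets the officer recover the file when a user's key is lost)."""
    data_key = AESGCM.generate_key(bit_length=256)
    return {
        "body": seal(data_key, plaintext),
        "wrapped_keys": {name: seal(k, data_key) for name, k in principal_keys.items()},
    }

def decrypt(envelope, principal, key):
    """Any principal holding a wrapping key unwraps the data key, then the file."""
    wrapped = envelope["wrapped_keys"].get(principal)
    if wrapped is None:
        raise KeyError(f"no key wrapped for {principal}")
    return open_blob(open_blob(key, wrapped), envelope["body"])

def readable_with(envelope, key):
    """Whether `key` unwraps any entry: all a breached provider holding the cloud copy can try.
    Without one of the wrapping keys this is always False."""
    for wrapped in envelope["wrapped_keys"].values():
        try:
            open_blob(key, wrapped)
            return True
        except InvalidTag:
            pass
    return False

if __name__ == "__main__":
    # Constructed demo keys; in practice they come from the central key management service.
    user_key, escrow_key = AESGCM.generate_key(256), AESGCM.generate_key(256)
    env = encrypt_for_upload(b"Q3 board minutes", {"alice": user_key, "officer": escrow_key})
    print(decrypt(env, "officer", escrow_key), readable_with(env, os.urandom(32)))
```

Revoking a user then means re-wrapping the data key without their entry (and re-encrypting files they already hold), which is the operational cost the "central keys" in the tip are paying for.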



Based on an ISC2 survey, PraetorianGuard have produced an excellent infographic on Information Security in the workforce.

Q&A on Information Security Workforce

RSA’s August 2013 Online Fraud Report featuring a review of “phish lockers”

RSA’s August 2013 Online Fraud Report delivers the results from RSA’s fraud monitoring centre; a summary of the report is below.

RSA researchers have been increasingly witnessing the activity of highly targeted Trojans, dubbed ‘Phish Lockers’, used at the hands of cybercriminals to steal credentials. The Trojans are deployed as a means to present online users with a phishing page that is generated by malware, while locking the desktop, hence the name.

This type of malware is not defined as a banking Trojan in the traditional sense. It is basic malicious code that can manipulate certain actions on an infected PC, but it is not a rootkit or otherwise able to actively monitor online activity, keylog or perform web injections.

Phish lockers were observed attacking banks in Latin America earlier this year, where local pharming is a very common attack method. However, the lockers are now starting to show up in new regions, attacking one or more banks at a time.

Much like most banking Trojans, phish lockers are activated by a trigger. When an infected user logs into a website contained on the malware’s trigger list, the Trojan becomes active. However, unlike banking Trojans, phish lockers don’t have a classic configuration file. Most of the information is hardcoded into the malware and therefore cannot be changed on the fly. The malware is compatible with all major browsers including Internet Explorer, Firefox, Chrome, and Opera.

The first visible action that the user will see is the browser window being shut down, then the desktop’s START button disappearing (a common occurrence with ransomware, for example). Based on the URL initially typed into the browser, the Trojan pops up a corresponding web form that looks exactly like the legitimate web page but is actually a phishing page.

The phish locker malware usually comes with a few hardcoded web forms, each requiring a relevant set of credentials from infected bank customers. Usually, the information requested by the malware corresponds with phishing attacks targeting the particular bank. For example, if the bank uses out-of-band SMS for transaction verification, the form might have a request for the user’s mobile number.

When banking Trojans infect user machines, they are present on the device and can log a user’s keystrokes and steal documents, certificates, cookies and other elements dictated by the botmaster. Banking malware regularly sends logs of stolen information to its operator, using pre-defined domains as communication resources. Phish lockers, on the other hand, are not designed to carry out such complex activity and use basic methods such as email to transmit stolen data.

In order to facilitate sending emails from the infected PC, the malware’s author programmed it to use Extended SMTP, predefining a sender and a few recipients that will act as a fallback mechanism in case the data gets intercepted or the mailbox blocked/closed for some reason.

Yet another differentiator that separates banking Trojans from phish lockers is the mode of activity. While banking malware steals and listens for data at all times when the browser is open, the locker closes the browser altogether, and then does the stealing. Once the information from the locker’s web forms is sent, the malware remains inactive and does not carry out any other malicious activity on the PC, allowing the user to regain control.
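As an added example from the defender's side (not part of the RSA report), the sequence just described is visible in endpoint telemetry: a process that is not a browser terminates one, and shortly afterwards that same process talks SMTP itself. The script below runs that rule over a few constructed telemetry lines; the process name svchst32.exe, the hosts and the addresses are made up, and the five-field event format is an assumed one, not any particular product's.

```python
import csv
import io
from datetime import datetime, timedelta

BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe"}  # the four the report names
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # processes expected to speak SMTP
SMTP_PORTS = {25, 465, 587}
WINDOW = timedelta(minutes=10)  # how long after the browser kill an SMTP connection still counts

# Constructed endpoint telemetry, not real logs: timestamp,host,event,process,detail
# ("svchst32.exe" is a made-up name standing in for the dropped locker binary).
SAMPLE = """\
2013-08-12T09:14:40,WS-07,process_terminate,svchst32.exe,target=chrome.exe
2013-08-12T09:14:41,WS-07,window_create,svchst32.exe,title=Online Banking Login
2013-08-12T09:16:05,WS-07,net_connect,svchst32.exe,dst=198.51.100.20:587
2013-08-12T09:20:00,WS-11,process_terminate,explorer.exe,target=firefox.exe
2013-08-12T09:21:00,WS-11,net_connect,outlook.exe,dst=203.0.113.5:587
2013-08-12T10:02:11,WS-19,net_connect,svchst32.exe,dst=198.51.100.20:587
"""

def parse(text):
    """Yield (time, host, event, process, detail dict) for each telemetry line."""
    for ts, host, event, proc, detail in csv.reader(io.StringIO(text)):
        kv = dict(p.split("=", 1) for p in detail.split(";") if p)
        yield datetime.fromisoformat(ts), host, event, proc.lower(), kv

def find_phish_locker_candidates(text):
    """Return {(host, process): reason} for each non-browser process that terminated a browser
    and then spoke SMTP itself within WINDOW: the locker's close-the-browser, show-the-form,
    mail-the-credentials sequence. A window from that process in between is noted as support.
    Benign cases (explorer closing a browser, Outlook sending mail) do not pair up."""
    kills, windows, hits = {}, {}, {}
    for ts, host, event, proc, kv in parse(text):
        key = (host, proc)
        if (event == "process_terminate" and proc not in BROWSERS
                and kv.get("target", "").lower() in BROWSERS):
            kills[key] = (ts, kv["target"])
        elif event == "window_create" and key in kills:
            windows[key] = kv.get("title", "")
        elif event == "net_connect" and proc not in MAIL_CLIENTS and key in kills:
            killed_at, browser = kills[key]
            port = int(kv.get("dst", ":0").rsplit(":", 1)[1])
            if port in SMTP_PORTS and ts - killed_at <= WINDOW:
                reason = f"killed {browser} at {killed_at.time()}, SMTP to {kv['dst']} at {ts.time()}"
                if key in windows:
                    reason += f", window '{windows[key]}' shown in between"
                hits[key] = reason
    return hits
```

On its own, SMTP from an unexpected process (the WS-19 line) is worth a lower-severity alert, but the pairing with a browser kill is what points at a locker rather than at a misconfigured mail tool.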

RSA’s conclusion

It is rather interesting to see Trojans of this type, which are considered very basic when compared to most banking Trojans in the wild. It is even more interesting to see them appearing in geographies where banking security is considered to be very advanced.

This phenomenon may be linked with the trend towards privatization of banking Trojans. This has created a barrier for many cybercriminals, as they are denied access to purchase more advanced malware kits to launch attacks. This could perhaps be pushing some cybercriminals to write and deploy simple malicious code that will at least get their dirty work done.

Phishing Attacks per Month

RSA identified 45,232 phishing attacks launched worldwide in July, marking a 26% increase in attack volume over the previous month.

US Bank Types Attacked

National banks continue to be the most targeted by phishing within the U.S. banking sector, with 74% of attacks in July, while credit unions were targeted by one in every ten attacks last month.

Top Countries by Attack Volume

The U.S. remained the country most attacked by phishing in July, targeted by 58% of total phishing volume. Germany endured the second highest volume of phishing at 9%, followed by the UK at 8%. India, France, Canada, South Africa and Italy were collectively targeted by 15% of phishing volume.

Top Countries by Attacked Brands

U.S. brands were once again most affected by phishing in July, targeted by 28% of phishing attacks. Brands in the UK, India, Italy and China together endured one-quarter of phishing attack volume.

Top Hosting Countries

The U.S. remained the top hosting country in July with 45% of global phishing attacks hosted within the country, followed by Canada, Germany, and the UK. To date, RSA has worked with more than 15,300 hosting entities around the world to shut down cyber attacks.

Previous 3 RSA Online Fraud Report Summaries
