Phishers Find Apple Most Tasty Target

“Follow the money” isn’t just the war cry of journalistic bloodhounds hot on the trail of political corruption. It’s the mantra of Web predators, too. That’s why PayPal consistently has been the top brand targeted by phishers — although that appears to have changed.

Apple now has the dubious distinction of most-phished brand, according to the latest report from the Anti-Phishing Work Group.

For the first half of this year, 17.7 percent of all phishing attacks were aimed at Apple — a first for the brand — followed by PayPal (14.4 percent) and Chinese shopping site Taobao.com (13.2 percent), the APWG reported.

Have phishers suddenly become more interested in stocking their music libraries from iTunes than siphoning money from PayPal? Not quite.

“We’re seeing a lot of account takeover types of stuff, and your Apple ID is tied into everything,” report coauthor Rod Rasmussen told TechNewsWorld.

Target Churn

Phishers can get into all kinds of mischief with an Apple ID, suggested Rasmussen, who also is president and CTO of IID.

“I’m betting some of the naked celebrity photos were stolen with the use of Apple IDs,” he said.

“They can be also used to lock a user out of their phone and ransom it back to them for money,” Rasmussen continued. “There are lots of different attack vectors, which adds up to why Apple is being phished as heavily as it is.”

A greater variety of institutions now are being targeted by phishers, compared to the past, the APWG report notes. For example, in the first half of this year, the group found 756 unique institutions targeted by phishers. Almost half those targets — 347 — hadn’t been phished in the previous six-month period.

“This amount of churn, or turnover, shows phishers trying out new targets,” APWG reported. “They are looking for companies that are newly popular, have vulnerable user bases, and/or are not ready to defend themselves against phishing.”

Behavioral Defenses

If the mammoth data breaches in recent months illustrate anything, it’s that perimeter defenses alone aren’t adequate to keep attackers at bay. Defenders need to accept the fact that their systems will be penetrated and deploy defensive strategies to deal with that inevitability.

One strategy is to combine behaviorial analysis with big data to identify those internal threats.

Intruders that have penetrated a system can be very difficult to identify without some kind of machine assistance.

“Once they’re inside, they’ll look like regular employees, because they’ve hijacked an employee’s credentials,” Idan Tendler, CEO of Fortscale, told TechNewsWorld.

Intruders eventually engage in behaviors that give away their masquerade, though.

“The only way to identify these suspicious users is by profiling their behavior, by analyzing system logs that document their behavior,” Tendler said.

The profiles can be used to establish a normal behavior pattern, and “from that, you can automatically spot abnormal behavior by users,” he explained.

Profiling Misbehavior

An added benefit of identifying intruders who’ve compromised an employee’s credentials is that potential malware attacks also can be identified. For example, a large proportion of Advanced Persistent Threats — 76 percent by some estimates — eventually end up stealing credentials on a system.

“Why?” asked Tendler. “Once the malware infiltrates the enterprise, it hijacks credentials to be used for reconnaissance and exfiltration of information from the system.”

Behavioral analysis also can be used to make perimeter defenses stronger.

“If you have a website that’s public-facing, or a mobile app, you want to understand who your customer is — because, as we’ve seen, passwords are becoming less and less effective,” said NuData Security Director Of Customer Success Ryan Wilk.

“You need better ways to find these anomalies to give a customer better insight into who is touching their website and how it’s being used,” he told TechNewsWorld, “so when an account or transaction is created, you can know if that account or transaction is valid.”

Behavioral analysis can be a way for system defenders to see the bad trees in the forest of data moving through their networks every day.

“Bad behaviors will stand out drastically from good behaviors,” Wilk said. “It’s very easy to identify these artifacts when you’re pulling together all this data, creating behavioral profiles and seeing what the anomalies are.”

Breach Diary

• Sept. 29. Provo City School District in Utah reports personal information of some 1,400 employees is at risk after an employee’s email account was compromised in a phishing attack.
• Sept. 29. Albertsons and Supervalu report data breach of their point-of- sales systems affecting an undetermined number of customers. Breach is second reported by the chains this year. Breaches affect the following stores: Albertsons stores in California, Idaho, Montana, Nevada, North Dakota, Oregon, Utah, Washington and Wyoming; Acme Markets in Delaware, Maryland, New Jersey and Pennsylvania; Jewel-Osco stores in Illinois, Indiana and Iowa; Shaw’s and Star Markets stores in Maine, Massachusetts, New Hampshire, Rhode Island and Vermont; and four Cub Foods stores in Minnesota.
• Sept. 30. Four alleged members of an international computer hacking ring charged in United States for stealing more than US$100 million in software and data from Microsoft, the U.S. Army and others. The case is the second-largest hacking case prosecuted by the U.S. Justice Department this year.
• Oct. 1. Cedars-Sinai Hospital in Los Angeles revises patient records at risk from 500 to 31,136 when laptop was stolen from an employee’s home in June.
• Oct. 1. British telecommunications giant BT releases survey of 640 IT pros in which one in four of the respondents said their organizations experienced a data breach incident in which their cloud provider was at fault.
• Oct. 1. Lavely & Singer in letter to Google demands it take action to purge the Internet of images stolen from celebrity accounts on iCloud. Failure to take such action would expose Google to damages exceeding $100 million, the law firm said.
• Oct. 2. JPMorgan Chase reports to U.S. Securities and Exchange Commission that information from 76 million U.S. households — 65 percent of the households in the country — were compromised in a data breach in August.
• Oct. 2. Apple launches service that allows used-phone shoppers to check if an iOS device has Activation Lock feature activated. Feature is used to lock a device if it is lost or stolen.

Upcoming Security Events

• Sept. 29-Oct. 2. ISC2 Security Congress 2014. Georgia World Congress Center, Atlanta. Registration: through Aug. 29, member or government, $895; nonmember, $1,150. After Aug. 29, member and government, $995; nonmember, $1,250.
• Sept. 29-Oct. 2. ASIS 2014. Georgia World Congress Center, Atlanta. Registration: exhibits only, free; before Aug. 30, members $450-$895, nonmembers $595-$1,150, government $450-$895, spouse $200-$375, student $130-$250; after Aug. 29, member $550-$995, nonmember $695-$1,250, government $550-$995, spouse $200-$475, student $180-300; a la carte, $50-$925.
• Oct. 9. Cyberspace as Battlespace. 2 p.m. ET. Black Hat webinar. Free with registration.
• Oct. 9. Fraud Threats Briefing : Who Can You Trust? 2 p.m. ET. Webinar sponsored by Guardian Analyics. Free with registraton.
• Oct. 10-11. B-Sides Warsaw. Andersa 29, Warsaw, Poland. Free.
• Oct. 14-16. 2014 FS-ISAC Summit. Washington Marriott Wardman Park, 2660 Woodley Road NW, Washington, DC. Registration: $1,250-$1,750.
• Oct. 14-17. Black Hat Europe 2014. Amsterdam RAI, Amsterdam, the Netherlands. Registration: before Aug. 30, 1,095 euros; before Oct. 10, 1,295 euros; before Oct. 18, 1,495 euros.
• Oct. 16. SecureWorld Denver. The Cable Center, Denver. Registration: $695, two days; $545, one day.
• Oct. 16. Privacy and Security: Teamwork Required to Tackle Incident Response. 2 p.m. ET. Webinar sponsored by ID Experts. Free with registration.
• Oct. 17. B-Sides Raleigh. Raleighwood, Raleigh, North Carolina. Free.
• Oct. 18. B-Sides Houston. HCC Alief campus, 2811 Hayes Rd., Houston, Texas. Free.
• Oct. 19-20. B-Sides Washington D.C. Washington Marriott Metro Center, Washington, D.C. Free.
• Oct. 19-27. SANS Network Security 2014. Caesar’s Palace, Las Vegas, Nevada. Courses: job-based, $3,145-$5,095; skill-based, $1,045-$3,950.
• Oct. 29-30. Security Industry Association: Securing New Ground. Millennium Broadway Hotel, New York City. Registration: before Oct. 4, $1,095-$1,395; after Oct. 3, $1,495-$1,895.
• Oct. 29-30. Dallas SecureWorld. Plano Centre, 2000 East Spring Parkway, Plano, Texas. Registration: $695, two days; $545, one day.
• Nov. 5. Bay Area Secureworld. Santa Clara Convention Center, Santa Clara, California. Registration: $695, two days; $545, one day.
• Nov. 6. B-Sides Iceland. Tjarnarb, Reykjavk, Iceland. free.
• Nov. 8. B-Sides Dallas-Fort Worth. University of Texas-Dallas (UTD), ECSS building, 800 West Campbell Rd, Richardson, Texas. Free.
• Nov. 12-13. Seattle Secureworld. Meydenbauer Center, Seattle. Registration: $695, two days; $545, one day.
• Nov. 15. B-Sides Jacksonville. The Sheraton Hotel, 10605 Deerwood Park Blvd., Jacksonville, Florida. Free.
• Nov. 19. Stealing from Uncle Sam. 7:30 a.m.-1:30 p.m. ET. Newseum, Washington, D.C. Registration: government and press, free; before Nov. 19, $495; Nov. 19, $595.
• Nov. 21-22. B-Sides Charleston. College of Charleston campus, Charleston, SC. Free.
• Nov. 22. B-Sides Vienna. Top Kino, Rahlgasse 1 (Ecke Theobaldgasse, 1060 Wien, Vienna, Austria. Free.
• Dec. 2-4. Gartner Identity & Access Management Summit. Caesars Palace, Las Vegas, Nevada. Registration: before Oct. 4, $2,150; after Oct. 4, $2,450; public employees, $2,050.
• Dec. 8-11. Black Hat Trainings. The Bolger Center, Potomac, Maryland. Course Registation: before Nov. 1, $2,500-$3,800; before Dec. 6, $2,700-$4,000; after Dec. 10, $3,800-$4,300.