| Ransomware signals trouble for ecommerce users
New attack kidnaps files, holds them hostage
By Nick Smith, Editor
As if spyware and phishing attacks weren�t causing enough problems for businesses, May brought the arrival of a new hacker method that could further erode customer confidence in online transactions. Dubbed �ransomware� because of the way it encrypts files and demands payment from users for their restoration, the new attack forebodes more difficulties to come for those in the business of protecting customer information. Extortion via encryption
Ransomware, like so many other types of malware before it, works by exploiting a hole in Internet Explorer. Hackers infect a website with malicious code � in this case a Trojan horse called Pgpcoder � and unsuspecting users download it upon visiting the page. Once on the PC, the code scans the hard drive for critical files (including documents, spreadsheets, and picture files) and encrypts them � effectively preventing the user from reading them. Around that time, the user receives a message that the files can be decrypted . . . for a price.
Customer trust in e-commerce at risk
Though the attack was flawed � it included a traceable return address and bank account � it almost surely signals the arrival of a new wave of attempts to kidnap files. And the next ones, rather than using the relatively weak encryption of the Pgpcoder attack, will be stronger, leaving users with little choice but to pay the ransom. In this case, the amount was just $200, but that figure looks to go up as new, more sophisticated attacks arrive. And they�re already here. The most recent one is SpywareNo, a bogus anti-spyware program that infects PCs, kidnaps critical files, and invites users to purchase a program to decrypt them. What it all amounts to is just another in a growing list of reasons why consumers are shying away from e-commerce. What can you do about it? | 1. | Educate your customers. Like phishing, ransomware is in large part an awareness issue. Inform your customers about ways they can protect themselves. In the process, you can preserve their trust in online transactions. | | 2. | Configure your Anti-virus software to scan in real time and to update daily, and be aggressive with patch management. Out of date software is an open target for hackers. | | 3. | Use a web browser other than IE. | |  |  | | |  | | E-commerce security deadline approaching. Speaking of online transactions, MasterCard and Visa are now requiring businesses that accept online credit card payments to prove they have secured their systems against potential compromise. Online merchants have until June 30 to comply with the standard, which includes regular technical scans, encryption of data, and firewall management, among other requirements. Those found to be out of compliance could lose their ability to accept Visa or Mastercard purchases online. Check here for a summary of requirements. Evil twin powers activate. Wireless networks posing as legitimate providers are tricking many PDA and laptop users into connecting to rogue hotspots. Known as evil twins, these malicious networks show that identity theft has now gone wireless. Well, it was only a matter of time. Find out how these evil twins operate, and how to stop them. Phishers target smaller organizations. The Anti-Phishing Working Group reports that phishers are increasingly targeting small and medium-sized organizations in their attacks, continuing a shift away from larger institutions. Phishing methods are also becoming more sophisticated, with more sites using hijacked servers and a marked decrease in attacks that just use an IP address. Get the trend report here. | |  | NCUA enacts disclosure law. Possibly motivated by the recent ChoicePoint scandal, the NCUA has finally pushed through its disclosure rule after it spent two years in the comment phase. The new law is similar to California�s disclosure rule (SB 1386) but appears to be stricter. While 1386 mandates disclosure if a breach is �reasonably believed� to have occurred, the NCUA sets the bar higher � for when breaches are found to be �reasonably possible.� Find out more about the new law. Are you in a HIPAA trouble . . . or not? Now that the HIPAA compliance deadline has passed, the next question on everyone�s mind is . . . so what? How are the regulations going to be enforced, and when? There are still so many unknown factors around the rules themselves. Check the industry pulse on the issue. | | | | |  |  | | |  | |
Common Sense of Compliance June 14th, 3 PM Based on in-person interviews with examiners, this webcast offers a practical view of how you can you make the regulatory process work for you. Common Sense of Compliance for Hospitals
June 23rd, 3PM
Though the HIPAA compliance deadline has passed, many hospital and healthcare organizations are still scrambling to meet regulations governing the security of patient health information. Get equipped to close the gaps and make the exam process work for you. Network and SCADA security 101 for Co-ops and utilities
June 30th, 3PM
With compliance deadlines rapidly approaching, network security isn�t just pie in the sky anymore for co-ops. Get concrete tips for implementing an effective security program that will put you in compliance--and secure your network from intrusions. | | Are you missing the boat? As a newsletter subscriber, you receive timely updates about Internet security every month. But you might be missing out on our other informative and educational resources. It�s easy to fix that problem. Just update your profile to receive webcast invitations, white papers, or email advisories at www.secureworks.com | | |  |  | |  |  | | Tradeshows and Conferences | |  | | |  | | | | |
Forward to a Colleague
Forward to a Colleague 
Join List
Unsubscribe
Privacy Policy
No comments:
Post a Comment