Compliance and Privacy
Compliance and Privacy News
Essential Reading for Today's Business 28th March 2006

in this issue:
  • Where Has All the Trust Gone?
  • Money Mules: Sophisticated Global Cyber Criminal Operations
  • What's the Deal With Seals?
  • Online Shopping Survey
  • Banking Community "Metafisher" Attacks

    Dear Visitor,

    Do you trust me? Do you trust this newsletter? Well, assuming that you do, you'll be interested in a powerful new study by Datamonitor that says 86% of consumers now distrust corporations. And it's no surprise really, given the level of threat facing consumers, as the latest Webcast on the topic of phishing makes clear. So, we thought it would be worth highlighting the 10th anniversary of TRUSTe - one way for companies to address both issues!

    As always, please let us have your views and comments, trust us, we value your input!

    We also have an offer of a report on "Metafisher" for the finance community, a phishing tool that could even be packaged for sale to fraudsters and that compromises the security of users of online banking!

    Do also participate in our simple survey on Information Security Policies - it appears in the left hand margin on Compliance and Privacy. Do you have one in your organisation? If you do, is it comprehensive enough? This survey will close shortly, to be replaced with a new one, so please get your answers in - the more we get the more valid the sample.

    Peter Andrews

    Where Has All the Trust Gone?

    Reprinted with permission from 1to1 Media, a division of Carlson Marketing Worldwide. © Carlson Marketing Worldwide. All Rights Reserved.

    It's one thing to say trust is important to customer relationships, it's another to have the numbers to back it up. A new report from Datamonitor pinpoints where companies have lost ground, and offers suggestions on how to win trust back.

    According to the report, "Building and Profiting from Consumer Trust," 86 percent of the 3,200 U.S. and European consumers surveyed said that they have become more distrustful of corporations within the past five years. The report also shows that companies are aware of this drop, with 64 percent of industry leaders agreeing that consumer trust in brands has decreased in the past two years.

    Money Mules: Sophisticated Global Cyber Criminal Operations

    Criminals are stealing thousands of credit cards and banking account credentials daily through phishing attacks, Trojan horse attacks and other attack vectors. Thousands of dollars daily are then laundered to offshore banking accounts through dozens of countries by "money mules," or phishing money launderers. Cyber-fronts are created to solicit, hire and exploit these money mules within multiple countries, and they can make as much as $10,000 or more in a month for part time work. This report will take a look inside the world of money mule operations and provide several examples of business fronts and job offers.

    This live webcast is scheduled for 2pm US EST (7pm GMT 8pm BST) on Wednesday 15th March, and requires an audio equipped computer for full participation.

    As usual we will mount a replay on this site a day or two after the webcast.

    What's the Deal With Seals?

    Reprinted with permission from 1to1 Media, a division of Carlson Marketing Worldwide. © Carlson Marketing Worldwide. All Rights Reserved.

    In the nascent days of the Web, consumers jumped from destination to destination with little concern about privacy. Yet even before the media alerted the masses to the twin scourges of identity theft and information brokering, TRUSTe was on the case with its Web privacy seal. Nine years later the firm is working on the tenth iteration of its standards agreement.

    One question remains, however: Do consumers truly pay attention to such seals? And if so, does the absence of a seal make consumers think twice about entering their personal data or ordering a product?

    Online Shopping Survey

    On our home page we've added a four question survey on online shopping. We're interested in whether you look at the security implications and whether, as a shopper, you have ever been the victim of online fraud.

    When we have a good sample of replies we'll summarise the data for you, and announce the closure of the survey in this newsletter.

    Banking Community "Metafisher" Attacks

    Over the past few weeks the iDefense Research Team within VeriSign has been monitoring a significant threat to the banking community, known as Metafisher (also known as TanSpy and BZub). Recently, iDefense researchers were able to decrypt this Trojan application, which is of a never-before-seen sophistication, leading to the discovery of crucial details about this currently ongoing attack against online banking users in the UK, Germany, Austria, and Spain. We have taken the unprecedented step of making available to you a report which is normally only available to iDefense subscribers.

    Details of the threat can be found on page 8 of the attached report, but in summary, Metafisher is more accurately described as a suite of malicious applications currently exploiting the well-known Microsoft WMF vulnerability affecting Internet Explorer. Metafisher uses country-specific methods to compromise bank account details and email accounts, and can perform local phishing. It is capable of updating itself, and a hacker can choose from a wide range of exploits. A web-based command and control structure, discovered by iDefense, gives a hacker an unprecedented ability to scale an attack. There are at least two large botnets currently controlled by Metafisher. The sophisticated user interface, logging capabilities, and commercial-quality software lifecycle have led iDefense to conclude that Metafisher is likely being sold as a toolkit to third parties who then conduct phishing attacks.

    We hope that this is of use and that it illustrates to you the value of subscribing to VeriSign's iDefense service. This threat has coincided with their current iDefense promotion offering two weeks of the iDefense Weekly Threat report to anyone that registers.

    Compliance and Privacy will be despatching the report on VeriSign iDefense's behalf to all who email me, Peter Andrews with "Report" in the subject line.


    Readers should note that references to VeriSign's sponsorship are historical. That sponsorship ended on 28 February 2007, and is simply included here for context and historical purposes. VeriSign is not formally associated with this site in any manner, and has asked us to emphasise this point.