No warrant, no problem: How the government can still get your digital data

The US government isn’t allowed to wiretap American citizens without a warrant from a judge. But there are plenty of legal ways for law enforcement, from the local sheriff to the FBI, to snoop on the digital trails you create every day. Authorities can often obtain your e-mails and texts by going to Google or AT&T with a simple subpoena. Usually you won’t even be notified. The Senate last week took a step toward updating privacy protection for emails, but it's likely the issue will be kicked to the next Congress. In the meantime, here’s how police can track you without a warrant now:

Stuff they can get

Phone records: Who you called, when you called

How they can get it: Listening to your phone calls without a judge's warrant is illegal if you're a US citizen. But police don't need a warrant—which requires showing "probable cause" of a crime—to get just the numbers you called and when you called them, as well as incoming calls, from phone carriers. Instead, police can get courts to sign off on a subpoena, which only requires that the data they're after is relevant to an investigation—a lesser standard of evidence.

What the law says: Police can get phone records without a warrant thanks to Smith v. Maryland, a Supreme Court ruling in 1979, which found that the Constitution's Fourth Amendment protection against unreasonable search and seizure doesn't apply to a list of phone numbers. The New York Times reported last week that New York's police department "has quietly amassed a trove" of call records by routinely issuing subpoenas for them from phones that had been reported stolen. According to The Times, the records "could conceivably be used for any investigative purpose."


Football Phishing Fever Continues

Contributor: Avdhoot Patil

Several phishing attacks using football have been observed during 2012. Phishers have shown their interest in football clubs, football celebrities, and the 2014 FIFA World Cup. In November 2012, the trend continued with phishers spoofing the 2014 FIFA World Cup in Brazilian Portuguese on a free web hosting site.

In one example, a phishing site prompted users to sign up for a daily offer to win prizes worth hundreds of dollars, including trips to the World Cup. The phishing page featured the World Cup mascot Fuleco on the right-hand side. While signing up for the offer, users were asked to select one of three Brazilian electronic payment brands. Once a brand was selected, the phishing site requested the user's confidential information.

The information required includes the user's:

  • Card number
  • Electronic signature
  • Card holder name
  • Password
  • Email address
  • Email password

After the information is entered, the phishing site acknowledges the registration and provides the user with a lucky number, “L2Y7DQ852”, that is allegedly required when a user wins a prize.

Figure 1. Electronic payment brand choice

Figure 2. Confidential information request

Figure 3. Information acknowledgement

In the second example, a phishing site spoofing a Brazilian credit and debit card operator prompted users to sign up for a similar offer. The phishing site featured popular footballer Neymar da Silva. The offer stated that users would get a lucky number for every $30 purchase on their card. The lucky number is then drawn for a daily sweepstakes prize. In order to sign up, users are asked to enter their personal information.

The information required includes the user's:

  • Name
  • CPF (the Brazilian individual taxpayer identification number)
  • Phone number
  • City
  • Father’s name

If users fall victim to the phishing sites, phishers would have successfully stolen the information for financial gain.

Figure 4. User information request

Internet users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages
  • Do not provide any personal information when answering an email
  • Do not enter personal information in a pop-up page or screen
  • Check that the page is served over HTTPS (the padlock, the 'https' prefix or, for extended-validation certificates, the green address bar) before entering personal or financial information, and bear in mind that this only shows the connection is encrypted: a phishing page can be served over HTTPS too, so verify that the domain name is the one you expect
  • Update your security software (such as Norton Internet Security 2012) frequently, which protects you from online phishing

Sophisticated botnet steals more than $47M by infecting PCs and phones

Behold—the Eurograbber, visualized.

A new version of the Zeus trojan—a longtime favorite of criminals conducting online financial fraud—has been used in attacks on over 30,000 electronic banking customers in Europe, infecting both their personal computers and smartphones. The sophisticated attack is designed to circumvent banks' use of two-factor authentication for transactions by intercepting messages sent by the bank to victims' mobile phones.

The malware and botnet system, dubbed "Eurograbber" by security researchers from Check Point Software and Versafe, was first detected in Italy earlier this year. It has since spread throughout Europe. Eurograbber is responsible for more than $47 million in fraudulent transfers from victims' bank accounts, stealing amounts from individual victims that range from 500 Euros (about $650) to 25,000 Euros (about $32,000), according to a report published Wednesday (PDF).

The malware attack begins when a victim clicks on a malicious link, possibly sent as part of a phishing attack. The link directs them to a site that attempts to download one or more trojans: customized versions of Zeus and its SpyEye and Carberp variants that allow attackers to record Web visits and then inject HTML and JavaScript into the victim's browser. The next time the victim visits their bank's website, the trojans capture their credentials and run JavaScript that spoofs a request for a "security upgrade" from the site, offering to protect their mobile device from attack. The JavaScript captures their phone number and mobile operating system, which are used in the second stage of Eurograbber's attack.


Online marketer tapped browser flaw to see if visitors were pregnant

An advertising network that served banners on cnn.com, orbitz.com, and 45,000 other sites has settled federal charges that it illegally exploited a decade-old browser flaw that leaks the history of websites users visit.

Epic Marketplace used data mined from the history sniffing exploit to assign interests to visitors so the ad network could deliver targeted ads, according to a complaint filed by the Federal Trade Commission. Interest categories included "pregnancy-fertility getting pregnant," "incontinence," "memory improvement," and "arthritis." The FTC brought the case against New York City-based Epic Marketplace after the practice was revealed by Stanford University researcher Jonathan Mayer in July 2011.

Epic Marketplace settled the charges by agreeing to destroy the data it gathered and to curb the practice in the future, according to a release issued on Wednesday. The settlement also bars the company from making misrepresentations about the data it collects about people browsing the Web.
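The following is an added example, not code from Epic Marketplace, the FTC or Jonathan Mayer's research, of the CSS :visited history-sniffing technique the complaint describes and the interest tagging that made it useful to an ad network. The probe works by styling visited links in a colour the page never otherwise uses and reading that colour back with getComputedStyle; browsers closed this around 2010 (Firefox 4, Chrome 9 and later Internet Explorer report the unvisited style), so on a current browser every URL comes back as unvisited, which is also why the probe is injectable here and the tagging logic can be exercised without a DOM. The hostnames are constructed placeholders; the three interest categories are the ones quoted from the complaint.

```javascript
// Added example (not Epic Marketplace's or the FTC's code): CSS :visited
// history sniffing plus interest tagging. Hostnames are constructed.

// Visited links get a colour an ordinary page never uses.
const VISITED_COLOR = 'rgb(255, 0, 0)';
const PROBE_CSS = `a:visited { color: ${VISITED_COLOR} !important; }`;

// Browser side: inject hidden links for each candidate URL and read back the
// computed colour; a match means the URL is in the user's history. Returns
// null when there is no DOM (e.g. under Node). Patched browsers lie about
// :visited here, so they report every link as unvisited.
function probeVisitedInDom(urls) {
  if (typeof document === 'undefined' || typeof getComputedStyle === 'undefined') {
    return null;
  }
  const style = document.createElement('style');
  style.textContent = PROBE_CSS;
  const box = document.createElement('div');
  box.style.cssText = 'position:absolute;left:-9999px;top:-9999px';
  document.body.appendChild(style);
  document.body.appendChild(box);
  const visited = {};
  for (const url of urls) {
    const a = document.createElement('a');
    a.href = url;
    a.textContent = '.';
    box.appendChild(a);
    visited[url] = getComputedStyle(a).color === VISITED_COLOR;
  }
  box.remove();
  style.remove();
  return visited;
}

// Ad-network side: which visited hosts imply which interest category.
// Hosts are constructed; the categories are those the FTC complaint quotes.
const INTEREST_RULES = [
  { category: 'pregnancy-fertility getting pregnant',
    hosts: ['fertility-forum.example', 'pregnancy-week.example'] },
  { category: 'incontinence', hosts: ['bladder-health.example'] },
  { category: 'arthritis', hosts: ['joint-pain-relief.example'] },
];

const CANDIDATE_URLS = INTEREST_RULES.flatMap(r => r.hosts.map(h => `https://${h}/`));

// Map the probe result onto interest categories (sorted, deduplicated).
function assignInterests(visited) {
  const out = new Set();
  for (const rule of INTEREST_RULES) {
    for (const host of rule.hosts) {
      if (visited[`https://${host}/`]) out.add(rule.category);
    }
  }
  return [...out].sort();
}

// `probe` is injectable so the tagging can run without a browser.
function profileVisitor(probe = probeVisitedInDom) {
  const visited = probe(CANDIDATE_URLS);
  if (visited === null) return { visited: {}, interests: [] };
  return { visited, interests: assignInterests(visited) };
}

// Constructed sample: a probe that reports two of the candidate pages as visited.
function sampleProfile() {
  const seen = new Set(['https://fertility-forum.example/', 'https://joint-pain-relief.example/']);
  const fakeProbe = urls => Object.fromEntries(urls.map(u => [u, seen.has(u)]));
  return profileVisitor(fakeProbe);
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(sampleProfile(), null, 2));
}
```

Run in a browser, `profileVisitor()` with no argument uses the real DOM probe; the sample shows how a handful of visited URLs turns into the sensitive interest labels the complaint lists.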
