New From Cybercrooks: Fake Chrome, Pump-And-Dump

Cybercriminals have found new prey: online brokerage firms. A single hacked PC opened the door to a sophisticated criminal attack on E-Trade, contributing to $18 million in fraud-related costs during the firm's third quarter ended Sept. 30, company officials said last week.

The losses resulted from identity theft, E-Trade officials said. One of the techniques used was an Internet pump-and-dump scheme, in which criminals, using stolen customer accounts acquired from a hacked computer, drove up the prices of low-priced stocks through high-volume purchases and then sold those shares at a profit. The Securities and Exchange Commission, the FBI, and other law-enforcement agencies are investigating the E-Trade crime.

Competitor TD Ameritrade said last week that it had to cover $4 million in fraudulent transactions for its most recent quarter. Details are sketchy; a spokeswoman says TD Ameritrade was a victim of a pump-and-dump scheme similar to the one perpetuated on E-Trade, but Ameritrade has "never had a breach or intrusion" via computers. TD Ameritrade has 6 million clients.

NEW PHISH IN THE SEA
Online brokerages and their customers are just the latest victims of sophisticated cybercrimes involving stolen personal information. E-Trade has traced the source of fraud at its site to a criminal ring operating out of Eastern Europe and Thailand. TD Ameritrade says it's unclear whether it was hit by the same group.

Cyberthieves are deploying new phishing and spyware techniques. One involves faking the browser chrome around a Web page. The chrome contains a page's Window frames, menus, toolbars, scroll bars, SSL indicator, and any other elements that make up its borders. While Web surfers may not be actively thinking about what's on a Web page's chrome, a fake one includes details that will make them look so authentic, viewers are more likely to be duped. A victim might be directed via a link in an E-mail to a Web site masquerading as a company or bank used by the victim. Once at a bogus site--disguised right down to the "https" in the address bar that falsely indicates it's a secure site--the victim could be asked to verify account information and Social Security or credit card numbers. The fake chrome technique is so new that the security community began tracking it less than a month ago, says Sioux Fleming, CA's director of product management.

Only a handful of states, including Arkansas, California, New York, Utah, and Virginia, have anti-phishing laws. A federal law is unlikely to be passed because lawmakers "can't agree on whether to make businesses liable for losses, in addition to the phishers," says Jeffrey Neuburger, a partner with the law firm Brown Raysman Millstein Felder & Steiner. One question is why businesses aren't working harder to develop sites that can't be spoofed. As E-Trade and TD Ameritrade show, businesses often are compelled to cover their customers' losses to cybercrooks, particularly when their own systems are involved. E-Trade also is making available to customers secure ID tokens that automatically change their account passwords every 60 seconds. Customer accounts that use ID tokens are "virtually hack-proof," says an E-trade spokeswoman.

Law enforcement agencies, meanwhile, are encouraging businesses hit by cybercrime to come forward, much the way E-Trade has done. "There's a huge issue with the underreporting of cyberattacks in the corporate world," says Mark Mershon, assistant director of the FBI's New York office.

More than 30 states have passed laws that compel businesses to report when data is lost or stolen because of a security breach, but until law enforcement gets full cooperation from the corporate victims, it will continue to be in reactive mode. Says FBI agent Milan Patel, "Greed and the thirst for money always outpace the ability to stop it."