Password thieves prey on Pinoy Internet users
abs-cbnnews.com | 06/04/2008 6:42 PM
(First of three parts)
By DAVID DIZON
abs-cbnNews.com
2007 Newsbreak Investigative Writing Fellow
On November 29, 2007, 27 Magdalo officers including Senator Antonio Trillanes IV marched out of a Makati courtroom and holed up at the Manila Peninsula Hotel to demand the resignation of President Arroyo. Hours later, the group would surrender after security forces entered the hotel to arrest the rebel soldiers.
Curiously, the Internet and Security Warfare blog, which is allegedly run by hackers, warned readers to avoid Makati City a day before the Manila Peninsula standoff.
"Should the e-mails we received are true, something interesting will happen in Makati tomorrow. A group of Greek Hackers intercepted e-mails from, according to them, high ranking officials. This is scary, stay away from Makati tomorrow," read the November 28 entry of the ISAW blog (http://technews-isaw.blogspot.com).
Four days after the standoff, the ISAW blog revealed that the intercepted e-mails did not come from ISAW members "but were forwarded by other hackers sympathetic to ISAW's cause -- that is to protect the Philippine information superhighway."
"The e-mail containing the info about the Makati incident was among the hundreds of e-mails harvested from an Internet cafe in Manila. ISAW reported just this year about the existence of keyloggers in Metro Manila and the e-mails that we received came from these keyloggers," the blog said in its December 3, 2007 entry.
It also said that another hacker who regularly sends "captured" e-mails to ISAW revealed that the Web site of the group involved in the Makati incident is being edited in Internet cafes.
At least two sources interviewed for this article confirmed that the alleged interception of government officials’ e-mails is genuine. One source admitted that the interception of government e-mails could continue unless officials take measures to secure all their messages.
On December 12, 2007, the ISAW group officially shut down its blog, deleted all old posts and proclaimed itself a "legitimate whitehat community." It also posted the numbers of the National Bureau of Investigation and the Philippine National Police on the blog.
Several members of the old ISAW group refused to go legit, however. The new group, which now calls itself Internet Hacking and Warfare (IHAW), said it would continue where ISAW stopped by reporting hacking incidents and vulnerabilities of various Web sites in the Philippines.
"While life would be easier now at ISAW because of legitimacy and funding, we believe that the things that we are doing should be done without somebody looking over our shoulders. Yes, there was a promise of independence but what we are doing borders between the white and the black and could be used against us anytime," IHAW said in its first entry (http://technews-ihaw.blogspot.com).
Electronic espionage
The interception of government e-mails is not unique to the Philippines. Last November, Swedish IT security consultant Dan Egerstad claimed he had access to 1,000 e-mail accounts of embassies scattered throughout the world by using the Tor anonymity network, which can be downloaded freely on the Web.
Tor, software originally developed by the US Navy, uses cryptography and lets users browse the Internet and send e-mails anonymously by routing Internet requests through a random series of volunteer-run Tor network nodes.
But the system has weaknesses, one of which Egerstad allegedly discovered. Egerstad said he installed Tor software in five data centers around the world and found that sensitive e-mails passing through his Tor exit nodes could be intercepted.
To prove his point, Egerstad posted usernames and passwords for more than 100 e-mail accounts at embassies and governments worldwide. Of the compromised accounts, 10 belong to the Kazakh embassy in Russia and around 40 belong to Uzbeki embassies and consulates around the world.
This form of electronic espionage is just one way whereby sensitive information is leaked on the Internet.
Before it was shut down, the ISAW blog even revealed that eight out of 10 Internet cafés in Manila have keylogging software or keyloggers that are used to capture keystrokes of the user, including passwords. These passwords can then be extracted at leisure from the keylogger device or sent as a text file via e-mail to the cyber thief.
ISAW said these programs can sometimes be used by law enforcers to catch criminals who are using the Internet to communicate with others. However, the same program also makes it easy for criminals to capture sensitive e-mails that are sent through Internet cafés.
A bank officer who spoke on condition of anonymity said their company encourages clients to do online transactions on banking kiosks instead of Internet cafés because of the very high risk that their accounts could be compromised as a result of keyloggers.
Armand Hernandez, managing director for Netnode Technologies Inc., says hardware keyloggers are sometimes used by private companies to test the typing speed of applicants. He said that while keyloggers are not commercially available, keylogger devices can be purchased in hacking circles.
"By nature, [keyloggers] are illegal, but, of course, it is not designed for that. Technology can be tweaked for any purpose including illegal activities," he says.
He says that in some countries, keylogger software is used for crime prevention. "This is part of hacktivism and is used more for protection of the company that owns the system. It is also in use in high-profile places where there is a lot of confidential data. In those places, everything is recorded including what you type in your computer," he said.
Losing your key
The first key towards getting sensitive data is through password theft.
Various Internet security and software companies have identified password theft as one of the top 10 threats affecting Internet users today. Active Internet users in the Philippines have much to fear from it.
Almost any secure site needs some form of user ID or password before it can be used. This includes personal e-mail, work e-mail, bank accounts, credit card accounts, online forums, and even social networking sites. Losing a password to these sites could lead to a lot of headaches, especially if one uses the same password for different sites.
"Losing your password is like losing your house key to some very bad men. They can steal your identity and impersonate you, steal your stuff, use your phone, and do all kinds of criminal activities," explains Palmer Mallari, an agent of the National Bureau of Investigation Anti-Fraud and Computer Crimes Division.
According to Mallari, password theft occurs when a person or group gains unauthorized access to an online system or network after stealing a passkey or pin code provided either by the user or the system itself.
In the case of e-mail security breaches, a hacker can steal personal information, exploit contacts, maliciously spread false information about the original e-mail owner, or commit crimes online.
Under Section 33 of Republic Act No. 8792, more commonly known as the E-Commerce Act, the crime of hacking or cracking is described as "unauthorized access into or interference in a computer system/server or information and communication system; or any access in order to corrupt, alter, steal, or destroy using a computer or other similar information and communication devices, without the knowledge and consent of the owner of the computer or information and communications system, including the introduction of computer viruses and the like, resulting in the corruption, destruction, alteration, theft or loss of electronic data messages or electronic document."
Offenders face a minimum fine of P100,000 and a maximum commensurate to the damage incurred and a mandatory imprisonment of six months to three years.
Friends, relatives are suspect
Mallari says the earliest reported cases of password theft in the country involved blackmail. After illegally gaining access to a person’s e-mail through a stolen password, the offender would then threaten to disclose sensitive or malicious information about the e-mail owner until he agrees to pay the cyber crook.
"We have cases of people losing control of their e-mail accounts but sometimes the suspects are the relatives of the e-mail owners. Some people are victims of blackmail after a friend or relative finds out harmful information about the e-mail owner, such as an illicit affair, and threatens to reveal it," he says.
Buddy Acenas, research and development director for security firm Beacon Information Services, says most cases of online password theft can be traced to the owner’s offline behavior. Some users still write down their passwords on Post-it Notes or a piece of paper and then stick it in places where anyone can see it. Others freely share their passwords with friends or co-workers. Others forget to log off from e-mail or forums after using computers at work or in Internet cafes. This is a passive form of password theft that requires little or no effort on the part of cyber thieves to steal a person’s information.
Vital clues
Hernandez notes that a person’s online behavior can also give vital clues that would make it easier to guess his password. For example, a person could post all vital information—age, address, phone number, alma mater, and special interests—in his Friendster or Multiply account. Anyone can then look at this information and use it to guess a password. He says some of the most common passwords are the user’s own name or username, the name of their spouse or relative, birthdates, children’s names, or a combination of any of the information provided.
Hernandez, who is one of the few Certified Ethical Hackers in the Philippines, says the Internet has also allowed wannabe "crackers" to easily learn the tricks of the trade in stealing passwords.
"You can hack an account with just a computer terminal and a dictionary," he said. Using the method known as "brute force attack," a cyber crook tries to randomly enter passwords into a system until he guesses the correct one.
He says that aside from a person’s online and offline behavior, some freely available tools on the Internet have made password cracking easier. "You cannot hack randomly, there has to be a plan. Given enough time and the right tools, a person can hack into an account," he explains.
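The guessing described above works because the password is built from facts the owner has already published. The following check is an added example, not code from the article or from any of the people quoted in it: it rejects a candidate password that contains the user's own name, username, spouse or children's names, birthdate in common layouts, or a short constructed word list standing in for a cracking dictionary. The profile fields, the sample profile and the word list are all assumptions made for illustration.

```python
"""Reject passwords that can be guessed from a user's public profile or
from a dictionary. Added example; profile fields, sample profile and
word list are constructed for illustration, not taken from the article."""

import re
from datetime import date

# Constructed stand-in for a real cracking dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "iloveyou", "manila", "admin"}

# Constructed sample profile of the kind a user might post on a social site.
SAMPLE_PROFILE = {
    "username": "jdelacruz",
    "name": "Juan dela Cruz",
    "spouse": "Maria Santos",
    "children": ["Pepe", "Pilar"],
    "birthdate": date(1985, 6, 15),
}


def _normalize(s):
    """Lowercase and drop everything that is not a letter or digit."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def _undo_leetspeak(s):
    """Map common symbol/digit substitutions back to letters (p@55w0rd -> password)."""
    return s.translate(str.maketrans("013457@$!", "oleastasi"))


def profile_tokens(profile):
    """Strings an attacker could lift from the profile: whole names, name parts,
    username, and the birthdate written in several common layouts."""
    tokens = set()
    for key in ("username", "name", "spouse", "children", "alma_mater"):
        val = profile.get(key)
        if not val:
            continue
        for v in (val if isinstance(val, (list, tuple)) else [val]):
            whole = _normalize(v)
            if whole:
                tokens.add(whole)
            for part in v.split():
                p = _normalize(part)
                if len(p) >= 3:  # skip "de", "la" and similar short particles
                    tokens.add(p)
    bd = profile.get("birthdate")
    if bd:
        for fmt in ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%d%m%y", "%m%d%y", "%Y", "%d%m"):
            tokens.add(bd.strftime(fmt))
    return tokens


def check_password(password, profile, min_len=8):
    """Return (ok, reason). Both the raw password and its de-leetspeaked form
    are tested as substrings against the dictionary and the profile tokens."""
    if len(password) < min_len:
        return False, "too short"
    candidates = {_normalize(password), _normalize(_undo_leetspeak(password.lower()))}
    tokens = profile_tokens(profile)
    for c in candidates:
        for w in COMMON_WORDS:
            if w in c:
                return False, "contains dictionary word: " + w
        for t in tokens:
            if t in c:
                return False, "contains profile data: " + t
    return True, "ok"


if __name__ == "__main__":
    for pw in ("JuanDelaCruz85", "Maria1985!", "P@ssword123", "correct-horse-battery"):
        print(pw, check_password(pw, SAMPLE_PROFILE))
```

The de-leetspeak step matters because users who are told "add a number or symbol" most often substitute characters inside the same guessable word, which a dictionary with substitution rules recovers instantly.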
Tools of the cyber thief
One of the most effective methods being used for password theft is social engineering.
Mallari describes social engineering as any method used by schemers to acquire valuable information from their targets through ordinary human interaction. "It’s all sweet talk and preys on the gullibility of the person. One can get very crucial information sometimes with just the use of a telephone," he says.
He says social engineers can pose as representatives of banks or credit card firms and ask for personal information about the target. With the right persuasion, the person might give them the card number, billing address, social security number, and mother's maiden name. Others pose as relatives or co-workers who call up the secretary of the target and say that he wants to wish the person a happy birthday. The secretary would then volunteer information about his or her boss’s birth date.
Social engineering is particularly troublesome for banks and credit card companies because the questions asked of the account owner are personal in nature and should only be known by the owner of the account. A cyber crook who has done his homework can easily bypass any two-step authentication set up by a bank or credit card company after he has stolen the password or pin code of the account owner.
The spread of the ILOVEYOU virus by Filipino hacker Onel de Guzman can also be considered as a form of social engineering. Though seemingly simple in nature, the virus spread like wildfire after victims started clicking on the e-mail attachment to find out why people were saying "I love you."
Fake Web sites
Another common password-stealing method that relies on social engineering is "phishing." Phishing (a play on the word fishing) is the practice of fraudulently acquiring sensitive information—such as usernames, passwords, and credit card details—by masquerading as a trustworthy entity in an electronic communication.
Phishing usually spreads via e-mails that frighten or entice the user to visit a phony Web page and to enter an ID and password. In most cases, the e-mail says that the user’s account has been hacked and requires the person to click on a link that leads to a fake Web site, which looks exactly like the real thing.
Earlier this year, several large banks warned their clients of fake e-mail notices that were asking users to enter their confidential information in phishing sites. Trend Micro Philippines said there have been several reports of credit card details being illegally obtained via phishing.
One phishing victim says his password was hacked after he clicked on a forwarded link that was supposed to lead to a Web site that contained photos of his friends. He was surprised, however, when it led back to a Yahoo e-mail login page, which said that he had been logged out. He said he innocently entered his username and password and logged back in, only to find out later that he had been victimized by a phishing site.
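The victim above was caught because the fake login page looked right while its address did not. The following checker is an added example, not code from the article or from any company named in it: it pulls the real hostname out of a link and classifies the link against an allow-list of domains the user actually logs in to, flagging the usual address tricks (a legitimate brand name buried in an unrelated host, a user@host prefix, a bare IP address, or a non-web scheme). The allow-list and the sample links are constructed for illustration.

```python
"""Classify a link as 'legit', 'suspicious' or 'unknown' by the host it
really points to. Added example; the allow-list and sample URLs are
constructed, not taken from the article."""

from urllib.parse import urlsplit

# Constructed allow-list: domains this user legitimately signs in to.
LEGIT_LOGIN_DOMAINS = {"yahoo.com", "example-bank.com.ph"}


def host_of(url):
    """Lowercased hostname of an http(s) URL, or None for any other scheme.
    urlsplit().hostname already strips userinfo and port."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return None
    return parts.hostname


def belongs_to(host, domain):
    """True only if host is the domain itself or a real subdomain of it;
    'notyahoo.com' and 'yahoo.com.evil.example' both fail this test."""
    return host == domain or host.endswith("." + domain)


def classify_link(url):
    parts = urlsplit(url.strip())
    host = host_of(url)
    if host is None:
        return "suspicious"  # javascript:, data:, mailto: or no host at all
    if "@" in parts.netloc:
        return "suspicious"  # "https://mail.yahoo.com@203.0.113.5/" really goes to the IP
    if host.replace(".", "").isdigit():
        return "suspicious"  # bare IP address instead of a domain name
    if any(belongs_to(host, d) for d in LEGIT_LOGIN_DOMAINS):
        return "legit"
    # A known brand name inside an unrelated host is the classic lookalike.
    for d in LEGIT_LOGIN_DOMAINS:
        brand = d.split(".")[0]
        if brand in host:
            return "suspicious"
    return "unknown"


# Constructed sample links of the kind that arrive in forwarded e-mails.
SAMPLE_LINKS = [
    "https://login.yahoo.com/?done=photos",
    "http://login.yahoo.com.photos-of-friends.example/",
    "https://mail.yahoo.com@203.0.113.5/login",
    "https://notyahoo.com/",
    "https://www.example-bank.com.ph/online",
    "https://news.example.org/",
    "javascript:void(0)",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(classify_link(link).ljust(10), link)
```

The decisive comparison is `belongs_to`, which anchors on the registered domain from the right-hand end; any check that merely looks for "yahoo.com" somewhere in the address would pass the second sample link, which is exactly the kind of page the victim landed on.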
Gov’t servers used
Most phishing sites are hosted on compromised servers. Some have even been found on domains registered to the Philippine government, according to the Symantec Government Internet Security Threat Report for 2007.
The Symantec report revealed that during the first six months of 2007, domains registered to the Philippine government accounted for five percent of phishing URLs hosted on government servers in the entire Asia-Pacific region. At the same time, four percent of the unique government domains used to host phishing sites were located in the Philippines.
Top government domains used in phishing URLs
Source: Symantec Government Internet Security Threat Report Trends Volume XII

Rank  Country         Percentage of phishing URLs on government servers
1     Thailand        16%
2     Argentina       11%
3     United States   10%
4     Brazil          8%
5     Colombia        8%
6     Indonesia       8%
7     Ecuador         8%
8     Philippines     5%
9     Turkey          5%
10    Paraguay        3%
The anti-spam company MailFoundry has revealed that the e-mail server of the Department of Labor and Employment (www.dole.gov.ph) running on RedHat Linux was once used to host a phishing outbreak that targeted eBay users.
An official of the DOLE’s management information system division admits that their e-mail server might have been compromised by hackers, but insists that it was immediately fixed. He said that one problem faced by government is limited funds for more secure systems to prevent such incidents from recurring.
Moving too fast
Acenas says many Filipinos are having such a hard time catching up with the latest technological advancements on the Internet that security is the furthest thing from their minds.
He said that in the early days of the Web, Filipinos used the Internet mainly for research and chats usually through a dialup, which uses both a username and password. As the technology advanced, however, more In