5.28.2008

Card Skimming On the Rise in Bay Area

If you have been listening to local Bay Area newscasts, you may have noticed increased reports over this last Memorial Day weekend of "ATM based thefts" in the South Bay.

These attacks are increasing in prevalence and are aimed at capturing your debit card and credit card numbers along with their associated PINs, in order to execute unauthorized withdrawals or charges against your accounts. The thieves are counting on the fact that you are unlikely to review your credit card or debit account statements frequently enough to detect these events, or that you are likely to ignore withdrawals at locations you visit frequently because you can't remember the last visit. If you have multiple credit cards and bank accounts, this may mean checking activity weekly or daily across many accounts. You know that is time consuming, and so do the thieves, who are betting you won't detect the activity.

Card skimming techniques vary from installing cameras to capture keystrokes to actually modifying card readers or installing "dummy" card readers, capture devices and keypads that record data from the magnetic stripe and/or the keypad. There is evidence this activity is now increasing both worldwide and domestically. It was the reported vector in attacks orchestrated against customers at a number of grocery stores (Lunardi's locally), and in variations of attacks that targeted credit card capture and transmission at POS terminals at grocery stores like Hannaford on the East Coast.

Other than being observant of general quirks in ATMs and card readers (admittedly difficult, since these devices all look different), the next best thing is to check your account activity regularly for events that either fall outside your pattern or don't match your receipts. If your bank or credit card company offers electronic alerts, sign up for those as well.

This is also a reminder that attacks do not come only via e-mail systems; they now arrive via other interfaces you have traditionally trusted. Thieves continue to try to get around traditional password and PIN authentication by targeting other weaknesses in systems.


5.13.2008

Compromised Accounts, BackScatter Activity or Joe-Jobs?

A number of other campuses have been experiencing large volumes of unexplained nondelivery messages in their users' inboxes. These nondelivery (or "bounced") messages, typically from MAILER-DAEMON, appear to indicate that the user has been sending spam to external servers and that the messages have been rejected by the remote servers. (These attacks are also hitting ISPs; I have recently also been receiving a large volume of such bounceback messages in my Comcast.net account, for instance.)

These messages have been a source of confusion and concern for the people who receive them, and they often contact a Help Desk believing their account has been compromised or hijacked. In fact, in most cases, the users' accounts have not been compromised.

As you know, given the nature of e-mail systems, there are no restrictions on what e-mail address is designated as the "from" address in external e-mail. This means that if a spammer elects to forge an SFSU e-mail address as the "from" address for spam messages, there is nothing preventing the spammer from doing so.

Over the past several weeks, it appears that more and more spammers are doing this, as well as selling such information to execute what is known as a Joe job, that is, deliberately targeting individuals using this practice (http://en.wikipedia.org/wiki/Joe_job). This has increased the volume of "backscatter" considerably. Because many spam filtering servers around the Internet are configured to send a nondelivery report to the "from" address of offending messages (even if the "from" address is forged), many of these nondelivery reports are ending up in our users' mailboxes. This general phenomenon is called backscatter spam.

Some things you can do to differentiate what might be happening:
  • If this is a backscatter problem, you will not likely have outbound spam in your SENT folder (as the account was never actually compromised and used to send spam).
  • A user who divulged sensitive information to a spear phisher or had their credentials compromised, say via a keylogger, so that the account is truly hijacked, will often have additional problems such as not being able to access their account, and/or will likely have spam in their sent folder.
We are currently working with our anti-spam vendor, Ironport, to see if they are better able to detect and block backscatter.
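The difference between backscatter and a genuinely hijacked account is easiest to see in the bounce message itself. The following Python script is an added example, not code from the original post or from SFSU's or IronPort's systems: it parses a constructed RFC 3464 delivery status notification (a multipart/report message), pulls out the Action and Status fields and the returned copy of the original message, and checks whether the original's Received: chain ever passed through the campus outbound relay. The relay host name mail-out.example.edu, all addresses, and both sample bounces are assumptions constructed for illustration.

```python
import email
import re
from email import policy

# Assumed outbound relay for the campus (constructed name, not a real SFSU host).
OUR_OUTBOUND_RELAYS = frozenset({"mail-out.example.edu"})

# Matches the "by <host>" clause of a Received: header.
RECEIVED_BY = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)

# Template of a delivery status notification (RFC 3464 multipart/report),
# constructed for this example. {received} is filled with the Received:
# headers of the returned original message.
DSN_TEMPLATE = """From: MAILER-DAEMON@remote.example.net
To: jdoe@example.edu
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

This is the mail system at host remote.example.net.
Your message could not be delivered.

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; remote.example.net

Final-Recipient: rfc822; victim@remote.example.net
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 550 5.7.1 Message rejected as spam

--B1
Content-Type: message/rfc822

{received}From: jdoe@example.edu
To: victim@remote.example.net
Subject: Buy now

body text
--B1--
"""

# Constructed bounce 1: the original never touched our relay (forged From).
BACKSCATTER_BOUNCE = DSN_TEMPLATE.format(
    received="Received: from dsl-pool-1.example.org (unknown [198.51.100.23]) "
             "by remote.example.net with ESMTP id 1\n").encode()

# Constructed bounce 2: the original really left through our relay.
RELAYED_BOUNCE = DSN_TEMPLATE.format(
    received="Received: from mail-out.example.edu (mail-out.example.edu [203.0.113.5]) "
             "by remote.example.net with ESMTP id 2\n"
             "Received: from webmail.example.edu by mail-out.example.edu "
             "with ESMTP id 3\n").encode()


def classify_bounce(raw: bytes, our_relays=OUR_OUTBOUND_RELAYS) -> dict:
    """Classify a bounce as probable backscatter or as worth investigating."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {"is_dsn": False, "action": None, "status": None,
              "claimed_sender": None, "via_our_relay": False,
              "verdict": "not a DSN"}
    if msg.get_content_type() != "multipart/report":
        return result
    result["is_dsn"] = True
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # Each per-recipient block is parsed as its own set of headers.
            for block in part.get_payload():
                if "Action" in block:
                    result["action"] = str(block["Action"]).strip().lower()
                    result["status"] = str(block.get("Status", "")).strip()
        elif ctype == "message/rfc822":
            original = part.get_payload(0)
            result["claimed_sender"] = str(original.get("From", ""))
            # Received: lines are stamped by each MTA that handled the message.
            # A spammer can prepend fake ones, but a copy that never transited
            # our relay will not carry a hop written by it.
            for hop in original.get_all("Received", []):
                m = RECEIVED_BY.search(str(hop))
                if m and m.group(1).lower() in our_relays:
                    result["via_our_relay"] = True
    if result["via_our_relay"]:
        result["verdict"] = "investigate account"   # check Sent folder and relay logs
    elif result["action"] == "failed":
        result["verdict"] = "likely backscatter"
    else:
        result["verdict"] = "undetermined"
    return result


if __name__ == "__main__":
    for name, raw in (("backscatter", BACKSCATTER_BOUNCE), ("relayed", RELAYED_BOUNCE)):
        print(name, classify_bounce(raw))
```

The From: line in the returned original is exactly the field a spammer controls, so it proves nothing on its own; the Received: chain is what shows whether the campus relay ever saw the message. A bounce whose returned copy carries no hop from our relay matches the first bullet above (no spam in the Sent folder because the account was never used), while one that does transit the relay is the case that warrants checking the account.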


5.09.2008

Genuine SMS Alert Messages?

Yes, it is legitimate and not a spam message.

If you recently registered for the SF State Emergency Notification System, you may be receiving SMS messages on the devices you registered in the system. If you specified a text-enabled device in your emergency contact data, you will receive a text message stating:

SFSU TEXT ALERT: You are now confirmed to receive alerts from us. More info text reply "HELP"

This is a test notification and will be sent to phones, e-mail addresses, and any other communication devices on record.

The message will clearly indicate that this is a test; however, you may still wish to give advance notice to anyone who might receive the call or voicemail message (e.g., family members at home).

We are currently working with the vendor for additional unique identifiers for such messages.
