Phishers Are Upping Their Game. So Should You.

Not long ago, phishing attacks were fairly easy for the average Internet user to spot: Full of grammatical and spelling errors, and linking to phony bank or email logins at unencrypted (http:// vs. https://) Web pages. Increasingly, however, phishers are upping their game, polishing their copy and hosting scam pages over https:// connections — complete with the green lock icon in the browser address bar to make the fake sites appear more legitimate.

A brand new (and live) PayPal phishing page that uses SSL (https://) to appear more legitimate.

According to stats released this week by anti-phishing firm Phishlabs, nearly 25 percent of all phishing sites in the third quarter of this year were hosted on HTTPS domains — almost double the percentage seen in the previous quarter.

“A year ago, less than three percent of phish were hosted on websites using SSL certificates,” wrote Crane Hassold, the company’s threat intelligence manager. “Two years ago, this figure was less than one percent.”

A currently live Facebook phishing page that uses https.

As shown in the examples above (which KrebsOnSecurity found in just a few minutes of searching via a phish site reporting service), the most successful phishing sites tend to include not only their own SSL certificates but also a portion of the phished domain in the fake address.

Why are phishers more aggressively adopting HTTPS Web sites? Traditionally, many phishing pages are hosted on hacked, legitimate Web sites, in which case the attackers can leverage both the site’s good reputation and its SSL certificate.

Yet this, too, is changing, says Phishlabs’ Hassold.

“An analysis of Q3 HTTPS phishing attacks against PayPal and Apple, the two primary targets of these attacks, indicates that nearly three-quarters of HTTPS phishing sites targeting them were hosted on maliciously-registered domains rather than compromised websites, which is substantially higher than the overall global rate,” he wrote. “Based on data from 2016, slightly less than half of all phishing sites were hosted on domains registered by a threat actor.”

Hassold posits that more phishers are moving to HTTPS because it helps increase the likelihood that users will trust that the site is legitimate. After all, your average Internet user has been taught for years to simply “look for the lock icon” in the browser address bar as assurance that a site is safe.

Perhaps this once was useful advice, but if so its reliability has waned over the years. In November, Phishlabs conducted a poll to see how many people actually knew the meaning of the green padlock that is associated with HTTPS websites.

“More than 80% of the respondents believed the green lock indicated that a website was either legitimate and/or safe, neither of which is true,” he wrote.

What the green lock icon indicates is that the communication between your browser and the Web site in question is encrypted; it does little to ensure that you really are communicating with the site you believe you are visiting.

At a higher level, another reason phishers are more broadly adopting HTTPS is because more sites in general are using encryption. According to Let’s Encrypt, 65% of web pages loaded by Firefox in November used HTTPS, compared to 45% at the end of 2016.

Also, phishers no longer need to cough up a nominal fee each time they wish to obtain a new SSL certificate. Indeed, Let’s Encrypt now gives them away for free.

The major Web browser makers all work diligently to index and block known phishing sites, but you can’t count on the browser to save you.

So what can you do to make sure you’re not the next phishing victim?

Don’t take the bait: Most phishing attacks try to convince you that you need to act quickly to avoid some kind of loss, cost or pain, usually by clicking a link and “verifying” your account information, user name, password, etc. at a fake site. Emails that emphasize urgency should always be considered extremely suspect, and under no circumstances should you do anything suggested in the email.

Phishers count on spooking people into acting rashly because they know their scam sites have a finite lifetime; they may be shuttered at any moment. The best approach is to bookmark the sites that store your sensitive information; that way, if you receive an urgent communication that you’re unsure about, you can visit the site in question manually and log in that way. In general, it’s a bad idea to click on links in email.

Links Lie: You’re a sucker if you take links at face value. For example, this might look like a link to Bank of America, but I assure you it is not. To get an idea of where a link goes, hover over it with your mouse and then look in the bottom left corner of the browser window.

Yet, even this information often tells only part of the story, and some links can be trickier to decipher. For instance, many banks like to send links that include ridiculously long URLs which stretch far beyond the browser’s ability to show the entire thing when you hover over the link.

The most important part of a link is the “root” domain. To find that, look for the first slash (/) after the “http://” part, and then work backwards through the link until you reach the second dot; the part immediately to the right is the real domain to which that link will take you.
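As an added example (not code from the article), the following Python applies the second-dot rule above to a URL and flags the lookalike pattern seen in the screenshots: a brand’s domain embedded somewhere other than the real domain. The sample URLs are constructed; note that the rule as stated misreads two-level public suffixes such as co.uk, which the code points out but does not correct.

```python
"""Added example: the article's "second dot" rule for finding a link's root
domain, plus a check for brand names that appear outside the root domain.
All URLs below are constructed for illustration.
"""
from urllib.parse import urlsplit


def root_domain(url: str) -> str:
    """Return the root domain of `url` using the article's rule.

    The rule: find the first "/" after "http://" (or "https://"), then work
    backwards to the second dot; what is to the right of that dot is the real
    domain. urlsplit().hostname gives us the same authority portion, but also
    strips any "user@" prefix and ":port" suffix that could confuse a manual
    reading of the address.
    Caveat: for registrations under a two-level public suffix (example.co.uk)
    this rule returns "co.uk", so treat the result as a heuristic.
    """
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    # Walking back to the second dot leaves the last two labels.
    return ".".join(labels[-2:])


def looks_like_impostor(url: str, brand_domain: str) -> bool:
    """True when the brand shows up in the URL but is not its root domain.

    This is the pattern the article describes: a fake page that carries a
    portion of the phished domain in its address (as a subdomain, in the path,
    or before an "@") while the link actually resolves to a different domain.
    """
    brand = brand_domain.lower()
    brand_label = brand.split(".")[0]          # e.g. "paypal" from "paypal.com"
    return brand_label in url.lower() and root_domain(url) != brand


if __name__ == "__main__":
    samples = [  # constructed URLs, not real sites
        "https://www.paypal.com/signin",
        "https://www.paypal.com.account-verify.example/login",
        "https://www.paypal.com@evil.example/login",
        "https://evil.example/www.paypal.com/login",
    ]
    for u in samples:
        print(f"{u}\n  root domain: {root_domain(u)}"
              f"  impostor: {looks_like_impostor(u, 'paypal.com')}")
```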

“From” Fields can be forged: Just because the message says in the “From:” field that it was sent by your bank doesn’t mean that it’s true. This information can be and frequently is forged.

If you want to discover who (or what) sent a message, you’ll need to examine the email’s “headers,” important data included in all email.  The headers contain a lot of information that can be overwhelming for the untrained eye, so they are often hidden by your email client or service provider, each of which may have different methods for letting users view or enable headers.

Describing succinctly how to read email headers with an eye toward thwarting spammers would require a separate tutorial, so I will link to a decent one already written at Just know that taking the time to learn how to read headers is a useful skill that is well worth the effort.

Keep in mind that phishing can take many forms: Why steal one set of login credentials for a single brand when you can steal them all? Increasingly, attackers are opting for approaches that allow them to install a password-snarfing Trojan that steals all of the sensitive data on victim PCs.

So be careful about clicking links, and don’t open attachments in emails you weren’t expecting, even if they appear to come from someone you know. Send a note back to the sender to verify the contents and that they really meant to send it. This step can be a pain, but I’m a stickler for it; I’ve been known to lecture people who send me press releases and other items as unrequested attachments.

If you didn’t go looking for it, don’t install it: Password stealing malware doesn’t only come via email; quite often, it is distributed as a Facebook video that claims you need a special “codec” to view the embedded content. There are tons of variations of this scam. The point to remember is: If it wasn’t your idea to install something from the get-go, don’t do it.

Lay traps: When you’ve mastered the basics above, consider setting traps for phishers, scammers and unscrupulous marketers. Some email providers — most notably Gmail — make this especially easy.

When you sign up at a site that requires an email address, think of a word or phrase that represents that site for you, and then add that with a “+” sign just to the left of the “@” sign in your email address. For example, if I were signing up at, I might give my email address as Then, I simply go back to Gmail and create a folder called “Example,” along with a new filter that sends any email addressed to that variation of my address to the Example folder.

That way, if anyone other than the company I gave this custom address to starts spamming or phishing it, that may be a clue that the company shared my address with others (or that it got hacked!). I should note two caveats here. First, although this functionality is part of the email standard, not all email providers will recognize address variations like these. Also, many commercial Web sites freak out if they see anything other than numerals or letters, and may not permit the inclusion of a “+” sign in the email address field.


Investor Bulletin: Investment Adviser Sponsored Wrap Fee Programs

The SEC’s Office of Investor Education and Advocacy is issuing this Investor Bulletin to provide investors information about investment adviser sponsored wrap fee programs.  This bulletin provides basic information about wrap fee programs and some questions to consider asking your investment adviser before choosing to open an account in a wrap fee program.   

What is a wrap fee program?

A wrap fee program generally involves an investment account where you are charged a single, bundled, or “wrap” fee for investment advice, brokerage services, administrative expenses, and other fees and expenses.  While wrap fee programs may be called different names—such as asset allocation program, asset management program, investment management program, mini-account, uniform managed account, or separately managed account—the defining feature is that they offer bundled investment management and brokerage services for one fee.  There is typically a “sponsor” for a wrap fee program, i.e., the person that, for a portion of the fee, sponsors, organizes, or administers the program or selects, or provides advice to clients regarding the selection of, other investment advisers in the program.  Some wrap fee programs have more than one sponsor.

In a wrap fee program, your fee is generally based on a percentage of the value of your account, rather than upon transactions in your account.  It might be appealing to pay one fee that covers most or all of your investment expenses—but you should be sure you understand what you are actually getting for your money.  Because wrap fee programs bundle services into a single fee, total fees to a client in a wrap fee program may be more or less than obtaining such services separately.

Tip: In general, as an advisory client, a wrap fee based on the value of assets in your investment account may be less if there is a lot of trading activity in your account and the wrap fee covers the costs for executing all or most of the trades.  But if there is little or no trading activity in your advisory account or the trades being made would not otherwise have a transaction fee, a wrap fee arrangement may cost more than separately paying for the services.  You should check your account statements to review the level of trading, and periodically talk to your adviser about the level of trading in your account, the fees involved, and what sort of account makes sense for you. Of course, there may be considerations other than cost, like access to certain managers, that make a wrap fee program right for you.

What services and fees does the wrap fee typically cover?

Wrap fee programs can be a convenient way to include all of your investment services in one fee.  Wrap fee programs vary, so you should always be sure you understand what services are included—or not included—in the wrap fee.

SEC rules require that a wrap fee program brochure be given to you before or at the time you enter into a wrap fee program contract.  The wrap fee program brochure provides you with important information about the program, including information about the services provided and the fees you will pay.  SEC rules also require that a firm brochure be given to you for any investment adviser (other than the sponsor) that provides advisory services to you as part of the wrap fee program.  The firm brochure includes additional important information, including information about the investment adviser’s services and role in the wrap fee program.  Be sure to read the wrap fee program brochure and any firm brochure(s) carefully and to ask questions about anything you do not understand.

You should look for whether the following services and fees are covered by the wrap fee, and consider whether you want or need them to be covered:

  • Investment advice. Investment advisory services are an important ongoing component of wrap fee programs.  They may include financial planning, portfolio management, or advice concerning the selection of other investment advisers.
  • Brokerage costs. Brokerage costs are another important component of wrap fee programs.  They include trade execution costs—the transaction costs of buying and selling securities.  Some broker-dealers may also provide research and/or make recommendations about specific investments. You might pay mark-ups, mark-downs, or spreads in addition to the wrap fee.
  • Administrative expenses. Certain administrative expenses are sometimes included in a wrap fee.  This could include, for example, custodial fees.
  • Other fees and expenses. Other fees and expenses may or may not be covered by the wrap fee.  For example, you might pay mutual fund fees and expenses in addition to the wrap fee.
  • Third-party service provider costs and trading away.  Third-party service providers may provide services to the investment adviser sponsoring the wrap fee program and your account.  The wrap fee typically covers these services.  In some cases, a provider may offer these services in a manner that may result in an additional cost to you.  For example, an investment adviser may select a broker-dealer outside of the wrap fee program to execute certain trades in your account—a practice sometimes referred to as “trading away”—that results in your account incurring separate brokerage fees.

The wrap fee program brochure is required to describe any fees you may pay in addition to the wrap fee and the circumstances under which you might pay such fees.

Example: Trading Away
A wrap fee program charges a single fee that covers investment advisory services from Adviser X and brokerage services from Broker X.  Broker X provides most brokerage services to the wrap fee program, and those services are covered by the wrap fee.  However, Adviser X occasionally selects a different broker-dealer—Broker Y—to provide brokerage services to wrap fee program clients for certain types of transactions.  Because services from Broker Y are not covered by the wrap fee, you might be required to pay brokerage fees for Broker Y’s services that are in addition to the wrap fee.

Questions to consider asking your investment adviser about a wrap fee program:

  • What services are included in the wrap fee program?  Why does the wrap fee program make sense for me as opposed to another account type? Will my account be actively traded or will the account pursue a buy and hold strategy?  
  • Who else will be involved in making investment decisions or providing services to my account?  Will I have any direct contact with them?  Are they affiliated with you or independent? 
  • How often will you review whether the wrap fee program still makes sense for me?  What factors will you assess?
  • What fees and expenses are included in the wrap fee?  For example, will the wrap fee include all my trade execution costs?
  • Other than the wrap fee, what other fees and expenses will I pay? Will these include fees and expenses to other managers/service providers associated with the wrap fee program? What is the likely frequency with which I will incur those fees and expenses?
  • How would I change or cancel my wrap fee program contract if I no longer wish to participate in the wrap fee program?

Enforcement Actions

The SEC has brought several enforcement actions for violations of the Investment Advisers Act of 1940 in connection with wrap fee programs.

Two Firms Charged With Compliance Failures in Wrap Fee Programs

Stifel, Nicolaus & Co. Order

SEC Charges Investment Adviser With Failing to Clearly Disclose Additional Costs to Investors

AIG Affiliates Charged With Mutual Fund Shares Conflicts

Additional Information

Details on an investment professional’s background and qualifications, as well as a copy of the wrap fee program brochure, are available on the SEC’s Investment Adviser Public Disclosure (IAPD) website or on the SEC’s website for individual investors, If you have any questions about how to check the background of an investment professional, you can call the SEC’s toll-free investor assistance line at (800) 732-0330 for help.

The Office of Investor Education and Advocacy has provided this information as a service to investors. It is neither a legal interpretation nor a statement of SEC policy. If you have questions concerning the meaning or application of a particular law or rule, please consult with an attorney who specializes in securities law.


Matt Blaze on Securing Voting Machines


November 30, 2017: Lynn Man Pleads Guilty to Counterfeit Steroid Conspiracy

Food and Drug Administration 
Office of Criminal Investigations

BOSTON – A Lynn man pleaded guilty yesterday in federal court in Boston for his role in a conspiracy to traffic counterfeit steroids, including testosterone and trenbolone, to customers across the country.

Philip Goodwin, 37, pleaded guilty to one count of conspiracy to distribute controlled substances, one count of conspiracy to traffic counterfeit drugs, one count of trafficking counterfeit drugs, one count of possession with intent to distribute controlled substances, and one count of money laundering conspiracy. U.S. District Court Judge Nathaniel M. Gorton scheduled sentencing for Feb. 28, 2018.

In April 2017, Goodwin and five others, including Tyler Bauman, a/k/a “musclehead 320,” were arrested and charged with operating a counterfeit steroid operation on the North Shore.

According to court documents, from approximately May 2015 until April 12, 2017, the conspirators manufactured steroid products – made from raw materials purchased overseas – in Goodwin’s home, and marketed them as “Onyx” steroids using “Onyx” labels that were also ordered from overseas suppliers. Onyx, now owned by Amgen Inc., is a legitimate pharmaceutical company that does not manufacture steroids. 

The defendants allegedly sold the steroids to customers across the United States using email and social media platforms, collected payment through money remitters, such as Western Union and MoneyGram, and used false identifications and multiple remitter locations to pick up the proceeds.  Some of the defendants laundered proceeds from the steroid sales through Wicked Tan LLC, a tanning business located in Beverly, which they owned and operated specifically to launder the proceeds of the steroid operation.

In August 2017, Bauman pleaded guilty to his role in the conspiracy and is scheduled to be sentenced on Jan. 23, 2018.

The charges of conspiracy to traffic in counterfeit drugs and conspiracy to distribute controlled substances provide for a sentence of no greater than five years in prison, three years of supervised release, and a fine of up to $250,000 or twice the gross gain or loss of the conspiracy. The charge of possession of a controlled substance provides for a sentence of no greater than 10 years in prison, three years of supervised release, and a fine of up to $250,000 or twice the gross gain or loss of the conspiracy. The charge of trafficking in counterfeit drugs provides for a sentence of no greater than 20 years in prison, three years of supervised release, and a fine of $5 million. The charge of money laundering conspiracy provides for a sentence of no greater than 20 years in prison, three years of supervised release, and a fine of $500,000 or twice the value of the property involved in the laundering transactions. Sentences are imposed by a federal district court judge based upon the U.S. Sentencing Guidelines and other statutory factors.

Acting United States Attorney William D. Weinreb; Michael Shea, Acting Special Agent in Charge of Homeland Security Investigations in Boston; Shelly Binkowski, Inspector in Charge of the U.S. Postal Inspection Service; and Jeffrey Ebersole, Special Agent in Charge of the Food and Drug Administration, Office of Criminal Investigations, New York Field Office, made the announcement today. Assistant U.S. Attorneys Amy Harman Burkart and David J. D’Addio of Weinreb’s Cybercrime Unit are prosecuting the case. 

Drug Trafficking

USAO – Massachusetts

November 30, 2017: Paramedic Sentenced for Stealing Fentanyl from Ambulance Company

BOSTON – A paramedic was sentenced today in federal court in Boston for diverting fentanyl intended for patients for his own use and for extracting fentanyl from vials stocked on ambulances and replacing the fentanyl with saline.

Joseph V. Amello, 50, of Rowley, Mass., was sentenced by U.S. District Court Judge Douglas P. Woodlock to 30 months in prison and three years of supervised release.  In June 2017, Amello pleaded guilty to one count of acquiring a controlled substance by deception, fraud, and forgery, and one count of tampering with a consumer product.

From approximately November 2014 to August 2015, while working as a paramedic for an ambulance company, Amello stole over 650 5-ml vials of fentanyl for his own use.  In addition, beginning around July 1, 2015, Amello removed fentanyl from a number of vials intended for ambulance patients and replaced the fentanyl with saline.

Acting United States Attorney William D. Weinreb; Jeffrey Ebersole, Special Agent in Charge of the U.S. Food and Drug Administration, Office of Criminal Investigations, New York Field Office; and Commissioner Monica Bharel, M.D., M.P.H., of the Massachusetts Department of Public Health, Division of Food and Drugs, Drug Control Program, made the announcement today. Assistant U.S. Attorney Miranda Hooker of Weinreb’s Narcotics and Money Laundering Unit prosecuted the case. 
Prescription Drugs

Consumer Protection

USAO – Massachusetts