Slashdot is powered by your submissions, so send in your scoop

 


Forgot your password?
Close
typodupeerror
Security Communications The Internet

Evolving Phishing Attacks Using Web Vulnerabilities? 179

Posted by Cliff from the how-to-protect-against-the-new-generation-of-annoyance dept.
miahrogers writes "The IRS Scam from a few weeks ago was not the the usual canned phishing attack; it exploited a vulnerability in the IRS benefits website to make users think they were at a government site. Also, according to Infoworld, eBay's own fraud team was tricked into thinking a phishing email was legitimate eBay correspondence. Mix the above IRS exploit with a phony email and you have misplaced trust that foils even professional fraud teams. Interestingly enough, the newest addition to my bookshelf predicted these attacks in full detail. From chapter 4: 'Combined with vulnerable Web servers allowing the "trusted" domain to launch the attack, it will be harder to determine whether the email is or isn't legitimate. When a person turns in the e-mail to question its legitimacy, due to the known marketing campaign a tech support representative may overlook the fraud report and tell the customer that XYZ company did send out such a marketing e-mail and it is OK to click the links.' Are phishers using this book as a tool, or is it a legitimate prediction? As an IT professional, what efforts should our corporate IT department be making to proactively to eliminate these vulnerabilities?"
This discussion has been archived. No new comments can be posted.

Evolving Phishing Attacks Using Web Vulnerabilities? More

Evolving Phishing Attacks Using Web Vulnerabilities?

Comments Filter:
  • Ever, ever, ever....
    • As we can see, even professionals can be fooled! Caution should always be exercised. You have to determine what level of trust you grant to everything you come across on the internet, and you cannot rely solely on others to determine at what level you should trust information. You need to use a combination of your personal experience and outside information to set that level of trust.
    • So are you saying I shouldn't order anything from the email I received yesterday that had the subject "MASTERDICK!"?

      BTW, I'm not kidding about the email, either. Definitely one of the better pieces of spam that's come my way...

  • All this will stop on the day... (Score:4, Funny)

    by b4k3d b34nz ( 900066 ) on Tuesday December 20, 2005 @01:04PM (#14299497)
    ...that IE7 comes out with it's phishing filter. :P

    • Re:All this will stop on the day... (Score:4, Funny)

      by ThosLives ( 686517 ) on Tuesday December 20, 2005 @01:15PM (#14299599) Journal
      Only because of your sig: Did you really mean "The phishing filter owned by IT (Information Technology, or perhaps the Stephen King demon)," or did you incorrectly form the possessive of 'it'?

    • Only because of your sig: Did you really mean "The phishing filter owned by IT (Information Technology, or perhaps the Stephen King demon)," or did you incorrectly form the possessive of 'it'?

      Well isn't that ironic. Actually, I rephrased myself at the last minute and didn't catch that. Let's see if I can get modded up for the same joke twice. Here "it's" again:

      All this will stop on the day...that IE7 comes out with its phishing filter. :P

    • Is it too late to trade-mark the name 'philter'?
    • ...the day that IE7 comes out with it's phishing filter.

      The Applied Cryto Group [stanford.edu] has had two anti phising extensions out for some time. One is for IE and Firefox, the other is for IE only.

      From the site: " SpoofGuard [stanford.edu] is a browser plug in that is compatible with Microsoft Internet Explore. SpoofGuard places a traffic light in your browser toolbar that turns from green to yellow to red as you navigate to a spoof site. If you try to enter sensitive information into a form from a spoof site, SpoofGuard will sav

    • ...that IE7 comes out with it's phishing filter. :P

      Then in the sig...

      Grammar Lesson: "you're" is a contraction of "you are"; "your" means you possess something; "yore" means days gone by.

      That's too rich. Let me try:

      Grammar Lesson: "it's" is a contraction of "it is"; "its" is the possesive form of "it"; "IT" was the last decent Stephen King novel. :) (couldn't resist)

  • Simple: Ensure that your "trusted" sites really ca (Score:5, Insightful)

    by eldavojohn ( 898314 ) * <eldavojohn.gmail@com> on Tuesday December 20, 2005 @01:06PM (#14299513) Journal
    I would suggest reading up on the security measures you currently use. Maybe you use HTTPS and should read up about the security zones [microsoft.com] you can make using HTTPS.

    If you can verify that your trusted sites really are trusted, then you should feel safer.

    I think a lot of companies fall victim to using a security method X with out investigating security methods W, Y & Z. After minimal investigation, it might be clear that X has had problems in the past and there is a lot of buzz about possible future problems (like the book in the article might point out).

    I don't know a ton about security but I would suggest you simply make yourself a subject matter expert and look out for possible problems with your particular security method.

    • Re:Simple: Ensure that your "trusted" sites really (Score:5, Insightful)

      by Ed Avis ( 5917 ) <ed@membled.com> on Tuesday December 20, 2005 @01:12PM (#14299565) Homepage
      Why on earth don't Ebay GPG sign their messages? Even if most users wouldn't check the signature, at least their own fraud team could tell what was genuine Ebay correspondence and what wasn't...

      • Why on earth don't Ebay GPG sign their messages? Even if most users wouldn't check the signature, at least their own fraud team could tell what was genuine Ebay correspondence and what wasn't...

        I think this is simply a case example of one security measure being sufficient up to this point and so there is no reason to go through all the trouble of implementing a possibly better method.

        Another thing to add to your list of security DO's, always keep your eye open for a better (even if it's different) sol

      • Why on earth don't Ebay GPG sign their messages?

        Why do that, when they won't even use their server software to rewrite requests for ebay.com graphics from unexpected referrers to ones that have "THIS IS A SCAM" overlaying them? When a phisher can build a near-perfect replica of a message from EBAY, PAYPAL, CHASE BANK, or wherever, just by linking to the official website graphics, cryptographic signing of messages is virtual fluff.

        • If they do that then people will just save the images to their own (or a cracked) server and send phishing attacks with the images on there.
        • Why do that, when they won't even use their server software to rewrite requests for ebay.com graphics from unexpected referrers to ones that have "THIS IS A SCAM" overlaying them?

          Who's the referrer when it's your email package that's requesting the image?

          (And yes, I know you should allow your email package to display HTML with remote images, but people do and this is the main technique phishers use to make their messages look legitimate.)

          • (And yes, I know you should allow your email package to display HTML with remote images, but people do and this is the main technique phishers use to make their messages look legitimate.)

            Exactly.

            And that is exactly why people like eBay, banks, etc should never send mail which embeds remote images, and, ideally, should never send HTML formatted mail at all (or, probably, any other format more complex than plain text).

      • Perhaps because it's trivial to forge a signature? It's just the public key stuck on the end of the message - if spammers can forge a few Received-by: headers and make links like <a href="http://spamsite.com/">http://ebay.comlt/a&g t [ebay.comlt];, how much harder would it be to also add a couple more headers and a fake signature to their spam?

        The "right" way to do it would be for everyone to send eBay their key once and then for eBay to send out encrypted mail using that key - but that'd increase eBay's proc

        • digital signature (Score:2, Informative)

          by Anonymous Coward
          FYI, a signature is not the public key. Rather, it is a hash of the message, that has been encrypted by the private key of the sender.

          You find the senders public key, use it to decrypt the hash, then compare it to a hash of the message that you've made yourself.

          If the two match, you know the message has not been tampered.

          (all this is typically done more or less transparently by software)

      • Because... (Score:2)

        by jd ( 1658 )
        ...they're stupid? Well, maybe that's a little unfair - many e-mail clients don't support PGP or GPG. However, Thunderbird DOES support X.509 certificates and therefore they could certainly use X.509 to sign their e-mails. I believe X.509 is also the system used by Outlook (bah! bumbug!) and other "popular" e-mail clients. Dunno why - there are more people with GPG keys than X.509 certificates, but that's what's supported at present. At the very least, signature support DOES exist and COULD be used, so damn
        • I wish I had mod points. Seems like an easy enough task for companies to do and would sure reduce the ammount of phishing spam we see.
      • PGP/GPG signatures - The software exists but would preclude traditional webmail. The only way it would work on webmail is if your machine has a cerification server the webmail could send the e-mail to. The cerification server would then digitally sign the e-mail and return it to the webmail server. Very very few regular clients support PGP or GPG. The only way to make this mobile is to have the encryption keys stored on a USB device and even then, not all libraries or cyber-cafes allow you to plug in USB de

  • Don't click the links. (Score:3, Informative)

    by Harmonious Botch ( 921977 ) on Tuesday December 20, 2005 @01:06PM (#14299518) Homepage Journal
    It's that simple. Just go to the web page directly.
    • The problem with the govbenefits.gov Web site isn't serious and doesn't leak sensitive data about individuals. However, it does provide an easy way for scam artists to make their phishing attack more convincing, Cluley said. The phishers even advise recipients to cut and paste the Web link into their Web browser rather than clicking on it, Sophos said.
    • But typing http://www.f773js93skv0fjdakd9da4js0d9skdsdll23-39 sdksdf.ebay-h4xx0r.com/ [ebay-h4xx0r.com] is too hard. It's much easier to click the link...
    • I don't even do that, if I don't have a bookmark saved, I Google for the company name and click on a link from there, rather than risk making a typing mistake that could take me to a fake site. At least when I'm going to be doing financial transactions, like on paypal or my bank or something.
    • 100% with ya.
      I don't understand why anyone with a clue would click on anything in email.

      Don't even cut and paste, just type. Companies could make it easier by using shorter and easier to type urls as well. Banks and other sites with sensitive info, should make it policy to not include links at all.

      Then they should send an email (or letter) to customers informing them of the policy.

      • Personally, about 90% of the legitimate emails I receive from companies & websites include clickable links as the primary way of directing you to their site.

        "Click here to track your Amazon.com purchase", "Click here to read more of this Onion article", "Click here to complete the registration process for your forum account", "Click here to pay your latest Cellphone/Electricity/Cable TV bill".

        Of course there's secure ways to do each of these (navigate to the home page and log in, then enter tracking/aut

  • This reeks (Score:5, Insightful)

    by Deep Fried Geekboy ( 807607 ) on Tuesday December 20, 2005 @01:07PM (#14299525)
    It's flippin' ridiculous that email still doesn't have any form of simple sender verification, which would eliminate not just phishing but about 90% of spam.
    • I fully agree with you. Preferably, in order for mailservers to accept mail you should have to be registered with community database of 4048 bit SSL public keys. That way as soon as a mailserver started sending out spam you'd just revoke their SSL certificate. No more zombie pcs sending out spam and phishing crap.

    • Re:This reeks (Score:2, Insightful)

      by griffindj ( 887533 )
      if the USPS has no such sender verification on standard mail... what makes you think you'll ever see it on the internet?

      As long as their are uneducated people who are willing to sign up to this month's publisher's clearing house lottery or free chance to win an ipod, there will be people willing to take advantage of that.

      Educate as many people as you can. And when they laugh at your paranoia, be content in knowing that your tin foil hate keeps the government from listening in on your thoughts.

    • Re:This reeks (Score:5, Insightful)

      by CastrTroy ( 595695 ) on Tuesday December 20, 2005 @01:21PM (#14299641)
      It does. It's called PGP. The problem is, nobody uses it. Most webmail clients don't work well with it, how could they? they'd need to store your private key, which I wouldn't trust any free webmail client with. I'm surprised that EBay and Paypal don't support PGP encrypted/signed email. I get tons of phishing messages with their names on it. They also send out a lot of email, as it's often the only way to communicate with their customers. I think it would help out their customers a lot if they provided a way to verify that a message was actually from Paypal/Ebay. Maybe not everyone would be savvy enough to take advantage of it, but it would be nice for those who knew how it worked.

      • Re:This reeks (Score:2, Interesting)

        by GigsVT ( 208848 ) *
        how could they?

        A browser plugin could do it easily without exposing your private key. Start writing! :)
      • I agree with you that public key cryptography could help sophisticated users avoid these schemes more easily. However, there are several problems with this approach which must be resolved before such a solution could become widely adopted:

        1) As you said, the PGP integration with popular e-mail clients, and web clients in particular, is either non-existent or cumbersome.

        2) The level of sophistication required to deploy and use public key cryptography is above the competence level of the average e-mail
        • 4) I said it would be nice if they had the option. It wouldn't take that much effort to implement, and it would let them see how much interest there really is in a system like this. They would only send out signed/encrypted emails to those who opted in, and send the regular old emails to everyone else. They'd just have to have a way of letting people know about the new feature. A story on slashdot would probably go a long way in notifying interested people.
      • Hushmail. [hushmail.com]
      • Maybe not everyone would be savvy enough to take advantage of it, but it would be nice for those who knew how it worked.

        Unfortunately, the tech savvy among the users would be the least likely to need such a feature to determine if the email was legitimately from ebay, paypal, their bank, etc. We know the rules about suspicious email. It is the so-called "unwashed masses" that don't.
    • Hopefully, more people/companies will start using SPF (spf.pobox.com). I believe this would help prevent this kind of attack. It's pretty easy to start publishing SPF records...
      • I'll start using it as soon as I see that about 80% of the rest of the world is using it.
        • It costs nothing to publish SPF records, and publishing them does not require you to treat incoming mail any differently.
          • What about for personal e-mail servers running via DynDns.org for DNS? Currently I can run my e-mail server for free, and get the benefits of IMAP and other features without paying extra fees to various organizations. I do have to relay outgoing mail through my ISPs mail servers, but otherwise it works fine.

            How would I set up SPF for this?
      • The biggest issue I have with SPF is that too many of the big players don't want to use it. Or they use it but seem indecisive about what hosts are allowed to send email for them. For example:

        yahoo.com, peoplepc.com, sbc.com, fbi.gov, irs.gov, irs.com, whitehouse.gov - no SPF records at all

        gmail.com, google.com, aol.com, verizon.com - includes ?all in their SPF record which basically says "these are my authorized senders but other hosts are probably ok too.

        hotmail.com, msn.com, charter.net, ebay.com, usba
        • Companies like ebay, paypal and citibank need to be sure that if someone sends a legitimate email, it goes through even if IT forgot to add a new mail server to the SPF record (or whatever it might be). That email might be something from paypal telling you that they have frozen your account and that it is now in the red and that if you dont pay up right now, they will send debt collectors after you. Or something else important.
           
          • And if it is rejected and they get a bounce message they could jump on the IT dept for not doing their job. eMail isn't and shouldn't be relied upon for extremely critical communications. What if there is a disk crash? A software bug, etc?

            Besides, It's not like mail servers just bring themselves online and start participating in sending mail without anyone knowing that it is going to happen. Plus they could just as easily provide all full netblocks that they control in their SPF record. Then the record

  • Wellll (Score:3, Funny)

    by OverlordQ ( 264228 ) on Tuesday December 20, 2005 @01:08PM (#14299529) Journal
    As an IT professional, what efforts should our corporate IT department be making to proactively to eliminate these vulnerabilities?

    Hard code your error messages, hard code everything you can, rely on user input as little as you can, and always treat it like nuclear waste.

  • Personal Responsibility (Score:4, Insightful)

    by WickedClean ( 230550 ) on Tuesday December 20, 2005 @01:08PM (#14299530) Homepage
    Why does it always have to be the fault of the business websites? No matter how safe and secure you think something is, there will always be some jackass that falls victim to something because there will always be criminals preying on the ignorant. The REAL problem is uneducated users. It isn't that hard to spot a fraud if you just take a minute to look around. I know it is a lot to expect people to have a more than basic understanding of how the web works, but maybe they should try to learn something before casually posting their personal and financial info online.
    • When I post something about users being uneducated (ok, so I called the morons) I get modded down to troll.....

      Anyway, I've been saying that for years. I have a solution though, and have mentioned it before. Licensing. Want to own a computer? Fine, buy one. When you want to go online, you'll need a license. Like to send and receive email? That requires an endorsement. Same goes for running a server of any type. Messages cannot be sent without license identification and abusing users can cause their
      • That's an interesting theory, but how would you enforce international internet licensing? Who would be responsible for kicking unauthorized users off the internet? How would they even know who is licensed? While this might theoretically solve many problems, it seems too impractical to even begin to implement.
      • I have a solution though, and have mentioned it before. Licensing. Want to own a computer? Fine, buy one. When you want to go online, you'll need a license. Like to send and receive email? That requires an endorsement. Same goes for running a server of any type. Messages cannot be sent without license identification and abusing users can cause their operators license to be revoked. No valid license, no connectivity.

        Sounds just peachy, but who's going to be in charge of enforcement? What will the penalties

      • How do you know who is who?

        Its a felony to forge addresses when mailing which is why you dont see it commonplace. But its perfectly legal to do this on the net. Why?

        If it becomes illegal here in the US then the phishers will just rent a server in India or Korea where its legal and continue. There is no way to track down forgers.

        My father keeps getting email responses requesting to stop spamming them. It turns out its an old handle he didn't like. Verizon got hacked and refuses to acknowledge or even block o
      • Screw all that licensing nonsense. That's keep the feds out of the net. Otherwise, we'll all be paying sales tax for Ebay purchased before long.

        Shopping on the Internet is like visiting a foreign country. People need to get real familiar with how transactions work, otherwise stay away.

        Why create a whole new level of government just because people falls for emails where somebody asks for their ATM pin number?
    • If a business web site claims to implement extraordinary security to protect its users, it needs to live up to that claim. If a web site discloses that "coding errors could make it easier for criminals to spoof our web site, so caveat emptor," fewer people would use that site for e-commerce. So they don't say that. They say they have great security and you should trust them. If your security is strong, that's a win-win. If your security isn't that strong, don't blame the user after the fact.

  • Registrar Responsibility (Score:5, Informative)

    by rjstanford ( 69735 ) on Tuesday December 20, 2005 @01:09PM (#14299535) Homepage Journal
    From the InfoWorld article:

    EBay has also been trying to shut down the Web site by working with the Internet registrar that was used to acquire the ebaychristmas.net domain, Pires said. Despite these efforts, however, the site has remained operational.

    That registrar, which does business under the name Joker.com, has the power to shut down the scam Web site, Jennings said. "If they were taking their responsibilities seriously, the site would have been shut down weeks ago," he said.

    Last time I checked, the Registrar wasn't responsible if a server that happened to be pointed to by a record on a DNS server is registered as primary for one of the domains that they registered contained fraudulent or misleading content. In fact, checking Joker's TOS [joker.com], while Joker may have the "power" to shut him down, I don't immediately see that they have any legal right to do so.
  • Educate your users. The most effective way to stop phishing is to educate the "phish". If you put your users in a constant state of awareness and teach them to never, ever, ever give out their credit card over the phone/internet unless they have initiated the transaction.

    Excuse me, I misplaced my tin foil hat
    • "Educate your users."

      This is a common folly of passenger seat admins. I've had very intelligent, educated users who normally wouldn't fall for phishing scams fall for the latest innovations in social engineering via email. It's inevitable that they'll fall victim to social engineering. People have always fallen for scams, going back thousands of years. No amount of training is going to prepare them, short of forcing them to read a book on social engineering and teaching them to think like a scammer 100%

      • Sorry to be blunt but that bit about "no amount of training" is pure bs and I don't care who says it be it admins, back-seat driving admins or anybody else. Yes social engineering will always exist and some people will fall for it, deservedly or not, but for your own sake the issue is not to eradicate social engineering: the issue is to make it too costly/inefficient for whoever does it. Stopping phising scams is simple: treat every link in any unencrypted email as a scam and be careful about encrypted ones
    • Re: The most effective way to stop phishing is to educate the "phish".

      I suppose while we're at it we should teach people to manually examine every IP packet they recieve? Silly idea, eh? Clearly you're thinking about this wrong.

      We need to develop the technologies to help users manage their secure relationships. An authenticated connection to a web server (bank, ebay, etc) must be bidirectionally authenticated. And the web browser needs to help make this distinction clear. A couple of areas for improv

  • Flood the Phishers (Score:2, Interesting)

    by OYAHHH ( 322809 ) *
    A,

    Possible way to stop phishing is to simply flood them with too many responses to their emails.

    When you get a phishing email simply go to the pointed site, enter false information and then click the submit button....

    For every false set of data they receive they have to try to use that invalid credit card number, ebay password, etc... Thus, costing them extreme amounts of time.

    • For every false set of data they receive they have to try to use that invalid credit card number, ebay password, etc... Thus, costing them extreme amounts of time.

      Hmm. You take the time to fill out their form. They have an automated batch verification process that checks the ID/Pass and, separately, the credit card. I can't see that you're hurting anyone except yourself there, unless you actually start running script attacks against their website which are, well, also illegal...

      • Re:Flood the Phishers (Score:4, Insightful)

        by British ( 51765 ) <british1500@gmail.com> on Tuesday December 20, 2005 @01:50PM (#14299877) Homepage Journal
        Or maybe VISA and other credit card companies get in on this. Go to a known phishing site, put in a specially assigned VISA card #, trace the merchant on VISA's end when a transaction is attempted.... then hurt them. A "poison credit card", so to speak.

        • Re:Flood the Phishers (Score:2, Insightful)

          by vinn01 ( 178295 )
          Using a "marked" credit cards numbers goes back to the 1970's.

          The problem is that the credit card companies are not motivated to stop fraud. They mostly view fraud as an acceptable business loss. Fraud is a very small percentage bump in their profits. They are not the victims of fraud.

          The victims are mostly small businesses and credit card holders. They can't afford to ignore the loss. They spend hours of time working through fraud related clean-up measures. But their time and efforts cost the credit c

    • Re:Flood the Phishers (Score:4, Informative)

      by Jjeff1 ( 636051 ) on Tuesday December 20, 2005 @01:39PM (#14299775)
      No.

      Don't try to con the con, they've been at it longer than you have. That same web site is likely to try and exploit holes in your browser and start installing who knows what on your machine.

  • Sign your emails (Score:5, Insightful)

    by Bogtha ( 906264 ) on Tuesday December 20, 2005 @01:11PM (#14299557)

    As an IT professional, what efforts should our corporate IT department be making to proactively to eliminate these vulnerabilities?"

    There's been a way of eliminating phishing since before phishing existed. Sign your emails with a digital certificate. Get your users to use a mail client that displays big warning signs when an email is unsigned or is signed with an untrusted key. Get your users to trust your key.

    If your users don't follow this advice and get scammed, well then it's their own fault. But it's not their fault if you don't sign your emails, and I can think of only a handful of companies that do this right now. Being one of them is being more proactive than most.

  • You just need user vulnerabilities (Score:5, Interesting)

    by TedRiot ( 899157 ) on Tuesday December 20, 2005 @01:13PM (#14299572)
    In Finland there was a large scale phishing attack targeted at users of a major online bank. It had an url with a numeric IP address, was translated from an earlier English message by machine and was thus very bad Finnish. The earlier English message got wide publicity also in mainstream media. I got one of the messages and just out of curiosity checked out the website. The website was equally bad Finnish language and asked for username, PIN number and payment authorisation codes. Money was transferred from accounts of about 10 people to somewhere in Latvia. 8 transfers got cancelled by the bank, 2 accounts were already emptied on an ATM and about 20 thousand euros were stolen.

    The bank has taken responsibility and promised to return the money of their customers, but a couple of days ago after this Finnish attack was still saying that the attacks are a scheme to undermine the trust of online banking, but maybe it was just a way to steal money from ignorant people?

  • Thoroughly educate your staff (Score:5, Informative)

    by digitaldc ( 879047 ) * on Tuesday December 20, 2005 @01:14PM (#14299586)
    As an IT professional, what efforts should our corporate IT department be making to proactively to eliminate these vulnerabilities?"

    Educate your staff on the vulnerabilities of phishing and email scams. Give them specific examples of how these attacks work and how people are usually duped into them. Use some sort of visual presentation or photocopied handouts of how these attacks look and work. Make the staff very aware of the vulnerabilities on the internet/via email and tell them to ask themselves if it is potentially harmful, and if unsure, to contact an IT professional who would know.
    Hopefully, at least 3/4 of those briefed will remember this information and put it to good use.

    You can also buy "Phishing Exposed: Uncover Secrets from the Dark Side" to help explain the attacks.
    This is essential reading for those who want to learn the ways of the Farce.
    • Another useful book that can raise awareness and understanding is "Phishing: Cutting the Identity Theft Line," by Rachael Lininger and Russell Dean Vines. It covers everything from the basics to detailed strategies, with summary sections of action points for IT staff, users and financial execs. About $20.

  • Phishing Attacks Do Not Evolve (Score:1, Funny)

    by Anonymous Coward
    Phishing attacks are Intelligently Designed, not evolved! It is improbable to the point of absurd for a random number generator to produce a phishing website in the same way that it is absurd for random events to result in a new liver. Only the actions of an Intelligent Designer like a programmer can produce a phishing vulnerability.

  • Simple resolution (Score:3, Insightful)

    by Todd Knarr ( 15451 ) on Tuesday December 20, 2005 @01:26PM (#14299682) Homepage

    There's a fairly simple way to avoid these attacks: never ever trust any link in any e-mail, period. If you think the e-mail is legitimate, ignore the links in it and use your own bookmarks to go to the relevant site and check your account or similar page there. If it really is legitimate, there'll be a way to find the information without depending on the e-mail links. It's not completely fool-proof, but for a phisher to fool you when you do this they'd have to vandalize the legitimate web-site to include their links on it's actual pages. That's harder than just faking an e-mail.

    Why should I have to tell anyone this? It's received wisdom that if you receive a phone call from someone claiming to be your bank and asking to verify things like your PIN you should hang up, look up the bank's phone number in the phone book, call them yourself and ask Customer Service about the situation. First rule: never trust the identity of the other end unless you called them. Why should e-mail be any different?

    • It's received wisdom that if you receive a phone call from someone claiming to be your bank and asking to verify things like your PIN you should hang up, look up the bank's phone number in the phone book, call them yourself and ask Customer Service about the situation.


      Oops! Now, you tell me!
  • The weak point in phishing seems to be the people's reason ... lack of, I mean.
    Sometimes we tend not to use reason and this is what phishers try to exploit.
    I receive a dozen of such emails every month. Almost all of them are pitiful attempts, clearly showing they are fake without any special check.
    Nonetheless is seems that lots of people get trapped into them.
    Maybe people needs more real education in "Internet etiquette" than anti-anything software.


  • If a well known web site claims to link to an IP address to collect your sensitive information that's a pretty big red flag.

    If a Who-Is lookup of the owner of that IP address reads: China that's another pretty big flag.

    Of course if the email is from Prince Uba-bott-toomu-slam-botta and he needs your help in liberating the jewel of Thesia you're good to go.
  • Let's look at the problem:

    1) Email arrives promising free money .
    2) User clicks or copy/pastes URL
    3) User is redirected to a site which asks for very personal information.

    The vulnerability is a PEBKAC problem.

    Some are excusing the users because the link first went to a government website. BS. That carries the implied assertion that because the government is involved people should absolutely believe what is being said, shown, or asked for .
  • It sure seems to me that a big part of the solution is to establish some legitimate trust mechanism for domains. This applies to email and to HTTP packets.

    No I don't have a solution, but to use a famous analogy, lack of trust on domain addressing is equivalent to unlocked doors. It's still against the law to open the unlocked door, but at some point you really do need to install the locks.

            dave

  • PhishFighting.com (Score:3, Interesting)

    by fak3r ( 917687 ) on Tuesday December 20, 2005 @01:42PM (#14299802) Homepage
    While I have plenty of defense on my mail server (Spamassassin, Clamav, dcc, razor, MailScanner) to stop this stuff from reaching my users mailboxes, a good offense is needed to help polute the Phishers database with garbage. Enter:

    http://www.phishfighting.com/ [phishfighting.com]

    "Just enter the Phishing emails REAL url below and watch as realistic looking, fake, entries are continously sent to the Phishers fake site. The criminal will receive hundreds or thousands of fake entries and he won't be able to tell which are fake and which are real."

    Nice stuff.
  • Distribute refrigerator magnets at work with witty propoganda slogans and cartoons on them. Examples at http://www.diggerhistory.info/pages-posters/americ an3.htm [diggerhistory.info]
  • You already have certificates for websites, why don't ebay, paypal and the others digitally SIGN their email... So far the system is: Ok the email can be crap but them the links point to websites that are signed... Urr sorry, why not sign the email directly ?

  • Two Different Threats, Both Problematic (Score:3, Informative)

    by miller60 ( 554835 ) on Tuesday December 20, 2005 @02:36PM (#14300578) Homepage
    The two examples feature separate problems that are both serious, but not easy to combine. The IRS phishing scam was enabled by an open redirect [netcraft.com] on the govbenefits.gov web site that allowed phishers to craft a URL that uses the govbenefits.gov URL but instead sends users to a web server in Italy. Security flaws in trusted sites are found and exploited quite often by phishing crews, who look for applications that are likely to allow redirection or cross-site scripting. The NIST site, which hosts the US cyber-vulnerability database, was recently found to be briefly vulnerable to cross-site scripting [netcraft.com].

    The eBay issue was simply a case of a tech support staffer who failed to recognize a scam domain, rather than any technical wizardry or social engineering expertise on the part of the scammers. It's a good argument for adopting defense at the browser level (i.e. toolbars and in-browser blocking) rather than counting on banks, registrars or hosting companies to shut sites down.

  • I recently got an email from citibank.com asking for information about my bank account and asked to go to a website. The email from was from the citibank website and looked like it checked out, except, I dont have a citibank account...not now or ever in my life. Not even a citibank credit card, etc. Looking into things such as this in my free time, there is alot of loopholes and exploits that people can use to genereate a legit looking web pages. We expierements with DNS poisoning and also setting routes i
  • The following security measures should be possible to take today:
    1. Enforcing the use of signed emails for all users.
    2. After a limited time bounce ALL non-signed emails.
    3. Be up-to date with the latest scams running around trying to fool web browsers.
    4. Use a web browser that is less common. (Opera is not so common, but now both IE and Firefox are very common as browsers).
    5. Cut down the use of plugins to the browsers - One way is "flashblock" for Mozilla. Also a plug in for IE called BHODemon may be useful. (or a

Slashdot Top Deals

I had the rare misfortune of being one of the first people to try and implement a PL/1 compiler. -- T. Cheatham

Close