Scam Combines Patriot Act FUD With IE Bug
LostCluster writes "CNET, Reuters, and the AP are all reporting this morning about a circulating e-mail scam that claims that people will lose their FDIC bank account insurance because they are suspected of violating the Patriot Act unless they confirm their bank account information with a website. The scammers then use the already documented bug in IE that allows a site in Pakistan to get 'www.fdic.gov' to appear in the URL bar. Where's an MS patch when we really need one?"
This is a combination of using simple X- header lines for the top error part, as well as the "'begin'-then-two-spaces" bug, which lets you create a bogus MIME section that only MS mail readers fall for -- useful for suppressing the message part. The begin-with-two-spaces trigger makes an excellent quoted text header. :)
Apparently they are "still working on it", just like they have been for the last two scheduled patch releases they've had. Unfortunately, the scammers and phishers are "still working on it" as well. And yet despite this, Microsoft still spouts such choice quotes about its software security as "The tool had to be tested before we could put it on Windows Update... it would be unfair to accuse Microsoft of tardiness." (about a five month wait for an official Blaster clean-up tool) and "Windows is far more commonly afflicted with worm infections than Linux... but Microsoft offers greater accountability and support than open source alternatives".
Well, I'll agree with one of those points. Can you guess which? ;)
UNIX? They're not even circumcised! Savages!
Does it solve the problem? (I'm genuinely asking; I don't have a Mac around to test it.)
The problem is that IE (and Firebird, and Mozilla) all display the URL as typed, including user name and password information. So if you type http://www.slashdot.org:foo@www.whitehouse.gov/ you get directed to a nasty site, even though the URL appears to say www.slashdot.org.
(I don't seem to be able to reproduce the link exactly here; I think Slashdot may be removing the user name and password info.)
The solution seems fairly simple; remove user name and password information from the displayed URL. But that's not necessarily the Right Thing, displaying a different URL than you clicked. I don't consider the problem a "bug" in the same sense that buffer overflows are a bug.
Clearly it's a problem; I am a professional programmer and wasn't aware of this until it was pointed out to me.
If Safari has a solution, I'd like to know it. Mac developers are pretty good about doing The Right Thing.
many roads lead to a safer internet experience. mozilla, firewalls, scriptblockers.. however, the method i've found most effective is what i call "security through some old piece of crap". my mIRC client says "copyright 1995-1998", and when I asked 50+ nerds on a channel to try and DoS me, nobody could find a crack old enough! so the lesson is: don't wait for the new patch. revert to a version before the bug was even introduced.
I don't know about the rest of you, but I clicked on a funny link from a prior Slashdot thread that had an intentionally altered URL. The big shocker was, IE parsed it like it was no big deal, but my virus scanner picked up the malicious code. It warned me that the URL was modified by a bug in Internet Explorer, and allowed me to continue or back out.
I always swore by Norton, but from the things I've seen as of late, I think I'm sticking with Network Associates.
Someone's comment above made me think about how you could possibly lessen the effects of attacks like these. They mentioned that one of the US providers' lines cut access to the IP in question. Indeed, it's no longer pingable.
:) I'm sure there is plenty, it's just an idea. :)
But how long does it take for word to reach them about that?
What I was thinking was, a sort of P2P network client that could actively collect IPs from sites like this and, while not outright blocking them (so the next legit user of that IP isn't screwed), could at least sit in a ZoneAlarm-like position on your system and monitor the IP addresses you try to connect to. If it matches the outgoing IP to one on the list, it throws up an error like "Warning! This IP may contain fraudulent information or be dangerous to your computer, only proceed if you are absolutely certain this site is safe!".
The P2P aspect would be nice because once new scams are caught in the wild (honeypots might be a very useful tool to help catch them fast) users/admins could update the list (though some sort of peer review would almost certainly have to be in place to avoid abuse) and it could redistribute itself amongst the network.
Ideally this should not have to be the case, but as in the above example, it's not really a "bug" per se because if you look at it, it's quite obvious what they are doing. Just the same, there should be some way of preventing this kind of thing reaching the uneducated masses. Even 0.001% of the pop. falling for this kind of thing is unacceptable, and will only fuel people like this.
Anyway, commence poking my idea full of holes.
"The saddest words of mice and men, are not those which were, but should have been."
Actually, it doesn't need very many ISPs to cooperate... just the ones that operate the trans-continental links that are between where you are and where the scammer is. They just have to set up one of their own servers to be the "bad" IP address and feed redirects, and then set their routers to intercept all traffic destined for that IP address.
I'm pretty sure everyone who provides Internet connectivity to places that are scam havens is used to doing this.
Anyway, check out my sample page that demonstrates the bug.
The basic and easiest way to reproduce this is something like "<a href="http://slashdot.org@www.msn.com/">...</a>".
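The two URLs quoted in this thread (http://www.slashdot.org:foo@www.whitehouse.gov/ and http://slashdot.org@www.msn.com/) both rely on the same thing: the "user:password@" part of the authority is shown in the address bar, so the first host name the eye lands on is not the host the browser connects to. The following Python is an added example, not code from any poster or from Slashdot, showing how a defender can parse a URL the way a browser does, recover the real host, flag userinfo that masquerades as a host name, and produce the stripped display form that one poster proposes as the fix. The sample URLs other than the two from the thread are constructed for illustration.

```python
"""Detect URLs whose userinfo impersonates a host name (the IE/Mozilla
address-bar spoof discussed in this thread) and build the userinfo-free
display form a browser could show instead.  Added example, not the
thread's or any project's own code."""
import re
from typing import Dict, Optional
from urllib.parse import unquote, urlsplit, urlunsplit

# Something that looks like a registrable host name: labels plus a TLD.
HOST_LIKE = re.compile(r"^[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def actual_host(url: str) -> Optional[str]:
    """Host the request really goes to: everything after the last '@'
    in the authority, with the port removed (this is what urlsplit does)."""
    return urlsplit(url).hostname


def userinfo_part(url: str) -> str:
    """The 'user[:password]' text before the last '@' in the authority,
    or '' when the URL carries no credentials."""
    info, sep, _host = urlsplit(url).netloc.rpartition("@")
    return info if sep else ""


def display_url(url: str) -> str:
    """Rebuild the URL without userinfo, the display rule one poster
    suggests (show the host you will reach, not the text you typed)."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    host_and_port = parts.netloc.rpartition("@")[2]
    return urlunsplit((parts.scheme, host_and_port, parts.path,
                       parts.query, parts.fragment))


def check_url(url: str) -> Dict[str, object]:
    """Return the real host, the safe display form, and whether the
    userinfo looks like a decoy host name."""
    result: Dict[str, object] = {
        "actual_host": actual_host(url),
        "display": display_url(url),
        "suspicious": False,
        "reasons": [],
    }
    info = userinfo_part(url)
    if not info:
        return result  # no credentials, nothing to impersonate with
    user = unquote(info.split(":", 1)[0])
    if HOST_LIKE.match(user):
        result["reasons"].append(
            f"userinfo {user!r} reads like a host name but the request "
            f"goes to {result['actual_host']!r}")
    result["suspicious"] = bool(result["reasons"])
    return result


if __name__ == "__main__":
    # The two URLs from the thread plus constructed benign controls:
    # an '@' in the query string and ordinary HTTP basic credentials.
    samples = [
        "http://www.slashdot.org:foo@www.whitehouse.gov/",
        "http://slashdot.org@www.msn.com/",
        "http://example.com/?mail=a@b.com",      # constructed
        "http://user:pw@example.com/",           # constructed
    ]
    for u in samples:
        r = check_url(u)
        flag = "SPOOF?" if r["suspicious"] else "ok   "
        print(f"{flag} typed={u}\n       real host={r['actual_host']}  "
              f"show={r['display']}")
```

The important detail is that the split happens on the last '@' of the authority only, so an '@' inside a query string or path never moves the host; legitimate basic-auth credentials pass the check but still disappear from the display form, which is exactly the trade-off the poster above calls "not necessarily the Right Thing".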
You are in a maze of twisty little relative jumps, all alike.
Well, on the bright side, maybe some good will come of this. While I doubt many will wake up and suddenly realize that IE is a bad browser (like most of the /. crowd already knows), perhaps some who are ripped off might come to the conclusion (for the wrong reasons, but hey, any port in a storm) that the Patriot Act is a bad idea.
When I think about how people in other nations look at Americans now, I get depressed. 5 or 6 years ago, I had a lot of fun traveling around meeting people in a lot of different countries (for work). In general, they were friendly & generally had good feelings toward Americans (a few of them explained that "Americans" had an "honest" and "naive" (gullible?) attitude about life which they found appealing - apparently I fit this stereotype pretty well :-).
The last few contacts I've had though - brrr...I felt like a low-on-the-totem-pole wannabe gang member being shunned by the "civilized" members of the school. It's difficult to tell how this new attitude toward Americans might be affecting our sales; I'm pretty sure it doesn't help. It's _really_ terrifying to hear our so-called "leaders" (and the sheeple who bleat their praises) being _proud_ of being able to cause that kind of reaction in the rest of the world.
Anybody can make mistakes. URLs can be quite complicated. Check out the URL in my window just for posting this reply:
"http://slashdot.org/comments.pl?sid=94152&op=Reply&threshold=1&commentsort=0&tid=172&mode=nested&pid=8078184"
Most URLs these days end up looking like that. All it takes is a moment of distraction to not notice a malicious URL. It's the downside of only being human.
"Derp de derp."
Right now, I feel like my taxes going towards the roads are paying largely for damage done to them by large trucks and buses.
What's their fuel consumption compared to that of your car? Once the more efficient hybrid car models show up on the used market in a couple years, they'll begin to take off among individual drivers. Less money spent on gasoline by individuals will shift the tax burden to those who buy fuel for large trucks and buses. In addition, large trucks and buses tend to run on diesel, and the government could tax that more than gasoline.
They start the letter with To whom it may concern. Then I would think that if they don't even know my name, why should I trust them to know anything about my account? Ergo: it's spam. There should really be a mandatory Internet Safety Course for people who go online for the first time. It's easy to be impressed by letters like this but also easy to learn how to distinguish between 'trusted' e-mail and spam like this.
-- Cheers!