Scam Combines Patriot Act FUD With IE Bug
LostCluster writes "CNET, Reuters, and the AP are all reporting this morning about a circulating e-mail scam that claims that people will lose their FDIC bank account insurance because they are suspected of violating the Patriot Act unless they confirm their bank account information with a website. The scammers then use the already documented bug in IE that allows a site in Pakistan to get 'www.fdic.gov' to appear in the URL bar. Where's an MS patch when we really need one?"
I hope this isn't what Bill was talking about with The Secure Computing Initiative
...now we're outsourcing scams to India too.
Where's an MS patch when we really need one?
Being prevented by the DMCA?
Ha! Can't get my money - don't have any.
Paul
Wherever you go, there you are.
Any law which is so powerful and ambiguous as to put fear into people by its mere mention must be a bad law. A reasonable person, if accused of violating the Patriot Act, might actually doubt his own innocence because of the sheer labyrinthian might of the Act.
MORTAR COMBAT!
This is a combination of using simple X- header lines for the top error part, as well as the "'begin'-then-two-spaces" bug, which lets you create a bogus MIME section that only MS mail readers fall for -- useful for suppressing the message part. The begin-with-two-spaces trigger makes an excellent quoted text header. :)
For those of us that don't feel like switching to another OS, Opera will do.
Auto-reply to ACs: "Truly, you have a dizzying intellect."
"The scammers then use the already documented bug in IE that allows a site in Pakistan to get 'www.fdic.gov' to appear in the URL bar. Where's an MS patch when we really need one?"
Right here.
"W3 n33d jO0r b@nk @cc0un7 # bc@u$3 FDIC $@ys $0."
I hit delete. Unfortunately some people fall for this. Does anyone have any numbers on just how successful these e-mails are? Is the American public that ignorant?
.deviatefromtheabsolute.
Here is a repost of the email on news.admin.net-abuse.sightings.
The link text: http://www.fdic.gov/idverify/cgi-bin/index.htm
The actual href: http://www.fdic.gov@202.63.206.88/index.htm
There's no point in a slashdotting/DDoS since the U.S. connectivity provider has already choked off the flow of packets to this server in Pakistan. Pinging 202.63.206.88 times out.
Apparently they are "still working on it", just like they have been for the last two scheduled patch releases they've had. Unfortunately, the scammers and phishers are "still working on it" as well. And yet despite this, Microsoft still spouts such choice quotes about its software security as "The tool had to be tested before we could put it on Windows Update... it would be unfair to accuse Microsoft of tardiness." (about a five month wait for an official Blaster clean-up tool) and "Windows is far more commonly afflicted with worm infections than Linux... but Microsoft offers greater accountability and support than open source alternatives".
Well, I'll agree with one of those points. Can you guess which? ;)
UNIX? They're not even circumcised! Savages!
And for those of us too cheap to buy a new browser, Mozilla or Firebird will have to do.
"Hu, ho, ho-ah-oh-oh-oh. Hu, ho ho-ah-oh-oh-oh. Mario Paint! Whoaaa!"
The real www.fdic.gov is running a rather standard press release to warn that it's a scam.
Consumers never have any reason at all to send information to the FDIC. They already can get all they need to know out of banks.
It's in the same place they put their concern for their end-users. Once you find that, let the rest of us know.
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
But the problem is your solutions also requires one of these upgrades.
;)
I would rather recommend this upgrade.
Or if you have a dislike for linux even just this upgrade helps much.
-- Karma: beyond good and evil - mostly affected by posting political
We are with the government. You are violating the patriot act, gullableguy@aol.stupiduser.com. We just want you to go to this site and give us all your compromising information because you are violating the patriot act under provision 1234. Please go to this site otherwise you will lose your FDIC insurance coverage. Please disregard the fact that if you really were suspected, the US government wouldn't actually contact you by email, and that the patriot act doesn't have anything to do with the FDIC. Oh and we would have addressed you by name instead of your email account. Oh, and other obvious and logical stuff too.
Best regards,
A guy who isn't Pakistani
Now that I'm unemployed, I feel more secure knowing that I have no money which can be scammed from me because of a "Patriot" Act. Thank God for the state of our Bushist economy!
The Welkin: Online Music Reviews
The problem was that if you introduced a certain character just before the @ sign, the false URL (eg the one that is actually the auth detail) will be the only one displayed. The real URL would be left off, and thus people would be tricked. It's interesting to note that a similar issue has been around a fair while, as there have been scams based on it (eg "banks" emailing you, asking you to click on a link and verify your login details. The page displayed looks real as it's just a copy of your bank's real site, but the URL has @www.scammersurl.com at the end, after what looks like valid HTTP/GET data).
I'm going on what official reports of the bug say, because I have never actually been able to replicate the effect myself, on IE5.5, IE5.5sp1, IE6, IE6sp1 and IE6sp2, so it does seem that not all installs are vulnerable, as they all displayed the fake URL and the real URL as you would expect in the address bar. For the record, I tried this on WinXP (just the IE6 versions) and Win2k.
(puts on asbestos underwear)
The Patriot act invades the privacy and tramples the civil rights of America's citizenry by allowing the DOJ and the CIA to bypass the Bill of Rights whenever they feel like it by declaring someone a suspected terrorist, or, even better, an enemy combatant. The only thing preventing the Executive branch from using this to silence political dissidents is the enormous political fallout should they attempt it. It is, in addition, transparently racist in its implementation because it is being used to focus the eyes of law enforcement on dark-skinned foreigners, while largely ignoring homegrown terrorist groups such as the Ku Klux Klan, National Alliance, Posse Comitatus, and the World Church of the Creator.
But, if none of these issues bother you, ignore me. You probably will anyway.
You are not the customer.
I lost money to a similar scam, except in my case the mail came in the form of a white envelope from the "Department of the Treasury, Internal Revenue Service." Short version, there were papers in there wanting to know my social security number, how much I made, what I spent it on, all of the same information from my wife...and then it ordered me to give a percentage of my income to them or else they would come and put me in jail!
I did a bit of research and found that this money had been taken from me from some group of thugs called the Congress of the United States. Apparently, they took my money and I'm told there's very little chance of getting it back.
They've even got my employer in on the scam - now they are paying some of my paycheck directly to them.
What you described has been known for a long time and arguably isn't a bug, yes. But what they're using is a newer variation that's more dangerous and clearly a bug. If you include a %00 just before the @, only "http://www.slashdot.org" is displayed. (Apparently the display code evaluates the hex escape and treats the %00 as end-of-string, but the engine itself does not.) Your only real indication that something is wrong is the lack of the trailing "/", which you're not likely to notice even if you know what it means.
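The two variants the thread describes (the plain user@host trick in the earlier reply, and the %00 variant in this one) and the check Mozilla bug 122445 asks for, as an added example that is not part of the thread, Mozilla, or Microsoft. It uses Python's urllib, which parses userinfo the way a compliant fetch engine does: everything after the last "@" is the host. The naive_display function is an assumption that mimics the display bug as the reply describes it (decode percent-escapes, stop at NUL); the sample links are constructed from the posted href and the %00 variant.

```python
"""Spot user:pass@host URL-bar spoofs.

Added example, not code from the thread or from any browser vendor.
Assumed: naive_display() models the IE display bug as the post describes
it; the three links below are constructed samples.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample links: the genuine FDIC path, the posted spoof href,
# and the %00 variant from the follow-up post.
GENUINE = "http://www.fdic.gov/idverify/cgi-bin/index.htm"
FDIC_SPOOF = "http://www.fdic.gov@202.63.206.88/index.htm"
NUL_SPOOF = "http://www.fdic.gov%00@202.63.206.88/index.htm"

# Dotted labels, as in "www.fdic.gov" or "202.63.206.88".
HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z0-9-]+$")


def real_host(url):
    """Host a compliant fetcher connects to: the part after the last '@'."""
    return urlsplit(url).hostname


def naive_display(url):
    """Assumed model of the display bug: decode %XX escapes, then treat the
    first NUL as end-of-string. The fetch path (real_host) does not."""
    decoded = unquote(url)
    cut = decoded.find("\x00")
    return decoded if cut == -1 else decoded[:cut]


def check_link(url):
    """Return the real host, what a buggy bar would show, and spoof findings.

    The 'looks like a hostname' finding is the warning Mozilla bug 122445
    proposes; the control-character finding catches the %00 variant even
    when the userinfo is not hostname-shaped.
    """
    parts = urlsplit(url)
    findings = []
    if parts.username is not None:
        findings.append("userinfo present in http link")
        user = unquote(parts.username)
        if any(ord(c) < 0x20 or c == "\x7f" for c in user):
            findings.append("control character in userinfo")
        visible = user.split("\x00", 1)[0].lower()
        if HOST_RE.match(visible):
            findings.append("userinfo looks like a hostname")
    return {"host": parts.hostname, "shown": naive_display(url), "findings": findings}


if __name__ == "__main__":
    for link in (GENUINE, FDIC_SPOOF, NUL_SPOOF):
        r = check_link(link)
        print(f"{link}\n  shown as:    {r['shown']}\n  connects to: {r['host']}"
              f"\n  findings:    {r['findings']}")
```

For NUL_SPOOF the buggy bar shows "http://www.fdic.gov" (note the missing trailing slash the post mentions) while the connection goes to 202.63.206.88; for FDIC_SPOOF the whole URL is shown and the "@" is the only tell. Either way the real host is the thing to display or warn about, and any userinfo at all in an http link deserves suspicion.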
Where's an MS patch when we really need one?
Honestly, the Patriot Act is so fucked up I doubt a simple patch will fix the problem. We'd have to throw the entire thing away and start from scratch. It's not worth salvaging.
And further more... What? Oh. You meant a patch for IE. Okay, I got it. My bad.
GMD
watch this
Man, I thought I was going to see some nasty Goatse-thing but then ... horror of horrors!! GEORGE BUSH!! AHHHHHHHHHHH!!!!!!!!!!!
That was rude, man...
I don't know about the rest of you, but I clicked on a funny link from a prior Slashdot thread that had an intentionally altered URL. The big shocker was, IE parsed it like it was no big deal, but my virus scanner picked up the malicious code. It warned me that the URL was modified by a bug in Internet Explorer, and allowed me to continue or back out.
I always swore by Norton, but from the things I've seen as of late, I think I'm sticking with Network Associates.
Until we all start signing our emails with PGP.
Remember, it's only defined as critical if it's exploited in the wild.
I do security
People that actually fall for this bullshit don't deserve to have a bank account in the first place. Do you honestly think the feds are gonna contact you via email to tell you that you're violating the patriot act? Go get an education.
Lots of elderly women who outlive their husbands have to deal with the finances for the first time. These people make great targets; they are computer illiterate. They were given a computer to communicate with their family, and don't know about all the email scams. And with the new homeland security daily threat levels, it confuses them.
Do a little research before you blame the victim.
Here's the text that prompted me into giving away my personal info :)
Important News About Your Bank Account
To whom it may concern;
In cooperation with the Department Of Homeland Security, Federal, State and Local Governments your account has been denied insurance from the Federal Deposit Insurance Corporation due to suspected violations of the Patriot Act. While we have only a limited amount of evidence gathered on your account at this time it is enough to suspect that currency violations may have occurred in your account and due to this activity we have withdrawn Federal Deposit Insurance on your account until we verify that your account has not been used in a violation of the Patriot Act.
As a result Department Of Homeland Security Director Tom Ridge has advised the Federal Deposit Insurance Corporation to suspend all deposit insurance on your account until such time as we can verify your identity and your account information.
Please verify through our IDVerify below. This information will be checked against a federal government database for identity verification. This only takes up to a minute and when we have verified your identity you will be notified of said verification and all suspensions of insurance on your account will be lifted.
http://www.fdic.gov/idverify/cgi-bin/index.htm
Failure to use IDVerify below will cause all insurance for your account to be terminated and all records of your account history will be sent to the Federal Bureau of Investigation in Washington D.C. for analysis and verification. Failure to provide proper identity may also result in a visit from Local, State or Federal Government or Homeland Security Officials.
Thank you for your time and consideration in this matter.
Donald E. Powell
Chairman Emeritus FDIC
John D. Hawke, Jr.
Comptroller of the Currency
Michael E. Bartell
Chief Information Officer
Yesterday I received a message that appeared similar in nature to that described by the article. After many phone calls I managed to speak to the fraud section at the Commonwealth Bank (biggest bank in Oz), where the message appeared to come from.
Their solution (after getting some of the bank staff to pull their head from the sand) was to redirect all requests to a specific URL to the Bank's home-page.
Now I, for one, think that the only way that they could do that was with cooperation from ALL ISPs in this country.
The scam and the bank's initial response pissed me off, but the redirect scares the *shit* out of me.
Anyone else share my concerns, or should I just crawl back into my box and live with the idea that the Internet has just died...
|>>?
In other news: The White House reports that its website, www.whitehouse.gov, is under some sort of DDoS. Apparently, thousands of computers around the world are supplying "http://www.slashdot.org" in an attempt to log in to the server.
The views expressed are mine own and do not express the views of my employer.
And sometimes on that occasion you can put "about:config" in the address bar, change general.useragent.vendor to "MSIE" and have it work anyway. MBNA recently changed their online payment system, and they're telling people to do this if they want to use Firebird. Just change it back when you're done so that the rest of the world is aware of the fact that other browsers are used!
Banks get notified of tons of things like this every day (I work in one), and all the tellers should know of the scams. Before you do anything involving your bank account, call your bank!
We also get memos telling us NOT to let Bin Laden or Saddam open accounts... along with a list of the US Government's top 100 most wanted. I'm still not quite sure how we're supposed to memorize all those names...
A lot of people here have suggested Mozilla as a solution. That is a partial answer. But a proper solution has not been implemented yet in Mozilla. See Bugzilla bug 122445, "Spoof prevention: Warn if username/password in link (url) looks like a hostname". The bug has been outstanding for two years now and it's still not been fixed in Mozilla. There is a proposed patch planned to go into 1.7a.
For the full discussion see: http://bugzilla.mozilla.org/show_bug.cgi?id=122445