Slashdot Mirror


"Phishing" Attacks to Increase

neutron_p writes "The number of people who succumb to identity thieves' "phishing" e-mails could go way up if immediate action isn't taken to preempt the next generation of attacks, according to an Indiana University School of Informatics researcher. "Phishing" e-mails appear to be sent by legitimate businesses, but are actually created and distributed by villains who are after your personal information. They describe some thieves' tricks. One kind of context-aware attack tricks eBay bidders into giving out identifying information by leading bidders to believe they've won an auction. In another kind of context-aware attack, a potential victim might receive a message from a known person -- for example, a friend or loved one -- asking him or her to go to a Web site to update banking information."

28 of 358 comments

  1. first post? by Anubis350 · Score: 3, Informative

    Wasn't there a recent article about Google doing something about this here: http://it.slashdot.org/article.pl?sid=04/10/18/0236201&tid=111&tid=217&tid=95&tid=1 As I understand it, Yahoo's signing technology, which hopefully will become a standard, will help stop such attacks. Google signing on to it helps push it quite a bit.

    --
    "goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
  2. In related news... by slavemowgli · Score: 5, Informative

    In related news, Google has recently updated Gmail with an automatic detection of phishing attempts / spoofed emails; suspicious emails will be displayed with a warning:

    "Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information. Learn more"

    Like spam detection, it's not perfect, of course, but I think it's a very good idea.

    --
    quidquid latine dictum sit altum videtur.
    1. Re:In related news... by Neon Spiral Injector · Score: 2, Informative

      ClamAV also has been adding signatures that match common phishing mails.

  3. fixed link by Anubis350 · Score: 2, Informative

    fixed link

    here

    Oh, and btw, how the hell is my post off-topic???

    --
    "goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
  4. Anti-Phishing Working Group by sharp-bang · Score: 3, Informative

    You can read more about efforts to combat phishing here. Lots of purty charts and plenty of specific examples.

    --
    #!
  5. Got one of these a week ago... by RyoShin · Score: 4, Informative

    I got a phishing e-mail (should it be called 'bait'?) a week or so ago, but there were two key things that let me know it was a scam (aside from general common sense):

    1) I don't have an account at the bank listed (Citibank, in this case.)

    2) The e-mail itself was a giant GIF. (It did have the 'fail-to-get-around-spamblocker' words in text at the bottom, though.)

    Instead of getting rid of phishing scams, we should get rid of low-common sense/stupid people on the net. Then we wouldn't have this problem. Or many others.

    A leader is only a leader when he has followers.

  6. Re:Huh? by Yolegoman · Score: 5, Informative

    It's "Phishing", and the general idea behind it is to send someone an email saying something like "We, Citibank, need you to update your banking information due to a database crash." They then send you to a site that LOOKS legit, and you then enter your information or even just your username / password. The phishers then have your account information, and they are free to do whatever they please with it. As has been said, it's only because uneducated grandmas and fools actually do what the emails say that the Phishers keep sending their crap. - Yolego

  7. Re:Huh? by Starve · Score: 1, Informative

    Phishing is the act of scamming a user into giving up money, credit cards, valuable information such as an SSN, and the like. They use email, IM, or what have you to convince the person they are a trusted business and then rob them blind. Pretty depressing.

    --
    You have been sig'd
  8. Size of the problem by prostoalex · Score: 3, Informative

    Americans lose $500 mln yearly to phishing.

    That's a large enough amount on a personal scale, especially if you've lost the savings that had been put up against a new house or new car.

    But on the large scale, banks won't care: the loss is $3-4 a person; you lose more per year on some dubious surcharges.

  9. Re:One nice new thing in Firefox by tgd · Score: 2, Informative

    If the URL in the bar says citibank.com, and it's yellow, and I didn't do some jackass thing like ignore the certificate name mismatch, it sure does mean that.

  10. Re: I would agree with you... but.. by bludstone · Score: 5, Informative

    I've actually received one of these emails. It looked legit.

    Really legit.

    In fact, the only clue that it wasn't an official notice was that the email came from ebay.(official sounding name).com

    That and they asked for my l/p, which I know not to give over email.

    Honestly, I can say that this goes beyond normal user stupidity. People are being scammed, and these are expert scams. Yeah, people need to apply more critical thinking skills to these things, but I think you are not giving the creators of these emails enough credit.

    I mean, they look _really_ official.

    --

    no .sig
  11. Re:Where did the test go? by stecoop · Score: 3, Informative

    Here is the /. article and here is the test. I think those tests were bogus though, because they didn't let you see the full source of the email.

  12. Wiki sez... by Anonymous Coward · Score: 2, Informative
  13. Re:easy algorhythms for thwarting scams by orkysoft · Score: 2, Informative

    Because your email server (i.e. the one on which your account is located) adds to the headers the location of the machine it got the mail from.

    So zombiexp43964.dsl.bigisp.com might send out an email claiming to be from paypal.com, but the email server at e.g. myrealbox.com adds to the headers of the message the fact that it came from zombiexp43964.dsl.bigisp.com.

    --

    I suffer from attention surplus disorder.
  14. Re:Somebody teach the legit companies... by Anonymous Coward · Score: 1, Informative

    Network Solutions does the same damn thing with their domain renewals.

    I constantly get phoney phishing renewals attempting to switch me to another domain registrar (this means you, asshole Domain Registry of Canada). But Netsol doesn't help matters by using things like "fivedayrenewal.com" and "renewyourstupiddomainnowmoron.com" in the emails they keep sending me.

    Seriously, you have the domain, people know it, USE it. "blahblahblah.domain.tld" for pity's sake. You don't need "15dayrenew.com", you can say "15dayrenew.networksolutions.com" and people will KNOW it's you.

  15. Re:easy algorhythms for thwarting scams by Kenja · Score: 2, Informative

    And if email worked that way you'd have a point. The whole reason for all these server signing systems that Microsoft/Google/etc. are starting to use is that in standard SMTP the server trusts the mail header and will not make corrections. In other words, your server has no way to confirm that the mail didn't come from the source it claims.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
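The two replies above (orkysoft's point that the receiving server stamps the message with the relay it actually talked to, and Kenja's point that nothing below that stamp can be trusted because plain SMTP never verifies the From: line) can be turned into a mechanical check. The script below is an added example, not code from either poster: it parses the Received: chain of two constructed messages (hostnames, addresses and dates are made up), treats only the line stamped by our own server as trustworthy, and compares the relay named there with the domain the From: header claims.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Each Received: header names the host the message came "from" and the server
# that stamped it ("by"). DOTALL lets the pattern span folded continuation lines.
RECEIVED_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.DOTALL | re.IGNORECASE)

# Constructed sample, not a real message: our own server (mail.myrealbox.com)
# accepted the mail from a DSL host, which in turn claims, unverifiably, to
# have got it from mail.paypal.com. All names and addresses are made up.
SUSPICIOUS = """\
Received: from zombiexp43964.dsl.bigisp.com (zombiexp43964.dsl.bigisp.com [192.0.2.17])
    by mail.myrealbox.com with SMTP; Tue, 19 Oct 2004 10:00:00 +0000
Received: from mail.paypal.com (mail.paypal.com [192.0.2.99])
    by zombiexp43964.dsl.bigisp.com; Tue, 19 Oct 2004 09:59:00 +0000
From: "PayPal" <service@paypal.com>
To: victim@myrealbox.com
Subject: Please confirm your account

Click the link below to confirm your details.
"""

# Constructed sample of the consistent case: the relay our server talked to
# really is in the sender's domain.
CONSISTENT = """\
Received: from mail.paypal.com (mail.paypal.com [192.0.2.99])
    by mail.myrealbox.com with SMTP; Tue, 19 Oct 2004 10:00:00 +0000
From: "PayPal" <service@paypal.com>
To: victim@myrealbox.com
Subject: Your monthly statement

Your statement is ready.
"""

def received_hops(raw):
    """Return [(from_host, by_host), ...] in header order: index 0 is the most
    recent hop (added by the final receiving server), the last entry the
    oldest claim."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append((m.group(1).strip("()[];").lower(),
                         m.group(2).strip("()[];").lower()))
    return hops

def claimed_sender_domain(raw):
    """Domain of the From: header, which plain SMTP never verifies."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def registered_domain(host):
    """Crude last-two-labels approximation; real deployments use a public-suffix list."""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def trusted_origin(raw, our_server):
    """Walk the chain from the top and return the host named by the first
    Received: line stamped by our own server. Only that line was written by
    a machine we control; everything below it could have been typed in by
    the sender."""
    for from_host, by_host in received_hops(raw):
        if by_host == our_server or by_host.endswith("." + our_server):
            return from_host
    return None

def assess(raw, our_server):
    """Compare the claimed From: domain with the relay we actually spoke to."""
    origin = trusted_origin(raw, our_server)
    sender = claimed_sender_domain(raw)
    if origin is None:
        return {"verdict": "unknown", "origin": None, "sender": sender}
    mismatch = registered_domain(origin) != registered_domain(sender)
    return {"verdict": "suspicious" if mismatch else "consistent",
            "origin": origin, "sender": sender}

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("consistent", CONSISTENT)):
        print(name, assess(raw, "mail.myrealbox.com"))
```

The forged second Received: line in the first sample is ignored entirely, because it was not stamped by our server; a mismatch between the trusted relay's domain and the From: domain is a signal to weigh, not proof of forgery, since legitimate mail is often sent through third-party relays.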
  16. Gmail has started to do something similar by fizbin · Score: 3, Informative

    Gmail now will mark suspicious email with a banner that says something to the effect of "This email does not appear to be from who it claims. Learn More...", with a link to information about phishing scams.

  17. Think you're smart enough? by seanvaandering · Score: 3, Informative

    Well, if you think you are, then why not see if you're prone to phishing scams, or if it's a legitimate e-mail offer! Take the Mail Phishing Test

    Enjoy! ;)

  18. So what? by Sycraft-fu · Score: 2, Informative

    You do the intelligent (or lazy) thing: Go to their site and log in normally. If they want your attention, it'll prompt you. That's what I do if I get one that is legit. I just go log in as normal. If it's really legit, the site will then prompt me for what it wants. If not, no problem.

  19. Re:One nice new thing in Firefox by Uptown Joe · Score: 2, Informative

    IE in XP SP2 does that too.

  20. Re:Counterattacks by altjira · Score: 2, Informative

    How fair is that? I check all my incoming phishing emails. One went to a tiny school district in Missouri. I thought some smart teenager had set it up, but then I noticed that all the collected info was sent to another site in Florida. I sent emails to the admins of both sites, and the Florida one wrote back in a couple of hours and said he had shut down the account. I don't know where it went after that (the email had originated in Romania), but I had succeeded in breaking one link in the chain, and alerted the Missouri webmaster that he had problems he needed to take care of, without crashing his system.

    I'm not a great net guru, but I try and do my part. I send all phishing emails to uce@ftc.gov and reportphishing@antiphishing.org and to the abuse addresses at the hosting IPs. I know it would be better if all the "stupid" users could be educated to spot these things themselves, but that just isn't going to happen. We who know better should be doing more to stop this instead of laughing at the gullible.

  21. Re:Quick & Dirty Hack ... by Anonymous Coward · Score: 1, Informative

    Darwin Awards are usually reserved for people who do something stupid and die. Losing all of your money (or even a great deal of it) does not qualify as removing yourself from the gene pool.

  22. That is useful for sure, HOWEVER... by WebCowboy · Score: 3, Informative

    ...I just hope the font people have set in the status bar is legible enough to catch the trickier ones. Look at these three characters: "I" "l" "1". In some fonts they are identical (uppercase i, lowercase L and the number one).

    Paypal was one of the earliest business victims of phishing scams, which were successful because of the unfortunate last character in the name. The scammers registered paypai.com (shown in the URL as paypaI.com) and paypa1.com (number one at the end) and set up convincing, secure sites to scam people.

    I applaud the Mozilla people for giving users the tools to help spot scams, but people still have to use their heads.
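The look-alike names WebCowboy describes (paypaI.com, paypa1.com) and the brand-as-subdomain trick bludstone ran into earlier in the thread (ebay.(official sounding name).com) are both things a mail filter or browser extension can catch before a user has to squint at the status bar. The script below is an added example written for this page, not code from Mozilla or any poster: it reduces a hostname to the "skeleton" a reader's eye sees, using a small, constructed table of characters that render alike in many fonts, and classifies a URL or hostname against a short list of protected brands (the ones named in this thread). The brand list, the confusable table and all sample inputs are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Brands named in this thread; a real deployment would keep its own list.
PROTECTED = ["paypal.com", "ebay.com", "citibank.com"]

# Characters that render alike in many fonts: the I/l/1 trio the poster names
# plus a few other commonly confused pairs (constructed table, not exhaustive).
# Two-character sequences go first, since the single-character pass would
# otherwise split them.
MULTI = {"rn": "m", "vv": "w"}
SINGLE = {"1": "l", "I": "l", "|": "l", "0": "o", "O": "o", "5": "s", "$": "s"}

def skeleton(name):
    """Collapse a hostname to what a reader's eye sees. The mapping runs before
    lower-casing so that an uppercase I is still recognised as an l look-alike."""
    s = name.strip().rstrip(".")
    for seq, rep in MULTI.items():
        s = s.replace(seq, rep)
    s = "".join(SINGLE.get(ch, ch) for ch in s)
    return s.lower()

def host_of(url_or_host):
    """Extract the host from a URL without lower-casing it (urlsplit().hostname
    would, hiding the I/l trick); bare hostnames pass through."""
    if "://" in url_or_host:
        netloc = urlsplit(url_or_host).netloc
        return netloc.rsplit("@", 1)[-1].split(":")[0]
    return url_or_host.split("/")[0]

def registered(host):
    """Crude last-two-labels approximation of the registrable domain."""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def levenshtein(a, b):
    """Standard edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url_or_host, protected=PROTECTED):
    """Return (verdict, brand). Checks run from most to least specific:
    exact match, font look-alike, brand used as a subdomain label of some
    other domain, then one-character typo."""
    host = host_of(url_or_host)
    reg = registered(host)
    labels = host.lower().split(".")
    for brand in protected:
        if reg.lower() == brand:
            return ("genuine", brand)
    for brand in protected:
        if skeleton(reg) == skeleton(brand):
            return ("homoglyph", brand)
    for brand in protected:
        if brand.split(".")[0] in labels[:-2]:
            return ("brand-in-subdomain", brand)
    for brand in protected:
        if levenshtein(skeleton(reg), brand) == 1:
            return ("typo", brand)
    return ("unrelated", None)

if __name__ == "__main__":
    for sample in ("paypaI.com", "paypa1.com", "https://www.paypal.com/cgi-bin/webscr",
                   "ebay.official-notice.com", "paypai.com", "example.org"):
        print(sample, "->", classify(sample))
```

The ordering matters: a genuine paypal.com must be recognised before the skeleton comparison, because the table deliberately maps uppercase I to l and would otherwise turn a legitimately capitalised name into a "look-alike" of itself. Anything other than "genuine" or "unrelated" is worth a warning banner of the kind the Gmail and Firefox posts in this thread describe.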

  23. E-mail scam plays on US elections -BBC by scupper · Score: 2, Informative

    E-mail scam plays on US elections
    By Alfred Hermida
    Published: 2004/10/05 08:50:43 GMT
    BBC News Online technology editor

    http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/3714944.stm

    People are being warned about a scam e-mail which uses the US presidential poll to con them out of their money.

    A junk e-mail invites people to dial a premium rate number to express their support for President George W Bush or rival John Kerry.

    E-mail filtering firm BlackSpider estimates that almost a quarter of a million are being sent out every day.

    In the past, net fraudsters have tried to use the 9/11 attacks and the tragedy in Beslan to get money.

    900 number

    At first glance, the presidential election message appears to be legitimate, saying it was sent from a Lycos.com address.

    But BlackSpider Technologies said it had traced some of the e-mails to a server in the Czech Republic.

    The mail reads: "Fellow Citizen: The extremely jubilant crowds in Baghdad appeared to vindicate President George Bush's belief that the military action in Iraq was the right move.

    "But many questions still remain over the lack of hard evidence of Saddam's weapons of mass destruction. With these tough times before us, let us know."

    It goes on to ask readers if they support President Bush, prompting them to call a 900 premium rate number.

    It says votes will be sent to the Bush and Kerry campaigns.

    In an effort to convince people it is a genuine message, the e-mail says who commissioned the poll.

    The mail adds that the calls will cost $1.99, saying this is "a little price to pay for a better democracy".

    "This is a relatively new scam," said BlackSpider CEO, John Cheney.

    "The question is, are they breaking the law? In the UK they are, in the US they are not."

    Sending unsolicited messages to personal e-mail is barred in the UK. But in the US, people have to opt out of receiving these sorts of messages.

    Hotbed of scams

    BlackSpider estimates that 240,000 of the presidential scam e-mails are being sent out worldwide a day.

    The lack of any spelling mistakes and its resemblance to a genuine message means that it could slip through the spam filtering of home users.

    This latest scam reflects how the nature of spam is changing.

    In the past, spam was dominated by pornography. These days spam is a hotbed of financial scams, as well as a black market for fake pharmaceuticals and software.

    E-mail scams known as phishing have tried to trick customers into giving away confidential bank details.

    Other scams known as 419 try to part people from their cash by telling them they are in line for millions from a deposed African leader.

    The US presidential mail is just the latest trick used by spammers to part the unwary from their money.

    "No doubt we will be seeing some messages like this in the next general election in the UK," said Mr Cheney.

  24. The right advice by Anonymous Coward · Score: 2, Informative

    There are no quick ways to explain to an 'average joe' how to check an email for legitimacy. The only hard and fast rule should be:

    Do not EVER enter personal financial or identification information on a website you reach by using a 'link' in an email.

    Instead open a new instance/tab/window of your web browser (it also helps to avoid using the browser most well known for its vulnerabilities, cough), and hand enter the original known address for the site belonging to the organization that you believe is contacting you. If you don't *KNOW* the correct address, call them and *ASK*. If they need information from you, they will confirm the requirement there.

    If you are not 100% certain of both the legitimacy of the request and your ability to tell, *CALL* the organization (IGNORE any suggestions given in the email not to call) and *ask* them if it is legitimate. (*NOT* using a phone number given in the email, use one you obtained when you established the relationship with the organization, or one you looked up yourself from a phonebook or directory assistance line)

    Obviously, if you don't *HAVE* an existing online relationship with the bank/company/etc. that the email comes from, then assume it *IS* a fraud.

  25. Re:PostX is Phish-friendly? by cipher chort · Score: 2, Informative

    Actually there are several encrypted messaging companies that use this model as at least one of their options. There are two main reasons why this "push" method is used:

    1.) Because the user can access their statements even if they're not on-line (although the contents stay encrypted on their hard disk).

    2.) Because the financial institution chooses when they want to use their bandwidth to send the messages and doesn't receive random spikes that they would get if the user was "pulled" back to the site to view the content.

    Of the two, obviously #1 is the overwhelming reason.

    Several encrypted messaging providers also use a method that was patented by my employer (Tumbleweed Communications) that simply sends a notification message that allows the user to "pull" the data down from a secured webserver over an SSL connection. The user enters their credentials to the webserver (which can use a Single Sign-On system, or a variety of other methods) and at that point they may view the message and its contents.

    The drawback of this method is that the user must be connected to view the information. If they download it to their desktop, it's not encrypted at rest on their machine. It also forces the provider to use more bandwidth and servers, but that's fairly trivial compared to other factors.

    The argument essentially boils down to convenience vs. security, and in the real world convenience wins every time end-users are involved. Financial institutions want to provide services that are easy to access and give their users the relevant account information in readily usable formats. Statements can be delivered electronically more cheaply than in paper via the mail, and most times customers actually prefer it.

    The other aspect which many people don't consider is that it's also very possible for rogue postal employees to hijack data in transit, or for someone to simply steal it from your mail box before you pick up your mail. Given that, electronic delivery is actually a security improvement over the traditional paper statement delivery.

    Also, it's worth noting that this entire method of encrypted delivery was invented because encrypted e-mail had such a poor adoption rate. Client support for S/MIME is excellent, but no one knows how to use it and organizations don't want to maintain the PKI that it takes to "do it right". Support for OpenPGP is much less ubiquitous and it's just as confusing to users. Add to that the fact that many users have a webmail account as their primary point of contact (Hotmail, Yahoo!, Gmail, etc) and none of those will support S/MIME or OpenPGP encryption (at least, not to my knowledge). You need a way to communicate with those folks.

    Medium-strength security that is easy-to-use is a whole lot better than near bullet-proof security that only a few percent of the population will tolerate learning and using.

    --
    Someone is WRONG on the Internet!
  26. Re:One nice new thing in Firefox by aaza · Score: 2, Informative

    There was a Phishing test posted here on Slashdot a while back.

    Yep. story (IT subdomain removed to preserve eyes)

    test

    Enjoy.

    --
    In theory there is no difference between theory and practice.
    In practice, however, there is.
  27. Re:Maybe this is a good sign by gujo-odori · Score: 2, Informative

    Usually, phishing also involves cracking a server somewhere. I'm in the email security business, so I feel almost as close as family to hundreds of wealthy but desperate Nigerians (who don't get to deliver much mail on the networks I protect) and loads of phishers (who don't get to deliver much more mail than the Nigerians).

    In almost all cases, the link in the phishing mail leads to a compromised host. Phishers (most of them, anyway) aren't dumb enough to put the phishing site on a host that's actually theirs. Usually, it's all too obvious that the rightful admin of the host in question is utterly clueless that he/she has been owned.

    You're dead right about the ROI, though. Stealing usable financial data off of a server is a lot harder than phishing. People report successfully filtered phishing mails to me as false positives every single day, and I always wonder if they sent it in before or after they gave away all of their financial info.