"Phishing" Attacks to Increase
neutron_p writes "The number of people who succumb to identity thieves' "phishing" e-mails could go way up if immediate action isn't taken to preempt the next generation of attacks, according to an Indiana University School of Informatics researcher. "Phishing" e-mails appear to be sent by legitimate businesses, but are actually created and distributed by villains who are after your personal information. They describe some thieves' tricks. One kind of context-aware attack tricks eBay bidders into giving out identifying information by leading bidders to believe they've won an auction. In another kind of context-aware attack, a potential victim might receive a message from a known person -- for example, a friend or loved one - asking him or her to go to a Web site to update banking information."
Was the addition of yellow highlighting for secure sites, and the domain in the status bar. It really makes picking up when you're on a secure site easier. In the past you had to really look for that little lock icon or whatever.
Phishing is just conmen moving to the internet. They use similar tricks in the real world, just on a smaller audience. Here in the DC area there are several police imposters running around, some of them tricking people into withdrawing all the money from their bank (it's counterfeit!!!) and others actually using flashing lights to pull over people on the road.
Social engineering will always work, and will always be very easy, because users are stupid.
Phishing is just technology-enabled social engineering.
- Adam L. Beberg - The Cosm Project - http://www.mithral.com/
Until the majority of the people out there have the critical thinking skills to deal with this sort of thing, the problems will continue. The same people who are stupid enough to give out their info to someone who e-mails them are the ones buying shit from SPAM e-mails.
Humor from a Genetically Molested Mind
For example
1.) FleetBank sends out some email advertisement
2.) hackers now have a model email to modify
3.) hackers can just redirect some links and resend it to different users.
So to fix this, real companies need to STOP sending out spam.
Maybe the scammers are just too technically challenged to hack and prefer using the good old social engineering.
This is totally insecure, but very convenient.
for example, a friend or loved one - asking him or her to go to a Web site to update banking information
OK, hands up, whose mother has a habit of wanting one to provide bank account info via some web site? I can see the duplicitous falling for the fake 'from your bank' emails, but from friends and loved ones???
And some people want democracy to be MORE direct???
How are we supposed to tell the difference between a legitimate email from a company and a phishing attempt when places like CapitalOne use skeezy companies like bfi0.com for sending email to their customers? A link that says "Click here to access your statement" that actually goes to http://capitalone.bfi0.com/T8RT044ABB6D98DEB357FB2EDD4A80 makes me feel safe inside.
I KNOW they are all bogus and just ignore them, but I'm worried that friends or family will fall to them. I have a number of elderly family members that surf and no matter how hard you try to explain things to them, they just don't get it.
Some of these things look very legit to the untrained eye and some of them are pretty frightening, such as warnings that your account has been abused and that you need to log in to update your security profile or some such nonsense.
I finally got it through to my elderly aunt to CALL ME FIRST before clicking on anything that comes in email telling her to click or log in or whatever. She still wants to click everything that comes in, I guess she's just goofy in the head.
Sad thing is, there are so many people out there that don't have someone they can call about this stuff and don't know what to do when they get one of these things.
I've tracked a LOT of these ebay scams to Korea.
Dubya was right, North Korea is a threat.
Last time I checked, I've never seen a phishing attack from Iraq.. We should have attacked North Korea instead. Hell, let's just nuke them and stop this nonsense...
Yeah, that's a likely scenario. Your dad or mom writing you all concerned that your bank information needs updating. Has anyone, anywhere, ever had that happen in real life? OK, never mind, I'm sure it has happened to someone, and for sure that person is reading this comment and will respond all indignantly. But you get the point. I cannot believe this approach would be accepted. This is not a typical, 'Hey, check this out' type of email from a relative. It's just a little too strange to work.
Now I have been phished, usually by Citibank-looking emails asking me to click here and update my information. The fact that I don't have a Citibank account was my first clue. The fact that I read /. and know about phishing was my second clue. The fact that I know banks don't operate that way was my third clue. But they are professional-looking emails, until you look closely and find all the typos. But pretending the email comes from Mom?? The first thing I would do is call her up and ask what's going on. And then she could say, "You called, it worked!"
Oh wait, this is a phishing expedition, not from bad guys, but from parents who want more phone calls from their children!
Now that we're in the PTO War that will last the rest of our lives, is Congress cracking down on the phishers who depend on trademark violation to bait their hooks as hard as the RIAA is persecuting perceived violators of their copyrights?
--
make install -not war
An interesting thing about these scams is how game theory applies to them. If they don't send out any emails, of course they don't make any money. If they send out only a thousand or so per day, they'll probably succeed with one or two people, and make a decent amount of money. Additionally, they'll remain more anonymous and reduce the risk of word spreading about this scam. If EVERY scammer sends out millions of these emails, people will catch on quickly and profits will plummet. That's what they did now. Everyone jumped on the bandwagon and the scam bubble burst.
I believe that the success of these scams will decline over time. Just like with the 409 scams, there will be a larger number of people who fall for it at the beginning, but then numbers will drop. Will it always be profitable for them? Most likely, yes, unless email verification becomes much more standard. Will they go away? No. Will they eventually find some new scheme that is even more clever? Without a doubt.
I dunno what my point is. Someone agree with me.
Why do you think this would work? It's the mail server that generates such mail header content. When the "server" is a compromised home box sitting on a DSL connection, why would the trojan/virus/what have you be honest about the origins of the email it generates?
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
It's so easy to blame the problem on people being stupid. But people that grew up with only the 'real world' don't really have any reference to understand this by. I mean, I'd be dumb to fall for a trick where a dumpster across the street from me claims to be my bank. But you don't have to settle for that online; copies are easy. If a building across the street from me became a perfect copy of the bank I went to, I'd be like "hey, new branch, convenient".
-You're wasting your time. Alfador only likes me.
Credit card companies, banks, PayPal, and any site that deals with financial transactions that could be compromised by phishing scams need to establish a one-point policy for client email: never link back to the site from the email. If every company did this, and users were instructed to always type the URL in the browser to access their account, and it was made clear that the company would never send an email with links to the site or account, eventually people would be able to tell the phishing from the real. I know it's not a perfect solution, but the convenience of "click here to access your account" emails is what fuels the phishing scams.
OTOH, I have yet to personally get a phishing scam (and I get them every day) that purported to be from a company I actually do business with, with the exception of PayPal. And all my credit cards are from big, national companies.
"I forgot my mantra."
Where did this term Phishing come from?
Whenever I see it I think of the band Phish, who are now retired as a band and weren't at all about attacks or fraud. Heck, they probably hold a trademark on Phish, and should sue everyone for using it in this manner. This is a lot different from the spam and Hormel thing. Spam à la Hormel was bad, à la mail spam. Phish à la the band isn't nearly as relatable to this "phishing" stuff.
Phishing schemes and scams are based upon taking advantage of people's ignorance.
Proper education is key to solving this problem. All the technology in the world isn't going to prevent someone from passing their info to some criminal.
Think about this: this scam could have been conducted for a regular brick-and-mortar bank by having a scam artist walk door to door asking people to update their account information on a paper form. Of course no one will do this because we all know better than to just give our information to a stranger knocking on our door.
The same applies to email. Once people realize this is not an acceptable method to update or pass information, these scams will fall out of favour.
Education about the internet is a must for everyone that uses it. Sort of like financial management education when you get your first credit card; the same should be applied to those getting internet access.
Live forever, or die trying.
So far I've read multiple 'stupid user' accounts. It amazes me that so many people are so arrogant because they see this type of stuff day in and day out that they'd expect every person out there to think of people this evil to come up to them with this type of attack.
People genuinely trust folks, that's why they call it social engineering. You can walk just about anywhere with a clipboard and a pen and get access to just about anything in a standard business environment.
Working for a vendor I've had many 'seasoned sysadmins' rattle off a password to me like it was nothing. Granted, I've never once used them outside the context in which they were given, but the fact that some of them would affect the bottom line of the company with a few simple commands would not be the best thing.
Do I call those admins stupid? No, not really. Guess that is where I differ. I don't find the BOFH and similar things funny either, though.
As a rock-and-roll physicist once said, no matter where you go, there you are.
Does anyone else think that the only real problem here is HTML email? It's good for nothing, wastes resources, and enables pretty much every kind of annoying spam, hidden redirect, tracking bug--it just keeps coming. Why do we have to build all these widgets to help users see that URLs aren't what they say they are, and such? Do we really want to wait for the spammers to start building javascript messages that alter the url after/when clicking, or whatever next becomes really annoying to people?
Isn't this enough of a problem yet to get the asinine companies that forced HTML down our throats (I'm looking at you AOL, MS, etc) to reconsider? Make the common clients block/ignore the HTML by default and *never* send HTML messages, instead of the current tactic of trying to trick or force users to send as HTML (maybe with an additional text version, if we're lucky), to just drown out the people asking for plain text.
Maybe I'm just bitter. It's always so difficult to watch stupid obvious mistakes blossom so thoroughly predictably. At least I can filter most all the spam by dumping HTML messages.
Perhaps the best way to handle these is to get even.
Write a script which will go to the site and fill in bogus name/account/credit card info. Let's slashdot the phishers!
"-1 Troll" is the apparently the same as "-1 I disagree with you."
The lesson to learn is that when an account is online, you have to KEEP YOUR OWN LINKS. That way, (1) if you don't have an account with an institution, ignore the mail, or (2) if you do, use the front door you've used before.
This guideline is all anybody needs to protect themselves from these scams.
Why don't banks just set up 'monitored' accounts and put a little bit of money in them, then follow the trail? :)
The phisher thinks they've caught someone out, logs in and transfers money away (I'm guessing to a relay account, unless they're REAL stupid), which relays on and on until it eventually gets somewhere the phisher can do something with it.
The money (or goods they might buy with it online) has got to go somewhere, right?
I see a lot of people blaming stupid people for this. And stupidity, naivete, etc. are definitely part of it.
But the fact is, some of the phishing emails look really good. I got one last week that was identical to a legit Citibank email, except that it went to http://citibankgroup.biz instead of https://citibank.com. Given all the weird URLs and bulk mailing companies banks use (and the fact that a lot of normal users view URLs as voodoo), it's not surprising to me at all that people fall for this stuff.
In the end, this is just a special case of spam. Verifying the sender using SPF or any of the other systems being adopted right now, will solve this problem. And disabling HTML email (among the worst design decisions ever made, IMHO), would also help a lot.
-Esme
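The two comments above that touch on sender verification fit together: a compromised home box on a DSL line will write whatever it likes into the From: header, and SPF is the published list of addresses that are actually allowed to send for a domain, so the receiving server can reject the forgery on the envelope sender. The following is an added example, not code from any commenter or from any SPF library; it evaluates the ip4/ip6/include/all subset of RFC 7208 against constructed TXT records held in a dictionary in place of real DNS. All domains (`examplebank.test`, `_spf.bulkmailer.test`, `softfail.test`) and addresses are hypothetical.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; every name and address here is hypothetical.
FAKE_TXT_RECORDS = {
    "examplebank.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.bulkmailer.test -all",
    "_spf.bulkmailer.test": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "softfail.test": "v=spf1 ip4:203.0.113.5 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, records):
    """Return the domain's SPF TXT record, or None when it publishes none."""
    record = records.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_spf(domain, client_ip, records=FAKE_TXT_RECORDS, _depth=0):
    """Evaluate the ip4/ip6/include/all subset of RFC 7208 for the connecting IP.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if _depth > 10:                       # RFC 7208 limit on DNS-querying mechanisms
        return "permerror"
    record = lookup_spf(domain, records)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:       # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            inner = check_spf(argument, client_ip, records, _depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"        # RFC 7208 s5.2: including a missing record is an error
        else:
            return "permerror"            # a/mx/ptr/exists/redirect are not implemented here
    return "neutral"                      # ran off the end of the record without a match


def sender_domain(mail_from):
    """Domain of the SMTP envelope MAIL FROM address (what SPF is checked against)."""
    return mail_from.rsplit("@", 1)[-1].lower()


def verdict(mail_from, client_ip, records=FAKE_TXT_RECORDS):
    return check_spf(sender_domain(mail_from), client_ip, records)


if __name__ == "__main__":
    # A compromised DSL box forging the bank's address: not in the record, so "fail".
    print(verdict("alerts@examplebank.test", "203.0.113.77"))
    # The bank's third-party bulk mailer, authorised through the include: "pass".
    print(verdict("alerts@examplebank.test", "198.51.100.10"))
```

The check is only as good as the envelope sender: SPF says nothing about the display name or the From: header a mail client shows, which is why a phisher can still send from a domain they control with a perfectly valid SPF record. It does stop the plain forgery the comment about compromised home boxes describes.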
The solution to this is a little white lie. When you receive those messages, report them to Schwab that you believe that they are fraudulent and attempting to obtain your account details.
When they reply saying that 'these are legitimate emails', ask them how you are supposed to tell that they're legitimate. If they give a good answer, your problem is solved. If they are unable to give a good answer, hopefully they'll realize the point that you're trying to make.
Lather rinse and repeat on any other vendor that sends emails that can be easily mistaken for phishing.
No, it's all about a new class of "context aware" attacks which the author believes will have a much higher rate of success than the current ones (50% versus an estimated 3% now). You can disagree with the author's conclusions, but the article is at least talking about something I hadn't heard of before.
I'm going to state the obvious because I'm bored at work.... As the "People in the Know", it is our responsibility to inform our grandmothers, friends, co-workers, etc. of all the pitfalls of the online world. For each person close to us that we can warn, that's one more person who will learn the "easy" way. The rest will have to learn the "hard" way by getting burned. Eventually everyone will learn. Unfortunately, there will always be new and more creative scams. "Fool me once - shame on you! Fool me twice - shame on me!"
- I posted an item for sale
- I realized I owed eBay about $40 in back listing fees
It was just before I was going to get into bed, and I skimmed over the message as I usually do before deleting it. My usual thinking: "Sure", I thought, "I'll get back to it tomorrow and pay them." This time around, I clicked the link and got the "standard" eBay login screen. Being tired and lazy, at this point I didn't even glance at the URL. I entered my login and password for eBay, and as it was redirecting I glanced at the address bar, and in horror I saw "cgi2.eb4y.com" or something munged like that.
In a panic, I immediately changed my eBay password, and all is once again well on my happy little computing planet. That being said, had I not caught that and gone straight to bed, who knows what I would've woken up to. The moral of the story is that you really have to be on your toes. The circumstances surrounding this dodged bullet really were a perfect setup for me: owed eBay money, just posted a new item for sale that day, fatigue...
Common sense is the key!
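Several comments in this thread describe the same mechanics from the receiving end: a legitimate advertisement with its links redirected, a "Click here to access your statement" link that goes to a third-party mailer's domain, a Citibank lookalike at citibankgroup.biz, and the eb4y.com login page above. Each of those is visible in the HTML before anyone clicks, which is the check the HTML-email complaint earlier in the thread is really asking for. Below is an added example, not code from any commenter, that parses the anchors out of an HTML body and flags three things: plain http on a login link, visible text that shows one host while the href goes to another, and a destination domain that is a lookalike of (or unrelated to) the brand the mail claims to be from. The sample message and every domain in it (`examplebank.com`, `examplebank-group.biz`, `examp1ebank.biz`, `bulkmailer.example`) are constructed for the example; the two-label "registrable domain" rule is a simplification that is wrong for suffixes like co.uk.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Digits phishers substitute for letters inside a brand name (0->o, 1->l, 3->e, 4->a, 5->s).
HOMOGLYPHS = str.maketrans("01345", "oleas")

# Anything in visible link text that reads like a host name or URL.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name: right for .com/.biz, wrong for co.uk-style suffixes (simplification)."""
    return ".".join(host.lower().split(".")[-2:])


def edit_distance(a, b):
    """Plain Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, expected):
    """eb4y.example vs ebay.com, or citibankgroup.biz vs citibank.com: the brand label matches
    after homoglyph folding, contains the real brand, or is one edit away from it."""
    brand = domain.split(".")[0].translate(HOMOGLYPHS)
    target = expected.split(".")[0]
    return brand == target or target in brand or edit_distance(brand, target) == 1


def analyse_links(html, expected_domain):
    """Return (href, reason) findings for every link a reader should worry about."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        if not host:                      # mailto:, fragments, relative links: nothing to judge
            continue
        domain = registrable_domain(host)
        if parts.scheme == "http":
            findings.append((href, "plain http, not https"))
        shown = DOMAIN_IN_TEXT.search(text.lower())
        if shown and registrable_domain(shown.group(1)) != domain:
            findings.append((href, f"text shows {shown.group(1)} but link goes to {host}"))
        if domain == expected_domain:
            continue
        if is_lookalike(domain, expected_domain):
            findings.append((href, f"lookalike of {expected_domain}: {domain}"))
        else:
            findings.append((href, f"off-brand domain {domain} (third-party mailer?)"))
    return findings


# Constructed sample in the style of the messages described in the thread; every domain is hypothetical.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been flagged. Please log in at
<a href="http://examplebank-group.biz/login">https://examplebank.com/login</a>
to update your security profile.</p>
<p>You owe listing fees. <a href="http://cgi2.examp1ebank.biz/ws/signin">Sign in</a> to pay.</p>
<p><a href="https://examplebank.bulkmailer.example/T8RT044">Click here to access your statement</a></p>
<p><a href="https://www.examplebank.com/help">Help</a></p>
"""

if __name__ == "__main__":
    for href, reason in analyse_links(SAMPLE_EMAIL, "examplebank.com"):
        print(f"{reason}: {href}")
```

Note what the "off-brand" finding means in practice: the bank's own statement link through a bulk mailer trips the same check as a phisher's domain, which is exactly the complaint about capitalone.bfi0.com above. A filter like this cannot tell the two apart; only the sender's policy (no links in account mail, or links only under the brand's own domain) can.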