Slashdot Mirror


"Phishing" Attacks to Increase

neutron_p writes "The number of people who succumb to identity thieves' "phishing" e-mails could go way up if immediate action isn't taken to preempt the next generation of attacks, according to an Indiana University School of Informatics researcher. "Phishing" e-mails appear to be sent by legitimate businesses, but are actually created and distributed by villains who are after your personal information. They describe some thieves' tricks. One kind of context-aware attack tricks eBay bidders into giving out identifying information by leading bidders to believe they've won an auction. In another kind of context-aware attack, a potential victim might receive a message from a known person -- for example, a friend or loved one - asking him or her to go to a Web site to update banking information."

31 of 358 comments

  1. Moving right along by Lord Grey · · Score: 5, Interesting
    The article does not really say anything new. Of course phishing scams are on the rise: When they succeed, they succeed very well. It's just like spam that sells Body Part Enlargement Pills. Only a few victims need to fall for it before the perps fall in love with the whole idea.

    But off-topic, did anyone else notice the "Further Reading" section below the article?

    • The Elements of Style, Fourth Edition by Roger Angell
    • The Art of Innovation : Lessons in Creativity from IDEO, America's Leading Design Firm by Tom Peters
    • Reporting Technical Information by Thomas E. Pearsall
    • Optical Illusions : Lucent and the Crash of Telecom by Lisa Endlich
    • National Electrical Code 2002 Handbook
    The dead tree compilation of HOWTO: PHISH (except for maybe the last one). Ha!
    --
    // Beyond Here Lie Dragons
  2. Re:Humans... by Anonymous Coward · · Score: 4, Interesting

    nahh I love these...

    I set up a website testing app full of profanity and point it at the "webform" these losers try and scam people with and fill their database.

    I let it run until it starts erroring out because it has been taken down.

  3. Could be real... might not be by Anonymous Coward · · Score: 5, Interesting

    This is one from a friend I only know online, so take its truthfulness with a grain of salt. Out of a mix of curiosity and a bet/dare with a co-worker, he engineered to insert a small harmless fake phish into email, one distributed to members of staff around the organisation, which provides financial support for other government departments. It was a completely stupid one, with the email simply asking staff members to go to a site and re-confirm their credit information, and the site took down names/addresses/SS/credit card numbers etc. Out of more than a hundred employees, *ONE* person came to him as support to check what the email might be, and fifteen filled out their complete credit information.

    That was around 10% of people, adults who should know better, who simply gave up their personal information to nobody they knew, just because they were asked. My friend lost his bet, he thought it would be closer to 30%, but still... send out hundreds of thousands of phish scams and you're guaranteed a good haul.

  4. Re:Humans... by Pi_0's don't shower · · Score: 5, Interesting

    Seriously, doesn't the parent have a point here?

    I mean, there will be scam artists as long as people are uninformed enough to fall for a scam. Doesn't every single site that you give sensitive information to WARN you that they will never ask you for that information?

    I remember the first time I ever logged in to AOL, someone named "SS Rupert" IM-ed me telling me that my credit card number was lost in the last transmission and I needed to re-send it. This is immediately after the old AOL screen that says "We will never ask you for your password or credit card information". I laughed at his IM and asked him how many people fell for that? He told me that he just hung around the "newbie chat" or wherever it was that AOL dumped new users at the time and that he gets about 10 to 15 PER CENT of people to send him one or the other without even questioning him.

    I almost completely agree that if you're dumb enough to fall for the scam, you deserve it.

  5. Re:Maybe this is a good sign by Trigun · · Score: 5, Interesting

    Do you kick down a door, or do you try the knob first?

    Also, there are various graduations of criminal, from petty thug to criminal mastermind. There are more thugs than masterminds (mostly because if there were tons of masterminds, all the cool costumes would be taken).

    Read it how you will. This is, I assume, much easier than hacking into the bank. Doesn't mean that you couldn't hack into the bank.

  6. easy algorithms for thwarting scams by mabu · · Score: 4, Interesting

    One easy way to address this situation would be to have a plugin or feature for most e-mail clients that would prominently display the general source of the message (i.e. "China", "Brazil", "DSL user in Texas", etc.) as a prominent part of the normally-viewable message headers.

    It is well known that most spam and phishing e-mails are coming from one of two sets of IP space: China and Korea and related "rogue IP space", and DSL-based zombie proxies. It would not be difficult to use a database or design an algorithm which could 'flag' e-mail messages as suspicious based on the comparison between the from header information and the SMTP relay.

    Users who then received messages could get a color-coded warning when they view the message, i.e.:

    "WARNING: This e-mail claims to be from the domain ebay.com but it originated from a system suspected of being located in China - use caution"

    Very simple, elegant and helpful solution. Which probably means it would never be adopted.

    1. Re:easy algorithms for thwarting scams by OmniVector · · Score: 2, Interesting

      or how about just viewing your raw email?

      in mail.app i see the email address: eBay@reply3.ebay.com

      but when i go and view the raw source i actually see it was delivered by:
      Received: from mail.wooms.net (unknown [212.124.39.178])

      a simple whois wooms.net tells me:
      Peter Brueggemann guardian@globe.de
      Wooms e.V.
      Hammer Strasse 37
      Muenster, NRW 48153
      DE
      +49 2512034762

      somehow i doubt that's ebay.

      --
      - tristan
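
The From-versus-relay comparison proposed in the two comments above, as an added example that is not part of either comment. It assumes the topmost `Received` header was written by your own mail server in Postfix style; `check_message`, `org_domain`, the `by mx.example.net` portion and the second and third samples are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# "from <helo> (<rdns> [<ip>])" as written by Postfix-style MTAs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*"
    r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]\)"
)

def org_domain(host):
    # Naive: last two labels. Assumption; real code needs the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_message(raw):
    """Compare the From domain with the relay recorded in the topmost Received header."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    out = {"from_domain": from_dom, "helo": None, "rdns": None,
           "ip": None, "warning": None}
    received = msg.get_all("Received") or []
    if not from_dom or not received:
        out["warning"] = "WARNING: no usable From or Received header"
        return out
    # Only the topmost Received line is trustworthy: our server added it.
    # Everything below it was supplied by the sender and can be forged.
    m = RECEIVED_RE.search(" ".join(received[0].split()))
    if not m:
        out["warning"] = "WARNING: could not identify the delivering relay"
        return out
    rdns = m["rdns"].lower()
    if rdns in ("", "unknown"):
        rdns = None          # our server found no reverse DNS for the IP
    out.update(helo=m["helo"].lower(), rdns=rdns, ip=m["ip"])
    # The HELO name is whatever the client typed, so only reverse DNS
    # recorded by our own server counts as a match.
    if rdns and org_domain(rdns) == org_domain(from_dom):
        return out
    detail = "" if rdns else " (no reverse DNS; HELO name is sender-supplied)"
    out["warning"] = (
        f"WARNING: this e-mail claims to be from {from_dom} but was "
        f"relayed by {rdns or out['helo']} [{out['ip']}]{detail}"
    )
    return out

# From and Received values quoted in the comment above; the rest is constructed.
PAGE_SAMPLE = (
    "Received: from mail.wooms.net (unknown [212.124.39.178])\n"
    "\tby mx.example.net (Postfix) with ESMTP id 0000000000\n"
    "From: eBay <eBay@reply3.ebay.com>\n"
    "Subject: constructed sample\n\nbody\n"
)
# Constructed: relay's reverse DNS sits under the From domain.
OK_SAMPLE = (
    "Received: from out1.example.com (out1.example.com [192.0.2.10])\n"
    "\tby mx.example.net (Postfix) with ESMTP id 0000000001\n"
    "From: News <news@example.com>\n\nbody\n"
)
# Constructed: client lies in HELO, but the IP has no reverse DNS.
HELO_SPOOF_SAMPLE = (
    "Received: from mail.example.com (unknown [198.51.100.7])\n"
    "\tby mx.example.net (Postfix) with ESMTP id 0000000002\n"
    "From: News <news@example.com>\n\nbody\n"
)

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, OK_SAMPLE, HELO_SPOOF_SAMPLE):
        print(check_message(sample)["warning"] or "no warning")
```

A mismatch is a prompt to look closer rather than a verdict, since legitimate senders often relay through third-party mail services.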
  7. Public Awareness == Good by Solder Fumes · · Score: 5, Interesting

    I was pleasantly surprised at a commercial I recently heard on the radio while driving. It was a public service announcement laying down the basics of phishing (they even said "spelled with a 'ph'") and what kinds of warning signs to look for. I hope to see more announcements of this type, as computers begin to affect almost 100% of the people in our society.

  8. 419 scams by donnyspi · · Score: 5, Interesting

    I use phishing techniques to get 419 scammers to give me their email password so I can shut them down. I usually direct them to a URL promising to contain a scanned image of my passport or whatever. The link usually goes to a log in screen for their particular email provider. This works great. I know they'll just get another email address, but this is a small thing I can do to disrupt them a little.

    1. Re:419 scams by donnyspi · · Score: 2, Interesting
      I do look in their boxes sometimes. Unfortunately the sucker count is moderately high. Their drafts folder is full of canned letters. Sometimes their Sent Items is full of sent scam emails. I thought most 419ers used programs to send out the initial bulk scam email.

      Check out http://www.419eater.com/ for other people's reverse scam and phishing successes.

    2. Re:419 scams by tekiegreg · · Score: 2, Interesting

      Heh, I'm a regular surfer of 419eater.com and even now am baiting a scammer, I actually wonder now if you were looking at faked responses in their inboxes from fellow 419 reverse scammers :-)

      --
      ...in bed
  9. I don't consider myself a clueless user... by Anonymous Coward · · Score: 1, Interesting

    The couple of beers I had before checking my email on one Saturday night might have affected my judgement a bit, but I got this email from what appeared to be etrade a while ago, they said that there had been an attempt to access my account and that I needed to take action to change my password and verify the account.

    What tipped me off was that the URL went to an IP address instead of etrade.com and that they asked too many questions on the page that came up. But the site looked exactly like etrade.com and if they had just asked fewer questions instead of everything then I might have hit submit before I realized what was going on.

    Needless to say I now have a no beer and online banking rule, but I wonder how many people are targeted on weekend nights figuring they might have had a few to drink and might be more susceptible to trickery. Is the company's domain name in the URL the only realistic way to verify that they are who they say they are?

  10. Counterattacks by Anonymous Coward · · Score: 2, Interesting

    Whenever I get a phishing email I click the link so that I get the real url (the emails usually use Javascript to make it look like you're going to a legitimate website). I try to load the base url to see if it's actually some person's website who's been hacked, and doesn't know that he's hosting phishing pages. But usually, it's someone who's probably hosting a site on a residential connection. A traceroute should tell you where. Then, I blast that site with as much traffic as I can. Because they're often on low bandwidth connections, I can often take them out myself. The apachebench tool is handy for this.

    These people are often located in countries where the law enforcement of these crimes may be lax or non-existent. Therefore, I believe that vigilante justice, along with consumer education, are some of the few things we can do to prevent people from getting ripped off.

  11. Re:One nice new thing in Firefox by Anonymous Coward · · Score: 1, Interesting

    Perhaps if you finished reading where I said it tells you the domain you're on in the status bar, you'd see it all works together.

  12. They do it because it works by Anonymous Coward · · Score: 1, Interesting

    I sent e-mail to spoof@ebay.com and abuse@aitcom.net about a spam of an ebay fraud site last week. The site (at this writing) is still up. That doesn't help, but like spam in general, if everyone wouldn't fall for these they'd pretty much go away.

  13. This problem is directly caused by by Omnifarious · · Score: 2, Interesting

    This problem is directly caused by the use of insecure human-readable names, and the use of IP addresses as identifiers. Both things don't work on the Internet. You need names that can be mathematically verified to be owned by the party you're communicating with. Names should be public keys.

  14. Re:Scams happen.. by Amiga Lover · · Score: 2, Interesting

    Sad to say, but there are simply too many people out there that believe everything they read on the internet. Once the older generation passes on, I suspect this problem will go away, but until then scams like this and the old telephone ones will be a ripe place for ripoffs.

    It's not just the older ones, not all the time. Take a third year university student I know who came in all excited that he got an email from this guy in Africa who needed to transport $20million out of the country... ...his third year uni student brain started ticking over, realised it might be a trap and he should proceed warily, and announced his plan was to give his bank details to the guy so he'd get the cash in his account and then skip out on the scammer.

    Never thinking for once that there just might not BE a $20million to start with. Sucked straight in. AFAIK he just couldn't be bothered going ahead or was warned off by someone else - he still seems to be financially stable :P.

  15. Multiple Phishing websites by smharr4 · · Score: 2, Interesting

    My firewall was subjected to the now-often seen ssh attacks.. but this one was different, there were thousands of attempts.

    When I pasted the originating IP address into Firefox, a web-based interface for sending phishing emails was shown, complete with default 'paypal' text filled in.

    When I followed the link in the 'paypal' email (another IP address) I discovered that not only did the site contain a 'paypal' site, but also an 'ebay' and 'Wells Fargo' site too.

    I took a mirror of the offending pages, and I'm about to do a write-up... but I thought I'd post a quick precis of what I found, considering the relevance of the story.

  16. Re:In related news... by 1984 · · Score: 2, Interesting

    Let's hope nobody sues Google for providing a phishing-detection service which turns out to be less than 100% reliable, and thusly inappropriate to abdicate all personal responsibility to.

  17. Re:Humans... by White Roses · · Score: 4, Interesting
    Exactly.

    My parents call me if they get something like this. My sister calls me. Now, the calls have been getting fewer and fewer since I've been subtly educating them on how to recognize such things. Plus, I've always told them, even if it's me asking you for information in an e-mail, call the person who sent it first. Call Earthlink. Call your bank. Call me if it looks like it came from me. Remember that all of these people should already know the information they are supposedly requesting.

    As an aside, kudos to National City Mortgage. Someone published a phishing e-mail, and I got it. First time I looked at it, I said, yeah, phishing. When I looked at it again half an hour later, the banner, which was linked in the e-mail to NCM's website, had "DO NOT REPLY TO THIS E-MAIL! IT IS A SCAM ATEMPTING TO GAIN ACCOUNT NUMBER AND PASSWORD!" overlayed on it. Pretty slick way for NCM to get the word out to everyone who got the e-mail, and not startle people who didn't. Of course, the phishers had to be morons to do something like that.

    --
    Do not touch -Willie
  18. Phish your own users by Wanker · · Score: 2, Interesting
    I use phishing techniques to get 419 scammers to give me their email password so i can shut them down


    I wonder if anyone has thought about using a similar method to audit their own user base for inexperienced users who might fall for E-mail scams. I.e. send a message from a bogus domain registered to "CompanyX Email Audits" requesting private data. Anyone who responds gets their account suspended until properly re-verified and a followup E-mail about how to avoid phishing attacks. :)

    It might upset a few customers, but my guess is those customers might be a security liability that the company could live without...
  19. Schwab contributes to Phishing by DarrinWest · · Score: 5, Interesting

    I very recently complained to Schwab IT about their online statement delivery. It comes in an email, contains an html doc that contains a java app that directly asks for my account and password info. I wrote them a letter saying how bad an idea that was, and that it encourages less sophisticated users to trust the sender too much.

    Their response indicated they didn't even understand what I was talking about. Should I have called it "Phishing"? I doubt it would have helped. How can a customer educate these people, and why should I have to? (Maybe someone in their IT dept reads slashdot :)

    Here is my letter:

    To Director of Technology,

    I am disappointed in the security offered by the transaction statement I receive each month. I am required to save an html file, which when opened presents me with an account/pin dialog.
    - I have no way of knowing where that information is going to be sent.
    - I cannot verify the originator of *any* email. How can I be sure that *this* email is definitely from schwab.com? (one b or two?) If the email is spoofed, the contents of the html document are suspect, putting my password etc at risk.
    - Since this arrived by email, I did not initiate the connection. It is generally a bad practice to give out personal information when one did not initiate the transaction (even in a phone call).
    - The process required by your system encourages less sophisticated users to develop poor security habits, such as responding to emails (of unknowable origins) with personal information.
    - I would feel *much* more secure if I initiated an https connection to a web address that *I* know is legitimate. It is significantly less likely an https connection mechanism would be exploited than a simple email message.

    Until something changes about this process, I have no alternative but to consider these emails SPAM, and am in fact getting no benefit out of receiving them.

    And their response...

    I appreciate your concerns regarding your request of electronic statements. In regards to your concerns, PostX technology sends an "HTML envelope" that contains the encrypted payload. This "HTML envelope" opens to present the user with a prompt for the user's password. Once the password is entered the local javascript or java applet accepts the user password and decrypts the payload.

    Documents sent through the PostX platform are encrypted with highly secure, industry standard algorithms. Symmetric encryption defaults to ARC4 but AES encryption algorithm is available as well. End to end encryption between users or firms assures the highest levels of confidentiality for critical, sensitive or personal data on public networks. The password is hashed with 160 bit encryption (SHA1) with a large random number. This hash is then used along with the chosen encryption algorithm to encrypt the payload. The encryption is very secure. The most venerable part of the process is the password itself.

    If you still have further concerns regarding the security of the contents that you have chosen to have delivered via email, then you may want to elect to cancel this request. You may do so by following these simple steps: ...blah blah...

    Sincerely, ...blah...

  20. information = capital by wikinerd · · Score: 2, Interesting

    It is interesting how personal information became a form of capital in the modern age, and people want to have it.

    In the past, when we were paying with actual money in person and banks were not widespread, someone who knew our personal info could not hurt us much.

    When banks were invented and remote transfer of money became a reality, and especially after the introduction of credit cards, a person knowing your signature and personal details can destroy you.

    And now some people are trying to create a personal criminal empire by collecting information and especially personal information.

    In that sense personal info has value and people want to have it, so it's a form of capital.

    Perhaps this (the malicious collection of information) is the negative side of the transformation of the economy into a knowledge/information-driven model.

    It is sure that a solution must be found, otherwise people who have access to vast amounts of personal info and also have malicious intent, might endanger the modern economy.

    Technological solutions can help, but I think the answer should be a cultural solution and especially education. i.e. netsurfers should be trained to not give away any personal information to anyone if they don't think about it very carefully. Giving away personal info in today's Internet is very much like giving away your money.

  21. Re:Humans... by Too Much Noise · · Score: 2, Interesting

    And do you personally audit the security of every online vendor you buy from to see that they're all up-to-date with patches? what about unpatched vulnerabilities? zero-day exploits? or heck, even loaded ATMs, as the required tech gets better, smaller and harder to spot?

    Bottom-line, if it were all under your control, then you might reasonably want to assume responsibility for it. But this is not the case - and all you need is for one of the points of failure to give in. Are you willing to risk it?

  22. Identity Theft by Stiletto · · Score: 2, Interesting


    Identity theft is only a problem because we attach so much weight and importance to our individual histories. If we would stop screwing people over for life after things like bankruptcy, or when they fall ill, there wouldn't be a need to get other people's "clean" identities.

    As someone who can't even get health insurance because of some mysterious "red flag" in my past, I can see why someone could get desperate enough to try to become someone else! I can't even imagine a scenario where I couldn't open a checking account because I made a few mistakes as a young adult.

    Identity theft won't stop until this "you are your credit score" mentality goes away!

  23. Paypal SUCKS by Jesus IS the Devil · · Score: 3, Interesting

    I just got scammed out of a thousand dollars from a crook who used a stolen "verified" Paypal account to pay me. When I saw the payment to be legit I let the guy pick up the merchandize from my house.

    A few hours later the item was charged back by Paypal saying it was unauthorized.

    Have a question for you guys. What are my chances to find Paypal liable for the loss if I can't find this crook?

    Here's my take:

    One is that Paypal sees themselves as an escrow service. If such is the case they have the right to intervene and take back funds from transactions that are deemed illegitimate. However if so, then they also have an obligation to ensure that account charges are in fact legit. The only reason I accepted the payment was that it was from a "verified paypal user". Therefore Paypal is liable.

    The other argument would be that Paypal isn't an escrow service, but only a payment transfer service. If this is the case, once the money is in my account it belongs to me (like a cash exchange). They have no right to take it out of my account and put it back.

    --

    eTrade SUCKS
    1. Re:Paypal SUCKS by eBayDoug · · Score: 2, Interesting

      Don't waste your time. The last time I had a pickup paid by Paypal over $1000, I took a picture of the customer happily holding his item, next to his car with his license plate in view. If he charged back, at least I would be able to find the guy, as paypal still would do nothing for me with this type of delivery confirmation.

      --
      Learn About Outsourcing. http://www.pioutsource.com
  24. Re:Humans... by beacher · · Score: 2, Interesting

    "Increased success of scams leads to increased fees"

    Give Master Card or VISA a completed investigation with the suspect's names, a written confession, an itemized list of goods purchased with stolen credit cards, videotapes of the suspects and THEY STILL WON'T PROSECUTE. They don't give a flying fuck because they can write it off and then pass the screwing on to you the customer. My department almost re-wrote their evidence rules because they were almost categorized as "victimless crimes" (the cc company is the unwilling victim that never claimed their property) and the evidence was almost considered lost and found.

    I feel bad for anyone that has their identity stolen - happened to me and it took 3 years to straighten out, but I have *NO* sympathy whatsoever for any cc company (except AmEx, they were militant and have my respect). If they increased prosecution and put some of these people away instead of "trying to prevent" it, then they would get somewhere.

  25. Re:Humans... by Anonymous Coward · · Score: 1, Interesting

    and if you wear slutty clothes you deserve to get raped.

    If you act in a risky manner, don't complain if something bad happens to you.

    Yes, it is the rapist's fault for raping. But it's the woman's fault for walking half-naked and drunk thru the alley. Those are two different things, and one does not abrogate the other.

  26. Re:The Arrogance of the Comments is Astounding. by AK Marc · · Score: 3, Interesting

    Poor planning on the SysAdmins part -- they should have set up an 'expires really soon' guest account with sudo

    Doesn't help. I've done that. The contractor needs administrative access to the domain because the person that set up the web app was a moron and you couldn't do what you needed to without domain admin rights. So, he is on a 2 month contract. I set it to expire in 3 months. 3 months later, I get a call that the contractor can't get in. I ask when he will be done, another month. I set it to 3 months again. The next time (yes, the 2 month contractor was there over 12 months), I'm told to set it to never expire. I let them know that is a violation of security policy and I won't do it. A few minutes later, my boss orders me to do it.

    So, proper security policy was circumvented because schedules were not being met and someone was too impatient to wait a few minutes every 3 months (or warn me in advance they will be staying longer). I don't see how giving a time-unlimited password with full domain admin access to a non-employee was any fault of the sysadmin.

  27. Re:Humans... by Anonymous Coward · · Score: 1, Interesting

    Yeah, good luck explaining this to the cops when they come knocking on your door

    For what? Warning people?

    If I stand on a street corner and ask people for their passwords, and then warn those who give them to me that it's a dangerous thing to do, would I be arrested? For what?
    (before you answer, recall that surveys have been done, where candy or chocolate was given for the users' passwords)