"Phishing" Attacks to Increase
neutron_p writes "The number of people who succumb to identity thieves' "phishing" e-mails could go way up if immediate action isn't taken to preempt the next generation of attacks, according to an Indiana University School of Informatics researcher. "Phishing" e-mails appear to be sent by legitimate businesses, but are actually created and distributed by villains who are after your personal information. They describe some thieves' tricks. One kind of context-aware attack tricks eBay bidders into giving out identifying information by leading bidders to believe they've won an auction. In another kind of context-aware attack, a potential victim might receive a message from a known person -- for example, a friend or loved one - asking him or her to go to a Web site to update banking information."
But off-topic, did anyone else notice the "Further Reading" section below the article?
- The Elements of Style, Fourth Edition by Roger Angell
- The Art of Innovation : Lessons in Creativity from IDEO, America's Leading Design Firm by by Tom Peters
- Reporting Technical Information by Thomas E. Pearsall
- Optical Illusions : Lucent and the Crash of Telecom by Lisa Endlich
- National Electrical Code 2002 Handbook
The dead tree compilation of HOWTO: PHISH (except for maybe the last one). Ha!nahh I love these...
I set up a website testing app full of profanity and point it at the "webform" these losers try and scam people with and fill their database.
I let it run until it start's erroring out because it has been taken down.
This is one from a friend I only know online, so take it's truthfulness with a grain of salt. Out of a mix of curiosity and a bet/dare with a co-worker, he engineered to insert a small harmless fake phish into email, one distributed to members of staff around the organisation, which provides financial support for other government departments. It was a completely stupid one, with the email simply asking staff members to go to a site and re-confirm their credit information, and the site took down names/addresses/SS/credit card numbers etc. Out of more than a hundred employees, *ONE* person came to him as support to check what the email might be, and fifteen filled out their complete credit information.
That was around 10% of people, adults who should know better, who simply gave up their personal information to nobody they knew, just because they were asked. My friend lost his bet, he thought it would be closer to 30%, but still... send out hundreds of thousands of phish scams and you're guaranteed a good haul.
Seriously, doesn't the parent have a point here?
I mean, there will be scam artists as long as people are uninformed enough to fall for a scam. Doesn't every single site that you give sensitive information to WARN you that they will never ask you for that information?
I remember the first time I ever logged in to AOL, someone named "SS Rupert" IM-ed me telling me that my credit card number was lost in the last transmission and I needed to re-send it. This is immediately after the old AOL screen that says "We will never ask you for your password or credit card information". I laughed at his IM and asked him how many people fell for that? He told me that he just hung around the "newbie chat" or wherever it was that AOL dumped new users at the time and that he gets about 10 to 15 PER CENT of people to send him one or the other without even questioning him.
I almost completely agree that if you're dumb enough to fall for the scam, you deserve it.
Do you kick down a door, or do you try the knob first?
Also, there are various graduations of criminal, from petty thug to criminal mastermind. There are more thugs than masterminds (mostly because if there were tons of masterminds, all the cool costumes would be taken).
Read it how you will. This is, I assume, much easier than hacking into the bank. Doesn't mean that you couldn't hack into the bank.
One easy way to address this situation would be to have a plugin or feature for most e-mail clients that would prominently display the general source of the message (i.e. "China, Brazil, DSL user in Texas, etc.) as a prominent part of the normally-viewable message headers.
It is well known that most spam and phishing e-mails are coming from one of two sets of IP space: China and Korea and related "rogue IP space", and DSL-based zombie proxies. It would not be difficult to use a database or design an algorhythm which could 'flag' e-mail messages as suspicious based on the comparison between the from header information and the SMTP relay.
Users who then received messages could get a color-coded warning when they view the message, i.e.:
"WARNING: This e-mail claims to be from the domain ebay.com but it originated from a system suspected of being located in China - use caution"
Very simple, elegant and helpful solution. Which probably means it would never be adopted.
I was pleasantly surprised at a commercial I recently heard on the radio while driving. It was a public service announcement laying down the basics of phishing (they even said "spelled with a 'ph'") and what kinds of warning signs to look for. I hope to see more announcements of this type, as computers begin to affect almost 100% of the people in our society.
I use phishing techniques to get 419 scammers to give me their email password so i can shut them down. I usually direct them to a URL promising to contain a scanned image of my passport or whatever. The link usually goes to a log in screen for their particular email provider. This works great. I know they'll just get another email address, but this is a small thing I can do to disrupt them a little.
My parents call me if they get something like this. My sister calls me. Now, the calls have been getting fewer and fewer since I've been subtly educating them on how to recognize such things. Plus, I've always told them, even if it's me asking you for information in an e-mail, call the person who sent it first. Call Earthlink. Call your bank. Call me if it looks like it came from me. Remember that all of these people should already know the information they are supposedly requesting.
As an aside, kudos to National City Mortgage. Someone published a phishing e-mail, and I got it. First time I looked at it, I said, yeah, phishing. When I looked at it again half an hour later, the banner, which was linked in the e-mail to NCM's website, had "DO NOT REPLY TO THIS E-MAIL! IT IS A SCAM ATEMPTING TO GAIN ACCOUNT NUMBER AND PASSWORD!" overlayed on it. Pretty slick way for NCM to get the word out to everyone who got the e-mail, and not startle people who didn't. Of course, the phishers had to be morons to do something like that.
Do not touch -Willie
I very recently complained to Schwab IT about their online statement delivery. It comes in an email, contains an html doc that contains a java app that directly asks for my account and password info. I wrote them a letter saying how bad an idea that was, and that it encourages less sophisticated users to trust the sender too much.
:)
...blah blah...
...blah...
Their response indicated they didn't even understand what I was talking about. Should I have called it "Phishing"? I doubt it would have helped. How can a customer educate these people, and why should I have to? (Maybe someone in their IT dept reads slashdot
Here is my letter:
To Director of Technology,
I am disappointed in the security offered by the transaction statement I receive each month. I am required to save an html file, which when opened presents me with an account/pin dialog.
- I have no way of knowing where that information is going to be sent.
- I cannot verify the originator of *any* email. How can I be sure that *this* email is definitely from schwab.com? (one b or two?) If the email is spoofed, the contents of the html document are suspect, putting my password etc at risk.
- Since this arrived by email, I did not initiate the connection. It is generally a bad practice to give out personal information when one did not initiate the transaction (even in a phone call).
- The process required by your system encourages less sophisticated users to develop poor security habits, such as responding to emails (of unknowable origins) with personal information.
- I would feel *much* more secure if I initiated an https connection to a web address that *I* know is legitimate. It is significantly less likely an https connection mechanism would be exploited than a simple email message.
Until something changes about this process, I have no alternative but to consider these emails SPAM, and am in fact getting no benefit out of receiving them.
And their response...
I appreciate your concerns regarding your request of electronic statements. In regards to your concerns, PostX technology sends an "HTML envelope" that contains the encrypted payload. This "HTML envelope" opens to present the user with a prompt for the users password. Once the password is entered the local javascript or java applet accepts the user password and decrypts
the payload.
Documents sent through the PostX platform are encrypted with highly secure, industry standard algorithms. Symmetric encryption defaults to ARC4 but AES encryption algorithm is available as well. End to end encryption between users or firms assures the highest levels of confidentiality for critical, sensitive or personal data on public networks. The password is hashed with 160 bit encryption (SHA1) with a large random number. This hash is then used along with the chosen encryption algorithm to encrypt the payload. The encryption is very secure. The most venerable part of the process is the password itself.
If you still have further concerns regarding the security of the contents that you have chosen to have delivered via email, then you may want to elect to cancel this request. You may do so by following these simple steps:
Sincerely,
I just got scammed out of a thousand dollars from a crook who used a stolen "verified" Paypal account to pay me. When I saw the payment to be legit I let the guy pick up the merchandize from my house.
A few hours later the item was charged back by Paypal saying it was unauthroized.
Have a question for you guys. What are my chances to find Paypal liable for the loss if I can't find this crook?
Here's my take:
One is that Paypal sees themselves as an escrow service. If such is the case they have the right to intervene and take back funds from transactions that are deemed illegitimate. However if so, then they also have an obligation to ensure that account charges are in fact legit. The only reason I accepted the payment was that it was from a "verified paypal user". Therefore Paypal is liable.
The other argument would be that Paypal isn't an escrow service, but only a payment transfer service. If this is the case, once the money is in my account it belongs to me (like a cash exchange). They have no right to take it out of my account and put it back.
eTrade SUCKS
Poor planning on the SysAdmins part -- they should have set up an 'expires really soon' guest account with sudo
Doesn't help. I've done that. The contractor needs adminnistrative access to the doman because the person that set up the web app was a moron and you couldn't do what you needed to without domain admin rights. So, he is on a 2 month contract. I set it to expire in 3 months. 3 months later, I get a call that the contractor can't get in. I ask when he will be done, another month. I set it to 3 months again. The next time (yes, the 2 month contractor was there over 12 months), I'm told to set it to never expire. I let them know that is a violation of security policy and I won't do it. A few minutes later, my boss orders me to do it.
So, proper security policy was circumvented because schedules were not being met and someone was too impatient to wait a few minutes every 3 months (or warn me in advance they will be staying longer). I don't see how giving an time-unlimited password with full domain admin access to a non-employee was any fault of the sysadmin.
Learn to love Alaska