Slashdot Mirror
"Phishing" Attacks to Increase
neutron_p writes "The number of people who succumb to identity thieves' "phishing" e-mails could go way up if immediate action isn't taken to preempt the next generation of attacks, according to an Indiana University School of Informatics researcher. "Phishing" e-mails appear to be sent by legitimate businesses, but are actually created and distributed by villains who are after your personal information. They describe some thieves' tricks. One kind of context-aware attack tricks eBay bidders into giving out identifying information by leading bidders to believe they've won an auction. In another kind of context-aware attack, a potential victim might receive a message from a known person -- for example, a friend or loved one - asking him or her to go to a Web site to update banking information."
But off-topic, did anyone else notice the "Further Reading" section below the article?
- The Elements of Style, Fourth Edition by Roger Angell
- The Art of Innovation : Lessons in Creativity from IDEO, America's Leading Design Firm by by Tom Peters
- Reporting Technical Information by Thomas E. Pearsall
- Optical Illusions : Lucent and the Crash of Telecom by Lisa Endlich
- National Electrical Code 2002 Handbook
The dead tree compilation of HOWTO: PHISH (except for maybe the last one). Ha!wasnt there a recent article about google doing something about this here: http://it.slashdot.org/article.pl?sid=04/10/18/023 6201&tid=111&tid=217&tid=95&tid=1
as I understand it, yahoo's signing technology, which hopefully will become a standard, will help stop such attacks. Google signing on to it helps push it quite a bit
"goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
Number of Idiots On the Internet To Increase...
Was the addition of yellow highlighting for secure sites, and the domain in the status bar. It really makes picking up when you're on a secure site easier. In the past you had to really look for that little lock icon or whatever.
Phishing is just conmen moving to the internet. They use similar tricks in the real world, just on a smaller audience. Here in the DC area there are several police imposters running around, some of them tricking people into withdrawing all the money from their bank (it's counterfeit!!!) and others actually using flashing lights to pull over people on the road.
Give anyone who falls for one a Darwin award.
[ Monday is a terrible way to spend one seventh of your life. ]
Social engineering will always work, and will always be very easy, because users are stupid.
Phishing is just technology-enabled social engineering.
- Adam L. Beberg - The Cosm Project - http://www.mithral.com/
Until the majority of the people out there have the critial thinking skills to deal with this sort of thing the problems will continue. The same people who are stupid enough to give out their info to someone who e-mails them are the one buying shit from SPAM e-mails.
Humor from a Genetically Molested Mind
In related news, Google has recently updated Gmail with an automatic detection of phishing attempts / spoofed emails; suspicious emails will be displayed with a warning:
"Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information. Learn more"
Like spam detection, it's not perfect, of course, but I think it's a very good idea.
quidquid latine dictum sit altum videtur.
The author of the article is just jealous because I'm going to get millions from Nigeria, and he isn't!
For example
1.) fleetbank send out some email advertisment
2.) hackers now have a model email to modify
3.) hackers can just redirect some links and resend it to different users.
So to fix this, real companies need to STOP sending out spam.
for example, a friend or loved one - asking him or her to go to a Web site to update banking information
OK, hands up, whose mother has a habit of wanting one to provide bank account info via some web site? I can see the duplicitous falling for the fake 'from your bank' emails, but from friends and loved ones???
And some people want democracy to be MORE direct???
This is one from a friend I only know online, so take it's truthfulness with a grain of salt. Out of a mix of curiosity and a bet/dare with a co-worker, he engineered to insert a small harmless fake phish into email, one distributed to members of staff around the organisation, which provides financial support for other government departments. It was a completely stupid one, with the email simply asking staff members to go to a site and re-confirm their credit information, and the site took down names/addresses/SS/credit card numbers etc. Out of more than a hundred employees, *ONE* person came to him as support to check what the email might be, and fifteen filled out their complete credit information.
That was around 10% of people, adults who should know better, who simply gave up their personal information to nobody they knew, just because they were asked. My friend lost his bet, he thought it would be closer to 30%, but still... send out hundreds of thousands of phish scams and you're guaranteed a good haul.
How are we supposed to tell the difference between a legitimate email from a company and a phishing attempt when places like CapitalOne use skeezy companies like bfi0.com for sending email to their customers? A link that says "Click here to access your statement" that actually goes to http://capitalone.bfi0.com/T8RT044ABB6D98DEB357FB2 EDD4A80 makes me feel safe inside.
Do you kick down a door, or do you try the knob first?
Also, there are various graduations of criminal, from petty thug to criminal mastermind. There are more thugs than masterminds (mostly because if there were tons of masterminds, all the cool costumes would be taken).
Read it how you will. This is, I assume, much easier than hacking into the bank. Doesn't mean that you couldn't hack into the bank.
One easy way to address this situation would be to have a plugin or feature for most e-mail clients that would prominently display the general source of the message (i.e. "China, Brazil, DSL user in Texas, etc.) as a prominent part of the normally-viewable message headers.
It is well known that most spam and phishing e-mails are coming from one of two sets of IP space: China and Korea and related "rogue IP space", and DSL-based zombie proxies. It would not be difficult to use a database or design an algorhythm which could 'flag' e-mail messages as suspicious based on the comparison between the from header information and the SMTP relay.
Users who then received messages could get a color-coded warning when they view the message, i.e.:
"WARNING: This e-mail claims to be from the domain ebay.com but it originated from a system suspected of being located in China - use caution"
Very simple, elegant and helpful solution. Which probably means it would never be adopted.
Yeah, that's a likely scenario. Your dad or mom writing you all concerned that your bank information needs updating. Has anyone, anywhere, ever had that happen in real life? OK, never mind, I'm sure it has happened to someone, and for sure that person is reading this comment and will respond all indignantly. But you get the point. I cannot believe this approach would be accepted. This is not a typical, 'Hey, check this out' type of email from a relative. It's just a little too strange to work.
Now I have been phished, usually by Citibank-looking emails asking me to click here and update my information. The fact that I don't have a Citibank account was my first clue. The fact that I read /. and know about phishing was my second clue. The fact that I know banks don't operate that way was my third clue. But they are professionally looking emails, until you look closely and find all the typos. But pretending the email comes from Mom?? The first thing I would do is call her up and ask what's going on. And then she could say, "You called, it worked!"
Oh wait, this is a phishing expedition, not from bad guys, but from parents who want more phone calls from their children!
You can read more about efforts to combat phishing here. Lots of purty charts and plenty of specific examples.
#!
I was pleasantly surprised at a commercial I recently heard on the radio while driving. It was a public service announcement laying down the basics of phishing (they even said "spelled with a 'ph'") and what kinds of warning signs to look for. I hope to see more announcements of this type, as computers begin to affect almost 100% of the people in our society.
I use phishing techniques to get 419 scammers to give me their email password so i can shut them down. I usually direct them to a URL promising to contain a scanned image of my passport or whatever. The link usually goes to a log in screen for their particular email provider. This works great. I know they'll just get another email address, but this is a small thing I can do to disrupt them a little.
The same folks will fall for Pharting scemes.
"It has come to our attention that your Scents information may have been compromised. In order to prevent you becoming victim to an incorrect Rose scent on a virtual bouquet, or an invalid Roast Turkey smell this Christmas you should log in and sniff at our server to verify your sniffers.
Thank you!"
Ewwww!
Busy aligning my non-linear thoughts.
An interesting thing about these scams is how game theory applies to them. If they don't send out any emails, of course they don't make any money. If they send out only a thousand or so per day, they'll probably succeed one or two people, and make a decent amount of money. Additionally, they'll remain more anonymous and reduce the risk of word spreading about this scam. If EVERY scammer sends out millions of these emails, people will catch on quickly and profits will plummet. That's what they did now. Everyone jumped on the bandwagon and the scam bubble burst.
I believe that the success of these scams will decline over time. Just like with the 409 scams, there will a larger number of people who fall for it at the beginning, but then numbers will drop. Will it always be profittable for them? Most likely, yes, unless email verification becomes much more standard. Will they go away? No. Will they eventually find some new scheme that is even more clever? Without a doubt.
I dunno what my point is. Someone agree with me.
I got a phishing e-mail (should it be called 'bate'?) a week or so ago, but there were two key things that let me know it was a scam (aside from general common sense):
1) I don't have an account at the bank listed (Citibank, in this case.)
2) The e-mail itself was a giant GIF. (It did have the 'fail-to-get-around-spamblocker' words in text at the bottom, though.)
Instead of getting rid of phishing scams, we should get rid of low-common sense/stupid people on the net. Then we wouldn't have this problem. Or many others.
A leader is only a leader when he has followers.
It's "Phishing", and the general idea behind it is to send someone an email saying something like "We, Citibank, need you to update your banking information due to a database crash." They then send you to a site that LOOKS legit, and you then enter your information or even just your username / password. The phishers then have your account information, and they are free to do whatever they please with it. As has been said, it's only because uneducated grandmas and fools actually do what the emails say that the Phishers keep sending their crap. - Yolego
Americans lose $500 mln yearly to phishing.
That's large enough amount for personal scale, especially if you've lost the savings that have been put up against a new house or new car.
But on the large scale, banks won't care, the loss is $3-4 a person, you lose more per year on some dubious surcharges.
its so easy to blame the problem being stupid. but people that grew up with only the 'real world' don't really have any referance to understand this by. I mean, I'd be dumb to fall for a trick where a dumpster across the street from me claims to be my bank. but you don't have to settle for that online, copys are easy. if a building across the street from me became a perfect copy of the bank I went to, I'd be like "hey, new branch, convenient"
-You're wasting your time. Alfador only likes me.
Credit card companies, banks, paypal, and any site that deals with financial transactions that could be comprimised by phishing scams need to establish a 1-point policy for client email: never link back to the site from the email. If every company did this, and users were instructed to always type the url in the browser to access thier account, and made if clear that the company would never send an email with links to the site or account, eventually people would be able to tell the phishing from the real. I know its not a perfect solution, but the convenience of "click here to access your account" emails is what fuels the phishing scams.
OTOH, I have yet to personally get a phising scam (and I get them every day) that purported to be from a company I actually do business with, with the exception of paypal. And all my credit cards are from big, national companies.
"I forgot my mantra."
I've actually recieved one of these emails. It looked legit.
Really legit.
In fact, the only clue that it wasnt an official notice was the email came from ebay.(official sounding name).com
That and they asked for my l/p, which I know not to give over email.
Honestly, I can say that this goes beyond normal user stupidity. People are being scammed, and these are expert scams. Yeah, people need to apply more critical thinking skills to these things, but I think you are not giving the creators of these emails enough credit.
I mean, they look _really_ official.
no
Here the /. article and here is the test. I think those test were bogus though because it didn't let you see the full source email.
So far I've read multiple 'stupid user' accounts. It amazes me that so many people are so arrogant because they see this type of stuff day in and day out that they'd expect every person out there to think of people this evil to come up to them with this type of attack.
People genuinely trust folks, that's why they call it social engineering. You can walk just about anywhere with a clipboard and a pen and get access to just about anything in a standard business environment.
Working for a vendor I've had many 'seasoned sysadmins' rattle off a password to me like it was nothing. Granted I've never once used them outside the context that they were given but the fact that some of them would affect the bottom line of the company with a few simple commands would not be the best thing.
Do I call those admins stupid? no, not really. Guess that is where I differ. I don't find the BOFH and similar things funny either though.
As a rock-in-roll Physicist once said, No matter where you go, there you are.
It's not North Korea, it's South Korea. The place is full of ridiculously fat broadband connections, and the ISPs don't seem too bothered about what goes on on the networks. Since Koreans aren't any brighter than the rest of us, an awful lot of those broadband connections go to Windows machines which have been 0wnz0red since about 30 seconds after they were first switched on.
And that's before we even consider the mail servers installed in every school in the country, which are wide-open mail relays out of the box. Aaarrrggghhh!
South Korea would be paradise to be in - fat connection and nobody giving a filesystem check what you're doing with it - but the consequences for the rest of the world are becoming a nightmare.
Real Daleks don't climb stairs - they level the building.
Gmail now will mark suspicious email with a banner that says something to the effect of "This email does not appear to be from who it claims. Learn More...", with a link to information about phishing scams.
Well, if you think you are, then why not see if your prone to phishing scams, or if it's a legitimate e-mail offer! Take the Mail Phishing Test
;)
Enjoy!
Does anyone else think that the only real problem here is HTML email? It's good for nothing, wastes resources, and enables pretty much every kind of annoying spam, hidden redirect, tracking bug--it just keeps coming. Why do we have to build all these widgets to help users see that URLs aren't what they say they are, and such? Do we really want to wait for the spammers to start building javascript messages that alter the url after/when clicking, or whatever next becomes really annoying to people?
Isn't this enough of a problem yet to get the asinine companies that forced HTML down our throats (I'm looking at you AOL, MS, etc) to reconsider? Make the common clients block/ignore the HTML by default and *never* send HTML messages, instead of the current tactic of trying to trick or force users to send as HTML (maybe with an additional text version, if we're lucky), to just drown out the people asking for plain text.
Maybe I'm just bitter. It's always so difficult to watch stupid obvious mistakes blossom so thoroughly predictably. At least I can filter most all the spam by dumping HTML messages.
I very recently complained to Schwab IT about their online statement delivery. It comes in an email, contains an html doc that contains a java app that directly asks for my account and password info. I wrote them a letter saying how bad an idea that was, and that it encourages less sophisticated users to trust the sender too much.
:)
...blah blah...
...blah...
Their response indicated they didn't even understand what I was talking about. Should I have called it "Phishing"? I doubt it would have helped. How can a customer educate these people, and why should I have to? (Maybe someone in their IT dept reads slashdot
Here is my letter:
To Director of Technology,
I am disappointed in the security offered by the transaction statement I receive each month. I am required to save an html file, which when opened presents me with an account/pin dialog.
- I have no way of knowing where that information is going to be sent.
- I cannot verify the originator of *any* email. How can I be sure that *this* email is definitely from schwab.com? (one b or two?) If the email is spoofed, the contents of the html document are suspect, putting my password etc at risk.
- Since this arrived by email, I did not initiate the connection. It is generally a bad practice to give out personal information when one did not initiate the transaction (even in a phone call).
- The process required by your system encourages less sophisticated users to develop poor security habits, such as responding to emails (of unknowable origins) with personal information.
- I would feel *much* more secure if I initiated an https connection to a web address that *I* know is legitimate. It is significantly less likely an https connection mechanism would be exploited than a simple email message.
Until something changes about this process, I have no alternative but to consider these emails SPAM, and am in fact getting no benefit out of receiving them.
And their response...
I appreciate your concerns regarding your request of electronic statements. In regards to your concerns, PostX technology sends an "HTML envelope" that contains the encrypted payload. This "HTML envelope" opens to present the user with a prompt for the users password. Once the password is entered the local javascript or java applet accepts the user password and decrypts
the payload.
Documents sent through the PostX platform are encrypted with highly secure, industry standard algorithms. Symmetric encryption defaults to ARC4 but AES encryption algorithm is available as well. End to end encryption between users or firms assures the highest levels of confidentiality for critical, sensitive or personal data on public networks. The password is hashed with 160 bit encryption (SHA1) with a large random number. This hash is then used along with the chosen encryption algorithm to encrypt the payload. The encryption is very secure. The most venerable part of the process is the password itself.
If you still have further concerns regarding the security of the contents that you have chosen to have delivered via email, then you may want to elect to cancel this request. You may do so by following these simple steps:
Sincerely,
I just got scammed out of a thousand dollars from a crook who used a stolen "verified" Paypal account to pay me. When I saw the payment to be legit I let the guy pick up the merchandize from my house.
A few hours later the item was charged back by Paypal saying it was unauthroized.
Have a question for you guys. What are my chances to find Paypal liable for the loss if I can't find this crook?
Here's my take:
One is that Paypal sees themselves as an escrow service. If such is the case they have the right to intervene and take back funds from transactions that are deemed illegitimate. However if so, then they also have an obligation to ensure that account charges are in fact legit. The only reason I accepted the payment was that it was from a "verified paypal user". Therefore Paypal is liable.
The other argument would be that Paypal isn't an escrow service, but only a payment transfer service. If this is the case, once the money is in my account it belongs to me (like a cash exchange). They have no right to take it out of my account and put it back.
eTrade SUCKS
I see a lot of people blaming stupid people for this. And stupidity, naivete, etc. are definitely part of it.
But the fact is, some of the phishing emails look really good. I got one last week that was identical to a legit Citibank email, except that it went to http://citibankgroup.biz instead of https://citibank.com. Given all the weird URLs and bulk mailing companies banks use (and the fact that a lot of normal users view URLs to be voodoo), it not surprising to me at all that people fall for this stuff.
In the end, this is just a special case of spam. Verifying the sender using SPF or any of the other systems being adopted right now, will solve this problem. And disabling HTML email (among the worst design decisions ever made, IMHO), would also help a lot.
-Esme
I'm going to state the obvious because I'm bored at work.... As the "People in the Know", it is our responsibility to inform our grandmothers, friends, co-workers, etc. of all the pitfalls of the online world. For each person close to us that we can warn, that's one more person who will learn the "easy" way. The rest will have to learn the "hard" way by getting burned. Eventually everyone will learn. Unfortunately, there will always be new and more creative scams. "Fool me once - shame on you! Fool me twice - shame on me!"
...I just hope the font people have set in the status bar is legible enough to catch the trickier ones. Look at these three characters: "I" "l" "1". In some fonts they are identical (uppercase i, lowercase L and the number one).
Paypal was one of the earliest business victims of phishing scams, which were successful becasue of the unfortunate last character in the name. The scammers registered paypai.com (shown in the url as paypaI.com) and paypa1.com (number one at the end) and set up convincing, secure sites to scam people.
I applaud the Mozilla people for giving users the tools to help spot scams, but people still have to use their heads.
- I posted an item for sale
- I realized I owed eBay about $40 in back listing fees
It was just before I was going to get into bed, and I skimmed over the message as I usually do before deleting it. My usual thinking: "Sure", I thought, "I'll get back to it tomorrow and pay them." This time around, I clicked the link and got the "standard" eBay login screen. Being tired and lazy, at this point I didn't even glance at the URL. I entered my login and password for eBay, and as it was redirecting I glanced at the address bar, and in horror I saw "cgi2.eb4y.com" or something munged like that.
In a panic, I immediately changed my eBay password, and all is once again well on my happy little computing planet. That being said, had I not caught that and gone straight to bed, who knows what I would've woken up to. The moral of the story is that you really have to be on your toes. The circumstances surrounding this dodged-bullet really were a perfect setup for me: owed eBay money, just posted a new item for sale that day, fatigue...
Common sense is the key!