No-Click Phishing On The Way
An anonymous reader writes "MessageLabs has discovered a pretty nasty - though fairly crude - phishing scam which doesn't even require recipients to click on a link in order to hand over personal data.
Simply opening the email is enough to activate a script which 'lies in wait for its victim' according to one report. The script rewrites the host files of the machine and directs users to a fake web page the next time they legitimately attempt to access an online banking page. ... However, this will only affect users who have Windows Scripting Host enabled and certain ActiveX controls, according to MessageLabs."
For those who don't know what phishing is, see the definition:
[Phishing] is the luring of sensitive information, such as passwords and other personal information, from a victim by masquerading as someone trustworthy with a real need for such information.
Marge, get me your address book, 4 beers, and my conversation hat.
Just don't use ActiveX - biggest security risk ever. I sincerely hope no one here is using Outlook/Outlook Express.
Maybe they can install a different browser alongside IE for doing anything personal. If not, then they're just screwed I guess.
I doubt many people would be affected anyhow. If I understand correctly, the attacker would have to know the URL you go to for online banking and replace it in your hosts file with a different site. It seems unlikely that it would work on too many people.
You had me at "dicks fuck assholes".
attrib -r %WINDIR%\system32\drivers\etc\Hosts
C:\WINDOWS\system32\drivers\etc>attrib hosts
A R C:\WINDOWS\system32\drivers\etc\hosts
I've got it set so only administrators can unset this flag.
This means
1) I'd have to run IE as administrator
2) the script would have to change the permissions before doctoring the script
First, though, it'd have to get past my spyware and other-nasty blockers.
Hey banks: All of your users have plastic cards that you issued. Mandate two-factor authentication already and watch Phishing scams go bye bye.
You obviously have no idea how these scams work. Mostly, they trick the unsuspecting user into giving out their PIN number, and name and home address. As soon as you give out your PIN, all your "two-factor" authentication is useless.
Why?? Here is why. Your bank card is absolutely trivial to duplicate.
All a thief needs is a card from the same bank (easy to obtain by simply creating an account), and a 50 dollar stripe reader/writer. They read the card, find out the format, and where the card number is stored (your account number is not on the stripe - it is associated with the card number in the bank's mainframe - this lets them easily replace your card if it is lost or stolen.),
Since they know your name and where you live, they can then just stake you out, until you go to an ATM or restaurant or store with an improperly configured machine, that prints your whole card number on the slip, and not just the last few digits. They then wait for you to throw a slip away in a public trash can, and pick it up later. This is why you should NEVER throw away a debit slip in public - and if possible, shred it. (Or, at least do what I do - throw them in the kitchen trash with all the rotting meat and apples - the moisture, worms and bacteria will eat the slips up in no time.)
Windows Script Host (WSH) is a Windows administration tool.
WSH creates an environment for hosting scripts. That is, when a script arrives at your computer, WSH plays the part of the host -- it makes objects and services available for the script and provides a set of guidelines within which the script is executed. Among other things, Windows Script Host manages security and invokes the appropriate script engine.
WSH is language-independent for WSH-compliant scripting engines. It brings simple, powerful, and flexible scripting to the Windows platform, allowing you to run scripts from both the Windows desktop and the command prompt.
Windows Script Host is ideal for noninteractive scripting needs, such as logon scripting, administrative scripting, and machine automation.
WSH Objects and Services
Windows Script Host provides several objects for direct manipulation of script execution, as well as helper functions for other actions. Using these objects and services, you can accomplish tasks such as the following:
* Print messages to the screen
* Run basic functions such as CreateObject and GetObject
* Map network drives
* Connect to printers
* Retrieve and modify environment variables
* Modify registry keys
Where Is WSH?
Windows Script Host is built into Microsoft Windows 98, 2000, and Millennium Editions. If you are running Windows 95, you can download Windows Script Host 5.6 from the Microsoft Windows Script Technologies Web site (http://msdn.microsoft.com/scripting).
Note: You can also go to the web site listed above to upgrade your current engines. The version of WSH in Windows 98, 2000, and Millennium Editions is either version 1.0 or 2.0. You must upgrade to version 5.6 to get the new features.
However, this will only affect users who have Windows Scripting Host enabled and certain ActiveX controls, according to MessageLabs.
That's like saying, "this will only affect users who have not yet switched to Linux or MacOS."
I would say that a good 98% of installations have WSHost enabled. Those that are SP2 or up to date might have the latest MS patch that I believe sets a kill bit on the Internet Explorer side of WSHost scripting under all circumstances.
This is also not really anything new. Spy and adware companies have been manipulating hosts files now for at least a year, no doubt phishers have done exactly the same thing, this is just the first reported time of it happening.
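The hosts-file rewriting described in the summary and in the comment above is easy to check for from the defender's side. The following is an added example, not code from the story or from MessageLabs: it parses a Windows-style hosts file and flags any hostname mapped to a non-local address, plus any entry at all for a watched domain such as your bank. The sample hosts file, the bank domain and the 203.0.113.x address are all constructed.

```python
import ipaddress

# Constructed sample of a hosts file after a hijack. The bank domain is
# fictitious and 203.0.113.0/24 is a documentation-only address range.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.corp.example   # legitimate internal alias
203.0.113.45    www.example-bank.invalid online.example-bank.invalid
0.0.0.0         ads.tracker.invalid       # ad-blocker style entry, harmless
"""

# Addresses that a legitimate hosts entry normally points at.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in
                  ("127.0.0.0/8", "::1/128", "0.0.0.0/32", "10.0.0.0/8",
                   "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, ignoring comments."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for name in fields[1:]:
            yield ip, name.lower(), no

def find_hijacks(text, watched_suffixes=()):
    """Return entries that send a hostname to a non-local address. A hostname
    under one of watched_suffixes (e.g. your bank) is reported even when it
    maps to a private address: a hosts entry for it is almost never legitimate."""
    findings = []
    for ip, name, no in parse_hosts(text):
        local = any(ip in net for net in LOCAL_NETWORKS)
        watched = any(name == s or name.endswith("." + s) for s in watched_suffixes)
        if watched or not local:
            findings.append({"line": no, "ip": str(ip), "host": name,
                             "reason": "watched domain" if watched else "non-local address"})
    return findings

if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS, watched_suffixes=("example-bank.invalid",)):
        print(f)
```

On a real machine, feed it the contents of %WINDIR%\system32\drivers\etc\hosts and your own list of banking domains; anything it reports deserves a look, since the entry was put there by something other than you.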
One thing you have to keep in mind is that several so-called security experts are very bright individuals but succumb to what some call: media-whoring. This is a specific instance of a "media-whoring" by Message Labs. Let me explain my proof of this: they use ASP and IIS as opposed to something like PHP and Apache.
They are obviously not very concerned about legitimate security. There's a website that keeps track of the media fanatics: http://www.vmyths.com/
The site is run by a guy who has over a decade of solid security experience. He knows when there is something legit to worry about, and he knows when something is hype.
I suppose the best way to know is years and years of experience. If you read a lot of the security mailing lists, you'd be under the impression that the world was about to revert back to the stone age with the security threats.
But the reality is, a huge amount of idiots exist that love to overhype the security risks when it comes to viruses and worms like "I Love You" and "Sasser". Most of us know when there is going to be a big problem, but there are a huge number of others that like to spread false info.
There are others, like Mikko Hypponen of F-Secure that don't sell media hype, they sensationalize the truth. Yes, there have been instances of zombie-net owners selling their networks to spammers, but I have yet to actually see the sales, and I've been running a honeypot for well over a year now and track nearly a dozen different botnet herders.
For the most part, it looks like botnetting is still used for two things, Americans (north and south america) for File Sharing/FXPing, and Germans for DDoSing. The Russians who have been spamming have been using IE exploits and web controls, not so much IRC connections. Thus, they cannot be truly considered "botnets".
With the amount of crapware out there and the amount of guides and articles written about this subject you would think people would still be a bit more secure. Unfortunately it does not seem to be the case.
This guide explains how to keep your damn computer from being stupidly compromised:
Simple and easy ways to keep your computer safe and secure on the Internet
Also, here's a tutorial for switching from IE to Firefox:
Switching from Internet Explorer to Firefox
I'm sick of people suggesting not to use Outlook/any other rich client.
It is up to an individual to select if they want a rich experience in their emails. I, personally, would prefer plain old text mails, but that is a choice I made. A rich client like Outlook supports rich mail, but the MIME RFC clearly recommends that if the mail contains HTML, it should be an html/txt MIME attachment, with a plain text copy attached as the main message. Thus, a non-rich mail client can still display this primary message (which is supposed to be the simple text representation of the formatted rich mail, but often not followed by spammers).
If grandma wants to send Johnny a birthday greeting, trust me, in big letters with all formatting, it has more inherent value. If it has Flash content, so much the better.
Flamebait: If you want to live in the dark ages, be my guest, just don't thrust your opinion/prejudices on the rest of us. Many of us are aware of the risks and have made a conscious choice.
Just be sure your ISP keeps their installation of pine up-to-date. I've seen all too many installations of pine that haven't been updated since sometime in the 90s.
Granted, I doubt pine is a big target for phishing scams, but nonetheless...
DNA just wants to be free...
Last year I bought a new laptop. When I was setting up my apps, I decided to ditch Eudora and look for a better mail client.
I tried out Pegasus Mail, Fox Mail, Mozilla mail, the Thunderbird standalone and PocoMail. PocoMail was the only one that wasn't free, and it was the one I chose in the end.
A number of reasons led to my choice:
1 - Built in spam engine (Bayesian filtering added in 3.1) and the best auto-junkmail filter of the apps I tested, includes learning filters
2 - UI totally configurable
3 - Ease of use. Everything was intuitive; layouts, menu items being where you would think they were, etc.
4 - Internal HTML viewer: it doesn't use embedded IE and thus IE exploits go out the window
5 - Doesn't execute JavaScript or VBScript: only supports PocoScript and only then if you tell it to. NOTE: also not affected by the latest JPG vulnerability.
6 - Integrated automatically with both Panda Antivirus and later, Norton without me doing anything special.
I've used it for a little more than a year now and love it. It was worth the $40 I paid for it, and Poco has updates frequently. If you're looking for a new mail client, I would recommend taking a look at it.
More info.
R(k)
That sure makes things easy when someone sends you some pictures. Or you want to reply to an email and attach a file on your local computer, having to initiate an sftp session is lots of fun, right?
There's this cool new thing called IMAP. Look into it and get with the 90's.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
If you open HTML mail, stuff like pictures embedded in the HTML gets loaded, and that is one way spammers know that a) they've stumbled upon a valid e-mail address, and b) the user read the mail. I can imagine that with a spam run, a sudden surge in image loads from a target site might be used to calculate payments for the spammer, identify valid e-mail addresses used, use the latest browser exploit to install spy/addware, etc. etc. So in a way, just opening that HTML mail helps the spammer with his business.
Read plain text only, and if it's spam: delete, never reply (don't attempt to 'unsubscribe' either!). That way the spammer gets 0 info, or rewards for his effort. If everybody would do this, there wouldn't be any spam. The problem is only kept alive by those 0.1% STUPIDS that do click on links, and proceed to order the penis-enlargement crap.
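The two points made in this thread, that a rich mail should carry a text/plain part alongside the HTML, and that rendering the HTML part fetches remote images that tell the sender the mail was opened, can be shown together. This is an added example written for this page, not code from any poster or client mentioned here: it builds a multipart/alternative message with Python's standard email library, then shows what a plain-text-first reader does with it, listing the remote resources the HTML alternative would fetch without fetching them. The addresses and the beacon URL are constructed.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser

def build_rich_mail():
    """Construct a multipart/alternative message the way a rich client should:
    text/plain first, text/html as the alternative. The HTML carries a remote
    1x1 image, the usual way a sender learns that the mail was opened."""
    msg = EmailMessage()
    msg["From"] = "grandma@example.test"      # constructed addresses
    msg["To"] = "johnny@example.test"
    msg["Subject"] = "Happy birthday"
    msg.set_content("Happy birthday, Johnny!")
    msg.add_alternative(
        '<html><body><h1>Happy birthday, Johnny!</h1>'
        '<img src="http://beacon.example.test/open?id=johnny" width="1" height="1">'
        '</body></html>', subtype="html")
    return msg.as_bytes()

class RemoteRefs(HTMLParser):
    """Collect external resources the HTML part would load when rendered."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for key, val in attrs:
            if key in ("src", "background") and val and \
                    val.lower().startswith(("http:", "https:")):
                self.urls.append(val)

def safe_view(raw):
    """Return (body_text, remote_urls): the text/plain part when the message has
    one, and the remote resources the HTML alternative references. Nothing is
    fetched, so the sender's beacon is never triggered."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    refs = RemoteRefs()
    if html is not None:
        refs.feed(html.get_content())
    text = plain.get_content() if plain is not None else ""
    return text.strip(), refs.urls

if __name__ == "__main__":
    body, urls = safe_view(build_rich_mail())
    print("Shown to reader:", body)
    print("Would have been fetched by an HTML viewer:", urls)
```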
Outlook 2002 added it with SP1. See Q307594 for details.
In Outlook 2003 it's even easier, just check the option for it.
And in XPSP2, Outlook express now reads mail in plain text (Q883257).
It does, and you don't need to restart anything.
The thing is, if you already accessed the URL, the result of the DNS query (or hosts file lookup) is cached and it doesn't need to do the query again. Try it with a URL you never accessed before.