Slashdot Mirror


No-Click Phishing On The Way

An anonymous reader writes "MessageLabs has discovered a pretty nasty - though fairly crude - phishing scam which doesn't even require recipients to click on a link in order to hand over personal data. Simply opening the email is enough to activate a script which 'lies in wait for its victim', according to one report. The script rewrites the hosts file of the machine and directs users to a fake web page the next time they legitimately attempt to access an online banking page. ... However, this will only affect users who have Windows Scripting Host enabled and certain ActiveX controls, according to MessageLabs."
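The mechanism in the summary is simple enough to check for: the resolver consults the hosts file before DNS, so an attacker who can write to it can point any bank's hostname at an address of their choosing. The following is an added example, not code from the MessageLabs report or from any post in this thread. It parses a hosts file the way the resolver does (comments, tabs, several names per line, IPv4 and IPv6) and flags entries a phishing script would have written. The bank domains and the sample file are constructed for illustration; 192.0.2.10 and 198.51.100.7 are RFC 5737 documentation addresses.

```python
"""Added example: detect hosts-file hijacks of the kind described above.
Not from the original report or thread; domains and data are constructed."""
import ipaddress

# Constructed sample hosts file: the usual loopback lines plus injected
# entries that send bank hostnames to an attacker-controlled address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.somebank.example somebank.example   # injected
192.0.2.10\tonline.otherbank.example
198.51.100.7    mail.example
127.0.0.1       ad.tracker.example   # benign: sinkholed ad host
"""

# Hypothetical names a practitioner would watch (comment 13 below notes an
# attacker can just list the top banks; a defender can do the same).
WATCHLIST = {"www.somebank.example", "somebank.example",
             "online.otherbank.example"}

# Names that legitimately map to loopback on a default install.
LOCAL_OK = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (address, hostname) pairs as the resolver would read them:
    '#' starts a comment, fields split on any whitespace, and one address
    may be followed by several names, all of which are honoured."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; the resolver skips it too
        for name in fields[1:]:
            entries.append((addr, name.lower()))
    return entries


def lookup(text, hostname):
    """First matching address, mirroring 'hosts before DNS' resolution.
    Returns None when the name would fall through to real DNS."""
    hostname = hostname.lower()
    for addr, name in parse_hosts(text):
        if name == hostname:
            return str(addr)
    return None


def find_hijacks(text, watchlist=WATCHLIST):
    """Flag entries a phishing script would write: any watched name, or
    any non-loopback address attached to a name that is not a local alias."""
    findings = []
    for addr, name in parse_hosts(text):
        if name in watchlist:
            findings.append((name, str(addr), "watched name overridden"))
        elif not addr.is_loopback and name not in LOCAL_OK:
            findings.append((name, str(addr), "non-loopback override"))
    return findings


if __name__ == "__main__":
    for name, addr, why in find_hijacks(SAMPLE_HOSTS):
        print(f"{name:28} -> {addr:14} ({why})")
```

Loopback entries are deliberately left alone: ad-blocking hosts files legitimately map thousands of names to 127.0.0.1, and flagging them would bury the three lines that matter.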

33 of 301 comments

  1. Simple solution...don't use HTML mail by nebaz · · Score: 2, Insightful

    I've set my mail display to always be text based. It's a lot easier to detect spam that way too as most of the onscreen stuff is usually garbage, or funnily "get a real mail client".

    --
    Rhymes that keep their secrets will unfold behind the clouds. There upon the rainbow is the answer to a neverending story
  2. Re:you've been served by Anonymous Coward · · Score: 1, Insightful

    IANAL. No, it's quite different.
    Now if Amazon patented no-click shopping (we send you stuff because your profile says you like the over-stock stuff we have), then they might have a case.

  3. Predictions by Indy+Media+Watch · · Score: 4, Insightful

    this will only affect users who have Windows Scripting Host enabled and certain ActiveX controls

    Or in other words, this will probably not affect non-Windows or non-Internet Explorer users.

    Well we could see plenty of comments along those lines coming, but here's a further thought:

    Hey banks: All of your users have plastic cards that you issued. Mandate two-factor authentication already and watch Phishing scams go bye bye.

    --

    Indy Media Watch - Proctologist of the Internet

  4. Took them long enough by marktaw.com · · Score: 4, Insightful

    Overwriting your Hosts file is an obvious way to trick people, and Outlook is a prime target for this kind of hack, because it gives incoming email ridiculous amounts of control over the rest of the computer.

    Remind me to tell my mother to start using Thunderbird and Firefox and install a firewall.

  5. would it be so difficult by Anonymous Coward · · Score: 2, Insightful

    to set the file attribute on the hosts file to read only. ugh.

  6. Re:What by RAMMS+EIN · · Score: 2, Insightful

    These people don't have to do anything at all. Their company chose to use Windows, thus the company has to accept any consequences of that decision. If the company disallows users from making their Windows installation more secure, that's also the company's choice, and they have themselves to blame if it goes wrong.

    --
    Please correct me if I got my facts wrong.
  7. Use a browser for mail: Get what you deserve by billsf · · Score: 2, Insightful

    The only apparently safe way to use mail is in a Unix shell. I've got my doubts about webmail too. It's a bit too slow compared to on-line mailing, but it may contain other unwanted elements, depending on the mailer. I've never had a real problem with any worm using mutt, the Unix mailer.

    Very recently some joker in France sent me a worm that prevented me from reporting the abuse. The solution was simple: delete the worm, restart mutt and mail it to abuse@wanadoo.fr. (Personal note: Wanadoo sounds like wannabe; they are little known among 'my crowd' and somewhat of a worry. This is not intended as a put-down to the French!) So the moral here is simply: if you use Unix, call it *BSD or Linux, you may not be 100% safe, but certainly safer than using Outlook, which should be called "Lookout".

    Zero-click exploits seem hardly new to me. Aren't most exploits, at least in the past, done without the victim being immediately aware? This is from the computer-literate camp.

  8. Re:*pats his Mac on the head* by djdavetrouble · · Score: 1, Insightful

    I'm a Mac user and administrator, but every time someone posts a new Win vulnerability/exploit do you all really have to post the smarmy 'glad I am a Mac user' post? It's just like some punk kid saying 'I told you so', rude and inciteful. I don't even know you, but I want to punch you in the face already.
    (sorry, i have the post election annoyed by everything syndrome)

    --
    music lover since 1969
  9. Re:Law enforcement? by stinkyfingers · · Score: 2, Insightful

    I find it hard to believe that our gov't is willing to spend $200 Billion to bomb the living fuck out of a country for no good reason, but can't get their shit together enough to start arresting people for the avalanche of fraud online.

    What's so hard to believe? When they spend $200 billion to bomb the living fuck out of a country, they have a reason. It's called cronyism. Halliburton, oil infrastructure companies, and military contractors get a big-ass portion of that $200 billion.

    When Halliburton can figure out a way to make an assload of money off of eradicating online fraud, this government will get serious about stamping it out.

  10. Re: Mozilla Thunderbird! by Frizzle+Fry · · Score: 4, Insightful
    I sincerely hope no one here is using Outlook/Outlook Express.

    Did you read the article? It says "the most recent versions of Outlook, where such features are switched off as standard, will be protected." This has been the same with many recent exploits. They only affect old versions of MS software, but it immediately gets spun here to say that no one should be using the current, safe versions. It's similar to the recent status bar spoofing issue posted here which affected Firefox RC1 and Opera and pre-SP2 IE, but not SP2 IE, and was of course discussed as being a "hole in IE".
    --
    I'd rather be lucky than good.
  11. To Virus and Trojan writers by BigGar' · · Score: 2, Insightful

    If you want to gather a bunch of personal data and cover your butt at the same time start an ad company and release your virus, er demographics data gathering software and just claim it's business.

    --
    Shop smart, Shop S-Mart.
  12. Re: Mozilla Thunderbird! by michael186 · · Score: 2, Insightful

    IMHO, it shouldn't even have the "feature". You don't need ActiveX in emails.

  13. Re:What by hoggoth · · Score: 4, Insightful

    > the attacker would have to know the URL you go to for online banking and replace it in your hosts file with a different site. It seems unlikely that it would work on too many people

    Yeah, because it would be too hard to fill a hosts file with the URLs for Citibank, Chase, BankAmerica, and the rest of the top 10 or top 100 banks. Nobody could do that.

    --
    - For the complete works of Shakespeare: cat /dev/random (may take some time)
  14. Re: Mozilla Thunderbird! by SoTuA · · Score: 2, Insightful
    I sincerely hope no one here is using Outlook/Outlook Express.

    Some of us don't have the choice (at work).

    At least I can install firefox, but mail clients that aren't OE are a big no-no.

  15. Re:What by Lord+Kano · · Score: 5, Insightful

    Yes. Don't do your personal banking at work.

    If the company's information gets phished because of inept IT staff, that's not your problem.

    Unless of course, you ARE the IT staff.

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
  16. Yes, it would. by Ungrounded+Lightning · · Score: 4, Insightful

    would it be so difficult ... to set the file attribute on the hosts file to read only.

    a) Why should Joe Newbie Windowsbuyer be expected to KNOW that he needs to change the permissions on the host file from the install defaults?

    b) If he can do it, he can UNdo it, and so can the bad guy's script.

    c) How many OTHER holes would he have to fix? Thousands? Tens of thousands? (Remember, he only has to miss ONE.)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way.
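Point (b) in the comment above is worth seeing rather than arguing about. The following is an added example, not from the thread, using a temporary file in place of the real hosts file: the defender clears the write bit (on Windows, os.chmod maps this to the read-only attribute), a write is refused, and then a script running as the same user simply puts the bit back and writes the injected line. The only thing that stops that second step is the file being owned by a more privileged principal than the one running the mail client, which is the point comment 31 later makes about non-admin accounts. The bank hostname and address are constructed.

```python
"""Added example: a read-only attribute set by the user is undone by any
script running as that same user.  Not code from the original thread."""
import os
import stat
import tempfile

INJECTED = "192.0.2.10 www.somebank.example\n"  # constructed hijack line


def try_write(path, data):
    """Append to the file; return True on success, False if refused."""
    try:
        with open(path, "a") as fh:
            fh.write(data)
        return True
    except PermissionError:
        return False


def running_as_root():
    """POSIX root ignores mode bits entirely, so the 'blocked' step below is
    only meaningful for an unprivileged user (on Windows geteuid is absent)."""
    return getattr(os, "geteuid", lambda: 1)() == 0


def demonstrate_readonly_bypass():
    """Returns (blocked_while_readonly, hijacked_after_undo)."""
    with tempfile.TemporaryDirectory() as tmp:
        hosts = os.path.join(tmp, "hosts")
        with open(hosts, "w") as fh:
            fh.write("127.0.0.1 localhost\n")

        # Defender: set the file read-only (comment 5's suggestion).
        os.chmod(hosts, stat.S_IREAD)
        blocked = not try_write(hosts, INJECTED)

        # Attacker's script, same user, same privileges: undo and write.
        os.chmod(hosts, stat.S_IREAD | stat.S_IWRITE)
        written = try_write(hosts, INJECTED)

        with open(hosts) as fh:
            hijacked = written and "www.somebank.example" in fh.read()
        return blocked, hijacked


if __name__ == "__main__":
    blocked, hijacked = demonstrate_readonly_bypass()
    print(f"write refused while read-only: {blocked}")
    print(f"hijack line present after undo: {hijacked}")
```

The read-only bit is a courtesy against accidents, not a security boundary; a boundary has to be enforced against the principal the attacker's code runs as, not set by it.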
  17. Re:Law enforcement? by Slime-dogg · · Score: 2, Insightful

    Yeah, especially when those fraudulent jerks are outside of the US.

    Wait a second...

    --
    You need to restart your computer. Hold down the Power button for several seconds or press the Restart button.
  18. Re: Mozilla Thunderbird! by rearl · · Score: 2, Insightful

    But you get it because IE is used as the rendering engine, thereby ensuring that any security problems in one application are shared amongst as many others as possible.

  19. Re: Mozilla Thunderbird! by Spoing · · Score: 2, Insightful
    Did you read the article? It says "the most recent versions of Outlook, where such features are switched off as standard, will be protected." This has been the same with many recent exploits. They only affect old versions of MS software, but it immediately gets spun here to say that no one should be using the current, safe versions. It's similar to the recent status bar spoofing issue posted here which affected Firefox RC1 and Opera and pre-SP2 IE, but not SP2 IE, and was of course discussed as being a "hole in IE".

    Why are WSH and ActiveX even options for Outlook? Bad ideas, poorly implemented, and not secure.

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  20. How effective is changing the HOSTS file... by nz_mincemeat · · Score: 2, Insightful

    ...if you're required to go through an HTTP proxy anyway? (Like most corporate environments)

    Maybe the next generation of home ADSL routers would have one in their firmware and tout it as a "security feature"?

  21. Re:What by CatLord42 · · Score: 3, Insightful

    Right, and if you work at one of these companies and your information gets phished, they'll take care of it for you...

    --
    Meow. Now!
  22. Re:What by Deviate_X · · Score: 2, Insightful

    It should be noted that Windows Scripting Host and "certain ActiveX controls" have to be downloaded and installed manually and configured by the administrator, and are not installed and configured by default.

    That's why this is classified as extremely low risk. It is simply a demonstration (concept) of a method of spoofing a website by modifying the hosts file.

  23. Microsoft: PLEASE back out of this design... by argent · · Score: 2, Insightful

    However, this will only affect users who have Windows Scripting Host enabled and certain ActiveX controls, according to MessageLabs.

    If only Microsoft would back out of this insistence on making the browser a completely general web applications framework with the ability to provide full access to local resources.

    Microsoft: split the HTML rendering engine out of the web client components, and get rid of the "security zones" hacks. You've been trying to come up with a design that lets you do this safely for over seven years now, and never succeeded in holding off attackers for more than a few weeks at the most... it's time to admit that even all the brilliant people at Microsoft (and you have some bloody amazing blokes over there) won't be able to make it work. Please consider that you may have been mistaken.

  24. Why is this considered phishing? by jesser · · Score: 2, Insightful

    Why is this attack lumped together with phishing attacks? It sounds to me like this attack involves a hole that lets the attacker run arbitrary code with the user's permissions, which could just as easily be used to install a keylogger.

    --
    The shareholder is always right.
  25. More information please by LesPaul75 · · Score: 4, Insightful

    The last line of defense for a lot of people was checking the actual URL of a link and seeing that it wasn't really "ebay.com" or "citibank.com," and it sounds like this flaw provides a way to defeat even that test. So this is pretty serious, it would seem, which is why it's surprising that the article is so sparse on details. Wouldn't it be good to know:

    1) What e-mail applications are vulnerable (can I get this through web-based mail)?
    2) What can be disabled to prevent this? Scripting? Active-X?
    3) Is a patch on the way?

    That article is pretty crummy.

  26. Re:What by Heem · · Score: 2, Insightful

    Policy also probably says that you can't use your work computer for anything but work, and unless you happen to be the finance person checking the company account, you shouldn't be doing your banking at work. Sure, everyone does it, but in a contract/liability sense you weren't supposed to.

    --
    Don't Tread on Me
  27. Re:Law enforcement? by swb · · Score: 2, Insightful

    Terrorism or not, why doesn't the government track all kinds of online fraud generally?

  28. Re: Mozilla Thunderbird! by Fulcrum+of+Evil · · Score: 3, Insightful

    Other people may have different needs or use software in a different environment from you and this moralizing attitude that you can decide for everyone what their software should be able to do is frightening.

    Name one. If you're passing activeX around in email, it could probably be done better some actual way. In the meantime, we all have to deal with the results of malicious activeX email.

    Incidentally, my moralizing attitude is that you shouldn't be dumping benzene upstream of me. Is that also not for me to decide?

    --
    "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  29. Re:What about the certificate? by Student_Tech · · Score: 3, Insightful

    Except HTTPS uses the name and not the IP, so if they got a cert that said they were www.somebank.com and the signer was a legitimate signer (or they convinced the user that they needed to accept that it was legit) it wouldn't set off the alarms.

    Plus I'll agree that I doubt many people check that the lock (or key or whatever) says it is encrypted. Part of the reason I have my browser set to tell me every time I enter (or leave) an encrypted site.
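The comment above describes the one check a hosts-file hijack cannot defeat on its own: the browser validates the certificate against the hostname the user typed, and the address the socket actually went to plays no part. The following is an added example, not from the thread, of that name check (RFC 6125-style matching, with the wildcard rules that browsers apply) and of the three outcomes the comment lists: an attacker's own certificate fails, a self-signed certificate for the bank's name fails unless the user clicks through, and a certificate for the bank's name from a trusted issuer passes. Certificates are modelled as a dict of subjectAltName dNSName strings plus a trust flag; all names and addresses are constructed.

```python
"""Added example: server-identity check a TLS client performs.  Not code
from the original thread; certificate data is constructed."""


def hostname_matches(san_names, hostname):
    """RFC 6125-style matching: case-insensitive, label count must agree,
    '*' is permitted only as the entire leftmost label and must be followed
    by at least two more labels (so '*.com' matches nothing)."""
    host_labels = hostname.rstrip(".").lower().split(".")
    for san in san_names:
        pat_labels = san.rstrip(".").lower().split(".")
        if len(pat_labels) != len(host_labels):
            continue
        if any("*" in label for label in pat_labels):
            if (pat_labels[0] != "*" or len(pat_labels) < 3
                    or any("*" in label for label in pat_labels[1:])):
                continue  # partial or non-leftmost wildcard: rejected
        if all(p == "*" or p == h for p, h in zip(pat_labels, host_labels)):
            return True
    return False


def verify_server_identity(requested_host, resolved_ip, cert):
    """What the browser checks after the TCP connection is up.  The hosts
    file chose `resolved_ip`, but the certificate is judged against
    `requested_host`; the IP is reported only to make that visible.
    `cert` is {'san': [dNSName, ...], 'issuer_trusted': bool}."""
    if not cert.get("issuer_trusted"):
        return False, "issuer not trusted (user would have to click through)"
    if not hostname_matches(cert.get("san", []), requested_host):
        return False, (f"certificate does not name {requested_host}; "
                       f"socket went to {resolved_ip}")
    return True, "name matches and chain is trusted"


if __name__ == "__main__":
    bank, hijacked_ip = "www.somebank.example", "192.0.2.10"
    scenarios = {
        "attacker's own cert":      {"san": ["phish.example"], "issuer_trusted": True},
        "self-signed for the bank": {"san": [bank], "issuer_trusted": False},
        "mis-issued trusted cert":  {"san": [bank], "issuer_trusted": True},
        "bank wildcard cert":       {"san": ["*.somebank.example"], "issuer_trusted": True},
    }
    for label, cert in scenarios.items():
        ok, why = verify_server_identity(bank, hijacked_ip, cert)
        print(f"{label:26} {'PASS' if ok else 'FAIL'}: {why}")
```

The fourth scenario is why the "socket went to" detail matters to a responder: a clean padlock after a hosts hijack means the attacker holds a certificate a trusted CA issued for the bank's name, which is a far bigger incident than the phishing mail.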

  30. Re:What by Lord+Ender · · Score: 2, Insightful

    Informative? Read the writeup. It doesn't matter which browser you use. Opening email overwrites your hosts file (for you nooobz: your hosts file is like a local DNS server). Any browser that tries to go to your bank (by domain name) will go to their fake site instead.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  31. This should not be a problem by bigberk · · Score: 2, Insightful

    Because your Windows account has non-admin privileges, of course. A low-privilege user can't overwrite the hosts file, or screw around with the HKLM registry. And personally, my own mail client doesn't even try to support HTML or script-like thingies. Too difficult, too weird, unnecessary, dangerous.

  32. "Cool new thing called IMAP" by hackerb9 · · Score: 3, Insightful
    There's this cool new thing called IMAP. Look into it and get with the 90's.


    Uh, that's amusing, but wrong. Pine was the first mail program to use IMAP. Both Pine and IMAP were created at the University of Washington.
  33. Re:Pegasus Mail! by tigersha · · Score: 2, Insightful

    Actually that is bullshit. There is a good reason things like boldface and italics and different font sizes and proportional letters evolved in print media many, many years before email came along. It improves readability. Dramatically.

    I seriously wish you snotty i-love-unix-terminal types who tell everyone in the world that monospace ASCII is good enough for everyone would read a good book about type design. Try Robert Bringhurst's Elements of Typographic Style.

    No, ASCII is not good enough. People like you make other people whine about the fact that computers are difficult to use. Remember, these things do not exist for the amusement of techies. They exist so that normal people can increase their efficiency.

    --
    The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism