Slashdot Mirror


No-Click Phishing On The Way

An anonymous reader writes "MessageLabs has discovered a pretty nasty - though fairly crude - phishing scam which doesn't even require recipients to click on a link in order to hand over personal data. Simply opening the email is enough to activate a script which 'lies in wait for its victim' according to one report. The script rewrites the host files of the machine and directs users to a fake web page the next time they legitimately attempt to access an online banking page. ... However, this will only affect users who have Windows Scripting Host enabled and certain ActiveX controls, according to MessageLabs."

72 of 301 comments

  1. Pegasus Mail! by rearl · · Score: 2, Funny

    ...doesn't execute HTML or scripts. Use it, be safe!

    1. Re:Pegasus Mail! by coolsva · · Score: 3, Informative

      I'm sick of people suggesting not to use outlook/any other rich client.
      It is up to an individual to select if they want a rich experience in their emails. I personally would prefer plain old text mails, but that is a choice I made. A rich client like outlook supports rich mail, but the MIME RFC clearly recommends that if the mail contains HTML, it should be a html/txt MIME attachment, with a plain text copy attached as the main message. Thus, a non-rich mail client can still display this primary message (which is supposed to be the simple text representation of the formatted rich mail, but often not followed by spammers).
      If grandma wants to send Johnny a birthday greeting, trust me, in big letters with all formatting, it has more inherent value. If it has Flash content, so much the better.

      Flamebait: If you want to live in the dark ages, be my guest, just don't thrust your opinion/prejudices on the rest of us. Many of us are aware of the risks and have a conscious choice.

    2. Re:Pegasus Mail! by tigersha · · Score: 2, Insightful

      Actually that is bullshit. There is a good reason things like boldface and italics and different font sizes and proportional letters evolved in print media many, many years before email came along. It improves readability. Dramatically.

      I seriously wish you snotty i-love-unix-terminal types who tell everyone in the world that monospace ASCII is good enough for everyone would read a good book about type design. Try Robert Bringhurst's Elements of Typographic Style.

      No, ASCII is not good enough. People like you make other people whine about the fact that computers are difficult to use. Remember, these things do not exist for the amusement of techies. They exist so that normal people can increase their efficiency.

      --
      The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
  2. What by Pingular · · Score: 5, Interesting

    are people that are, for example, at work, and can't turn off Windows Scripting Host and certain ActiveX controls? Not open emails? Surely there should be a solution to this.

    --

    When anger rises, think of the consequences.
    Confucius (551 BC - 479 BC)
    1. Re:What by RAMMS+EIN · · Score: 2, Insightful

      These people don't have to do anything at all. Their company chose to use Windows, thus the company has to accept any consequences of that decision. If the company disallows users from making their Windows installation more secure, that's also the company's choice, and they have themselves to blame if it goes wrong.

      --
      Please correct me if I got my facts wrong.
    2. Re:What by hoggoth · · Score: 4, Insightful

      > the attacker would have to know the URL you go to for online banking and replace it in your hosts file with a different site. It seems unlikely that it would work on too many people

      Yeah, because it would be too hard to fill a hosts file with the URLs for Citibank, Chase, BankAmerica, and the rest of the top 10 or top 100 banks. Nobody could do that.

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
    3. Re:What by Lord+Kano · · Score: 5, Insightful

      Yes. Don't do your personal banking at work.

      If the company's information gets phished because of inept IT staff, that's not your problem.

      Unless of course, you ARE the IT staff.

      LK

      --
      "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    4. Re:What by CatLord42 · · Score: 3, Insightful

      Right, and if you work at one of these companies and your information gets phished, they'll take care of it for you...

      --
      Meow. Now!
    5. Re:What by Deviate_X · · Score: 2, Insightful

      It should be noted that Windows Scripting Host and "Certain ActiveX controls" have to be downloaded and installed manually and configured by the administrator, and are not installed and configured by default.

      That's why this is classified as extremely low risk. It is simply a demonstration (concept) of a method of spoofing a website by modifying the host files.

    6. Re:What by Heem · · Score: 2, Insightful

      Policy also probably says that you can't use your work computer for anything but work, and unless you happen to be the finance person checking the company account, you shouldn't be doing your banking at work, sure everyone does it, but in a contract/liability sense - you weren't supposed to.

      --
      Don't Tread on Me
    7. Re:What by Lord+Ender · · Score: 2, Insightful

      Informative? Read the writeup. It doesn't matter which browser you use. Opening email overwrites your hosts file (for you nooobz: your hosts file is like a local DNS server). Any browser that tries to go to your bank (by domain name) will go to their fake site instead.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    8. Re:What by pcardoso · · Score: 2, Informative

      it does, and you don't need to restart anything.

      the thing is, if you already accessed the url, the result for the dns query (or hosts file) is cached and it doesn't need to do the query again.. try it with a url you never accessed before.

  3. you've been served by bathmann · · Score: 5, Funny

    No-click phishing? That's infringing on Amazon's one-click patent!

  4. So that's the reason by Anonymous Coward · · Score: 5, Funny

    The virus apparently also redirects visitors of AOL Support Forums to Ask Slashdot, which explains the recent postings.

  5. definition by Coneasfast · · Score: 4, Informative

    for those who don't know what phishing is, see the definition

    [Phishing] is the luring of sensitive information, such as passwords and other personal information, from a victim by masquerading as someone trustworthy with a real need for such information.

    --
    Marge, get me your address book, 4 beers, and my conversation hat.
    1. Re:definition by Anonymous Coward · · Score: 3, Funny

      > for those who don't know what phishing is

      Slashdot - news for n00bs, stuff that confuses

  6. same thing works on linux by Anonymous Coward · · Score: 5, Funny

    but you have to manually make the suggested changes to your /etc/hosts file after getting root access and using your editor of choice.

    not quite "no-click", but linux does support this feature.

    [/humor]

  7. that's why by Anonymous Coward · · Score: 2, Funny

    that's why I never keep any personal info on a computer. in fact I have outlook filled with entirely made up crap. names like 'hootie McBoob' and such

  8. Simple solution...don't use HTML mail by nebaz · · Score: 2, Insightful

    I've set my mail display to always be text based. It's a lot easier to detect spam that way too as most of the onscreen stuff is usually garbage, or funnily "get a real mail client".

    --
    Rhymes that keep their secrets will unfold behind the clouds.There upon the rainbow is the answer to a neverending story
    1. Re:Simple solution...don't use HTML mail by Neil+Watson · · Score: 4, Interesting

      Very true. Just recently I discovered that a business partner (telecom industry) has begun rejecting HTML email. I wonder if that policy will survive?

    2. Re: Simple solution...don't use HTML mail by Alwin+Henseler · · Score: 2, Informative
      Yes, and there's another very good reason to read e-mail as plain text, not HTML:

      If you open HTML mail, stuff like pictures embedded in the HTML gets loaded, and that is one way spammers know that a) they've stumbled upon a valid e-mail address, and b) the user read the mail. I can imagine that with a spam run, a sudden surge in image loads from a target site might be used to calculate payments for the spammer, identify valid e-mail addresses used, use the latest browser exploit to install spy/adware, etc. etc. So in a way, just opening that HTML mail helps the spammer with his business.

      Read plain text only, and if it's spam: delete, never reply (don't attempt to 'unsubscribe' either!). That way the spammer gets 0 info, or rewards for his effort. If everybody would do this, there wouldn't be any spam. The problem is only kept alive by those 0.1% STUPIDS that do click on links, and proceed to order the penis-enlargement crap.

  9. God bless Microsoft by Anonymous Coward · · Score: 5, Funny

    For making products so easy to use that even someone you don't know can use them for you.

  10. And here I was going to switch to Windows... by RealAlaskan · · Score: 5, Funny
    > However, this will only affect users who have Windows Scripting Host enabled and certain ActiveX controls, according to MessageLabs.

    Well, I was going to switch over from Linux to Windows, because I heard Bill Gates said that ``security is our top priority'', but now I think he must have been misquoted. Maybe I'll stick with Linux just a little longer, until Windows gets those last few little bugs ironed out.

    1. Re:And here I was going to switch to Windows... by ConceptJunkie · · Score: 5, Funny

      > I heard Bill Gates said that ``security is our top priority'', but now I think he must have been misquoted.

      No, the quote is correct, it's just taken out of context:

      "[Our financial] security is our top priority".

      --
      You are in a maze of twisty little passages, all alike.
  11. Makes me glad I use pine by Colonel+Panic · · Score: 4, Interesting

    I ssh into my ISP and use pine to read email. Been doing it this way for over 10 years. Some people find this a bit quaint, but I don't have to worry about any worm/virus/phishing issues.

    1. Re:Makes me glad I use pine by slash-tard · · Score: 4, Funny

      I just use pop3 and smtp commands inside a telnet window (ex: telnet mailserver 25 or 110). I consider this the safest. I don't know what pine is doing behind the scenes.

    2. Re:Makes me glad I use pine by Lord+Ender · · Score: 2, Informative

      That sure makes things easy when someone sends you some pictures. Or you want to reply to an email and attach a file on your local computer, having to initiate an sftp session is lots of fun, right?

      There's this cool new thing called IMAP. Look into it and get with the 90's.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  12. Re: Mozilla Thunderbird! by michael186 · · Score: 2, Informative

    Just don't use ActiveX - biggest security risk ever. I sincerely hope no one here is using Outlook/Outlook Express.

  13. Predictions by Indy+Media+Watch · · Score: 4, Insightful

    > this will only affect users who have Windows Scripting Host enabled and certain ActiveX controls

    Or in other words, this will probably not affect non-Windows or non-Internet Explorer users.

    Well we could see plenty of comments along those lines coming, but here's a further thought:

    Hey banks: All of your users have plastic cards that you issued. Mandate two-factor authentication already and watch Phishing scams go bye bye.

    --

    Indy Media Watch-Proctologist of the Internet

  14. Re:Law enforcement? by aurb · · Score: 2, Funny

    Are you saying they should start arresting Microsoft programmers?

  15. Took them long enough by marktaw.com · · Score: 4, Insightful

    Overwriting your Hosts file is an obvious way to trick people, and Outlook is a prime target for this kind of hack, because it gives incoming email ridiculous amounts of control over the rest of the computer.

    Remind me to tell my mother to start using Thunderbird and Firefox and install a firewall.

    1. Re:Took them long enough by mfifer · · Score: 2, Funny

      > Remind me to tell my mother to start using Thunderbird and Firefox and install a firewall.

      Sure. What was her email and IP address?

      ;-)

    2. Re:Took them long enough by Odin's+Raven · · Score: 2, Funny
      > Remind me to tell my mother to start using Thunderbird and Firefox and install a firewall.

      Sure, no problem. But could you ask her to hold off on the upgrades until after I've finished sending out this last batch of bulk mail that I've got queued up on her box? Quid pro quo and all that. Thanks.

      --
      A marriage is always made up of two people who are prepared to swear that only the other one snores.
  16. News Flash! by RAMMS+EIN · · Score: 3, Funny

    ActiveX is insecure!
    WSH is insecure!
    Windows is insecure!
    HTML mail can be used to exploit security flaws in user agents!

    Film at 11!

    --
    Please correct me if I got my facts wrong.
  17. Innovation by pete-classic · · Score: 5, Funny

    Will the innovation never end?

    -Peter

  18. would it be so difficult by Anonymous Coward · · Score: 2, Insightful

    to set the file attribute on the hosts file to read only. ugh.

  19. Well... by northcat · · Score: 3, Interesting

    This is what happens when applications try to do more than what they are supposed to do. An email client is just supposed to read and send messages. All "dynamicness" and interactivity must be left to the appropriate programs. And this is exactly where *NIXes excel. You can't do a scripting exploit in 'mail' - Why? Because you can't do scripting. Let the current do-everything software industry led by Microsoft be a lesson to all programmers. Let's keep our programs simple. Let's continue the UNIX philosophy of one program for one task.

    1. Re:Well... by merphle · · Score: 4, Funny
      > Let's keep our programs simple. Let's continue the UNIX philosophy of one program for one task.

      *coughemacscough*
  20. Re:Hosts file should be Read Only by Anonymous Coward · · Score: 4, Informative

    attrib -r %WINDIR%\system32\drivers\etc\Hosts

  21. Doesn't work on my XP box by Anonymous Coward · · Score: 3, Informative

    C:\WINDOWS\system32\drivers\etc>attrib hosts
    A R C:\WINDOWS\system32\drivers\etc\hosts

    I've got it set so only administrators can unset this flag.

    This means
    1) I'd have to run IE as administrator
    2) the script would have to change the permissions before doctoring the script

    First though it'd have to get past my spyware- and other-nasty- blockers

  22. Use a browser for mail: Get what you deserve by billsf · · Score: 2, Insightful

    The only apparently safe way to use mail is in a Unix shell. I've got my doubts about webmail too. It's a bit too slow compared to on-line mailing, but it may contain other unwanted elements, depending on the mailer. I've never had a real problem with any worm using mutt, the Unix mailer.

    Very recently some joker in France sent me a worm that prevented me from reporting the abuse. The solution was simple: Delete the worm, restart mutt and mail it to abuse@wanadoo.fr. (Personal note: Wanadoo sounds like wanabee, they are little known among 'my crowd' and somewhat of a worry. This is not intended as a put-down to the French!) So the moral here is simply if you use Unix, call it *BSD or Linux, you may not be 100% safe, but certainly safer than using Outlook which should be called "Lookout".

    Zero click exploits seem hardly new to me. Aren't most exploits, at least in the past, done without the victim being immediately aware? This is from the computer-literate camp.

  23. Re:Law enforcement? by stinkyfingers · · Score: 2, Insightful

    > I find it hard to believe that our gov't is willing to spend $200 Billion to bomb the living fuck out of a country for no good reason, but can't get their shit together enough to start arresting people for the avalanche of fraud online.

    What's so hard to believe? When they spend $200 billion to bomb the living fuck out of a country, they have a reason. It's called cronyism. Halliburton, oil infrastructure companies, and military contractors get a big-ass portion of that $200 billion.

    When Halliburton can figure out a way to make an assload of money off of eradicating online fraud, this government will get serious about stamping it out.

  24. Two factor is an illusion for these users by brunes69 · · Score: 2, Informative

    > Hey banks: All of your users have plastic cards that you issued. Mandate two-factor authentication already and watch Phishing scams go bye bye.

    You obviously have no idea how these scams work. Mostly, they trick the unsuspecting user into giving out their PIN number, and name and home address. As soon as you give out your PIN, all your "two-factor" authentication is useless.

    Why?? Here is why. Your bank card is absolutely trivial to duplicate.

    All a thief needs is a card from the same bank (easy to obtain by simply creating an account), and a 50 dollar stripe reader/writer. They read the card, find out the format, and where the card number is stored (your account number is not on the stripe - it is associated with the card number in the bank's mainframe - this lets them easily replace your card if it is lost or stolen.),

    Since they know your name and where you live, they can then just stake you out, until you go to an atm or restaurant or store with an improperly configured machine, that prints your whole card number on the slip, and not just the last few digits. They then wait for you to throw a slip away in a public trash can, and pick it up later. This is why you should NEVER throw away a debit slip in public - and if possible, shred it. (Or, at least do what I do - throw them in the kitchen trash with all the rotting meat and apples - the moisture, worms and bacteria will eat the slips up in no time.)

    1. Re:Two factor is an illusion for these users by Scutter · · Score: 3, Informative

      > until you go to an atm or restaurant or store with an improperly configured machine, that prints your whole card number on the slip, and not just the last few digits.

      Hey, guess what? Some machines print out the first eight and some print out the last four. I was cleaning a bunch of ATM receipts out of my car a few weeks ago and discovered that by combining several receipts, my entire account number and name was completely recoverable. Shred those puppies!

      --

      "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
    2. Re:Two factor is an illusion for these users by LiquidCoooled · · Score: 2, Interesting

      To get onto my internet banking, I have a custom (selected by myself) security code, this is separate and distinct from my PIN number (it's also longer).

      When I log into my bank, I give my Account number, some other personal info, and then a randomly chosen selection of numbers from my security code (something like tell us the first, third, and seventh digits).

      I can only set up this number by speaking directly to the bank, and since it's never asked for in full, I would need to be fooled multiple times before anybody could access my account.

      My bank (HSBC in England) are very security conscious, and responded extremely rapidly to a security concern I had when setting up my banking (I mentioned a possible security loophole to the assistant who passed it back to the head office who took me seriously and followed it through to resolution).

      --
      liqbase :: faster than paper
  25. Re: Mozilla Thunderbird! by Frizzle+Fry · · Score: 4, Insightful
    > I sincerely hope no one here is using Outlook/Outlook Express.

    Did you read the article? It says " the most recent versions of Outlook, where such features are switched off as standard, will be protected." This has been the same with many recent exploits. They only affect old versions of ms software, but it immediately gets spun here to say that no one should be using the current, safe versions. It's similar to the recent status bar spoofing issue posted here which affected firefox rc1 and opera and pre-sp2 IE, but not sp2 IE, and was of course discussed as being a "hole in IE".
    --
    I'd rather be lucky than good.
  26. To Virus and Trojan writers by BigGar' · · Score: 2, Insightful

    If you want to gather a bunch of personal data and cover your butt at the same time start an ad company and release your virus, er demographics data gathering software and just claim it's business.

    --


    Shop smart, Shop S-Mart.
  27. for those who don't know what WSH is - like me by Prince+Vegeta+SSJ4 · · Score: 4, Informative
    HERE

    Windows Script Host (WSH) is a Windows administration tool.

    WSH creates an environment for hosting scripts. That is, when a script arrives at your computer, WSH plays the part of the host -- it makes objects and services available for the script and provides a set of guidelines within which the script is executed. Among other things, Windows Script Host manages security and invokes the appropriate script engine.

    WSH is language-independent for WSH-compliant scripting engines. It brings simple, powerful, and flexible scripting to the Windows platform, allowing you to run scripts from both the Windows desktop and the command prompt.

    Windows Script Host is ideal for noninteractive scripting needs, such as logon scripting, administrative scripting, and machine automation.

    WSH Objects and Services

    Windows Script Host provides several objects for direct manipulation of script execution, as well as helper functions for other actions. Using these objects and services, you can accomplish tasks such as the following:

      * Print messages to the screen

      * Run basic functions such as CreateObject and GetObject

      * Map network drives

      * Connect to printers

      * Retrieve and modify environment variables

      * Modify registry keys

    Where Is WSH?

    Windows Script Host is built into Microsoft Windows 98, 2000, and Millennium Editions. If you are running Windows 95, you can download Windows Script Host 5.6 from the Microsoft Windows Script Technologies Web site (http://msdn.microsoft.com/scripting).

    Note You can also go to the web site listed above to upgrade your current engines. The version of WSH in Windows 98, 2000, and Millennium Editions is either version 1.0 or 2.0. You must upgrade to version 5.6 to get the new features.

  28. Re: Mozilla Thunderbird! by michael186 · · Score: 2, Insightful

    IMHO, it shouldn't even have the "feature". You don't need ActiveX in emails.

  29. Re: Mozilla Thunderbird! by SoTuA · · Score: 2, Insightful
    > I sincerely hope no one here is using Outlook/Outlook Express.

    Some of us don't have the choice (at work).

    At least I can install firefox, but mail clients that aren't OE are a big no-no.

  30. WHost and XP are integrated like IE and XP. by Sheepdot · · Score: 5, Informative

    > However, this will only affect users who have Windows Scripting Host enabled and certain ActiveX controls, according to MessageLabs.

    That's like saying, "this will only affect users who have not yet switched to Linux or MacOS."

    I would say that a good 98% of installations have WSHost enabled. Those that are SP2 or up to date might have the latest MS patch that I believe sets a kill bit on the Internet Explorer side of WSHost scripting under all circumstances.

    This is also not really anything new. Spy and adware companies have been manipulating hosts files now for at least a year, no doubt phishers have done exactly the same thing, this is just the first reported time of it happening.

    One thing you have to keep in mind is that several so-called security experts are very bright individuals but succumb to what some call: media-whoring. This is a specific instance of a "media-whoring" by Message Labs. Let me explain my proof of this: they use ASP and IIS as opposed to something like PHP and Apache.

    They are obviously not very concerned about legitimate security. There's a website that keeps track of the media fanatics: http://www.vmyths.com/

    The site is run by a guy who has over a decade of solid security experience. He knows when there is something legit to worry about, and he knows when something is hype.

    I suppose the best way to know is years and years of experience. If you read a lot of the security mailing lists, you'd be under the impression that the world was about to revert back to the stone age with the security threats.

    But the reality is, a huge amount of idiots exist that love to overhype the security risks when it comes to viruses and worms like "I Love You" and "Sasser". Most of us know when there is going to be a big problem, but there are a huge number of others that like to spread false info.

    There are others, like Mikko Hypponen of F-Secure that don't sell media hype, they sensationalize the truth. Yes, there have been instances of zombie-net owners selling their networks to spammers, but I have yet to actually see the sales, and I've been running a honeypot for well over a year now and track nearly a dozen different botnet herders.

    For the most part, it looks like botnetting is still used for two things, Americans (north and south america) for File Sharing/FXPing, and Germans for DDoSing. The Russians who have been spamming have been using IE exploits and web controls, not so much IRC connections. Thus, they cannot be truly considered "botnets".

  31. Yes, it would. by Ungrounded+Lightning · · Score: 4, Insightful

    > would it be so difficult ... to set the file attribute on the hosts file to read only.

    a) Why should Joe Newbie Windowsbuyer be expected to KNOW that he needs to change the permissions on the host file from the install defaults?

    b) If he can do it, he can UNdo it, and so can the bad guy's script.

    c) How many OTHER holes would he have to fix? Thousands? Tens of thousands? (Remember, he only has to miss ONE.)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
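
Added example, not part of any comment in this thread: since the read-only attribute discussed above can be cleared by the same script that rewrites the file, a defender can audit what the hosts file actually says instead. The sketch below flags any entry that pins a watched domain to a fixed address; the watchlist, the sample file and its addresses are constructed (reserved `.example` names and documentation IP ranges), not values from the article.

```python
import ipaddress
from typing import NamedTuple

# Hypothetical watchlist: names that should always resolve through DNS and
# therefore have no business appearing in a local hosts file.
WATCHLIST = {"bank.example", "payments.example"}

# Constructed sample, not taken from a real machine.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.bank.example  BANK.example.   # appended by a script
198.51.100.7    intranet.corp.example
0.0.0.0         ads.tracker.example
203.0.113.11    login.payments.example
"""


class Finding(NamedTuple):
    line_no: int
    address: str
    hostname: str
    reason: str


def _normalize(name):
    # Hostnames are case-insensitive and may carry a trailing root dot.
    return name.rstrip(".").lower()


def _watched(name, watchlist):
    # Match the domain itself and any subdomain of it.
    return any(name == d or name.endswith("." + d) for d in watchlist)


def audit_hosts(text, watchlist=WATCHLIST):
    """Return a Finding for every hosts entry that overrides a watched name."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        # Everything after '#' is a comment; fields are whitespace separated.
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        addr_text, names = fields[0], fields[1:]
        try:
            # Drop an IPv6 zone id (fe80::1%eth0) before parsing.
            addr = ipaddress.ip_address(addr_text.split("%", 1)[0])
        except ValueError:
            findings.append(
                Finding(line_no, addr_text, _normalize(names[0]),
                        "unparseable address"))
            continue
        # One line may map several names to the same address.
        for name in map(_normalize, names):
            if not _watched(name, watchlist):
                continue
            if addr.is_loopback or addr.is_unspecified:
                reason = "watched name sinkholed locally"
            else:
                reason = "watched name pinned to fixed address"
            findings.append(Finding(line_no, str(addr), name, reason))
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.hostname} -> {f.address} ({f.reason})")
```

On a real Windows machine the text to pass in is the content of `%WINDIR%\system32\drivers\etc\hosts`, the path quoted in the thread.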
  32. Just secure windows and this won't be a problem! by Grinler · · Score: 3, Informative

    With the amount of crapware out there and the amount of guides and articles written about this subject you would think people would still be a bit more secure. Unfortunately it does not seem to be the case.

    This guide explains how to keep your damn computer from being stupidly compromised:

    Simple and easy ways to keep your computer safe and secure on the Internet

    Also here's a tutorial for switching from IE to firefox:

    Switching from Internet Explorer to Firefox

  33. Re:Law enforcement? by Slime-dogg · · Score: 2, Insightful

    Yeah, especially when those fraudulent jerks are outside of the US.

    Wait a second...

    --
    You need to restart your computer. Hold down the Power button for several seconds or press the Restart button.
  34. Re: Mozilla Thunderbird! by rearl · · Score: 2, Insightful

    But you get it because IE is used as the rendering engine, thereby ensuring that any security problems in one application are shared amongst as many others as possible.

  35. Re: Mozilla Thunderbird! by Spoing · · Score: 2, Insightful
    > Did you read the article? It says " the most recent versions of Outlook, where such features are switched off as standard, will be protected." This has been the same with many recent exploits. They only affect old versions of ms software, but it immediately gets spun here to say that no one should be using the current, safe versions. It's similar to the recent status bar spoofing issue posted here which affected firefox rc1 and opera and pre-sp2 IE, but not sp2 IE, and was of course discussed as being a "hole in IE".

    Why are WSH and ActiveX even options for Outlook? Bad ideas, poorly implemented, and not secure.

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  36. How effective is changing the HOSTS file... by nz_mincemeat · · Score: 2, Insightful

    ...if you're required to go through an HTTP proxy anyway? (Like most corporate environments)

    Maybe the next generation of home ADSL routers would have one in their firmware and tout it as a "security feature"?

  37. Don't be lulled into a false sense of security... by MenTaLguY · · Score: 2, Informative

    Just be sure your ISP keeps their installation of pine up-to-date. I've seen all too many installations of pine that haven't been updated since sometime in the 90s.

    Granted, I doubt pine is a big target for phishing scams, but nonetheless...

    --

    DNA just wants to be free...
  38. Microsoft: PLEASE back out of this design... by argent · · Score: 2, Insightful

    > However, this will only affect users who have Windows Scripting Host enabled and certain ActiveX controls, according to MessageLabs.

    If only Microsoft would back out of this insistence on making the browser a completely general web applications framework with the ability to provide full access to local resources.

    Microsoft: split the HTML rendering engine out of the web client components, and get rid of the "security zones" hacks. You've been trying to come up with a design that lets you do this safely for over seven years now, and never succeeded in holding off attackers for more than a few weeks at the most... it's time to admit that even all the brilliant people at Microsoft (and you have some bloody amazing blokes over there) won't be able to make it work. Please consider that you may have been mistaken.

  39. You can be safe(er?) with PocoMail, too by EtherAlchemist · · Score: 2, Informative


    Last year I bought a new laptop. When I was setting up my apps, I decided to ditch Eudora and look for a better mail client.

    I tried out Pegasus Mail, Fox Mail, Mozilla mail, the Thunderbird standalone and PocoMail. PocoMail was the only one that wasn't free, and it was the one I chose in the end.

    A number of reasons led to my choice:
    1 - Built in spam engine (Bayesian filtering added in 3.1) and the best auto-junkmail filter of the apps I tested, includes learning filters
    2 - UI totally configurable
    3 - Ease of use. Everything was intuitive; layouts, menu items being where you would think they were, etc.
    4 - Internal HTML viewer: it doesn't use embedded IE and thus IE exploits go out the window
    5 - Doesn't execute JavaScript or VBScript: only supports PocoScript and only then if you tell it to. NOTE: also not affected by the latest JPG vulnerability.
    6 - Integrated automatically with both Panda Antivirus and later, Norton without me doing anything special.

    I've used it for a little more than a year now and love it. It was worth the $40 I paid for it, and Poco has updates frequently. If you're looking for a new mail client, I would recommend taking a look at it.

    More info.

    --
    R(k)
  40. Why is this considered phishing? by jesser · · Score: 2, Insightful

    Why is this attack lumped together with phishing attacks? It sounds to me like this attack involves a hole that lets the attacker run arbitrary code with the user's permissions, which could just as easily be used to install a keylogger.

    --
    The shareholder is always right.
  41. Reminds me of Autoexec.bat attacks by siastbill1 · · Score: 2, Interesting

    When I was younger, I used to write little batch files that would mess up my friends' autoexec.bat file. I would give them a game on a disk, and then tell them that to play the game they had to type go (go.bat). The batch file would then back up their autoexec.bat file and replace it with my tampered version. Then when they rebooted their computer, blammo.

    I would have it execute gwbasic programs that would continuously loop "your computer is screwed", or that would just bleep out sounds from the PC speaker. I even wrote a program that would pretend to format your floppy drive (a continuous loop that constantly tried to load a file from A:>)

    People were so clueless they actually thought they had a virus. After people started using 2000 and XP I kinda figured that this sort of simple fake hack was over, but then I forgot about the hosts file. I think I'm gonna change my grandma's computer so that google.ca resolves to playboy.com :)

    Another simple fake hack is to erase the boot.ini file. It makes your uncle think his hard drive is mangled.

    Ah windows, it's the one constant I can always rely on.

  42. More information please by LesPaul75 · · Score: 4, Insightful

    The last line of defense for a lot of people was checking the actual URL of a link and seeing that it wasn't really "ebay.com" or "citibank.com," and it sounds like this flaw provides a way to defeat even that test. So this is pretty serious, it would seem, which is why it's surprising that the article is so sparse on details. Wouldn't it be good to know:

    1) What e-mail applications are vulnerable (can I get this through web-based mail)?
    2) What can be disabled to prevent this? Scripting? Active-X?
    3) Is a patch on the way?

    That article is pretty crummy.

  43. Re:Law enforcement? by swb · · Score: 2, Insightful

    Terrorism or not, why doesn't the government track all kinds of online fraud generally?

  44. Zzzzzzzzz by m.h.2 · · Score: 2, Funny

    *yawn*

  45. Re: Mozilla Thunderbird! by Fulcrum+of+Evil · · Score: 3, Insightful

    Other people may have different needs or use software in a different environment from you and this moralizing attitude that you can decide for everyone what their software should be able to do is frightening.

    Name one. If you're passing ActiveX around in email, it could probably be done better some actual way. In the meantime, we all have to deal with the results of malicious ActiveX email.

    Incidentally, my moralizing attitude is that you shouldn't be dumping benzene upstream of me. Is that also not for me to decide?

    --
    "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  46. Re:What about the certificate? by Student_Tech · · Score: 3, Insightful

    Except HTTPS uses the name and not the IP, so that if they got a cert that said they were www.somebank.com and the signer was a legitimate signer (or they convinced the user that they needed to accept that it was legit) it wouldn't set off the alarms.

    Plus I'll agree that I doubt many people check the lock (or key or whatever) says it is encrypted. Part of the reason I have my browser set to tell me every time I enter (or leave) an encrypted site.

  47. Patented by punkkid · · Score: 3, Funny

    Didn't Amazon patent no-click phishing? Oh wait, that was 1-click phishing. Sorry!

  48. reading mail as plain text by Mr+44 · · Score: 2, Informative
    I wish some graphical mail client would have a feature where all HTML email is converted to text before being presented
    Not that I expect anyone on Slashdot to actually know anything about Microsoft products, but Outlook Express, Outlook 2002 and 2003 all have this ability.

    Outlook 2002 added it with SP1. See Q307594 for details.

    In Outlook 2003 it's even easier, just check the option for it.

    And in XPSP2, Outlook Express now reads mail in plain text (Q883257).
  49. This should not be a problem by bigberk · · Score: 2, Insightful

    Because your Windows account has non admin privileges, of course. A low privilege user can't overwrite the hosts files, or screw around with the HKLM registry. And personally, my own mail client doesn't even try to support HTML or script-like thingies. Too difficult, too weird, unnecessary, dangerous.
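
Added example (not part of the comment above or of any product named in this thread): a Python audit for the hosts-file tampering the story describes. It flags entries that pin watched names to an address and reports whether the current account could rewrite the file. The watch list, the sample file and the function names are assumptions constructed for illustration.

```python
import ipaddress
import os

# Constructed sample hosts file; line 4 mimics the tampering the story describes.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1      localhost
0.0.0.0        ads.tracker.test
203.0.113.45   www.examplebank.test examplebank.test  # injected
not-an-ip      examplebank.test
"""

# Hypothetical watch list: names that should only ever be resolved through DNS.
WATCHED = {"examplebank.test"}


def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for each well-formed entry."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address: not a valid entry
        yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]


def is_watched(host):
    """Match a watched domain or any subdomain of it, not look-alike suffixes."""
    return any(host == d or host.endswith("." + d) for d in WATCHED)


def audit(text):
    """Return (line_no, ip, host, kind) for every watched name in the file."""
    findings = []
    for line_no, ip, hosts in parse_hosts(text):
        kind = "sinkhole" if ip.is_loopback or ip.is_unspecified else "redirect"
        findings += [(line_no, str(ip), h, kind) for h in hosts if is_watched(h)]
    return findings


def writable_by_current_user(path):
    """True if the account running this check could rewrite the file."""
    return os.access(path, os.W_OK)


if __name__ == "__main__":
    root = os.environ.get("SystemRoot", r"C:\Windows")
    path = os.path.join(root, "System32", "drivers", "etc", "hosts") if os.name == "nt" else "/etc/hosts"
    with open(path, encoding="utf-8", errors="replace") as fh:
        for finding in audit(fh.read()):
            print("SUSPICIOUS", finding)
    print("hosts writable by this account:", writable_by_current_user(path))
```

Run it under the account that reads mail: a "redirect" finding or a writable hosts file is the condition worth alerting on.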

  50. Not a problem by RzUpAnmsCwrds · · Score: 2, Interesting

    Recent versions of Outlook (2000 SP1 and beyond) and Outlook Express (IE SP1 and beyond) display emails in the restricted sites zone. Neither ActiveX nor Javascript are allowed to execute in the restricted sites zone.

    This also doesn't affect anyone using SP2 either.

    Move along, another already patched Microsoft vulnerability.

  51. "Cool new thing called IMAP" by hackerb9 · · Score: 3, Insightful
    There's this cool new thing called IMAP. Look into it and get with the 90's.


    Uh, that's amusing, but wrong. Pine was the first mail program to use IMAP. Both Pine and IMAP were created at the University of Washington.