Slashdot Mirror
No-Click Phishing On The Way
An anonymous reader writes "MessageLabs has discovered a pretty nasty - though fairly crude - phishing scam which doesn't even require recipients to click on a link in order to hand over personal data.
Simply opening the email is enough to activate a script which 'lies in wait for its victim' according to one report. The script rewrites the host files of the machine and directs users to a fake web page the next time they legitimately attempt to access an online banking page. ... However, this will only affect users who have Windows Scripting Host enabled and certain ActiveX controls, according to MessageLabs."
are people that are, for example, at work, and can't turn off Windows Scripting Host and certain ActiveX controls? Not open emails? Surely there should be a solution to this.
When anger rises, think of the consequences.
Confucius (551 BC - 479 BC)
No-click phising? That's infringing on Amazon's one-click patent!
The virus apparently also redirects visitors of AOL Support Forums to Ask Slashdot, which explains the recent postings.
for those who don't know what phishing is, see the definition
[Phishing] is the luring of sensitive information, such as passwords and other personal information, from a victim by masquerading as someone trustworthy with a real need for such information.
Marge, get me your address book, 4 beers, and my conversation hat.
but you have to manual make the suggested changes to your /etc/hosts file after getting root access and using your editor of choice.
not quite "no-click", but linux does support this feature.
[/humor]
For making products so easy to use that even someone you don't know can use them for you.
Well, I was going to switch over from Linux to Windows, because I heard Bill Gates said that ``security is our top priority'', but now I think he must have been misquoted. Maybe I'll stick with Linux just a little longer, until Windows gets those last few little bugs ironed out.
See what I've been reading.
I ssh into my ISP and use pine to read email. Been doing it this way for over 10 years. Some people find this a bit quaint, but I don't have to worry about any worm/virus/phishing issues.
this will only affect users who have Windows Scripting Host enabled and certain ActiveX controls
Or in other words, this will probably not affect non-Windows or non-Internet Explorer users.
Well we could see plenty of comments along those lines coming, but here's a further thought:
Hey banks: All of your users have plastic cards that you issued. Mandate two-factor authentication already and watch Phishing scams go bye bye.
Indy Media Watch-Proctologist of the Internet
Overwriting your Hosts file is an obvious way to trick people, and Outlook is a prime target for this kind of hack, because it gives incoming email rediculous amounts of control over the rest of the computer.
Remind me to tell my mother to start using Thunderbird and Firefox and install a firewall.
Will the innovation never end?
-Peter
attrib -r %WINDIR%\system32\drivers\etc\Hosts
Very true. Just recently I discovered that a business partner (telecom industry) has begun rejecting HTML email. I wonder if that policy will survive?
UNIX/Linux Consulting
Did you read the article? It says " the most recent versions of Outlook, where such features are switched off as standard, will be protected." This has been the same with many recent exploits. They only affect old versions of ms software, but it immediately gets spun here to say that no one should be using the current, safe versions. It's similar to the recent status bar spoofing issue posted here which affected firefox rc1 and opera and pre-sp2 IE, but not sp2 IE, and was of course disscussed as being a "hole in IE".
I'd rather be lucky than good.
Windows Script Host (WSH) is a Windows administration tool.
WSH creates an environment for hosting scripts. That is, when a script arrives at your computer, WSH plays the part of the host -- it makes objects and services available for the script and provides a set of guidelines within which the script is executed. Among other things, Windows Script Host manages security and invokes the appropriate script engine.
WSH is language-independent for WSH-compliant scripting engines. It brings simple, powerful, and flexible scripting to the Windows platform, allowing you to run scripts from both the Windows desktop and the command prompt.
Windows Script Host is ideal for noninteractive scripting needs, such as logon scripting, administrative scripting, and machine automation. WSH Objects and Services
Windows Script Host provides several objects for direct manipulation of script execution, as well as helper functions for other actions. Using these objects and services, you can accomplish tasks such as the following:
* Print messages to the screen
* Run basic functions such as CreateObject and GetObject
* Map network drives
* Connect to printers
* Retrieve and modify environment variables
* Modify registry keys
Where Is WSH?
Windows Script Host is built into Microsoft Windows 98, 2000, and Millennium Editions. If you are running Windows 95, you can download Windows Script Host 5.6 from the Microsoft Windows Script Technologies Web site (http://msdn.microsoft.com/scripting).
Note You can also go to the web site listed above to upgrade your current engines. The version of WSH in Windows 98, 2000, and Millennium Editions is either version 1.0 or 2.0. You must upgrade to version 5.6 to get the new features.
However, this will only affect users who have Windows Scripting Host enabled and certain ActiveX controls, according to MessageLabs.
That's like saying, "this will only affect users who have not yet switched to Linux or MacOS."
I would say that a good 98% of installations have WSHost enabled. Those that are SP2 or up to date might have the latest MS patch that I believe sets a kill bit on the Internet Explorer side of WSHost scripting under all circumstances.
This is also not really anything new. Spy and adware companies have been manipulating hosts files now for at least a year, no doubt phishers have done exactly the same thing, this is just the first reported time of it happening.
One thing you have to keep in mind is that severay so-called security experts are very bright individuals but succumb to what some call: media-whoring. This is a specific instance of a "media-whoring" by Message Labs. Let me explain my proof of this: they use ASP and IIS as opposed to something like PHP and Apache.
They are obviously not very concerned about legitimate security. There's a website that keeps track of the media fanatics: http://www.vmyths.com/
The site is run by a guy who has over a decade of solid security experience. He knows when there is something legit to worry about, and he knows when something is hype.
I suppose the best way to know is years and years of experience. If you read a lot of the security mailing lists, you'd be under the impression that the world was about to revert back to the stone age with the security threats.
But the reality is, a huge amount of idiots exist that love to overhype the security risks when it comes to viruses and worms like "I Love You" and "Sasser". Most of us know when there is going to be a big problem, but there are a huge number of others that like to spread false info.
There are others, like Mikko Hypponen of F-Secure that don't sell media hype, they sensationalize the truth. Yes, there have been instances of zombie-net owners selling their networks to spammers, but I have yet to actually see the sales, and I've been running a honeypot for well over a year now and track nearly a dozen different botnet herders.
For the most part, it looks like botnetting is still used for two things, Americans (north and south america) for File Sharing/FXPing, and Germans for DDoSing. The Russians who have been spamming have been using IE exploits and web controls, not so much IRC connections. Thus, they cannot be truly considered "botnets".
would it be so difficult ... to set the file attribute on the hosts file to read only.
a) Why should Joe Newbie Windowsbuyer be expected to KNOW that he needs to change the permissions on the host file from the install defaults?
b) If he can do it, he can UNdo it, and so can the bad guy's script.
c) How many OTHER holes would he have to fix? Thousands? Tens of thousands? (Remember, he only has to miss ONE.)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
The last line of defense for a lot of people was checking the actual URL of a link and seeing that it wasn't really "ebay.com" or "citibank.com," and it sounds like this flaw provides a way to defeat even that test. So this is pretty serious, it would seem, which is why it's surprising that the article is so sparse on details. Wouldn't it be good to know:
1) What e-mail applications are vulnerable (can I get this through web-based mail)?
2) What can be disabled to prevent this? Scripting? Active-X?
3) Is a patch on the way?
That article is pretty crummy.