Slashdot Mirror


The Evolution of the Phisher

gurps_npc writes "An article at CNN discusses how phishers have moved beyond the typical email scam. Last month, Secunia (a Danish security firm) documented a case where a phisher somehow modified a Windows hosts file so that when you type the correct URL into the address bar, it redirects you to the phisher's site. Worms and spyware are being built for the purpose of phishing, and it is also believed that phishers are attempting to compromise domain name servers. If one of these goes down, millions could lose their security instantly, even if they themselves have maintained the security of their computers."
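The hosts-file redirect the summary describes is simple to detect from the defender's side, because a consumer machine has no legitimate reason to carry a static mapping for a bank or payment domain. The following script is an added example, not code from the article or from Secunia: it parses a hosts file in the format Windows and Unix both use, and reports any watched domain that is mapped anywhere other than where DNS would send it. The sample hosts content and the `WATCHED_DOMAINS` list are constructed placeholders.

```python
"""Check a hosts file for entries that hijack watched domains.

Added example; not from the original thread. The sample hosts content below is
constructed, and the watched-domain list is a placeholder a defender would
replace with the domains they care about (typically read from the real file,
e.g. C:\\Windows\\System32\\drivers\\etc\\hosts or /etc/hosts).
"""
import ipaddress

# Constructed sample: a normal-looking hosts file with one injected redirect.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.example-bank.test example-bank.test   # injected by malware
"""

# Placeholder list of domains the defender wants to protect (assumption).
WATCHED_DOMAINS = {"example-bank.test", "www.example-bank.test", "login.example-pay.test"}


def parse_hosts(text):
    """Return (line_number, ip, hostname) for every mapping in a hosts file.

    Handles '#' comments (full-line and trailing), blank lines and several
    hostnames on one line. Lines whose first token is not an IP address are
    skipped rather than raising, since a tampered file may contain junk.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            entries.append((line_no, ip, host.lower()))
    return entries


def find_hijacked(text, watched=WATCHED_DOMAINS):
    """Return entries that pin a watched domain (or a subdomain of one) to any address.

    A redirect to a routable address is the phishing case from the summary; a
    loopback mapping is reported too, with a different reason, because it
    silently blocks the site (for example, to keep an antivirus update from
    loading) rather than impersonating it.
    """
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if host not in watched and not any(host.endswith("." + d) for d in watched):
            continue
        reason = "blocked (loopback)" if ip.is_loopback else f"redirected to {ip}"
        findings.append({"line": line_no, "host": host, "ip": str(ip), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_hijacked(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} {f['reason']}")
```

Run against the sample, the two injected hostnames on line 6 are reported as redirected to 192.0.2.10 while the two `localhost` lines pass. An endpoint agent would run the same check on a schedule, or on every write to the hosts file, and alert on any hit.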

15 of 278 comments

  1. Certificates changed? by wdd1040 · Score: 5, Insightful

    And this is when users need to actually read the warnings about certificates being different than the last time accessing the site...

    Again, if common-sense is used, 99% of phishing can be stopped.

    --
    wdd
    1. Re:Certificates changed? by gurps_npc · Score: 2, Insightful

      And when you are using a new computer that has never logged onto that account....

      --
      excitingthingstodo.blogspot.com
    2. Re:Certificates changed? by x.Draino.x · Score: 4, Insightful

      You fail to realize that the typical user doesn't even know what those certificates are for. The Slashdot crowd is probably safe for the most part, but are your parents?

    3. Re:Certificates changed? by Jedi+Alec · Score: 4, Insightful

      Common sense? Is there such a thing? You know you shouldn't stick your fingers in the nice bright fiery thingy because either someone told you stringently not to or you tried it once and got burned. To the majority of web users out there most of this information is as understandable as a description of the precautions that need to be taken before summoning Cthulhu. If someone went out and started changing the signs near highway offramps, and you've never been in the area, will common sense tip you off?

      --

      People replying to my sig annoy me. That's why I change it all the time.
    4. Re:Certificates changed? by Anonymous Coward · Score: 4, Insightful

      You lost me.

      Say I usually go to site A to do my banking. And I have a trusted security certificate for that site.

      I get infected with one of these phishing worms which alters my host file so that whenever I type out the URL to site A, I get the IP address to site B.

      I inadvertently go to site B. Site B doesn't require a security certificate. When would I get a warning about "incorrect" security certificates? As opposed to "expired" or "missing" certificates?

      Or better yet, these phishing worms pre-install their security certificate at the same time they hack my hosts file. When would I get a warning? As far as my web browser is concerned, I'm going where I intended to go.

      I think your solution solves the wrong problem.

    5. Re:Certificates changed? by Spad · Score: 3, Insightful

      "Unpatched" Windows 2000 SP4 system.
      Clean install.
      In the time it took me to download the latest definitions for my antivirus software (less than 5 minutes) I'd already acquired 3 worms/trojans.

      My firewall logs are full of worm hits trying to infect my machine.

      It's not an urban legend, it's a fact of internet life.

  2. Re:and this is accomplished how? by ImaLamer · Score: 4, Insightful

    I was going to mod you off topic...

    But I'll bite - attacks on DNS servers will direct everyone to the wrong site, Windows, Linux, UNIX, and Amiga users.

    Sorry.

  3. It's not only about certificate errors by DingerX · Score: 2, Insightful

    Folks, let's do the math:
    Phishers do not need to be successful very often. Think sperm here: if conditions are right, most of the time only one gets lucky 20% of the time. (Sorry for the Anchorman gag)
    Consider the facts:
    1) Only a few sites transact critical personal data (Credit cards, identity info) without proper security
    2) Only a few sites use security certificates that are A) out of date B) for a different site C) otherwise invalid.
    3) Only a modest majority of IE users have been trained into clicking "OK" on every security warning they see, especially for sites they know they trust.

    If a phisher jacks a DNS, if they're good and have volume, they'll only go for 1); the certification warnings in 2) are worthless. They're worthless for two reasons. First, browsers give the user the option of proceeding. Second, browsers don't distinguish between unimportant in-the-clear transmissions and stuff that looks like credit card numbers and identity information. Ideally, all browsers should have a cert mismatch not be an "ignorable" offense, but be one that causes the connection to fail.
    3) As a backup, any attempt at in-the-clear transmission of numeric data longer than 5 digits should cause a whole storm of scary looking warnings (get rid of the "saturate the user with needless warnings" garbage that does more harm than good) stating that this is a really bad idea if it's anything valuable and to please, for the love of jeebus, reconsider.

    I have no doubt they're hammering away at DNSs around the world; and they'll probably get one.

    Oh yeah, and mandatory email encryption should be enabled, dammit.

  4. Cyber terrorism? by GrouchoMarx · Score: 4, Insightful

    Here's where our laws are truly screwed up.

    On the one hand, downloading music from "unauthorized" sources such as P2P networks will get million dollar fines and, if the companies get their way, jail time, when there is actually no evidence that they are causing a loss of revenue (even if they are technically violating copyright law).

    Meanwhile, people who write spyware, break into computers and DELETE data, shut down networks, and attack DNS servers in order to disrupt all traffic on the Net (roughly the online equivalent of putting tacks all over a major expressway junction) get.... what? Really, I have no problem with seeing these people get 20-life hard time.

    When will the people who [ run the country | have money | bought Congress ] realize who the real threat to the Internet and to their bottom line is? It's not cheap Britney Spears fans. It's the people trying to break the Internet in order to get better advertising.

    Oh wait, I forgot. Advertising is always good, because companies do it, so they can't object when someone tries to advertise. Silly me. Greedy SOBs have to stick together.

    --

    --GrouchoMarx
    Card-carrying member of the EFF, FSF, and ACLU. Are you?

  5. Re:DNS? Bah! by ziplux · Score: 2, Insightful

    What about sites hosted on virtual servers? You _need_ DNS for those sites to work, otherwise the server doesn't know what site you want.

  6. Easy Short Term Fix by ftzdomino · Score: 3, Insightful

    Most phishing sites use images pulled from the real sites, as well as direct people to them when they are done entering their information. Many banks and sites such as PayPal could easily track these people by watching their referral logs and looking for foreign referrals to things such as their navigation images. They could then contact the NOCs of ISPs who are unknowingly hosting them on hacked machines to get them taken down immediately. Most ISPs are extremely willing to take these down quickly; I've had quite a few respond to me within minutes when I've informed them. Eventually phishers would just grab the whole site and host the images as well, but the increased bandwidth would be more likely to be noticed.

    Mail clients should also notify users when the displayed http:// URL differs from the actual href.

    A better fix would be for banks and other organizations to set up contact addresses for people to inform them. Many of them take days to read feedback I've sent them regarding someone trying to scam their customers.
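The referrer-log check ftzdomino proposes can be written as a small log filter. The script below is an added example, not code from the thread or from any bank: it reads Apache combined-format access log lines, keeps only requests for static assets (images, stylesheets, scripts), and groups them by any Referer host that is not the site's own domain. The log lines and `OWN_DOMAINS` are constructed placeholders; a real deployment would read the live access log and feed the output to an abuse queue.

```python
"""Spot foreign referrers pulling a site's own images, as a phishing-kit signal.

Added example; not code from the thread or from any bank. The log lines are
constructed in Apache combined format, and the own-domain list is a placeholder.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: asset requests, some referred by hosts the site does not
# own (a bare IP address and a look-alike domain), plus one non-asset request.
SAMPLE_LOG = """\
198.51.100.4 - - [01/Mar/2005:10:01:12 +0000] "GET /img/nav_logo.gif HTTP/1.1" 200 4213 "https://www.example-bank.test/login" "Mozilla/4.0"
198.51.100.5 - - [01/Mar/2005:10:01:40 +0000] "GET /img/nav_logo.gif HTTP/1.1" 200 4213 "-" "Mozilla/4.0"
198.51.100.6 - - [01/Mar/2005:10:02:03 +0000] "GET /img/nav_logo.gif HTTP/1.1" 200 4213 "http://203.0.113.7/login.htm" "Mozilla/4.0"
198.51.100.7 - - [01/Mar/2005:10:02:09 +0000] "GET /css/site.css HTTP/1.1" 200 1820 "http://203.0.113.7/login.htm" "Mozilla/4.0"
198.51.100.8 - - [01/Mar/2005:10:03:55 +0000] "GET /img/secure_lock.gif HTTP/1.1" 200 981 "http://www.example-bank.test.evil.test/verify" "Mozilla/4.0"
198.51.100.9 - - [01/Mar/2005:10:04:10 +0000] "GET /account/summary HTTP/1.1" 200 7710 "http://203.0.113.7/login.htm" "Mozilla/4.0"
"""

OWN_DOMAINS = {"example-bank.test"}  # placeholder for the site's real domains
ASSET_SUFFIXES = (".gif", ".png", ".jpg", ".jpeg", ".css", ".js")

# Apache "combined" format: client ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def is_own_host(host, own=OWN_DOMAINS):
    """True when host is one of our domains or a subdomain of one.

    The suffix check requires a leading dot, so the look-alike
    'www.example-bank.test.evil.test' is correctly treated as foreign.
    """
    return any(host == d or host.endswith("." + d) for d in own)


def foreign_asset_referrers(log_text, own=OWN_DOMAINS):
    """Return {referrer_host: sorted list of asset paths it pulled}.

    Only static assets count: a foreign page embedding the bank's own logo or
    stylesheet is the pattern the comment describes. Requests with no Referer
    ("-") are ignored, since many clients send none for bookmarks or typed URLs.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if not path.lower().endswith(ASSET_SUFFIXES):
            continue
        referer = m.group("referer")
        if referer in ("", "-"):
            continue
        host = (urlsplit(referer).hostname or "").lower()
        if not host or is_own_host(host, own):
            continue
        hits[host].add(path)
    return {h: sorted(p) for h, p in hits.items()}


if __name__ == "__main__":
    for host, paths in foreign_asset_referrers(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(paths)}")
```

The Referer header is a signal rather than proof: browsers can omit it, and a kit that copies the assets wholesale (the escalation the comment anticipates) leaves no trace here at all. It is still cheap to run, and a bare IP address or a look-alike domain referring the login page's own images is usually worth a takedown request.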
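The second suggestion in the same comment, warning when the link text shown to the user names a different host than the link actually points to, is a check a mail client or a mail gateway can run over the HTML part of a message. The script below is an added example (not code from the thread or from any mail client): it walks the anchors with the standard-library HTML parser and reports those whose visible text looks like a URL but resolves to a host different from the `href`. The sample message is constructed.

```python
"""Flag HTML links whose displayed URL names a different host than their href.

Added example; not from the thread. The sample message below is constructed.
Only anchors whose visible text itself looks like a URL are compared; a link
labelled "Click here" carries no displayed host to compare against, so it is
left to other checks.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: one honest link, one disguised link, one plain-text link.
SAMPLE_EMAIL_HTML = """\
<html><body>
<p>Dear customer, please confirm your details at
<a href="http://203.0.113.7/verify">https://www.example-bank.test/verify</a>.</p>
<p>Our site: <a href="https://www.example-bank.test/">https://www.example-bank.test/</a></p>
<p>Questions? <a href="http://203.0.113.7/help">Click <b>here</b></a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element, nested tags included."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_like):
    """Lower-cased host of a URL or a bare 'www.' string (scheme optional)."""
    s = url_like.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def looks_like_url(text):
    t = text.strip().lower()
    return t.startswith(("http://", "https://", "www."))


def mismatched_links(html):
    """Return [{'shown': text, 'actual': href}] for anchors whose text and href disagree on host."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        if not href or not looks_like_url(text):
            continue
        if host_of(text) != host_of(href):
            findings.append({"shown": text, "actual": href})
    return findings


if __name__ == "__main__":
    for f in mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"shown {f['shown']!r} but points at {f['actual']!r}")
```

On the sample, only the first anchor is reported: its text claims the bank's host while the `href` goes to a bare IP address. A client could render such links with the real destination beside them, or refuse to open them without confirmation; comparing hosts rather than whole URLs keeps tracking-redirect links on the legitimate domain from producing noise.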

  7. Re:and this is accomplished how? by dioscaido · Score: 4, Insightful

    Oh, that's right, Windows' nearly non-existent privilege system!

    Hmm... let's see.

    *runs regedit, tries to modify system registry keys -- ACCESS DENIED*

    *runs setup.exe, windows prompts for administrator password, I don't provide it -- ACCESS DENIED*

    *try to delete or modify a file on C:\Windows, or C:\Program Files\ -- ACCESS DENIED*

    *go into Hardware > Device Manager , tries to change hardware settings -- ACCESS DENIED*

    etc...

    I dunno... seems to be working pretty well from here.

    Don't confuse users choosing to run as root with having a failing privilege system. Remove your account from the Administrators group and put it into the Users group, and you'll see how extensive the privilege system is. Conversely, use root as your daily Linux account and see how much protection that gives you.

  8. Re:Passwords updated by lawpoop · Score: 4, Insightful

    I have to disagree. People evolved to live in small, related, co-operative groups. These days most people live in large hostile cities surrounded by strangers. In order to keep society from breaking down into looting, riots, and revenge killings, the government has to constantly train people from kindergarten to stand in line, sign their name, show their papers, write checks/give their credit card numbers for the bills every month, do what the man in the suit/uniform says.

    Now, you have the situation where a hostile stranger poses as a man in the uniform asking joe citizen to do what he's been trained all his life to -- show his papers, give his numbers, sign right here... are you surprised at the results?

    --
    Computers are useless. They can only give you answers.
    -- Pablo Picasso
  9. Re:and this is accomplished how? by Cro+Magnon · Score: 2, Insightful

    *try running many regular programs -- ACCESS DENIED*

    There's a reason why many people run Windows as root, and it's not always cluelessness.

    --
    Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  10. Re:Let's face it by Clod9 · Score: 3, Insightful

    Even ignoring the online banking is getting to be difficult.

    I recently opened a new account and they told me "oh, by the way, online banking is free! All you have to do is XYZ to start using it." It turns out my account was already open to all comers if they happened to know my account number and part of my SSN. So I was FORCED to at least set a password. No, I haven't yet written a letter to the bank, because I don't think it will really do any good.

    Eventually, as banks find higher profit in not providing physical branches, most people will be forced to do their banking online. In ten years I think we'll find there's not much choice. We'll actually have to pay extra fees NOT to do it that way.