Slashdot Mirror


The Evolution of the Phisher

gurps_npc writes "An article at CNN discusses how phishers have moved beyond the typical email scam. Last month, Secunia (a Danish security firm) documented a case where a phisher somehow modified a Windows hosts file so that when you type the correct URL in the address bar, it redirects you to the phisher's site. Worms and spyware are being built for the purpose of phishing, and it is also believed that phishers are attempting to compromise domain name servers. If one of these goes down, millions could lose their security instantly, even if they themselves have maintained the security of their computers."
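The hosts-file trick in the summary is the one part of this a user can actually check for. Below is an added example (not from the CNN article, Secunia, or any poster in this thread) that parses a hosts file and flags mappings a phisher could have planted: any watched domain pinned to an address at all, and any other non-local name pinned to something other than loopback. The sample file, the `bank.example` domain and the 203.0.113.7 address are constructed for the example; the Windows path is the standard `%SystemRoot%\System32\drivers\etc\hosts`.

```python
import ipaddress
import os
from pathlib import Path

# Names that legitimately live in a hosts file and point at the local machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}


def hosts_path():
    """Location of the hosts file on Windows or on a Unix-like system."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return Path(root) / "System32" / "drivers" / "etc" / "hosts"
    return Path("/etc/hosts")


def parse_hosts(text):
    """Yield (lineno, ip, name) for every mapping; comments, blanks and junk are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address; the resolver would not honour it either
        for name in fields[1:]:
            yield lineno, ip, name.lower().rstrip(".")


def suspicious_entries(text, watch_domains=()):
    """Flag hosts-file lines a phisher could have planted.

    'hijack'   - a watched domain (or a subdomain of it) is pinned to any address
    'redirect' - any other non-local name is pinned to a non-loopback address
    Loopback/unspecified sinkholes for other names (ad blocking) are ignored.
    """
    watch = tuple(d.lower() for d in watch_domains)
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        watched = any(name == d or name.endswith("." + d) for d in watch)
        if watched:
            findings.append({"line": lineno, "name": name, "ip": str(ip), "reason": "hijack"})
        elif not (ip.is_loopback or ip.is_unspecified):
            findings.append({"line": lineno, "name": name, "ip": str(ip), "reason": "redirect"})
    return findings


# Constructed sample: a default Windows hosts file plus one ad-block line and one
# line of the kind the worm in the summary would add (203.0.113.7 is a documentation address).
HOSTS_SAMPLE = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net                 # ad blocker sinkhole, harmless
203.0.113.7     www.bank.example bank.example   # injected: the typed URL now lands on the phisher
"""

if __name__ == "__main__":
    path = hosts_path()
    text = path.read_text(errors="replace") if path.exists() else HOSTS_SAMPLE
    for f in suspicious_entries(text, watch_domains=("bank.example",)):
        print(f"line {f['line']}: {f['name']} -> {f['ip']} ({f['reason']})")
```

On a clean machine the script prints nothing; on the sample it reports both bank names. Note that this only catches the hosts-file variant; a poisoned resolver or a compromised DNS server, which the summary also mentions, leaves the hosts file untouched.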

42 of 278 comments

  1. Certificates changed? by wdd1040 · · Score: 5, Insightful

    And this is when users need to actually read the warnings about certificates being different than the last time accessing the site...

    Again, if common sense is used, 99% of phishing can be stopped.

    --
    wdd
    1. Re:Certificates changed? by gurps_npc · · Score: 2, Insightful

      And when you are using a new computer that has never logged onto that account....

      --
      excitingthingstodo.blogspot.com
    2. Re:Certificates changed? by x.Draino.x · · Score: 4, Insightful

      You fail to realize that the typical user doesn't even know what those certificates are for. The Slashdot crowd is probably safe for the most part, but are your parents?

    3. Re:Certificates changed? by Jedi+Alec · · Score: 4, Insightful

      Common sense? Is there such a thing? You know you shouldn't stick your fingers in the nice bright fiery thingy because either someone told you stringently not to or you tried it once and got burned. To the majority of web users out there most of this information is as understandable as a description of the precautions that need to be taken before summoning Cthulhu. If someone went out and started changing the signs near highway offramps, and you've never been in the area, will common sense tip you off?

      --

      People replying to my sig annoy me. That's why I change it all the time.
    4. Re:Certificates changed? by LithiumX · · Score: 3, Informative

      Not very familiar with the threat level against XP?

      I've tested this myself. Put up a fresh brand new install of XP. Before I could even start patching it, I had worms homing in. I think the record so far (not for me but for another article here) is 45 seconds from first boot.

      By the time you get around to hitting your bank records, you're already hit. If it's a brand new computer, unless it's fully patched and defended against these specific threats, you would likely already be hit long before you browsed your first site, let alone a critical one.

      Think before you flame.

      --
      Do not confuse "Freedom of Choice" with "Free Will".
    5. Re:Certificates changed? by Anonymous Coward · · Score: 4, Insightful

      You lost me.

      Say I usually go to site A to do my banking. And I have a trusted security certificate for that site.

      I get infected with one of these phishing worms which alters my host file so that whenever I type out the URL to site A, I get the IP address to site B.

      I inadvertently go to site B. Site B doesn't require a security certificate. When would I get a warning about "incorrect" security certificates? As opposed to "expired" or "missing" certificates?

      Or better yet, these phishing worms pre-install their security certificate at the same time they hack my hosts file. When would I get a warning? As far as my web browser is concerned, I'm going where I intended to go.

      I think your solution solves the wrong problem.

    6. Re:Certificates changed? by Jarn_Firebrand · · Score: 3, Interesting

      That's why you have all the stuff you need to patch it on a floppy/CD/flash drive, and don't have it connected to the internet right away. Common sense. Okay, maybe not common sense to most people.

    7. Re:Certificates changed? by ReverendLoki · · Score: 2, Interesting

      Wow, this is one of the stupidest things I have ever heard

      Then you must not get out much. As they were talking about a DNS becoming compromised such that even secured systems become redirected, your argument makes absolutely no sense. It's akin to saying that since your new car has just come off the showroom floor, it should be entirely unaffected by that bridge out ahead.

      For further instructions, consult own advice.

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    8. Re:Certificates changed? by Rorschach1 · · Score: 2, Interesting

      It's bad enough that most users have no clue to begin with, but you should try working within the DoD. Or maybe it's just the Air Force that's so screwed up. But they've been pushing so hard on a poorly-implemented PKI plan that all their users are now conditioned to automatically accept invalid, expired, or untrusted certificates dozens of times per day to get their jobs done.

      Enablement... yeah, that's a perfectly cromulent word...

    9. Re:Certificates changed? by statusbar · · Score: 3, Interesting

      I haven't tried this, but I heard that it is possible to create an un-signed certificate set to use 'plaintext' encryption which most web browsers will not complain about. No encryption is done and no signature is possible or required.

      Does anyone know if that is correct? If so, then this is a possibility.

      --Jeff++

      --
      ipv6 is my vpn
    10. Re:Certificates changed? by wertarbyte · · Score: 2, Funny

      That's why you have all the stuff you need to patch it on a floppy/CD/flash drive, and don't have it connected to the internet right away. Common sense. Okay, maybe not common sense to most people.

      No, that's why i don't have that windows stuff on my computers. Common sense. Okay, maybe not common sense to most people. ;-)

      --
      Life is just nature's way of keeping meat fresh.
    11. Re:Certificates changed? by silicon-pyro · · Score: 4, Funny

      The parents of the slashdot crowd are behind a secure proxy located in the basement. They just call us up and ask us if it's OK to proceed.

    12. Re:Certificates changed? by Spad · · Score: 3, Insightful

      "Unpatched" Windows 2000 SP4 system.
      Clean install.
      In the time it took me to download the latest definitions for my antivirus software (less than 5 minutes) I'd already acquired 3 worms/trojans.

      My firewall logs are full of worm hits trying to infect my machine.

      It's not an urban legend, it's a fact of internet life.

    13. Re:Certificates changed? by soft_guy · · Score: 3, Interesting

      Not only that, but what if the "new" computer you are buying has been opened, modified, reboxed, and sold to you? Do you trust the store where you bought it, or just buy on price? This doesn't have to be totally the store's fault either (but could be).

      Also, what if someone on the inside were to modify the master disk used to image the hard drives at a factory? Sure it might make the news and eventually you'd hear about it, but it still wouldn't be fun to be one of the people affected.

      --
      Avoid Missing Ball for High Score
    14. Re:Certificates changed? by sosegumu · · Score: 2, Interesting

      If it's a brand new computer, unless it's fully patched and defended against these specific threats, you would likely already be hit long before you browsed your first site, let alone a critical one.

      That's a good reason not to buy your computer from BestBuy. Our company is a local reseller who offers as good (or better) prices than the big box stores, financing options, better components, better warranties, etc. When we deliver a system, it's fully patched, AV installed with latest defs, anti-spyware installed.

      Strangely, we have the hardest time getting home users to buy our systems. For whatever reason, over 95% of our customers are businesses.

      --
      It's easier to wear the spandex than to do the crunches. --David Lee Roth
    15. Re:Certificates changed? by BlueCodeWarrior · · Score: 2, Informative

      SpoofStick

      It's not perfect, but it'll help.

    16. Re:Certificates changed? by That's+Unpossible! · · Score: 2, Informative

      Say I usually go to site A to do my banking. And I have a trusted security certificate for that site.

      I get infected with one of these phishing worms which alters my host file so that whenever I type out the URL to site A, I get the IP address to site B.

      I inadvertently go to site B. Site B doesn't require a security certificate. When would I get a warning about "incorrect" security certificates? As opposed to "expired" or "missing" certificates?


      Assuming you are smart enough to require a site to be secured with SSL before submitting your information to them, you'd first look to see if the connection is secure. If it IS secure, that means the SSL certificate that site has must match up to the domain your browser thinks you are viewing.

      The phishing site might trick you into thinking you're at bankofamerica.com, they may also have an SSL certificate installed on their phishing hole, but there is no way in hell they have an SSL certificate (from a trusted SA) for that bankofamerica.com domain. They'd need BoA's private key for that kind of trickery.

      Therefore 1 of 3 things should tip you off:

      1. The site is not SSL secured. Stop.

      or

      2. The site is SSL secured, but the SSL certificate triggers an alert that the domain in the cert doesn't match the domain you're viewing. Stop.

      or

      3. The site is SSL secured, the domain in the cert matches, but your browser triggers an alert because it was not issued by a trusted SA.

      --
      Ironically, the word ironically is often used incorrectly.
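The three-way tip-off in the comment above, and the Anonymous Coward's objection further up about a worm that also installs its own certificate, can both be made concrete. The following is an added example, not code from any poster or from any browser: it implements the hostname comparison a browser performs between the name the user typed and the certificate's subject alternative names (RFC 6125 rules: wildcard only as the whole leftmost label, matching exactly one label), then classifies the four situations a hosts-file redirect can produce. The bank name, the issuer strings and the phisher's host name are placeholders for the example.

```python
def _dns_name_matches(pattern, host):
    """RFC 6125-style comparison of one SAN dNSName against the name the user typed.

    Case-insensitive; a wildcard is allowed only as the entire leftmost label and
    matches exactly one label, so '*.bank.example' covers 'www.bank.example' but
    neither 'bank.example' nor 'a.b.bank.example'.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Refuse '*.com'-style patterns and require the same number of labels.
    return len(p_labels) >= 3 and len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_host(san_dns_names, typed_host):
    return any(_dns_name_matches(p, typed_host) for p in san_dns_names)


def assess_connection(typed_host, tls, san_dns_names=(), issuer=None, trusted_issuers=frozenset()):
    """Classify what the browser would see; returns the first failing check or 'OK'.

    The comparison is always against the name the user typed, never against the
    address the hosts file or DNS handed back, which is why a redirect on its own
    cannot produce a clean padlock.
    """
    if not tls:
        return "NO_TLS"
    if not cert_matches_host(san_dns_names, typed_host):
        return "NAME_MISMATCH"
    if issuer not in trusted_issuers:
        return "UNTRUSTED_ISSUER"
    return "OK"


# Constructed scenarios; names and issuers are placeholders, not real certificates.
BANK = "www.bankofamerica.com"
TRUSTED = frozenset({"Public CA"})
SCENARIOS = {
    # 1. hosts file points at the phisher, who serves plain HTTP
    "redirect, no tls": dict(typed_host=BANK, tls=False),
    # 2. phisher serves TLS with a certificate issued for his own host name
    "redirect, own cert": dict(typed_host=BANK, tls=True,
                               san_dns_names=["login.203-0-113-7.example"], issuer="Public CA"),
    # 3. phisher self-signs a certificate bearing the bank's name
    "redirect, self-signed": dict(typed_host=BANK, tls=True,
                                  san_dns_names=[BANK], issuer="Phisher Root"),
    # 4. the real bank, with a wildcard certificate
    "genuine": dict(typed_host=BANK, tls=True,
                    san_dns_names=["bankofamerica.com", "*.bankofamerica.com"], issuer="Public CA"),
}


def run_scenarios(trusted_issuers=TRUSTED):
    return {name: assess_connection(trusted_issuers=trusted_issuers, **kw)
            for name, kw in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:24s} {verdict}")
    # The objection raised earlier in the thread: malware that also plants its own
    # root in the trust store turns case 3 into a clean 'OK'.
    print("after planting 'Phisher Root':",
          run_scenarios(TRUSTED | {"Phisher Root"})["redirect, self-signed"])
```

The last line of the demo is the caveat: every check here runs against the local trust store, so a worm with enough privilege to edit the hosts file usually also has enough to add a root certificate, and then none of the three tip-offs fires.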
  2. Matthew 4:16-19 by Anonymous Coward · · Score: 5, Funny

    Simon called Peter, and Andrew his brother, casting a net into the sea: for they were phishers. And he saith unto them, Follow me, and I will make you phishers of men.

    Jesus p0wns you.

  3. Phising on Linux by stecoop · · Score: 4, Funny

    Email:

    Although I could have written a very complex and well written virus that probably wouldn't work on your operating system, I am asking you to reply with your account name, password and any other card numbers you might have.

    I further ask that you forward this email message to all your friends and for that matter any one you don't know urging them to send me all your information.

    Yours Truly,
    Mr Phisher

  4. Evolution of the phish? by drivinghighway61 · · Score: 4, Funny

    Everyone knows phish evolved into amphibians.

  5. Shouldn't it be.... by GillBates0 · · Score: 4, Interesting

    phisherman.

    Fishermen fish.
    Phishermen phish.

    It's not "Fishers fish".

    Carrying the analogy further, IE becomes a "phishing net" and Windows becomes a "phishing boat". The intarweb may be viewed as the "ocean" and your average AOLer a dumb "phish". Smarter geeks could be viewed as smarter "dolphins".

    Interesting, huh.

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
  6. DNS? Bah! by saintp · · Score: 5, Funny

    it is also believed that phishers are attempting to compromise domain name servers. If one of these go down millions could lose their security instantly, even if they themselves have maintened the security of their computers.

    That's why only sissies and noobs use DNS. "Don't have to remember numbers," they cry. "Makes life easier," they whine. Hah! So does Gator! But I've got the upper hand now! My security won't be compromised while posting on 66.35.250.150, bitches.
    1. Re:DNS? Bah! by ziplux · · Score: 2, Insightful

      What about sites hosted on virtual servers? You _need_ DNS for those sites to work, otherwise the server doesn't know what site you want.

    2. Re:DNS? Bah! by saintp · · Score: 2, Funny

      Images? What the heck are you talking about? Oh brave new Internet that has such things in it!

  7. Re:and this is accomplished how? by ImaLamer · · Score: 4, Insightful

    I was going to mod you off topic...

    But I'll bite - attacks on DNS servers will direct everyone to the wrong site, Windows, Linux, UNIX, and Amiga users.

    Sorry.

  8. Re:Passwords updated by MightyMartian · · Score: 2, Interesting

    Let's be perfectly blunt. The average human being is functionally retarded. They're perfectly capable of being taught a few neat tricks like reading the newspaper or buying a member of the opposite sex a drink before groping them, but when it comes right down to it, about 95% of the species H. sapiens are gibbering morons who will refuse to listen to constant warnings about opening suspicious attachments, paying attention to certificate warnings, but will happily supply their credit card numbers to the first guy that comes along and says "We're from PayPal and we need to verify your account information".

    I used to think something should be done about this, but since the average daft ninny who bought a computer from Big Ticket Computer Store is pretty much incapable or unconcerned about these matters, I figure what the hell! Let the scammers steal their money and their identities. People this idiotic and unwilling to learn even the rudiments of keeping themselves safe on the Internet deserve everything they get.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  9. How's your phishing-picking-out-skills? by froggero1 · · Score: 2, Interesting

    Even straightforward phishing attacks are getting more sophisticated. Spelling errors and mangled Web addresses made early scams easy to spot, but scam artists now commonly include legitimate-looking links within their Web addresses, said Kate Trower, associate product manager of protection software for EarthLink Inc.

    I have noticed this lately as well... so now I scrutinize every email I get, hovering over links, and occasionally, entering the first line or so into google. I do consider myself to be pretty good at figuring out if it's a phish or not though. I found a fun little phishing-finding-outting test to take on i-am-bored.com. Try it out and see how well you do!

    --
    ~/.sig: No such file or directory
  10. It's not only about certificate errors by DingerX · · Score: 2, Insightful

    Folks, let's do the math:
    Phishers do not need to be successful very often. Think sperm here: if conditions are right, most of the time only one gets lucky 20% of the time. (Sorry for the anchorman gag)
    Consider the facts:
    1) Only a few sites transact critical personal data (Credit cards, identity info) without proper security
    2) Only a few sites use security certificates that are A) out of date B) for a different site C) otherwise invalid.
    3) only a modest majority of IE users have been trained into clicking "OK" on every security warning they see, especially for sites they know they trust.

    If a phisher jacks a DNS, if they're good and have volume, they'll only go for 1); the certification warnings in 2) are worthless. They're worthless for two reasons. First, browsers give the user the option of proceeding. Second, browsers don't distinguish between unimportant in-the-clear transmissions and stuff that looks like credit card numbers and identity information. Ideally, all browsers should have a cert mismatch not be an "ignorable" offense, but be one that causes the connection to fail.
    3) As a backup, any attempt at in-the-clear transmission of numeric data longer than 5 digits should cause a whole storm of scary looking warnings (get rid of the "saturate the user with needless warnings" garbage that does more harm than good) stating that this is a really bad idea if it's anything valuable and to please, for the love of jeebus, reconsider.

    I have no doubt they're hammering away at DNSs around the world; and they'll probably get one.

    Oh yeah, and Mandatory Email encryption should be enabled, dammit.

  11. Cyber terrorism? by GrouchoMarx · · Score: 4, Insightful

    Here's where our laws are truly screwed up.

    On the one hand, downloading music from "unauthorized" sources such as P2P networks will get million dollar fines and, if the companies get their way, jail time, when there is actually no evidence that they are causing a loss of revenue (even if they are technically violating copyright law).

    Meanwhile, people who write spyware, break into computers and DELETE data, shut down networks, and attack DNS servers in order to disrupt all traffic on the Net (roughly the online equivalent of putting tacks all over a major expressway junction) get.... what? Really, I have no problem with seeing these people get 20-life hard time.

    When will the people who [ run the country | have money | bought Congress ] realize who the real threat to the Internet and to their bottom line is? It's not cheap Britney Spears fans. It's the people trying to break the Internet in order to get better advertising.

    Oh wait, I forgot. Advertising is always good, because companies do it, so they can't object when someone tries to advertise. Silly me. Greedy SOBs have to stick together.

    --

    --GrouchoMarx
    Card-carrying member of the EFF, FSF, and ACLU. Are you?

  12. Easy Short Term Fix by ftzdomino · · Score: 3, Insightful

    Most phishing sites use images pulled from the real sites, as well as direct people to them when they are done entering their information. Many banks and sites such as paypal could easily track these people by watching their referral logs and looking for foreign referrals to things such as their navigation images. They could then contact the nocs of ISPs who are unknowingly hosting them on hacked machines to get them taken down immediately. Most ISPs are extremely willing to take these down quickly, I've had quite a few respond to me within minutes when I've informed them. Eventually phishers would just grab the whole site and host the images as well, but the increased bandwidth would be more likely to be noticed.

    Mail clients should also notify users when the displayed http:// url differs from the actual href.

    A better fix would be for banks and other organizations to set up contact addresses for people to inform them. Many of them take days to read feedback I've sent them regarding someone trying to scam their customers.
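Both detection ideas in the comment above can be scripted. What follows is an added example (not the poster's code, nor any bank's or mail client's): the first function scans Apache-style combined access log lines for requests to the site's own navigation images that were referred from a host the site does not own, and counts hits per foreign host; the second parses an HTML mail body and reports every link whose visible text looks like a URL naming a host other than the one the `href` actually points at. The log lines, the mail body, the `bank.example` domain and the 203.0.113.7 address are all constructed for the example.

```python
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Apache/NCSA "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Visible link text that looks like a URL or a bare host name.
URLISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def host_of(url):
    """Lowercased host part of a URL, or None when it has none."""
    host = urlsplit(url).hostname
    return host.lower() if host else None


def is_own_host(host, own_domains):
    return host is not None and any(host == d or host.endswith("." + d) for d in own_domains)


def foreign_asset_referers(log_lines, own_domains, asset_prefixes=("/images/",)):
    """Count referer hosts outside own_domains whose pages hot-link the site's own assets."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(asset_prefixes):
            continue
        ref_host = host_of(m["referer"]) if m["referer"] not in ("", "-") else None
        if ref_host is not None and not is_own_host(ref_host, own_domains):
            hits[ref_host] += 1
    return hits


def _norm(host):
    return host[4:] if host.startswith("www.") else host


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def misleading_links(html):
    """(visible text, real host) for links whose displayed URL names a different host than the href."""
    parser = _AnchorCollector()
    parser.feed(html)
    out = []
    for href, text in parser.anchors:
        shown, real = URLISH.match(text), host_of(href)
        if shown and real and _norm(shown.group(1).lower()) != _norm(real):
            out.append((text, real))
    return out


# Constructed samples: 203.0.113.7 is a documentation address standing in for a hacked host.
LOG_SAMPLE = [
    '10.0.0.1 - - [10/Mar/2005:09:12:01 +0000] "GET /images/nav_logo.gif HTTP/1.1" 200 2310 "http://www.bank.example/login" "Mozilla/4.0"',
    '10.0.0.2 - - [10/Mar/2005:09:12:05 +0000] "GET /images/nav_logo.gif HTTP/1.1" 200 2310 "http://203.0.113.7/bank/login.php" "Mozilla/4.0"',
    '10.0.0.3 - - [10/Mar/2005:09:12:09 +0000] "GET /images/nav_home.gif HTTP/1.1" 200 1188 "http://203.0.113.7/bank/login.php" "Mozilla/4.0"',
    '10.0.0.4 - - [10/Mar/2005:09:12:11 +0000] "GET /login HTTP/1.1" 200 5120 "http://203.0.113.7/bank/login.php" "Mozilla/4.0"',
    '10.0.0.5 - - [10/Mar/2005:09:12:15 +0000] "GET /images/nav_logo.gif HTTP/1.1" 200 2310 "-" "Mozilla/4.0"',
]
MAIL_SAMPLE = """<p>Dear customer, please verify your account at
<a href="http://www.paypal.com.203-0-113-7.example/verify">http://www.paypal.com/cgi-bin/webscr</a>
or read our <a href="https://www.paypal.com/help">Help Center</a> at
<a href="https://www.paypal.com/">www.paypal.com</a>.</p>"""

if __name__ == "__main__":
    for host, n in foreign_asset_referers(LOG_SAMPLE, ("bank.example",)).most_common():
        print(f"{n:3d} asset hits referred from {host}")
    for text, real in misleading_links(MAIL_SAMPLE):
        print(f"link shows {text!r} but goes to {real}")
```

The referer check is only a heuristic: a referer is set by the client and is absent from many requests, so an empty or `-` value is ignored rather than treated as foreign, and a phisher who copies the images locally (the escalation the comment predicts) leaves no trace in these logs at all.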

  13. I'm confused by TiggertheMad · · Score: 2, Funny

    The article was a little vague on this point, but aren't Phisher scams where you pretend to be a slightly paranoid ex-chess genius hiding out in Japan?

    --

    HA! I just wasted some of your bandwidth with a frivolous sig!
  14. Re:and this is accomplished how? by dioscaido · · Score: 4, Insightful

    Oh, that's right, Windows' nearly non-existent privilege system!

    Hmm... lets see.

    *runs regedit, tries to modify system registry keys -- ACCESS DENIED*

    *runs setup.exe, windows prompts for administrator password, I don't provide it -- ACCESS DENIED*

    *try to delete or modify a file on C:\Windows, or C:\Program Files\ -- ACCESS DENIED*

    *go into Hardware > Device Manager , tries to change hardware settings -- ACCESS DENIED*

    etc...

    I dunno... seems to be working pretty well from here.

    Don't confuse users choosing to run as root with having a failing privilege system. Remove your account from the Administrator group and put it into the User group, and you'll see how extensive the privilege system is. Conversely, use root as your daily Linux account and see how much protection that gives you.

  15. Re:Mod Parent Up by nzkbuk · · Score: 2, Informative

    Funny, yes, Insightful, no
    Most web sites are hosted on a shared platform. That's the whole reason HTTP 1.1 was invented. Go to any site on there and unless you type in the commands directly and like reading text with html tags (not displayed as web pages), then over 90% of web sites will be inaccessible.
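The mechanism behind the comment above, and behind ziplux's reply earlier in the thread, is the HTTP/1.1 `Host` header: a name-based virtual host server picks the site from that header alone, so browsing by IP address gets you whatever the server's default site is. It also explains why the hosts-file redirect from the summary works at all: the browser still puts the name the user typed into `Host`, so the phisher's server can key on it. The following is an added illustration, not the thread's or any server's code; the virtual-host table and site names are constructed.

```python
# Constructed shared-hosting table: Host header value -> site the server serves.
VHOSTS = {"www.bank.example": "bank-site", "bank.example": "bank-site",
          "shop.example": "shop-site"}
DEFAULT_SITE = "default-site"   # served when Host names nothing the server knows, or is absent


def build_request(path, host, port=80, version="1.1"):
    """Raw request as a browser sends it; HTTP/1.1 always carries the typed host name."""
    lines = [f"GET {path} HTTP/{version}"]
    if version == "1.1":
        lines.append(f"Host: {host}" if port == 80 else f"Host: {host}:{port}")
    lines.append("Connection: close")
    return "\r\n".join(lines) + "\r\n\r\n"


def host_header(request):
    """Host header value without port, lowercased, or None for a Host-less (HTTP/1.0) request."""
    head = request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "host":
            continue
        value = value.strip()
        if value.startswith("["):                      # IPv6 literal, e.g. [::1]:8080
            return value[1:value.index("]")].lower()
        return value.split(":")[0].lower()
    return None


def select_vhost(request, vhosts=VHOSTS, default=DEFAULT_SITE):
    """What a name-based virtual host server would serve for this request."""
    name = host_header(request)
    return vhosts.get(name, default) if name else default


if __name__ == "__main__":
    for host in ("www.bank.example", "66.35.250.150"):
        req = build_request("/", host)
        print(f"Host: {host:18s} -> {select_vhost(req)}")
    # Same typed name, but the hosts file sent the TCP connection to the phisher's box:
    # the request is byte-for-byte identical, so the phisher's server sees 'www.bank.example' too.
    print(repr(build_request("/login", "www.bank.example")))
```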

  16. Load of BS by janoc · · Score: 2, Informative

    Sorry folks, but this is so overblown that it is incredible. Similar to the recent "Evil twin" story.

    Does anybody really think that compromising a root DNS server will suddenly redirect customers of e.g. Citibank to a phishers site and it wouldn't be immediately noticed ? C'mon:

    - DNS is distributed and any change in DNS takes a while to propagate (on the order of days). Moreover, more and more sites are switching to digitally signed updates to DNS, so bogus updates have no chance to go through.

    - Do you really think that e.g. a bank or eBay would not notice that somebody hijacked their domain? The only thing a potential phisher would achieve is to attract very close attention to himself, and very quickly at that.

    A more credible threat is tricks like changing the hosts file; however, with that we are in the domain of common adware/spyware, which hijacks browsers on Windows routinely.

    Finally, any bank worth my money does not use just a stupid username/password for authentication! Most European banks have as a standard feature a challenge/response mechanism (in addition to the username/password pair).

    Some banks even go so far as to issue you a smartcard with a pocket "calculator", which generates the correct responses to the challenges from the bank. The smartcard is used as a seed for this and is protected with its own PIN that you have to enter before typing in the challenge code from the bank. The codes transmitted are usable just once, so they are completely useless to the phisher. Oh the mindless scaremongering ...

  17. Re:Passwords updated by lawpoop · · Score: 4, Insightful

    I have to disagree. People evolved to live in small, related, co-operative groups. These days most people live in large hostile cities surrounded by strangers. In order to keep society from breaking down into looting, riots, and revenge killings, the government has to constantly train people from kindergarten to stand in line, sign their name, show their papers, write checks/give their credit card numbers for the bills every month, do what the man in the suit/uniform says.

    Now, you have the situation where a hostile stranger poses as a man in the uniform asking joe citizen to do what he's been trained all his life to -- show his papers, give his numbers, sign right here... are you surprised at the results?

    --
    Computers are useless. They can only give you answers.
    -- Pablo Picasso
  18. Re:and this is accomplished how? by Cro+Magnon · · Score: 2, Insightful

    *try running many regular programs -- ACCESS DENIED*

    There's a reason why many people run Windows as root, and it's not always cluelessness.

    --
    Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  19. Re:and this is accomplished how? by dioscaido · · Score: 2, Funny

      It's very true. But not the fault of Windows. Applications can be written with user privileges in mind. For example, I was pleasantly surprised recently when I installed Nero v6 and it installed a configurable CD burning service for non-Administrators. Thankfully most of the big ones work (most MS apps, Adobe Apps, Macromedia Apps, Mozilla).

      I personally think it's about time users demand that software makers stop coding applications that require admin access simply to run. That's unheard of in linux/unix.

  20. Re:Passwords updated by dilg · · Score: 2, Interesting

    Add to that society's information overload and most users will click without batting an eye.

  21. Re:Let's face it by Clod9 · · Score: 3, Insightful

    Even ignoring the online banking is getting to be difficult.

    I recently opened a new account and they told me "oh, by the way, online banking is free! All you have to do is XYZ to start using it." It turns out my account was already open to all comers if they happened to know my account number and part of my SSN. So I was FORCED to at least set a password. No, I haven't yet written a letter to the bank, because I don't think it will really do any good.

    Eventually, as banks find higher profit in not providing physical branches, most people will be forced to do their banking online. In ten years I think we'll find there's not much choice. We'll actually have to pay extra fees NOT to do it that way.

  22. Re:Let's face it by Anonymous Coward · · Score: 2, Interesting

    If you don't want those risks, go doing those tasks the traditional way.

    You mean like giving your credit card to slacker teens working at the mall?

  23. Stupid system by haakoneide · · Score: 2, Informative

    Everything about phishing comes down to this: the passwords are reusable. If you can just get the password from the user once, you can do whatever you want. In Scandinavia, all banks use RSA tokens or lists with one-time passwords (these are rare nowadays). The file on the token is secret, and the PIN that the user puts into the token never has to be entered into a computer, so that's secret too. The password you get out only lasts for a minute. US banks apparently have the security level of Hotmail. Scandinavian banks (and probably most European) have had this system for like 10 years. Should I laugh or cry?
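The point made in the comment above, and in janoc's comment 16 about challenge/response calculators, is that a captured credential must be worthless a minute later. The added example below (not any poster's or any bank's code) implements the published token algorithms, HOTP (RFC 4226) and TOTP (RFC 6238), with a server-side verifier that refuses a code outside the clock window and refuses a code that already logged someone in, and walks through what a phisher gets from a code typed into a fake site. The `challenge_response` function is a constructed illustration of the reader-plus-PIN idea, not any bank's real scheme; the 20-byte secret and timestamps are the RFC test vectors.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from the clock in 30-second steps."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, step=30, window=1, used_counters=None):
    """Server-side check: accept the current or an adjacent step, never a counter already consumed."""
    now = int(unix_time) // step
    for counter in range(now - window, now + window + 1):
        if hmac.compare_digest(hotp(secret, counter, len(code)), code):
            if used_counters is not None:
                if counter in used_counters:
                    return False      # replay of a code that already logged someone in
                used_counters.add(counter)
            return True
    return False


def challenge_response(card_seed, challenge, digits=8):
    """Constructed reader scheme: response = truncated HMAC(card secret, bank's challenge).

    The card secret never leaves the reader, and the PIN unlocking it is typed into
    the reader, not the PC, so a phishing page sees only this one-use response.
    """
    mac = hmac.new(card_seed, challenge.encode("ascii"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % (10 ** digits)).zfill(digits)


def phisher_replay_demo(secret=b"12345678901234567890", captured_at=1111111109):
    """What a phisher gains from a TOTP code captured at `captured_at`: nothing durable."""
    used = set()
    code = totp(secret, captured_at)          # what the victim typed into the fake site
    return {
        "victim_login_ok": verify_totp(secret, code, captured_at, used_counters=used),
        "replay_same_minute": verify_totp(secret, code, captured_at + 10, used_counters=used),
        "replay_two_minutes_later": verify_totp(secret, code, captured_at + 120, used_counters=used),
    }


if __name__ == "__main__":
    for k, v in phisher_replay_demo().items():
        print(f"{k:26s} {v}")
    print("reader response to challenge 483920:", challenge_response(b"card-secret", "483920"))
```

The one thing this does not stop is a relay: a phisher who forwards the captured code to the real bank within the window gets one session. That is why the challenge/response variant ties the response to a bank-chosen challenge, and why the stronger readers sign the transaction details rather than just a login.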

  24. Re:Why are you linux guys hung up on Admin/user bi by SlimFastForYou · · Score: 2, Interesting

    Though this may be getting a little offtopic, I think it is a valid question and should be addressed.

    But why are you linux guys so hung up on the admin/user bit?

    From what I was able to gather from your post, you are trying to convey to everyone that it should not matter if a user runs under a "Limited" account, or an "Administrator" account (using Windows terminology).

    Unix was designed with multiple users in mind. In fact, many system services run under their own user account. The one, all powerful account is 'root', and is normally used only under special circumstances (i.e. installing a software package). Most other times, even the sysadmin logs on to a limited user account.

    The theory is, a system service can only do so much damage as its user account permits. Similarly, a user can only do so much damage as his/her account permits. If there is some hole in MySQL server, and an attacker is able to exploit it, they gain all the privileges of the MySQL user account. The rest of the system should theoretically remain unaffected.

    What does this have to do with Windows? In my experience in a computer repair shop, I have fixed XP box after XP box brought to its knees by viruses and spyware. The removal of these malware programs can prove to be a quite tedious undertaking, because the entire family who owns the computer each has their own Administrator logon account. If the RPC service is compromised (a la Blaster), it was running with Administrator privileges and the whole system is vulnerable. If a web site exploits a flaw in IE, the whole system is vulnerable because the user runs as Administrator.

    Windows XP is simply designed to where home users need to have administrator privileges, otherwise many things will not seem to work right. For example, many DirectX games will not load at all unless run as an Administrator.

    So to answer your question, a "stupid" user could only do so much damage with a unix-based security model. Lets imagine a family using a Linux computer. Assuming a 13 year old kid installed a program that secretly contained a keylogger, the keylogger would be powerless against the mother and father. The keylogger could not wedge itself deep down in the system files, therefore cleaning it would be a relatively painless task for a moderately competent user.

    In conclusion, I would like to say that the fact you have never had any unexpected malware (spyware, viruses, etc) installed on your windows machine whatsoever is unusual. You are either mistaken, haven't used your computer much, or are both smart AND lucky. This is my understanding of the current state of security affairs as far as Windows and *nix are concerned - if anyone has anything to add, I'd like to hear it.