The Evolution of the Phisher

gurps_npc writes "An article at CNN discusses the how Phishers have moved beyond the typical email scam. Last month, Secunia (Danish security firm) documented a case where a phisher somehow modified a windows host file so that when you type in the correct url in the address, it redirects you to the phisher site. Worms and spyware are being built for the purpose of phishing, and it is also believed that phishers are attempting to compromise domain name servers. If one of these go down millions could lose their security instantly, even if they themselves have maintened the security of their computers."

Certificates changed?

[wdd1040]

And this is when users need to actually read the warnings about certificates being different than the last time accessing the site...

Again, if common-sense is used, 99% of phishing can be stopped.

Re:Certificates changed?

[x.Draino.x]

You fail to realize that the typical user doesn't even know what those certificates are for. The Slashdot crowd is probably safe for the most part, but are your parents?

Re:Certificates changed?

[Jedi+Alec]

common sense? is there such a thing? you know you shouldn't stick your fingers in the nice bright firy thingy because either someone told you stringently not to or you tried it once and got burned. to the majority of webusers out there most of this information is as understandable as a description of the precautions that need to be taken before summoning chtulhu. if someone went out and started changing the signs near highway offramps, and you've never been in the area, will common sense tip you off?

Re:Certificates changed?

[LithiumX]

Not very familiar with the threat level against XP?

I've tested this myself. Put up a fresh brand new install of XP. Before I could even start patching it, I had worms homing in. I think the record so far (not for me but for another article here) is 45 seconds from first boot.

By the time you get around to hitting your bank records, you're already hit. If it's a brand new computer, unless it's fully patched and defended against these specific threats, you would likely already be hit long before you browsed your first site, let alone a critical one.

Think before you flame.

Re:Certificates changed?

You lost me.

Say I usually go to site A to do my banking. And I have a trusted security certificate for that site.

I get infected with one of these phishing worms which alters my host file so that whenever I type out the URL to site A, I get the IP address to site B.

I inadvertly go to site B. Site B doesn't require a security certificate. When would I get a warning about "incorrect" security certificates? As opposed to "expired" or "missing" certificates?

Or better yet, these phishing worms pre-install their security certificate at the same time they hack my hosts file. When would I get a warning? As far as my web browser is concerned, I'm going where I intended to go.

I think your solution solves the wrong problem.

Re:Certificates changed?

[Jarn_Firebrand]

That's why you have all the stuff you need to patch it on a floppy/CD/flash drive, and don't have it connected to the internet right away. Common sense. Okay, maybe not common sense to most people.

Re:Certificates changed?

[statusbar]

I haven't tried this, but I heard that it is possible to create an un-signed certificate set to use 'plaintext' encryption which most web browsers will not complain about. No encryption is done and no signature is possible or required.

Does anyone know if that is correct? If so, then this is possibility.

--Jeff++

Re:Certificates changed?

[silicon-pyro]

The parents of the slashdot crowd are behind a secure proxy located in the basement. They just call us up and ask us if its ok to procede.

Re:Certificates changed?

[Spad]

"Unpatched" Windows 2000 SP4 system.
Clean install.
In the time it took me to download the latest definitions for my antivirus software (less than 5 minutes) I'd already acquired 3 worms/trojans.

My firewall logs are full of worm hits trying to infect my machine.

It's not an urban legend, it's a fact of internet life.

Re:Certificates changed?

[soft_guy]

Not only that, but what if the "new" computer you are buying has been opened, modified, reboxed, and sold to you? Do you trust the store where you bought it, or just buy on price? This doesn't have to be totally the store's fault either (but could be).

Also, what if someone on the inside were to modify the master disk used to image the hard drives at a factory. Sure it might make the news and eventually you'd hear about it, but it still wouldn't be fun to be one of the people affected?

Matthew 4:16-19

Simon called Peter, and Andrew his brother, casting a net into the sea: for they were phishers. And he saith unto them, Follow me, and I will make you phishers of men.

Jesus p0wns you.

Phising on Linux

[stecoop]

Email:

Although I could have written a very complex and well written virus that probably wouldn't work on you operating system I am asking you to reply with you account name, password and any other card numbers you might have.

I further ask that you forward this email message to all your friends and for that matter any one you don't know urging them to send me all your information.

Yours Truly,
Mr Phisher

Evolution of the phish?

[drivinghighway61]

Everyone knows phish evolved into amphibians.

Shouldn't it be....

[GillBates0]

phisherman.

Fishermen fish.
Phishermen phish.

It's not "Fishers fish".

Carrying the analogy further, IE becomes a "phishing net" and Windows becomes a "phishing boat". The intarweb may be viewed as the "ocean" and your average AOLer a dumb "phish". Smarter geeks could be viewed as smarter"dolphins".

Interesting, huh.

DNS? Bah!

[saintp]

it is also believed that phishers are attempting to compromise domain name servers. If one of these go down millions could lose their security instantly, even if they themselves have maintened the security of their computers.

That's why only sissies and noobs use DNS. "Don't have to remember numbers," they cry. "Makes life easier," they whine. Hah! So does Gator! But I've got the upper hand now! My security won't be compromised while posting on 66.35.250.150, bitches.

Re:and this is accomplished how?

[ImaLamer]

I was going to mod you off topic...

But I'll bite - attacks on DNS servers will direct everyone to the wrong site, Windows, Linux, UNIX, and Amiga users.

Sorry.

Cyber terrorism?

[GrouchoMarx]

Here's where our laws are truly screwed up.

On the one hand, downloading music from "unauthorized" sources such as P2P networks will get million dollar fines and, if the companies get their way, jail time, when there is actually no evidence that they are causing a loss of revenue (even if they are technically violating copyright law).

Meanwhile, people who write spyware, break into computers and DELETE data, shut down networks, and attack DNS servers in order to disrupt all traffic on the Net (roughly the online equivalent of putting tacks all over a major expressway junction) get.... what? Really, I have no problem with seeing these people get 20-life hard time.

When will the people who [ run the country | have money | bought Congress ] realize who the real threat to the Internet and to their bottom line is? It's not cheap Britney Spears fans. It's the people trying to break the Internet in order to get better advertising.

Oh wait, I forgot. Advertising is always good, because companies do it, so they can't object when someone tries to advertise. Silly me. Greedy SOBs have to stick together.

Easy Short Term Fix

[ftzdomino]

Most phishing sites use images pulled from the real sites, as well as direct people to them when they are done entering their information. Many banks and sites such as paypal could easily track these people by watching their referral logs and looking for foreign referrals to things such as their navigation images. They could then contact the nocs of ISPs who are unknowingly hosting them on hacked machines to get them taken down immediately. Most ISPs are extremely willing to take these down quickly, I've had quite a few respond to me within minutes when I've informed them. Eventually phishers would just grab the whole site and host the images as well, but the increased bandwidth would be more likely to be noticed.

Mail clients should also notify users when the displayed http:// url differs from the actual href.

A better fix would be for banks and other organizations to set up contact addresses for people to inform them. Many of them take days to read feedback I've sent them regarding someone trying to scam their customers.

Re:and this is accomplished how?

[dioscaido]

Oh, that's right, Windows' nearly non-existent privilege system!

Hmm... lets see.

*runs regedit, tries to modify system registry keys -- ACCESS DENIED*

*runs setup.exe, windows prompts for administrator password, I don't provide it -- ACCESS DENIED*

*try to delete or modify a file on C:\Windows, or C:\Program Files\ -- ACCESS DENIED*

*go into Hardware > Device Manager , tries to change hardware settings -- ACCESS DENIED*

etc...

I dunno... seems to be working pretty well from here.

Don't confuse users choosing to run as root as having a failing privilidge system. Remove your account from the Administrator group and into the User group, and you'll see how extensive the privilidge system is. Conversely, use root as your daily linux account and see how much protection that gives you.

Re:Passwords updated

[lawpoop]

I have to disagree. People evolved to live in small, related, co-operative groups. These days most people live in large hostile cities surrounded by strangers. In order to keep society from breaking down into looting, riots, and revenge killings, the government has to constantly train people from kindergarten to stand in line, sign their name, show their papers, write checks/give their credit card numbers for the bills every month, do what the man in the suit/uniform says.

Now, you have the situation where a hostile stranger poses as a man in the uniform asking joe citizen to do what he's been trained all his life to -- show his papers, give his numbers, sign right here... are you surprised at the results?

Re:Let's face it

[Clod9]

Even ignoring the online banking is getting to be difficult.

I recently opened a new account and they told me "oh, by the way, online banking is free! All you have to do is XYZ to start using it." It turns out my account was already open to all comers if they happened to know my account number and part of my SSN. So I was FORCED to at least set a password. No, I haven't yet written a letter to the bank, because I don't think it will really do any good.

Eventually, as banks find higher profit in not providing physical branches, most people will be forced to do their banking online. In ten years I think we'll find there's not much choice. We'll actually have to pay extra fees NOT to do it that way.