Online Scammers Go Spear-Phishing
Ant wrote to mention an examination at C|NET looking into the increasingly more effective techniques employed by phishers. From the article: "More recently, however, a hybrid form of phishing, dubbed "spear-phishing," has emerged and raised alarms among the digital world's watchdogs. Spear-phishing is a distilled and potentially more potent version of phishing. That's because those behind the schemes bait their hooks for specific victims instead of casting a broad, ill-defined net across cyberspace hoping to catch throngs of unknown victims."
But her friend's e-mail was actually gur-r@zahav.net.il. As Israeli investigators traced the origin of the bogus account they discovered that the person who had opened it lived in London and had charged the cost of the account to his American Express card.
Are we to believe that these super-phishers don't know how to spoof a From: header?
Real Daleks don't climb stairs - they level the building.
...which you should worry about. Viruses which create havoc and draw attention to themselves should be less of a concern.
If software has been created for a specific attack, then standard virus scanners will never pick up its signature.
http://michaelsmith.id.au
I particularly love this part:
Jackont took his computer to the Israeli police last fall and was told to reformat it. But his problems persisted. So the police examined his computer more closely and discovered that a malicious program known as a Trojan horse lay hidden deep inside and had hijacked the machine from a remote location.
So he reformatted his drive but the virus was still there? What?
I'm sorry, but does it really take much effort to get the facts right? EVERYONE seems to get it wrong: CNN, MSNBC, the NY Times, CNET. Somehow, the writers chosen to pump out articles like this either don't really understand technology or just pick subjects of which they don't really know anything.
Take off every sig. For great justice.
Jackont took his computer to the Israeli police last fall and was told to reformat it. But his problems persisted.
So either he did not format it, or after formatting it, he did not properly protect it and got infected again.
Poor (usually Microsoft Windows) users who also have to be administrators. The key problem is just that current OSes are not for people without CS knowledge to use. They need appliances which are protected, on which they can not install more software and which are protected by a mixed contract of anti-virus anti-spyware and system update vendors.
As long as users have to administrate their system, whatever system, these kinds of problems will continue to exist.
My wife's sketchblog Blob[p]: Gastrono-me
People run an operating system known to be vulnerable to Trojan Horse infections. They haven't had the source code independently audited and verified. They believe the headers in e-mail messages. And then they get infected by a Trojan horse.
The only surprise is it's taken this long for it to get noticed.
As long as people have had weaknesses, there have been other people out there seeking to exploit those weaknesses. That's just human nature; and if you fail to account for it, you might just as well have failed to account for gravity. The moment you put someone in front of a computer, they panic and lose all semblance of common sense. That also is human nature.
I believe Microsoft are complicit in all this, because it was Microsoft's deliberate design decision that the users of those computers did not have to give consent for a process to run as root. But whoever picked Microsoft must share some of the blame, since they basically decided that the integrity of their computer systems was less important than a pretty user interface.
Je fume. Tu fumes. Nous fûmes!
Looks like good old-fashioned social engineering to me, probably kicking off with some even more old-fashioned dumpster-diving to get the names and addresses of the target's friends and acquaintances.
When I am king, you will be first against the wall.
Spear-phishing, say security specialists, is much harder to detect than phishing. Bogus e-mail messages and Web sites not only look like near perfect replicas of communiqués from e-commerce companies like eBay or its PayPal service, banks or even a victim's employer, but are also targeted at people known to have an established relationship with the sender being mimicked.
It carries names of people whom you know, but they have always been around! What is so new here?
It's just phishing. Yea.
Why does yahoo do this
Also from the article:
Some computer security specialists suggest at least one basic approach that might allow e-mail recipients to learn right away that a communique appearing to come from a company like Amazon.com actually originated somewhere in the Ukraine, Romania, Bulgaria, Poland, Russia or any of the other places that law enforcement officials say are hot spots for phishing scams. "It strikes me that this is just a failure of most e-mail systems to reveal the history of an e-mail," said Whitfield Diffie, a pioneer in computer cryptography who is the chief security officer of Sun Microsystems. "You could post a warning flag indicating that the 'from' address doesn't seem consistent with the path history."
I have yet to see an application that does (only) this. And 8 out of 10 colleagues here (in IT) don't have a clue what a "path" in an e-mail is.
Anyway, the gist of the article was in the start: some phisher used a fake e-mail address where the From was NOT faked, but contained a small alteration that does not show at first. Since no anti-spam/anti-phisher can protect against that, even the people who run the most up-to-date anti-spam will believe the mail is trusted. Even the journalist has problems explaining that a technical solution is not the final solution.
By the way: you Americans do not have to worry so much since you seem to care so much for privacy.
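The header check Diffie describes, as an added example that is not part of the article or of any comment here: it parses the Received: chain of a message and flags a From: domain that none of the recorded relay hosts belong to. Both sample messages, all host names and IP addresses are constructed, and the registrable-domain helper is a deliberate simplification.

```python
"""Flag a From: domain that never appears in the Received: path.

Added example illustrating the "warning flag" Whitfield Diffie describes;
not code from the article or from any mail client. Messages, host names
and IP addresses are constructed.
"""
import email
import re
from email import policy

# Constructed phish: From: claims bigbank.example, and the sending host even
# said HELO as bigbank.example, but the receiving MTA recorded the real
# reverse-DNS name and IP of the connecting host inside the parentheses.
PHISH_MESSAGE = """\
Received: from mx.example-isp.net (mx.example-isp.net [192.0.2.10])
\tby mail.recipient.example (Postfix) with ESMTP id 4F2A1C0B
\tfor <customer@recipient.example>; Sun, 24 Apr 2005 10:00:00 +0000
Received: from bigbank.example (dsl-77.dialup.example-telecom.net [203.0.113.77])
\tby mx.example-isp.net (Postfix) with SMTP id 9E7D3A11
\tfor <customer@recipient.example>; Sun, 24 Apr 2005 09:59:58 +0000
From: Account Services <security@bigbank.example>
To: customer@recipient.example
Subject: Please confirm your account
"""

# Constructed legitimate mail: the relay's reverse DNS matches the From: domain.
LEGIT_MESSAGE = """\
Received: from smtp1.bigbank.example (smtp1.bigbank.example [198.51.100.5])
\tby mail.recipient.example (Postfix) with ESMTP id 1B2C3D4E
\tfor <customer@recipient.example>; Mon, 25 Apr 2005 08:00:00 +0000
From: Account Services <security@bigbank.example>
To: customer@recipient.example
Subject: Your monthly statement
"""

# "from <HELO name> (<reverse-DNS name> [<ip>])": the HELO name is chosen by
# the sender; the parenthesised part is written by the receiving MTA.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\)",
    re.IGNORECASE,
)

def registered_domain(host):
    """Crude approximation of the registrable domain (last two labels);
    a real implementation would consult the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def parse_hops(raw_message):
    """Return the hops recorded by receiving MTAs, origin first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for header in reversed(msg.get_all("Received", [])):  # top header is newest
        m = HOP_RE.search(str(header))
        if m:
            hops.append({"helo": m["helo"], "rdns": m["rdns"] or "", "ip": m["ip"]})
    return hops

def check_from_against_path(raw_message):
    """Compare the From: domain with the hosts that actually relayed the mail."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    addr_spec = msg["From"].addresses[0].addr_spec if msg["From"] else "@"
    from_domain = registered_domain(addr_spec.rsplit("@", 1)[-1])
    hops = parse_hops(raw_message)
    path_domains = [registered_domain(h["rdns"]) for h in hops if h["rdns"]]
    helo_match = any(registered_domain(h["helo"]) == from_domain for h in hops)
    return {
        "from_domain": from_domain,
        "path_domains": path_domains,
        "consistent": from_domain in path_domains,
        # A HELO naming the From: domain while reverse DNS does not is itself suspicious.
        "helo_claims_from_domain": helo_match and from_domain not in path_domains,
    }
```

The first hop is the interesting one: a phisher controls the HELO string and the From: header, but not the name and address the receiving relay writes down.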
Explicitly casting further with new lures, the phishers trolled, hoping for more bytes on the (on)line. The emails of the species were particularly at risk, as their outlook was not so good to begin with.
Some sought harbour in the eBay, hoping their bet paid off. Last I heard, the feedback was good.
Maybe our only hope is growing legs and migrating to the LAN.
Stuck down a hole! In the middle of the night! With an owl!
Phishing isn't a technology problem. If your computer has a virus, the bad guys can get your critical data without tricking it out of you. Phishing will always exist due to human nature.
Case in point: http://www.schneier.com/cgi-bin/mt/mt-tb.cgi/474/
in which a bank manager was convinced to leave 5 million under the door to a bathroom stall in a bar in Paris.
DO NOT WORRY, my GOOD FRIEND.
PHISHING claims many LIVES, but YOU TOO can be SAFE when you use our SECURE SOFTWARE to protect your family from PHISHING. BUT alas, my COMPANY lacks FUNDS to share this SECURE SOFTWARE with GOOD PEOPLE like you. THIS TRAGIC moment for our company can only be FIXED by your kind SERVICES. PLEASE transfer ONE THOUSAND DOLLARS to me at the GOVERNMENT SOFTWARE FOUNDATION OF NIGERIA so we can all SHARE this SECURE SOFTWARE.
ATTACHED is a special TRIAL of this very SECURE SOFTWARE, just for YOU. DO NOT HESITATE to protect yourself from the deadly THREAT of PHISHING.
I'm calling the "Metaphor and Analogy" police, if there is such a thing.
Why is it that EVERYTHING involving computers and the internets ends up becoming some cutesy-cutesy thing?
What's next?
Employee 1: "You hear about Bob?"
Employee 2: "Yeah, I hear he got spear-phished this weekend. I guess they gutted and scaled him, and supposedly they're going to pan-phry him."
Employee 1: "Well, it beats being served in a tuna salad!"
Employee 2: "What the hell, exactly, are we talking about?"
"Beware of bugs in the above code; I have only proved it correct, not tried it." -- Donald Knuth
Technology is advancing on all sectors.
Or does it? Jackont took his computer to the Israeli police last fall and was told to reformat it. But his problems persisted. So the police examined his computer more closely and discovered that a malicious program known as a Trojan horse lay hidden deep inside and had hijacked the machine from a remote location. Trojan horse? That's sooo 1000 BC. Was this trojan hiding in his BIOS or is this guy incompetent?
The only new thing is this "spear-phishing" is a specialized group of phishers concentrating on specific targets, using usual techniques but more effectively. Hmm, I just *might* use a CD from a friend. I suppose I should point out that Linux is perfectly vulnerable to trojans (sure they won't run as root, but they can do nasty enough stuff as you)
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
When you install the OS, the MBR is overwritten.
Memory resident ones? If he reformatted then he reinstalled the OS and if he reinstalled he rebooted and if he rebooted.... you figure it out.
GP is correct, the story makes no sense.
People don't like it when I say this, but it's like being raped. It's like my underwear was spread all over the streets. It was a severe breach of privacy.
I'd like to be the cop that treats this like they do when they try to tell young girl rape victims it's their fault...
Well, look at ya! is that all you put on as a browser?!
Yea, this is just what I usually put on, Internet Explorer.
Well there ya go... You're going out on the internet putting on nothing but a skimpy browser, making all sorts of purchases, without any sort of protection? No wonder you're gettin yourself raped!
See why whitelisting your contacts is important? The problem is that people want to use their computer the way they use their washing machine. They think that just because they have "auto-update on" for Windows and Norton, then they're safe. Unfortunately, they're not. If they use emails irresponsibly, they will get spammed/phished/worse. There is no miracle cure, but good internet "security" habits can help a lot. No amount of software can replace good habits and experience.
However, I feel that this is a battle that is already lost. How can I convince strangers to pick up good habits if I can't even convince my sister and father? All they care about is having a functional computer to send their emails and type their .docs whenever they need to do so. Any downtime is unacceptable, yet they refuse to acknowledge the fact that any downtime is usually their fault. PCs have become the 'automobiles' of the 21st century: "I don't care how it works, as long as it gets me to where I want to be."
Bah, maybe I'm wrong. Maybe I have too much free time, others don't have the luxury to care about these things. Still I'm the one who ends up fixing the PC/ taking the car to the mechanic....
Of course the Slashdot human-test image word was infects.
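A contact-whitelist check with look-alike detection, as an added example (not the article's or any commenter's code) for the whitelisting point above and for the altered-address trick mentioned earlier in the thread: exact matches are trusted, near-misses of a known contact are flagged, everything else is unknown. All addresses in it are constructed.

```python
"""Classify a sender as known, a look-alike of a known contact, or unknown.

Added example, not code from the article or from any mail client.
Contacts and senders are constructed.
"""
import re

def levenshtein(a, b):
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise(address):
    """Strip a display name and lower-case: 'Dana <Dana@Mail.Example>' -> 'dana@mail.example'."""
    m = re.search(r"<([^>]+)>", address)
    return (m.group(1) if m else address).strip().lower()

def classify_sender(sender, contacts, max_distance=2):
    """Return ("known", addr), ("lookalike", nearest_contact) or ("unknown", None).

    Local part and domain are compared separately, so a small change in
    either one (dana -> dana-r, bigbank -> b1gbank) is caught.
    """
    sender = normalise(sender)
    known = {normalise(c) for c in contacts}
    if sender in known:
        return ("known", sender)
    local, _, domain = sender.rpartition("@")
    best = None
    for contact in known:
        c_local, _, c_domain = contact.rpartition("@")
        distance = levenshtein(local, c_local) + levenshtein(domain, c_domain)
        if distance <= max_distance and (best is None or distance < best[0]):
            best = (distance, contact)
    return ("lookalike", best[1]) if best else ("unknown", None)

# Constructed address book used by the demonstration.
CONTACTS = ["Dana <Dana@mail.example>", "bob@bigbank.example"]

def triage(senders, contacts=CONTACTS):
    """Map each sender to its classification; a mail client could use this
    to mark look-alikes before the user reads the message."""
    return {s: classify_sender(s, contacts) for s in senders}
```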
I got one 'spear-phishing' email; it was easy of course to detect the scam involved, but initially it looked sincere since I am a programmer and from the Netherlands as claimed in the email.
It reads as follows:
Hello,
My friend give me your e-mail address. I think you are from Nederland, so you can help me. I am a programmer, I have some clients from Nederland that ready to pay me sending money by Bank transfer to a Nederland bank account, they cannot use WesternUnion office near their place, but I can receive only WesternUnion transfers here in my country. So - I need to find somebody who can receive this Bank transfer and re-send money to me by sending WesternUnion transfer.
If you help me - you will get 10% from transferred money (10% from 4000EUR = 400EUR to you from one transfer).
If you are ready to help,please e-mail me to LOOKJOB@AOL.COM.
Spear-phishing = social engineering via e-mail
Instead of telephoning some company and making believe you're their service provider to try and get the root password for some machine, one sends an email disguised as a legit email from a company with which a target company's employee has a commercial relation. Said email contains as payload an agent program which can be used to gather information/control the machine.
This is more powerful than old style social engineering, both because you directly get an agent running on a machine inside the target company's network and because the list of potential targets is bigger than just "the persons that have passwords to the company's servers".
NO FREAKIN WAY!
This must be a first.
CNET takes a year-old story about a bitter divorce and revenge, adds some buzzwords, information about very common, almost "old school", spamming and phishing techniques and we're all supposed to run around yelling "The sky is falling!!". Someone must be way behind on their copy output and have the FUD generators turned up to 11.
I'm sorry for those of you IT types who have managers or "super users" who learned everything they know about computers from reading PC Ragazine or CNET. I'm sure you'll be getting worried calls and emails today. Just what you need on a Monday.
"Well Ranger Brad, I'm a scientist. I don't believe in anything." - Dr. Roger Fleming
"It's like the Yom Kippur War or Pearl Harbor in the Israeli business market because of the great surprise the victims had when the problem was exposed,"
Hard to believe anything is a surprise in that area of the world anymore.
Join the Slashcott! Feb 10 thru Feb 17!
The latest tricks seem to be offering some special deal and all you have to do is login. Soon I expect most of them will be like "Dear Big Bank customer, you've been picked for 200,000 frequent miles" and then a login screen with spots for bank and airline details, and people may just give away all that info.
I've seen two messages that are heading in this direction and the banks better step up their education because more people will fall for these than the older scams.
And this isn't new.... This type of social engineering has been involved in fraud for a very long time.
Will there ever be a big push to standardise digital signatures and encryption in mail clients, both online (GMail etc.) and applications?
It seems to me it would help a lot.
It's possible that the user had an infected secondary hard drive.
I have half a mind to start a company that targets people whose computer freezes from all of the spy/ad/malware by claiming to offer something that will remove it. They, being tired of frozen screens, will give me the info I need.
I'll call it ice phishing.
I got spam-frittered the other day - they used the old 'spam, spam, spam, egg, chips and spam' attack, luckily I was phishing on the back of a trojan horse on my pharm - still, I was pretty phreaked. You know what I mean?
My health insurance company called.
First thing they want is my birthday.
I hesitate, and they say they have to confirm who I am before they can talk to me.
(Federal privacy regs, HIPAA, and all that).
I refuse, because I don't know if they are who they say they are.
They immediately understand, and give me a toll-free number that I can call into.
After I hang up, I realize that their number doesn't help me, because *they* gave it to me.
It isn't the number on my health insurance card.
I can't find it on their web page.
I google for it and get no hits.
So I still don't know who they are.
So I don't call the number.
Phishing? Probably not.
It probably was my health insurance company.
But it's been a couple of weeks now, and they haven't called back.
In the past, when they've wanted to talk to me, they've called every few days until they got hold of me.
So I don't really know...
From the article:
The offer required them to respond to INFO@targetdata.biz, a site registered to Haephrati. Responding to them would unleash the Trojan, which, according to records of the investigation, was impervious to antivirus and anti-Trojan software.
How does simply sending an email "unleash" the trojan?
I will never open my email or install anything on a PC again, I will become a self-contained unit.
I am a rock, I am an island. And a rock feels no pain, and an island never gets phished.
He who knows best knows how little he knows. - Thomas Jefferson
Hate to beat a dead horse, but here is an older Slashdot story about "spear phishing" here ...
Content Management System: A pretentious way of saying "text editor."
For the love of god! They took screenshots of his family! The BASTARDS!
I predict dynamite phishing.
For sale: one sig space, gently used. Inquire for details.
Egg (credit cards, UK)
Phoned me on my cellphone to check an unusual transaction (which I had actually made).
Fine, except it wasn't even a real person, and the system's first questions were the standard security questions I get when I call them.
So I hung up and called the number I knew, they confirmed it was them that called. I told them I thought what they were doing was very foolish, but there's only so much you can say to the call centre.
Still a bit surprised, but what can you do? I wonder if they are still doing it.
By the way this was months ago.
Respect copyright - the GPL relies on it.
Here's an editorial from over a year ago. The top topic is about a virus sent to a user of outpostnine from "management@outpostnine.com". The sender of the email didn't realize that the intended victim was actually the sole manager of the site.
B) The man only left 358,000 Euros, not 5 million.
Your hair look like poop, Bob! - Wanker.
Spear Phishing? Because it "targets specific people" ?
:)
Okay:
Jelly phishing - targeting politicians.
Salmon phishing - targeting gays.
Flounder phishing - targeting christians.
Tuna phishing - targeting pianists.
Shark phishing - targeting lawyers.
I am sure we could come up with others
The sea changes color, but the sea does not change.
I placed a local classified ad (print newspaper in rural Idaho) to sell a puppy a couple weeks back. It included my e-mail address if anyone wanted pictures.
One response I received was one in broken English asking for pictures and if the price was firm. I responded with photos and the price. The next response was 4 paragraphs of an overdraft money order scam, telling me they'd arrange for someone to pick up the dog, but to wire the excess funds back to an account in London, etc.
I was sort of impressed, considering how targeted the scam was.
-Charles
Learning HOW to think is more important than learning WHAT to think.
I am amazed to no end that once in a long while the media gets its hands around a concept that has been around for years. They then trump it up as this Next Big Thing (tm), only to shamefully admit later on that, no, it's actually been done before.
This is really not much different from remote dumpster diving. If I wanted specific, personal information from someone, I wouldn't need to go through very much trouble in getting it. Just as a security-conscious person would shred sensitive documents before committing them to the bin, one should also be careful revealing personal information to unknown individuals or companies asking for such sensitive information.
He correctly points out that webmail does put the originating IP in the email header, and therefore it can be traced.
I have discovered a truly remarkable proof for my post which this sig is too small to contain.
It's New York Times. CNET posted NYT's story on their Web site.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
It would be helpful if large companies had a simple way for their customers to authenticate email and telephone calls from that company. The phishers are getting better at what they do, and sometimes it is almost impossible to tell if an email is fake.
Mea navis aericumbens anguillis abundat
I have had two of those calls, and the person on the other end wanted to confirm recent transactions. Both calls were legit, but it's hard to know given the limited info they give. So I called the bank's number on the back the second time, and found out that someone was trying to use my card number in Sweden.
Old number cancelled, new card issued, situation resolved.
But still, the banks should let you know the numbers of the fraud departments that will be calling beforehand. The number they wanted me to call back on was totally different than the other numbers I had.
SYS 64738
If they are going to use the word "phishing" they at least need to haxor-up the word "spear" a little bit. Call it "Sphear phishing" or something 1337 like that.
Don't blame me, I voted for Cthulhu.
1) He was told to; this does not mean he did it.
2) He may not have done a proper full (MBR) reformat.
3) He may have backed up the infection vector with his "important" files, on other infected media.
4) If the infection vector was via email, he might have redownloaded and reopened the message from a POP/IMAP server that retained a copy.
It is also theoretically possible to make something that will survive anything short of degaussing or reformatting after taking apart the hard drive. Modern hard drives often include flashable firmware, a simple (roughly 486 grade) processor, and as much as 16MB of RAM. This is potentially powerful enough for a custom microkernel on the drive itself, able to meddle with the boot process and rootkit the OS as it loads into the machine's RAM. To implement something like this, a Black Hat would need to know the exact model drive and its firmware release, probably know the same on the motherboard as well, be able to work at (likely proprietary) machine language level for that model hard drive control board, and there would be nil room for error. On the bright side for the black hat, if done with the skill I'd expect from someone able to do the work at all, the only signs of infection would be a modest decrease in the hard drive performance, a few sectors marked as "bad", and the odd bit of (potentially intermittent and encrypted) network traffic.
I'd bet on numbers 1-4, though. A hard drive native rootkit is at least one full level beyond what Sysinternals called "a level of sophistication not seen in rootkits to date" on their RootkitRevealer page. Probably more than one. As far as I know, not even a lab example of such has been reported developed, and it doesn't sound like this guy is high enough on the NSA's SPECIAL Christmas card list to be likely to encounter one of their toys. But I like keeping the tin-foil hat crowd awake at night. =)
//Information does not want to be free; it wants to breed.
What gets me about this is that it's not new. Telephone scams of a similar nature have been around forever. And the defense is the same for both: never trust the other party if you didn't originate the call. Whether I'm getting an e-mail from PayPal about my account being locked or a phone call from American Express about potentially fraudulent activity on my card, my first reaction is to simply ignore everything the caller/sender tells me. I go to my own bookmarks and get to my account on the respective web sites from my own links, or I call the customer-service phone numbers I've already got for them. If the problem's real, there'll be a notice when I log in to my account or the customer service people will know about it. My URLs and phone numbers can't be fudged by the phishers, so I can be sure I got to the right site or company. This is simple, basic and easy. If people can't apply this simple rule, I have to ask "What's wrong with this picture?".
I just got an email from "EBay" (yeh, sure) that said they would add $20 to my account for taking a short survey. After the survey they ask for your credit card "so they can make the deposit". If it were real they would deposit to your PayPal registered at Ebay. I also got a letter from Canada telling me I had won $95,000 and enclosed was a check on an Illinois bank for a Minnesota company that ostensibly was for the tax I need to pay to release the 95. I think they call this a 419 scam if I remember rightly. Check bounces and you are out the $1900 you paid the "taxes" with. Very psychological but I know if it seems to be too good to be true ... well it for sure is.
I called the sheriff but they told me attempted fraud is not a crime - I actually have to be defrauded before they get involved. If that isn't the stupidest thing I ever heard I don't know what is. A genuine WTF.