Slashdot Mirror
Online Scammers Go Spear-Phishing
Ant wrote to mention an examination at C|NET looking into the increasingly more effective techniques employed by phishers. From the article: "More recently, however, a hybrid form of phishing, dubbed "spear-phishing," has emerged and raised alarms among the digital world's watchdogs. Spear-phishing is a distilled and potentially more potent version of phishing. That's because those behind the schemes bait their hooks for specific victims instead of casting a broad, ill-defined net across cyberspace hoping to catch throngs of unknown victims."
But her friend's e-mail was actually gur-r@zahav.net.il. As Israeli investigators traced the origin of the bogus account they discovered that the person who had opened it lived in London and had charged the cost of the account to his American Express card.
Are we to believe that these super-phishers don't know how to spoof a From: header?
Real Daleks don't climb stairs - they level the building.
I particularly love this part:
Jackont took his computer to the Israeli police last fall and was told to reformat it. But his problems persisted. So the police examined his computer more closely and discovered that a malicious program known as a Trojan horse lay hidden deep inside and had hijacked the machine from a remote location.
So he reformatted his drive but the virus was still there? What?
I'm sorry, but does it really take much effort to get the facts right? EVERYONE seems to get it wrong: CNN, MSNBC, the NY Times, CNET. Somehow, the writers chosen to pump out articles like this either don't really understand technology or just pick subjects of which they don't really know anything.
Take off every sig. For great justice.
Jackont took his computer to the Israeli police last fall and was told to reformat it. But his problems persisted.
So either he did not format it, or after formatting it, he did not properly protect it and got infected again.
Poor (usually Microsoft Windows) users who also have to be administrators. The key problem is just that current OSes are not for people without CS knowledge to use. They need appliances which are protected, on which they can not install more software and which are protected by a mixed contract of anti-virus anti-spyware and system update vendors.
As long as users have to administrate their system, whatever system, these kind of problems will continu to exist.
My wife's sketchblog Blob[p]: Gastrono-me
Phishing isn't a technology problem. If your computer has a virus, the bad guys can get your critical data without tricking it out of you. Phishing will always exist due to human nature.
Case in point: http://www.schneier.com/cgi-bin/mt/mt-tb.cgi/474/
in which a bank manager was convinced to leave 5 million under the door to a bathroom stall in a bar in Paris.
See why whitelisting your contacts is important ? The problem is that people want to use they computer the way they use their washing machine. They think that just because they have "auto-update on" for Windows and Norton, then they're safe. Unfortunately, they're not. If they use emails irresponsibly, they will get spammed/phished/worse. There is no miracle cure, but good internet "security" habits can help a lot. No amount of software can replace good habits and experience.
However, I feel that this is a battle that is already lost. How can I convince strangers to pick up good habits if I can't even convince my sister and father? All they care about is having a functional computer to send their emails and type their .docs whenever they need to do so. Any downtime is unacceptable, yet they refuse to acknowledge the fact that any downtime is usually their fault. PCs have become the 'automobiles' of the 21st century:" I don't care how it works, as long as it gets me to where I want to be."
Bah, maybe I'm wrong. Maybe I have too much free time, others don't have the luxury to care about these things. Still I'm the one who ends up fixing the PC/ taking the car to the mechanic....
Hate to burst your bubble here, but it's incredibly EASY to create a trojan horse in Linux. All you have to do is convince the user to run the program, and if they do that, no matter what the OS, the program the user runs has all the same privlidges as the user. Meaning if I want to covertly send all the user's files to an offsite location, I can because the user has read access to all those files. Sure I can't delete the whole hard drive, but seriously, what is the point in doing that? Even if you do delete the whole drive, outside of the home directories, who cares? Seriously, the kernel files are easily replaceable, the home directory files much less so....In conclusion, that was a pointless, completely wrong post by an open source fanboy, ie something that is incredibly common here...
*Note:I did not say that open source OSs do not have any security advantages, they usually do. However, the parent decided to mention trojan horses which are the easiest of all malware to write and probably the hardest to protect against.
Monstar L
CNET takes a year-old story about a bitter divorce and revenge, adds some buzzwords, information about very common, almost "old school", spamming and phishing techniques and we're all supposed to run around yelling "The sky is falling!!". Someone must be way behind on their copy output and have the FUD generators turned up to 11.
I'm sorry for those of you IT types who have managers or "super users" who learned everything they know about computers from reading PC Ragazine or CNET. I'm sure you'll be getting worried calls and emails today. Just what you need on a Monday.
"Well Ranger Brad, I'm a scientist. I don't believe in anything." - Dr. Roger Fleming
I have yet too see an applcation that does (only) this. And "8 out of 10 collegues here (in the IT) don't have a clue what a "path" in a e-mail is.
And if I was phishing, there are ways to get completely valid headers. For example, I live in the US. From here it is a simple task to send you a valid e-mail from the Cayman Islands. I have an account in the Cayman Islands. Using the Webmail interface, I can send an e-mail from there. If I scam someone in England for example and got the password for one of their e-mail accounts, I could scam someone in England by using the ISP Webmail interface and send a perfectly valid e-mail from the US that originated in England. By signing up for an account in England, using a bogus credit card, I could use VOIP and dial into the ISP in England from England (local number) and send a scam that way. Think outside the box. A local call doesn't have to be local anymore.
Some Nigerian scammers are using Canadian, Australian, and UK VOIP phones so they don't look like Nigerian scammers until you are hooked and find out where to send the Western Union money. I'm in England and not a Nigerian scammer.
The truth shall set you free!
All you have to do is convince the user to run the program, and if they do that, no matter what the OS, the program the user runs has all the same privlidges as the user.
.pif does not show)
This is a little harder to do. In windows all you have to do is convince the user to look at these pictures of my naked wife wife.gif.pif (the
In linux you have to convince the user to save the attachment, change it's attributes to include execute and explain why the file must be executed instead of viewed.
Convincing the user is much harder in Linux. Microsoft has blurred the line between executing a program and viewing a file. Linux still makes it harder to trick a user into running a program.
The truth shall set you free!
A couple of months ago I received a message on my home phone from American Express concerning "suspicious activity on my card."
So did I. I knew it was a phishing call. I was polite and refused to give my paticulars and asked about the activity. I asked if I gave the last 4 digits if they could verify the address. They said no they needed the full number, exp date, name as it is on the card and the verification number. I then told them I do not have an American Express card. I then called American Express and gave them the phishing information.
If a bank is having their customer base phished, and you don't have an account, let the bank know anyway instead of ignoring it. You may protect your neighbors.
The truth shall set you free!
Certainly, it is quite easy to nuke a home directory, but that doesn't mean there aren't any benefits. The first that occurs to me is that a normal user can't install a service that runs at boot automatically. They also don't have permission to do things like open certain ports.
So, on Windows, as long as the average user is running your code, you can very easily have an FTP server running at boot which the user can't kill. It can run silently for a very long time, making available keylogs or whatever else.
On Linux/BSD/OS-X, the danger is slightly reduced. Sure, you can monitor a single user's access, and you can open up a port > 1024. You can certainly nuke the home directory, which would be horribly bad news for a lot of users. But, it is always possible to log in as another user and kill whatever it is. When you are running as another user, you will be fairly confident that you can at least see any problems that might present themselves. With windows, any app can make itself invisible to normal means of inspection (See Sony rootkit!).
There are some *nix fanboys who overstate the protections, certainly. But, "not much real extra security" is a hell of a lot better than "what in god's name were those chimp brained fucktards thinking?"