Online Scammers Go Spear-Phishing
Ant wrote to mention an examination at C|NET looking into the increasingly effective techniques employed by phishers. From the article: "More recently, however, a hybrid form of phishing, dubbed 'spear-phishing,' has emerged and raised alarms among the digital world's watchdogs. Spear-phishing is a distilled and potentially more potent version of phishing. That's because those behind the schemes bait their hooks for specific victims instead of casting a broad, ill-defined net across cyberspace hoping to catch throngs of unknown victims."
But her friend's e-mail was actually gur-r@zahav.net.il. As Israeli investigators traced the origin of the bogus account they discovered that the person who had opened it lived in London and had charged the cost of the account to his American Express card.
Are we to believe that these super-phishers don't know how to spoof a From: header?
Real Daleks don't climb stairs - they level the building.
I particularly love this part:
Jackont took his computer to the Israeli police last fall and was told to reformat it. But his problems persisted. So the police examined his computer more closely and discovered that a malicious program known as a Trojan horse lay hidden deep inside and had hijacked the machine from a remote location.
So he reformatted his drive but the virus was still there? What?
I'm sorry, but does it really take much effort to get the facts right? EVERYONE seems to get it wrong: CNN, MSNBC, the NY Times, CNET. Somehow, the writers chosen to pump out articles like this either don't really understand technology or just pick subjects of which they don't really know anything.
Take off every sig. For great justice.
Phishing isn't a technology problem. If your computer has a virus, the bad guys can get your critical data without tricking it out of you. Phishing will always exist due to human nature.
Case in point: http://www.schneier.com/cgi-bin/mt/mt-tb.cgi/474/
in which a bank manager was convinced to leave 5 million under the door to a bathroom stall in a bar in Paris.
I have yet to see an application that does (only) this. And 8 out of 10 colleagues here (in the IT) don't have a clue what a "path" in an e-mail is.
And if I was phishing, there are ways to get completely valid headers. For example, I live in the US. From here it is a simple task to send you a valid e-mail from the Cayman Islands. I have an account in the Cayman Islands. Using the Webmail interface, I can send an e-mail from there. If I scammed someone in England, for example, and got the password for one of their e-mail accounts, I could scam someone in England by using the ISP Webmail interface and send a perfectly valid e-mail from the US that originated in England. By signing up for an account in England, using a bogus credit card, I could use VOIP and dial into the ISP in England from England (local number) and send a scam that way. Think outside the box. A local call doesn't have to be local anymore.
Some Nigerian scammers are using Canadian, Australian, and UK VOIP phones so they don't look like Nigerian scammers until you are hooked and find out where to send the Western Union money. I'm in England and not a Nigerian scammer.
The truth shall set you free!
All you have to do is convince the user to run the program, and if they do that, no matter what the OS, the program the user runs has all the same privileges as the user.
This is a little harder to do. In Windows all you have to do is convince the user to look at these pictures of my naked wife wife.gif.pif (the .pif does not show).
In Linux you have to convince the user to save the attachment, change its attributes to include execute and explain why the file must be executed instead of viewed.
Convincing the user is much harder in Linux. Microsoft has blurred the line between executing a program and viewing a file. Linux still makes it harder to trick a user into running a program.
The truth shall set you free!
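An added example, not part of the original thread: a mail-filter check for the disguise described in the comment above, where an attachment such as wife.gif.pif displays only its decoy extension. The extension lists and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string, policy

# Assumption: illustrative, non-exhaustive lists chosen for this example.
EXECUTABLE_EXTS = {"pif", "exe", "scr", "com", "bat", "cmd", "vbs", "js", "lnk"}
DECOY_EXTS = {"gif", "jpg", "jpeg", "png", "bmp", "pdf", "doc", "txt", "zip"}

def classify_filename(name):
    """Return 'disguised', 'executable' or 'ok' for an attachment filename."""
    parts = name.strip().lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    # Executable final extension preceded by a document/image extension;
    # strip() catches padding such as "photo.jpg      .scr".
    if len(parts) >= 3 and parts[-2].strip() in DECOY_EXTS:
        return "disguised"
    return "executable"

def scan_message(raw):
    """Return [(filename, verdict)] for each attachment that is not 'ok'."""
    msg = message_from_string(raw, policy=policy.default)
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    return [(n, classify_filename(n)) for n in names if classify_filename(n) != "ok"]

# Constructed sample message (not taken from any real mail).
SAMPLE = """\
Subject: pictures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

see attached
--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="wife.gif.pif"

AAAA
--XX
Content-Type: image/gif
Content-Disposition: attachment; filename="holiday.gif"

AAAA
--XX--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

A gateway would typically quarantine the "disguised" verdict outright and treat plain "executable" according to local policy.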
A couple of months ago I received a message on my home phone from American Express concerning "suspicious activity on my card."
So did I. I knew it was a phishing call. I was polite and refused to give my particulars and asked about the activity. I asked if I gave the last 4 digits if they could verify the address. They said no they needed the full number, exp date, name as it is on the card and the verification number. I then told them I do not have an American Express card. I then called American Express and gave them the phishing information.
If a bank is having their customer base phished, and you don't have an account, let the bank know anyway instead of ignoring it. You may protect your neighbors.
The truth shall set you free!