Online Scammers Go Spear-Phishing
Ant wrote to mention an examination at C|NET looking into the increasingly more effective techniques employed by phishers. From the article: "More recently, however, a hybrid form of phishing, dubbed "spear-phishing," has emerged and raised alarms among the digital world's watchdogs. Spear-phishing is a distilled and potentially more potent version of phishing. That's because those behind the schemes bait their hooks for specific victims instead of casting a broad, ill-defined net across cyberspace hoping to catch throngs of unknown victims."
But her friend's e-mail was actually gur-r@zahav.net.il. As Israeli investigators traced the origin of the bogus account they discovered that the person who had opened it lived in London and had charged the cost of the account to his American Express card.
Are we to believe that these super-phishers don't know how to spoof a From: header?
Real Daleks don't climb stairs - they level the building.
...which you should worry about. Viruses which create havoc and draw attention to themselves should be less of a concern.
If software has been created for a specific attack, then standard virus scanners will never pick up its signature.
http://michaelsmith.id.au
I particularly love this part:
Jackont took his computer to the Israeli police last fall and was told to reformat it. But his problems persisted. So the police examined his computer more closely and discovered that a malicious program known as a Trojan horse lay hidden deep inside and had hijacked the machine from a remote location.
So he reformatted his drive but the virus was still there? What?
I'm sorry, but does it really take much effort to get the facts right? EVERYONE seems to get it wrong: CNN, MSNBC, the NY Times, CNET. Somehow, the writers chosen to pump out articles like this either don't really understand technology or just pick subjects of which they don't really know anything.
Take off every sig. For great justice.
Jackont took his computer to the Israeli police last fall and was told to reformat it. But his problems persisted.
So either he did not format it, or after formatting it, he did not properly protect it and got infected again.
Poor (usually Microsoft Windows) users who also have to be administrators. The key problem is just that current OSes are not for people without CS knowledge to use. They need appliances which are protected, on which they can not install more software and which are protected by a mixed contract of anti-virus anti-spyware and system update vendors.
As long as users have to administrate their system, whatever system, these kinds of problems will continue to exist.
My wife's sketchblog Blob[p]: Gastrono-me
People run an operating system known to be vulnerable to Trojan Horse infections. They haven't had the source code independently audited and verified. They believe the headers in e-mail messages. And then they get infected by a Trojan horse.
The only surprise is it's taken this long for it to get noticed.
As long as people have had weaknesses, there have been other people out there seeking to exploit those weaknesses. That's just human nature; and if you fail to account for it, you might just as well have failed to account for gravity. The moment you put someone in front of a computer, they panic and lose all semblance of common sense. That also is human nature.
I believe Microsoft are complicit in all this, because it was Microsoft's deliberate design decision that the users of those computers did not have to give consent for a process to run as root. But whoever picked Microsoft must share some of the blame, since they basically decided that the integrity of their computer systems was less important than a pretty user interface.
Je fume. Tu fumes. Nous fûmes!
Looks like good old-fashioned social engineering to me, probably kicking off with some even more old-fashioned dumpster-diving to get the names and addresses of the target's friends and acquaintances.
When I am king, you will be first against the wall.
Also from the article:
Some computer security specialists suggest at least one basic approach that might allow e-mail recipients to learn right away that a communique appearing to come from a company like Amazon.com actually originated somewhere in the Ukraine, Romania, Bulgaria, Poland, Russia or any of the other places that law enforcement officials say are hot spots for phishing scams. "It strikes me that this is just a failure of most e-mail systems to reveal the history of an e-mail," said Whitfield Diffie, a pioneer in computer cryptography who is the chief security officer of Sun Microsystems. "You could post a warning flag indicating that the 'from' address doesn't seem consistent with the path history."
I have yet to see an application that does (only) this. And 8 out of 10 colleagues here (in IT) don't have a clue what a "path" in an e-mail is.
Anyway, the gist of the article was in the start: that some phisher used a fake e-mail address where the from was NOT faked, but contained a small alteration that does not show at first. Since no anti-spam/anti-phisher can protect against that, you leave the people who run the most up-to-date anti-spam believing the mail is trusted. Even the journalist has problems explaining that a technical solution is not the final solution.
By the way: you Americans do not have to worry so much since you seem to care so much for privacy.
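Added example (not part of the original thread or the C|NET article): a sketch of the warning flag Diffie describes in the quote above, combined with a check for the near-miss sender address the comment mentions. The contact list, sample message, function names and the two-edit threshold are assumptions made for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed data: the contact list and the message are made up for this example.
KNOWN_CONTACTS = {"dana-k@mail.example.net", "billing@shop.example.com"}
SAMPLE = """\
Received: from mx.shop.example.com (mx.shop.example.com [192.0.2.10])
\tby inbox.example.org; Mon, 5 Dec 2005 09:00:00 +0000
Received: from dsl-44.isp.example (dsl-44.isp.example [198.51.100.7])
\tby mx.shop.example.com; Mon, 5 Dec 2005 08:59:58 +0000
From: Dana <dana_k@mail.example.net>
Subject: photos

hi
"""

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def org_domain(host):
    # Assumption: the last two labels identify the organisation. Real code needs
    # the Public Suffix List (this is wrong for names under e.g. net.il or co.uk).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_message(raw, contacts=KNOWN_CONTACTS):
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    # Near-miss check: unknown sender within two edits of a known contact.
    lookalike_of = [] if sender in contacts else sorted(
        c for c in contacts if edit_distance(sender, c) <= 2)
    # Path check: does any relay named in Received share the From domain?
    # Hops below the first server you trust can be forged, so this is a hint only.
    relays = [re.match(r"\s*from\s+(\S+)", h) for h in msg.get_all("Received") or []]
    path = {org_domain(m.group(1)) for m in relays if m}
    mismatch = bool(path) and org_domain(sender.rpartition("@")[2]) not in path
    return {"sender": sender, "lookalike_of": lookalike_of, "path_mismatch": mismatch}

if __name__ == "__main__":
    print(check_message(SAMPLE))
```

A mail client could show both results as a banner next to the sender line; neither check replaces the recipient confirming an unexpected attachment with the sender through another channel.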
Explicitly casting further with new lures, the phishers trolled, hoping for more bytes on the (on)line. The emails of the species were particularly at risk, as their outlook was not so good to begin with.
Some sought harbour in the eBay, hoping their bet paid off. Last I heard, the feedback was good.
Maybe our only hope is growing legs and migrating to the LAN.
Stuck down a hole! In the middle of the night! With an owl!
Phishing isn't a technology problem. If your computer has a virus, the bad guys can get your critical data without tricking it out of you. Phishing will always exist due to human nature.
Case in point: http://www.schneier.com/cgi-bin/mt/mt-tb.cgi/474/
in which a bank manager was convinced to leave 5 million under the door to a bathroom stall in a bar in Paris.
DO NOT WORRY, my GOOD FRIEND.
PHISHING claims many LIVES, but YOU TOO can be SAFE when you use our SECURE SOFTWARE to protect your family from PHISHING. BUT alas, my COMPANY lacks FUNDS to share this SECURE SOFTWARE with GOOD PEOPLE like you. THIS TRAGIC moment for our company can only be FIXED by your kind SERVICES. PLEASE transfer ONE THOUSAND DOLLARS to me at the GOVERNMENT SOFTWARE FOUNDATION OF NIGERIA so we can all SHARE this SECURE SOFTWARE.
ATTACHED is a special TRIAL of this very SECURE SOFTWARE, just for YOU. DO NOT HESITATE to protect yourself from the deadly THREAT of PHISHING.
I'm calling the "Metaphor and Analogy" police, if there is such a thing.
Why is it that EVERYTHING involving computers and the internets ends up becoming some cutesy-cutesy thing?
What's next?
Employee 1: "You hear about Bob?"
Employee 2: "Yeah, I hear he got spear-phished this weekend. I guess they gutted and scaled him, and supposedly they're going to pan-phry him."
Employee 1: "Well, it beats being served in a tuna salad!"
Employee 2: "What the hell, exactly, are we talking about?"
"Beware of bugs in the above code; I have only proved it correct, not tried it." -- Donald Knuth
People don't like it when I say this, but it's like being raped. It's like my underwear was spread all over the streets. It was a severe breach of privacy.
I'd like to be the cop that treats this like they do when they try to tell young girl rape victims it's their fault...
Well, look at ya! is that all you put on as a browser?!
Yea, this is just what I usually put on, Internet Explorer.
Well there ya go... You're going out on the internet putting on nothing but a skimpy browser, making all sorts of purchases, without any sort of protection? No wonder you're gettin yourself raped!
See why whitelisting your contacts is important? The problem is that people want to use their computer the way they use their washing machine. They think that just because they have "auto-update on" for Windows and Norton, then they're safe. Unfortunately, they're not. If they use emails irresponsibly, they will get spammed/phished/worse. There is no miracle cure, but good internet "security" habits can help a lot. No amount of software can replace good habits and experience.
However, I feel that this is a battle that is already lost. How can I convince strangers to pick up good habits if I can't even convince my sister and father? All they care about is having a functional computer to send their emails and type their .docs whenever they need to do so. Any downtime is unacceptable, yet they refuse to acknowledge the fact that any downtime is usually their fault. PCs have become the 'automobiles' of the 21st century: "I don't care how it works, as long as it gets me to where I want to be."
Bah, maybe I'm wrong. Maybe I have too much free time, others don't have the luxury to care about these things. Still I'm the one who ends up fixing the PC/ taking the car to the mechanic....
Spear-phishing = social engineering via e-mail
Instead of telephoning some company and making believe you're their service provider to try and get the root password for some machine, one sends an email disguised as a legit email from a company with which a target company's employee has a commercial relation. Said email contains as payload an agent program which can be used to gather information/control the machine.
This is more powerful than old-style social engineering, both because you directly get an agent running on a machine inside the target company's network and because the list of potential targets is bigger than just "the persons that have passwords to the company's servers".
CNET takes a year-old story about a bitter divorce and revenge, adds some buzzwords, information about very common, almost "old school", spamming and phishing techniques and we're all supposed to run around yelling "The sky is falling!!". Someone must be way behind on their copy output and have the FUD generators turned up to 11.
I'm sorry for those of you IT types who have managers or "super users" who learned everything they know about computers from reading PC Ragazine or CNET. I'm sure you'll be getting worried calls and emails today. Just what you need on a Monday.
"Well Ranger Brad, I'm a scientist. I don't believe in anything." - Dr. Roger Fleming
I have half a mind to start a company that targets people whose computer freezes from all of the spy/ad/malware by claiming to offer something that will remove it. They, being tired of frozen screens, will give me the info I need.
I'll call it ice phishing.
I got spam-frittered the other day - they used the old 'spam, spam, spam, egg, chips and spam' attack, luckily I was phishing on the back of a trojan horse on my pharm - still, I was pretty phreaked. You know what I mean?
My health insurance company called.
First thing they want is my birthday.
I hesitate, and they say they have to confirm who I am before they can talk to me.
(Federal privacy regs, HIPAA, and all that).
I refuse, because I don't know if they are who they say they are.
They immediately understand, and give me a toll-free number that I can call into.
After I hang up, I realize that their number doesn't help me, because *they* gave it to me.
It isn't the number on my health insurance card.
I can't find it on their web page.
I google for it and get no hits.
So I still don't know who they are.
So I don't call the number.
Phishing? Probably not.
It probably was my health insurance company.
But it's been a couple of weeks now, and they haven't called back.
In the past, when they've wanted to talk to me,
they've called every few days until they got hold of me.
So I don't really know...
Hate to beat a dead horse, but here is an older Slashdot story about "spear phishing" here ...
Content Management System: A pretentious way of saying "text editor."
B) The man only left 358,000 Euros, not 5 million.
Your hair look like poop, Bob! - Wanker.
Spear Phishing? Because it "targets specific people" ?
:)
Okay:
Jelly phishing - targeting politicians.
Salmon phishing - targeting gays.
Flounder phishing - targeting christians.
Tuna phishing - targeting pianists.
Shark phishing - targeting lawyers.
I am sure we could come up with others
The sea changes color, but the sea does not change.