Slashdot Mirror


Online Scammers Go Spear-Phishing

Ant wrote to mention an examination at C|NET looking into the increasingly more effective techniques employed by phishers. From the article: "More recently, however, a hybrid form of phishing, dubbed "spear-phishing," has emerged and raised alarms among the digital world's watchdogs. Spear-phishing is a distilled and potentially more potent version of phishing. That's because those behind the schemes bait their hooks for specific victims instead of casting a broad, ill-defined net across cyberspace hoping to catch throngs of unknown victims."

18 of 144 comments

  1. This is weird. by meringuoid · · Score: 4, Insightful
    According to records of the Israeli investigation, Wieseltier told authorities that she received a Trojan-infested e-mail message bearing the address of gur_r@zahav.net.il, which she believed came from a friend.

    But her friend's e-mail was actually gur-r@zahav.net.il. As Israeli investigators traced the origin of the bogus account they discovered that the person who had opened it lived in London and had charged the cost of the account to his American Express card.

    Are we to believe that these super-phishers don't know how to spoof a From: header?

    --
    Real Daleks don't climb stairs - they level the building.
  2. bullshit article by eobanb · · Score: 5, Insightful

    I particularly love this part:

    Jackont took his computer to the Israeli police last fall and was told to reformat it. But his problems persisted. So the police examined his computer more closely and discovered that a malicious program known as a Trojan horse lay hidden deep inside and had hijacked the machine from a remote location.

    So he reformatted his drive but the virus was still there? What?

    I'm sorry, but does it really take much effort to get the facts right? EVERYONE seems to get it wrong: CNN, MSNBC, the NY Times, CNET. Somehow, the writers chosen to pump out articles like this either don't really understand technology or just pick subjects of which they don't really know anything.

    --

    Take off every sig. For great justice.

    1. Re:bullshit article by Sir+Runcible+Spoon · · Score: 4, Informative

      There is more than one way to format a disk. If you do it with FDISK and don't provide the /MBR option it does not recreate the master boot record. If your virus is hiding there it will survive.

    2. Re:bullshit article by Motherfucking+Shit · · Score: 5, Interesting
      EVERYONE seems to get it wrong: CNN, MSNBC, the NY Times, CNET. Somehow, the writers chosen to pump out articles like this either don't really understand technology or just pick subjects of which they don't really know anything.
      And unfortunately, it's not all that unusual. After reading the article, I'm not so sure that "phishing" played a part at all, and I'm disappointed that C|Net is playing the media-hype-buzzword game beyond what could reasonably be expected. I figure that [MS]NBC, CNN, and the other networks will get this sort of thing wrong, but C|Net is fairly reputable when it comes to tech reporting.

      FTA,
      Last spring, staff, faculty and students at the University of Kentucky opened e-mail messages purporting to be from the university's credit union and requesting confidential information to access their accounts (something no financial institution in the country ever seeks via e-mail).
      That isn't "spear phishing," and sure as hell doesn't warrant the coining of a new term. It might be considered normal "phishing," if only the author had a clue. Just because a "phish" is targeted at a particular group doesn't make it any more special than the everyday eBay "phish" spammed at random to ten million email addresses. This whole "spear phishing" thing is a contrived buzzword like "spim" (or "Cyber Monday"). Spam over IM is still spam, it doesn't need a new term. Phishing for particular targets is still phishing - I even hate that term, really - and doesn't need a new cyberbuzzword.

      Free clue-by-four: the term "phishing" gained popularity on AOL some 6 or 8 years ago, and described the practice of attempting to solicit passwords from unsuspecting users. No matter how simplistic or elaborate the scheme, and regardless of whether normal users or employees were targeted in a blanket or with a direct ploy, it was always "phishing" (or ><> 'ing). Back then, the media hadn't yet caught on to the idea. Now that they've caught up, they want to call anything and everything "phishing."

      From TFA,
      About two weeks ago, a more traditional phishing scam infected about 30,000 individual computers worldwide, according to CipherTrust, a computer security firm.
      Are you kidding me? How does a "phishing scam" "infect" computers? "Phishing" is asking for information; it's impossible for a "phish" to infect anything.

      I've really lost some respect for C|Net on this one.
      --
      "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
    3. Re:bullshit article by Stiletto · · Score: 4, Insightful


      How about we just drop all the silly cyber-words and start calling it what it is: Fraud.

    4. Re:bullshit article by Woldry · · Score: 4, Insightful

      Nah, let's get even less specific and just call it "crime." Or wait! How about maybe just "bad"? While we're at it, let's stop all this silly talk of Fords and Saturns and SUVs and just call 'em all "cars". And we can definitely do without all of the ridiculous kitchen words like "fry" and "roast" and "microwave" and "steam" and "simmer" and just call it what it is: Cooking.

      "All the silly cyber-words" are useful means of distinguishing nuances of meaning -- identifying specific methods of fraud, for instance. "Phishing" refers to a specific method of fraud, and as such adds precision and power to the language. The coining of the new term -- "spear phishing" -- makes it clear that this is a special type of the more general method of phishing, and even provides a pretty clear image to identify the particular type. Identifying this particular subtype also is the first step toward arming people against it -- which may require slightly different methods of self-defense than arming people against more general phishing, or mail fraud, or flimflam scams at the bank, or car-in-distress fraud, or white collar crime, or "blind" panhandlers who can see perfectly well, or any of the other myriad varieties of fraud that exist out there. Lumping them all together with a single word is sometimes useful, but "just dropping" all the language that draws useful distinctions between them is what is "silly".

      --
      How can a post be modded "overrated" or "underrated" when it hasn't been rated yet?
  3. the path! Re:This is weird. by leuk_he · · Score: 5, Interesting

    also from the article:

    Some computer security specialists suggest at least one basic approach that might allow e-mail recipients to learn right away that a communique appearing to come from a company like Amazon.com actually originated somewhere in the Ukraine, Romania, Bulgaria, Poland, Russia or any of the other places that law enforcement officials say are hot spots for phishing scams. "It strikes me that this is just a failure of most e-mail systems to reveal the history of an e-mail," said Whitfield Diffie, a pioneer in computer cryptography who is the chief security officer of Sun Microsystems. "You could post a warning flag indicating that the 'from' address doesn't seem consistent with the path history."

    I have yet to see an application that does (only) this. And 8 out of 10 colleagues here (in IT) don't have a clue what a "path" in an e-mail is.

    Anyway, the gist of the article was in the start that some phisher used a fake e-mail address where the From was NOT faked, but contained a small alteration that does not show at first. Since no anti-spam/anti-phisher can protect against that, you leave the people who run the most up-to-date anti-spam believing the mail is trusted. Even the journalist has problems explaining that a technical solution is not the final solution.

    By the way: you Americans do not have to worry so much, since you seem to care so much for privacy.

    1. Re:the path! Re:This is weird. by Technician · · Score: 4, Insightful

      I have yet to see an application that does (only) this. And 8 out of 10 colleagues here (in IT) don't have a clue what a "path" in an e-mail is.

      And if I was phishing, there are ways to get completely valid headers. For example, I live in the US. From here it is a simple task to send you a valid e-mail from the Cayman Islands. I have an account in the Cayman Islands. Using the Webmail interface, I can send an e-mail from there. If I scam someone in England for example and got the password for one of their e-mail accounts, I could scam someone in England by using the ISP Webmail interface and send a perfectly valid e-mail from the US that originated in England. By signing up for an account in England, using a bogus credit card, I could use VOIP and dial into the ISP in England from England (local number) and send a scam that way. Think outside the box. A local call doesn't have to be local anymore.

      Some Nigerian scammers are using Canadian, Australian, and UK VOIP phones so they don't look like Nigerian scammers until you are hooked and find out where to send the Western Union money. I'm in England and not a Nigerian scammer.

      --
      The truth shall set you free!
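Both points raised in leuk_he's comment, Diffie's flag for a From: address that "doesn't seem consistent with the path history" and the near-miss sender (gur_r versus gur-r) that no spam filter catches, can be turned into simple client-side warnings. The code below is an added example, not code from the article or from any poster; the messages, hosts, IP addresses and address-book entries are constructed for it. It flags a From: domain that never appears in the Received: chain, and a sender that is one character away from a known contact. As Technician's reply notes, mail sent through a genuinely obtained account in the claimed domain passes the path check, so both flags are warnings, not verdicts.

```python
"""Two mail-client warning flags for an RFC 822 message.

1. Path consistency: does the From: domain appear anywhere in the
   Received: chain?  If not, flag the message.
2. Lookalike sender: is the From: address a near miss of a known contact
   (gur_r@... versus gur-r@...)?

All hosts, addresses and messages below are constructed for this example.
"""
import difflib
import email
import re
from email import policy
from email.utils import parseaddr

# Each hop prepends its own Received: header, so the first header in the
# message is the last hop and the last header is the hop nearest the sender.
RECEIVED_FROM = re.compile(r"^from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def received_hosts(msg):
    """Sending hosts named in the Received: chain, oldest hop first."""
    hosts = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_FROM.match(" ".join(str(value).split()))
        if m:
            hosts.append(m.group(1).lower().rstrip("."))
    hosts.reverse()
    return hosts


def from_address(msg):
    """Bare address from the From: header, lower-cased."""
    return parseaddr(str(msg["From"]))[1].lower()


def path_consistent(msg):
    """True if some hop in the Received chain is in the From: domain.

    A heuristic, not proof: legitimate senders relay through third-party
    providers, and a phisher sending from a compromised account in the
    claimed domain passes this check with perfectly valid headers.
    """
    domain = from_address(msg).rpartition("@")[2]
    return any(h == domain or h.endswith("." + domain) for h in received_hosts(msg))


def lookalike_of(addr, known, threshold=0.9):
    """Known contact that `addr` nearly, but not exactly, matches; else None."""
    addr = addr.lower()
    best, best_ratio = None, 0.0
    for contact in (k.lower() for k in known):
        if contact == addr:
            return None  # exact match: a genuine contact, nothing to flag
        ratio = difflib.SequenceMatcher(None, addr, contact).ratio()
        if ratio > best_ratio:
            best, best_ratio = contact, ratio
    return best if best_ratio >= threshold else None


def warnings_for(raw, known_contacts):
    """Warning flags a mail client could show for `raw` (an RFC 822 message)."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    if not path_consistent(msg):
        flags.append("from-domain-not-in-path")
    twin = lookalike_of(from_address(msg), known_contacts)
    if twin:
        flags.append(f"lookalike-of:{twin}")
    return flags


# Constructed sample 1: claims to be amazon.com but entered the mail system
# from an unrelated DSL host (addresses are from documentation ranges).
SPOOFED_FROM = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.victim.example with ESMTP id ABC123; Sat, 5 Nov 2005 10:00:00 +0000
Received: from dsl-5.isp.example.net (dsl-5.isp.example.net [203.0.113.5])
\tby mx.example.org with SMTP id XYZ789; Sat, 5 Nov 2005 09:59:58 +0000
From: "Amazon.com" <account-update@amazon.com>
To: victim@victim.example
Subject: Verify your account

Please confirm your details.
"""

# Constructed sample 2: the From: address is real and the path is consistent,
# but the address is one character off a contact in the address book.
LOOKALIKE = """\
Received: from smtp.zahav.net.il (smtp.zahav.net.il [192.0.2.20])
\tby mail.victim.example with ESMTP id DEF456; Sat, 5 Nov 2005 11:00:00 +0000
From: gur_r@zahav.net.il
To: victim@victim.example
Subject: photos

See attachment.
"""

ADDRESS_BOOK = ["gur-r@zahav.net.il", "friend@example.com"]

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED_FROM), ("lookalike", LOOKALIKE)]:
        print(name, warnings_for(raw, ADDRESS_BOOK) or ["no flags"])
```

Run as a script it prints one line per sample: the amazon.com message trips only the path flag, the zahav.net.il message only the lookalike flag. The similarity threshold of 0.9 is an assumption tuned to catch a single substituted character in an address of ordinary length; shorter addresses need a lower threshold or an edit-distance check instead.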
  4. C Food by mysticwhiskey · · Score: 5, Funny
    From the beginning, life in the C was perilous. Once in the 'net, our shells were vulnerable. They tried to bait us with spam & worms, and while most found those tasteless, some were hooked.

    Explicitly casting further with new lures, the phishers trolled, hoping for more bytes on the (on)line. The emails of the species were particularly at risk, as their outlook was not so good to begin with.

    Some sought harbour in the eBay, hoping their bet paid off. Last I heard, the feedback was good.

    Maybe our only hope is growing legs and migrating to the LAN.

    --

    Stuck down a hole! In the middle of the night! With an owl!

  5. The problem isn't Windows by wk633 · · Score: 4, Insightful

    Phishing isn't a technology problem. If your computer has a virus, the bad guys can get your critical data without tricking it out of you. Phishing will always exist due to human nature.

    Case in point: http://www.schneier.com/cgi-bin/mt/mt-tb.cgi/474/

    in which a bank manager was convinced to leave 5 million under the door to a bathroom stall in a bar in Paris.

  6. FROM GOVERNMENT SOFTWARE FOUNDATION OF NIGERIA by n0dalus · · Score: 4, Funny

    DO NOT WORRY, my GOOD FRIEND.

    PHISHING claims many LIVES, but YOU TOO can be SAFE when you use our SECURE SOFTWARE to protect your family from PHISHING. BUT alas, my COMPANY lacks FUNDS to share this SECURE SOFTWARE with GOOD PEOPLE like you. THIS TRAGIC moment for our company can only be FIXED by your kind SERVICES. PLEASE transfer ONE THOUSAND DOLLARS to me at the GOVERNMENT SOFTWARE FOUNDATION OF NIGERIA so we can all SHARE this SECURE SOFTWARE.

    ATTACHED is a special TRIAL of this very SECURE SOFTWARE, just for YOU. DO NOT HESITATE to protect yourself from the deadly THREAT of PHISHING.

  7. That does it. by sticks_us · · Score: 5, Funny

    I'm calling the "Metaphor and Analogy" police, if there is such a thing.

    Why is it that EVERYTHING involving computers and the internets ends up becoming some cutesy-cutesy thing?

    What's next?

    Employee 1: "You hear about Bob?"

    Employee 2: "Yeah, I hear he got spear-phished this weekend. I guess they gutted and scaled him, and supposedly they're going to pan-phry him."

    Employee 1: "Well, it beats being served in a tuna salad!"

    Employee 2: "What the hell, exactly, are we talking about?"

    --
    "Beware of bugs in the above code; I have only proved it correct, not tried it." -- Donald Knuth
  8. Drama queen by bumptehjambox · · Score: 5, Funny
    Sorry for the 'spoiler,' but what a grand finale at the end of the article.

    People don't like it when I say this, but it's like being raped. It's like my underwear was spread all over the streets. It was a severe breach of privacy.

    I'd like to be the cop that treats this like they do when they try to tell young girl rape victims it's their fault...
    Well, look at ya! is that all you put on as a browser?!
    Yea, this is just what I usually put on, Internet Explorer.
    Well there ya go... You're going out on the internet putting on nothing but a skimpy browser, making all sorts of purchases, without any sort of protection? No wonder you're gettin yourself raped!

  9. Phishing or not? by swm · · Score: 5, Interesting

    My health insurance company called.
    First thing they want is my birthday.
    I hesitate, and they say they have to confirm who I am before they can talk to me.
    (Federal privacy regs, HIPAA, and all that).

    I refuse, because I don't know if they are who they say they are.
    They immediately understand, and give me a toll-free number that I can call into.
    After I hang up, I realize that their number doesn't help me, because *they* gave it to me.

    It isn't the number on my health insurance card.
    I can't find it on their web page.
    I google for it and get no hits.
    So I still don't know who they are.
    So I don't call the number.

    Phishing? Probably not.
    It probably was my health insurance company.
    But it's been a couple of weeks now, and they haven't called back.
    In the past, when they've wanted to talk to me,
    they've called every few days until they got hold of me.

    So I don't really know...

    1. Re:Phishing or not? by Lord+Grey · · Score: 5, Interesting
      I'm glad to see that I'm not the only one.

      A couple of months ago I received a message on my home phone from American Express concerning "suspicious activity on my card." The message said really only that, and that I should call some toll-free number that wasn't printed on my card. There was no identifying information at all in the message, and to make matters stranger they were calling about a business card (they called me at home, not at work).

      So I called the number. I get a person almost immediately and there is quite a bit of background noise on the line. They ask for my card number. When I didn't tell them and started asking questions (trying to determine if the person really did work for AmEx), the guy got insistent and asked for my social security number. I refused to answer and asked more questions, but never got a good answer.

      I eventually hung up on the guy and then looked up AmEx's fraud prevention number in Google and called THAT. It turned out that someone really did hijack the card number from some vendor's database and there were 4-5 bogus purchases. We got the problem cleared up relatively quickly.

      The problem, however, is that the AmEx representative did not come across in a professional manner and his conversation with me served only to make me more suspicious. With all the phishing going on, I'm extremely leery of simply providing personal information upon request.

      --
      // Beyond Here Lie Dragons
    2. Re:Phishing or not? by Technician · · Score: 4, Insightful

      A couple of months ago I received a message on my home phone from American Express concerning "suspicious activity on my card."

      So did I. I knew it was a phishing call. I was polite and refused to give my particulars and asked about the activity. I asked if I gave the last 4 digits if they could verify the address. They said no, they needed the full number, exp date, name as it is on the card and the verification number. I then told them I do not have an American Express card. I then called American Express and gave them the phishing information.

      If a bank is having their customer base phished, and you don't have an account, let the bank know anyway instead of ignoring it. You may protect your neighbors.

      --
      The truth shall set you free!
  10. Re:Not news by Technician · · Score: 4, Insightful

    All you have to do is convince the user to run the program, and if they do that, no matter what the OS, the program the user runs has all the same privileges as the user.

    This is a little harder to do. In Windows all you have to do is convince the user to look at these pictures of my naked wife: wife.gif.pif (the .pif does not show).

    In Linux you have to convince the user to save the attachment, change its attributes to include execute, and explain why the file must be executed instead of viewed.

    Convincing the user is much harder in Linux. Microsoft has blurred the line between executing a program and viewing a file. Linux still makes it harder to trick a user into running a program.

    --
    The truth shall set you free!
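The "the .pif does not show" trick in the comment above works because Explorer and Outlook drop the final extension of a registered file type, so wife.gif.pif is listed as wife.gif. The code below is an added example, not code from the article or from the poster; it models that display rule and flags attachment names whose real, hidden extension is executable. The extension sets are the example's own short lists of well-known Windows types, and the sample attachment names are constructed.

```python
"""Model of how Windows displays attachment names, and a check for
executables hidden behind a harmless-looking extension (wife.gif.pif shown
as wife.gif).

The extension sets are this example's own short lists of well-known Windows
file types and are not exhaustive.
"""
import os

# Types Windows runs when double-clicked (not exhaustive).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs",
                   ".vbe", ".js", ".jse", ".wsf", ".hta", ".lnk", ".msi"}
# Types a user expects to open in a viewer, not run.
VIEWER_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".bmp", ".txt", ".doc",
               ".xls", ".pdf", ".zip"}
KNOWN_EXTS = EXECUTABLE_EXTS | VIEWER_EXTS
# Registered with NeverShowExt: hidden even when the user has turned on
# showing extensions for known file types.
ALWAYS_HIDDEN = {".pif", ".lnk"}


def real_extension(filename):
    """The extension Windows actually dispatches on: the last one."""
    return os.path.splitext(filename)[1].lower()


def displayed_name(filename, hide_known_exts=True):
    """Name as Explorer/Outlook shows it.  With the default setting the last
    extension of any registered type is dropped; .pif and .lnk always are."""
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext in ALWAYS_HIDDEN or (hide_known_exts and ext in KNOWN_EXTS):
        return stem
    return filename


def is_disguised_executable(filename):
    """True if the file would run as a program but is shown to the user as a
    document or image.  Padding blanks before the real extension
    ("readme.txt   .scr") are tolerated; they are easy to overlook in a list."""
    if real_extension(filename) not in EXECUTABLE_EXTS:
        return False
    shown_ext = os.path.splitext(displayed_name(filename).rstrip())[1].lower()
    return shown_ext in VIEWER_EXTS


def flag_attachments(names):
    """(real name, displayed name) for every disguised executable in names."""
    return [(n, displayed_name(n)) for n in names if is_disguised_executable(n)]


# Constructed sample attachment list.
SAMPLE_ATTACHMENTS = ["wife.gif.pif", "holiday.jpg", "invoice.pdf.exe",
                      "notes.txt", "readme.txt   .scr", "setup.exe"]

if __name__ == "__main__":
    for real, shown in flag_attachments(SAMPLE_ATTACHMENTS):
        print(f"{shown!r} is really {real!r}")
```

A plain setup.exe is not flagged: it is an executable, but nothing about its displayed name pretends otherwise. Note that wife.gif.pif is shown as wife.gif even with extension hiding switched off, which is what makes .pif (and .lnk) a favourite for this trick.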
  11. "Spear" phishing? by Entropy · · Score: 4, Funny

    Spear Phishing? Because it "targets specific people" ?

    Okay:

    Jelly phishing - targeting politicians.

    Salmon phishing - targeting gays.

    Flounder phishing - targeting christians.

    Tuna phishing - targeting pianists.

    Shark phishing - targeting lawyers.

    I am sure we could come up with others :)

    --
    The sea changes color, but the sea does not change.