Evolving Phishing Attacks Using Web Vulnerabilities?
miahrogers writes "The IRS Scam from a few weeks ago was not the usual canned phishing attack; it exploited a vulnerability in the IRS benefits website to make users think they were at a government site. Also, according to Infoworld, eBay's own fraud team was tricked into thinking a phishing email was legitimate eBay correspondence. Mix the above IRS exploit with a phony email and you have misplaced trust that foils even professional fraud teams. Interestingly enough, the newest addition to my bookshelf predicted these attacks in full detail. From chapter 4: 'Combined with vulnerable Web servers allowing the "trusted" domain to launch the attack, it will be harder to determine whether the email is or isn't legitimate. When a person turns in the e-mail to question its legitimacy, due to the known marketing campaign a tech support representative may overlook the fraud report and tell the customer that XYZ company did send out such a marketing e-mail and it is OK to click the links.' Are phishers using this book as a tool, or is it a legitimate prediction? As an IT professional, what efforts should our corporate IT department be making to proactively eliminate these vulnerabilities?"
Ever, ever, ever....
Evil Overlord Rule #86. I will make sure that my doomsday device is up to code and properly grounded.
...that IE7 comes out with its phishing filter. :P
Grammar Lesson: you're is a contraction of "you are"; your means you possess something; yore means days gone by.
Restricting users' access rights to their own machines is an obvious preventative step.
The Windows registry is a powerful tool for controlling what people can do to screw up a machine (sadly it isn't really well documented)...
It isn't a miracle cure, nothing is... but it's a good idea.
MoM++ - A Classic Expanded - [Master of Magic 1.5]
http://mompp.sourceforge.net/
Sorry, me first!
I would suggest reading up on the security measures you currently use. Maybe you use HTTPS and should read up about the security zones you can make using HTTPS.
If you can verify that your trusted sites really are trusted, then you should feel safer.
I think a lot of companies fall victim to using a security method X without investigating security methods W, Y & Z. After minimal investigation, it might be clear that X has had problems in the past and there is a lot of buzz about possible future problems (like the book in the article might point out).
I don't know a ton about security but I would suggest you simply make yourself a subject matter expert and look out for possible problems with your particular security method.
My work here is dung.
It's that simple. Just go to the web page directly.
It's flippin' ridiculous that email still doesn't have any form of simple sender verification, which would eliminate not just phishing but about 90% of spam.
I'm not wrong. You haven't thought about it hard enough.
As an IT professional, what efforts should our corporate IT department be making to proactively eliminate these vulnerabilities?
Hard code your error messages, hard code everything you can, rely on user input as little as you can, and always treat it like nuclear waste.
Your hair look like poop, Bob! - Wanker.
Why does it always have to be the fault of the business websites? No matter how safe and secure you think something is, there will always be some jackass that falls victim to something because there will always be criminals preying on the ignorant. The REAL problem is uneducated users. It isn't that hard to spot a fraud if you just take a minute to look around. I know it is a lot to expect people to have a more than basic understanding of how the web works, but maybe they should try to learn something before casually posting their personal and financial info online.
...All I can say is that my life is pretty strange...
From the InfoWorld article:
EBay has also been trying to shut down the Web site by working with the Internet registrar that was used to acquire the ebaychristmas.net domain, Pires said. Despite these efforts, however, the site has remained operational.
That registrar, which does business under the name Joker.com, has the power to shut down the scam Web site, Jennings said. "If they were taking their responsibilities seriously, the site would have been shut down weeks ago," he said.
Last time I checked, the registrar wasn't responsible if a server that happened to be pointed to by a record on a DNS server registered as primary for one of the domains they registered contained fraudulent or misleading content. In fact, checking Joker's TOS, while Joker may have the "power" to shut him down, I don't immediately see that they have any legal right to do so.
You're special forces then? That's great! I just love your olympics!
Educate your users. The most effective way to stop phishing is to educate the "phish". If you put your users in a constant state of awareness and teach them to never, ever, ever give out their credit card over the phone/internet unless they have initiated the transaction.
Excuse me, I misplaced my tin foil hat
A,
Possible way to stop phishing is to simply flood them with too many responses to their emails.
When you get a phishing email simply go to the pointed site, enter false information and then click the submit button....
For every false set of data they receive they have to try to use that invalid credit card number, ebay password, etc... Thus, costing them extreme amounts of time.
Caution: Contents under pressure
There's been a way of eliminating phishing since before phishing existed. Sign your emails with a digital certificate. Get your users to use a mail client that displays big warning signs when an email is unsigned or is signed with an untrusted key. Get your users to trust your key.
If your users don't follow this advice and get scammed, well then it's their own fault. But it's not their fault if you don't sign your emails, and I can think of only a handful of companies that do this right now. Being one of them is being more proactive than most.
Bogtha Bogtha Bogtha
Why on earth don't Ebay GPG sign their messages? Even if most users wouldn't check the signature, at least their own fraud team could tell what was genuine Ebay correspondence and what wasn't...
-- Ed Avis ed@membled.com
In Finland there was a large-scale phishing attack targeted at users of a major online bank. It had a URL with a numeric IP address, was machine-translated from an earlier English message and was thus very bad Finnish. The earlier English message got wide publicity also in mainstream media. I got one of the messages and just out of curiosity checked out the website. The website was equally bad Finnish and asked for username, PIN number and payment authorisation codes. Money was transferred from the accounts of about 10 people to somewhere in Latvia. 8 transfers got cancelled by the bank, 2 accounts were already emptied at an ATM and about 20 thousand euros were stolen.
The bank has taken responsibility and promised to return the money of their customers, but a couple of days ago after this Finnish attack was still saying that the attacks are a scheme to undermine the trust of online banking, but maybe it was just a way to steal money from ignorant people?
As an IT professional, what efforts should our corporate IT department be making to proactively eliminate these vulnerabilities?"
Educate your staff on the vulnerabilities of phishing and email scams. Give them specific examples of how these attacks work and how people are usually duped into them. Use some sort of visual presentation or photocopied handouts of how these attacks look and work. Make the staff very aware of the vulnerabilities on the internet/via email and tell them to ask themselves if it is potentially harmful, and if unsure, to contact an IT professional who would know.
Hopefully, at least 3/4 of those briefed will remember this information and put it to good use.
You can also buy "Phishing Exposed: Uncover Secrets from the Dark Side" to help explain the attacks.
This is essential reading for those who want to learn the ways of the Farce.
He who knows best knows how little he knows. - Thomas Jefferson
The ask slashdot was on web vulnerabilities/phishing attacks.
Some malware/spyware that may be included in a linked-to site... these things may need certain rights to modify certain elements of the registry.
I'm assuming you are the mod who modded -1 Overrated... if you really thought I was 'Offtopic', wouldn't that have been the better choice?
Regardless, it is on topic, with regards to the question... since you seem incapable of reading the actual Ask Slashdot question... here it is...
"""
As an IT professional, what efforts should our corporate IT department be making to proactively eliminate these vulnerabilities?"
"""
As you can see, this would be a PROACTIVE measure... cheers!
I think this is simply a case example of one security measure being sufficient up to this point and so there is no reason to go through all the trouble of implementing a possibly better method.
Another thing to add to your list of security DO's, always keep your eye open for a better (even if it's different) solution to your security needs. If security is so important to the big wigs, make your case and ask for money to research/test other possibilities.
http://news.bbc.co.uk/2/hi/americas/4545822.stm
Thought I'd pre-empt the inevitable slashdot article on the subject.
Tee Hee Hee
The bikini - security through obscurity since 1943
Phishing attacks are Intelligently Designed, not evolved! It is improbable to the point of absurd for a random number generator to produce a phishing website in the same way that it is absurd for random events to result in a new liver. Only the actions of an Intelligent Designer like a programmer can produce a phishing vulnerability.
... at how many times a developer has been instructed to use a certain security measure and he/she went about implementing it without giving it a second thought.
This is also very dangerous when security implementations are very simple to implement because it may provide a false sense of security without ever having to know the nitty gritty details of what's going on.
Why do that, when they won't even use their server software to rewrite requests for ebay.com graphics from unexpected referrers to ones that have "THIS IS A SCAM" overlaying them? When a phisher can build a near-perfect replica of a message from EBAY, PAYPAL, CHASE BANK, or wherever, just by linking to the official website graphics, cryptographic signing of messages is virtual fluff.
Hopefully, more people/companies will start using SPF (spf.pobox.com). I believe this would help prevent this kind of attack. It's pretty easy to start publishing SPF records...
by the world's most dangerous leader.
Seditiously,
Kilgore Trout, C.E.O.
There's a fairly simple way to avoid these attacks: never ever trust any link in any e-mail, period. If you think the e-mail is legitimate, ignore the links in it and use your own bookmarks to go to the relevant site and check your account or similar page there. If it really is legitimate, there'll be a way to find the information without depending on the e-mail links. It's not completely fool-proof, but for a phisher to fool you when you do this they'd have to vandalize the legitimate web-site to include their links on its actual pages. That's harder than just faking an e-mail.
Why should I have to tell anyone this? It's received wisdom that if you receive a phone call from someone claiming to be your bank and asking to verify things like your PIN you should hang up, look up the bank's phone number in the phone book, call them yourself and ask Customer Service about the situation. First rule: never trust the identity of the other end unless you called them. Why should e-mail be any different?
Just amazing.
/.? He works for the felon.
The author is a twice-convicted felon (state of Washington, digital trespassing) and copied works by many other people for this book. Some of the figures and text come directly from other anti-phishing researchers. Lance (the "author") also copied text from the World Wide Web Consortium, Wikipedia, and other places on the web. This isn't failure to cite -- this is direct plagiarism.
And the person that posted this to
Glad to see that "ethics" and "moral responsibility" are alive and well.
Syngress should be ashamed to have published this book.
The weak point in phishing seems to be people's reason ... lack of, I mean.
Sometimes we tend not to use reason and this is what phishers try to exploit.
I receive a dozen such emails every month. Almost all of them are pitiful attempts, clearly showing they are fake without any special check.
Nonetheless it seems that lots of people get trapped by them.
Maybe people need more real education in "Internet etiquette" than anti-anything software.
Maybe Computers will never be as intelligent as Humans.
For sure they won't ever become so stupid. [VR-1988]
If a well known web site claims to link to an IP address to collect your sensitive information that's a pretty big red flag.
If a WHOIS lookup of the owner of that IP address reads: China, that's another pretty big flag.
Of course if the email is from Prince Uba-bott-toomu-slam-botta and he needs your help in liberating the jewel of Thesia you're good to go.
Cogito Ergo Sum
Let's look at the problem:
1) Email arrives promising free money
2) User clicks or copy/pastes URL
3) User is redirected to a site which asks for very personal information.
The vulnerability is a PEBKAC problem.
Some are excusing the users because the link first went to a government website. BS. That carries the implied assertion that because the government is involved people should absolutely believe what is being said, shown, or asked for.
This is not a dream, not a dream...we are transmitting from the year 1-9-9-9.
It sure seems to me that a big part of the solution is to establish some legitimate trust mechanism for domains. This applies to email and to HTTP packets.
No I don't have a solution, but to use a famous analogy, lack of trust on domain addressing is equivalent to unlocked doors. It's still against the law to open the unlocked door, but at some point you really do need to install the locks.
dave
The problem with the govbenefits.gov Web site isn't serious and doesn't leak sensitive data about individuals. However, it does provide an easy way for scam artists to make their phishing attack more convincing, Cluley said. The phishers even advise recipients to cut and paste the Web link into their Web browser rather than clicking on it, Sophos said.
the coolest club on
Let's just stop following E-Mail links altogether. Or, We could start a campaign that advertises the "greatness of companies that never e-mail solicitations or links". Perhaps, before long, it becomes something that can be touted "We will never E-mail you anything with a link in it".
That way you would know it was fake if it happened.
Personally, I like the idea of not following E-Mail links at all. Or, even go so far as to make it a standard option in E-Mail clients to not show hyperlinks.
Hurry! Click (LINK DELETED SO YOU CAN'T SUFFER YOUR OWN STUPIDITY) before time runs out!
I found a COUPLE of holes about 2 months ago and immediately emailed the administrators of the website;
The bank is a pretty famous German financial institute and they actually have a "https" "secured" webpage just for ebanking; and exactly that website is full of security holes. I give you a short example:
Original:
https://www.vr-ebanking.de/index.php?RZBK=0280
MY Version (XSS):
https://www.vr-ebanking.de/help;jsessionid=XA?Action=SelectMenu&SMID=EigenesOrderbuch&MenuName=&InitHref=http://www.consti.de/secure
/ Forgery --> Imitation /
They have a couple more of those ... and the admins never responded - I just got a response with something like "Thanks for telling us, we will look into it, but don't expect any answers / changes".
I am pissed - actually that's the bank I am a customer of -- my local bank's website is even worse ...
damn.. and they promote their website as "secure" and tell the customers to look at the links they get in phishing - I am sorry guys, but if any phisher is reading this .. *smile*
What am I supposed to do in that case? I even CALLED them ...
The company that is supposed to secure the website has holes, too - and they don't close them either..
Is that only Germany or are all those companies crazy and don't give a poop for their customers' security?
I beg for responses and help,
Consti / thr0n
Pretty hard to phish with ASCII email...
--- For a good time mail uce@ftc.gov
While I have plenty of defense on my mail server (SpamAssassin, ClamAV, DCC, Razor, MailScanner) to stop this stuff from reaching my users' mailboxes, a good offense is needed to help pollute the phishers' database with garbage. Enter:
http://www.phishfighting.com/
"Just enter the phishing email's REAL URL below and watch as realistic looking, fake entries are continuously sent to the phisher's fake site. The criminal will receive hundreds or thousands of fake entries and he won't be able to tell which are fake and which are real."
Nice stuff.
fak3r.com
"Excuse me, but 'proactive' and 'paradigm' -- aren't these just buzzwords that dumb people use to sound important? Not that I'm accusing you of anything like that."
Is it too late to trade-mark the name 'philter'?
Support Right To Repair Legislation.
This is not new. This is why IE stopped supporting direct login from the URL a year or so back:
http://www.domain.com/
Phishers were using it to fake legitimate domain names:
http://www.microsoft.com?sid=2149wef07wefewf5e4f9f8f6ewf68002@123.234.324.123/ (i.e. notice the true address is the IP in the end).
:)
Phishers use everything they can get their hands on; it's not as if they're afraid of breaking the law.
Distribute refrigerator magnets at work with witty propaganda slogans and cartoons on them. Examples at http://www.diggerhistory.info/pages-posters/american3.htm
Perhaps because it's trivial to forge a signature? It's just the public key stuck on the end of the message - if spammers can forge a few Received-by: headers and make links like http://ebay.com, how much harder would it be to also add a couple more headers and a fake signature to their spam?
The "right" way to do it would be for everyone to send eBay their key once and then for eBay to send out encrypted mail using that key - but that'd increase eBay's processor load for sending mail, and there'd just be more phishing attacks trying to get people to upload their key to the spammers. Fat chance of any of that happening, though.
Ah, for the days when it was only the elderly getting scammed by magazine subscriptions and phone calls...
You already have certificates for websites, why don't ebay, paypal and the others digitally SIGN their email... So far the system is: OK, the email can be crap but then the links point to websites that are signed... Urr sorry, why not sign the email directly?
\u262D = \u5350
> Evolving Phishing Attacks Using Web Vulnerabilities?
At first I got excited and thought the evolve fish started attacking the Jesus fish.
The Applied Crypto Group has had two anti-phishing extensions out for some time. One is for IE and Firefox, the other is for IE only.
From the site: "SpoofGuard is a browser plug-in that is compatible with Microsoft Internet Explorer. SpoofGuard places a traffic light in your browser toolbar that turns from green to yellow to red as you navigate to a spoof site. If you try to enter sensitive information into a form from a spoof site, SpoofGuard will save your data and warn you. SpoofGuard warnings occur when alarm indicators reach a level that depends on parameters that are set by the user."
I only use IE to download MS patches and updates so I've not installed SpoofGuard. I've used the Firefox extension for some time now.
From the site: "PwdHash is a browser extension that transparently converts a user's password into a domain-specific password. The user can activate this hashing by choosing passwords that start with a special prefix (@@) or by pressing a special password key (F2). PwdHash automatically replaces the contents of these password fields with a one-way hash of the pair (password, domain-name). As a result, the site only sees a domain-specific hash of the password, as opposed to the password itself. A break-in at a low security site exposes password hashes rather than an actual password. We emphasize that the hash function we use is public and can be computed on any machine which enables users to login to their web accounts from any machine in the world. Hashing is done using a Pseudo Random Function (PRF)."
"Phishing protection. A major benefit of PwdHash is that it provides a defense against password phishing scams. In a phishing scam, users are directed to a spoof web site where they are asked to enter their username and password. SpoofGuard is a browser extension that alerts the user when a phishing page is encountered. PwdHash complements SpoofGuard in defending users from phishing scams: using PwdHash the phisher only sees a hash of the password specific to the domain hosting the spoof page. This hash is useless at the site that the phisher intended to spoof."
Personally I find prudence and a healthy dose of incredulity to be the best anti-phishing measures.
"Academicians are more likely to share each other's toothbrush than each other's nomenclature."
Cohen
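The domain-specific hash that the PwdHash quote above describes can be reproduced in a few lines. This is an added illustration of the idea, not the extension's own code (its PRF and output encoding differ); the password, the real site and the spoof site are constructed.

```python
# Domain-specific password hashing in the style PwdHash describes above.
# Added illustration: the real extension's PRF, encoding and character
# fix-ups differ; here HMAC-SHA256 keyed with the password serves as the PRF.
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

PREFIX = "@@"   # typing the password as @@secret activates hashing


def site_domain(url):
    """Label fed to the PRF: the hostname minus a leading 'www.' so that
    https://www.ebay.com/ and https://ebay.com/ yield the same password."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def domain_password(typed, url, length=12):
    """What the site receives. Without the prefix the password passes through
    unchanged; with it, the site sees a printable hash of (password, domain)."""
    if not typed.startswith(PREFIX):
        return typed
    secret = typed[len(PREFIX):].encode()
    mac = hmac.new(secret, site_domain(url).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()[:length]


if __name__ == "__main__":
    # Constructed sample: the same typed password at the real site and at a spoof.
    real = domain_password("@@hunter2", "https://www.ebay.com/signin")
    spoof = domain_password("@@hunter2", "http://ebaychristmas.net/signin")
    print("real site sees :", real)
    print("spoof site sees:", spoof, "(useless at ebay.com)")
```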
The forged signature wouldn't check out as Ebay's though. It wouldn't be there for looks, it would be there to actually use.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
An article previously referenced on Ars Technica about ID being struck down in Dover will be posted in a few minutes...
Think about it: The basic mechanism of a phishing attack is this:
<a href="sleazy.isp">bank.com</a>
That's possible because e-mail is done on HTML clients these days. Right? Absent HTML, it doesn't work.
Other attacks are done by an advert with an [X] in the corner of the image or images of [OK] [CANCEL] buttons. They look real because the modern web browser doesn't get in the way of any visual display. Imagine an old clunky browser that put a frame around any image. Would that kind of attack be so successful? Probably not!
Worse still are attacks that simulate a Windows window on the browser. If the browser insisted on putting a frame and buttons around pop-ups, those would be obviously adverts and much less successful.
The problem is that a browser is essentially omnipotent, so you cannot trivially tell what information comes from your own computer (and is therefore reasonably trustworthy) versus what comes from some random criminal on the Internet.
It's the visual equivalent of the Church-Turing thesis: that once a computer's instruction set reaches a certain small complexity, then it can compute anything. Likewise, once you let the browser be flexible enough, the guy on the other end can display anything.
So, I lay a lot of the blame on browser writers, including some of our favourite open source projects. In my book, anyone who writes a browser that doesn't always clearly identify itself as a browser window is partially responsible for anyone who loses money by a phishing attack. Likewise, anyone who writes a browser that allows content to remove the [X] in the corner should be legally liable if and when that "feature" is used to scam someone.
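The href/text mismatch shown in the post above and the 'something@realhost' URL trick mentioned earlier in the thread can both be flagged mechanically before a mail body is rendered. This is an added example, not code from any poster; the warning codes, the heuristics and the sample HTML mail are constructed.

```python
# Heuristic link checks for two tricks described in this thread:
#  - userinfo ('something@realhost') smuggled into a URL so that a lenient
#    parser ends up at the host after the '@', and
#  - an anchor whose visible text names one host while href points elsewhere.
# Added example; warning codes and the sample mail body are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Visible anchor text that looks like a URL or a bare hostname.
HOSTLIKE = re.compile(
    r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:/\S*)?$", re.I)


def _authority(url):
    """Raw text between 'scheme://' and the first '/', as a lenient parser saw it."""
    rest = url.split("://", 1)[1] if "://" in url else url
    return rest.split("/", 1)[0]


def effective_host(url):
    """Host the request really goes to: with an '@' present, the part after the
    last '@' (the trick relies on this); otherwise the parsed hostname.
    Lower-cased, port removed, leading 'www.' dropped for comparison."""
    authority = _authority(url)
    if "@" in authority:
        host = authority.rsplit("@", 1)[1]
    else:
        host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    host = host.split(":")[0].lower()
    return host[4:] if host.startswith("www.") else host


def check_url(url):
    """Warning codes for a single link target."""
    warnings = []
    if "@" in _authority(url):
        warnings.append("userinfo-in-url")
    if DOTTED_QUAD.match(effective_host(url)):
        warnings.append("ip-address-host")
    return warnings


def check_anchor(href, text):
    """check_url plus a mismatch warning when the visible text names another host."""
    warnings = check_url(href)
    m = HOSTLIKE.match(text.strip())
    if m and m.group(1).lower() != effective_host(href):
        warnings.append("text-host-mismatch")
    return warnings


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text)))
            self._href = None


def scan_html_mail(html):
    """Return [(href, text, warnings)] for every anchor in the body."""
    p = _AnchorCollector()
    p.feed(html)
    return [(h, t, check_anchor(h, t)) for h, t in p.anchors]


# Constructed sample body: two spoofed links and one honest one.
SAMPLE_MAIL = """<p>Your account will be suspended. Log in at
<a href="http://sleazy.isp/login">bank.com</a> or via
<a href="http://www.ebay.com@sleazy.isp/">www.ebay.com</a>.
Help pages: <a href="https://www.bank.com/help">bank.com/help</a></p>"""

if __name__ == "__main__":
    for href, text, warns in scan_html_mail(SAMPLE_MAIL):
        print(f"{text!r:18} -> {href:36} {warns or 'ok'}")
```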
FYI, a signature is not the public key. Rather, it is a hash of the message, that has been encrypted by the private key of the sender.
You find the senders public key, use it to decrypt the hash, then compare it to a hash of the message that you've made yourself.
If the two match, you know the message has not been tampered with.
(all this is typically done more or less transparently by software)
If the server detects that the browser is IE, automatically issue a redirect to the firefox download page!
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
Well...at the very least, you may want to let them know that you just went *public* with their exploitable web-site on one of the most popular Internet sites in the world.
Oh...and now that you've done that...you should probably get *your* money out of *their* bank.
I'm just sayin'...
The eBay issue was simply a case of a tech support staffer who failed to recognize a scam domain, rather than any technical wizardry or social engineering expertise on the part of the scammers. It's a good argument for adopting defense at the browser level (i.e. toolbars and in-browser blocking) rather than counting on banks, registrars or hosting companies to shut sites down.
RichM
Data Center Knowledge
Please enter the characters of your password that are missing:
-*-***-**
Please enter the 3rd, 5th and 6th digit of your telephone number:
***
If the login page was random on each log in, it would still take a phisher at least twice the time to gather the necessary information. If phishers tried to imitate this kind of log-in page, they'd have great difficulty in extracting all of the information that would be needed to successfully dupe somebody.
Also isn't it high time that you can verify where the information is being sent on a form without scraping through HTML?
I recently got an email from citibank.com asking for information about my bank account and asking me to go to a website. The email was from the citibank website and looked like it checked out, except I don't have a citibank account, not now or ever in my life. Not even a citibank credit card, etc. Looking into things such as this in my free time, there are a lot of loopholes and exploits that people can use to generate legit-looking web pages. We experimented with DNS poisoning and also setting routes into test systems so that even when the person would go to, say, yourbank.com, it would redirect to our own server but still show up as yourbank.com. This asks a whole new set of questions, such as how much are you protected? Using the internet to communicate information has made it easier, but easier to break into. For everyone who is looking to make something easier, there are just as many people looking for ways to exploit it. Personally, none of my serious bank information goes over the internet. Yes, I have my own logins with usernames on my bank and credit card sites that don't require me to enter my account number, but any information that needs to be submitted nowadays is over the phone with my bank.
Bryan
What is with the cheesy link to "newest addition to my bookshelf"? If you are going to flog someone's book on Amazon.com it is nice to at least mention the name of the book you are flogging. Making someone click on the link just to see what you are talking about is the act of a pathetically self-serving referral whore. I certainly didn't bother to see what it was.
Are phishers using this book as a tool, or is it a legitimate prediction?
It's a legitimate prediction whether phishers are using the book as a tool or not. If they got the idea from the book then it's self-fulfilling prophecy but still legitimate. The only way it might not be a legitimate prediction is if the author is a phisher. Then it would be a statement of intention.
Sorry to be blunt but that bit about "no amount of training" is pure bs and I don't care who says it be it admins, back-seat driving admins or anybody else. Yes social engineering will always exist and some people will fall for it, deservedly or not, but for your own sake the issue is not to eradicate social engineering: the issue is to make it too costly/inefficient for whoever does it. Stopping phishing scams is simple: treat every link in any unencrypted email as a scam and be careful about encrypted ones as well; you must trust the encryption for it to have any value at all.
This means: never ever use a link from any email no matter how supposedly "right" that link is for anything involving money or confidential information like passwords or even user names. There actually isn't any real reason to use links like that to provide any kind of information no matter how "worthless", even clicking on a link provides a bit of information to a would-be scammer because it takes you somewhere (they'll get a traceback in some form).
If a company that you have a (private or otherwise) business relationship with sends you an offer by solicited email then do not use that email to take advantage of said offer but instead contact said company about the offer through other means like going directly to their main website page or more sensibly (at least if we're talking about other stuff than buying a book at a discount etc.) by making a call.
In case the offer is only available through the email:
1: the likelihood of it being a scam is close to 100% (and please note that the inverse does not hold true and in addition is irrelevant: don't click or in any way use that link)
2: the business is stating that they do not want you as their customer for that offer - disregard it and if you care you can tell them about the adverse effects of acting in such a way
And of course if it is an unsolicited mail then instead just treat it as spam.
Would any user conduct any sort of business by sending postcards? That is what unencrypted mail is and if explained to a user as such anyone with a modicum of intelligence will get it.
When they get the postcard comparison then tell them that it's a special postcard that automatically includes knowledge of their actions (when, where, and how you wrote that postcard and possibly more) to a greater detail (and with a lot more uses) than any normal postcard would do. In addition this "postcard" is accessible to a lot more people than would usually get access to a real postcard (and that number is already quite high).
Anyway all this is just the tip of the iceberg: most companies (or people, governments, and other organisations) do not use encryption of either internal or external email and it's begging for disasters. The worst of it is that it is not hard to avoid those disasters and start using encryption.
this comment is provided "as is" and without any express or implied legibility or congruity [...]
The biggest issue I have with SPF is that too many of the big players don't want to use it. Or they use it but seem indecisive about what hosts are allowed to send email for them. For example:
yahoo.com, peoplepc.com, sbc.com, fbi.gov, irs.gov, irs.com, whitehouse.gov - no SPF records at all
gmail.com, google.com, aol.com, verizon.com - include ?all in their SPF record which basically says "these are my authorized senders but other hosts are probably ok too."
hotmail.com, msn.com, charter.net, ebay.com, usbank.com, citibank.com - include ~all in their SPF record which means "soft fail" or "these are my only authorized hosts but don't block stuff from other hosts"
Why doesn't even one of these specify -all which means "fail" or "If it isn't from one of the hosts just listed then it's not from us."? It looks to me like none of the domains above are willing to do what needs to be done unless forced into it. So, at this point SPF checks on my mail gateway do little more than consume CPU time.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
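The four record types the post above walks through (no record, ?all, ~all, -all) map directly onto the verdicts a receiving gateway produces. This is an added example, not any poster's code: a minimal SPF evaluator over constructed domains and records that handles ip4/ip6, include and all, leaving out the a, mx, ptr and exists mechanisms because they need live DNS.

```python
# Minimal SPF (RFC 7208) evaluation over an in-memory set of TXT records.
# Added example with constructed domains; handles ip4/ip6 (with CIDR),
# include: and the 'all' mechanism with its four qualifiers. The a, mx, ptr
# and exists mechanisms need live DNS and are reported as unsupported.
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(txt):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms.
    Returns None when the string is not an SPF record at all."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    terms = []
    for term in parts[1:]:
        if "=" in term:          # modifiers such as exp=/redirect= are not handled here
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        terms.append((qual, mech.lower(), arg))
    return terms


def classify_record(txt):
    """The categories the post above complains about: no record, -all, ~all,
    ?all, or no restrictive 'all' term at all."""
    terms = parse_spf(txt)
    if terms is None:
        return "no SPF record"
    for qual, mech, _ in terms:
        if mech == "all":
            return {"-": "-all (fail)", "~": "~all (softfail)",
                    "?": "?all (neutral)", "+": "+all (anyone may send)"}[qual]
    return "no 'all' term (unmatched senders are neutral)"


def evaluate_spf(domain, sender_ip, records, depth=0):
    """Return none/pass/fail/softfail/neutral/permerror for sender_ip using
    domain in MAIL FROM. records maps domain -> TXT string."""
    if depth > 10:                      # RFC 7208 caps DNS-causing terms at 10
        return "permerror"
    terms = parse_spf(records.get(domain, ""))
    if terms is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, arg in terms:
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif mech == "include":
            sub = evaluate_spf(arg, sender_ip, records, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"       # included domain must have a valid record
            matched = sub == "pass"
        else:
            return "permerror"           # a/mx/ptr/exists: not supported offline
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                     # nothing matched and no 'all' term


# Constructed records mirroring the situations described in the post.
RECORDS = {
    "strict.example":     "v=spf1 ip4:192.0.2.0/24 -all",
    "soft.example":       "v=spf1 ip4:192.0.2.0/24 ~all",
    "neutral.example":    "v=spf1 ip4:192.0.2.0/24 ?all",
    "outsourced.example": "v=spf1 include:strict.example -all",
}

if __name__ == "__main__":
    for dom in ["nospf.example", *RECORDS]:
        verdict = evaluate_spf(dom, "203.0.113.7", RECORDS)
        print(f"{dom:20} {classify_record(RECORDS.get(dom, '')):45} "
              f"unlisted host 203.0.113.7 -> {verdict}")
```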
OK, so after a little bit of further research, it appears that the signature is actually based partially on the contents. That makes sense, as it'd be stupid to do it any other way. :) The recipient isn't taken into consideration, though, so one could still redirect a message to an unintended recipient, potentially with some modified headers.
:)
Alternatively, it'd just take a fake, self-signed key with some nonsense @ebay.com address to fake out people who would just click "OK" when the program warned them of an unrecognized/new key, accompanied by a message noting the new key eBay's using to notify users of account fraud. Then we're back to the same uneducated user problem... The encrypted message route would require the recipient to have sent a key to the sender first, at least, and would require some pre-phishing just to get to the point where more phishing would happen.
PGP/GPG use RSA or ElGamal public-key encryption to store a secret key, which is then used to decrypt the actual message. This is faster than using RSA or ElGamal for the entire message, but is only as strong as the weakest algorithm in the chain. There are substantially faster public-key algorithms, but they are either known to be broken (HFE), heavily encumbered (HFE, NTRU) or regarded with suspicion (ECC).
The reason this is important is that no authentication scheme can be any better than the method used to prove or validate the identity. (Duh!) Therefore, it is essential that the authentication scheme can be trusted to do what it says - authenticate that the message originated with the person the message claims to be from, with absolutely no possibility of the message originating with anyone else or being modified en-route (except for relay headers).
This means that PGP-style encryption does not prove identity. The message must be signed to prove identity, if the public key is only used to hide a secret key. Even then, with hashing algorithms tumbling like dominos (with or without sparrows helping), you need to be somewhat strict about what method is used for authentication. In four or five years, it is entirely possible to imagine skript kiddies being able to fake MD5-based signatures and for organized crime syndicates to be able to fake SHA1-based signatures. As these are the two largest sources of phishing scams, any approach which they are likely to completely defeat within the lifetime of any standard adopted is useless.
An Internet-based protocol can be considered of having a life-expectancy of 20 years, with no substantial modifications being possible. Maybe 30 years, in some cases, even if the infrastructure is incapable of handling the load. (IPv6 demonstrates that.) That does not mean any given e-mail must be proof against 30 years of concentrated effort. Digital certificates and encryption keys usually expire after a few months or a year, so we don't care if anyone breaks a particular key after that. The ideal signature scheme, then, has only to be reasonably secure for the same few
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I still don't understand why the big banks and major ISPs don't band together and just stuff all the phishing web sites with bogus data from a huge portion of customer IP space. Then make use of any of this purposely bogus data (bad credit card numbers, passwords, etc.) to start an auto-traceback whenever it is used. They probably already have enough honeypots to sniff the phishing scams just as they get started. AOL and MSN (et al.) could probably buy some legislation to protect the creation of a legal counter-attack botnet from their IP space against anyone violating a partner bank's trademarks with phishing-like content.
... as there is a music label called XYZ, they may sue you.
Actually, even if users didn't check, it would be easy enough for someone like E-Bay to run a promotion targeting ISPs - "if you add our automatic phish frier, you can carry our flashy 'secure e-commerce' logo and be listed as a 'trusted' partner!", where the phish frier simply drops any e-mail that has a FROM claiming to be from E-Bay but where the signature is missing or is incorrect.
ISPs love anything that makes them look good - especially when it doesn't cost them anything. All you'd really need is for a couple of the major players to provide ISPs with such filters, and for just one or two of the major providers (AOL, Comcast, etc) or major webmail providers (Yahoo, Hotmail, Gmail) to install them. I would see that as very doable and would cut down on the phishing scams, even if they didn't eliminate them.
At least for businesses, filter out the HTML from emails. I have Thunderbird set to show me my emails in plain text only, so I'm never fooled by the URL in the link text versus the actual URL trick. For example, I just got an Ebay phishing email that when viewed as HTML appeared to have a link to
www.paypal.com/...
But when viewed as text, it was clear the link was really to
www.paypal.com.us-cgi-bin-web-scr-cmd.com/...
This one simple trick seems to be pretty reliable in spotting phishing scams.
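The "link text versus actual URL" trick can be checked mechanically rather than by switching the client to plain text. The following is an added example, not the poster's code: it walks the anchors of an HTML message with the standard-library parser and flags any link whose visible text names one registrable domain while the href points at another, using a constructed sample message modelled on the paypal.com.us-cgi-bin-web-scr-cmd.com lure above. The domain comparison is deliberately naive (last two labels), which is enough for .com hosts but not for co.uk-style suffixes.

```python
"""Flag HTML anchors whose displayed text names a different domain than the href
(added example; the sample message below is constructed, not a real phish)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the lure described in the post above.
SAMPLE_EMAIL = """\
<p>We noticed unusual activity on your account. Please confirm your details:</p>
<a href="http://www.paypal.com.us-cgi-bin-web-scr-cmd.com/cgi-bin/webscr">www.paypal.com/cgi-bin/webscr</a>
<p>Questions? See <a href="https://www.paypal.com/help">www.paypal.com/help</a>
or <a href="http://www.paypal.com.us-cgi-bin-web-scr-cmd.com/">click here</a>.</p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Hostname of a URL, or of bare text like 'www.paypal.com/...' (lowercased)."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def registrable(host):
    """Naive registrable domain: the last two labels (fine for .com, not co.uk)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_deceptive_links(html):
    """Return (visible_text, href) for anchors whose text and href disagree on domain.

    Anchors whose text is not a URL or hostname ("click here") are not judged
    here; that case needs the href shown to the user, not a mismatch test.
    """
    parser = AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        text_host = host_of(text)
        if "." not in text_host:          # text is prose, not a hostname
            continue
        if registrable(text_host) != registrable(host_of(href)):
            flagged.append((text, href))
    return flagged


if __name__ == "__main__":
    for text, href in find_deceptive_links(SAMPLE_EMAIL):
        print(f"DECEPTIVE: text says {text!r} but href is {href!r}")
```

On the sample only the first anchor is flagged: its text looks like a paypal.com path while the href lands on us-cgi-bin-web-scr-cmd.com. The "click here" anchor goes to the same bad host but passes this particular check, which is why showing the real URL (as the plain-text view does) remains the more general defence.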
and would require some pre-phishing just to get to the point where more phishing would happen.
This would be awesome, if only because we could add "chumming" to the list of scam words.
It has been 10 years and the fucking retards have still never learned to use PGP.
Oh sure they've added tons of fucking bullshit. From Internet Explorer ONLY websites to new kinds of crypto. What good is it?
They STILL Have not learned to type in plain ASCII and manage PGP keys.
It must be too accurate for them.
They need CHAOS to make MONEY.
Lookie at how well they manage Databases, Business is the Database Management Retard also. Look at how many IDENTITY THEFTS and Databases got stolen.
Now let's look at our government for a sec...
They are ripping up Constitutions, Oaths of Office, and Geneva Conventions (there's only one, by the way), all in the name of no-bid contracts and 8 missing billion dollars.
Uhm, Don't expect your ELECTRONIC BALLOT BOX to fix this any time soon.
That Mo Fo is Locally Rigged!
Dear, Mr. Poor,
Dear Mr. Poor, sorry to have to inform you of this: you are going to have a ruined life. Start behaving like the new slave you are, before we make you disappear. You could always join the military. Or keep flipping that burger in the local wwwWoolwortth$Mart. Oh, and by the way, you were one day late on that Home Depot bill for 50 cents, so your credit gets an F rating and your APR is now between 39-50%. On the bright side: ALL of your CURRENT MONEY will pay your loan off in ONLY 120 years!
PS: If you ever make it to CEO of WIDGET CO., make sure you take up the ladder after yourself so no other can climb up.
From my own trying and, unfortunately, not limited experience with fraud and ebay, the fraud team is a joke. They sat on my complaints until the person(s) moved to another locale.
a slut did tulsa
Another useful book that can raise awareness and understanding is "Phishing: Cutting the Identity Theft Line," by Rachael Lininger and Russell Dean Vines. It covers everything from the basics to detailed strategies, with summary sections of action points for IT staff, users and financial execs. About $20.
RichM
Data Center Knowledge
Let me try to go one better: this is not a grammar lesson, it's a lesson in spelling.
Meanwhile, the webserver I administer (although I'm not root) was recently cracked through a PHP application.
The crack set up a mini-website used as the recipient of one of those scam e-mails - in this case it was telling the recipient to (dis)approve of a certain email address being added to their PayPal account, and of course click the link (apparently to PayPal, in reality to the scam website set up in a crack of our real website).
For reference, the scam in question, as a Google search:
http://www.google.com/search?client=opera&rls=en&q=%22New+email+address+added+to+your+PayPal+account!%22
What I already knew: most crackers aren't interested in the machine they crack at all; never trust a PHP application as far as security is concerned; it's pretty easy to discover most cracks but it takes a full daytime job to investigate and report it properly, while the benefits are near-zero, because no one I know or have talked to has time to properly deal with it.
News to me: I didn't realise that the scam sites used to trick people into giving their credit card numbers are themselves set up on cracked hosts. This is, in fact, the first time a crack that I've witnessed was malicious in intent. (Illegally copying DVDs can hardly be called malicious.)
I have received a bunch of false emails from ebay, paypal, banks, etc. But if the email seems real, I always enter fake information first on the site in question. For example, the last one that I got from ebay took me to their site login (DNS was spoofed); I entered aaaaaaa as the user name and the password as "asdokngfakdv", and as I figure it, the login screen went directly to "Enter your credit card information".
If this was a real email, I don't think I would have been able to log in with someone's user name (even if it is a little absurd to have a user name like "aaaaaaaa") at ebay's login page.
I have tried this with every single email that I got requesting this type of information. Beware, though, that 90% of them had a script that checked if the credit card number is valid. So, do not apply this to the credit card information part.
The best advice is, if in doubt either call customer service or dismiss all these junks.
Happy Holidays and a Safe browsing !!!
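The "script that checked if the credit card number is valid" mentioned in the post above is almost always a Luhn checksum (the check digit algorithm card numbers carry), so a random string of digits is rejected before the kit even records it. Below is an added example, not the poster's code, of that check, run against a digit string that is obviously fake and against a well-known publicly documented test number that is Luhn-valid but not an issued card.

```python
"""Luhn check of the kind phishing kits run client-side (added example)."""


def luhn_valid(number: str) -> bool:
    """True if `number` (digits, spaces or dashes allowed) passes the Luhn checksum.

    Working from the rightmost digit, every second digit is doubled and 9 is
    subtracted from products above 9; the sum of all digits must be 0 mod 10.
    Length is restricted to the 13-19 digits real card numbers use.
    """
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19 or not all(c.isdigit() or c in " -" for c in number):
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def fixup_check_digit(partial: str) -> str:
    """Append the Luhn check digit to a run of digits, showing why a fake
    number can be made checksum-valid without being an issued card."""
    for check in "0123456789":
        if luhn_valid(partial + check):
            return partial + check
    raise AssertionError("unreachable: one check digit always satisfies Luhn")


if __name__ == "__main__":
    # Constructed inputs: a random-looking string and the widely published
    # Visa test number 4111 1111 1111 1111 (not an issued card).
    for candidate in ("1234567890123456", "4111 1111 1111 1111", "asdokngfakdv"):
        print(f"{candidate!r:24} -> {'accepted' if luhn_valid(candidate) else 'rejected'}")
    print("checksum-valid fake:", fixup_check_digit("411111111111111"))
```

The practical consequence for the poster's technique: typing junk into the card field tells you nothing, because the kit rejects it locally either way; a checksum-valid but non-issued number is what distinguishes a real merchant's server-side authorization from a kit that only runs Luhn.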
Companies like ebay, paypal and citibank need to be sure that if someone sends a legitimate email, it goes through even if IT forgot to add a new mail server to the SPF record (or whatever it might be). That email might be something from paypal telling you that they have frozen your account and that it is now in the red, and that if you don't pay up right now, they will send debt collectors after you. Or something else important.
Excuse me, but it just sounds like an oxymoron begging for a punch line.
But, I wanted socialized health insurance!
EdAvis wrote:
I think the parent's idea is important, and not just because the fraud team can verify an e-mail.
If a big company started signing their e-mails, suddenly all their customers would start seeing the signatures. They might ask the company what these signatures are, and get an answer. Next thing you know, maybe they'd start using signatures themselves, thus propagating signing of e-mails further.
We'd need a few things to happen first, of course.
First of all, we'd need a standard that is integrated with the major e-mail clients. That does include web mail, of course.
Second of all, we'd need to figure out how to store private keys on web mail sites. My personal preference would be to not store the keys there. Instead, store the keys on the computer used to check mail, and have javascript generate the signature. This wouldn't work for some locations (net coffee shops, or work computers). Alternatively we could store the private keys on the webservers, but encrypted, and use the password provided at sign-on to decrypt the key.
Finally, we'd have to get people to stop trusting e-mail. If it's not signed, don't trust it. Maybe get the client to pop up a window saying "you've clicked on an unverified link, are you sure?". If it's signed, CHECK THE SOURCE. You can have a ring of trusted keys, but it's very important to stop people from accepting just about any key to their ring.
I'm sure there are other problems to be solved, but the main point is this: it takes momentum to get people to change their behavior, and preaching won't do it, but leading by example might.
m
And if it is rejected and they get a bounce message, they could jump on the IT dept for not doing their job. Email isn't and shouldn't be relied upon for extremely critical communications. What if there is a disk crash? A software bug, etc.?
Besides, It's not like mail servers just bring themselves online and start participating in sending mail without anyone knowing that it is going to happen. Plus they could just as easily provide all full netblocks that they control in their SPF record. Then the record would only need to be updated when they get a new set of IP addys assigned to them.
I can tell you that phones don't really make much difference, and even more so since we now have throw-away cell phones. I've received more than one voice-mail from people trying to phish me over the phone.
Only problem: it was not an IRS site. www.govbenefits.gov belongs to another agency. The bad guys found the fault and exploited it. Later reports in the media finally got it right. But it was a slick job; the script was in place to help users jump to other sites of interest.