Slashdot Mirror


Evolving Phishing Attacks Using Web Vulnerabilities?

miahrogers writes "The IRS Scam from a few weeks ago was not the the usual canned phishing attack; it exploited a vulnerability in the IRS benefits website to make users think they were at a government site. Also, according to Infoworld, eBay's own fraud team was tricked into thinking a phishing email was legitimate eBay correspondence. Mix the above IRS exploit with a phony email and you have misplaced trust that foils even professional fraud teams. Interestingly enough, the newest addition to my bookshelf predicted these attacks in full detail. From chapter 4: 'Combined with vulnerable Web servers allowing the "trusted" domain to launch the attack, it will be harder to determine whether the email is or isn't legitimate. When a person turns in the e-mail to question its legitimacy, due to the known marketing campaign a tech support representative may overlook the fraud report and tell the customer that XYZ company did send out such a marketing e-mail and it is OK to click the links.' Are phishers using this book as a tool, or is it a legitimate prediction? As an IT professional, what efforts should our corporate IT department be making to proactively to eliminate these vulnerabilities?"

2 of 179 comments (clear)

  1. All this will stop on the day... by b4k3d+b34nz · · Score: 4, Funny

    ...that IE7 comes out with it's phishing filter. :P

    --
    Grammar Lesson: you're is a contraction of "you are"; your means you possess something; yore means days gone by.
    1. Re:All this will stop on the day... by ThosLives · · Score: 4, Funny

      Only because of your sig: Did you really mean "The phishing filter owned by IT (Information Technology, or perhaps the Stephen King demon)," or did you incorrectly form the possessive of 'it'?

      --
      "There are a dozen opinions on a matter until you know the truth. Then there is only one." - CS Lewis (paraprhase)