Evolving Phishing Attacks Using Web Vulnerabilities?
miahrogers writes "The IRS Scam from a few weeks ago was not the usual canned phishing attack; it exploited a vulnerability in the IRS benefits website to make users think they were at a government site. Also, according to Infoworld, eBay's own fraud team was tricked into thinking a phishing email was legitimate eBay correspondence. Mix the above IRS exploit with a phony email and you have misplaced trust that foils even professional fraud teams. Interestingly enough, the newest addition to my bookshelf predicted these attacks in full detail. From chapter 4: 'Combined with vulnerable Web servers allowing the "trusted" domain to launch the attack, it will be harder to determine whether the email is or isn't legitimate. When a person turns in the e-mail to question its legitimacy, due to the known marketing campaign a tech support representative may overlook the fraud report and tell the customer that XYZ company did send out such a marketing e-mail and it is OK to click the links.' Are phishers using this book as a tool, or is it a legitimate prediction? As an IT professional, what efforts should our corporate IT department be making to proactively eliminate these vulnerabilities?"
It's that simple. Just go to the web page directly.
From the InfoWorld article:
EBay has also been trying to shut down the Web site by working with the Internet registrar that was used to acquire the ebaychristmas.net domain, Pires said. Despite these efforts, however, the site has remained operational.
That registrar, which does business under the name Joker.com, has the power to shut down the scam Web site, Jennings said. "If they were taking their responsibilities seriously, the site would have been shut down weeks ago," he said.
Last time I checked, the Registrar wasn't responsible if a server that happened to be pointed to by a record on a DNS server registered as primary for one of the domains they registered contained fraudulent or misleading content. In fact, checking Joker's TOS, while Joker may have the "power" to shut him down, I don't immediately see that they have any legal right to do so.
You're special forces then? That's great! I just love your olympics!
"As an IT professional, what efforts should our corporate IT department be making to proactively eliminate these vulnerabilities?"
Educate your staff on the vulnerabilities of phishing and email scams. Give them specific examples of how these attacks work and how people are usually duped into them. Use some sort of visual presentation or photocopied handouts of how these attacks look and work. Make the staff very aware of the vulnerabilities on the internet/via email and tell them to ask themselves if it is potentially harmful, and if unsure, to contact an IT professional who would know.
Hopefully, at least 3/4 of those briefed will remember this information and put it to good use.
You can also buy "Phishing Exposed: Uncover Secrets from the Dark Side" to help explain the attacks.
This is essential reading for those who want to learn the ways of the Farce.
He who knows best knows how little he knows. - Thomas Jefferson
No.
Don't try to con the con, they've been at it longer than you have. That same web site is likely to try and exploit holes in your browser and start installing who knows what on your machine.
FYI, a signature is not the public key. Rather, it is a hash of the message that has been encrypted by the private key of the sender.
You find the sender's public key, use it to decrypt the hash, then compare it to a hash of the message that you've made yourself.
If the two match, you know the message has not been tampered with.
(all this is typically done more or less transparently by software)
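The sign-then-verify flow the comment above describes, as an added example that is not part of the original thread. It uses a toy textbook RSA key built from small constructed primes so the two steps (private-key operation on the digest, public-key recovery and comparison) are visible; it says nothing about how a recipient obtains the sender's public key in a trustworthy way, which is the part phishing actually attacks.

```python
import hashlib

# Toy RSA parameters from small constructed primes. This is NOT secure and is
# here only to make the sign/verify flow visible; real systems use 2048-bit+
# keys, PKCS#1 padding of the digest and a vetted library.
P, Q = 61, 53
N = P * Q                 # modulus, 3233
PHI = (P - 1) * (Q - 1)   # 3120
E = 17                    # public exponent (published with the sender's key)
D = pow(E, -1, PHI)       # private exponent (kept secret), 2753

PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def message_digest(message: bytes, n: int) -> int:
    """SHA-256 the message, then reduce so the value fits under the modulus.
    (Real RSA signatures pad the hash to the modulus size instead of reducing it.)"""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """The sender 'encrypts' the digest with the private exponent."""
    n, d = private_key
    return pow(message_digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """The receiver undoes the private-key operation with the public exponent
    and compares the recovered digest against a digest it computes itself."""
    n, e = public_key
    recovered = pow(signature, e, n)
    return recovered == message_digest(message, n)


if __name__ == "__main__":
    original = b"Invoice 1234 is attached."  # constructed sample message
    sig = sign(original)
    print("untampered verifies:", verify(original, sig))              # True
    print("altered body verifies:", verify(original + b" Pay now.", sig))  # False
```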
The eBay issue was simply a case of a tech support staffer who failed to recognize a scam domain, rather than any technical wizardry or social engineering expertise on the part of the scammers. It's a good argument for adopting defense at the browser level (i.e. toolbars and in-browser blocking) rather than counting on banks, registrars or hosting companies to shut sites down.
RichM
Data Center Knowledge
Hi Neal,
Lance hasn't paid you because you're a loser and can't produce productive work. Your DFP demo is shit and you almost cost us the STS contract.
You failed to hold up your end of the deal [e.g. be competent] and were FIRED because of it.
Fuck off and die,
Sincerely, Tom St Denis [I've since rewritten STS from scratch and it's a dozen times better].
Someday, I'll have a real sig.