Evolving Phishing Attacks Using Web Vulnerabilities?

miahrogers writes "The IRS Scam from a few weeks ago was not the the usual canned phishing attack; it exploited a vulnerability in the IRS benefits website to make users think they were at a government site. Also, according to Infoworld, eBay's own fraud team was tricked into thinking a phishing email was legitimate eBay correspondence. Mix the above IRS exploit with a phony email and you have misplaced trust that foils even professional fraud teams. Interestingly enough, the newest addition to my bookshelf predicted these attacks in full detail. From chapter 4: 'Combined with vulnerable Web servers allowing the "trusted" domain to launch the attack, it will be harder to determine whether the email is or isn't legitimate. When a person turns in the e-mail to question its legitimacy, due to the known marketing campaign a tech support representative may overlook the fraud report and tell the customer that XYZ company did send out such a marketing e-mail and it is OK to click the links.' Are phishers using this book as a tool, or is it a legitimate prediction? As an IT professional, what efforts should our corporate IT department be making to proactively to eliminate these vulnerabilities?"

Never. Believe. Anything. From. Email. Ever.

[glengineer]

Ever, ever, ever....

Re:Never. Believe. Anything. From. Email. Ever.

[markomni]

As we can see, even professionals can be fooled! Caution should always be exercised. You have to determine what level of trust you grant to everything you come across on the internet, and you cannot rely solely on others to determine at what level you should trust information. You need to use a combination of your personal experience and outside information to set that level of trust.

Simple: Ensure that your "trusted" sites really ca

[eldavojohn]

I would suggest reading up on the security measures you currently use. Maybe you use HTTPS and should read up about the security zones you can make using HTTPS.

If you can verify that your trusted sites really are trusted, then you should feel safer.

I think a lot of companies fall victim to using a security method X with out investigating security methods W, Y & Z. After minimal investigation, it might be clear that X has had problems in the past and there is a lot of buzz about possible future problems (like the book in the article might point out).

I don't know a ton about security but I would suggest you simply make yourself a subject matter expert and look out for possible problems with your particular security method.

This reeks

[Deep+Fried+Geekboy]

It's flippin' ridiculous that email still doesn't have any form of simple sender verification, which would eliminate not just phishing but about 90% of spam.

Re:This reeks

[griffindj]

if the USPS has no such sender verification on standard mail... what makes you think you'll ever see it on the internet?

As long as their are uneducated people who are willing to sign up to this month's publisher's clearing house lottery or free chance to win an ipod, there will be people willing to take advantage of that.

Educate as many people as you can. And when they laugh at your paranoia, be content in knowing that your tin foil hate keeps the government from listening in on your thoughts.

Re:This reeks

[CastrTroy]

It does. It's called PGP. The problem is, nobody uses it. Most webmail clients don't work well with it, how could they? they'd need to store your private key, which I wouldn't trust any free webmail client with. I'm surprised that EBay and Paypal don't support PGP encrypted/signed email. I get tons of phishing messages with their names on it. They also send out a lot of email, as it's often the only way to communicate with their customers. I think it would help out their customers a lot if they provided a way to verify that a message was actually from Paypal/Ebay. Maybe not everyone would be savvy enough to take advantage of it, but it would be nice for those who knew how it worked.

Re:This reeks

[Alizarin+Erythrosin]

Maybe not everyone would be savvy enough to take advantage of it, but it would be nice for those who knew how it worked.

Unfortunately, the tech savvy among the users would be the least likely to need such a feature to determine if the email was legitimately from ebay, paypal, their bank, etc. We know the rules about suspicious email. It is the so-called "unwashed masses" that don't.

Personal Responsibility

[WickedClean]

Why does it always have to be the fault of the business websites? No matter how safe and secure you think something is, there will always be some jackass that falls victim to something because there will always be criminals preying on the ignorant. The REAL problem is uneducated users. It isn't that hard to spot a fraud if you just take a minute to look around. I know it is a lot to expect people to have a more than basic understanding of how the web works, but maybe they should try to learn something before casually posting their personal and financial info online.

Sign your emails

[Bogtha]

As an IT professional, what efforts should our corporate IT department be making to proactively to eliminate these vulnerabilities?"

There's been a way of eliminating phishing since before phishing existed. Sign your emails with a digital certificate. Get your users to use a mail client that displays big warning signs when an email is unsigned or is signed with an untrusted key. Get your users to trust your key.

If your users don't follow this advice and get scammed, well then it's their own fault. But it's not their fault if you don't sign your emails, and I can think of only a handful of companies that do this right now. Being one of them is being more proactive than most.

Re:Simple: Ensure that your "trusted" sites really

[Ed+Avis]

Why on earth don't Ebay GPG sign their messages? Even if most users wouldn't check the signature, at least their own fraud team could tell what was genuine Ebay correspondence and what wasn't...

Simple resolution

[Todd+Knarr]

There's a fairly simple way to avoid these attacks: never ever trust any link in any e-mail, period. If you think the e-mail is legitimate, ignore the links in it and use your own bookmarks to go to the relevant site and check your account or similar page there. If it really is legitimate, there'll be a way to find the information without depending on the e-mail links. It's not completely fool-proof, but for a phisher to fool you when you do this they'd have to vandalize the legitimate web-site to include their links on it's actual pages. That's harder than just faking an e-mail.

Why should I have to tell anyone this? It's received wisdom that if you receive a phone call from someone claiming to be your bank and asking to verify things like your PIN you should hang up, look up the bank's phone number in the phone book, call them yourself and ask Customer Service about the situation. First rule: never trust the identity of the other end unless you called them. Why should e-mail be any different?

Re:Flood the Phishers

[British]

Or maybe VISA and other credit card companies get in on this. Go to a known phishing site, put in a specially assigned VISA card #, trace the merchant on VISA's end when a transaction is attempted.... then hurt them. A "poison credit card", so to speak.

Re:Flood the Phishers

[vinn01]

Using a "marked" credit cards numbers goes back to the 1970's.

The problem is that the credit card companies are not motivated to stop fraud. They mostly view fraud as an acceptable business loss. Fraud is a very small percentage bump in their profits. They are not the victims of fraud.

The victims are mostly small businesses and credit card holders. They can't afford to ignore the loss. They spend hours of time working through fraud related clean-up measures. But their time and efforts cost the credit card companies nothing.

Motivate the credit card companies to stop fraud and fraud will become very difficult to get away with.

What happened to phones?

[boxxa]

I recently got an email from citibank.com asking for information about my bank account and asked to go to a website. The email from was from the citibank website and looked like it checked out, except, I dont have a citibank account...not now or ever in my life. Not even a citibank credit card, etc. Looking into things such as this in my free time, there is alot of loopholes and exploits that people can use to genereate a legit looking web pages. We expierements with DNS poisoning and also setting routes into test systems that even when the person would go to say, yourbank.com, it would redirect to our own server, but still show up yourbank.com. This asks a whole new set of questions such as how much are you protected? Using the internet to communicate information has made it easier but easier to break into. For everyone who is looking to make something easier, there is just as many people looking for ways to exploit it. Me personally have all my serious bank information is not over the information. Yes, i ahe my own logins with usernames on my bank and credit card sites that dont require me to enter my account number but any information that needs to be submitted nowadays is over the phone by my bank.

Re:Protecting site graphics

[Simon+Brooke]

(And yes, I know you should allow your email package to display HTML with remote images, but people do and this is the main technique phishers use to make their messages look legitimate.)

Exactly.

And that is exactly why people like eBay, banks, etc should never send mail which embeds remote images, and, ideally, should never send HTML formatted mail at all (or, probably, any other format more complex than plain text).