Slashdot Mirror


Evolving Phishing Attacks Using Web Vulnerabilities?

miahrogers writes "The IRS Scam from a few weeks ago was not the usual canned phishing attack; it exploited a vulnerability in the IRS benefits website to make users think they were at a government site. Also, according to Infoworld, eBay's own fraud team was tricked into thinking a phishing email was legitimate eBay correspondence. Mix the above IRS exploit with a phony email and you have misplaced trust that foils even professional fraud teams. Interestingly enough, the newest addition to my bookshelf predicted these attacks in full detail. From chapter 4: 'Combined with vulnerable Web servers allowing the "trusted" domain to launch the attack, it will be harder to determine whether the email is or isn't legitimate. When a person turns in the e-mail to question its legitimacy, due to the known marketing campaign a tech support representative may overlook the fraud report and tell the customer that XYZ company did send out such a marketing e-mail and it is OK to click the links.' Are phishers using this book as a tool, or is it a legitimate prediction? As an IT professional, what efforts should our corporate IT department be making to proactively eliminate these vulnerabilities?"

7 of 179 comments

  1. Simple: Ensure that your "trusted" sites really ca by eldavojohn · · Score: 4, Insightful

    I would suggest reading up on the security measures you currently use. Maybe you use HTTPS and should read up about the security zones you can make using HTTPS.

    If you can verify that your trusted sites really are trusted, then you should feel safer.

    I think a lot of companies fall victim to using a security method X without investigating security methods W, Y & Z. After minimal investigation, it might be clear that X has had problems in the past and there is a lot of buzz about possible future problems (like the book in the article might point out).

    I don't know a ton about security but I would suggest you simply make yourself a subject matter expert and look out for possible problems with your particular security method.

    --
    My work here is dung.
  2. This reeks by Deep+Fried+Geekboy · · Score: 4, Insightful

    It's flippin' ridiculous that email still doesn't have any form of simple sender verification, which would eliminate not just phishing but about 90% of spam.

    --

    I'm not wrong. You haven't thought about it hard enough.

    1. Re:This reeks by CastrTroy · · Score: 4, Insightful

      It does. It's called PGP. The problem is, nobody uses it. Most webmail clients don't work well with it; how could they? They'd need to store your private key, which I wouldn't trust any free webmail client with. I'm surprised that eBay and PayPal don't support PGP encrypted/signed email. I get tons of phishing messages with their names on it. They also send out a lot of email, as it's often the only way to communicate with their customers. I think it would help out their customers a lot if they provided a way to verify that a message was actually from PayPal/eBay. Maybe not everyone would be savvy enough to take advantage of it, but it would be nice for those who knew how it worked.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  3. Personal Responsibility by WickedClean · · Score: 4, Insightful

    Why does it always have to be the fault of the business websites? No matter how safe and secure you think something is, there will always be some jackass that falls victim to something because there will always be criminals preying on the ignorant. The REAL problem is uneducated users. It isn't that hard to spot a fraud if you just take a minute to look around. I know it is a lot to expect people to have a more than basic understanding of how the web works, but maybe they should try to learn something before casually posting their personal and financial info online.

    --
    ...All I can say is that my life is pretty strange...
  4. Sign your emails by Bogtha · · Score: 5, Insightful

    "As an IT professional, what efforts should our corporate IT department be making to proactively eliminate these vulnerabilities?"

    There's been a way of eliminating phishing since before phishing existed. Sign your emails with a digital certificate. Get your users to use a mail client that displays big warning signs when an email is unsigned or is signed with an untrusted key. Get your users to trust your key.

    If your users don't follow this advice and get scammed, well then it's their own fault. But it's not their fault if you don't sign your emails, and I can think of only a handful of companies that do this right now. Being one of them is being more proactive than most.

    --
    Bogtha Bogtha Bogtha
  5. Re:Simple: Ensure that your "trusted" sites really by Ed+Avis · · Score: 4, Insightful

    Why on earth don't Ebay GPG sign their messages? Even if most users wouldn't check the signature, at least their own fraud team could tell what was genuine Ebay correspondence and what wasn't...

    --
    -- Ed Avis ed@membled.com
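
What comments 4 and 5 (and CastrTroy's reply above) ask for, as an added example that is not from the original thread or from any of the companies named: a minimal mail signer plus the verification a mail client or a fraud desk would run over an incoming message. Ed25519 from Go's standard library stands in for a PGP or S/MIME key, the X-Signature header is a hypothetical carrier for the signature, and the addresses and messages are constructed for illustration. The point is the four verdicts a client must distinguish (unsigned, untrusted key, bad signature, verified), which is what "big warning signs when an email is unsigned or is signed with an untrusted key" means in code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Verdict is what a mail client should surface to the user. Anything other
// than Verified deserves a loud warning, not a quiet icon.
type Verdict int

const (
	Unsigned     Verdict = iota // no X-Signature header at all
	UntrustedKey                // From address has no key in the user's trust store
	BadSignature                // key is known, but the signature does not cover this content
	Verified                    // signed by the key the user trusts for that sender
)

func (v Verdict) String() string {
	return [...]string{"UNSIGNED", "UNTRUSTED KEY", "BAD SIGNATURE", "VERIFIED"}[v]
}

// TrustStore maps a sender address to the public key the user has chosen to
// trust for it: the "get your users to trust your key" step from comment 4.
type TrustStore map[string]ed25519.PublicKey

// NewKeyPair generates the company's signing key. Ed25519 stands in for a
// PGP/S-MIME key here; the trust logic is the same whichever is used.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// canonical builds the bytes that get signed: the headers a phisher would
// spoof plus the body, with line endings normalised so a relay that rewrites
// CRLF/LF cannot turn a genuine mail into a "bad signature".
func canonical(from, subject, body string) []byte {
	normBody := strings.TrimRight(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	return []byte("from:" + strings.ToLower(strings.TrimSpace(from)) + "\n" +
		"subject:" + strings.TrimSpace(subject) + "\n\n" + normBody)
}

// SignMessage returns a raw RFC 822-style message carrying the base64
// signature in a hypothetical X-Signature header.
func SignMessage(priv ed25519.PrivateKey, from, subject, body string) string {
	sig := ed25519.Sign(priv, canonical(from, subject, body))
	return "From: " + from + "\r\n" +
		"Subject: " + subject + "\r\n" +
		"X-Signature: " + base64.StdEncoding.EncodeToString(sig) + "\r\n" +
		"\r\n" + body
}

// parseMessage splits a raw message into lower-cased header names and the body.
func parseMessage(raw string) (map[string]string, string) {
	headers := map[string]string{}
	head, body, _ := strings.Cut(strings.ReplaceAll(raw, "\r\n", "\n"), "\n\n")
	for _, line := range strings.Split(head, "\n") {
		if name, val, ok := strings.Cut(line, ":"); ok {
			headers[strings.ToLower(strings.TrimSpace(name))] = strings.TrimSpace(val)
		}
	}
	return headers, body
}

// VerifyMessage is the check a mail client, or eBay's fraud team, would run.
// A phisher who strips the header gets Unsigned; one who signs with their own
// key from a look-alike address gets UntrustedKey; one who relays a genuine
// mail but swaps the link, or signs the real address with the wrong key,
// gets BadSignature.
func VerifyMessage(raw string, trust TrustStore) Verdict {
	headers, body := parseMessage(raw)
	sigB64, ok := headers["x-signature"]
	if !ok {
		return Unsigned
	}
	pub, ok := trust[strings.ToLower(headers["from"])]
	if !ok {
		return UntrustedKey
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || !ed25519.Verify(pub, canonical(headers["from"], headers["subject"], body), sig) {
		return BadSignature
	}
	return Verified
}

func main() {
	pub, priv := NewKeyPair()
	trust := TrustStore{"service@example.com": pub} // constructed trust store
	genuine := SignMessage(priv, "service@example.com", "Account notice",
		"Please review your account at https://example.com/")
	// Constructed attack: the genuine mail is relayed with the link swapped.
	tampered := strings.Replace(genuine, "example.com/", "example.com.evil.test/", 1)
	for _, c := range []struct{ name, msg string }{{"genuine", genuine}, {"tampered", tampered}} {
		fmt.Printf("%-9s -> %s\n", c.name, VerifyMessage(c.msg, trust))
	}
}
```

The hard parts of the real schemes are the two things this toy glosses over: deciding exactly which bytes are signed (canonicalisation, so that relays and webmail rewrites do not break every signature) and distributing the public key so that the trust store entry is the company's key and not a phisher's. The lookup is keyed on the exact sender address on purpose: a look-alike domain must fall through to UntrustedKey rather than inherit the real one's trust.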
  6. Re:Flood the Phishers by British · · Score: 3, Insightful

    Or maybe VISA and other credit card companies get in on this. Go to a known phishing site, put in a specially assigned VISA card #, trace the merchant on VISA's end when a transaction is attempted.... then hurt them. A "poison credit card", so to speak.