Slashdot Mirror


Evolving Phishing Attacks Using Web Vulnerabilities?

miahrogers writes "The IRS Scam from a few weeks ago was not the the usual canned phishing attack; it exploited a vulnerability in the IRS benefits website to make users think they were at a government site. Also, according to Infoworld, eBay's own fraud team was tricked into thinking a phishing email was legitimate eBay correspondence. Mix the above IRS exploit with a phony email and you have misplaced trust that foils even professional fraud teams. Interestingly enough, the newest addition to my bookshelf predicted these attacks in full detail. From chapter 4: 'Combined with vulnerable Web servers allowing the "trusted" domain to launch the attack, it will be harder to determine whether the email is or isn't legitimate. When a person turns in the e-mail to question its legitimacy, due to the known marketing campaign a tech support representative may overlook the fraud report and tell the customer that XYZ company did send out such a marketing e-mail and it is OK to click the links.' Are phishers using this book as a tool, or is it a legitimate prediction? As an IT professional, what efforts should our corporate IT department be making to proactively to eliminate these vulnerabilities?"

1 of 179 comments (clear)

  1. Sign your emails by Bogtha · · Score: 5, Insightful

    As an IT professional, what efforts should our corporate IT department be making to proactively to eliminate these vulnerabilities?"

    There's been a way of eliminating phishing since before phishing existed. Sign your emails with a digital certificate. Get your users to use a mail client that displays big warning signs when an email is unsigned or is signed with an untrusted key. Get your users to trust your key.

    If your users don't follow this advice and get scammed, well then it's their own fault. But it's not their fault if you don't sign your emails, and I can think of only a handful of companies that do this right now. Being one of them is being more proactive than most.

    --
    Bogtha Bogtha Bogtha