Evolving Phishing Attacks Using Web Vulnerabilities?
miahrogers writes "The IRS scam from a few weeks ago was not the usual canned phishing attack; it exploited a vulnerability in the IRS benefits website to make users think they were at a government site. Also, according to Infoworld, eBay's own fraud team was tricked into thinking a phishing email was legitimate eBay correspondence. Mix the above IRS exploit with a phony email and you have misplaced trust that foils even professional fraud teams. Interestingly enough, the newest addition to my bookshelf predicted these attacks in full detail. From chapter 4: 'Combined with vulnerable Web servers allowing the "trusted" domain to launch the attack, it will be harder to determine whether the email is or isn't legitimate. When a person turns in the e-mail to question its legitimacy, due to the known marketing campaign a tech support representative may overlook the fraud report and tell the customer that XYZ company did send out such a marketing e-mail and it is OK to click the links.' Are phishers using this book as a tool, or is it a legitimate prediction? As an IT professional, what efforts should our corporate IT department be making to proactively eliminate these vulnerabilities?"
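The submission does not say what flaw on the IRS site was abused, only that a trusted domain was made to "launch the attack". One common way that happens is an unvalidated redirect parameter, so as an added example (not code from the page, the book, or the IRS site; the hostnames, the `next` parameter and the handler functions are all assumptions for illustration) here is a redirect handler in its vulnerable form beside a hardened form that only ever redirects within the trusted host. This is the kind of fix an IT department can apply proactively.

```python
"""
Open-redirect demonstration (added example, hypothetical site).

A phisher builds a link that really points at the trusted domain but
carries the phishing page in a redirect parameter.  The vulnerable
handler forwards the victim there; the hardened handler does not.
"""
from urllib.parse import urlsplit, urljoin, parse_qs, quote

# Assumed trusted site; not a real IRS URL.
TRUSTED_BASE = "https://benefits.example.gov/"


def unsafe_redirect_target(next_param: str, base: str = TRUSTED_BASE) -> str:
    """Vulnerable: trusts the 'next' parameter verbatim."""
    return next_param


def safe_redirect_target(next_param: str, base: str = TRUSTED_BASE) -> str:
    """Hardened: resolve relative to the trusted base and refuse anything
    that would land on another host, another scheme, or use browser
    quirks (backslashes, control characters, userinfo@host)."""
    allowed_host = urlsplit(base).hostname
    if not next_param or any(ord(c) < 0x20 or c == "\\" for c in next_param):
        return base
    resolved = urljoin(base, next_param)       # "//evil" becomes "https://evil"
    parts = urlsplit(resolved)
    if parts.scheme != "https":                # rejects javascript:, http:evil
        return base
    if parts.hostname != allowed_host or "@" in parts.netloc:
        return base                            # rejects host.evil and host@evil
    return resolved


def lure_url(phisher_page: str, base: str = TRUSTED_BASE) -> str:
    """What the phishing e-mail would contain: a link on the trusted host."""
    return f"{base}login?next={quote(phisher_page, safe='')}"


def follow(url: str, resolver) -> str:
    """Simulate the server handling the request: pull 'next' from the query
    and ask the given resolver where to send the browser."""
    query = parse_qs(urlsplit(url).query)
    return resolver(query.get("next", [""])[0])


if __name__ == "__main__":
    lure = lure_url("https://phish.example/irs-refund")
    print("link in e-mail :", lure)
    print("vulnerable site:", follow(lure, unsafe_redirect_target))
    print("hardened site  :", follow(lure, safe_redirect_target))
```

The hardened version deliberately resolves the parameter with `urljoin` before checking it, so protocol-relative (`//phish.example`) and scheme-only (`http:phish.example`) forms are judged by where a browser would actually go rather than by how the string looks.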
A possible way to stop phishing is to simply flood them with too many responses to their emails.
When you get a phishing email, simply go to the pointed-to site, enter false information and then click the submit button.
For every false set of data they receive they have to try to use that invalid credit card number, eBay password, etc., thus costing them extreme amounts of time.
In Finland there was a large-scale phishing attack targeted at users of a major online bank. It had a URL with a numeric IP address, was translated from an earlier English message by machine and was thus very bad Finnish. The earlier English message got wide publicity also in mainstream media. I got one of the messages and, just out of curiosity, checked out the website. The website was in equally bad Finnish and asked for username, PIN number and payment authorisation codes. Money was transferred from the accounts of about 10 people to somewhere in Latvia. 8 transfers got cancelled by the bank, 2 accounts were already emptied at an ATM and about 20 thousand euros were stolen.
The bank has taken responsibility and promised to return the money of their customers, but a couple of days ago, after this Finnish attack, it was still saying that the attacks are a scheme to undermine the trust of online banking. Or maybe it was just a way to steal money from ignorant people?
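Two warning signs come up on this page: the Finnish bank lure used a numeric IP address in its URL, and the IRS lure used a link that genuinely pointed at the trusted domain but carried the victim elsewhere. Below is an added example (not code from the page, the bank, or any commenter; the hostnames, the sample e-mail and the `TRUSTED_HOSTS` set are constructed for illustration) of a link check a mail gateway or a fraud team could run over the anchors in an HTML message. It flags numeric-IP hosts, anchors whose visible text names a different domain than the href, and links on a trusted host whose query string carries an absolute URL pointing somewhere else.

```python
"""
Phishing-link triage over the anchors of an HTML e-mail (added example).
"""
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# Hosts the organisation considers its own; constructed for the example.
TRUSTED_HOSTS = {"benefits.example.gov", "www.examplebank.example"}

# Constructed sample message: one numeric-IP lure with misleading link text,
# one redirect-parameter lure on a trusted host, and one benign link.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<a href="http://203.0.113.7/login">https://www.examplebank.example/login</a>
<a href="https://benefits.example.gov/login?next=https://phish.example/refund">Claim your refund</a>
<a href="https://benefits.example.gov/refund/status">Refund status</a>
"""

ANCHOR_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def host_is_numeric_ip(host: str) -> bool:
    """True for dotted IPv4 or IPv6 literals (urlsplit strips the brackets)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def text_host(anchor_text: str):
    """Domain a reader would believe they are visiting, from the link text."""
    m = DOMAIN_IN_TEXT.search(anchor_text)
    return m.group(1).lower() if m else None


def external_urls_in_query(href: str):
    """Query parameters whose value is a URL on a different host than href."""
    parts = urlsplit(href)
    hits = []
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            target = urlsplit(value).hostname
            if target and target != parts.hostname:
                hits.append((key, value))
    return hits


def analyse_link(anchor_text: str, href: str) -> list:
    """Return a list of finding tags for one anchor; empty means nothing seen."""
    host = (urlsplit(href).hostname or "").lower()
    findings = []
    if host_is_numeric_ip(host):
        findings.append("numeric-ip-host")
    shown = text_host(anchor_text)
    if shown and shown != host:
        findings.append(f"display-text-mismatch:{shown}")
    for key, value in external_urls_in_query(href):
        findings.append(f"external-url-in-query:{key}={value}")
    if host and host not in TRUSTED_HOSTS and not host_is_numeric_ip(host):
        findings.append("untrusted-host")
    return findings


def analyse_email(html: str) -> list:
    """[(href, findings), ...] for every anchor in the message, in order."""
    return [(href, analyse_link(text, href)) for href, text in ANCHOR_RE.findall(html)]


if __name__ == "__main__":
    for href, findings in analyse_email(SAMPLE_EMAIL):
        print(href, "->", findings or "ok")
```

The redirect-parameter check is the one the page's IRS example calls for: the link passes a naive "is it on our domain?" test, so the tag has to come from what the query string would make the trusted site do, not from the host alone.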
While I have plenty of defense on my mail server (SpamAssassin, ClamAV, DCC, Razor, MailScanner) to stop this stuff from reaching my users' mailboxes, a good offense is needed to help pollute the phishers' database with garbage. Enter:
http://www.phishfighting.com/
"Just enter the phishing email's REAL URL below and watch as realistic-looking, fake entries are continuously sent to the phisher's fake site. The criminal will receive hundreds or thousands of fake entries and he won't be able to tell which are fake and which are real."
Nice stuff.
A browser plugin could do it easily without exposing your private key. Start writing!
I don't even do that. If I don't have a bookmark saved, I Google for the company name and click on a link from there, rather than risk making a typing mistake that could take me to a fake site. At least when I'm going to be doing financial transactions, like on PayPal or my bank or something.