Slashdot Mirror


Evolving Phishing Attacks Using Web Vulnerabilities?

miahrogers writes "The IRS Scam from a few weeks ago was not the usual canned phishing attack; it exploited a vulnerability in the IRS benefits website to make users think they were at a government site. Also, according to Infoworld, eBay's own fraud team was tricked into thinking a phishing email was legitimate eBay correspondence. Mix the above IRS exploit with a phony email and you have misplaced trust that foils even professional fraud teams. Interestingly enough, the newest addition to my bookshelf predicted these attacks in full detail. From chapter 4: 'Combined with vulnerable Web servers allowing the "trusted" domain to launch the attack, it will be harder to determine whether the email is or isn't legitimate. When a person turns in the e-mail to question its legitimacy, due to the known marketing campaign a tech support representative may overlook the fraud report and tell the customer that XYZ company did send out such a marketing e-mail and it is OK to click the links.' Are phishers using this book as a tool, or is it a legitimate prediction? As an IT professional, what efforts should our corporate IT department be making proactively to eliminate these vulnerabilities?"

7 of 179 comments

  1. fp by Anonymous Coward · Score: -1, Offtopic

    first post?

  2. firstpost! by Anonymous Coward · Score: -1, Offtopic

    post first!

  3. Use the registry, Luke! by mister_llah · Score: 0, Offtopic

    Restricting user's access rights to their own machine is an obvious preventative step.

    The Windows registry is a powerful tool for controlling what people can do to screw up a machine (sadly it isn't really well documented)...

    It isn't a miracle cure, nothing is... but it's a good idea.

    --
    MoM++ - A Classic Expanded - [Master of Magic 1.5]
    http://mompp.sourceforge.net/
  4. Take away the Internet. by Anonymous Coward · Score: -1, Offtopic

    Seriously. All Internet should be restricted and monitored. This is company time and business*. I have been a sysadmin long enough to know that the Internet isn't for "research". It can be but only in the hands of the responsible and monitored.

    Yes, I hate filters, proxies and the like but it can be done in a non-invasive way. Firewall reports can be generated and monitored by management (IT staff member preferred) so that MySpace employee X doesn't brag about their newest, oh what the devil do kids talk about, Nanopods.

    * I'm on company time at the moment.

  5. OT But ... Intelligent Design Loses Court Case. by kotku · Score: 0, Offtopic

    http://news.bbc.co.uk/2/hi/americas/4545822.stm

    Thought I'd pre-empt the inevitable slashdot article on the subject.

    Tee Hee Hee

    --
    The bikini - security through obscurity since 1943
    1. Re:OT But ... Intelligent Design Loses Court Case. by vertinox · Score: 0, Offtopic

      OT But ... Intelligent Design Loses Court Case

      Don't worry... Everyone got that info on Digg and we'll have plenty of times to comment and ramble on the topic after it's duped 3 times over the next week. ;)

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
  6. bitc4 by Anonymous Coward · Score: -1, Offtopic

    worse and Worse. As non-fucking-existent.