Slashdot Mirror


Evolving Phishing Attacks Using Web Vulnerabilities?

miahrogers writes "The IRS Scam from a few weeks ago was not the usual canned phishing attack; it exploited a vulnerability in the IRS benefits website to make users think they were at a government site. Also, according to Infoworld, eBay's own fraud team was tricked into thinking a phishing email was legitimate eBay correspondence. Mix the above IRS exploit with a phony email and you have misplaced trust that foils even professional fraud teams. Interestingly enough, the newest addition to my bookshelf predicted these attacks in full detail. From chapter 4: 'Combined with vulnerable Web servers allowing the "trusted" domain to launch the attack, it will be harder to determine whether the email is or isn't legitimate. When a person turns in the e-mail to question its legitimacy, due to the known marketing campaign a tech support representative may overlook the fraud report and tell the customer that XYZ company did send out such a marketing e-mail and it is OK to click the links.' Are phishers using this book as a tool, or is it a legitimate prediction? As an IT professional, what efforts should our corporate IT department be making to proactively eliminate these vulnerabilities?"

32 of 179 comments shown

  1. Never. Believe. Anything. From. Email. Ever. by glengineer · · Score: 2, Insightful

    Ever, ever, ever....

    --
    Evil Overlord Rule #86. I will make sure that my doomsday device is up to code and properly grounded.
    1. Re:Never. Believe. Anything. From. Email. Ever. by markomni · · Score: 2, Insightful

      As we can see, even professionals can be fooled! Caution should always be exercised. You have to determine what level of trust you grant to everything you come across on the internet, and you cannot rely solely on others to determine at what level you should trust information. You need to use a combination of your personal experience and outside information to set that level of trust.

    2. Re:Never. Believe. Anything. From. Email. Ever. by BushCheney08 · · Score: 2, Funny

      So are you saying I shouldn't order anything from the email I received yesterday that had the subject "MASTERDICK!"?

      BTW, I'm not kidding about the email, either. Definitely one of the better pieces of spam that's come my way...

      --
      Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
  2. All this will stop on the day... by b4k3d+b34nz · · Score: 4, Funny

    ...that IE7 comes out with it's phishing filter. :P

    --
    Grammar Lesson: you're is a contraction of "you are"; your means you possess something; yore means days gone by.
    1. Re:All this will stop on the day... by ThosLives · · Score: 4, Funny

      Only because of your sig: Did you really mean "The phishing filter owned by IT (Information Technology, or perhaps the Stephen King demon)," or did you incorrectly form the possessive of 'it'?

      --
      "There are a dozen opinions on a matter until you know the truth. Then there is only one." - CS Lewis (paraphrase)
  3. Simple: Ensure that your "trusted" sites really ca by eldavojohn · · Score: 4, Insightful

    I would suggest reading up on the security measures you currently use. Maybe you use HTTPS and should read up about the security zones you can make using HTTPS.

    If you can verify that your trusted sites really are trusted, then you should feel safer.

    I think a lot of companies fall victim to using a security method X without investigating security methods W, Y & Z. After minimal investigation, it might be clear that X has had problems in the past and there is a lot of buzz about possible future problems (like the book in the article might point out).

    I don't know a ton about security but I would suggest you simply make yourself a subject matter expert and look out for possible problems with your particular security method.

    --
    My work here is dung.
  4. Don't click the links. by Harmonious+Botch · · Score: 3, Informative

    It's that simple. Just go to the web page directly.

    1. Re:Don't click the links. by BushCheney08 · · Score: 2, Funny

      But typing http://www.f773js93skv0fjdakd9da4js0d9skdsdll23-39 sdksdf.ebay-h4xx0r.com/ is too hard. It's much easier to click the link...

      --
      Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
    2. Re:Don't click the links. by Andrewkov · · Score: 2, Interesting

      I don't even do that. If I don't have a bookmark saved, I Google for the company name and click on a link from there, rather than risk making a typing mistake that could take me to a fake site. At least when I'm going to be doing financial transactions, like on PayPal or my bank or something.

  5. This reeks by Deep+Fried+Geekboy · · Score: 4, Insightful

    It's flippin' ridiculous that email still doesn't have any form of simple sender verification, which would eliminate not just phishing but about 90% of spam.

    --
    I'm not wrong. You haven't thought about it hard enough.

    1. Re:This reeks by griffindj · · Score: 2, Insightful

      If the USPS has no such sender verification on standard mail... what makes you think you'll ever see it on the internet?

      As long as there are uneducated people who are willing to sign up to this month's Publishers Clearing House lottery or free chance to win an iPod, there will be people willing to take advantage of that.

      Educate as many people as you can. And when they laugh at your paranoia, be content in knowing that your tin foil hat keeps the government from listening in on your thoughts.

    2. Re:This reeks by CastrTroy · · Score: 4, Insightful

      It does. It's called PGP. The problem is, nobody uses it. Most webmail clients don't work well with it; how could they? They'd need to store your private key, which I wouldn't trust any free webmail client with. I'm surprised that eBay and PayPal don't support PGP encrypted/signed email. I get tons of phishing messages with their names on it. They also send out a lot of email, as it's often the only way to communicate with their customers. I think it would help out their customers a lot if they provided a way to verify that a message was actually from PayPal/eBay. Maybe not everyone would be savvy enough to take advantage of it, but it would be nice for those who knew how it worked.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    3. Re:This reeks by GigsVT · · Score: 2, Interesting

      how could they?

      A browser plugin could do it easily without exposing your private key. Start writing! :)

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    4. Re:This reeks by Alizarin+Erythrosin · · Score: 2, Insightful

      Maybe not everyone would be savvy enough to take advantage of it, but it would be nice for those who knew how it worked.

      Unfortunately, the tech savvy among the users would be the least likely to need such a feature to determine if the email was legitimately from ebay, paypal, their bank, etc. We know the rules about suspicious email. It is the so-called "unwashed masses" that don't.

      --
      There are only 10 kinds of people in this world... those who understand binary and those who don't
  6. Wellll by OverlordQ · · Score: 2, Funny

    As an IT professional, what efforts should our corporate IT department be making to proactively eliminate these vulnerabilities?

    Hard code your error messages, hard code everything you can, rely on user input as little as you can, and always treat it like nuclear waste.

    --
    Your hair look like poop, Bob! - Wanker.
  7. Personal Responsibility by WickedClean · · Score: 4, Insightful

    Why does it always have to be the fault of the business websites? No matter how safe and secure you think something is, there will always be some jackass that falls victim to something because there will always be criminals preying on the ignorant. The REAL problem is uneducated users. It isn't that hard to spot a fraud if you just take a minute to look around. I know it is a lot to expect people to have a more than basic understanding of how the web works, but maybe they should try to learn something before casually posting their personal and financial info online.

    --
    ...All I can say is that my life is pretty strange...
  8. Registrar Responsibility by rjstanford · · Score: 4, Informative

    From the InfoWorld article:

    EBay has also been trying to shut down the Web site by working with the Internet registrar that was used to acquire the ebaychristmas.net domain, Pires said. Despite these efforts, however, the site has remained operational.

    That registrar, which does business under the name Joker.com, has the power to shut down the scam Web site, Jennings said. "If they were taking their responsibilities seriously, the site would have been shut down weeks ago," he said.

    Last time I checked, the Registrar wasn't responsible if a server that happened to be pointed to by a record on a DNS server that is registered as primary for one of the domains that they registered contained fraudulent or misleading content. In fact, checking Joker's TOS, while Joker may have the "power" to shut him down, I don't immediately see that they have any legal right to do so.

    --
    You're special forces then? That's great! I just love your olympics!
  9. Sign your emails by Bogtha · · Score: 5, Insightful

    As an IT professional, what efforts should our corporate IT department be making to proactively eliminate these vulnerabilities?

    There's been a way of eliminating phishing since before phishing existed. Sign your emails with a digital certificate. Get your users to use a mail client that displays big warning signs when an email is unsigned or is signed with an untrusted key. Get your users to trust your key.

    If your users don't follow this advice and get scammed, well then it's their own fault. But it's not their fault if you don't sign your emails, and I can think of only a handful of companies that do this right now. Being one of them is being more proactive than most.

    --
    Bogtha Bogtha Bogtha
  10. Re:Simple: Ensure that your "trusted" sites really by Ed+Avis · · Score: 4, Insightful

    Why on earth don't eBay GPG sign their messages? Even if most users wouldn't check the signature, at least their own fraud team could tell what was genuine eBay correspondence and what wasn't...

    --
    -- Ed Avis ed@membled.com
  11. You just need user vulnerabilities by TedRiot · · Score: 5, Interesting

    In Finland there was a large scale phishing attack targeted at users of a major online bank. It had a URL with a numeric IP address, was translated from an earlier English message by machine and was thus very bad Finnish. The earlier English message got wide publicity also in mainstream media. I got one of the messages and just out of curiosity checked out the website. The website was equally bad Finnish language and asked for username, PIN number and payment authorisation codes. Money was transferred from accounts of about 10 people to somewhere in Latvia. 8 transfers got cancelled by the bank, 2 accounts were already emptied at an ATM and about 20 thousand euros were stolen.

    The bank has taken responsibility and promised to return the money of their customers, but a couple of days ago, after this Finnish attack, it was still saying that the attacks are a scheme to undermine the trust of online banking. But maybe it was just a way to steal money from ignorant people?

  12. Thoroughly educate your staff by digitaldc · · Score: 4, Informative

    As an IT professional, what efforts should our corporate IT department be making to proactively eliminate these vulnerabilities?

    Educate your staff on the vulnerabilities of phishing and email scams. Give them specific examples of how these attacks work and how people are usually duped into them. Use some sort of visual presentation or photocopied handouts of how these attacks look and work. Make the staff very aware of the vulnerabilities on the internet/via email and tell them to ask themselves if it is potentially harmful, and if unsure, to contact an IT professional who would know.
    Hopefully, at least 3/4 of those briefed will remember this information and put it to good use.

    You can also buy "Phishing Exposed: Uncover Secrets from the Dark Side" to help explain the attacks.
    This is essential reading for those who want to learn the ways of the Farce.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  13. Simple resolution by Todd+Knarr · · Score: 2, Insightful

    There's a fairly simple way to avoid these attacks: never ever trust any link in any e-mail, period. If you think the e-mail is legitimate, ignore the links in it and use your own bookmarks to go to the relevant site and check your account or similar page there. If it really is legitimate, there'll be a way to find the information without depending on the e-mail links. It's not completely fool-proof, but for a phisher to fool you when you do this they'd have to vandalize the legitimate web-site to include their links on its actual pages. That's harder than just faking an e-mail.

    Why should I have to tell anyone this? It's received wisdom that if you receive a phone call from someone claiming to be your bank and asking to verify things like your PIN you should hang up, look up the bank's phone number in the phone book, call them yourself and ask Customer Service about the situation. First rule: never trust the identity of the other end unless you called them. Why should e-mail be any different?

  14. Re:Flood the Phishers by Jjeff1 · · Score: 3, Informative

    No.

    Don't try to con the con, they've been at it longer than you have. That same web site is likely to try and exploit holes in your browser and start installing who knows what on your machine.

  15. PhishFighting.com by fak3r · · Score: 2, Interesting

    While I have plenty of defense on my mail server (Spamassassin, Clamav, dcc, razor, MailScanner) to stop this stuff from reaching my users' mailboxes, a good offense is needed to help pollute the Phishers' database with garbage. Enter:

    http://www.phishfighting.com/

    "Just enter the Phishing email's REAL url below and watch as realistic looking, fake, entries are continuously sent to the Phisher's fake site. The criminal will receive hundreds or thousands of fake entries and he won't be able to tell which are fake and which are real."

    Nice stuff.

  16. Phishing filter eh? by Comboman · · Score: 2, Funny

    Is it too late to trade-mark the name 'philter'?

    --
    Support Right To Repair Legislation.
  17. Re:Flood the Phishers by British · · Score: 3, Insightful

    Or maybe VISA and other credit card companies get in on this. Go to a known phishing site, put in a specially assigned VISA card #, trace the merchant on VISA's end when a transaction is attempted.... then hurt them. A "poison credit card", so to speak.

  18. digital signature by Anonymous Coward · · Score: 2, Informative

    FYI, a signature is not the public key. Rather, it is a hash of the message, that has been encrypted by the private key of the sender.

    You find the sender's public key, use it to decrypt the hash, then compare it to a hash of the message that you've made yourself.

    If the two match, you know the message has not been tampered with.

    (all this is typically done more or less transparently by software)
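
The sign-then-verify flow that comments 9 and 18 describe, as an added example that is not part of the original thread. It is constructed demonstration code using textbook RSA with no padding: enough to show the idea (hash the message, transform the hash with the private key, undo that with the public key and compare) but not what PGP or S/MIME actually do, which is a vetted library with a padded or EdDSA scheme. Key sizes, the seed values and the sample message text are assumptions for the demo.

```python
"""Added example: textbook RSA signing of a mail body, to illustrate the
'hash encrypted with the private key' description in the thread.

Constructed demonstration, not code from the original page. No padding,
512-bit modulus: educational only. Requires Python 3.8+ for pow(e, -1, phi)."""
import hashlib
import math
import random


def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin test; 'rng' is a random.Random so key generation is repeatable."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    """Draw odd candidates with the top bit set until one passes the test."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate, rng):
            return candidate


def generate_keypair(bits=512, seed=None):
    """Return (public, private) as ((n, e), (n, d)).

    A 512-bit modulus is far too small for real use, but it is wide enough
    that a 256-bit SHA-256 digest is always smaller than n, which the
    unpadded scheme below relies on."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p = _random_prime(bits // 2, rng)
        q = _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    n = p * q
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def _digest_as_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message):
    """'Encrypt' the hash with the private key, as comment 18 puts it."""
    n, d = private_key
    return pow(_digest_as_int(message), d, n)


def verify(public_key, message, signature):
    """Recover the hash with the public key and compare with our own hash."""
    n, e = public_key
    return pow(signature, e, n) == _digest_as_int(message)


if __name__ == "__main__":
    public, private = generate_keypair(seed=2006)
    notice = b"Your statement is ready at https://www.ebay.example/account"
    sig = sign(private, notice)
    print("genuine message verifies:", verify(public, notice, sig))
    # A phisher who rewrites the link cannot keep the signature valid...
    forged = notice.replace(b"ebay.example", b"evil.example")
    print("tampered message verifies:", verify(public, forged, sig))
    # ...and a signature made with their own key fails against the trusted key.
    _, other_private = generate_keypair(seed=1337)
    print("other key verifies:", verify(public, forged, sign(other_private, forged)))
```

The two negative cases are the whole point for a fraud team: an altered body and a signature from a key the company never published both fail, regardless of how convincing the mail looks.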

  19. Re:Flood the Phishers by vinn01 · · Score: 2, Insightful

    Using "marked" credit card numbers goes back to the 1970s.

    The problem is that the credit card companies are not motivated to stop fraud. They mostly view fraud as an acceptable business loss. Fraud is a very small percentage bump in their profits. They are not the victims of fraud.

    The victims are mostly small businesses and credit card holders. They can't afford to ignore the loss. They spend hours of time working through fraud related clean-up measures. But their time and efforts cost the credit card companies nothing.

    Motivate the credit card companies to stop fraud and fraud will become very difficult to get away with.

  20. Two Different Threats, Both Problematic by miller60 · · Score: 2, Informative

    The two examples feature separate problems that are both serious, but not easy to combine. The IRS phishing scam was enabled by an open redirect on the govbenefits.gov web site that allowed phishers to craft a URL that uses the govbenefits.gov URL but instead sends users to a web server in Italy. Security flaws in trusted sites are found and exploited quite often by phishing crews, who look for applications that are likely to allow redirection or cross-site scripting. The NIST site, which hosts the US cyber-vulnerability database, was recently found to be briefly vulnerable to cross-site scripting.

    The eBay issue was simply a case of a tech support staffer who failed to recognize a scam domain, rather than any technical wizardry or social engineering expertise on the part of the scammers. It's a good argument for adopting defense at the browser level (i.e. toolbars and in-browser blocking) rather than counting on banks, registrars or hosting companies to shut sites down.
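
A server-side guard against the open-redirect pattern miller60 describes, as an added example that is not part of the original thread or of the govbenefits.gov site. The function name, the allowed host list and every host name in the probes are constructed for the demo. It goes a little beyond the single case in the comment by rejecting the common variants of an off-site target (scheme-relative `//host`, backslashes, userinfo tricks, non-HTTP schemes, dot-segment paths) and only ever emitting a site-local path.

```python
"""Added example: accept a 'next' redirect parameter only when it stays on
the site's own host, so a trusted domain cannot be used to bounce visitors
to a phishing server.

Constructed demonstration, not code from the original page; host names are
placeholders."""
import posixpath
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"govbenefits.example", "www.govbenefits.example"}   # constructed


def safe_redirect_target(requested, allowed_hosts=ALLOWED_HOSTS, default="/"):
    """Return a site-local path for 'requested', or 'default' if it would leave the site."""
    if not requested:
        return default
    # Browsers treat '\' like '/', so normalise before parsing:
    # '/\evil.example/x' would otherwise look like a same-site path.
    candidate = requested.strip().replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default                                  # javascript:, data:, ...
    if parts.netloc:
        # .hostname strips userinfo and port and lowercases, so
        # 'https://govbenefits.example@evil.example/' resolves to evil.example.
        if (parts.hostname or "") not in allowed_hosts:
            return default
    path = posixpath.normpath(parts.path or "/")        # '/..//evil' -> '/evil'
    if not path.startswith("/") or path.startswith("//"):
        return default                                  # relative, or host-like
    # Re-emit without scheme or host so the Location header can never name one.
    return urlunsplit(("", "", path, parts.query, parts.fragment))


if __name__ == "__main__":
    probes = (
        "/account",
        "https://www.govbenefits.example/help?lang=en",
        "https://evil.example/login",
        "//evil.example/login",
        "/\\evil.example/login",
        "https://govbenefits.example@evil.example/",
        "javascript:alert(1)",
        "/..//evil.example/",
    )
    for probe in probes:
        print(f"{probe!r:50} -> {safe_redirect_target(probe)!r}")
```

Detection is the other half: a redirect endpoint that emits an off-site `Location` header for a request parameter it did not validate is exactly what the phishing crews in the comment look for, so logging rejected targets gives an early signal that someone is probing for it.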

  21. What happened to phones? by boxxa · · Score: 2, Insightful

    I recently got an email from citibank.com asking for information about my bank account and asked to go to a website. The email from was from the citibank website and looked like it checked out, except, I don't have a citibank account...not now or ever in my life. Not even a citibank credit card, etc. Looking into things such as this in my free time, there are a lot of loopholes and exploits that people can use to generate legit-looking web pages. We experimented with DNS poisoning and also setting routes into test systems so that even when the person would go to, say, yourbank.com, it would redirect to our own server, but still show up as yourbank.com. This asks a whole new set of questions such as how much are you protected? Using the internet to communicate information has made it easier, but also easier to break into. For everyone who is looking to make something easier, there are just as many people looking for ways to exploit it. Me personally, all my serious bank information is not over the internet. Yes, I have my own logins with usernames on my bank and credit card sites that don't require me to enter my account number, but any information that needs to be submitted nowadays is over the phone with my bank.

    --
    Bryan
  22. Re:Protecting site graphics by Simon+Brooke · · Score: 2, Insightful

    (And yes, I know you should allow your email package to display HTML with remote images, but people do and this is the main technique phishers use to make their messages look legitimate.)

    Exactly.

    And that is exactly why people like eBay, banks, etc should never send mail which embeds remote images, and, ideally, should never send HTML formatted mail at all (or, probably, any other format more complex than plain text).

    --
    I'm old enough to remember when discussions on Slashdot were well informed.
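
An audit of an HTML mail body for the two things this thread keeps returning to, remote images (this comment) and links whose visible text names a different host than the one they actually point at (the "don't click the links" comments), as an added example that is not part of the original thread. The sample message and every host name in it are constructed; the function and class names are assumptions for the demo.

```python
"""Added example: flag remote images and text/href host mismatches in an
HTML mail body, the two tells discussed in the thread.

Constructed demonstration, not code from the original page; the sample mail
below is made up."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that itself looks like a URL or bare domain.
_URL_LIKE = re.compile(
    r"^(?:https?://)?(?:www\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:/\S*)?$", re.I)


def _host(url_or_text):
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


class _MailAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.remote_images = []
        self.links = []          # (href, visible text) for every <a href>
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img":
            src = attrs.get("src") or ""
            # cid: and data: images travel with the message; http(s) ones phone home
            if urlsplit(src).scheme.lower() in ("http", "https"):
                self.remote_images.append(src)
        elif tag == "a" and attrs.get("href"):
            self._href, self._text = attrs["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_html_mail(html):
    """Return remote image URLs and links whose URL-looking text points elsewhere."""
    auditor = _MailAuditor()
    auditor.feed(html)
    auditor.close()
    # Exact host comparison on purpose: 'www.ebay.example' vs a look-alike
    # such as 'www.ebay-security.example' is precisely the case to catch.
    mismatched = [(href, text) for href, text in auditor.links
                  if _URL_LIKE.match(text) and _host(text) != _host(href)]
    return {"remote_images": auditor.remote_images, "mismatched_links": mismatched}


# Constructed sample resembling the mails discussed in the thread.
SAMPLE_MAIL = """<html><body>
<img src="https://img.ebay.example/logo.gif">
<img src="cid:footer@local">
<p>Your account will be suspended unless you sign in:
<a href="http://www.ebay-security.example/signin">https://www.ebay.example/signin</a></p>
<p><a href="https://www.ebay.example/help">Help centre</a></p>
</body></html>"""

if __name__ == "__main__":
    report = audit_html_mail(SAMPLE_MAIL)
    print("remote images   :", report["remote_images"])
    print("mismatched links:", report["mismatched_links"])
```

A legitimate sender following the advice in this comment (plain text, or HTML with no remote images) produces an empty report, which is what makes the check useful as a first-line filter on a mail gateway or in a fraud team's triage tooling.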
  23. Re:What a fraud by tomstdenis · · Score: 2, Informative

    Hi Neal,

    Lance hasn't paid you because you're a loser and can't produce productive work. Your DFP demo is shit and you almost cost us the STS contract.

    You failed to hold up your end of the deal [e.g. be competent] and were FIRED because of it.

    Fuck off and die,
    Sincerely, Tom St Denis [I've since re-wrote STS from scratch and it's a dozen times better].

    --
    Someday, I'll have a real sig.