Evolving Phishing Attacks Using Web Vulnerabilities?

miahrogers writes "The IRS Scam from a few weeks ago was not the the usual canned phishing attack; it exploited a vulnerability in the IRS benefits website to make users think they were at a government site. Also, according to Infoworld, eBay's own fraud team was tricked into thinking a phishing email was legitimate eBay correspondence. Mix the above IRS exploit with a phony email and you have misplaced trust that foils even professional fraud teams. Interestingly enough, the newest addition to my bookshelf predicted these attacks in full detail. From chapter 4: 'Combined with vulnerable Web servers allowing the "trusted" domain to launch the attack, it will be harder to determine whether the email is or isn't legitimate. When a person turns in the e-mail to question its legitimacy, due to the known marketing campaign a tech support representative may overlook the fraud report and tell the customer that XYZ company did send out such a marketing e-mail and it is OK to click the links.' Are phishers using this book as a tool, or is it a legitimate prediction? As an IT professional, what efforts should our corporate IT department be making to proactively to eliminate these vulnerabilities?"

All this will stop on the day...

[b4k3d+b34nz]

...that IE7 comes out with it's phishing filter. :P

Re:All this will stop on the day...

[ThosLives]

Only because of your sig: Did you really mean "The phishing filter owned by IT (Information Technology, or perhaps the Stephen King demon)," or did you incorrectly form the possessive of 'it'?

Simple: Ensure that your "trusted" sites really ca

[eldavojohn]

I would suggest reading up on the security measures you currently use. Maybe you use HTTPS and should read up about the security zones you can make using HTTPS.

If you can verify that your trusted sites really are trusted, then you should feel safer.

I think a lot of companies fall victim to using a security method X with out investigating security methods W, Y & Z. After minimal investigation, it might be clear that X has had problems in the past and there is a lot of buzz about possible future problems (like the book in the article might point out).

I don't know a ton about security but I would suggest you simply make yourself a subject matter expert and look out for possible problems with your particular security method.

This reeks

[Deep+Fried+Geekboy]

It's flippin' ridiculous that email still doesn't have any form of simple sender verification, which would eliminate not just phishing but about 90% of spam.

Re:This reeks

[CastrTroy]

It does. It's called PGP. The problem is, nobody uses it. Most webmail clients don't work well with it, how could they? they'd need to store your private key, which I wouldn't trust any free webmail client with. I'm surprised that EBay and Paypal don't support PGP encrypted/signed email. I get tons of phishing messages with their names on it. They also send out a lot of email, as it's often the only way to communicate with their customers. I think it would help out their customers a lot if they provided a way to verify that a message was actually from Paypal/Ebay. Maybe not everyone would be savvy enough to take advantage of it, but it would be nice for those who knew how it worked.

Personal Responsibility

[WickedClean]

Why does it always have to be the fault of the business websites? No matter how safe and secure you think something is, there will always be some jackass that falls victim to something because there will always be criminals preying on the ignorant. The REAL problem is uneducated users. It isn't that hard to spot a fraud if you just take a minute to look around. I know it is a lot to expect people to have a more than basic understanding of how the web works, but maybe they should try to learn something before casually posting their personal and financial info online.

Registrar Responsibility

[rjstanford]

From the InfoWorld article:

EBay has also been trying to shut down the Web site by working with the Internet registrar that was used to acquire the ebaychristmas.net domain, Pires said. Despite these efforts, however, the site has remained operational.

That registrar, which does business under the name Joker.com, has the power to shut down the scam Web site, Jennings said. "If they were taking their responsibilities seriously, the site would have been shut down weeks ago," he said.

Last time I checked, the Registrar wasn't responsible if a server that happened to be pointed to by a record on a DNS server is registered as primary for one of the domains that they registered contained fraudulent or misleading content. In fact, checking Joker's TOS, while Joker may have the "power" to shut him down, I don't immediately see that they have any legal right to do so.

Sign your emails

[Bogtha]

As an IT professional, what efforts should our corporate IT department be making to proactively to eliminate these vulnerabilities?"

There's been a way of eliminating phishing since before phishing existed. Sign your emails with a digital certificate. Get your users to use a mail client that displays big warning signs when an email is unsigned or is signed with an untrusted key. Get your users to trust your key.

If your users don't follow this advice and get scammed, well then it's their own fault. But it's not their fault if you don't sign your emails, and I can think of only a handful of companies that do this right now. Being one of them is being more proactive than most.

Re:Simple: Ensure that your "trusted" sites really

[Ed+Avis]

Why on earth don't Ebay GPG sign their messages? Even if most users wouldn't check the signature, at least their own fraud team could tell what was genuine Ebay correspondence and what wasn't...

You just need user vulnerabilities

[TedRiot]

In Finland there was a large scale phishing attack targeted at users of a major online bank. It had an url with a numeric IP address, was translated from an earlier English message by machine and was thus very bad Finnish. The earlier English message got wide publicity also in mainstream media. I got one of the messages and just out of curiosity checked out the website. The website was equally bad Finnish language and asked for username, PIN number and payment authorisation codes. Money was transferred from accounts of about 10 people to somewhere in Latvia. 8 transfers got cancelled by the bank, 2 accounts were already emptied on an ATM and about 20 thousand euros were stolen.

The bank has taken responsibility and promised to return the money of their customers, but a couple of days ago after this Finnish attack was still saying that the attacks are a scheme to undermine the trust of online banking, but maybe it was just a way to steal money from ignorant people?

Thoroughly educate your staff

[digitaldc]

As an IT professional, what efforts should our corporate IT department be making to proactively to eliminate these vulnerabilities?"

Educate your staff on the vulnerabilities of phishing and email scams. Give them specific examples of how these attacks work and how people are usually duped into them. Use some sort of visual presentation or photocopied handouts of how these attacks look and work. Make the staff very aware of the vulnerabilities on the internet/via email and tell them to ask themselves if it is potentially harmful, and if unsure, to contact an IT professional who would know.
Hopefully, at least 3/4 of those briefed will remember this information and put it to good use.

You can also buy "Phishing Exposed: Uncover Secrets from the Dark Side" to help explain the attacks.
This is essential reading for those who want to learn the ways of the Farce.