Slashdot Mirror
Next Gen Phishing Improves on Simple Spam
An anonymous reader writes "ZDNet has a writeup about the next generation of phishing. According to the article, as anti-spam engines improve and user education levels increase, phishers will find it easier to hack into web servers and deliver password stealing trojans using browser vulnerabilities or Web 2.0 technologies than spam. Tom Chan from Messagelabs is quoted: 'They are trying to compromise poorly protected Web sites — they basically go in and enter their own code into that Web server,' said Chan, who explained that victims of this new phishing era would not have to do anything wrong in order to get hooked. 'You have gone to a legitimate Web site, you have not made a mistake and done everything right, but then your information gets compromised... because [the phishers] have taken over servers that belong to other people.'"
Not to be pedantic here, but if a person gains access to users' passwords by hacking the actual site, rather than sending out bogus emails and/or setting up counterfeit web pages, can this activity really be called 'phishing'?
From TFA:
And from the 'phishing' entry in Wikipedia:
This attack does not consist of masquerading as a trusted party...it consists of compromising said trusted party. Thus, this activity cannot accurately be referred to as 'phishing'.
____
~ |rip/\/\aster /\/\onkey
It seems to me that the 'fishing' metaphor is no longer apt in this case. Cracking web servers and installing key logger trojans is plain old balck hat hacking.
Their qualifications for describing new types of attacks (which are actually age old) seem pretty phishy. Hell, they could have called it a server side trojan. I can do a better job than them, and I'm some guy wasting my time browsing slashdot..
He tried to kill me with a forklift!
After working in bank security for a few months, I was always constantly amazed by how even the most educated of web users still falls for a phishing scam. I wonder if that has more to do with lack of education regarding bank/web security or have phishers just gotten that much better?
"One thing I think is noteworthy of calling out is the fact that these type of attacks can impact many people quickly, but they can also be halted in short order because they have a central chokepoint: the organisation hosting the Web site or Web service in question.
I'm still confused as to how this is Next Gen? This exists now.
If this is news just because phissing is a new word or something... then my time here is a waste...
Farewell... I'll go for youtube and watch videos of adipose cosplayers...
I'd call it hacking, not phishing, but this happened to us earlier this year. Our company web site at was hacked many times over a period of a month to insert code redirecting visitors to a Russian site that attempted to install a trojan. We knew that 's server was compromised because other users of the same server were also complaining about the same thing. 's reaction?: "We are aware of the problem and we are investigating". We abandoned our account there and moved to another web host after repairing our site every day (often several times per day) for a month.
So they're hacking the servers and stealing passwords? Then that's not phishing.
So you could break into a bank and steal a backup tape with usernames/passwords and that would be "phishing".
Has "phishing" become another meaningless buzzword for "security" "experts" to toss around?
This would definately put them into the black hat arena and no longer phishing. It requires a bit more skill than the average phishing attempt.
I have found that fixing server vunerablilities are much easier than phishing because I have more direct control over it; I don't have to rely on random individuals to keep their guard up 24/7. The new IE is using a web service black list to help control phishing by reducing the mistakes of the masses. I'm not too keen on it yet, but it shows how difficult it is to control the random individual verse a single point of attack.
"They are trying to compromise poorly protected Web sites"
Fortunately as slashdot often reminds us. Apache is the number one server (over you know who), and the people who use Linux and Unix software are the most intelligent people on the planet (we're command line commandos).
Gee, it's not phishing then, is it? It's cracking, infecting, eaves-dropping and theft.
The first thing to take into account is that this article seemed to be written by a "security expert" who skimped on a few key details.
/etc/passwd or /etc/shadow file under linux (poor examples as they are locked while linux is running) I would deny it.
The first is that no web site should ever be able to execute code on your PC without your express permission. If it can then the browser being used to access that site needs fixing.
Now there will still be cases where the user has to give permission to execute code locally in order for the site to work properly but these should be very very rare. Most code that is executed such as ActiveX or Javascript should be excuted in a sandbox environment where no access is given to local PC resources. If a local resource is needed it should be asked for specifically and the accepted or denied permission by the user.
What does need to happen is that users need to be educated into a state of mind where they deny everything and then only go back the accept permission to access a local resource if something doesnt work properly and it make sense for the web site to be accessing the resource in question. For instance, if a web site wants access to my
These problems all seem to stem from most PC users being lazy and not wanting to know these things. What they want is to have everything complicated hidden from them and everything to "just work". This might be possible with a pencil or other simple device but with things as complicated as PC's or Motor Vehicles it will not. Ever.
I really think that for people to expect to use a machine as complicated as a PC, they must understand the basics of how to operate it safely. This is no different to expecting drivers to undertake a test of competance. Without a driving licence I am not able to drive on the road although I can drive round my own back yard to my hearts content. Using a computer should ideally be the same where users are forced to undertake a basic competancy exam before they can allow their computer to interact with the web.
Until this happens you will always have users who allow their PC to be hijacked by malicious software and then carry on using it without calling for help. This is no different to forcing drivers not to drive with faulty breaks or severely worn tires.
Now how you would enforce this is a little complicated but it must still be possible with legislation. This is no different to a car salesman wanting to see a driving licence and proof of insurance before I buy a car. He wouldn't do that by choice (He would probably much rather make a sale regardless) but can be forced to by law.
I dont read
Or just an average day at the NSA...
Ask not what you can do for your country. Ask what your country did to you
For everyone screaming "If you hack the server..."
I've already seen this "next generation phishing" method used. I was on e-bay looking for a piece of autographed memorabilia. I noticed one auction and clicked on it. The E-Bay login screen popped up. I was about half-way through typing my password when it suddenly occured to me, "Wait a second, why do I have to enter my account to view an auction."
Careful review showed me that opening the auction had triggered some embedded javascript that opened a frame within the e-bay window that covered the whole base page, but presented a spoof of the e-bay login screen. The title bar still read as a legitimate e-bay address, the screen was a perfect dupe of the e-bay login screen. In short, it looked totally legitimate.
Now, they didn't have to hack e-bay's servers, nor did they have direct access to anything on e-bay's site. All they had to do was embed some javascript into an otherwise "secure" site.
I think that's what this article is talking about.
Oh, and I was running firefox with a javascript blocker, but since I've allowed scripts on e-bay (you can't even view most of the auctions without it) it happily ran the phishing script without even a warning.
Life, the Universe, and Everything... in my image.
If you don't already know, use a credit card company that allows you to set up a virtual credit card number. The idea is that it is a number that is used only once. Therefore, if that number gets stolen, it is still useless, you've already used it once. (I could be wrong, but this is the general idea, a use once or low credit amount or an expiration date that ends in a month type of credit card number.)
Sorry, but as a Nintendo fan, I can only accept New-Gen Phishing.
It's obvious that the current security practices we use on the Net are totally inadequate for our society. Most people have adopted some of us geeks' toys, like networks, email and multimedia - even custom T-shirts. But few of the normals have adopted some of the tools we geeks learned we needed to play with our toys without getting hurt. Geek posers are killing themselves, and dragging down our geek paradise with them.
The best solution to all this phishing, spam and other harvesting naive "normals" is the trust web. Everyone has a private key for signing assertions, and a contact list with trust levels. Every message is signed (or default untrusted) by the sender and vouchers. When enough vouchers sign a message, it is trustworthy. The Web contains vouching centers, including diverse security analysts signing messages (including each others' assertions). People subscribe to many vouch sources, as well as "vouchmasters" which publish formulas for securing transactions. This way, anyone who says a transaction is unsafe, and is vouched by someone else, makes that transaction at least subject to review, or blocked, depending on the person's policy. Which depends on whom they trust.
That is the kind of system I'd expect banks and governments to deploy for the public. They are the ones we are paying, and relying on, for security. There's so much efficiency to gain from security compared to the losses from insecurity that I expect a very diverse, competitive market of vouchers to thrive. The underlying tech, like PGP/GPG signing and other trustweb tools, already exists. There are already relatively informal vouchers, like CERT, DHS, and lots of independents.
What's needed are standards for trust degrees, and simple UIs for using the trust web without learning many new skills. UIs simpler than antiphishing techniques will win. UAs like Firefox and Outlook merely coloring buttons red to blue for degrees of trust, keeping personal info stored locally for standard submission to standard requests graded by risk and identified by trustworthyness would go very far. Onetime passwords for every transaction to prevent replay attacks would go even further. And local databases with audit trails of every transaction would make it even easier to use once a transaction is doubted.
All those features hook an automated trust web into many existing security practices already used by most people in person. A really secure regime would include privacy laws prohibiting transfer of personal info outside the transaction expressly required by the requester and expressly permitted by the sender. Putting personal info under copyright in detail, and a US Constitutional Amendment in general, would really lock our existing judicial/police/security system into a consistent defense of people as well as corporations.
The time is now. Why doesn't Novell's Evolution at least require PGP/GPG by default? Why doesn't Firefox keep personal info stored encrypted for form submissions with a separate log? Why don't banks issue onetime password credit "cards" for Web use? We've already gone far enough down the path that it's obvious Microsoft, the US government, Chase Bank aren't going to move first. Let's see some of the UIs start to make it easy, and force the backend of the trust web to catch up. I'm doing it in my own software. What are you doing?
--
make install -not war
Quit being so negative. I like Slashdot's new PayPal monitoring service!
If a server is already compromised, it doesn't really matter if you log in or not. Your password is compromised regardless.
Ie, entering non standard code (often javascript) on a website to obtain credentials from other users?
He tried to kill me with a forklift!
Hilarious.
On-line banking isn't worth it. I know exactly how much money goes into my bank account each month, because I know how much I get paid each month, and how much I might have paid in through the hole-in-the-wall machine. No money gets into my account any other way except a negligible amount of interest. I know exactly how much money comes out of my bank each month, because I stand right there at the HITW and transfer it to my wallet every time I make a withdrawal, I know what cheques I have signed, and no money comes out any other way. If I was really bothered, I could subtract the second subtotal from the first and keep a running total; but as long as it's always smaller, that's all that matters to me. My bank send me a statement as soon as I have performed enough transactions to fill a page, and the HITW has a button to check my balance if I am desperate to know while out and about. I don't really need to know exactly how much money is in the bank until I am ready to draw some out; and then I will have to go to the HITW anyway to do that, so I might as well check my balance right then. On-line banking can't print pound notes, nor can it scan cheques and pay them into my account. And since deposits and withdrawals are the only two reasons why I would ever have to go to a bank anyway, what's the point?
Je fume. Tu fumes. Nous fûmes!
And client side code. The Web 2.0 and Security 2.0 where we have a generation of "web programmers" who have to learn all of the security lessons from scratch. Hmmm, I wonder when we'll see the first viruses.
Deleted
Phishing crews have been targeting web site vulnerabilities to deploy spoof sites for several years. In its year-end 2005 Phishing by the Numbers report, Netcraft noted that more than 600 phishing spoof sites were hosted on compromised forums and content management systems in 2005. In January hackers increased their targeting of PHP-based CMS and blogging apps, and were able to distribute the Windows WMF malware through a customer support forum on AMD's web site. There's nothing cutting edge at all about this.
RichM
Data Center Knowledge
That is my solution. Cookies off, Javascript off, Java off.
Even less Flash or other even shadier active media.
Web designers with huge egos have no business running their often crappy programs on my box.
BTW, that is whi I'll always post here as Anonymous Coward:
No cookies, honey.
Symantec is involved in this. My only questions were "What is Symantec trying to sell the public now?" and "How much hand-holding will I need to do to convince users that this is just more fear-mongering?".
I know Symantec is supposed to be a white-hat company, but as the guard at the door, they sure do spot a lot of invisible monsters.
Here will be an old abusing of God's patience and the king's English.
Hmm, I like the concept, and it might work in terms of security. ie - compramised boxes can infect other boxes, so if your box is compramised, you are responsible for making sure that your box does not infect others, and we know that you can be responsible to do this becuase that's what your 'internet license' says you are competent enough to do. It would be a good tool to hold people accountable for their actions online - defacing property, spreading virii, etc.
However, there seem to be several inherant problems with this. First, you loose the potential for anonymity, you are always being watched, and everything that you do gets recorded. 'Hey, remember that anti-government website that you visited last week? Well so do we.' Second, the 'internet license' itself would become a target of theft, so that the black hats can disguise themselves and avoid being held accountable. So, you're left with the wrong-doers still doing wrong and getting away with it, and those on the 'up and up' being watched.
It seems that people are simply going to need to take responsability for themselves and their own personal security, as well as demanding the banks and services they use are as secure as possible. Then track those trying to steal things the old fashioned way - following the IP around.
Disclaimer: I am in no way assuming that the parent poster wants to make every internet user 'licensed.' I simply wanted to work through the issues of the concept that was brought up.
The Phishers actually use a hacked webserver page which may even actually processes data using servers resources and the ordinary consumer education or alerting systems can't function right.
For example Yahoo webmail will alert you if you click http://127.0.0.1/updatecc.htm or everyone learned not to click such "numeric" addresses.
There are some phish mails I reported to Spamcop.net with "hacked server actually collects data!" in CAPS (hoping to get attention of admin) which were hosted on legit websites. I shouldn't provide example for obvious reasons but I can say there are 3-4 ones I reported so far.
Checking one of my reports from Spamcop history, one belongs to some scientific organisation of some little country (not USA). I don't think any security solution would have that site in their database as "hostile site".
So people are hacking into servers in order to steal people's information? Unheard of! Whatever next...
Slow news day Eds?
You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
Google is very excited about this new technology though and they are giving 77 million dollars per year to Mozilla for redirecting searches to their page. This means that, every time you search google, google makes money. And this way 5 mozilla developers will become millioners and keep promoting Web 2.0, Javascript CrackDOM, and other dynamic content technologies that backd00r your host and google will be sure to use ASAP, in order to lock out other web browsers.