Slashdot Mirror


Next Gen Phishing Improves on Simple Spam

An anonymous reader writes "ZDNet has a writeup about the next generation of phishing. According to the article, as anti-spam engines improve and user education levels increase, phishers will find it easier to hack into web servers and deliver password stealing trojans using browser vulnerabilities or Web 2.0 technologies than spam. Tom Chan from Messagelabs is quoted: 'They are trying to compromise poorly protected Web sites — they basically go in and enter their own code into that Web server,' said Chan, who explained that victims of this new phishing era would not have to do anything wrong in order to get hooked. 'You have gone to a legitimate Web site, you have not made a mistake and done everything right, but then your information gets compromised... because [the phishers] have taken over servers that belong to other people.'"

10 of 112 comments

  1. Inaccurate Term? by TripMaster+Monkey · · Score: 4, Insightful

    Not to be pedantic here, but if a person gains access to users' passwords by hacking the actual site, rather than sending out bogus emails and/or setting up counterfeit web pages, can this activity really be called 'phishing'?

    From TFA:
    You have gone to a legitimate Web site, you have not made a mistake and done everything right, but then your information gets compromised... because [the phishers] have taken over servers that belong to other people.


    And from the 'phishing' entry in Wikipedia:
    In computing, phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication.


    This attack does not consist of masquerading as a trusted party...it consists of compromising said trusted party. Thus, this activity cannot accurately be referred to as 'phishing'.
    --
    ____

    ~ |rip/\/\aster /\/\onkey

    1. Re:Inaccurate Term? by Cocoronixx · · Score: 3, Insightful

      In the author's defense, if they called it black-hat hacking this would be a non-story. The addition of a 'Next-Gen' buzzword, as well as trying to somehow link Trojan writing with spam and phishing, creates a much more exciting article.

      In other news I have created a Next-Gen motorcycle that gets unlimited miles to the gallon, due to the addition of two levers that you operate with your feet that drive the rear wheel using a combination of chains and sprockets.

      --
      "Obscenity is the crutch of the inarticulate motherfucker." - cloak42
  2. Need a new metaphor by Moby+Cock · · Score: 4, Insightful

    It seems to me that the 'fishing' metaphor is no longer apt in this case. Cracking web servers and installing key logger trojans is plain old black hat hacking.

  3. Re:Next Gen? by legoburner · · Score: 2, Insightful

    Simple: if it does not sound buzzwordy enough, people won't talk about it much and it won't get much publicity. It is the next-gen of news stories.

  4. It's even worse in TFA. by khasim · · Score: 2, Insightful
    OK, so hacking into a 'trusted' Web site may not be all that easy. However, as people become more savvy about phishing scams and less people open unsolicited e-mails, fraudsters need to find alternative ways of stealing users' banking passwords.

    So you could break into a bank and steal a backup tape with usernames/passwords and that would be "phishing".

    Tom Chan, enterprise and client services manager for Messagelabs Asia Pacific, told me that because of more educated users and improved anti-spam engines, the success rate for traditional phishing scams is likely to fall soon. By hijacking trusted Web sites, phishers could lure many more victims.

    Has "phishing" become another meaningless buzzword for "security" "experts" to toss around?
  5. Re:Even the well educated fall for it... by Billosaur · · Score: 4, Insightful

    I wonder if that has more to do with lack of education regarding bank/web security or have phishers just gotten that much better?

    Phishers have gotten better, but the bottom line is: the average on-line banking customer is still pretty clueless. They subscribe to the theory, "if it walks like a duck and quacks like a duck and looks like a duck, it's a duck," which on the Internet is akin to measuring the speed of a bus by being hit by it and seeing how much it hurts.

    My maxim has been: if it's actually from my bank, then I should be able to take a copy of the email to my local branch or call the bank and ask if the information in it is correct, i.e. have they lost all my data? The answer in 99.9% of cases will be no; of course there are increasingly less rare occasions where the bank has lost your data or let it get out into the wild. In those cases, the bank isn't generally going to admit it until some plucky person figures it out and makes them own up to it.

    --
    GetOuttaMySpace - The Anti-Social Network
  6. Re:Interesting theory but.... by Anonymous Coward · · Score: 1, Insightful

    > This might be possible with a pencil or other simple device but with things as complicated as PC's or Motor Vehicles it will not. Ever.

    while your PC point might be correct, your pencil and motor vehicle analogies are bad. a pencil is just dead simple and, in fact, hides nothing from the user as to how it works (i'll let you argue mechanical pencils might). it also requires the user to perform all maintenance with regards to keeping the pencil in working condition.

    your car example is just as bad. but for the opposite reason. cars DO hide most everything complicated from the user. about the simplest possible interface to getting the car to go from one location to another is presented to the user and not much more. ignition, gas, brake, steering wheel and gas tank entry point are the interface to the car. how it actually works is well beyond the knowledge of most people. when something is wrong with their car a light will go on or a noise will be made signalling that the user should take it to someone who knows what to do. under normal circumstances the user will need 0 knowledge of the internal workings of the car. exactly the opposite of what you're claiming.

  7. Re:Even the well educated fall for it... by Intron · · Score: 2, Insightful

    As someone once pointed out: If you were walking down the street and you saw an ATM machine, put in your card and PIN, and it gave you an error like "Out of Service", would you suspect that it was a phish scam just put there to collect your information? Would you call up your bank and report it?

    Why should people on the internet be any smarter?

    --
    Intron: the portion of DNA which expresses nothing useful.
  8. Don't waste your time by ajs318 · · Score: 2, Insightful

    On-line banking isn't worth it. I know exactly how much money goes into my bank account each month, because I know how much I get paid each month, and how much I might have paid in through the hole-in-the-wall machine. No money gets into my account any other way except a negligible amount of interest. I know exactly how much money comes out of my bank each month, because I stand right there at the HITW and transfer it to my wallet every time I make a withdrawal, I know what cheques I have signed, and no money comes out any other way. If I was really bothered, I could subtract the second subtotal from the first and keep a running total; but as long as it's always smaller, that's all that matters to me. My bank send me a statement as soon as I have performed enough transactions to fill a page, and the HITW has a button to check my balance if I am desperate to know while out and about. I don't really need to know exactly how much money is in the bank until I am ready to draw some out; and then I will have to go to the HITW anyway to do that, so I might as well check my balance right then. On-line banking can't print pound notes, nor can it scan cheques and pay them into my account. And since deposits and withdrawals are the only two reasons why I would ever have to go to a bank anyway, what's the point?

    --
    Je fume. Tu fumes. Nous fûmes!
  9. Re:Even the well educated fall for it... by mgblst · · Score: 2, Insightful

    If the "ATM machine" (sic) was in the middle of nowhere, on a small side street, not attached to a building, then I would be concerned. I have no evidence of this, but I think most people would be, but that may be me thinking people are more intelligent than they are. If it was on the main street, attached to the bank or a supermarket, I would not be so concerned.

    How does this translate to the online world? Not so easily. It is easier to get tricked by things like mail headers and URLs.