Next Gen Phishing Improves on Simple Spam

An anonymous reader writes "ZDNet has a writeup about the next generation of phishing. According to the article, as anti-spam engines improve and user education levels increase, phishers will find it easier to hack into web servers and deliver password stealing trojans using browser vulnerabilities or Web 2.0 technologies than spam. Tom Chan from Messagelabs is quoted: 'They are trying to compromise poorly protected Web sites — they basically go in and enter their own code into that Web server,' said Chan, who explained that victims of this new phishing era would not have to do anything wrong in order to get hooked. 'You have gone to a legitimate Web site, you have not made a mistake and done everything right, but then your information gets compromised... because [the phishers] have taken over servers that belong to other people.'"

Inaccurate Term?

[TripMaster+Monkey]

Not to be pedantic here, but if a person gains access to users' passwords by hacking the actual site, rather than sending out bogus emails and/or setting up counterfeit web pages, can this activity really be called 'phishing'?

From TFA:

You have gone to a legitimate Web site, you have not made a mistake and done everything right, but then your information gets compromised... because [the phishers] have taken over servers that belong to other people.

And from the 'phishing' entry in Wikipedia:

In computing, phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication.

This attack does not consist of masquerading as a trusted party...it consists of compromising said trusted party. Thus, this activity cannot accurately be referred to as 'phishing'.

Re:Inaccurate Term?

[Cocoronixx]

In the author's defense, If they called it black-hat hacking this would be a non-story. The addition of a 'Next-Gen' buzzword, as well as trying to somehow link Trojan writing with spam and phishing creates a much more exciting article.

In other news I have created a Next-Gen motorcycle that gets unlimited miles to the gallon, due to the addition of two levers that you operate with your feet that drive the rear wheel using a combination of chains and sprockets.

Need a new metaphor

[Moby+Cock]

It seems to me that the 'fishing' metaphor is no longer apt in this case. Cracking web servers and installing key logger trojans is plain old balck hat hacking.

Re:Even the well educated fall for it...

[Billosaur]

I wonder if that has more to do with lack of education regarding bank/web security or have phishers just gotten that much better?

Phishers have gotten better, but the bottom line is: the average on-line banking customer is still pretty clueless. They subscribe to the theory, "if it walks like a duck and quacks like a duck and looks like a duck, it's a duck," which on the Internet is akin to measuring the speed of a bus by being hit by it and seeing how much it hurts.

My maxim has been: if it's actually from my bank, then I should be able to take a copy of the email to my local branch or call the bank and ask if the information in it is correct, i.e. have they lost all my data? The answer in 99.9% of cases will be no; of course there are increasingly less rare occasions where the bank has lost your data or let it get out into the wild. In those cases, the bank isn't generally going to admit it until some plucky person figures it out and makes them own up to it.