Slashdot Mirror

← Back to Stories (view on slashdot.org)

Next Gen Phishing Improves on Simple Spam

Posted by ryuzaki0 on from the we-can-improve-the-ham-we-have-the-technology dept.

An anonymous reader writes "ZDNet has a writeup about the next generation of phishing. According to the article, as anti-spam engines improve and user education levels increase, phishers will find it easier to hack into web servers and deliver password stealing trojans using browser vulnerabilities or Web 2.0 technologies than spam. Tom Chan from Messagelabs is quoted: 'They are trying to compromise poorly protected Web sites — they basically go in and enter their own code into that Web server,' said Chan, who explained that victims of this new phishing era would not have to do anything wrong in order to get hooked. 'You have gone to a legitimate Web site, you have not made a mistake and done everything right, but then your information gets compromised... because [the phishers] have taken over servers that belong to other people.'"

3 of 112 comments (clear)

  1. Inaccurate Term? by TripMaster+Monkey · · Score: 4, Insightful

    Not to be pedantic here, but if a person gains access to users' passwords by hacking the actual site, rather than sending out bogus emails and/or setting up counterfeit web pages, can this activity really be called 'phishing'?

    From TFA:
    You have gone to a legitimate Web site, you have not made a mistake and done everything right, but then your information gets compromised... because [the phishers] have taken over servers that belong to other people.


    And from the 'phishing' entry in Wikipedia:
    In computing, phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication.


    This attack does not consist of masquerading as a trusted party...it consists of compromising said trusted party. Thus, this activity cannot accurately be referred to as 'phishing'.
    --
    ____

    ~ |rip/\/\aster /\/\onkey

  2. Need a new metaphor by Moby+Cock · · Score: 4, Insightful

    It seems to me that the 'fishing' metaphor is no longer apt in this case. Cracking web servers and installing key logger trojans is plain old balck hat hacking.

  3. Re:Even the well educated fall for it... by Billosaur · · Score: 4, Insightful

    I wonder if that has more to do with lack of education regarding bank/web security or have phishers just gotten that much better?

    Phishers have gotten better, but the bottom line is: the average on-line banking customer is still pretty clueless. They subscribe to the theory, "if it walks like a duck and quacks like a duck and looks like a duck, it's a duck," which on the Internet is akin to measuring the speed of a bus by being hit by it and seeing how much it hurts.

    My maxim has been: if it's actually from my bank, then I should be able to take a copy of the email to my local branch or call the bank and ask if the information in it is correct, i.e. have they lost all my data? The answer in 99.9% of cases will be no; of course there are increasingly less rare occasions where the bank has lost your data or let it get out into the wild. In those cases, the bank isn't generally going to admit it until some plucky person figures it out and makes them own up to it.

    --
    GetOuttaMySpace - The Anti-Social Network