Slashdot Mirror

← Back to Stories (view on slashdot.org)

Next Gen Phishing Improves on Simple Spam

Posted by ryuzaki0 on from the we-can-improve-the-ham-we-have-the-technology dept.

An anonymous reader writes "ZDNet has a writeup about the next generation of phishing. According to the article, as anti-spam engines improve and user education levels increase, phishers will find it easier to hack into web servers and deliver password stealing trojans using browser vulnerabilities or Web 2.0 technologies than spam. Tom Chan from Messagelabs is quoted: 'They are trying to compromise poorly protected Web sites — they basically go in and enter their own code into that Web server,' said Chan, who explained that victims of this new phishing era would not have to do anything wrong in order to get hooked. 'You have gone to a legitimate Web site, you have not made a mistake and done everything right, but then your information gets compromised... because [the phishers] have taken over servers that belong to other people.'"

2 of 112 comments (clear)

  1. Re:Inaccurate Term? by thewiz · · Score: 5, Funny

    I think the new term would be "phucking" as that is what happens to the company and the customer.

    --
    If "disco" means "I learn" in Latin, does "discothèque" mean "I learn technology"?
  2. What the article lacked...an example by jnaujok · · Score: 5, Informative

    For everyone screaming "If you hack the server..."

    I've already seen this "next generation phishing" method used. I was on e-bay looking for a piece of autographed memorabilia. I noticed one auction and clicked on it. The E-Bay login screen popped up. I was about half-way through typing my password when it suddenly occured to me, "Wait a second, why do I have to enter my account to view an auction."

    Careful review showed me that opening the auction had triggered some embedded javascript that opened a frame within the e-bay window that covered the whole base page, but presented a spoof of the e-bay login screen. The title bar still read as a legitimate e-bay address, the screen was a perfect dupe of the e-bay login screen. In short, it looked totally legitimate.

    Now, they didn't have to hack e-bay's servers, nor did they have direct access to anything on e-bay's site. All they had to do was embed some javascript into an otherwise "secure" site.

    I think that's what this article is talking about.

    Oh, and I was running firefox with a javascript blocker, but since I've allowed scripts on e-bay (you can't even view most of the auctions without it) it happily ran the phishing script without even a warning.

    --
    Life, the Universe, and Everything... in my image.