New Phishing Toolkit Uses Whitelisting To 'Bounce' Non-Victims

← Back to Stories (view on slashdot.org)

New Phishing Toolkit Uses Whitelisting To 'Bounce' Non-Victims

Posted by samzenpus on Wednesday January 16, 2013 @08:03PM from the on-to-the-next dept.

chicksdaddy writes "Researchers at RSA say that a new phishing toolkit allows attackers to put a velvet rope around scam web pages – bouncing all but the intended victims. The new toolkit, dubbed 'Bouncer,' was discovered in an analysis of attacks on financial institutions in South Africa, Australia and Malaysia in recent weeks. It allows attackers to generate a unique ID for each intended victim, then embed that in a URL that is sent to the victim. Outsiders attempting to access the phishing page are redirected to a '404 page not found' error message. Other phishing kits have used IP address blacklists to block anti malware companies from viewing their malicious pages, but this is the first known use of whitelisting, RSA said. The phishing attacks that RSA technicians discovered that used the Bouncer kit were designed to harvest login credentials from financial services firms. The whitelisting feature may well work, especially given the volume of potential phishing pages that security companies review each day. Getting a 404 message may be enough to get a forensic investigator or security researcher to move on to the next phishing site, rather than investigating."

71 comments

Min score:

Reason:

Sort:

How are they validating ID? by girlinatrainingbra · 2013-01-16 20:22 · Score: 1

It's a bit ambiguous and unsaid at the RSA blog page how exactly this spearfishing attack is "valdiating or checking ID"... They say: The bouncer phishing kit targets a preset email list for each campaign. A user ID value is generated for the targeted recipients, sending them a unique URL for access to the attack. Hereâ(TM)s the interesting part â" much like a night clubâ(TM)s bouncer list â" any outsider attempting to access the phishing page is redirected to a âoe404 page not foundâ error message. Unlike the usual IP-restricted entry that many older kits used, this is a trueâ"depending on how you look at itâ"black hat whitelist. When victims access the phishing link, their name has to be on the list and their âoeIDâ value is verified on-the-fly as soon as they attempt to browse to the URL. After a scan of the âoebouncer listâ, unintended visitors are stirred away from the phishing page; in fact, the page is not even generated for eyes it was not meant for.
.
So which is it? Aren't they using IP addy to verify the identity of the sucker? Or is their some other source (their unique URL that they post)?
.
If it's by unique URL with a referral code at the post, then security checks wouldn't see it. IF it's just the unique URL, anyone else testing that URL would see it too.
1. Re:How are they validating ID? by Neil+Boekend · 2013-01-16 20:56 · Score: 2
  
  Unlike the usual IP-restricted entry
  This doesn't use IP addresses to verify. Using IP addresses requires you to know the IP addresses of your intended victims, severely limiting the usefulness. This can send emails automatically and still filter out the incoming requests.
  
  --
  Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
2. Re: How are they validating ID? by DontLickJesus · 2013-01-16 22:01 · Score: 2
  
  Whether key or ip are used here is missing the kind of whitelisting this malware is using. When the package exploits a server, it alters pages/links to redirect each unique visitor to a dynamically generated temp folder on itself which contains the phishing code, and afterwards is deleted. The phishing code could obviously get more selective, and will contain a destination either via redirect or transmission, but returning to the same url gets you nowhere. Have the link/page exploited float around as well and you have a "dynamic" whitelist which filters favoring the browsing public, not link-minded researchers.
  
  --
  Where genius and insanity become confused true wisdom is found
3. Re:How are they validating ID? by garaged · 2013-01-16 22:13 · Score: 1
  
  If they knew who was not a target victim in the first place, why send them emails too? Sounds silly to me
  
  --
  I'm positive, don't belive me look at my karma
4. Re:How are they validating ID? by Abstrakt · 2013-01-16 22:46 · Score: 5, Interesting
  
  So which is it? Aren't they using IP addy to verify the identity of the sucker? Or is their some other source (their unique URL that they post)?
  We've started seeing some of these newfangled phishing emails over the last few days. The victim's email address is used as an identifier. It is simply appended to the URL by the mailer bot, so that the link sent to the victim will look something like this:
  hxxp://compromisedsite.ru/joe33/somebank/?victim@gmail.com
  That URL would lead to a script hosted on a compromised site, which looks up the email address in a whitelist before serving either a credential-collecting scam page or a bogus 404 error.
  But this is all very basic stuff, and it is not hindering forensic investigators in the least. The folks investigating such scams don't just stumble upon them by accident; they rely instead on vigilant users and admins who take the time to report phishing emails. Once they get a report they already have a whitelisted URL to begin with.
5. Re: How are they validating ID? by Anonymous Coward · 2013-01-17 00:41 · Score: 0
  
  I'm thinking that is needlessly complicated and risks losing the victim if they reload the page after the temp folder was deleted or click the link again later to finally deal with the bogus issue presented. The page I read was somewhat vague, but I can't imagine building out an actual custom folder on disk, with all the files needed, when dealing with target numbers potentially in the hundreds of millions. Sounds like a good way to blow up a filesystem to me. This is actually easier to pull off without all that anyway.
  Utilizing unique elements in email are nothing new. Your email client doesn't display images by default when they are web hosted (at least I hope it wont by default). It is easy to figure out if someone viewed the email you sent if it did. All one needs to do is create a Perl script that responds with a content type of image/jpeg, pulls inage data from disk, prints it, does a regex against REQUEST_URI to pull out the file name requested minus the path and ".jpg" and store that string. When sending emails to you recipients on your mail list (or when spamming if you are a scumbag) you craft a unique string that is the insert ID of the entry in the database that relates to the email address and the ".jpg" suffix. When they view the image it makes a request for a unique image on your webserver. Using mod_rewrite you call your script to deliver the response. It sends them the image data everyone gets, but you log the insert ID portion from the URI. You now know the recipient who viewed the email you sent.
  What I think they are suggesting is similar. Using a unique URI to make the link good for only one connection, or perhaps even a single system on that connection using cookies. This time they might do something like domain.com/myAccount/37592/index.html. Here the directory's .htaccess file in the directory "myAccount" rewrites to a script contained within any request made to that directory. That script then verifies the 37592 is a valid index key associated with a victim email address. Then the IP address of the request is logged to the row. A bit more trickery can test cookie capabilities and set the row in the DB to enforce the presence of a cookie. Now if someone from another IP hits the same link we can check the DB and bounce them. If cookies worked then they could even disable it for any other system attached to the connection, but that doesn't seem to be necessary to lock out the unwanted researchers. This is less whitelist and more "by invitation only" however.
  Hmmm... possible countermeasure would be a farm of IP addresses scattered across the world used to test click links as emails arrive on the server. This would void out the row long before it reached a human. Of course, that has ways to counter the countermeasure... and the endless game of cat and mouse goes on and on.
  Your take home here should be ALWAYS open your browser, google that shit and go to the actual bank/company/etc website. Log in and when they have no clue what you are on about go back to the email and take a good long look at that link. Perhaps you will see a bigint looking directory name in the URL! Finally smile as you forward that shit to Avast or someone who can get jiggy with it. Now take glee in the knowledge that you just helped ruin some scumbag's little scam.
6. Re:How are they validating ID? by History's+Coming+To · 2013-01-17 02:29 · Score: 3, Informative
  
  They don't, that the point.
  
  I use precisely this technique for presenting discount vouchers to people who have signed up to a restaurant mailing list, identical system but for white hat purposes:
  
  1 - send an email to the relevant contacts, including an embedded image at domain.com/voucher.php?id=xyz where "xyz" is a unique account ID.
  
  2 - when the recipient receives the email the voucher that is displayed has their name on it, the image is generated on-the-fly using the unique ID to get the name right.
  
  3 - (this is the important bit) - if anyone logs into domain.com/voucher.php without passing a correct ID then they simply see a voucher marked as invalid, and a link to where they can sign up. In my case it stops non-members getting a voucher, in the spammers case it stops a non-target (including investigators) from seeing the exploit being presented to a "customer", most likely someone from a list of known phishing mugs.
  
  --
  Please consider this account deleted, I just can't be bothered with the spam anymore.
7. Re:How are they validating ID? by Anonymous Coward · 2013-01-17 02:35 · Score: 0
  
  They don't send them emails too. The URL has an ID at the end (a query string). The targeted users get that URL. Other people who try to go to the page (perhaps because it was reported as malware) get a 404 and move on. So it doesn't get checked. If the person checking the page had the full URL with the query string intact, they would get to the same phishing page as the targeted user. This simply keeps the masses (and security researchers, AV types, and people evaluating pages for being "blocked" by browser security like Smart Screen) from seeing the phishing page. Again, if they have the full URL, they will see the page.
8. Re:How are they validating ID? by AvitarX · 2013-01-17 04:26 · Score: 1
  
  Unless they collect their links from emails tagged as phishing...
  
  --
  Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
9. Re: How are they validating ID? by mysidia · 2013-01-17 14:31 · Score: 1
  
  When the package exploits a server, it alters pages/links to redirect each unique visitor to a dynamically generated temp folder on itself which contains the phishing code, and afterwards is deleted.
  Fabulous... I just need to make my mail server, PING every URL in an e-mail before delivering the message, and if it's a phishing attempt, the user will get a 404 error instead of the phisher's intended page.
  Another possibility is to rewrite every URL in every e-mail (except ones in a whitelist), so clicking the link will connect to a local "proxy" / "redirector"; which will request the page first, and check a blacklist, before redirecting the user to the page. Thanks to the anti-investigative measures implemented by the phisher, the phishing attempt will now be foiled.
10. Re: How are they validating ID? by DontLickJesus · 2013-01-17 22:22 · Score: 1
  
  Interesting parts as well state infected servers can redirect to one another. Seeing this is partly a WordPress exploit, I wonder if an email link is even necessary. Visit 1 exploited in-net box and it might be able to get you where it needs.
  
  --
  Where genius and insanity become confused true wisdom is found
Need better security by rdebath · 2013-01-16 20:40 · Score: 2, Interesting

It looks like banks and gov departments can no longer be trusted as normal web sites. They have to be setup to be only available through SSL and must use client certificates for authentication with some way of verifing that the server certificate matches the client certificate.
Only then could the software (possibly a custom configuration of a web browser, maybe an normal one) actually be sure of defeating a phishing attack.
Of course the main reason it'd work is that with a client certificate there's no password to "phish" for.
Something tells me that the banks are too lazy to do this; every other web site will have to be SSL before they get on the bandwaggon.
1. Re:Need better security by Sepodati · 2013-01-16 20:49 · Score: 3, Interesting
  
  They need to do like European banks and issue keypads that generate one-time codes in conjuction with the card.
2. Re:Need better security by rdebath · 2013-01-16 21:03 · Score: 2
  
  As far as I can tell the OTP calculators are only issued for business accounts, normal "end user" accounts have minimal provisions. One example uses a user ID, a password (split into two entry fields) and the site displays a picture that you chose when you first activated the "web access" .
  This isn't that secure and because a lot of their site is HTTP there's a good chance that "sheep" attack will work too.
3. Re:Need better security by Anonymous Coward · 2013-01-16 21:11 · Score: 2, Interesting
  
  US banks are so uncaring about user's security. Even in third-world countries like Indonesia, all major banks have incorporated token/OTP (or at least SMS) for all personal/business accounts.
4. Re:Need better security by sevenisloud · 2013-01-16 21:18 · Score: 4, Informative
  
  As far as I can tell the OTP calculators are only issued for business accounts, normal "end user" accounts have minimal provisions.
  Here in the UK HSBC, Barclays and others issue OTP calculators to all their Internet banking customers.
5. Re:Need better security by Anonymous Coward · 2013-01-16 21:19 · Score: 0
  
  What banking website are you using that doesn't use SSL/TLS? I think what you're suggesting is that instead of websites using a simple username and password (something you know), they should move to having user certificates for each client (something you have). The problem with that is you still have a single factor authentication, which is no more secure. An attacker could just take the certificate from a victim's computer. All banks should move to a two-factor method and in fact many already do. Of course they use the standard username/password (know) and also use an RSA token (have) that generates a new 6 digit code every minute. A user certificate could be used as a substitute for the token, but they are more cumbersome and don't offer any additional benefit. The entire two factor mechanism is obviously not completely attack proof and gets to the underlying problem with computer security. The "something you have" at the lowest level is still something you both know, as it's obviously stored and transmitted as data and is not immutable or irreproducable.
6. Re:Need better security by Anonymous Coward · 2013-01-16 21:32 · Score: 0
  
  No banking website uses SSL/TLS after an SSL stripping attack.
7. Re:Need better security by martinlp · 2013-01-16 21:42 · Score: 1
  
  The point of the phishing site is to obtain a users credentials, OTP included. OTP's provide another means for authenticating the user to the bank, not the Website to the User.
8. Re:Need better security by neyla · 2013-01-16 22:09 · Score: 4, Interesting
  
  Not at all. BankID, the dominant form of bank-authenthication in Norway issues OTP-calculators to everyone, including average private people with a perfectly ordinary account.
  As an alternative, they have a solution where the SIM-card in your mobile-phone is used by an app to authenthicate you.
  In both cases the same thing is true: logging in to your bank requires knowledge of your passphrase -- but *also* physical possession of a object - so a phisher would need to get both somehow, in order to be able to impresonate you.
  It might not make phishing impossible, but it does make it a lot more difficult.
9. Re:Need better security by Anonymous Coward · 2013-01-16 22:19 · Score: 0
  
  Also RBS. I received mine several years ago without request. It *must* be used for setting up payment, or moving money, to another account.
  A good move in my opinion.
10. Re:Need better security by Schreckgestalt · 2013-01-16 22:24 · Score: 2
  
  Yes, same here in Switzerland at UBS. I have a SmartCard and a reader, and I have a PIN, and then there's some sort of challenge/response magic going on.
  There was an article in the newspaper recently, and they compared the various authentication-mechanisms used for Swiss bank accounts, unsurprisingly, the outcome was that UBS had the most secure as well as the most user-unfriendly authentication process.
  I guess online banking is where I'll always prefer security over ease-of-use.
11. Re:Need better security by heypete · 2013-01-16 22:41 · Score: 1
  
  Same thing with PostFinance in Switzerland.
  Not terribly user-unfriendly, IMHO.
12. Re:Need better security by mutube · 2013-01-16 22:49 · Score: 1
  
  I have bank accounts with the Co-op, Nationwide and RBS and 3 provide OTP calculators.
  
  --
  Python coder | PyQt Applications | Writer
13. Re:Need better security by Ubi_NL · 2013-01-16 23:02 · Score: 1
  
  All the dutch banks use SSL and OTP for consumer accounts.
  
  --
  
  If an experiment works, something has gone wrong.
14. Re:Need better security by Schreckgestalt · 2013-01-16 23:04 · Score: 1
  
  Not terribly user-unfriendly, IMHO.
  No, not terribly user-unfriendly, I agree... then again, you may not be the best example of an average user, having listed PGP and S/MIME keys on your website :)
15. Re:Need better security by semi-extrinsic · 2013-01-16 23:24 · Score: 2
  
  Going by the several replies with European (and even Asian) countries where OTPs are the norm for internet banking, it looks like you are wrong. Where I'm from (Norway), not only do I need an OTP for internet banking, but I also have to use it when I make a purchase from most Norwegian webshops. It's funny when Ebay is easier to phish than my local small-town computer part store's e-commerce solution.
  
  --
  for i in `facebook friends "=bday" 2>/dev/null | cut -d " " -f 3-`; do facebook wallpost $i "Happy birthday!"; done
16. Re:Need better security by Anonymous Coward · 2013-01-16 23:59 · Score: 0
  
  It doesn't even need to be a keypad. How about a smartphone app? It wouldn't even need a signal to generate the codes.
17. Re:Need better security by Anonymous Coward · 2013-01-17 00:15 · Score: 0
  
  Same here in Germany. All "end user" accounts have OTP calcs.
18. Re:Need better security by programmerar · 2013-01-17 00:22 · Score: 1
  
  As far as I can tell the OTP calculators are only issued for business accounts, normal "end user" accounts have minimal provisions.
  Most, if not all, banks in Sweden have keypads that generate one-time codes - for "normal" end-users, not just business users. This has ben the case for years. Some have different methods for logging in vs signing transactions. Some require an ATM/VISA/etc card with a chip on it.
  
  --
  Waiting for you by the bridge
19. Re:Need better security by Anonymous Coward · 2013-01-17 00:48 · Score: 0
  
  As far as I can tell the OTP calculators are only issued for business accounts, normal "end user" accounts have minimal provisions. One example uses a user ID, a password (split into two entry fields) and the site displays a picture that you chose when you first activated the "web access" .
  This isn't that secure and because a lot of their site is HTTP there's a good chance that "sheep" attack will work too.
  Here in Sweden, all the major banks issue OTP calculators to all their Internet banking customers.
20. Re:Need better security by Anonymous Coward · 2013-01-17 01:01 · Score: 0
  
  This way the bank can verify it's really you.
  But how would an OTP calculator help verifying that the website is really your bank?
21. Re:Need better security by sco08y · 2013-01-17 01:39 · Score: 1
  
  What banking website are you using that doesn't use SSL/TLS? I think what you're suggesting is that instead of websites using a simple username and password (something you know), they should move to having user certificates for each client (something you have). The problem with that is you still have a single factor authentication, which is no more secure.
  Bullshit. A good single factor is a lot more secure than a shitty single factor.
  With passwords, you're still transmitting the secret token, which is what makes phishing work in the first place. With a client cert, you explicitly do not send your secret key. The phisher can't use that to impersonate you.
22. Re:Need better security by History's+Coming+To · 2013-01-17 02:39 · Score: 1
  
  I've got a OTK generator as part of a very basic UK personal current account, they've been around for about a decade now, and are becoming more widespread. It's used instead of / as well as standard "enter characters 1, 5 and 9 of your memorable name" system.
  
  --
  Please consider this account deleted, I just can't be bothered with the spam anymore.
23. Re:Need better security by tepples · 2013-01-17 03:16 · Score: 1
  
  That's what highlighting the domain (the public suffix and the hostname element before it) is for. If the domain is the same as the domain printed on the back of your credit or debit card, and the organization name and address in the EV SSL certificate match those of the bank, then you're probably connecting to your bank.
24. Re:Need better security by heypete · 2013-01-17 03:16 · Score: 1
  
  No, not terribly user-unfriendly, I agree... then again, you may not be the best example of an average user, having listed PGP and S/MIME keys on your website :)
  Hah! Indeed. :)
  I wish they'd allow smartcard/token authentication instead of the calculator though, as that'd likely be a bit faster. Oh well.
25. Re:Need better security by Anonymous Coward · 2013-01-17 03:18 · Score: 0
  
  They need to do like European banks and issue keypads that generate one-time codes in conjuction with the card.
  This.
  It kind of bothers me that my World of Warcraft account has better security than my bank account.
26. Re:Need better security by Sepodati · 2013-01-17 03:45 · Score: 1
  
  And gaining a user's ONE TIME password/pin gains them what?
27. Re:Need better security by tlhIngan · 2013-01-17 04:14 · Score: 1
  
  US banks are so uncaring about user's security. Even in third-world countries like Indonesia, all major banks have incorporated token/OTP (or at least SMS) for all personal/business accounts.
  That's because it costs money. In North America, it's all about the money - it costs more to issue everyone a challenge-response token (not OTP) than to just pay up whatever fraud happens.
  And no, OTP keys are useless unless they're challenge response based. Because these same phish sites often do MITM attacks on the real account, popping up an OTP request and faking the responses as appropriate while they siphon money out of your account.
  A challenge-response one would require you to enter in two things: the amount to be transferred, and the challenge code, which get key-hashed (e.g., HMAC) to a response code. This protects you because a site doing a transfer would have to tell you how much it's transferring. And which can be used for OTP if the amount is set to zero (so the user who changes the password can be requested for the key as well). So if you're forced to "change your password" or "verify your identify" and you have ot enter in an amount, it's a red flag since the actions don't involve the transfer of money.
28. Re:Need better security by AvitarX · 2013-01-17 04:30 · Score: 1
  
  Would it be worth the expense?
  what's the average cost/account holder of breaches? Is it really more than the $15 or so / year my Scottish spends on keypads?
  
  --
  Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
29. Re:Need better security by jxander · 2013-01-17 04:59 · Score: 2
  
  If World of freaking Warcraft can issue OTP devices to their players, big banks should be more than capable of providing the same. Even if it's just a smart-phone app (far less secure than a physical device, but more secure than nothing)
  
  --
  This signature is false.
30. Re:Need better security by Anonymous Coward · 2013-01-17 05:22 · Score: 0
  
  There's something to be said for a pair of eyeballs watching traffic at just the right spot.
31. Re:Need better security by Sepodati · 2013-01-17 06:24 · Score: 1
  
  I have no idea. I'd imagine that it would be worth it overall, though.
  Quick Google search found card fraud costs $86M per year.
  Although...
  
  Among the top forms of card fraud are card not present, counterfeit cards and lost/stolen card fraud, but the biggest category of card fraud is "first-party" fraud, which is committed either by a thief or a legitimate cardholder who intentionally decides not to pay off a credit card balance, the report showed.
  One-time code devices and associated smart cards would likely significantly reduce the first three issues, it'd do nothing for the last.
  It's also more than just the one-time pin/code generation devices, too. Credit/Debit cards would have to be re-issued as smart cards and all payment machines would likely have to be upgraded read the cards and verify pins for purchases. That's the investment part the US banks aren't going to want to make.
32. Re:Need better security by Sepodati · 2013-01-17 06:30 · Score: 1
  
  This is what my bank does, actually. The challenge/response method after inserting your card into the reader and entering your PIN. Sometimes there are several challenges, based on what you're doing (multiple transactions). The response is then entered into the website to validate the payment/transfer. You can configure some recipients to not require challenge/response after you've done it the first time (utilities, cable, etc.).
  Sorry for using the wrong terms. THIS is the method that US banks should be using. You're right that they won't do it until fraud costs more, though.
33. Re:Need better security by Sepodati · 2013-01-17 06:35 · Score: 1
  
  The point of the keypads is that it verifies you're in posession of the card. You need the card, the reader and your PIN to generate the response code the website is looking for. When validating transactions, you need all of that plus a challenge code that the banking website provides.
  So it's more than those keychain dongles that have changing codes on them...
34. Re:Need better security by Jesus_666 · 2013-01-17 06:42 · Score: 1
  
  It depends on the bank but in Germany most banks have already phased out basic things like TAN lists (plain and indexed). Username/password are required to log onto the site but they aren't sufficient to conduct any transaction. At most you'll be able to determine someone's balance.
  
  For example, my bank allows two methods, ChipTAN and mTAN. These are fairly usual in Germany.
  
  ChipTAN uses the user's bank card and a card reader. The reader is synchronized with the bank so that when combined with the correct bank card and a challenge issued by the bank (either in the form of a picture of flickering squares or as a number to be entered via keypad; ChipTAN readers support both) generates a TAN that is only valid for one specific transaction. Additionally, the reader will display the receiving account number and the amount of money transferred before displaying the TAN, allowing the user to proof-read.
  ChipTAN readers are supposed to be able to be used with multiple bank accounts with multiple banks simultaneously but I haven't tried that yet. My bank sold me my reader for ten Euros.
  
  mTAN simply consists of the bank sending the user a text message containing the relevant data (recipient, amount, TAN) every time a transaction is attempted. The user can proofread the transaction data and enters the TAN as usual. Note that banks might charge you per text message in addition to what your carrier may charge (which is nothing in the case of Germany).
  
  The bottom line is that every semi-modern bank will securely inform you of the details of each transaction before you confirm the transaction with a TAN specific to that transaction's parameters. (There are holes in this relating to combined bank transfers but for single transfers it's fairly solid.) If your bank doesn't do that then your bank sucks at security.
  
  --
  USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
35. Re:Need better security by Sepodati · 2013-01-17 06:43 · Score: 1
  
  It wouldn't. But a challenge/response system where you must have the card, reader, PIN and one-time code to log in and then, again, the card, reader, PIN, challenge from the website and the appropriate response code to make the transfer, would make life very hard for the phisher. The "identify" and "sign" functions are different actions, so you'd have to fool the user into signing the transaction.
  Social engineering over the phone posing as bank representatives would probably be more effective than automating this.
36. Re:Need better security by AvitarX · 2013-01-17 06:57 · Score: 1
  
  According to the first paragraph in my link there's 26,000,000 mobile bank users in the US (I'm using this, the lowest possible valid number of account holders for this, as fewer people for same fraud means more fraud/person). I got this number by assuming 200,000,000 total account holders (108,000,000 x 2 approximated, as 108,000,000 was 46%, and currently 13% use mobile banking). If we take the US total fraud (approx .5 of 7.6 billion) and the 26 million numbers, we get about $136 per a mobile account holder, if we use the 200,000,000 number (total account holders) we get $17/account holder.
  At $136/account holder it's probably worth it, at $17 it's probably not (as you mentioned the largest fraud segment would not be prevented). I think the fact that US banks haven't implemented it on their own says a lot about the over-all cost to value ratio, keep in mind, that in the IS at least, the banks eat almost all of the fraud.
  note, this assumes 3.8 Billion in US bank fraud, if it was in the same ballpark of that 86 million number to be fixed I'd say no way.
  Links:
  http://www.ibtimes.com/mobile-banking-rise-46-us-bank-account-holders-use-service-2017-report-747697
  http://www.huffingtonpost.com/2011/10/04/credit-debit-card-fraud-more-common-banks-lose-ground-hackers_n_994690.html
  
  --
  Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
37. Re:Need better security by AvitarX · 2013-01-17 07:03 · Score: 1
  
  It'd be interesting to see:
  1) how much dollar savings/account holder was saved in europe and asia (couldn't deduce it at a glance), and what the actual cost of those pads are (my friend pays $15 (10 pounds) for one, and has lost it more than once. Also, the ability to not bank if she leaves her purse at a friends for a day or two is an additional annoyance).
  If fraud is costing the average account holder less than $20/year, I don't like the idea of giving the banks another way to charge fees...
  
  --
  Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
38. Re:Need better security by Sepodati · 2013-01-17 07:14 · Score: 1
  
  The keypads are a small part, though, as I mentioned. Every point of sale would have to get a new reader to validate smart-cards and the PIN. I get funny looks in Europe when I use my US cards that have to be swiped. How quaint...
  I've never bought anything online with my European cards, though, so I have no idea how that's implemented. I can't imagine every retailer is using a challenge/response system like the bank websites are... If it's just a matter of entering card information like we do in the US, then this whole system is useless for online fraud, no?
39. Re:Need better security by chrismcb · 2013-01-17 08:54 · Score: 1
  
  It looks like banks and gov departments can no longer be trusted as normal web sites.
  
  While this statement may be true, I don't understand how you arrive at that this conclusion from TFA. This is a classic phishing attempt, as in go to a random website that is NOT the bank or gov web site.
  It is the same as someone calling you up, claiming to be from the bank, and asking for account info. And then you saying the Bank's phone number can't be trusted.
40. Re:Need better security by chrismcb · 2013-01-17 08:56 · Score: 1
  
  Big banks can't even get password code written correctly. How many banks limit your password to alphanumerics, with no "special characters?"
Slightly redundant conclusion. by Spottywot · 2013-01-16 20:50 · Score: 2

Getting a 404 message may be enough to get a forensic investigator or security researcher to move on to the next phishing site, rather than investigating."
The past tense should have been used in that sentence. Any security researcher worth their salt will *not* now move onto the next site upon getting a 404.

--
In a cybernetic fit of rage she pissed off to another age...
1. Re:Slightly redundant conclusion. by Vintermann · 2013-01-16 21:39 · Score: 4, Insightful
  
  A good security researcher would hopefully just paste in the link with one of the unique IDs that it came with in the honeypots/reports. Not exactly an insurmountable obstacle, this.
  
  --
  xkcd is not in the sudoers file. This incident will be reported.
2. Re:Slightly redundant conclusion. by jkflying · 2013-01-17 00:43 · Score: 1
  
  What if it expires after the first time it is used?
  
  --
  Help I am stuck in a signature factory!
3. Re:Slightly redundant conclusion. by Anonymous Coward · 2013-01-17 03:07 · Score: 0
  
  This. If I were a spammer, and I were going to this sort of trouble, I'd make my server recognize the IP of the first hit from such a custom URL and store it somewhere. Then I'd further whitelist that IP. After a few days, I'd start checking out the IPs I'd collected, and add any that matched up with AV companies to a future superglobal blacklist, with the hopes of eventually being able to grab only and exactly the first civilian visitor to my poisoned link.
  Of course, if I were on an AV first response team, or something like it, I'd make damn sure I do all my testing from a private VPN, preferrably one that leads to a residential IP somewhere.
4. Re:Slightly redundant conclusion. by Jesus_666 · 2013-01-17 06:56 · Score: 1
  
  1. Determine someone's mail address.
  2. Associate an IP address (or ISP-specific range) with the mail address, for example by having malicious code in place in a website where the mail address is entered.
  3. Store the IP/mail address combo in a database and use it to verify that the person visiting is likely to be the person the mail was supposed to reach.
  4. ????
  5. Profit
  
  Sure, it's relatively much work but it's also relatively hard to get into.
  
  --
  USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
5. Re:Slightly redundant conclusion. by Mike+Van+Pelt · 2013-01-17 08:07 · Score: 1
  
  Problem -- This is something you would like to avoid doing in general, because you don't want to let the spammer know that the email was sent to a mailbox that is read. With these, you can't avoid it, alas.
  On the other hand, just the fact of obfuscation of this sort can be taken as evidence that the sender of the email has something to hide. Are there any non-phishy reasons for an email sender to do this? I can think of some plausible legitimate reasons that someone might think it was a good idea ... but these days, if you don't want your email blocked, you will find it necessary to avoid doing anything that might be interpreted as spammy-looking.
  (If you really have a legitimate need to discuss ED drugs in email... Oh, well, sucks to be you. Or use PGP.)
New? This is very old method. by Anonymous Coward · 2013-01-16 21:16 · Score: 1

I think I saw this 7 years ago...
pretty obvious thing to do!
1. Re:New? This is very old method. by sdnoob · 2013-01-16 22:09 · Score: 2
  
  email harvesters/spammers have been using unique strings in links to verify addresses a hell of a lot longer than 7 years.. probably longer than legitimate mass marketers have been doing it to get stats on each mailing campaign.
Does this really work though? by DrXym · 2013-01-16 21:46 · Score: 4, Interesting

I expect antivirus companies, just like government agencies have registered hundreds or thousands of email addresses all over the world on different service providers and domains with the express purpose of harvesting spam. Therefore they're likely to receive legitimate links to phishing sites or be able to identify ones which are protected by per-mark unique urls. And of course the likes of Google, Microsoft, Yahoo et al who run their own webmail services could roll as many spam traps as they liked and analyse spam going to users too.
So while it might afford some protection to the phishing site, it doesn't seem very likely that it would protect them from further scrutiny.
I think a bigger benefit for phishers is they can identify users who click on these links they can focus their attention on them rather than on users who don't. Somebody dumb enough to click on these links and fill in data is obviously a more valuable target than someone who never responds.
Personally I think the best way to combat phishers would be for major mail providers to work with banks and credit institutions to poison phishing sites with bogus data and flagged cards / accounts.
Certificates can be stolen by dutchwhizzman · 2013-01-16 22:03 · Score: 2

Certificates can be stolen by spyware. As others pointed out, you need a 2 factor authentication and proper prevention of MitM attacks on both network level (SSL/TLS) and on the user's machine. You need it on the user's machine as well to prevent malware modifying the web page, hiding a malicious transaction from view, but still submitting it to the bank. In Europe a lot of countries use the chip part of the debit card with an OTP generator to generate responses to challenges sent by the bank website. This is guarded against physical debt by requiring the PIN for every transaction as well. This still leaves protection against MitM malware on the computers. Banks are currently studying how to deal with that, since it's quite a threat, given the enormous amount of flash, acrobat and java zero-days hitting users in Europe. Every week we get new attacks and they are getting better and better at faking content and hiding the exploits.

--
I was promised a flying car. Where is my flying car?
How is this new? by oneiros27 · 2013-01-16 22:09 · Score: 2

I've seen ones years ago that were PHP scripts that had different behavior based on who was coming in. (one of the more clever ones actually took over the site's main index ... but if the visitor was from the same domain as the server, it returned a near-duplicate of the original content and not the drug ads)
The 404 aspect does give me an idea that I think could make things trickier, but I'll be damned if I'm going to give spammers any ideas for things that they're not already using. (although, I guess it's possible that what I'm thinking of is what they're actually doing, but no security person would call a whitelist ... some person who's not really familiar with the security lingo might, though)

--
Build it, and they will come^Hplain.
1. Re:How is this new? by Anonymous Coward · 2013-01-17 02:36 · Score: 0
  
  This shows that those spammers are not getting smarter. It would just be easier for them to redirect those that are not on the white list to a known site like cnn or to be funny fbi cyber security website.
2. Re:How is this new? by oneiros27 · 2013-01-17 05:59 · Score: 1
  
  No ... because that would be obvious to what they're doing ...
  The 404 makes someone think that it's already been cleaned up and already been dealt with.
  
  --
  Build it, and they will come^Hplain.
3. Re:How is this new? by Anonymous Coward · 2013-01-17 07:50 · Score: 0
  
  I deal with corporate spam, sometimes I check out links to see if the message is legit or not...if I get a 404, then it's going into the crap pile and Ill block any more that come in like it... they are actually making my job easier...
New? by mitchsa · 2013-01-17 00:19 · Score: 1

Using a querystring parameter to identify recipients of an email is not new or news worthy.
As long as you have enough rupiah by tepples · 2013-01-17 03:11 · Score: 1

Even in third-world countries like Indonesia, all major banks have incorporated token/OTP (or at least SMS) for all personal/business accounts.
But do you have cell carriers charging 0.20 USD (2000 rupiah) per received text message on entry-level plans?
Not Impressed by neorush · 2013-01-17 03:44 · Score: 1

Am I the only one not impressed by this?
Lets say url crafted is: http://www.example.com/some-spam-page.php?email=joe@example.com&id=f5b8fb60c6116331da07c65b96a8a1d1
<?php
$md5_check = md5($_GET['email'].'SomeSuperAwesomelyRandomSeedHere');
if($md5_check!=$_GET['id']){
header("Location: /404.php");
die();
}
// display phishing page
?>
Well that took me 30 seconds to come up with.

--
neorush