Tag: phishing

No free lunch from Gmail

Sophos is warning of a phishing email offering $500 from Google’s Gmail service.

Either phishers are getting desperate, or stupid, as this has got to be one of the lamest phishing exploits ever. But with Google releasing new products all the time, even the most ridiculous of attempts is bound to garner a buck or two. Of course, there will be a politician, someplace, who will blame Google for someone, someplace, getting scammed. With any luck, the idiot who gets taken will be a teen, and then Google can join MySpace in the legislative roundup.

Some banks claim their sites are phishing-proof

Some South African banks are claiming their sites are secure, despite the fact that folks continue to lose money through phishing exploits.

For those who just tuned in, phishing is a process whereby you get an email (in this case, from a financial institution), asking you to log into your account to clean up some administrative issue. You click the link in the email, and are immediately directed to a fake website that looks like your bank’s. As you enter your username and password, a thief is getting it instead of the bank’s systems, and the thief then uses it to log into the real bank site and empty your account.

Note that this is a single-step process, and requires no additional validation. The only bank I have seen of late that has figured this out is Bank of America. They require that you enter a valid account number and the state the account is located in. You are then redirected to another entry page, where you are presented with an image and a keyword (both preselected by you), at which time you enter your password and proceed. That is a multi-step process, and one that would be relatively hard to exploit via a phishing lure, unless you aren’t paying attention to the image and keyword. I might also suggest that Bank of America require its customers to change said image and keyword (or at least re-validate that data) every sixty days or so, to keep customers on their toes.

Nevertheless, this is the only bank I’ve seen doing this (and I’ve seen quite a few bank front ends). Kudos to B of A – to the rest, well, good luck with those claims.

PS: Spamroll was not paid to shill B of A, and Michael doesn’t own any Bank of America stock either.

***UPDATE***

It seems Ed Falk, whose comment below outlined the fact that even two-factor authentication was subject to man-in-the-middle attacks, was entirely on target (and quite timely in his comment as well). Phishers have thwarted the process using exactly that.

Note that the Citibank system used a physical token that generates additional passwords (which recycle every minute). I’m not fond of such devices, but given that the phishing site described can also return error messages, it could be used to catch additional server-side authentication measures as well. The site in question has already been shut down, something that likely happened as a result of someone monitoring those returned messages to Russia.

***UPDATE 2***

Discussion on this at Bruce Schneier’s blog.

Why Phishing Works

A report was just released by Harvard and Berkeley types entitled Why Phishing Works. I’d usually call a report out of academia isolated gibber, but this one highlights the real deal – internet users are naive, don’t pay attention to details, and are certain of their superior intellect.

Criminals are shrewd, creative, and hungry. And the ones that slock their warez online have electrical engineering degrees to boot.

No contest.

Another anti-phishing group starts

Microsoft announced they would be chasing phishers in a big way. Now we have a new group led by Symantec, and including RSA, eBay, Paypal, Google, and Wells Fargo.

Still no word from the Anti-Phishing Working Group.

Phishers know how to spend your tax refund

Tax season is winding up, and phishers are hot on the trail of those refunds. The scam poses as the IRS and then offers to help recipients of the lure track down their refunds.

The ploy is supposed to be representative of the increasing sophistication of online criminals. The thieves are supposed to be chasing the money nowadays – maybe they should be targeting employees of corporate treasury departments instead of individuals desperate for their tax refunds.

California AG’s phishing PR play

The word out of the California AG’s Office is to be wary of phishing emails, as your identity may be stolen as a result.

So, what should the everyday citizens of California do about the stolen laptops full of their data, the banks losing the stuff off the backs of UPS trucks, or the data brokers who willingly give it to scammers?

Don’t ask me.

To catch big fish, you need a big boat

And Microsoft has one of the biggest in the fleet. So they are chasing phishers in a big way, and promising a mother lode of legal action against perpetrators on three continents.

The company has a new initiative cranking into gear called the Global Phishing Enforcement Initiative, which they announced at a recent conference. Interesting, but not surprising – the Anti-Phishing Working Group is not mentioned.

So much for cooperation?

Phish trumping humans in evolutionary progress

That’s correct – phish are getting smarter! It used to be that if you clicked on a phishing email, you were pointed to a site that tried to grab a username, password or some other identifying piece of data. The purveyors of said email and site would then run to the real site, and use that data to hijack your account, or take your money. Unfortunately for them, there are plenty of eyes watching for phishing sites, so they get shut down quickly. How does a phisher make a living now?

Well, they set up a pack of identical phishing sites across the globe, and centrally redirect the browser to whatever phish page is still running. Smart, very smart.

I am not complimenting insidiousness here, but simply the ingenuity. Goes to show you that despite what some folks might say about criminals being stupid, it is not always so – highlighting what a huge problem phishing really is.
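For defenders, the setup described above means the central redirector is the thing to find: every lure depends on it, while the individual phish pages are replaceable. The following is an added example, not part of the original post, that groups click observations by entry host and flags hosts fanning out to several different landing hosts. The observation format, hostnames and threshold are all constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample data: (URL in the lure email, URL the browser ended on).
# All hostnames are made up and use the reserved .example TLD.
OBSERVATIONS = [
    ("http://hub.example/r?id=1", "http://mirror-a.example/login"),
    ("http://hub.example/r?id=2", "http://mirror-b.example/login"),
    ("http://hub.example/r?id=3", "http://mirror-c.example/login"),
    ("http://hub.example/r?id=4", "http://mirror-b.example/login"),
    ("http://lone.example/bank/login", "http://lone.example/bank/login"),
    ("http://short.example/x", "http://news.example/story"),
    ("http://short.example/y", "http://news.example/story2"),
]

def host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()

def find_redirectors(observations, min_landing_hosts=3):
    """Map entry host -> sorted landing hosts, for entry hosts that send
    visitors to at least min_landing_hosts distinct other hosts."""
    fanout = defaultdict(set)
    for clicked, landed in observations:
        entry, final = host(clicked), host(landed)
        if entry and final and entry != final:  # ignore pages that do not redirect
            fanout[entry].add(final)
    return {e: sorted(h) for e, h in fanout.items() if len(h) >= min_landing_hosts}

def takedown_priority(observations, min_landing_hosts=3):
    """List hosts to report: each redirector first, then the mirrors behind it."""
    hubs = find_redirectors(observations, min_landing_hosts)
    plan = []
    for hub in sorted(hubs, key=lambda h: (-len(hubs[h]), h)):
        plan.append(("redirector", hub))
        plan.extend(("mirror", m) for m in hubs[hub])
    return plan

if __name__ == "__main__":
    for role, name in takedown_priority(OBSERVATIONS):
        print(f"{role:10} {name}")
```

A host that always forwards to the same destination (short.example in the sample) stays below the threshold, so ordinary link shorteners pointing at a single site are not flagged.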

More lures being pulled from the phishing tacklebox

Sophos, through its participation in the Anti-Phishing Working Group, reported that phishing attacks are still rising in number, with more than half of businesses surveyed saying they received at least one phishing lure a day (and almost a quarter receiving 5X that number). Unique phishing attempts increased almost 73% between December ’04 and December ’05, according to anti-phishing central, so even if the stats are a little bit scare tactic, it is hard to argue with such a big jump.

Predicting existing threats – stating existing solutions

I think the latest “predictions” regarding online threats by the fine and fair Department of Homeland Security are just their way of saying “We’re paying attention, and some legislator has a bill in waiting to pump up his/her profile prior to elections.”

Tops on the list of “predictions”… spear phishing (already happening), and brokerage account break-ins (don’t worry here, the brokerages are already pretty good at losing the data themselves).

The safety recommendations include the ultra-creative “turn on your firewall,” “install and update anti-virus and anti-spyware,” and “perform regular operating system updates.”

The insight, the forethought!