Tag Archives: phishing

If You Teach a Man to be Phished…

Posted on April 20, 2011 by Kelson

I’ve dealt with a couple of companies that try to plug the general lack of security in email by using a “secure email” service. The way this works is:

  1. The company sends you an email with a link to a third-party or co-branded website, asking you to click on it in order to read important information about your financial/insurance/whatever account. (Or better yet, the third party site sends you the mail on the company’s behalf.)
  2. You click on the link and open the site in your web browser.
  3. You register for the site (which usually involves entering your name, choosing a password, and possibly entering other personal detail like a reminder question.)
  4. You log into the site and actually read the message.

Can you see what the problem is?

That’s right: Steps 1-3 are exactly what you see in a phishing attack. Only in a phishing attack, the third-party site is a fake that’s trying to collect account information (like your login and password) or personal information (like your SSN).

So while they may be solving the immediate problem of “someone might intercept this message,” they’re perpetuating a broader problem by training people to fall for phishing attacks.

Sadly, this is not new.

Posted in Annoyances, Computers/Internet | Tagged , | Leave a comment

Spammy to the Max (Plus Jetpack Launch!)

Posted on May 20, 2009 by Kelson
  • 83 copies of the same fake-Facebook spam sent to the same spamtrap address via botnet in one day seems a wee bit excessive. #
  • “rm spam” – if only it were that easy. #
  • Also: Mozilla Launches Jetpack! # (Couldn’t resist the headline.)

Posted in Mozilla, Spam | Tagged , , , | Leave a comment

Social Malware

Posted on December 8, 2008 by Kelson

Malware spreading “via” social networking sites? Sounds like it’s impersonating them phish-like. Worth a look, tho #

Posted in Computers/Internet | Tagged , , , , , | Leave a comment

EV SSL Buzzword Used for Phishing

Posted on September 22, 2008 by Kelson

One of the great ironies of phishing is that, these days, identity theft via the web tends to work by preying on people’s fear of identity theft. It doesn’t help that most people don’t really understand the technology. The typical phishing message looks something like this:

Dear so-and-so. In order for us to protect your account from identity theft, we need you to give us all the critical information that we already have. Otherwise, your account will be locked.

These typically use actual bank logos and link to a website that imitates the bank’s real site as closely as possible. The days of “Pease entr yore acccccount infomation hear KTHXBYE” are long gone.

But the one I saw in the spamtraps today was just astonishing in its brazen use of buzzwords to add authenticity:

Dear Wilmington Trust Banking Member,

Due to the high number of fraud attempts and phishing scams, it has been decided to implement EV SSL Certification on this Internet Banking website.

First we have the scare tactic (always ironic in a “there are treacherous people about” sense). Throwing in EV SSL certificates makes it seem a bit more authoritative, since it’s something a lot of companies have started doing, and people may have heard about it in the news.

The use of EV SSL certification works with high security Web browsers to clearly identify whether the site belongs to the company or is another site imitating that company’s site.

It has been introduced to protect our clients against phishing and other online fraudulent activities. Since most Internet related crimes rely on false identity, WTDirect went through a rigorous validation process that meets the Extended Validation guidelines.

And here they talk about EV certs and how much safer they’ll make your account!

Please Update your account to the new EV SSL certification by Clicking here.

And here’s where they demonstrate that they figure the typical mark doesn’t actually have a clue what EV SSL certificates are. Various real businesses have converted from standard SSL to Extended Validation SSL, and the users didn’t have to do a thing.

Now, you might need to upgrade your web browser or switch to one that will show you a green bar (Firefox 3, IE7, Opera 9, etc.), but you’d still be able to access your account even if you didn’t. Unless the site started blocking other browsers like PayPal briefly discussed back in April. Even then, there would still be nothing that would require you to log into your account and make a change.

Anyway, let’s continue:

Please enter your User ID and Password and then click Go.

This one’s presumably a simple phish, just obtaining login credentials to give the thief access to the account through the web.

(Failure to verify account details correctly will lead to account suspension)

And of course the implied threat: Do this or you won’t be able to get at your money. Again, a typical phishing tactic.

On a side note: My favorite spam topic of the last week is “Refinance your ARM today.”. Yeah, I know what ARM stands for, but I keep imagining Cyborg, or perhaps the Six Million-Dollar Man, trying to refi a loan that covers the gadgets in his arm.

Posted in Spam | Tagged , | Leave a comment

Flagging (Non)-Spoofed Mail

Posted on May 1, 2008 by Kelson

Following up on the PayPal anti-phishing discussion of a few weeks ago, I see that PayPal is promoting a service called Iconix. You install the program on your system, and it looks at your inbox for messages that claim to be from one of its customers. It tries to verify them “using industry-standard authentication technologies such as Sender ID and DomainKeys.” Messages that pass get a lock-and-checkbox icon attached to the sender’s name, and in some cases the name is replaced by the sender’s logo.

On the tech side, it’s similar to SpamAssassin’s whitelist_from_spf and whitelist_from_dkim features. Both allow you to specify a sender to whitelist, and it will only give a message special treatment if it can verify the sender.

On the user-interface side, it’s similar to EC certificates, in that it tries to highlight a “good” class of messages rather than flag or filter out a “bad” class.

It’s not a bad idea, actually, and now that I’m surprised I haven’t seen something similar in other email clients. It’s sort of like setting up custom rings or images for images on your cell phone address book

They seem to be focused on webmail and Outlook so far, and only on Windows, but it looks like the perfect candidate for a Thunderbird extension. They do have a sign-up form to notify you when they add support for various programs and OSes, and I was pleased to see not only Thunderbird and Mac OS listed, but Linux as well. Too often, Linux gets forgotten in the shuffle to ensure compatibility with every Windows variation.

Posted in Computers/Internet, Spam | Tagged , , , | Leave a comment

Nasty Ebay “About Me” Phish

Posted on February 27, 2007 by Kelson

Someone I know encountered a really sneaky eBay phish this weekend. It arrived through eBay’s official “Ask seller a question” system, and consisted of a simple request: Was his auction the same as the auction at the following About Me page?

The URL was a normal eBay URL of the form http://members.ebay.com/aboutme/_____. Pasting the link into another browser brought up the user’s About Me page… which consisted of a spoofed eBay login form that would submit the username and password to a page hosted at Yahoo.

So it not only came through eBay’s official messaging system, but the form appeared on eBay’s own website, meaning it bypasses many of the usual cues. It’s not a secured page, but use of SSL for login pages is still spotty enough that a user could easily miss that. And how many people have noticed that eBay only puts login forms on signin.ebay.com? You have a slightly better chance if you have a browser like Opera, which shows you the target* of a form when you hover over a button. If you think to look at it. Continue reading

Posted in Computers/Internet, Spam | Tagged , , | 7 Comments

Flash Fraud

Posted on January 2, 2007 by Kelson

Got an interesting phish today.

Subject: Error in your billing information
From: Keystone Savings Bank.

Hmm, Keystone, eh? ;-)

Posted in Comics, Spam | Tagged , , , | 3 Comments

Back to Basics: Phish by Phone

Posted on September 8, 2006 by Kelson

I just spotted a rather disturbing phishing message in (of all places) our abuse contact mailbox:

Subject: Fraud Prevention Measures

Dear customer!

Due to high fraud activity we constantly increasing security level both for online banking and card transactions. In order to update our records you are required to call MBNA Card Service number at 1-800-[removed] and update information on your MBNA card.

This is free of charge and would not affect any transactions with your card. Please note this is necessary to provide highest security level for all transactions with your card.

No HTML tricks. No links to fraudulent websites. Just a phone number.

I can only assume this is a response to high-profile inclusion of antiphishing features in Internet Explorer 7 and in Firefox 2. If there’s no website, there’s nothing for a web browser to check.

And of course by not using sneaky technical tricks in the message, it’s harder for tools like ClamAV, spam filters, or mail clients to detect.

Incidentally, does anyone else find it ironic that one of the most common phishing techniques is to exploit people’s fear of being phished?

Further reading: Anti-Phishing Working Group.

Posted in Spam | Tagged , , , , | Leave a comment

Thank you, Captain Obvious

Posted on May 19, 2006 by Kelson

OK, I appreciate that eBay has a dedicated email address for reporting phishing attempts. I appreciate that their abuse department is a lot busier than I am, and therefore has to rely heavily on form letters. And I appreciate that they’re making an effort to educate the public on how to spot phishing and avoid getting caught.

But when I forward them a message with the comment, “Here’s a sample of a blatant phish,” is it really necessary to reply with the full two-page notice explaining, “This is a spoof, we didn’t send it, here’s how to avoid it, blah blah blah” and the entire body of the original message, complete with the links to the phishing site?

I’d think in this case a simple, “Thanks for the report, we’ve notified the authorities” note would be sufficient, especially since the “how to spot a phish” stuff is already in the auto-response. All it takes is giving their abuse staff an extra choice for the form letter.

And under no circumstances should they be including the full, original text of the phish. At best, it’s asking for the response to get lost in a spam box or blocked outright. At worst, it’s a security risk waiting to happen (since this copy really did come from eBay). Somewhere in the middle is the risk of mucking up adaptive filters as they try to reconcile the original message, which was spam, with the new message, which isn’t.

Posted in Annoyances, Spam | Tagged , , , | Leave a comment

Spam is like machine gun fire

Posted on April 11, 2006 by Kelson

After my latest round of supposed anti-fraud notices claiming to be from banks with which I don’t have any accounts, it occurred to me that phishing, 419 scams, email spam, blog spam, etc. are all scattershot approaches. They seem so obvious to those of us who are used to seeing them. It seems unthinkable that someone would fall for a phishing attempt that identifies itself as someone else’s bank, or buy pharmaceuticals from someone who can’t spell d.Ruugz. But they’re not intended for us. We’re just collateral damage.

Direct marketing often makes at least an effort to aim, because paper and postage cost money. That’s why businesses and charities will mainly share/sell their mailing lists among similar organizations, and not some random list of people. In this way, direct marketing is like riflery: you want each shot to be as accurate as possible.

Email, however, is cheap, and most spammers are using someone else’s resources to send out the mail anyway. It’s long been pointed out that they don’t care if 99% of their messages get lost in the ether. They only need a fraction of their list to respond. It’s like using a machine gun: you don’t have to aim, just spray the general area and at least one bullet is likely to hit your target.

So phishers don’t have to match their pitches to each recipient’s bank. If they plaster the net with messages claiming to be from Chase, it doesn’t matter if most of their messages hit Wells Fargo customers. Statistically speaking, some of the recipients will have Chase accounts, and some of them will be fooled, and that’s all they need to collect their virtual loot.

And the rest of us? Bystanders caught in the drive-by.

Posted in Spam | Tagged , | 1 Comment