Tag: phishing

Posted on
by

After my latest round of supposed anti-fraud notices claiming to be from banks with which I don’t have any accounts, it occurred to me that phishing, 419 scams, email spam, blog spam, etc. are all scattershot approaches. They seem so obvious to those of us who are used to seeing them. It seems unthinkable that someone would fall for a phishing attempt that identifies itself as someone else’s bank, or buy pharmaceuticals from someone who can’t spell d.Ruugz. But they’re not intended for us. We’re just collateral damage.

Direct marketing often makes at least an effort to aim, because paper and postage cost money. That’s why businesses and charities will mainly share/sell their mailing lists among similar organizations, and not some random list of people. In this way, direct marketing is like riflery: you want each shot to be as accurate as possible.

Email, however, is cheap, and most spammers are using someone else’s resources to send out the mail anyway. It’s long been pointed out that they don’t care if 99% of their messages get lost in the ether. They only need a fraction of their list to respond. It’s like using a machine gun: you don’t have to aim, just spray the general area and at least one bullet is likely to hit your target.

So phishers don’t have to match their pitches to each recipient’s bank. If they plaster the net with messages claiming to be from Chase, it doesn’t matter if most of their messages hit Wells Fargo customers. Statistically speaking, some of the recipients will have Chase accounts, and some of them will be fooled, and that’s all they need to collect their virtual loot.

And the rest of us? Bystanders caught in the drive-by.

Posted on
by

Last week I received a message offering a 30% discount on Norton Internet Security 2006. It claimed to be from Symantec, but the email address was at digitalriver.com, and all the links—including the ones that claimed to be at symantec.com—went to bluehornet.com.

Now 5 minutes of research turns up the facts that Symantec does work with Digital River and Digital River owns Blue Hornet. And it did go to the address I used to register Norton Antivirus last year. So it’s probably a legit offer.

But let’s think about this for a minute.

Assuming it’s legit, Symantec—a company that deals in internet security—is deliberately sending out offers via third-party domains, email and web servers. Depending on how security-conscious you are, they are either making their messages look suspicious or training users to ignore warning signs.

Or have you never seen spam offering enormous discounts on Norton products? Which generally turn out to be pirated. And I seem to recall—though I can’t find an article to back it up—that the bootleg copies are often infected themselves, or crippled in some way.

Given how many shady operators are out there, taking advantage of the big guys’ name recognition, you’d think the big guys would at least make some effort to make their own offerings look less, well, shady.

Posted on
by

I found a flood of crude phishing attempts in our postmaster account this morning.

How crude?

The hook was, “Simply reply to this email with your online login and password.”

No forms, no imitation websites, no swiped logos, no links of any sort at all. One of them even had multiple recipients visible on the To: line. It’s like a throwback to the early days of spam-n-scam.

The headers were full of things like %RNDDIGIT27, suggesting a broken spam generator, and of course there’s the fact that they actually targeted the postmaster account.

Posted on
by

Too bad it’s the bad guys.

As reported on DailyDave and picked up at SANS, Email Battles and elsewhere, there are phishers out there using a botnet (a network of infected “zombie” computers) not just to send emails, but to host the websites and the DNS for their scam.

Imagine what this technology could do for legitimate sites. It could potentially surpass Akamai’s system of worldwide mirrors. You could set up something like BitTorrent that would automatically mirror sites you’re looking at. Getting Slashdotted would actually improve a site’s response!

Posted on
by

Here’s an online security story to freak you out: Security firm Secunia has found a loophole [Edit: originally linked to Yahoo! News] in basic browser window handling that can let any site plug its code into a pop-up window generated by any other site. That’s not just ads, that includes pop-up help files, password dialogs, you name it.

They even have a demonstration: Start the code going on their site, open up Citibank, then click on a button on the Citibank site and it’ll open a page from Secunia.

And it works in every major browser, for the simple reason that it uses standard functionality that no one has questioned until now: The ability to open a page in a particular frame or window. All you need to know is the name of that window, and you’re set. As long as it hides the toolbars (SOP for pop-up windows of all stripes), the user will never notice. There is a workaround, at least for Firefox and Mozilla users, but it’s ugly: prevent sites from hiding the location bar.

Actually, the functionality has been questioned before: last July, when Secunia found a similar problem in frames. The solution for that was to prevent a page in one window (or tab) from accessing frames in another. But it’s a little more challenging to decide which pages should be allowed to update a top-level window.

In the short term, sites wanting to protect themselves from being hijacked can probably help by randomizing the names of their pop-up windows. In the long term, browsers are going to have to figure out how to separate windows that should have the ability to load new pages from windows that shouldn’t, knowing that they’ll undoubtedly end up breaking some websites in the process.

(via The War on Spam)