Online Scammers Go Spear-Phishing 144
Ant wrote to mention an examination at C|NET looking into the increasingly more effective techniques employed by phishers. From the article: "More recently, however, a hybrid form of phishing, dubbed "spear-phishing," has emerged and raised alarms among the digital world's watchdogs. Spear-phishing is a distilled and potentially more potent version of phishing. That's because those behind the schemes bait their hooks for specific victims instead of casting a broad, ill-defined net across cyberspace hoping to catch throngs of unknown victims."
This is weird. (Score:5, Insightful)
But her friend's e-mail was actually gur-r@zahav.net.il. As Israeli investigators traced the origin of the bogus account they discovered that the person who had opened it lived in London and had charged the cost of the account to his American Express card.
Are we to believe that these super-phishers don't know how to spoof a From: header?
bullshit article (Score:5, Insightful)
Jackont took his computer to the Israeli police last fall and was told to reformat it. But his problems persisted. So the police examined his computer more closely and discovered that a malicious program known as a Trojan horse lay hidden deep inside and had hijacked the machine from a remote location.
So he reformatted his drive but the virus was still there? What?
I'm sorry, but does it really take much effort to get the facts right? EVERYONE seems to get it wrong: CNN, MSNBC, the NY Times, CNET. Somehow, the writers chosen to pump out articles like this either don't really understand technology or just pick subjects of which they don't really know anything.
Format the disk (Score:4, Insightful)
So either he did not format it, or after formatting it, he did not properly protect it and got infected again.
Poor (usually Microsoft Windows) users who also have to be administrators. The key problem is just that current OSes are not for people without CS knowledge to use. They need appliances which are protected, on which they can not install more software and which are protected by a mixed contract of anti-virus anti-spyware and system update vendors.
As long as users have to administrate their system, whatever system, these kind of problems will continu to exist.
Is this really phishing? (Score:3, Insightful)
Re:bullshit article (Score:3, Insightful)
The problem isn't Windows (Score:5, Insightful)
Case in point: http://www.schneier.com/cgi-bin/mt/mt-tb.cgi/474/ [schneier.com]
in which a bank manager was convinced to leave 5 million under the door to a bathroom stall in a bar in Paris.
Better habits.... (Score:4, Insightful)
See why whitelisting your contacts is important ? The problem is that people want to use they computer the way they use their washing machine. They think that just because they have "auto-update on" for Windows and Norton, then they're safe. Unfortunately, they're not. If they use emails irresponsibly, they will get spammed/phished/worse. There is no miracle cure, but good internet "security" habits can help a lot. No amount of software can replace good habits and experience.
However, I feel that this is a battle that is already lost. How can I convince strangers to pick up good habits if I can't even convince my sister and father? All they care about is having a functional computer to send their emails and type their .docs whenever they need to do so. Any downtime is unacceptable, yet they refuse to acknowledge the fact that any downtime is usually their fault. PCs have become the 'automobiles' of the 21st century:" I don't care how it works, as long as it gets me to where I want to be."
Bah, maybe I'm wrong. Maybe I have too much free time, others don't have the luxury to care about these things. Still I'm the one who ends up fixing the PC/ taking the car to the mechanic....
Spear-phishing (Score:3, Insightful)
Instead of telephoning some company and making believe ur their service provider to try and get the root password for some machine, one sends an email disguised as a legit email from a company with which a target company's employee has a commercial relation. Said email contains as payload an agent program which can be used to gather information/control the machine.
This is more powerfull than old style social engineering, both because you directly get an agent running on a machine inside the target company's network and because the list of potential targets is bigger than just "the person's that have passwords to the company's servers"
Re:Not news (Score:4, Insightful)
*Note:I did not say that open source OSs do not have any security advantages, they usually do. However, the parent decided to mention trojan horses which are the easiest of all malware to write and probably the hardest to protect against.
What utter crap (Score:3, Insightful)
I'm sorry for those of you IT types who have managers or "super users" who learned everything they know about computers from reading PC Ragazine or CNET. I'm sure you'll be getting worried calls and emails today. Just what you need on a Monday.
Re:bullshit article (Score:3, Insightful)
Re:bullshit article (Score:3, Insightful)
boot=/dev/ide/host0/bus0/target0/lun0/part2
Why don't I install it on my MBR? because when you install windows it wipes the MBR, creates a boot block on its partition and changes the active partion. So if I don't use the MBR all I have to do to get lilo back is to change my active partition back to partition 2, which is much less hassle then having to boot a rescue disk etc.
James
Re:Not news (Score:2, Insightful)
If somebody is bothered enough to be running GNU/Linux or a BSD variant, they probably are already smarter than to go running unknown programs without at least checking what they do. Of course, there are plenty of Windows users who know that already. But they aren't the ones you hear about.
Windows has made it possible for computer users to be ignorant and proud of it, and ignorant people have created all manner of problems for them and the rest of us. A computer is not a single-purpose appliance like a washing machine or a hoover. It is a highly general-purpose device; and that very generality of purpose is a double-edged sword which cuts both ways.
Re:Not news (Score:1, Insightful)
If you can see this, it means that the installation of the Apache web server [apache.org] software on this system was successful. You may now add content to this directory and replace this page.
Seeing this instead of the website you expected?This page is here because the site administrator has changed the configuration of this web server. Please contact the person responsible for maintaining this server with questions. The Apache Software Foundation, which wrote the web server software this site administrator is using, has nothing to do with maintaining this site and cannot help resolve configuration issues.
The Apache documentation [slashdot.org] has been included with this distribution.
You are free to use the image below on an Apache-powered web server. Thanks for using Apache!
Re:bullshit article (Score:5, Insightful)
How about we just drop all the silly cyber-words and start calling it what it is: Fraud.
Re:The problem isn't Windows (Score:3, Insightful)
http://www.timesonline.co.uk/article/0,,13509-181
Re:the path! Re:This is weird. (Score:5, Insightful)
And if I was phishing, there are ways to get completely valid headers. For example, I live in the US. From here it is a simple task to send you a valid e-mail from the Cayman Islands. I have an account in the Cayman Islands. Using the Webmail interface, I can send an e-mail from there. If I scam someone in England for example and got the password for one of their e-mail accounts, I could scam someone in England by using the ISP Webmail interface and send a perfectly valid e-mail from the US that originated in England. By signing up for an account in England, using a bogus credit card, I could use VOIP and dial into the ISP in England from England (local number) and send a scam that way. Think outside the box. A local call doesn't have to be local anymore.
Some Nigerian scammers are using Canadian, Australian, and UK VOIP phones so they don't look like Nigerian scammers until you are hooked and find out where to send the Western Union money. I'm in England and not a Nigerian scammer.
Re:bullshit article (Score:5, Insightful)
"All the silly cyber-words" are useful means of distinguishing nuances of meaning -- identifying specific methods of fraud, for instance. "Phishing" refers to a specific method of fraud, and as such adds precision and power to the language. The coining of the new term -- "spear phishing" -- makes it clear that this is a special type of the more general method of phishing, and even provides a pretty clear image to identify the particular type. Identifying this particular subtype also is the first step toward arming people against it -- which may require slightly different methods of self-defense than arming people against more general phishing, or mail fraud, or flimflam scams at the bank, or car-in-distress fraud, or white collar crime, or "blind" panhandlers who can see perfectly well, or any of the other myriad varieties of fraud that exist out there. Lumping them all together with a single word is sometimes useful, but "just dropping" all the language that draws useful distinctions between them is what is "silly".
Re:Not news (Score:5, Insightful)
This is a little harder to do. In windows all you have to do is convince the user to look at these pictures of my naked wife wife.gif.pif (the
In linux you have to convince the user to save the attachment, change it's attributes to include execute and explain why the file must be executed instead of viewed.
Convincing the user is much harder in Linux. Microsoft has blurred the line between executing a program and viewing a file. Linux still makes it harder to trick a user into running a program.
Re:Phishing or not? (Score:5, Insightful)
So did I. I knew it was a phishing call. I was polite and refused to give my paticulars and asked about the activity. I asked if I gave the last 4 digits if they could verify the address. They said no they needed the full number, exp date, name as it is on the card and the verification number. I then told them I do not have an American Express card. I then called American Express and gave them the phishing information.
If a bank is having their customer base phished, and you don't have an account, let the bank know anyway instead of ignoring it. You may protect your neighbors.
Re:Format the disk (Score:1, Insightful)
Re:Not news (Score:4, Insightful)
So, on Windows, as long as the average user is running your code, you can very easily have an FTP server running at boot which the user can't kill. It can run silently for a very long time, making available keylogs or whatever else.
On Linux/BSD/OS-X, the danger is slightly reduced. Sure, you can monitor a single user's access, and you can open up a port > 1024. You can certainly nuke the home directory, which would be horribly bad news for a lot of users. But, it is always possible to log in as another user and kill whatever it is. When you are running as another user, you will be fairly confident that you can at least see any problems that might present themselves. With windows, any app can make itself invisible to normal means of inspection (See Sony rootkit!).
There are some *nix fanboys who overstate the protections, certainly. But, "not much real extra security" is a hell of a lot better than "what in god's name were those chimp brained fucktards thinking?"