
Online Scammers Go Spear-Phishing

Ant wrote to mention an examination at C|NET looking into the increasingly effective techniques employed by phishers. From the article: "More recently, however, a hybrid form of phishing, dubbed 'spear-phishing,' has emerged and raised alarms among the digital world's watchdogs. Spear-phishing is a distilled and potentially more potent version of phishing. That's because those behind the schemes bait their hooks for specific victims instead of casting a broad, ill-defined net across cyberspace hoping to catch throngs of unknown victims."
  • This is weird. (Score:5, Insightful)

    by meringuoid ( 568297 ) on Monday December 05, 2005 @07:38AM (#14183793)
    According to records of the Israeli investigation, Wieseltier told authorities that she received a Trojan-infested e-mail message bearing the address of gur_r@zahav.net.il, which she believed came from a friend.

    But her friend's e-mail was actually gur-r@zahav.net.il. As Israeli investigators traced the origin of the bogus account they discovered that the person who had opened it lived in London and had charged the cost of the account to his American Express card.

    Are we to believe that these super-phishers don't know how to spoof a From: header?

  • bullshit article (Score:5, Insightful)

    by eobanb ( 823187 ) on Monday December 05, 2005 @07:47AM (#14183811) Homepage
    I particularly love this part:

    Jackont took his computer to the Israeli police last fall and was told to reformat it. But his problems persisted. So the police examined his computer more closely and discovered that a malicious program known as a Trojan horse lay hidden deep inside and had hijacked the machine from a remote location.

    So he reformatted his drive but the virus was still there? What?

    I'm sorry, but does it really take much effort to get the facts right? EVERYONE seems to get it wrong: CNN, MSNBC, the NY Times, CNET. Somehow, the writers chosen to pump out articles like this either don't really understand technology or just pick subjects of which they don't really know anything.
  • Format the disk (Score:4, Insightful)

    by jurt1235 ( 834677 ) on Monday December 05, 2005 @07:48AM (#14183816) Homepage
    Jackont took his computer to the Israeli police last fall and was told to reformat it. But his problems persisted.

    So either he did not format it, or after formatting it, he did not properly protect it and got infected again.

    Poor (usually Microsoft Windows) users who also have to be administrators. The key problem is just that current OSes are not for people without CS knowledge to use. They need appliances which are protected, on which they can not install more software and which are protected by a mixed contract of anti-virus anti-spyware and system update vendors.
    As long as users have to administrate their system, whatever system, these kinds of problems will continue to exist.
  • by Zog The Undeniable ( 632031 ) on Monday December 05, 2005 @07:49AM (#14183820)
    Looks like good old-fashioned social engineering to me, probably kicking off with some even more old-fashioned dumpster-diving to get the names and addresses of the target's friends and acquaintances.
  • by Renraku ( 518261 ) on Monday December 05, 2005 @07:53AM (#14183834) Homepage
    It's entirely possible to reformat and still have a virus. What about MBR viruses and memory-resident ones?
  • by wk633 ( 442820 ) on Monday December 05, 2005 @08:03AM (#14183853)
    Phishing isn't a technology problem. If your computer has a virus, the bad guys can get your critical data without tricking it out of you. Phishing will always exist due to human nature.

    Case in point: http://www.schneier.com/cgi-bin/mt/mt-tb.cgi/474/ [schneier.com]

    in which a bank manager was convinced to leave 5 million under the door to a bathroom stall in a bar in Paris.
  • Better habits.... (Score:4, Insightful)

    by Chaffar ( 670874 ) on Monday December 05, 2005 @08:14AM (#14183891)
    Wieseltier told authorities that she received a Trojan-infested e-mail message bearing the address of gur_r@zahav.net.il, which she believed came from a friend.[...]But her friend's e-mail was actually gur-r@zahav.net

    See why whitelisting your contacts is important? The problem is that people want to use their computer the way they use their washing machine. They think that just because they have "auto-update on" for Windows and Norton, then they're safe. Unfortunately, they're not. If they use emails irresponsibly, they will get spammed/phished/worse. There is no miracle cure, but good internet "security" habits can help a lot. No amount of software can replace good habits and experience.

    However, I feel that this is a battle that is already lost. How can I convince strangers to pick up good habits if I can't even convince my sister and father? All they care about is having a functional computer to send their emails and type their .docs whenever they need to do so. Any downtime is unacceptable, yet they refuse to acknowledge the fact that any downtime is usually their fault. PCs have become the 'automobiles' of the 21st century: "I don't care how it works, as long as it gets me to where I want to be."

    Bah, maybe I'm wrong. Maybe I have too much free time, others don't have the luxury to care about these things. Still I'm the one who ends up fixing the PC/ taking the car to the mechanic....
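The contact-whitelisting check discussed in the comment above, as an added example that is not part of the original thread: it flags a sender whose address nearly matches a whitelisted contact, using the `gur_r` / `gur-r` pair quoted from the article. The function names, the separator set and the distance threshold are assumptions chosen for illustration.

```python
from email.utils import parseaddr

# Constructed whitelist; the single entry is the friend's real address quoted in the thread.
CONTACTS = {"gur-r@zahav.net.il"}

# Characters whose presence or swap is easy to overlook in a local part (assumed set).
SEPARATORS = str.maketrans("", "", "._-+")


def skeleton(addr):
    """Collapse an address so that separator swaps in the local part disappear."""
    local, _, domain = addr.lower().rpartition("@")
    return local.translate(SEPARATORS) + "@" + domain


def edit_distance(a, b):
    """Plain Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, contacts=CONTACTS, max_distance=1):
    """Return ('known' | 'lookalike' | 'unknown', matched contact or None)."""
    _, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return ("unknown", None)
    known = {c.lower() for c in contacts}
    if addr in known:
        return ("known", addr)
    for contact in sorted(known):
        # Near miss: same skeleton, or one typo away from a real contact.
        if skeleton(addr) == skeleton(contact) or edit_distance(addr, contact) <= max_distance:
            return ("lookalike", contact)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed From: headers for demonstration.
    for header in ("Gur <gur_r@zahav.net.il>", "gur-r@zahav.net.il", "news@example.org"):
        print(header, "->", classify_sender(header))
```

A "known" result only means the address string matches a contact; as another commenter in this thread points out, a From: header can be spoofed, so this check catches lookalike accounts and nothing more.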

  • Spear-phishing (Score:3, Insightful)

    by Aceticon ( 140883 ) on Monday December 05, 2005 @08:17AM (#14183906)
    Spear-phishing = social engineering via e-mail

    Instead of telephoning some company and making believe you're their service provider to try and get the root password for some machine, one sends an email disguised as a legit email from a company with which a target company's employee has a commercial relation. Said email contains as payload an agent program which can be used to gather information/control the machine.

    This is more powerful than old style social engineering, both because you directly get an agent running on a machine inside the target company's network and because the list of potential targets is bigger than just "the persons that have passwords to the company's servers"

  • Re:Not news (Score:4, Insightful)

    by antifoidulus ( 807088 ) on Monday December 05, 2005 @08:34AM (#14183963) Homepage Journal
    Hate to burst your bubble here, but it's incredibly EASY to create a trojan horse in Linux. All you have to do is convince the user to run the program, and if they do that, no matter what the OS, the program the user runs has all the same privileges as the user. Meaning if I want to covertly send all the user's files to an offsite location, I can because the user has read access to all those files. Sure I can't delete the whole hard drive, but seriously, what is the point in doing that? Even if you do delete the whole drive, outside of the home directories, who cares? Seriously, the kernel files are easily replaceable, the home directory files much less so.... In conclusion, that was a pointless, completely wrong post by an open source fanboy, i.e. something that is incredibly common here...

    *Note: I did not say that open source OSs do not have any security advantages, they usually do. However, the parent decided to mention trojan horses which are the easiest of all malware to write and probably the hardest to protect against.
  • What utter crap (Score:3, Insightful)

    by MikeyToo ( 527303 ) on Monday December 05, 2005 @08:35AM (#14183966)
    CNET takes a year-old story about a bitter divorce and revenge, adds some buzzwords, information about very common, almost "old school", spamming and phishing techniques and we're all supposed to run around yelling "The sky is falling!!". Someone must be way behind on their copy output and have the FUD generators turned up to 11.

    I'm sorry for those of you IT types who have managers or "super users" who learned everything they know about computers from reading PC Ragazine or CNET. I'm sure you'll be getting worried calls and emails today. Just what you need on a Monday.
  • by KiloByte ( 825081 ) on Monday December 05, 2005 @08:36AM (#14183969)
    Or, more likely, the person who did "reformat" it just reinstalled the OS without actually formatting anything. Most of the people who work in tech support don't know the difference.
  • by oolon ( 43347 ) on Monday December 05, 2005 @08:40AM (#14183979)
    No, it does NOT! It in fact installs it where the "boot" line in your lilo.conf tells it to. Yes, a lot of distros default to this behavior but they don't HAVE to. For example from my lilo.conf

    boot=/dev/ide/host0/bus0/target0/lun0/part2

    Why don't I install it on my MBR? Because when you install Windows it wipes the MBR, creates a boot block on its partition and changes the active partition. So if I don't use the MBR all I have to do to get lilo back is to change my active partition back to partition 2, which is much less hassle than having to boot a rescue disk etc.

    James
  • Re:Not news (Score:2, Insightful)

    by ajs318 ( 655362 ) <sd_resp2@earthsh ... .co.uk minus bsd> on Monday December 05, 2005 @09:08AM (#14184078)
    You're forgetting the rather obvious.

    If somebody is bothered enough to be running GNU/Linux or a BSD variant, they probably are already smarter than to go running unknown programs without at least checking what they do. Of course, there are plenty of Windows users who know that already. But they aren't the ones you hear about.

    Windows has made it possible for computer users to be ignorant and proud of it, and ignorant people have created all manner of problems for them and the rest of us. A computer is not a single-purpose appliance like a washing machine or a hoover. It is a highly general-purpose device; and that very generality of purpose is a double-edged sword which cuts both ways.
  • Re:Not news (Score:1, Insightful)

    by Anonymous Coward on Monday December 05, 2005 @09:12AM (#14184106)

    If you can see this, it means that the installation of the Apache web server [apache.org] software on this system was successful. You may now add content to this directory and replace this page.

    Seeing this instead of the website you expected?

    This page is here because the site administrator has changed the configuration of this web server. Please contact the person responsible for maintaining this server with questions. The Apache Software Foundation, which wrote the web server software this site administrator is using, has nothing to do with maintaining this site and cannot help resolve configuration issues.

    The Apache documentation [slashdot.org] has been included with this distribution.

    You are free to use the image below on an Apache-powered web server. Thanks for using Apache!

  • by Stiletto ( 12066 ) on Monday December 05, 2005 @09:23AM (#14184168)

    How about we just drop all the silly cyber-words and start calling it what it is: Fraud.
  • by Anonymous Coward on Monday December 05, 2005 @09:45AM (#14184282)
    The link about the bank fraud doesn't work. Here's the correct link:

    http://www.timesonline.co.uk/article/0,,13509-1814531,00.html [timesonline.co.uk]
  • by Technician ( 215283 ) on Monday December 05, 2005 @10:02AM (#14184370)
    I have yet to see an application that does (only) this. And "8 out of 10 colleagues here (in the IT) don't have a clue what a "path" in an e-mail is.

    And if I was phishing, there are ways to get completely valid headers. For example, I live in the US. From here it is a simple task to send you a valid e-mail from the Cayman Islands. I have an account in the Cayman Islands. Using the Webmail interface, I can send an e-mail from there. If I scam someone in England for example and got the password for one of their e-mail accounts, I could scam someone in England by using the ISP Webmail interface and send a perfectly valid e-mail from the US that originated in England. By signing up for an account in England, using a bogus credit card, I could use VOIP and dial into the ISP in England from England (local number) and send a scam that way. Think outside the box. A local call doesn't have to be local anymore.

    Some Nigerian scammers are using Canadian, Australian, and UK VOIP phones so they don't look like Nigerian scammers until you are hooked and find out where to send the Western Union money. I'm in England and not a Nigerian scammer.
  • by Woldry ( 928749 ) on Monday December 05, 2005 @10:04AM (#14184386) Journal
    Nah, let's get even less specific and just call it "crime." Or wait! How about maybe just "bad"? While we're at it, let's stop all this silly talk of Fords and Saturns and SUVs and just call 'em all "cars". And we can definitely do without all of the ridiculous kitchen words like "fry" and "roast" and "microwave" and "steam" and "simmer" and just call it what it is: Cooking.

    "All the silly cyber-words" are useful means of distinguishing nuances of meaning -- identifying specific methods of fraud, for instance. "Phishing" refers to a specific method of fraud, and as such adds precision and power to the language. The coining of the new term -- "spear phishing" -- makes it clear that this is a special type of the more general method of phishing, and even provides a pretty clear image to identify the particular type. Identifying this particular subtype also is the first step toward arming people against it -- which may require slightly different methods of self-defense than arming people against more general phishing, or mail fraud, or flimflam scams at the bank, or car-in-distress fraud, or white collar crime, or "blind" panhandlers who can see perfectly well, or any of the other myriad varieties of fraud that exist out there. Lumping them all together with a single word is sometimes useful, but "just dropping" all the language that draws useful distinctions between them is what is "silly".
  • Re:Not news (Score:5, Insightful)

    by Technician ( 215283 ) on Monday December 05, 2005 @10:12AM (#14184427)
    All you have to do is convince the user to run the program, and if they do that, no matter what the OS, the program the user runs has all the same privileges as the user.

    This is a little harder to do. In Windows all you have to do is convince the user to look at these pictures of my naked wife wife.gif.pif (the .pif does not show)

    In Linux you have to convince the user to save the attachment, change its attributes to include execute and explain why the file must be executed instead of viewed.

    Convincing the user is much harder in Linux. Microsoft has blurred the line between executing a program and viewing a file. Linux still makes it harder to trick a user into running a program.
  • by Technician ( 215283 ) on Monday December 05, 2005 @10:31AM (#14184556)
    A couple of months ago I received a message on my home phone from American Express concerning "suspicious activity on my card."

    So did I. I knew it was a phishing call. I was polite and refused to give my particulars and asked about the activity. I asked if I gave the last 4 digits if they could verify the address. They said no they needed the full number, exp date, name as it is on the card and the verification number. I then told them I do not have an American Express card. I then called American Express and gave them the phishing information.

    If a bank is having their customer base phished, and you don't have an account, let the bank know anyway instead of ignoring it. You may protect your neighbors.
  • Re:Format the disk (Score:1, Insightful)

    by Anonymous Coward on Monday December 05, 2005 @10:42AM (#14184642)
    But... but... but what if the spear-phishing email stored itself in the video memory, then it restored itself upon the reinstallation of the operating system!
  • Re:Not news (Score:4, Insightful)

    by forkazoo ( 138186 ) <wrosecrans@@@gmail...com> on Monday December 05, 2005 @04:40PM (#14187848) Homepage
    Certainly, it is quite easy to nuke a home directory, but that doesn't mean there aren't any benefits. The first that occurs to me is that a normal user can't install a service that runs at boot automatically. They also don't have permission to do things like open certain ports.

    So, on Windows, as long as the average user is running your code, you can very easily have an FTP server running at boot which the user can't kill. It can run silently for a very long time, making available keylogs or whatever else.

    On Linux/BSD/OS-X, the danger is slightly reduced. Sure, you can monitor a single user's access, and you can open up a port > 1024. You can certainly nuke the home directory, which would be horribly bad news for a lot of users. But, it is always possible to log in as another user and kill whatever it is. When you are running as another user, you will be fairly confident that you can at least see any problems that might present themselves. With Windows, any app can make itself invisible to normal means of inspection (See Sony rootkit!).

    There are some *nix fanboys who overstate the protections, certainly. But, "not much real extra security" is a hell of a lot better than "what in god's name were those chimp brained fucktards thinking?"
