Online Scammers Go Spear-Phishing 144
Ant wrote to mention an examination at C|NET looking into the increasingly more effective techniques employed by phishers. From the article: "More recently, however, a hybrid form of phishing, dubbed "spear-phishing," has emerged and raised alarms among the digital world's watchdogs. Spear-phishing is a distilled and potentially more potent version of phishing. That's because those behind the schemes bait their hooks for specific victims instead of casting a broad, ill-defined net across cyberspace hoping to catch throngs of unknown victims."
Its the viruses you don't know about... (Score:2, Interesting)
...which you should worry about. Viruses which create havoc and draw attention to themselves should be less of a concern.
If software has been created for a specific attack, then standard virus scanners will never pick up its signature.
Not news (Score:2, Interesting)
The only surprise is it's taken this long for it to get noticed.
As long as people have had weaknesses, there have been other people out there seeking to exploit those weaknesses. That's just human nature; and if you fail to account for it, you might just as well have failed to account for gravity. The moment you put someone in front of a computer, they panic and lose all semblance of common sense. That also is human nature.
I believe Microsoft are complicit in all this, because it was Microsoft's deliberate design decision that the users of those computers did not have to give consent for a process to run as root. But whoever picked Microsoft must share some of the blame, since they basically decided that the integrity of their computer systems was less important than a pretty user interface.
the path! Re:This is weird. (Score:5, Interesting)
Some computer security specialists suggest at least one basic approach that might allow e-mail recipients to learn right away that a communique appearing to come from a company like Amazon.com actually originated somewhere in the Ukraine, Romania, Bulgaria, Poland, Russia or any of the other places that law enforcement officials say are hot spots for phishing scams. "It strikes me that this is just a failure of most e-mail systems to reveal the history of an e-mail," said Whitfield Diffie, a pioneer in computer cryptography who is the chief security officer of Sun Microsystems. "You could post a warning flag indicating that the 'from' address doesn't seem consistent with the path history."
I have yet too see an applcation that does (only) this. And "8 out of 10 collegues here (in the IT) don't have a clue what a "path" in a e-mail is.
Anyway the gist of the article was in the start that some phisher used a fake-emial address where the from was NOT faked, but contained a small alteration that does not show at first. Since no anti-spam/anti-phissher can protect against that ou leave the people who run the most up to date anti-spam will beleive the mail is trusted. Even the journalist has problems to explain that a technical solution is not the final solution.
by the way: you americans do not have to worry so much since you seem to care so much for privacy.
Re:bullshit article (Score:5, Interesting)
FTA, That isn't "spear phishing," and sure as hell doesn't warrant the coining of a new term. It might be considered normal "phishing," if only the author had a clue. Just because a "phish" is targeted at a particular group doesn't make it any more special than the everyday eBay "phish" spammed at random to ten million email addresses. This whole "spear phishing" thing is a contrived buzzword like "spim" (or "Cyber Monday [slashdot.org]"). Spam over IM is still spam, it doesn't need a new term. Phishing for particular targets is still phishing - I even hate that term, really - and doesn't need a new cyberbuzzword.
Free clue-by-four: the term "phishing" gained popularity on AOL some 6 or 8 years ago, and described the practice of attempting to solicit passwords from unsuspecting users. No matter how simplistic or elaborate the scheme, and regardless of whether normal users or employees were targeted in a blanket or with a direct ploy, it was always "phishing" (or ><> 'ing). Back then, the media hadn't yet caught on to the idea. Now that they've caught up, they want to call anything and everything "phishing."
From TFA, Are you kidding me? How does a "phishing scam" "infect" computers? "Phishing" is asking for information; it's impossible for a "phish" to infect anything.
I've really lost some respect for C|Net on this one.
Which makes me wonder... (Score:1, Interesting)
It seems to me it would help a lot.
Phishing or not? (Score:5, Interesting)
First thing they want is my birthday.
I hesitate, and they say they have to confirm who I am before they can talk to me.
(Federal privacy regs, HIPAA, and all that).
I refuse, because I don't know if they are who they say they are.
They immediately understand, and give me a tool-free number that I can call into.
After I hang up, I realize that their number doesn't help me, becuase *they* gave it to me.
It isn't the number on my health insurance card.
I can't find it on their web page.
I google for it and get no hits.
So I still don't know who they are.
So I don't call the number.
Phishing? Probably not.
It probably was my health insurance company.
But it's been a couple of weeks now, and they haven't called back.
In the past, when they've wanted to talk to me,
they've called every few days until they got hold of me.
So I don't really know...
Re:the path! Re:This is weird. (Score:4, Interesting)
The second one was sent from my ISPs smtp server and pretended to be from admin@gmail.com, I got a bright red :
"Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information."
The third pretended to from Bill Gates himself (billg@microsoft.com) and didn't raise any flag.
Re:Phishing or not? (Score:5, Interesting)
A couple of months ago I received a message on my home phone from American Express concerning "suspicious activity on my card." The message said really only that, and that I should call some toll-free number that wasn't printed on my card. There was no identifying information at all in the message, and to make matters stranger they were calling about a business card (they called me at home, not at work).
So I called the number. I get a person almost immediately and there is quite a bit of background noise on the line. They ask for my card number. When I didn't tell them and started asking questions (trying to determine if the person really did work for AmEx), the guy got insistent and asked for my social security number. I refused to answer and asked more questions, but never got a good answer.
I eventually hung up on the guy and then looked up AmEx's fraud prevention number in Google and called THAT. It turned out that someone really did hijack the card number from some vendor's database and there were 4-5 bogus purchases. We got the problem cleared up relatively quickly.
The problem, however, is that the AmEx representative did not come across in a professional manner and his conversation with me served only to make me more suspicious. With all the phishing going on, I'm extremely leery of simply providing personal information upon request.
Re:Is this really phishing? (Score:1, Interesting)
The phisher was the victim's ex-son-in-law. No dumpster-diving required. It's even conceivable the phisher had physical access to the victim's computer. At that point, all bets are off.