Online Scammers Go Spear-Phishing
Ant wrote to mention an examination at C|NET looking into the increasingly effective techniques employed by phishers. From the article: "More recently, however, a hybrid form of phishing, dubbed "spear-phishing," has emerged and raised alarms among the digital world's watchdogs. Spear-phishing is a distilled and potentially more potent version of phishing. That's because those behind the schemes bait their hooks for specific victims instead of casting a broad, ill-defined net across cyberspace hoping to catch throngs of unknown victims."
This is weird. (Score:5, Insightful)
But her friend's e-mail was actually gur-r@zahav.net.il. As Israeli investigators traced the origin of the bogus account they discovered that the person who had opened it lived in London and had charged the cost of the account to his American Express card.
Are we to believe that these super-phishers don't know how to spoof a From: header?
the path! Re:This is weird. (Score:5, Interesting)
Some computer security specialists suggest at least one basic approach that might allow e-mail recipients to learn right away that a communique appearing to come from a company like Amazon.com actually originated somewhere in the Ukraine, Romania, Bulgaria, Poland, Russia or any of the other places that law enforcement officials say are hot spots for phishing scams. "It strikes me that this is just a failure of most e-mail systems to reveal the history of an e-mail," said Whitfield Diffie, a pioneer in computer cryptography who is the chief security officer of Sun Microsystems. "You could post a warning flag indicating that the 'from' address doesn't seem consistent with the path history."
I have yet to see an application that does (only) this. And 8 out of 10 colleagues here (in IT) don't have a clue what a "path" in an e-mail is.
Anyway, the gist of the article was in the start: some phisher used a fake e-mail address where the From was NOT faked, but contained a small alteration that does not show at first. Since no anti-spam/anti-phisher can protect against that, you leave the people who run the most up-to-date anti-spam believing the mail is trusted. Even the journalist has problems explaining that a technical solution is not the final solution.
By the way: you Americans do not have to worry so much, since you seem to care so much for privacy.
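As an added illustration of both points in this post (not code from any commenter or from the article), here is a Python sketch of the two checks a mail client could make: whether the From: domain is consistent with the Received: path, and whether the From: address is a near-miss of one already in the user's address book. All hosts, addresses and IPs are constructed, and the registrable-domain split is a crude heuristic standing in for the Public Suffix List.

```python
"""Header sanity checks: From: domain vs. Received: path, From: address vs. address
book.  Hosts, IPs and addresses are constructed (RFC 2606 names, RFC 5737 ranges)."""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# "Received: from <helo-name> (<rdns-name> [<ip>]) by <relay> ..."; the rDNS
# part is optional because some relays only record a bracketed IP literal.
_RECEIVED_FROM = re.compile(r"\s*from\s+(\S+)(?:\s+\(([^\s\[\]()]+))?", re.I)


def registrable_domain(host: str) -> str:
    """Crude 'organisation' part of a hostname: last two labels, or three under
    ccTLD registries such as net.il.  Demo assumption; real code uses the PSL."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and len(labels[-2]) <= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def received_hops(msg) -> list:
    """Relay path oldest-first as (helo_name, rdns_name) pairs.  Every relay
    prepends its own Received: line, so the header order is newest-first."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = _RECEIVED_FROM.match(hdr)
        if m:
            hops.append((m.group(1).lower(), (m.group(2) or "").lower()))
    hops.reverse()
    return hops


def path_consistent(msg) -> bool:
    """True when the From: domain appears as a HELO or rDNS name on the path.
    False is a warning, not proof: mailing lists and bulk senders fail it too."""
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return False
    from_dom = registrable_domain(addr.rsplit("@", 1)[1])
    for helo, rdns in received_hops(msg):
        for name in (helo, rdns):
            if name and not name.startswith("[") and registrable_domain(name) == from_dom:
                return True
    return False


def lookalike_of_known(addr: str, known, threshold: float = 0.9):
    """Address-book entry that `addr` most resembles when `addr` is not itself
    in the book; 0.9 is a tuning choice that catches one-character edits."""
    addr = addr.lower()
    if not known or addr in known:
        return None
    best = max(known, key=lambda k: SequenceMatcher(None, addr, k).ratio())
    return best if SequenceMatcher(None, addr, best).ratio() >= threshold else None


def check_message(raw: str, known) -> list:
    """Run both checks over a raw RFC 822 message and return warning tags."""
    msg = message_from_string(raw)
    warnings = []
    if not path_consistent(msg):
        warnings.append("from-domain-not-in-path")
    imitated = lookalike_of_known(parseaddr(msg.get("From", ""))[1], known)
    if imitated:
        warnings.append(f"lookalike-of:{imitated}")
    return warnings


# Constructed address book and two constructed messages (headers only).
KNOWN = {"a.friend@contacts.example", "helpdesk@payments.example"}

LEGIT = """\
Received: from smtp.contacts.example (smtp.contacts.example [192.0.2.25])
\tby mx.victim.example (Postfix) with ESMTP id 5E6F7A; Mon, 5 Dec 2005 10:00:00 +0000
From: "A. Friend" <a.friend@contacts.example>
"""

# Claims to be the friend (one letter changed), but the origin hop is a webmail
# host at an unrelated provider, relayed onward by that sender's ISP.
SUSPECT = """\
Received: from mail.isp.example (mail.isp.example [198.51.100.7])
\tby mx.victim.example (Postfix) with ESMTP id 2B3C4D; Mon, 5 Dec 2005 09:12:01 +0000
Received: from webmail.hosting.example ([203.0.113.9])
\tby mail.isp.example with ESMTP id 9F8E7D; Mon, 5 Dec 2005 09:11:58 +0000
From: "A. Friend" <a.frlend@contacts.example>
"""

if __name__ == "__main__":
    print("legit:", check_message(LEGIT, KNOWN), "suspect:", check_message(SUSPECT, KNOWN))
```

Both results are warnings to show the user, as the comment suggests, not grounds to drop the mail: forwarding services and third-party bulk senders fail the path test for legitimate reasons.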
Re:the path! Re:This is weird. (Score:2)
Re:the path! Re:This is weird. (Score:4, Interesting)
The second one was sent from my ISP's SMTP server and pretended to be from admin@gmail.com. I got a bright red:
"Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information."
The third pretended to be from Bill Gates himself (billg@microsoft.com) and didn't raise any flag.
Re:the path! Re:This is weird. (Score:2)
Re:the path! Re:This is weird. (Score:2)
Re:the path! Re:This is weird. (Score:5, Insightful)
And if I were phishing, there are ways to get completely valid headers. For example, I live in the US. From here it is a simple task to send you a valid e-mail from the Cayman Islands. I have an account in the Cayman Islands. Using the webmail interface, I can send an e-mail from there. If I were scamming someone in England, for example, and got the password for one of their e-mail accounts, I could scam someone in England by using the ISP webmail interface and send a perfectly valid e-mail from the US that originated in England. By signing up for an account in England, using a bogus credit card, I could use VOIP and dial into the ISP in England from England (local number) and send a scam that way. Think outside the box. A local call doesn't have to be local anymore.
Some Nigerian scammers are using Canadian, Australian, and UK VOIP phones so they don't look like Nigerian scammers until you are hooked and find out where to send the Western Union money. I'm in England and not a Nigerian scammer.
Re:the path! Re:This is weird. (Score:2)
Information Regarding Your account:
Dear PayPal Member!
Attention! Your PayPal account has been violated!
Someone
Re:the path! Re:This is weird. (Score:2, Informative)
MOD parent up (Score:2)
Re:the path! Re:This is weird. (Score:2)
It's the viruses you don't know about... (Score:2, Interesting)
...which you should worry about. Viruses which create havoc and draw attention to themselves should be less of a concern.
If software has been created for a specific attack, then standard virus scanners will never pick up its signature.
Re:It's the viruses you don't know about... (Score:1, Funny)
bullshit article (Score:5, Insightful)
Jackont took his computer to the Israeli police last fall and was told to reformat it. But his problems persisted. So the police examined his computer more closely and discovered that a malicious program known as a Trojan horse lay hidden deep inside and had hijacked the machine from a remote location.
So he reformatted his drive but the virus was still there? What?
I'm sorry, but does it really take much effort to get the facts right? EVERYONE seems to get it wrong: CNN, MSNBC, the NY Times, CNET. Somehow, the writers chosen to pump out articles like this either don't really understand technology or just pick subjects of which they don't really know anything.
Re:bullshit article (Score:3, Insightful)
WTF? (Score:1, Informative)
Memory resident ones? If he reformatted then he reinstalled the OS and if he reinstalled he rebooted and if he rebooted.... you figure it out.
GP is correct, the story makes no sense.
Re:bullshit article (Score:1)
Re:bullshit article (Score:3, Insightful)
Re:bullshit article (Score:5, Informative)
Re:bullshit article (Score:1)
GUI installers still do all this behind the scenes, they just hide it from you. I am guessing Windows must do something similar with its own bootstrap loader.
Re:bullshit article (Score:3, Insightful)
boot=/dev/ide/host0/bus0/target0/lun0/part2
Why don't I install it on my MBR? Because when you install Windows it wipes the MBR, creates a boot block on its partition and changes the active partition. So if I don't use the MBR, all I have to do to get lilo back is to change my active partition back to partition 2, which is muc
Re:bullshit article (Score:2)
Re:bullshit article (Score:5, Interesting)
FTA: That isn't "spear phishing," and sure as hell doesn't warrant the coining of a new term. It might be considered normal "phishing," if only the author had a clue. Just because a "phish" is targeted at a particular group doesn't make it any more special than the everyday eBay "phish" spammed at random to ten million email addresses. This whole "spear phishing" thing is a contrived buzzword like "spim" (or "Cyber Monday [slashdot.org]"). Spam over IM is still spam; it doesn't need a new term. Phishing for particular targets is still phishing - I even hate that term, really - and doesn't need a new cyberbuzzword.
Free clue-by-four: the term "phishing" gained popularity on AOL some 6 or 8 years ago, and described the practice of attempting to solicit passwords from unsuspecting users. No matter how simplistic or elaborate the scheme, and regardless of whether normal users or employees were targeted in a blanket or with a direct ploy, it was always "phishing" (or ><> 'ing). Back then, the media hadn't yet caught on to the idea. Now that they've caught up, they want to call anything and everything "phishing."
From TFA: Are you kidding me? How does a "phishing scam" "infect" computers? "Phishing" is asking for information; it's impossible for a "phish" to infect anything.
I've really lost some respect for C|Net on this one.
Re:bullshit article (Score:5, Insightful)
How about we just drop all the silly cyber-words and start calling it what it is: Fraud.
Re:bullshit article (Score:2)
Re:bullshit article (Score:5, Insightful)
"All the silly cyber-words" are useful means of distinguishing nuances of meaning -- identifying specific methods of fraud, for instance. "Phishing" refers to a specific method of fraud, and as such adds precision and power to the language. The coining of the new term -- "spear phishing" -- makes it clear that this is a special type of the more general method of phishing, and even provides a pretty clear image to identify the particular type. Identifying this particular subtype also is the first step toward arming people against it -- which may require slightly different methods of self-defense than arming people against more general phishing, or mail fraud, or flimflam scams at the bank, or car-in-distress fraud, or white collar crime, or "blind" panhandlers who can see perfectly well, or any of the other myriad varieties of fraud that exist out there. Lumping them all together with a single word is sometimes useful, but "just dropping" all the language that draws useful distinctions between them is what is "silly".
Re:bullshit article (Score:3, Funny)
Re:bullshit article (Score:2)
Re:bullshit article (Score:2)
Your analogy doesn't hold up. The difference is not in what kind of equipment was used to commit the crime; if that were the case, we'd hear about "Delling" vs. "HPing". Also, if protecting oneself against a Ford required different measures than protecting oneself against a Chevy, then yes, by all means, those terms should be used. But defenses against the online scams and other forms of fraud, unlike getting run over by a car, do all require different tactics
Re:bullshit article (Score:2, Funny)
Re:bullshit article (Score:2)
Re:bullshit article (Score:2)
Riiiight.
Now when I read articles with new fake words I just laugh and make sure not to use it.
Not CNET. (Score:2)
Re:bullshit article (Score:2)
Personally I thought it was rather sophisticated and could see how many people could fall for it. Particularly the reposting with payload: people who only check their email once a day or less could very easily fall victim to
Second Hard Drive (Score:2)
Re:bullshit article (Score:2)
Of course, the writer was probably not technically knowledgeable enough to pick up on this little omission or its significance.
Re:bullshit article (Score:2)
Infection surviving a drive "format" can be done (Score:2)
1) He was told to; this does not mean he did it.
2) He may not have done a proper full (MBR) reformat.
3) He may have backed up the infection vector with his "important" files, on other infected media.
4) If the infection vector was via email, he might have redownloaded and reopened the message from a POP/IMAP server that retained a copy.
It is also theoretically possible to make something that will survive anything short of degaussing or
Format the disk (Score:4, Insightful)
So either he did not format it, or after formatting it, he did not properly protect it and got infected again.
Poor (usually Microsoft Windows) users who also have to be administrators. The key problem is just that current OSes are not for people without CS knowledge to use. They need appliances which are protected, on which they cannot install more software, and which are protected by a mixed contract of anti-virus, anti-spyware and system update vendors.
As long as users have to administrate their system, whatever system, these kinds of problems will continue to exist.
Re:Format the disk (Score:2)
Another possible scenario: After he had formatted the disk, he restored a backup which already contained the infection.
Re:Format the disk (Score:2)
Re:Format the disk (Score:2)
FTA: the Trojan horses that penetrated their computers came packaged inside a compact disc or an e-mail message that appeared to be from an institution or a person that the victims thought they knew very well.
Let's say that you have a computer at your company that has a certain program on it, and a scammer knows that. With some research, and some effort, they could send you an "update" CD in the mai
Re:Format the disk (Score:2)
Not news (Score:2, Interesting)
The only surprise is it's taken this long for it to get noticed.
As long as people have had weaknesses, there have been other people out there seeking to exploit those weaknesses. That's just human nature; and if you fail to account for it, you might just as well
Re:Not news (Score:2)
Or a TeX user.
Re:Not news (Score:1)
Re:Not news (Score:4, Insightful)
*Note: I did not say that open source OSs do not have any security advantages; they usually do. However, the parent decided to mention trojan horses, which are the easiest of all malware to write and probably the hardest to protect against.
Re:Not news (Score:2, Insightful)
If somebody is bothered enough to be running GNU/Linux or a BSD variant, they probably are already smarter than to go running unknown programs without at least checking what they do. Of course, there are plenty of Windows users who know that already. But they aren't the ones you hear about.
Windows has made it possible for computer users to be ignorant and proud of it, and ignorant people have created all manner of problems for them and the rest of us. A computer i
Re:Not news (Score:2)
As opposed to a double-edged sword that cuts only one way?
Re:Not news (Score:5, Insightful)
This is a little harder to do. In windows all you have to do is convince the user to look at these pictures of my naked wife wife.gif.pif (the
In Linux you have to convince the user to save the attachment, change its attributes to include execute, and explain why the file must be executed instead of viewed.
Convincing the user is much harder in Linux. Microsoft has blurred the line between executing a program and viewing a file. Linux still makes it harder to trick a user into running a program.
Re:Not news (Score:2)
You could probably mitigate the danger by running your browser and mail client chrooted or as another user. Or both. And possibly have them drop any unnecessary regular-u
Re:Not news (Score:4, Insightful)
So, on Windows, as long as the average user is running your code, you can very easily have an FTP server running at boot which the user can't kill. It can run silently for a very long time, making available keylogs or whatever else.
On Linux/BSD/OS-X, the danger is slightly reduced. Sure, you can monitor a single user's access, and you can open up a port > 1024. You can certainly nuke the home directory, which would be horribly bad news for a lot of users. But, it is always possible to log in as another user and kill whatever it is. When you are running as another user, you will be fairly confident that you can at least see any problems that might present themselves. With windows, any app can make itself invisible to normal means of inspection (See Sony rootkit!).
There are some *nix fanboys who overstate the protections, certainly. But, "not much real extra security" is a hell of a lot better than "what in god's name were those chimp brained fucktards thinking?"
Is this really phishing? (Score:3, Insightful)
duh !!!! (Score:1)
It's just phishing. Yea
Re:duh !!!! (Score:1)
Re:duh !!!! (Score:2)
C Food (Score:5, Funny)
Explicitly casting further with new lures, the phishers trolled, hoping for more bytes on the (on)line. The emails of the species were particularly at risk, as their outlook was not so good to begin with.
Some sought harbour in the eBay, hoping their bet paid off. Last I heard, the feedback was good.
Maybe our only hope is growing legs and migrating to the LAN.
Re:C Food (Score:2, Funny)
The problem isn't Windows (Score:5, Insightful)
Case in point: http://www.schneier.com/cgi-bin/mt/mt-tb.cgi/474/ [schneier.com]
in which a bank manager was convinced to leave 5 million under the door to a bathroom stall in a bar in Paris.
Re:The problem isn't Windows (Score:3, Insightful)
http://www.timesonline.co.uk/article/0,,13509-181
Wow Mods, pay attention at all? (Score:3, Informative)
B) The man only left 358,000 Euros, not 5 million.
FROM GOVERNMENT SOFTWARE FOUNDATION OF NIGERIA (Score:4, Funny)
PHISHING claims many LIVES, but YOU TOO can be SAFE when you use our SECURE SOFTWARE to protect your family from PHISHING. BUT alas, my COMPANY lacks FUNDS to share this SECURE SOFTWARE with GOOD PEOPLE like you. THIS TRAGIC moment for our company can only be FIXED by your kind SERVICES. PLEASE transfer ONE THOUSAND DOLLARS to me at the GOVERNMENT SOFTWARE FOUNDATION OF NIGERIA so we can all SHARE this SECURE SOFTWARE.
ATTACHED is a special TRIAL of this very SECURE SOFTWARE, just for YOU. DO NOT HESITATE to protect yourself from the deadly THREAT of PHISHING.
Re:FROM GOVERNMENT SOFTWARE FOUNDATION OF NIGERIA (Score:3, Funny)
Scam! Scam!!
Re:FROM GOVERNMENT SOFTWARE FOUNDATION OF NIGERIA (Score:2)
I also forwarded the initial email, and website log [I got a visit from Nigeria to my page minutes before the email], to phonebusters.com in Canada [RCMP] who handle this kind of crime.
That does it. (Score:5, Funny)
Why is it that EVERYTHING involving computers and the internets ends up becoming some cutesy-cutesy thing?
What's next?
Employee 1: "You hear about Bob?"
Employee 2: "Yeah, I hear he got spear-phished this weekend. I guess they gutted and scaled him, and supposedly they're going to pan-phry him."
Employee 1: "Well, it beats being served in a tuna salad!"
Employee 2: "What the hell, exactly, are we talking about?"
Re:That does it. (Score:2)
Why is it that EVERYTHING involving computers and the internets ends up becoming some cutesy-cutesy thing?
What's next?
Spear-spamming?
In other news... (Score:2)
Or does it? Jackont took his computer to the Israeli police last fall and was told to reformat it. But his problems persisted. So the police examined his computer more closely and discovered that a malicious program known as a Trojan horse lay hidden deep inside and had hijacked the machine from a remote location. Trojan horse? That's sooo 1000 BC. Was this trojan hiding in his BIOS or is this guy incompetent?
The only new thing is this "spear-phishing" is a speciali
Drama queen (Score:5, Funny)
People don't like it when I say this, but it's like being raped. It's like my underwear was spread all over the streets. It was a severe breach of privacy.
I'd like to be the cop that treats this like they do when they try to tell young girl rape victims it's their fault...
Well, look at ya! is that all you put on as a browser?!
Yea, this is just what I usually put on, Internet Explorer.
Well there ya go... You're going out on the internet putting on nothing but a skimpy browser, making all sorts of purchases, without any sort of protection? No wonder you're gettin yourself raped!
Re:Drama queen (Score:2)
what's the relationship btw phishing scam (no software involved) and IE?
IE has a bug that makes it possible to give people links that go to places other than what the IE address bar says they are. This was exploited quite a bit by phishing emails, but Microsoft claimed it was not a serious bug and said they would not fix it. They might have fixed it by now, under pressure, like many other bugs they said they did not care to fix, but that remains to be seen. The fact it was possible to be at one site whe
Better habits.... (Score:4, Insightful)
See why whitelisting your contacts is important? The problem is that people want to use their computer the way they use their washing machine. They think that just because they have "auto-update on" for Windows and Norton, then they're safe. Unfortunately, they're not. If they use emails irresponsibly, they will get spammed/phished/worse. There is no miracle cure, but good internet "security" habits can help a lot. No amount of software can replace good habits and experience.
However, I feel that this is a battle that is already lost. How can I convince strangers to pick up good habits if I can't even convince my sister and father? All they care about is having a functional computer to send their emails and type their .docs whenever they need to do so. Any downtime is unacceptable, yet they refuse to acknowledge the fact that any downtime is usually their fault. PCs have become the 'automobiles' of the 21st century: "I don't care how it works, as long as it gets me to where I want to be."
Bah, maybe I'm wrong. Maybe I have too much free time; others don't have the luxury to care about these things. Still, I'm the one who ends up fixing the PC / taking the car to the mechanic....
Re:Better habits.... (Score:2)
Re:Better habits.... (Score:2)
Re:Better habits.... (Score:2)
It does stand up. Maybe in the UK you have to be knowledgeable to drive a car, but in America any idiot can drive a car with the most minimal training.
Not only that, but most people do not properly maintain their cars. Keeping track of updates, scanning for viruses, maintaining security.. all that is maintenance. But the computer is harder to maintain than a car, and the worst part is there are always new things cropping up that need to be countered with computer security, unlike with cars, where you don'
Re:Better habits.... (Score:2)
I made myself the administrator of the system, gave one of them a "managed" account with a simple finder. All the applications could be used but the restrictions were little enough so they could do everything they needed without access to Terminal, o
Spear-phishing (Score:3, Insightful)
Instead of telephoning some company and making believe you're their service provider to try and get the root password for some machine, one sends an email disguised as a legit email from a company with which a target company's employee has a commercial relation. Said email contains as payload an agent program which can be used to gather information/control the machine.
This is more powerful than old-style social engineering, both because you directly get an agent running on a machine inside the target company's network and because the list of potential targets is bigger than just "the persons that have passwords to the company's servers".
Re:Spear-phishing (Score:1, Funny)
Notice the misspellings.
Dear Amazon member,
Due to concerns we have for the safety and integrity of the Amazon community we have issued this warning.
Per the User Agreement, Section 9, we may immediately issue a warning, temporarily suspend, indefinitely suspend or terminate your membership and refuse to provide our services to you if we believe that your actions may cause financial loss or legal liability for you, our users or us. We may also take these actions if we are unable
What utter crap (Score:3, Insightful)
I'm sorry for those of you IT types who have managers or "super users" who learned everything they know about computers from reading PC Ragazine or CNET. I'm sure you'll be getting worried calls and emails today. Just what you need on a Monday.
surprise (Score:1)
Hard to believe anything is a surprise in that area of the world anymore.
Phishers marketing is getting better (Score:2)
I've seen two messages that are heading in this direction and the banks better step up their education because more people will fall for these than the older scams.
And this isn't new.... This type of so
Re:Phishers marketing is getting better (Score:2)
Re:Phishers marketing is getting better (Score:2)
The media is going to call that "phly phishing".
More marketing words (Score:3, Funny)
I'll call it ice phishing.
Spam Fritter (Score:3, Funny)
Phishing or not? (Score:5, Interesting)
First thing they want is my birthday.
I hesitate, and they say they have to confirm who I am before they can talk to me.
(Federal privacy regs, HIPAA, and all that).
I refuse, because I don't know if they are who they say they are.
They immediately understand, and give me a toll-free number that I can call into.
After I hang up, I realize that their number doesn't help me, because *they* gave it to me.
It isn't the number on my health insurance card.
I can't find it on their web page.
I google for it and get no hits.
So I still don't know who they are.
So I don't call the number.
Phishing? Probably not.
It probably was my health insurance company.
But it's been a couple of weeks now, and they haven't called back.
In the past, when they've wanted to talk to me,
they've called every few days until they got hold of me.
So I don't really know...
Re:Phishing or not? (Score:2)
Re:Phishing or not? (Score:5, Interesting)
A couple of months ago I received a message on my home phone from American Express concerning "suspicious activity on my card." The message said really only that, and that I should call some toll-free number that wasn't printed on my card. There was no identifying information at all in the message, and to make matters stranger they were calling about a business card (they called me at home, not at work).
So I called the number. I get a person almost immediately and there is quite a bit of background noise on the line. They ask for my card number. When I didn't tell them and started asking questions (trying to determine if the person really did work for AmEx), the guy got insistent and asked for my social security number. I refused to answer and asked more questions, but never got a good answer.
I eventually hung up on the guy and then looked up AmEx's fraud prevention number in Google and called THAT. It turned out that someone really did hijack the card number from some vendor's database and there were 4-5 bogus purchases. We got the problem cleared up relatively quickly.
The problem, however, is that the AmEx representative did not come across in a professional manner and his conversation with me served only to make me more suspicious. With all the phishing going on, I'm extremely leery of simply providing personal information upon request.
Re:Phishing or not? (Score:5, Insightful)
So did I. I knew it was a phishing call. I was polite and refused to give my particulars and asked about the activity. I asked if I gave the last 4 digits whether they could verify the address. They said no, they needed the full number, exp date, name as it is on the card and the verification number. I then told them I do not have an American Express card. I then called American Express and gave them the phishing information.
If a bank is having their customer base phished, and you don't have an account, let the bank know anyway instead of ignoring it. You may protect your neighbors.
Re:Phishing or not? (Score:2)
What is worse is that the companies use the same kinds of approaches, so it's even more difficult to figure out if any of it is legit. The companies are also victims in these cases, but due to the disconnects between the fraud stats and their customer service, they don't see the big picture. Large companies use "email marketing" as
Re:Phishing or not? (Score:2)
Re:Sometimes legit (Score:2)
Re:Phishing or not? (Score:2)
Re:Phishing or not? (Score:2)
I had an issue where I forgot to pay my Sprint bill, and so they called my cell phone. Except that nothing on the display indicated that it was Sprint (I would think that *they* of all people could change what's displayed on my phone if they wanted). The person wanted my credit card or checking account information to pay the bill. I told them I would pay it online by the end of the day. She informed me that if I did not pay immediately, my account woul
Add mail header info to email subject lines? (Score:2)
I am a rock, I am an island. And a rock feels no pain, and an island never gets phished.
Dupe? (Score:2, Informative)
Re:Dupe? (Score:2)
"Spear" phishing? (Score:4, Funny)
Okay:
Jelly phishing - targeting politicians.
Salmon phishing - targeting gays.
Flounder phishing - targeting christians.
Tuna phishing - targeting pianists.
Shark phishing - targeting lawyers.
I am sure we could come up with others
Classified Ads (Score:2)
One response I received was one in broken English asking for pictures and if the price was firm. I responded with photos and the price. The next response was 4 paragraphs of an overdraft money order scam, telling me they'd arrange for someone to pick up the dog, but to wire the excess funds back to an account in London, etc.
I was sort of impressed, c
Not much different from "remote dumpster diving" (Score:2)
This is really not much different from remote dumpster diving. If I wanted specific, personal information from someone, I wouldn't need to go through very much trouble in getting it. Just as a security-conscious person would shred sensitive documents before com
Old hat, traditional defense (Score:2)
What gets me about this is that it's not new. Telephone scams of a similar nature have been around forever. And the defense is the same for both: never trust the other party if you didn't originate the call. Whether I'm getting an e-mail from PayPal about my account being locked or a phone call from American Express about potentially fraudulent activity on my card, my first reaction is to simply ignore everything the caller/sender tells me. I go to my own bookmarks and get to my account on the respective we
Authentication (Score:2)
It would be helpful if large companies had a simple way for their customers to authenticate email and telephone calls from that company. The phishers are getting better at what they do, and sometimes it is almost impossible