Honeynet Revealing Actual Phishing Techniques 155
edsonie writes "CircleID is reporting on the recent Honeynet Project, 'Know your Enemy: Phishing', aimed at discovering practical information on the practice of phishing. The study reports on a number of real world examples of phishing attacks and the typical activities performed by attackers during the full lifecycle of such incidents. The research also suggests that phishing attacks "are becoming more widespread and well organized". Also with regards to the speed of such attacks, "phishing attacks can occur very rapidly, with only limited elapsed time between the initial system intrusion and a phishing web site going online with supporting spam messages to advertise the web site, and that this speed can make such attacks hard to track and prevent." Check out the full report here presenting actual techniques and tools used by phishers."
Now the Honeynet (Score:3, Funny)
Anyone have a mirror?
Phishing! (Score:3, Funny)
Re:Phishing! (Score:5, Funny)
Re:Phishing! (Score:1, Offtopic)
Re:Phishing! (Score:1)
Actual techniques (Score:4, Insightful)
Let's not make it into brain surgery. Do we need honeynets to tell us there are stupid people out there? And there always will be stupid people out there.
mod parent up (Score:1)
Re:Actual techniques (Score:4, Informative)
Good god. You use a computer a lot, and that makes a lot of people stupid BUT you? Question: Did you believe in Santa Claus growing up? Would you appreciate me calling you stupid about it?
Yeesh. Anyway, to answer your question: If Honeynets are revealing specific ways of screwing people, then specific warnings can be given out to help minimize the risk. You've never noticed how Paypal tries to very clearly explain to people not to click on paypal links in their email?
Re:Actual techniques (Score:2, Insightful)
> BUT you?
Susceptibility to phishing has virtually NOTHING to do with how much you do or do not use a computer. It is a function of your general level of naivete. Giving out your bank password in response to an email request is fundamentally no different from giving out your credit card number to a sleazy telemarketer who says he's from the local police charity. In both cases, somebody contacts you and claims to represent a
Re:Actual techniques (Score:3)
Your non-solution leaves a whole lot to be desired if you're a bank. Do you suggest banks administer an I.Q. test before they allow people to open accounts? Do yo
Internet Darwinism (Score:5, Interesting)
At work, the security guys put together a phishing test. It looked exactly like our normal web page, they made it sound official by calling it some kind of Task Force, and then they emailed everyone a link to the password checker. It supposedly tested your password for security difficulty. You enter your ID and password and it would email you back the results.
I sent the link to the security guys and got an "Attaboy". About half of the people ended up on the list of idiots that handed out their secure passwords over the internet.
What goes through someone's head to enter passwords, bank account info, or personal identity information over the Internet? Don't people consider that the companies supposedly asking for this stuff should already have it? Your bank is never going to ask you for your account number over email. They already have it!
Re:Internet Darwinism (Score:1, Funny)
So few are acquitted.
Re:Internet Darwinism (Score:1)
You know the survey where people were offered a pen or something in exchange for their password? I would have gone "Sure... my password is 'gull1ble'". Free pen, no security risk.
Re:Internet Darwinism (Score:2)
They're getting MUCH better at it (Score:5, Insightful)
I've seen a PayPal phish that was very sophisticated, doing things like putting bogus info into the URL bar, duplicating the layout of PayPal's site EXACTLY... it turned out to be very difficult to spot the smoking gun - I had to go look at the raw HTML to find it.
Had I not been as paranoid as I am, it could have easily suckered me.
Read the article, and follow some of the links to the actual attacks. It's amazing how good they are. (It's equally amazing that a web browser would do anything on link mouseover EXCEPT show the real target of a link!)
Yes, there are plenty of stupid people - some people actually buy products from spam, or send money to Nigeria, etc etc. But the quality of the phishers is getting so good that it is hard to tell (in some cases) what is valid or what is not.
DG
Re:They're getting MUCH better at it (Score:2)
Re:They're getting MUCH better at it (Score:2)
Absolutely! It amazes me that web browsers are so willingly stupid. That's why I use something like Links or Lynx for certain browsing tasks. Unfortunately, even Links has javascript these days... so I'm probably just relying on security by obscurity to some degree.
Comment removed (Score:5, Insightful)
Re:They're getting MUCH better at it (Score:1, Funny)
Maybe you should just admit that you are almost too stupid to be on the Internet?
Re:They're getting MUCH better at it (Score:2, Interesting)
This, I have found, is not only an easy way for us geeks to spot phishers, but a way we can easily explain to non-geeks how to spot them.
Paypal Scams (Score:2)
Paypal's customer list is exactly a list of people foolish enough to fall for the convenience argument. (And yes I was that foolish. I was too lazy to have myself removed. Fortunately I never actually linked it to any
Re:They're getting MUCH better at it (Score:2)
I get spam emails addressed to "David Dennis" all the time.
It would not be difficult for someone to emulate real PayPal emails much better than is currently being done, and as the law of diminishing returns impacts this kind of attack, I'm sure it will happen.
It used to be that you could reliably identify these attacks just because of their abysmal English, but that's become less true in the past few months.
What's foolproof is this: Anything asking for you to type in your ID and passw
Re:They're getting MUCH better at it (Score:2)
I generally use the street metaphor. Do not give any information over the internet that you wouldn't give to a stranger that approaches you on the street.
There will always be phishers who will be able to get at least some victims. Just as there are people who commit fraud without using the internet. Some are very good at what they do, like Victor Lustig [wikipedia.org], who sold the Eiffel tower in 1925 -
Re:Internet Darwinism (Score:3, Interesting)
http://survey.mailfrontier.com/survey/quiztest.html [mailfrontier.com]
(use IE, not the Fox)
Did you get 100% correct on the first try (I didn't, I only got 9 out of 10)? Educating the internet population to be aware of the varied and increasingly sophisticated scamming variants is a hopeless proposition in my opinion.
Re:Internet Darwinism (Score:1)
Besides, I don't have an account with any of those companies, so I know they are all false.
Re:Internet Darwinism (Score:3, Insightful)
100% correct. Even for companies I do have an account with, no reason there would ever be a link in an email I need to click. I do have one credit card set up to send me an email when the monthly statement is ready, but when I view that statement, I'll s
Re:Internet Darwinism (Score:3, Insightful)
This is what the banks refer to as "brand damage". My bank would love to sell me a money market account and actually link to their own promotion. Maybe not right to my account page, but what stops a phisher from copying entire site structures?
I realize that you're one of the superior enlightened few that cannot be marketed to, but banks do have products to promote to the rest of the unwashed masses.
Re:Internet Darwinism (Score:2)
So what? Why do I have to waste my bandwidth and storage space downloading it? Just because it was a legitimate e-mail, doesn't mean it is a legitimate way to let me know about their product. I don't care if it is Spam or a Phish, I don't want to read it, and will delete it on sight. Unless I specifically requested information from a company, I don't feel any loss.
[/rant]
Re:Internet Darwinism (Score:2)
Your opinions on marketing are irrelevant to the concept of brand damage.
Re:Internet Darwinism (Score:1)
Also, worked fine in Firefox for me.
Re:Internet Darwinism (Score:2)
I looked at the first one and realized it's sophisticated enough to need to look at the source first.. Outlook is easily spoofable with links so there isn't enough information to make a determination. Plus we have no idea whether the recipient is *really* a member of the bank anyway.
Pretty useless test.
Re:Internet Darwinism (Score:2, Informative)
Exactly the point of the test, I should think. Given that the average user isn't likely to look at source, or perhaps may not even know how to look at source, asking to judge what is a phish and what isn't purely by visual inspection helps to highlight why it is these things so often work against the unsophisticated computer user.
Re:Internet Darwinism (Score:5, Insightful)
Your bank is never going to ask you for your account number over email. They already have it!
Part of the reason this social engineering is successful is that companies, banks, large organizations are so lousy at keeping accurate records. Have you never had a bank screw up your name, or your balance, or some other company you do business with charge you for something you never ordered or fail to charge you for something you have ordered? I've had all these things happen, and it makes it completely unsurprising that a bank would lose your information or even have a policy of verifying your account password via e-mail. It is ridiculous and insecure and generally a really stupid idea, which is why it seems plausible that some lumbering bureaucracy would do it. Obviously, I would never give out sensitive information via e-mail, but I would actually not be surprised if some company requested it via that method. Just because it looks like phishing, does not mean it is, it could just be someone being really dumb. There is plenty of blame to go around here.
Re:Internet Darwinism (Score:1)
In the 20 years I have had bank accounts, they screwed up exactly *once*. A few €'s on an interest calculation. I wrote a letter and got my money back. My account number, my address, my name, my birthdate were always correct. Actually, banks (at least the serious ones) are absolutely paranoid about knowing as much as they can about you. They datamine that stuff and profile you. If you didn't know that, you are being naive. To a bank, kno
Re:Internet Darwinism (Score:2)
They datamine that stuff and profile you. If you didn't know that, you are being naive. To a bank, knowing the customer is one of the most important things.
Just because they collect a lot of data on their own or buy it from outside sources does not mean it is accurate.
Sure, a transaction may be two days late (which can be very sucky for many clients), but it's only the transaction.
I've found two different banks each to have an incorrect balance for my account because once they charged me $400 in ATM f
Re:Internet Darwinism (Score:3, Informative)
Then switch banks. Wamu, Wells, and Citi all have zero problems with firefox. Call the bank and tell them why. Don't come off like some smug platform evangelist, just say "your internet banking doesn't work with my computer and t
Re:Internet Darwinism (Score:2)
Then switch banks. Wamu, Wells, and Citi all have zero problems with firefox. Call the bank and tell them why.
As I mentioned two of the banks do work with Firefox (and Safari my preferred browser) but none of them offer decent online security options such as are commonly offered in many parts of Europe. As for contacting them, I e-mailed two of the bank's feedback e-mail addresses and politely mentioned why I was going with a competitor. One did not even have an e-mail or working link just broken "contac
Re:Internet Darwinism (Score:2)
You might try one of the internet only banks for that type of stuff.
It just hasn't gotten a foothold in the USA like in Europe.
Re:Internet Darwinism (Score:5, Insightful)
I would venture a guess that among the vulnerable are the parents and/or grandparents of most of the people who read Slashdot. You don't see an ethical obligation on the party of the technically savvy to care about and protect the technically unsavvy? Shame on you.
Software can be anything we make it be. The technologists who have shaped the world have made many choices and will continue to make choices about what our programs will and won't do, how information will be presented, etc. They make those choices on behalf of the public, and they cannot simply shirk responsibility in this way.
Almost all technological problems of this kind reduce to our desire to get as far as possible as fast as possible, and damn any ill side-effects. If browsers required you to know and approve each site before you connected to it, this wouldn't happen. "But that would slow us all down," I can hear you say. The world needs this now, now, now. Indeed, we get benefits by not holding back. But we get ill effects, too, and we can't just poo poo those as not our responsibility. They follow directly from the design decisions we make on behalf of our parents and friends, people who often don't know we're making them nor the consequences of their having been made.
If we spent half as much time, energy, and intellect solving social problems as we do solving technical ones, I suspect the world would be happier.
Re:Internet Darwinism (Score:2)
You are absolutely correct. That is why I have attempted to teach my parents about the dangers of phishing, malware, and viruses. It still doesn't stop my father from installing Gator 3 times a day, but at least I am trying.
Like I said in
Re:Internet Darwinism (Score:2)
Always? No. But sometimes? Often? I wouldn't be so defeatist on those options. If you meant literally what you said, then I'd say you're speaking way too narrowly. If you just mean "sometimes" or "often", and were exaggerating, then I'd say your statement is somewhere between defeatist and outright untrue.
People don't consider food, condoms, kitchen knives, air travel, or dentistry "safe"
Re:Internet Darwinism (Score:2)
Maybe so, but they definitely ask you for your account number and password when you login to their website.
Phishers setup a fake website to look like the bank and then all they have to do is lure the suckers to the fake website. And users have been conditioned to type their usernames and passwords into the fake website because they have been conditioned to type the same information into the real website.
W
Re:Internet Darwinism (Score:2)
Whether it's an account number or a customer code is irrelevant; the ones I have experience with authenticate the user completely from details which the user types in at the keyboard. No certificates used.
This makes it vulnerable to phishing attacks because the phisher needs only to fool the user into believing that they are using the legitimate website. The phisher does not need the account number, they need only enough information to login to the use
Re:Internet Darwinism (Score:2)
The scheme you referred to about th
Re:Internet Darwinism (Score:1)
Re:Internet Darwinism (Score:2)
Re:Internet Darwinism (Score:2)
It occurred to me that the phishers need some kind of transaction processing, which should deposit any money into their account; and transaction proc
Re:Internet Darwinism (Score:2)
I believe by definiti
This is all very well and good, (Score:3, Insightful)
End users are the target and there's no way in hell ANYbody will ever change that little term in the equation.
The best defense... (Score:5, Insightful)
Re:The best defense... (Score:1, Offtopic)
Re:The best defense... (Score:5, Interesting)
Which doesn't get in the way, and is startling enough to not be ignored. It makes most users think "Is this a real e-mail?", and if it's on some company network, they could ask for help and be told not to reply, then slowly learn not to by themselves.
Re:The best defense... (Score:1)
Beware of false sense of security.
Re:The best defense... (Score:2)
----------
Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information.
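The two complaints above (having to dig through the raw HTML to find the mismatch, and wanting a banner that users can't ignore) can be combined in a mail-side check. The script below is an added illustration, not code from the Honeynet report or from any mailer: it parses the HTML body of a message, flags any link whose visible text looks like a URL for one host while the href actually points at a different host, and prepends the warning banner from the comment above when it finds one. The sample message, the hostnames in it and the `same_site` heuristic are constructed for this example.

```python
"""Flag HTML e-mail links whose visible text names one host while the
href points somewhere else, and prepend a warning banner when any are found.

Added example for this thread: the sample message, hostnames and the
simple two-label site comparison are constructed here, not taken from
the Honeynet report or from any real mail filter.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Banner text as quoted in the comment above.
BANNER = ("Warning: This message may not be from whom it claims to be. "
          "Beware of following any links in it or of providing the sender "
          "with any personal information.")

# Visible link text that a reader would take to be an address.
URL_LIKE = re.compile(r"(?i)^(https?://|www\.)\S+$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL or bare 'www.' text; '' if none.
    urlparse().hostname ignores any user@ prefix, so the host returned is
    the one a browser would actually connect to."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def same_site(host_a, host_b):
    """Treat hosts as the same site when their last two labels match
    (www.example.test vs example.test). Constructed heuristic: it uses no
    public-suffix list, so two-label country suffixes would over-match."""
    return host_a.split(".")[-2:] == host_b.split(".")[-2:]


def suspicious_links(html):
    """Return (visible_text, href) for links whose shown host and real host differ."""
    collector = LinkCollector()
    collector.feed(html)
    found = []
    for href, text in collector.links:
        if not URL_LIKE.match(text):
            continue                      # plain words like "our help page" carry no claim
        shown, actual = host_of(text), host_of(href)
        if shown and actual and not same_site(shown, actual):
            found.append((text, href))
    return found


def annotate(html):
    """Prepend the warning banner when the message contains a mismatched link."""
    if not suspicious_links(html):
        return html
    return f"<p><b>{BANNER}</b></p>\n{html}"


# Constructed sample: the first link shows one address but resolves to another;
# the second is a plain-text link and is left alone.
SAMPLE = """<html><body>
<p>Dear customer, please confirm your details at
<a href="http://203.0.113.5/login">https://www.example-bank.test/login</a>.</p>
<p>Questions? See <a href="https://www.example-bank.test/help">our help page</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE):
        print(f"shown {text!r} but points to {href!r}")
    print(annotate(SAMPLE))
```

Run as a filter in front of a mail client, `annotate` leaves clean messages untouched and adds the banner only when the shown and real hosts disagree, which is the case a reader cannot see without hovering or opening the source.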
Re:The best defense... (Score:2, Insightful)
I used to think this way too, but after 8 years in IT, I'd rather rely on technology than users (technology isn't much to rely on, but at least it can be reasoned with).
If only banks weren't part of the problem.. (Score:2)
I'm sure Winnie the Pooh will.... (Score:2)
Re:I'm sure Winnie the Pooh will....Poor Bear... (Score:2)
Mirrors (Score:5, Informative)
Greece - http://honeynet.phrapes.net/ [phrapes.net]
Romania - http://honeynet.iasi.roedu.net/ [roedu.net]
Croatia - http://honeynet.lss.hr/ [honeynet.lss.hr]
France - http://honeynet.startx.fr/ [startx.fr]
Germany - http://honeynet.fh.net/ [fh.net]
Germany - http://honeynet.spenneberg.org/ [spenneberg.org]
Germany - http://project.honeynet.de/ [honeynet.de]
Ireland - http://honeynet.heanet.ie/ [heanet.ie]
Italy - http://honeynet.securityinfos.com/ [securityinfos.com]
Netherlands - http://honeynet.hackers.nl/ [hackers.nl]
Netherlands - http://honeynet.evilcoder.org/ [evilcoder.org]
United Kingdom - http://honeynet.ntcity.co.uk/ [ntcity.co.uk]
Asia
India - http://honeynet.tiet.ac.in/ [tiet.ac.in]
Philippines - http://honeynet.opensourcecommunity.ph/ [opensourcecommunity.ph]
Singapore - http://www.security.org.sg/honeynet/ [security.org.sg]
Korea - http://honeynet.secuwiz.com/ [secuwiz.com]
Malaysia - http://honeynet.0ni0n.org/ [0ni0n.org]
China - http://honeynet.xfocus.net/ [xfocus.net]
South America
Brazil - http://mirror.honeynet.org.br/ [honeynet.org.br]
North America
Canada - http://honeynet.ihackedthisbox.com/ [ihackedthisbox.com]
USA, NY - http://www.clientbox.net/ [clientbox.net]
USA, TX - http://honeynet.5dollarwhitebox.org/ [5dollarwhitebox.org]
USA, OH - http://mirror.clevelandhoneynet.org/ [clevelandhoneynet.org]
USA, VA - http://honeynet.streetchemist.com/ [streetchemist.com]
This is getting really frustrating (Score:4, Interesting)
The problem is that they are pretty organized; you get one, then a follow up, then a final warning and so on. I can imagine that a majority of Mom and Pop type of users finally succumb to these sorts of attacks since they seem to be pretty well coherent!
Re:This is getting really frustrating (Score:1)
All the phishers have to do is buy a dictionary, and start spelling their mails right, and I believe they'll hook a lot more victims.
Bad definition. (Score:5, Insightful)
"Password harvested fishing"??? What a crock! The 'ph' is just a 'cooler' version of an 'f'. Like 'phreaking' or 'phat'.
Someone clearly tried to figure out where the term came from, and completely missed the obvious
Re:Bad definition. (Score:2)
Re:Bad definition. (Score:1)
Re:Bad definition. (Score:1)
It seems unclear if Brian Phish even existed.
Though the backronym from TFA is supported as well.
Re:Bad definition. (Score:2)
Re:Bad definition. (Score:2)
Re:Bad definition. (Score:2)
But... 'password harvest fishing' is totally bogus.
It can be quite difficult to resist (Score:4, Interesting)
I got an email stating that an order had been placed with my name and it was being delivered. Now, I have two choices:
Do nothing and maybe allow some delivery of goods that I do not want (I am in UK, not US) and then have to return them or anyway cancel the payment (can be difficult if made by debit card) even if the crook got the numbers from looking at you at the supermarket.
Have a look and see what it is about.
The ECommerce site was a trojan installer, it didn't work since I use Opera and have ActiveX disabled (Quite interesting all the techniques they used)
The point is that sometime it is quite difficult to know if something is legitimate or not and to me the only solution is to have less wizybang applications and more reliable ones.
No activex, plain HTML browsing.
Banks should NOT use funny addresses for part of their pages, just one clear address.
No magic jumping between applications, no magic installing, make it painful to install something taken from the network!
Re:It can be quite difficult to resist (Score:2, Interesting)
Sorry, I fail to see why this is a problem. I mean you knew you didn't order it, right?
So fucking what if something turns up at your door? I'd be like "Great! Free stuff!".
Do you think that someone would steal your card details and then use them to order something for you? It doesn't seem likely to me.
Why couldn't you just check with your bank or credit card provider? I would expect the
Re:It can be quite difficult to resist (Score:2)
Re:It can be quite difficult to resist (Score:2)
And in Thunderbird, the fake addresses on the phishing attempts that get through the spam filters show up when I hover over them. Then I nuke 'em. You're using the wrong mailer...
Speed? (Score:2)
Speed? Speed doesn't seem to be a requirement for a successful phish. I've given up complaining to ISPs who are hosting phishing sites because there seems to be no action taken against them. Sure if the site is on a compromised server in Korea or Vietnam I don't expect much, but when it's a mainstream US ISP it's a bit disheartening to get either an auto-responder or no response and then see that the site is still up weeks after bothering to tell the
Re:Speed? (Score:3, Insightful)
As papers like this one reveal the methods of phishers, it's going to be much more difficult for ISPs to claim ignorance of the problem, because knowledge of tools and methods contribute to standards of due care from which liability arises. The threat of legal action might improve the overall response.
Re:Speed? (Score:2)
I do/did. For example here is a link [nghiahanh.net] to a submit form that is used in a paypal phish to collect credit card and account details. It then redirects to the real paypal logon using the phished credentials. I advised Yahoo (the ISP) and Paypal a month ago and the site is still up.
Strange Phenomenon (Score:5, Insightful)
Consider:
I think computers mystify older people to the point where they lose their mind. I see it in general. My friend's father-in-law had a "computer question" for me about ebay. He wanted me to tell him how to determine the price he should sell something for. I tried to explain to him that his question had nothing to do with ebay itself, but he was so caught up in the process of selling on ebay, he was totally confused.
Maybe phishing works so well because some people are so confused by computers in general, they simply assume that their bank would ask them for this information over email (from an account named bank_stealer@hotmail.com).
Dealing with this kind of leads to the appropriate saying:
You can give a man a fish and feed him for a day, or teach him to fish and feed him for the rest of his life.
You can't get rid of phishing by blocking sites. You have to do it by educating people not to enter their info.
Re:Strange Phenomenon (Score:2)
Re:Strange Phenomenon (Score:2, Informative)
Re:Strange Phenomenon (Score:1, Insightful)
You are right, phishing is not a problem over the telephone, but suppose a crook had these abilities:
Re:Strange Phenomenon (Score:4, Insightful)
Re:Strange Phenomenon (Score:3, Insightful)
I'm going to have to disagree with you on this one. I think a phone call would have even more weight than an official looking e-mail, and naive people would happily supply their account information. Especially if you work off of the phone book, you could call and say "Mr. So and So, we show we have an account with you, at XXX address. As the first step in our verification, please verify your account number. (proceeds to ask for
Re:Strange Phenomenon (Score:2)
However, I receive the occasional promotional email from my bank, and have previously used the links provided to log in, purely because getting the email reminded me about a bill I need to pay, or that I need to check if a payment has been received or something. It was only afterwards I realised what I'd done, an
Re:Strange Phenomenon (Score:2)
Or you can teach him to phish, and he should be set for life.
Re:Strange Phenomenon (Score:3, Informative)
You'd be very surprised. Phishing is a variation of a scam that has been around as long as the telephone. Ever heard of the "bank examiner scam"? Hell, some brave souls were probably even doing it door to door before then, though it's easier to do charity scams that way.
Re:Strange Phenomenon (Score:2)
Well, normally I wouldn't, but he seemed like a nice man, and he promised he'd return my card after he was finished with it.
Researchers (Score:2)
HoneyNet Developers: "Holy shit, it actually WORKED! Quick, submit a story to Slashdot!"
New Phishing Technique ... (Score:3, Insightful)
This way, the phishers are doing all the hard work (mass email spam, etc), and getting none of the benefit.
The article even goes on to tell you what tools to use ... so expect this to be the next level of phishing scam.
I'm almost tempted ... must resist the dark side ... do you think we can get the phishers to offer up free pr0n? [tt]
Re:New Phishing Technique ... (Score:2)
Easier way (Score:3, Insightful)
Re:Easier way (Score:2)
Real phishers getting a bad rap... (Score:1)
weird coincidence (Score:2, Interesting)
Within minutes, I browsed to Slashdot and saw this was the current top story
creeeeepy
gmail definitely agrees that... (Score:2)
No s**t! The Gmail "more options" pull down originally had a "report phishing" option...I just noticed yesterday [while noting 12 notices from paypal and ebay accounts I do not have] that they changed the option to read "report NOT phishing" after you have marked one email as a phishing attempt. It looks as if the majority of spam I get is now phishing spam. If you do use the "report" options make sure you are sending the right messa
Don't deal with eBay, PayPal, or WAMU (Score:2)
Re:Don't deal with eBay, PayPal, or WAMU (Score:2)
Re:Don't deal with eBay, PayPal, or WAMU (Score:2)
Rent a botnet here! (Score:4, Interesting)
Yes, "Specialham", the spammer hangout, is back! "SpecialHam is the premier online destination for email marketing professionals." With great new topics like "What are the most anonymous ways to transfer money". [specialham.com]
That site seems to be aimed at low end and clueless spammers.
Further up the food chain, we have Black Box Hosting [blackboxhosting.com]. "Fully featured bullet proof dedicated server. Allows direct mailing and website hosting. All our plans allow Adult, Gambling and Pharmacy Content." They also offer "Mailing Servers" [blackboxhosting.com]. You have to supply your own list of proxies, and your own bulk mailing program. They recommend DarkMailer. [dark-mailer.com]
So you go on Specialham and rent some open proxies. Then order a mailing server and a web server from Black Box Hosting. Run your scam. Launder the money through an offshore credit card processor [offshoreprocessing.net]. Profit!
What we really need in honeynets is for about 10% of these support operations to be sting operations run by law enforcement. That would make phishing and spamming a much higher risk operation.
Re:Was I the only one... ? (Score:5, Funny)
Also with regards to the speed of such attacks, "fisting attacks can occur very rapidly, with only limited elapsed time between the initial intrusion and a fisting..."
Ouch!
not a dupe (Score:1, Informative)
Re:Hmm, can't be bothered to read TFA fully but... (Score:2, Insightful)
Maybe you should read TFA, especially if you're comparing them with a bunch of criminals..
What I've read of the Honeynet projects, they set up a network of easy marks and record and examine what traffic they receive. In the case of spammers/phishers, they blast their crap across the net already - it's not like the Honeynet is their only target or its existence is influencing when a phish-run is made.
It's not entrapment. It's research.