Security IT

The Evolution of the Phisher 278

gurps_npc writes "An article at CNN discusses how phishers have moved beyond the typical email scam. Last month, Secunia (Danish security firm) documented a case where a phisher somehow modified a Windows host file so that when you type in the correct URL in the address, it redirects you to the phisher site. Worms and spyware are being built for the purpose of phishing, and it is also believed that phishers are attempting to compromise domain name servers. If one of these goes down, millions could lose their security instantly, even if they themselves have maintained the security of their computers."
This discussion has been archived. No new comments can be posted.

  • by LithiumX ( 717017 ) on Thursday January 20, 2005 @05:54PM (#11424807)
    Not very familiar with the threat level against XP?

    I've tested this myself. Put up a fresh brand new install of XP. Before I could even start patching it, I had worms homing in. I think the record so far (not for me but for another article here) is 45 seconds from first boot.

    By the time you get around to hitting your bank records, you're already hit. If it's a brand new computer, unless it's fully patched and defended against these specific threats, you would likely already be hit long before you browsed your first site, let alone a critical one.

    Think before you flame.
  • by Anonymous Coward on Thursday January 20, 2005 @05:54PM (#11424815)
    "Somehow modified the windows hosts file."

    Yes, that's pretty clever of them. Nobody would think of that. It's pretty hard to do. You will need extensive knowledge of a fucking text-editor.

    Seriously, where is the news?
  • Re:From TFA (Score:1, Informative)

    by jephthah ( 681398 ) <jephthahg@comcast.HELLOKITTY.net> on Thursday January 20, 2005 @06:11PM (#11425016)
    IF you think of Phishers AS petty thieves ...

    NOW they're MORE LIKE an organized unit.

    it's called metaphorical comparison. It's an abstract logical tool.

    But don't worry, Luca. In your late teens and early 20's, your brain will physiologically be more able to handle abstract concepts, and you will have to rely on concrete expressions less often.

  • Re:Mod Parent Up (Score:2, Informative)

    by nzkbuk ( 773506 ) on Thursday January 20, 2005 @06:23PM (#11425158)
    Funny, yes, Insightful, no
    Most web sites are hosted on a shared platform. That's the whole reason HTTP 1.1 was invented. Go to any site on there and unless you type in the commands directly and like reading text with HTML tags (not displayed as web pages), then over 90% of web sites will be inaccessible.
  • Load of BS (Score:3, Informative)

    by janoc ( 699997 ) on Thursday January 20, 2005 @06:24PM (#11425176)
    Sorry folks, but this is so overblown that it is incredible. Similar to the recent "Evil twin" story.

    Does anybody really think that compromising a root DNS server will suddenly redirect customers of e.g. Citibank to a phisher's site and it wouldn't be immediately noticed? C'mon:

    - DNS is distributed and any change in DNS takes a while to propagate (on the order of days). Moreover, more and more sites are switching to digitally signed updates to DNS, so bogus updates have no chance to go through.

    - Do you really think that e.g. a bank or eBay would not notice that somebody hijacked their domain? The only thing a potential phisher would achieve is to attract very close attention to himself, and very quickly at that.

    A more credible threat is tricks like changing the hosts file; however, with that we are in the domain of common adware/spyware which hijacks the browsers on Windows routinely.

    Finally, any bank worth my money does not use just a stupid username/password for authentication! Most European banks have as a standard feature a challenge/response mechanism (in addition to the username/password pair).

    Some banks even go so far that they issue you a smartcard with a pocket "calculator", which generates correct responses to the challenges from the bank. The smartcard is used as a seed for this and is protected with its own PIN that you have to enter before typing in the challenge code from the bank. The codes transmitted are usable just once, so they are completely useless to the phisher. Oh the mindless scaremongering ...

  • Stupid system (Score:2, Informative)

    by haakoneide ( 788114 ) on Thursday January 20, 2005 @07:22PM (#11425866)
    Everything about phishing comes down to this: The passwords are reusable. If you can just get the password from the user once, you can do whatever you want. In Scandinavia, all banks use RSA tokens or lists with one-time passwords (these are rare nowadays). The file on the token is secret, and the PIN that the user puts into the token never has to be plotted into a computer, so that's secret too. The password you get out only lasts for a minute. US banks apparently have the security level of Hotmail. Scandinavian banks (and probably most European) have had this system for like 10 years. Should I laugh or cry?
  • by Anonymous Coward on Thursday January 20, 2005 @08:54PM (#11426779)
    Watch out for fake caller ID phishers... Imagine getting a call from the police, FBI, Wells Fargo, someone famous, etc.. at least that's what it says on your caller ID.. It's been happening in Denver.. should start getting nasty soon.
  • by BlueCodeWarrior ( 638065 ) <steevk@gmail.com> on Thursday January 20, 2005 @10:28PM (#11427562) Homepage
    SpoofStick [mozilla.org]

    It's not perfect, but it'll help.
  • by That's Unpossible! ( 722232 ) * on Friday January 21, 2005 @12:13AM (#11428394)
    Say I usually go to site A to do my banking. And I have a trusted security certificate for that site.

    I get infected with one of these phishing worms which alters my host file so that whenever I type out the URL to site A, I get the IP address to site B.

    I inadvertently go to site B. Site B doesn't require a security certificate. When would I get a warning about "incorrect" security certificates? As opposed to "expired" or "missing" certificates?


    Assuming you are smart enough to require a site to be secured with SSL before submitting your information to them, you'd first look to see if the connection is secure. If it IS secure, that means the SSL certificate that site has must match up to the domain your browser thinks you are viewing.

    The phishing site might trick you into thinking you're at bankofamerica.com, they may also have an SSL certificate installed on their phishing hole, but there is no way in hell they have an SSL certificate (from a trusted SA) for that bankofamerica.com domain. They'd need BoA's private key for that kind of trickery.

    Therefore 1 of 3 things should tip you off:

    1. The site is not SSL secured. Stop.

    or

    2. The site is SSL secured, but the SSL certificate triggers an alert that the domain in the cert doesn't match the domain you're viewing. Stop.

    or

    3. The site is SSL secured, the domain in the cert matches, but your browser triggers an alert because it was not issued by a trusted SA.
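The hosts-file redirect discussed throughout this thread can also be caught on the machine itself, before the browser's certificate checks come into play. The following is an added example, not part of the original discussion: a small audit that parses hosts-file text and reports any entry pinning a watched banking or auction domain to an address. The `WATCHED` list and the sample file contents are constructed for illustration.

```python
import ipaddress

# Hypothetical watch list: names that should never be pinned in a hosts file
# on a user workstation. On Windows the file lives at
# %SystemRoot%\System32\drivers\etc\hosts.
WATCHED = {"bankofamerica.com", "citibank.com", "ebay.com"}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every valid mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address, so this is not a mapping
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")

def audit(text, watched=WATCHED):
    """Return (line_no, hostname, ip) for entries overriding a watched domain."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        # Match the domain itself or any subdomain, but not look-alike suffixes.
        if any(name == d or name.endswith("." + d) for d in watched):
            findings.append((line_no, name, str(ip)))
    return findings

# Constructed sample hosts file (documentation-range addresses).
SAMPLE = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
192.0.2.10      intranet.example   # local alias
203.0.113.66    www.bankofamerica.com bankofamerica.com
   203.0.113.66 WWW.EBAY.COM.
#198.51.100.7   citibank.com
not-an-ip       citibank.com
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("hosts override on line %d: %s -> %s" % finding)
```

Run against the real file's contents on a schedule or at logon, any finding means name resolution for that domain is being overridden locally and the machine should be treated as compromised.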
