The Evolution of the Phisher

Posted by CmdrTaco
from the we-got-a-live-one-here dept.
gurps_npc writes "An article at CNN discusses how phishers have moved beyond the typical email scam. Last month, Secunia (a Danish security firm) documented a case where a phisher somehow modified a Windows hosts file so that when you type the correct URL in the address bar, it redirects you to the phisher's site. Worms and spyware are being built for the purpose of phishing, and it is also believed that phishers are attempting to compromise domain name servers. If one of these goes down, millions could lose their security instantly, even if they themselves have maintained the security of their computers."
  • by wdd1040 (640641) on Thursday January 20, 2005 @04:46PM (#11424696)
    And this is when users need to actually read the warnings about certificates being different than the last time accessing the site...

    Again, if common-sense is used, 99% of phishing can be stopped.
    • And when you are using a new computer that has never logged onto that account....
    • by x.Draino.x (693782) on Thursday January 20, 2005 @04:49PM (#11424732)
      You fail to realize that the typical user doesn't even know what those certificates are for. The Slashdot crowd is probably safe for the most part, but are your parents?
    • by Jedi Alec (258881) on Thursday January 20, 2005 @04:51PM (#11424769)
      common sense? is there such a thing? you know you shouldn't stick your fingers in the nice bright fiery thingy because either someone told you stringently not to or you tried it once and got burned. to the majority of web users out there most of this information is as understandable as a description of the precautions that need to be taken before summoning Cthulhu. if someone went out and started changing the signs near highway offramps, and you've never been in the area, will common sense tip you off?
    • Hmmm. If stuff like this starts happening enough, the average user will just stop using the net. Just like people won't go wandering into a bad or dangerous neighborhood no matter how good the restaurants may be, many people will simply stop using the net if the scams, worms, and viruses continue to mount. This has significant economic consequences and consequences for individual freedoms as the government attempts to combat the problems.

      Admittedly, the net is used for a lot of things that people may not b
    • by Anonymous Coward on Thursday January 20, 2005 @04:56PM (#11424837)
      You lost me.

      Say I usually go to site A to do my banking. And I have a trusted security certificate for that site.

      I get infected with one of these phishing worms which alters my host file so that whenever I type out the URL to site A, I get the IP address to site B.

      I inadvertently go to site B. Site B doesn't require a security certificate. When would I get a warning about "incorrect" security certificates? As opposed to "expired" or "missing" certificates?

      Or better yet, these phishing worms pre-install their security certificate at the same time they hack my hosts file. When would I get a warning? As far as my web browser is concerned, I'm going where I intended to go.

      I think your solution solves the wrong problem.
      • Say I usually go to site A to do my banking. And I have a trusted security certificate for that site.

        I get infected with one of these phishing worms which alters my host file so that whenever I type out the URL to site A, I get the IP address to site B.

        I inadvertently go to site B. Site B doesn't require a security certificate. When would I get a warning about "incorrect" security certificates? As opposed to "expired" or "missing" certificates?


        Assuming you are smart enough to require a site to be secured w
    • Yes and no. Remember, they control the DNS, they wrote to the /etc/hosts (wherever it is they bury that on windows, c:\windows\system32\hosts if I remember correctly) files. How long until they add a file to your cert list. So it looks like a trusted host when you go to their site?

      Besides all that, I'm fairly sharp about my security, and I know most of the fundamentals of the math behind it, and I wouldn't be shocked if my bank switched SSL keys because their old one just expired. Imagine the bedlam

    • It's bad enough that most users have no clue to begin with, but you should try working within the DoD. Or maybe it's just the Air Force that's so screwed up. But they've been pushing so hard on a poorly-implemented PKI plan that all their users are now conditioned to automatically accept invalid, expired, or untrusted certificates dozens of times per day to get their jobs done.

      Enablement... yeah, that's a perfectly cromulent word...
    • And this is when users need to actually read the warnings about certificates being different than the last time accessing the site...

      What are you talking about? There is no such warning that I am aware of. I don't believe IE caches certificates and compares them with the last time you accessed a site. The only program that does this is ssh, which is hardly end-user material.

      What will happen instead, if the DNS were to be hacked, is that the site will be UNABLE to come up with a valid certificate on the
      • What will happen instead, if the DNS were to be hacked, is that the site will be UNABLE to come up with a valid certificate on the DNS name it has stolen. If someone could hack and redirect paypal.com to their own site, they still wouldn't be able to offer a signature on a key named "paypal.com" with a certificate from a trusted issuer. The only certificate they could offer would be maybe a self-signed one, in which case you will get a warning. But it won't say that the certificate has changed, it will say
    • Why do you think they're going to use HTTPS? How many people actually look for the lock symbol?

      No HTTPS, no prompt whether to accept a new certificate.

      If you want to be even nastier I think you can set up Apache so it will use a "null" cipher. I'm not sure whether certificates are even needed in that case, but to anyone who doesn't drill through the "security" dialogs it will look like a genuine site.

  • Exactly how is this different from password-harvesting trojans/viruses?


    It's not like this is anything new.
    • by phorm (591458)
      Since the tactic mentioned involves editing hosts to redirect a site, doesn't that already mean that the system has been owned by a virus/trojan? At that point the game is already lost

  • by Anonymous Coward on Thursday January 20, 2005 @04:49PM (#11424730)
    Simon called Peter, and Andrew his brother, casting a net into the sea: for they were phishers. And he saith unto them, Follow me, and I will make you phishers of men.

    Jesus p0wns you.
  • by stecoop (759508) * on Thursday January 20, 2005 @04:49PM (#11424741) Journal
    Email:

    Although I could have written a very complex and well written virus that probably wouldn't work on your operating system I am asking you to reply with your account name, password and any other card numbers you might have.

    I further ask that you forward this email message to all your friends and for that matter any one you don't know urging them to send me all your information.

    Yours Truly,
    Mr Phisher
  • "If you think of phishers initially as petty thieves, now they're more like an organized crime unit," said Paris Trudeau, senior product manager for Internet-security firm SurfControl.

    Did I read that correctly?

    A senior employee of an Internet Security firm used to think of Phishers as "petty thieves"? Maybe Paris Trudeau needs to find a new line of work.

    • Well, didn't phishing initially get its start as a small-time deal to snag AOL accounts?

      After that it's largely a semantic debate as to what makes something an organized crime (2 guys working together?) and how many thousands you have to steal to not be petty.
  • Any phishing of that type will result in a certificate error (assuming they don't do some heavy modding of your browser as well), which I can catch. But I'm sure most of us have parents who we've told the common "If you don't understand it say Ok" - ie not the safest thing in the world, but better than being called every 2 hours. Usually this works well, since even relative illiterates understand the idea of software being installed without them specifically wanting it, and can say no. But a certificate
    • This tends to be one of those days that I'm thankful that my parents are not nearly as wired into the Internet as I am. They still pay their bills by check, buy just about everything at stores, and much of their information hardly ever reaches the Internet.

      How weird to be saying "Thank You mom and dad for being averse to technology" as a geek and actually be praising them.
    • Why bother using https at all? How many people do you think actually check for that little lock symbol in their browser.

      What's to keep them from sticking in a Verisign graphic just to look safe? Think they're going to be stopped by copyright law?
      • What's to keep them from sticking in a Verisign graphic just to look safe? Think they're going to be stopped by copyright law?

        That's pretty unlikely. I mean, copyright violation is technically illegal. Plus, the government has been cracking down on it pretty heavily. No, safer to just stick to fraud.
  • Ok Microsoft really needs to pick up the ball on this one. They need to make an extremely obvious security certificate key information. Such that when you log onto any "secure" website it pops up information about the key authority that can be understood by all. Then they need an expansive advertising campaign to tell users to look for these signs when entering confidential information, and not enter such information otherwise.

    Of course then you would see popups that look identical to the key information, inf
    • Rather than Microsoft and I.E., Mozilla and Firefox.
  • by drivinghighway61 (812488) on Thursday January 20, 2005 @04:51PM (#11424777)
    Everyone knows phish evolved into amphibians.
  • Didn't Jesus say in Matthew 4:19 that if we follow him he'll make us phishers of men?

    (Yeah, I know that was bad, but I just couldn't resist!)
  • Shouldn't it be.... (Score:5, Interesting)

    by GillBates0 (664202) on Thursday January 20, 2005 @04:52PM (#11424781) Homepage Journal
    phisherman.

    Fishermen fish.
    Phishermen phish.

    It's not "Fishers fish".

    Carrying the analogy further, IE becomes a "phishing net" and Windows becomes a "phishing boat". The intarweb may be viewed as the "ocean" and your average AOLer a dumb "phish". Smarter geeks could be viewed as smarter "dolphins".

    Interesting, huh.

    • I am the Phisher King. I con pagans out of their PayPal accounts.
    • > It's not "Fishers fish".

      It's not?

      From Webster's Revised Unabridged Dictionary (1913) [web1913]:

      Fisher \Fish"er\, n. [AS. fiscere.]
      1. One who fishes.
      [...]

      From WordNet (r) 2.0 [wn]:

      fisher
      n 1: someone whose occupation is catching fish [syn: {fisherman}]
      [...]

      From M-W online:

      Main Entry: fisher
      Pronunciation: 'fi-sh&r
      Function: noun
      1 : one that fishes
      [...]

      Anyway, what about fisherwomen, you insensitive, sexist clod? And did you know that the word "gullible" doesn't appear in any
    • You must be using some definition of the word "interesting" with which I have never been acquainted.
  • DNS? Bah! (Score:5, Funny)

    by saintp (595331) <(stpierre) (at) (nebrwesleyan.edu)> on Thursday January 20, 2005 @04:52PM (#11424787) Homepage
    it is also believed that phishers are attempting to compromise domain name servers. If one of these goes down, millions could lose their security instantly, even if they themselves have maintained the security of their computers.
    That's why only sissies and noobs use DNS. "Don't have to remember numbers," they cry. "Makes life easier," they whine. Hah! So does Gator! But I've got the upper hand now! My security won't be compromised while posting on 66.35.250.150, bitches.
    • That's why only sissies and noobs use DNS ... my security won't be compromised while posting on 66.35.250.150, bitches.
      Damn I wish I had some mod points. Somebody mod this man +5 Insightful.

      I scrolled down the posts, looking and looking for someone to address the problem of DNS compromise.

      You nailed it, thus the +Insightful -- and throw in some +Funny, for good measure.

      -kgj
      • Re:Mod Parent Up (Score:2, Informative)

        by nzkbuk (773506)
        Funny, yes, Insightful, no
        Most web sites are hosted on a shared platform. That's the whole reason HTTP 1.1 was invented. Go to any site on there and unless you type in the commands directly and like reading text with html tags (not displayed as web pages), then over 90% of web sites will be inaccessible.
    • Re:DNS? Bah! (Score:2, Insightful)

      by ziplux (261840)
      What about sites hosted on virtual servers? You _need_ DNS for those sites to work, otherwise the server doesn't know what site you want.
    • You think you're so smart, just wait until everyone's using IPv6.
  • Banks need to start charging MS for all the money they have to "return" to customers after they get caught by a scam like this. It must be costing them millions and a lot of it is from people using Windows. I'm sure Bill would stick his thumb out and get moving if he had several million dollars in fines he can't pay in Windows 98 CDs.
    • Banks need to start charging MS

      And if your ISP's name server or your border router or something not on your desktop is lying to you about a forward lookup on a trusted domain name? This doesn't even have to include SSL hacking, because most users will see the phish mail, and if they're typical people, see that the target URL is mybank.com and just go there, and suffer.

      This ain't just an MS thing.
  • Wow! I had some spyware overwrite the windows etc/hosts file every time I rebooted, and I couldn't remove it. The solution (for me) was backing up the hosts file and surfing under a user account to prevent a similar kind of infection.

    If Admins can modify this file willy-nilly, then it could be a major problem for users who haven't bothered to create user accounts.

    rj
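The hosts-file hijack described in the summary and in the comment above can be caught by auditing the file itself. The script below is an added example, not code from the thread: it parses hosts-file text and flags mappings that deserve a human's look, with a watch list of sensitive hostnames. The watch list, the sample hosts content and the address 203.0.113.45 are constructed; on Windows the real file is C:\Windows\System32\drivers\etc\hosts, on Unix-like systems /etc/hosts.

```python
"""Audit a hosts file for entries that could silently redirect a site.

Added example (not from the Slashdot thread). Everything below reads a
hosts file as text, so it can be run against a backup copy or a live
file without privileges.
"""
import ipaddress

# Constructed watch list: names that a legitimate hosts file essentially
# never contains. Seeing one of these pinned to any address is the attack
# the thread describes (typed URL goes to the phisher's box, not the bank).
WATCHED_DOMAINS = {"www.mybank.com", "www.paypal.com", "online.citibank.com"}

# Stock entries and the only addresses they are expected to carry.
BENIGN = {
    "localhost": {"127.0.0.1", "::1"},
    "localhost.localdomain": {"127.0.0.1"},
}

# Constructed sample, modelled on the hijack described in the thread.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example.net          # typical ad-blocking entry
192.168.1.20    fileserver.corp.example
203.0.113.45    www.mybank.com www.paypal.com
"""


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every mapping in hosts-file text."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                              # malformed, maps nothing
        ip, *names = parts
        for name in names:                        # one IP, many aliases
            entries.append((ip, name.lower(), line_no))
    return entries


def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Return (line_no, hostname, ip, reason) for each suspicious mapping."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, name, ip, "unparseable address"))
            continue
        if name in BENIGN and ip in BENIGN[name]:
            continue                              # stock localhost lines
        if name in watched:
            findings.append((line_no, name, ip, "watched domain pinned in hosts file"))
        elif addr.is_loopback:
            # Ad-block lists do this deliberately; low severity, but report it.
            findings.append((line_no, name, ip, "sinkholed to loopback"))
        else:
            findings.append((line_no, name, ip, "non-loopback override"))
    return findings


if __name__ == "__main__":
    for line_no, name, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}: {reason}")
```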
  • Even straightforward phishing attacks are getting more sophisticated. Spelling errors and mangled Web addresses made early scams easy to spot, but scam artists now commonly include legitimate-looking links within their Web addresses, said Kate Trower, associate product manager of protection software for EarthLink Inc.

    I have noticed this lately as well... so now I scrutinize every email I get, hovering over links, and occasionally, entering the first line or so into google. I do consider myself to be prett

  • Who trusts the Department of Homeland Security to help secure DNS with a task force from their Cybersecurity department?
  • Folks, let's do the math:
    Phishers do not need to be successful very often. Think sperm here: if conditions are right, most of the time only one gets lucky 20% of the time. (Sorry for the anchorman gag)
    Consider the facts:
    1) Only a few sites transact critical personal data (Credit cards, identity info) without proper security
    2) Only a few sites use security certificates that are A) out of date B) for a different site C) otherwise invalid.
    3) only a modest majority of IE users have been trained into clicking "O
  • Cyber terrorism? (Score:5, Insightful)

    by GrouchoMarx (153170) on Thursday January 20, 2005 @05:11PM (#11425022) Homepage
    Here's where our laws are truly screwed up.

    On the one hand, downloading music from "unauthorized" sources such as P2P networks will get million dollar fines and, if the companies get their way, jail time, when there is actually no evidence that they are causing a loss of revenue (even if they are technically violating copyright law).

    Meanwhile, people who write spyware, break into computers and DELETE data, shut down networks, and attack DNS servers in order to disrupt all traffic on the Net (roughly the online equivalent of putting tacks all over a major expressway junction) get.... what? Really, I have no problem with seeing these people get 20-life hard time.

    When will the people who [ run the country | have money | bought Congress ] realize who the real threat to the Internet and to their bottom line is? It's not cheap Britney Spears fans. It's the people trying to break the Internet in order to get better advertising.

    Oh wait, I forgot. Advertising is always good, because companies do it, so they can't object when someone tries to advertise. Silly me. Greedy SOBs have to stick together.
  • The simple answer: for all places where you have sensitive information, bookmark an SSL-enabled url.

    For example, instead of logging into your bank by typing in "www.mybank.com", bookmark their login info like:

    https://www.mybank.com/login.bnk?gz=1

    Or whatever.

    When you visit the https url, even if a phisher has completely altered dns and hijacked your connection, they do not have the private key for the institution.

    If you want to be paranoid, save your institutions certificates locally so that even if a h
  • I just keep a copy of the IP addresses to all of the sites that I visit on a piece of paper. Who needs DNS anyway?

    Seriously though, any reason why the kernel's DNS-lookup procedure couldn't be changed to verify the IP through N servers instead of just the primary server? Of course, if one of the root dns servers go down, then that's it, but it's more likely that YOUR ISP's box will get rooted.
    • Better yet, a browser that gets a certificate mismatch could check a couple of other DNS sources before assuming that it has the correct site. If both the DNS servers and certificates don't agree, then there is a big problem.

      Of course that assumes that sites transferring secure data use SSL, which is not always true. But I'm not sure whether adding even more DNS queries for every lookup is a good idea, since there is already more DNS traffic on the wire than there needs to be.
  • by ftzdomino (555670) on Thursday January 20, 2005 @05:17PM (#11425092)
    Most phishing sites use images pulled from the real sites, as well as direct people to them when they are done entering their information. Many banks and sites such as paypal could easily track these people by watching their referral logs and looking for foreign referrals to things such as their navigation images. They could then contact the nocs of ISPs who are unknowingly hosting them on hacked machines to get them taken down immediately. Most ISPs are extremely willing to take these down quickly, I've had quite a few respond to me within minutes when I've informed them. Eventually phishers would just grab the whole site and host the images as well, but the increased bandwidth would be more likely to be noticed.

    Mail clients should also notify users when the displayed http:// url differs from the actual href.

    A better fix would be for banks and other organizations to set up contact addresses for people to inform them. Many of them take days to read feedback I've sent them regarding someone trying to scam their customers.
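The referral-log check suggested in this comment, as an added example (not code from the thread or from any bank): it parses Apache combined-format access log lines, keeps requests for image and stylesheet paths, and groups them by any Referer host outside the site's own domain. The domain mybank.com, the host mybank-secure-login.example and the log lines are constructed.

```python
"""Find phishing pages that hot-link a site's own images, from access logs.

Added example (not from the Slashdot thread). Input is a sequence of
Apache "combined" log lines; output maps each foreign Referer host to
the set of static assets it pulled from us.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

OUR_DOMAINS = {"mybank.com"}                 # constructed; covers subdomains
IMAGE_EXT = re.compile(r"\.(gif|png|jpe?g|ico|css)$", re.I)

# Apache combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample: one legitimate hit, two hot-linked images from a
# look-alike host, one non-image hit, one hit with no referer.
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Jan/2005:16:46:01 -0500] "GET /img/nav.gif HTTP/1.1" 200 1234 "https://www.mybank.com/login" "Mozilla/4.0"',
    '198.51.100.7 - - [20/Jan/2005:16:46:02 -0500] "GET /img/logo.gif HTTP/1.1" 200 4321 "http://mybank-secure-login.example/verify.php" "Mozilla/4.0"',
    '198.51.100.9 - - [20/Jan/2005:16:47:10 -0500] "GET /img/nav.gif HTTP/1.1" 200 1234 "http://mybank-secure-login.example/verify.php" "Mozilla/4.0"',
    '203.0.113.5 - - [20/Jan/2005:16:48:00 -0500] "GET /login HTTP/1.1" 200 9876 "http://mybank-secure-login.example/verify.php" "Mozilla/4.0"',
    '203.0.113.6 - - [20/Jan/2005:16:49:00 -0500] "GET /img/nav.gif HTTP/1.1" 304 - "-" "Mozilla/4.0"',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_same_site(host, domains=OUR_DOMAINS):
    """True if host is one of our domains or a subdomain of one (case-insensitive)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def foreign_image_referrers(lines):
    """Map each outside Referer host to the set of our static assets it loaded."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]          # ignore query strings
        if not IMAGE_EXT.search(path):
            continue                                  # only static assets matter
        referer = rec["referer"]
        if referer in ("", "-"):
            continue                                  # direct or stripped; no signal
        host = urlsplit(referer).hostname
        if not host or is_same_site(host):
            continue                                  # our own pages embedding our images
        hits[host].add(path)
    return dict(hits)


if __name__ == "__main__":
    for host, paths in foreign_image_referrers(SAMPLE_LOG).items():
        print(f"{host}: {sorted(paths)}")
```

If the victim's hosts file or resolver has been hijacked, the browser believes it is on the real host, so the Referer matches and the image request may never reach the bank at all; this check only spots kits that hot-link from a differently named host.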
    • However, if DNS is hijacked in any form, the site would not see anything weird in their referral logs. The browser would send "Give me image X, and I was referred by site X". It would match, because the DNS was wrong.

      This is very scary, as it would be almost impossible to detect! Fortunately, certain sites are releasing "security plugins" which tell you if the site you're connected to is legit. Unfortunately, it's only a matter of time before spyware and phishermen start to hijack these security plugins as
  • by TiggertheMad (556308) on Thursday January 20, 2005 @05:19PM (#11425103) Homepage Journal
    The article was a little vague on this point, but aren't Phisher scams where you pretend to be a slightly paranoid ex-chess genius hiding out in Japan?
  • Load of BS (Score:3, Informative)

    by janoc (699997) on Thursday January 20, 2005 @05:24PM (#11425176)
    Sorry folks, but this is so overblown that it is incredible. Similar to the recent "Evil twin" story.

    Does anybody really think that compromising a root DNS server will suddenly redirect customers of e.g. Citibank to a phishers site and it wouldn't be immediately noticed ? C'mon:

    - DNS is distributed and any change in DNS takes a while to propagate (on the order of days). Moreover, more and more sites are switching to digitally signed updates to DNS, so bogus updates have no chance to go through.

    - Do you really think that e.g. a bank or eBay would not notice that somebody hijacked their domain? The only thing a potential phisher would achieve is to attract very close attention to himself, and very quickly at that.

    More credible threats are tricks like changing the hosts file; however, with that we are in the domain of common adware/spyware which hijacks browsers on Windows routinely.

    Finally, any bank worth my money does not use just a stupid username/password for authentication! Most European banks have as a standard feature a challenge/response mechanism (in addition to the username/password pair).

    Some banks even go so far as to issue you a smartcard with a pocket "calculator", which generates correct responses to the challenges from the bank. The smartcard is used as a seed for this and is protected with its own PIN that you have to enter before typing in the challenge code from the bank. The codes transmitted are usable just once, so they are completely useless to the phisher. Oh the mindless scaremongering ...

    • According to a July Slashdot story [slashdot.org], DNS updates should now take five minutes.

      I've always worried about either terrorists or the FBI conducting an attack on the populace where a component of that attack was causing mass confusion and disturbing communication (e-mail and blogs) via a DNS takeover.

      DNS is a weak point. Sure, "only" 99% of Internet users rely on one of the main DNS servers, and, sure, like all censorship on the Internet, the Internet will route around it. But confusing/misinforming 99% of the
