No-Click Phishing On The Way
An anonymous reader writes "MessageLabs has discovered a pretty nasty - though fairly crude - phishing scam which doesn't even require recipients to click on a link in order to hand over personal data.
Simply opening the email is enough to activate a script which 'lies in wait for its victim' according to one report. The script rewrites the host files of the machine and directs users to a fake web page the next time they legitimately attempt to access an online banking page. ... However, this will only affect users who have Windows Scripting Host enabled and certain ActiveX controls, according to MessageLabs."
Pegasus Mail! (Score:2, Funny)
Re: Mozilla Thunderbird! (Score:2, Informative)
Re: Mozilla Thunderbird! (Score:5, Insightful)
Did you read the article? It says "the most recent versions of Outlook, where such features are switched off as standard, will be protected." This has been the same with many recent exploits. They only affect old versions of MS software, but it immediately gets spun here to say that no one should be using the current, safe versions. It's similar to the recent status bar spoofing issue posted here which affected Firefox RC1 and Opera and pre-SP2 IE, but not SP2 IE, and was of course discussed as being a "hole in IE".
Re: Mozilla Thunderbird! (Score:2, Insightful)
Re: Mozilla Thunderbird! (Score:2, Insightful)
Re: Mozilla Thunderbird! (Score:2)
Don't tell me what I need or don't need in my software. It's off by default and if you don't want it, you don't have to do anything. But it's not for you to decide what I should or should not be able to do with my software. Other people may have different needs or use software in a different environment from you and this moralizing attitude that you can decide for everyone what their software should be able to do is frightening.
Re: Mozilla Thunderbird! (Score:4, Insightful)
Other people may have different needs or use software in a different environment from you and this moralizing attitude that you can decide for everyone what their software should be able to do is frightening.
Name one. If you're passing activeX around in email, it could probably be done better some actual way. In the meantime, we all have to deal with the results of malicious activeX email.
Incidentally, my moralizing attitude is that you shouldn't be dumping benzene upstream of me. Is that also not for me to decide?
Re: Mozilla Thunderbird! (Score:3, Insightful)
Re: Mozilla Thunderbird! (Score:3, Insightful)
Some of us don't have the choice (at work).
At least I can install firefox, but mail clients that aren't OE are a big no-no.
Re:Pegasus Mail! (Score:3, Informative)
It is up to an individual to select if they want a rich experience in their emails. I, personally, would prefer plain old text mails, but that is a choice I made. A rich client like Outlook supports rich mail, but the MIME RFC clearly recommends that if the mail contains HTML, it should be a html/txt MIME attachment, with a plain text copy attached as the main message. Thus, a non-rich mail client can still display this primary message (w
Re:Pegasus Mail! (Score:3, Insightful)
I seriously wish you snotty I-love-Unix-terminal types who tell everyone in the world that monospace ASCII is good enough for everyone would read a good book about type design. Try Robert Bringhurst's Elements of Typographic Style.
No, ASCII is not good enough. People l
Re:Pegasus Mail! (Score:2)
You can be safe(er?) with PocoMail, too (Score:3, Informative)
Last year I bought a new laptop. When I was setting up my apps, I decided to ditch Eudora and look for a better mail client.
I tried out Pegasus Mail, Fox Mail, Mozilla mail, the Thunderbird standalone and PocoMail [pocosystems.com]. PocoMail was the only one that wasn't free, and it was the one I chose in the end.
A number of reasons led to my choice:
1 - Built in spam engine (Bayesian filtering added in 3.1) and the best auto-junkmail filter of the apps I tested, includes learning filters
2 - UI totally configurable
3 -
Re:Pegasus Mail! (Score:2)
What (Score:5, Interesting)
Re:What (Score:2, Informative)
I doubt many people would be affected anyhow. If I understand correctly, the attacker would have to know the URL you go to for online banking and replace it in your hosts file with a different site. It seems unlikely that it would work on too many people.
Re:What (Score:5, Insightful)
Yeah, because it would be too hard to fill a hosts file with the URLs for Citibank, Chase, BankAmerica, and the rest of the top 10 or top 100 banks. Nobody could do that.
Re:What (Score:2)
Re:What (Score:2)
Re:What (Score:2)
Re:What (Score:2)
Re:What (Score:3, Informative)
The thing is, if you already accessed the URL, the result for the DNS query (or hosts file) is cached and it doesn't need to do the query again. Try it with a URL you never accessed before.
Re:What (Score:3, Insightful)
Re:What (Score:3, Insightful)
Re:What (Score:3, Insightful)
Re:What (Score:3, Insightful)
Re:What (Score:5, Insightful)
If the company's information gets phished because of inept IT staff, that's not your problem.
Unless of course, you ARE the IT staff.
LK
Re:What (Score:2)
Re:What (Score:3, Insightful)
That's why this is classified as extremely low risk. It is simply a demonstration (concept) of a method of spoofing a website by modifying the hosts files.
Re:What (Score:2)
You might consider not doing your online banking from work? (Yeah, I'm a hypocrite, browsing /. from work, but it's lunch break right now.)
Another possibility, if you have or can get enough control of the machine, is to install F/OSS alternatives. My corporate standard is Outhouse and Internet Exploiter, but I'm typing this on Fir
you've been served (Score:5, Funny)
Re:you've been served (Score:2)
So that's the reason (Score:5, Funny)
definition (Score:5, Informative)
[Phishing] is the luring of sensitive information, such as passwords and other personal information, from a victim by masquerading as someone trustworthy with a real need for such information.
Re:definition (Score:3, Funny)
for those who don't know what phishing is
Slashdot - news for n00bs, stuff that confuses
Re:definition (Score:2)
same thing works on linux (Score:5, Funny)
not quite "no-click", but linux does support this feature.
[/humor]
thats why (Score:2, Funny)
Simple solution...don't use HTML mail (Score:3, Insightful)
Re:Simple solution...don't use HTML mail (Score:5, Interesting)
Re: Simple solution...don't use HTML mail (Score:3, Informative)
If you open HTML mail, stuff like pictures embedded in the HTML gets loaded, and that is one way spammers know that a) they've stumbled upon a valid e-mail address, and b) the user read the mail. I can imagine that with a spam run, a sudden surge in image loads from a target site might be used to calculate payments for the spammer, identify valid e-mail addresses used, use the latest browser exploit to install spy/addware, et
God bless Microsoft (Score:5, Funny)
And here I was going to switch to Windows... (Score:5, Funny)
Well, I was going to switch over from Linux to Windows, because I heard Bill Gates said that ``security is our top priority'', but now I think he must have been misquoted. Maybe I'll stick with Linux just a little longer, until Windows gets those last few little bugs ironed out.
Re:And here I was going to switch to Windows... (Score:5, Funny)
No, the quote is correct, it's just taken out of context:
"[Our financial] security is our top priority".
I don't get it (Score:2)
it would be helpful to say which email clients to avoid (probably outlook express I take it?)
Makes me glad I use pine (Score:5, Interesting)
Re:Makes me glad I use pine (Score:4, Funny)
Don't be lulled into a false sense of security... (Score:3, Informative)
Granted, I doubt pine is a big target for phishing scams, but nonetheless...
Re:Makes me glad I use pine (Score:3, Informative)
There's this cool new thing called IMAP. Look into it and get with the 90's.
"Cool new thing called IMAP" (Score:3, Insightful)
Uh, that's amusing, but wrong. Pine was the first mail program to use IMAP. Both Pine and IMAP were created at the University of Washington.
Predictions (Score:4, Insightful)
Or in other words, this will probably not affect non-Windows or non-Internet Explorer users.
Well we could see plenty of comments along those lines coming, but here's a further thought:
Hey banks: All of your users have plastic cards that you issued. Mandate two-factor authentication already and watch Phishing scams go bye bye.
Re:Predictions (Score:2)
Re:Predictions (Score:2)
Now maybe my bank will give me a smartcard/usb key. Probably not though
Two factor is an illusion for these users (Score:3, Informative)
Hey banks: All of your users have plastic cards that you issued. Mandate two-factor authentication already and watch Phishing scams go bye bye.
You obviously have no idea how these scams work. Mostly, they trick the unsuspecting user into giving out their PIN number, and name and home address. As soon as you give out your PIN, all your "two-factor" authentication is useless.
Why?? Here is why. Your bank card is absolutely trivial to duplicate.
All a thief needs is a card from the same bank (easy to obtain by
Re:Two factor is an illusion for these users (Score:4, Informative)
Hey, guess what? Some machines print out the first eight and some print out the last four. I was cleaning a bunch of ATM receipts out of my car a few weeks ago and discovered that by combining several receipts, my entire account number and name was completely recoverable. Shred those puppies!
Re:Two factor is an illusion for these users (Score:2)
One way to make card transactions more secure would be to implement something such that bank would generate a random transaction code, you punch it into your card, and it shows you a code to enter. That way you have to actually have the card.
2) CC #s use a checksum. IIRC (it's been a while since I played around with the checksum algorithm) it tended to reduce the search space by a factor of 100, i.e. only 1/100 numbers are val
Took them long enough (Score:5, Insightful)
Remind me to tell my mother to start using Thunderbird and Firefox and install a firewall.
Re:Took them long enough (Score:2, Funny)
Remind me to tell my mother to start using Thunderbird and Firefox and install a firewall.
Sure. What was her email and IP address?
Re:Took them long enough (Score:3, Funny)
Sure, no problem. But could you ask her to hold off on the upgrades until after I've finished sending out this last batch of bulk mail that I've got queued up on her box? Quid pro quo and all that. Thanks.
Re:Took them long enough (Score:2)
Re:Took them long enough (Score:2)
News Flash! (Score:4, Funny)
WSH is insecure!
Windows is insecure!
HTML mail can be used to exploit security flaws in user agents!
Film at 11!
Innovation (Score:5, Funny)
-Peter
would it be so difficult (Score:2, Insightful)
Yes, it would. (Score:5, Insightful)
a) Why should Joe Newbie Windowsbuyer be expected to KNOW that he needs to change the permissions on the host file from the install defaults?
b) If he can do it, he can UNdo it, and so can the bad guy's script.
c) How many OTHER holes would he have to fix? Thousands? Tens of thousands? (Remember, he only has to miss ONE.)
Re:Yes, it would. (Score:2)
I believe the grandparent meant "would it be so difficult for Microsoft to set the file attribute on the hosts file to read only".
However your other points are valid.
Re:would it be so difficult (Score:2)
Well... (Score:3, Interesting)
Re:Well... (Score:4, Funny)
Re:Well... (Score:2)
Good luck (Score:2)
Doesn't work on my XP box (Score:3, Informative)
A R C:\WINDOWS\system32\drivers\etc\hosts
I've got it set so only administrators can unset this flag.
This means
1) I'd have to run IE as administrator
2) the script would have to change the permissions before doctoring the script
First though it'd have to get past my spyware- and other-nasty- blockers
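A defender-side check for the hosts-file tampering discussed in this thread, as an added example that is not from any of the original posts: it parses hosts-file text (the format of C:\WINDOWS\system32\drivers\etc\hosts or /etc/hosts) and flags entries that map a hostname to anything other than a loopback or unspecified address, marking watch-listed domains such as banks as high severity. The watch-list and the sample hosts contents are constructed for the example.

```python
"""Detect hosts-file entries that hijack sensitive domains (added example)."""
import ipaddress
from typing import List, Tuple

# Constructed watch-list; a real deployment would list the domains the
# organisation actually cares about (banks, SSO, mail providers).
WATCHLIST = {"bank.example", "login.bank.example", "onlinebanking.example"}

# Constructed sample in the format of C:\WINDOWS\system32\drivers\etc\hosts
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      build.internal.example   # legitimate intranet host
198.51.100.7    bank.example www.bank.example   # planted by a script
0.0.0.0         ads.tracker.example  # ad-blocking entry, benign
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) for each non-comment, non-empty line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: no hostname, ignore it
        entries.append((parts[0], parts[1:]))
    return entries


def is_benign_address(addr: str) -> bool:
    """Loopback or unspecified targets cannot redirect traffic to a third party."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not a parseable IP at all: treat as suspicious
    return ip.is_loopback or ip.is_unspecified


def find_hijacks(text: str, watchlist=WATCHLIST) -> List[Tuple[str, str, str]]:
    """Return (hostname, address, severity) for every suspicious mapping.

    severity is 'high' when a watch-listed domain (or a subdomain of one)
    points at a non-benign address, otherwise 'review'.
    """
    findings = []
    for addr, names in parse_hosts(text):
        if is_benign_address(addr):
            continue
        for name in names:
            n = name.lower()
            watched = any(n == w or n.endswith("." + w) for w in watchlist)
            findings.append((n, addr, "high" if watched else "review"))
    return findings


if __name__ == "__main__":
    for host, addr, sev in find_hijacks(SAMPLE_HOSTS):
        print(f"[{sev}] {host} -> {addr}")
```

Run it against the real file by reading it into `find_hijacks`; any 'high' finding on a machine that should have no custom entries is worth treating as a compromise indicator.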
Use a browser for mail: Get what you deserve (Score:3, Insightful)
Very recently some joker in France sent me a worm that prevented me from reporting the abuse. The solution was simple: Delete the worm, restart mutt and mail it to abuse@wanadoo.fr. (Personal note: Wanadoo sounds like wannabe, they are little known among 'my crowd' and somewhat of a worry. This is not intended as a put-down of the French!) So the moral here is simply if you use Unix, call it *BSD or Linux, you may not be 100% safe, but certainly safer than using Outlook which should be called "Lookout".
Zero-click exploits seem hardly new to me. Aren't most exploits, at least in the past, done without the victim being immediately aware? This is from the computer-literate camp.
To Virus and Trojan writers (Score:3, Insightful)
for those who don't know what WSH is - like me (Score:4, Informative)
Windows Script Host (WSH) is a Windows administration tool.
WSH creates an environment for hosting scripts. That is, when a script arrives at your computer, WSH plays the part of the host -- it makes objects and services available for the script and provides a set of guidelines within which the script is executed. Among other things, Windows Script Host manages security and invokes the appropriate script engine.
WSH is language-independent for WSH-compliant scripting engines. It brings simple, powerful, and flexible scripting to the Windows platform, allowing you to run scripts from both the Windows desktop and the command prompt.
Windows Script Host is ideal for noninteractive scripting needs, such as logon scripting, administrative scripting, and machine automation.
WSH Objects and Services
Windows Script Host provides several objects for direct manipulation of script execution, as well as helper functions for other actions. Using these objects and services, you can accomplish tasks such as the following:
* Print messages to the screen
* Run basic functions such as CreateObject and GetObject
* Map network drives
* Connect to printers
* Retrieve and modify environment variables
* Modify registry keys
Where Is WSH?
Windows Script Host is built into Microsoft Windows 98, 2000, and Millennium Editions. If you are running Windows 95, you can download Windows Script Host 5.6 from the Microsoft Windows Script Technologies Web site (http://msdn.microsoft.com/scripting).
Note: You can also go to the web site listed above to upgrade your current engines. The version of WSH in Windows 98, 2000, and Millennium Editions is either version 1.0 or 2.0. You must upgrade to version 5.6 to get the new features.
WHost and XP are integrated like IE and XP. (Score:5, Informative)
That's like saying, "this will only affect users who have not yet switched to Linux or MacOS."
I would say that a good 98% of installations have WSHost enabled. Those that are SP2 or up to date might have the latest MS patch that I believe sets a kill bit on the Internet Explorer side of WSHost scripting under all circumstances.
This is also not really anything new. Spy and adware companies have been manipulating hosts files now for at least a year, no doubt phishers have done exactly the same thing, this is just the first reported time of it happening.
One thing you have to keep in mind is that several so-called security experts are very bright individuals but succumb to what some call: media-whoring. This is a specific instance of "media-whoring" by MessageLabs. Let me explain my proof of this: they use ASP and IIS as opposed to something like PHP and Apache.
They are obviously not very concerned about legitimate security. There's a website that keeps track of the media fanatics: http://www.vmyths.com/
The site is run by a guy who has over a decade of solid security experience. He knows when there is something legit to worry about, and he knows when something is hype.
I suppose the best way to know is years and years of experience. If you read a lot of the security mailing lists, you'd be under the impression that the world was about to revert back to the stone age with the security threats.
But the reality is, a huge number of idiots exist that love to overhype the security risks when it comes to viruses and worms like "I Love You" and "Sasser". Most of us know when there is going to be a big problem, but there are a huge number of others that like to spread false info.
There are others, like Mikko Hypponen of F-Secure that don't sell media hype, they sensationalize the truth. Yes, there have been instances of zombie-net owners selling their networks to spammers, but I have yet to actually see the sales, and I've been running a honeypot for well over a year now and track nearly a dozen different botnet herders.
For the most part, it looks like botnetting is still used for two things: Americans (North and South America) for file sharing/FXPing, and Germans for DDoSing. The Russians who have been spamming have been using IE exploits and web controls, not so much IRC connections. Thus, they cannot be truly considered "botnets".
Just secure windows and this wont be a problem! (Score:3, Informative)
This guide explains how to keep your damn computer from being stupidly compromised:
Simple and easy ways to keep your computer safe and secure on the Internet [bleepingcomputer.com]
Also here's a tutorial for switching from IE to Firefox:
Switching from Internet Explorer to Firefox [bleepingcomputer.com]
How effective is changing the HOSTS file... (Score:2, Insightful)
Maybe the next generation of home ADSL routers would have one in their firmware and tout it as a "security feature"?
Microsoft: PLEASE back out of this design... (Score:3, Insightful)
If only Microsoft would back out of this insistence on making the browser a completely general web applications framework with the ability to provide full access to local resources.
Microsoft: split the HTML rendering engine out of the web client components, and get rid of the "security zones" hacks. You've been trying to come up with a design that lets you do this safely for over seven years now, and never succeeded in holding off attackers for more than a few weeks at the most... it's time to admit that even all the brilliant people at Microsoft (and you have some bloody amazing blokes over there) won't be able to make it work. Please consider that you may have been mistaken.
Why is this considered phishing? (Score:3, Insightful)
Microsoft doesn't get it (Score:2)
No regular user should ever need write access to the hosts file. That's the way Linux works by default. If you do need to modify it, you probably are root anyway.
To allow ordinary users to edit the hosts file is stupid, but to allow some random person on
Reminds me of Autoexec.bat attacks (Score:2, Interesting)
When I was younger, I used to write little batch files that would mess up my friends' autoexec.bat file. I would give them a game on a disk, and then tell them to play the game they had to type go (go.bat). The batch file would then back up their autoexec.bat file and replace it with my tampered version. Then when they rebooted their computer, blammo.
I would have it execute GW-BASIC programs that would continuously loop "your computer is screwed", or that would just bleep out sounds from the PC speaker. I
More information please (Score:5, Insightful)
1) What e-mail applications are vulnerable (can I get this through web-based mail)?
2) What can be disabled to prevent this? Scripting? Active-X?
3) Is a patch on the way?
That article is pretty crummy.
Zzzzzzzzz (Score:3, Funny)
Patented (Score:3, Funny)
This should not be a problem (Score:3, Insightful)
Not a problem (Score:3, Interesting)
This also doesn't affect anyone using SP2 either.
Move along, another already patched Microsoft vulnerability.
Re:Law enforcement? (Score:2, Funny)
Re:Law enforcement? (Score:2)
They've started: The Federal Trade Commission has filed suit [zdnet.com] against Sanford Wallace, and U.S. District Court Judge Joseph DiClerico Jr. granted a temporary restraining order [com.com] - ruling that Wallace and his businesses must refrain from exploiting Internet security vulnerabilities.
Re:Law enforcement? (Score:2, Insightful)
What's so hard to believe? When they spend $200 billion to bomb the living fuck out of a country, they have a reason. It's called cronyism. Halliburton, oil infrastructure companies, and military contractors get a big-ass portion of that $200 billion.
When Halliburton c
Re:Law enforcement? (Score:3, Insightful)
Yeah, especially when those fraudulent jerks are outside of the US.
Wait a second...
Re:Law enforcement? (Score:3, Insightful)
Re:Hosts file should be Read Only (Score:4, Informative)
Re:Hosts file should be Read Only (Score:2)
Set up an administrative and a user account, lock down Windows (tools for that are included on the resource kit CD) and a script running for the user will not be able to clobber hosts files, install spyware, infect the system with viruses, etc.
When will Windows people learn from Linux?
Re:*pats his Mac on the head* (Score:2, Insightful)
(sorry, i have the post election annoyed by everything syndrome)
Re:*pats his Mac on the head* (Score:2)
I'll go back to IRC and stop talking shit on
I'm going for the troll, but this needs to be said (Score:2)
Re:Where Are the Microsoft Shills? (Score:2)
There's not a lot wrong with Windows Script Hosting, as long as no other shite on your system lets somebody else run scripts without your permission.
Re:Where Are the Microsoft Shills? (Score:2)
and there's not a lot wrong with an unstable SUV that's easy to flip over and kill the passengers as long as those SUVs aren't driven in an "unsafe" manner...
did you ever think that requiring "no other shite (sic) on your system (that) lets somebody else run scripts without permission" is what's "wrong" in "not a lot wrong"? it's like "it's in perfect c
Re:What about the certificate? (Score:3, Insightful)
Plus I'll agree that I doubt many people check that the lock (or key or whatever) says it is encrypted. Part of the reason I have my browser set to tell me every time I enter (or leave) an encrypted site.