Recently in Phishing Category

Malware to defeat virtual keyboards


Banking Trojan Captures User's Screen in Video Clip

A good write-up and video of malware designed to capture information from users using virtual keyboards.

It's just another indication that banks and other E-Commerce sites will need to come up with something more robust if they really want to make phishing impractical for attackers...

Personally I'd be interested to try a combination of RSA SecureID and Intrusion detection/prevention.

It works like this. The SecurID forces an attacker to do an in-line attack 'cause they've only got a less than 60 second window to use the credentials successfully, and this should increase the visibility of the traffic patterns. For example if you've got 10 users who've always come from different UK based IP addresses in the past, and suddenly they're all coming from the same non-UK based IP address, then that could be a good time to block the session.

It would be difficult to tune, but I think once you'd baselined users it would be possible to build up a reasonable enough pattern to allow for some form of anomaly detection.
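A sketch of the baseline check described above, as an added example rather than code from the original post: it flags a source address that is out of pattern for several users at once. The function names, the `min_users` threshold, the sample records and the GeoIP-derived country labels are all assumptions.

```python
from collections import defaultdict

# Constructed sample data. Country codes are assumed to come from a GeoIP
# lookup at login time ("ZZ" is a placeholder for any non-UK country);
# the addresses are documentation ranges.
HISTORY = [  # (user, source_ip, country) for past successful logins
    ("alice", "192.0.2.10", "GB"), ("alice", "192.0.2.11", "GB"),
    ("bob", "198.51.100.7", "GB"),
    ("carol", "198.51.100.90", "GB"),
    ("dave", "192.0.2.200", "GB"), ("dave", "203.0.113.9", "FR"),
]
NEW_LOGINS = [
    ("alice", "203.0.113.50", "ZZ"),
    ("bob", "203.0.113.50", "ZZ"),
    ("carol", "203.0.113.50", "ZZ"),
    ("dave", "203.0.113.9", "FR"),   # dave has used this address before
    ("alice", "192.0.2.12", "GB"),   # new address, but a familiar country
]

def build_baseline(history):
    """Map each user to the IPs and countries seen in past logins."""
    baseline = defaultdict(lambda: {"ips": set(), "countries": set()})
    for user, ip, country in history:
        baseline[user]["ips"].add(ip)
        baseline[user]["countries"].add(country)
    return baseline

def shared_anomalous_sources(baseline, logins, min_users=3):
    """Return {ip: sorted users} for source IPs that are out of pattern
    (unseen IP and unseen country) for at least min_users distinct users."""
    by_ip = defaultdict(set)
    for user, ip, country in logins:
        seen = baseline.get(user)
        if seen is None:
            continue  # no baseline yet: cannot judge this user
        if ip not in seen["ips"] and country not in seen["countries"]:
            by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in by_ip.items()
            if len(users) >= min_users}

if __name__ == "__main__":
    hits = shared_anomalous_sources(build_baseline(HISTORY), NEW_LOGINS)
    for ip, users in hits.items():
        print(f"block sessions from {ip}: out of pattern for {users}")
```

Raising `min_users` trades missed relays for fewer false positives from shared proxies or mobile gateways, which is the tuning difficulty the post mentions.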

2-Factor Auth in banking Attacked


Security Fix - Brian Krebs on Computer and Internet Security - (washingtonpost.com)

Post about a MITM attack on Citibank's two-factor authentication system. The relaying of error messages from Citi by the attacker is a nice touch as it makes it seem a lot more legitimate...

Well not really a surprise that the attackers have worked this out. Of course it's slightly easier to detect/shut down as they have to do the attack in real-time as opposed to gathering the credentials and then using them at their leisure, which can happen with standard phishing.

Still, goes to show that there's more work needed to be done on this.

noooooooo.


Schneier on Security: Impressive Phishing Attack

Wow, phishers with genuine SSL certs, issued by certificate authorities that are installed, by default, in every browser on the planet...

Just goes to show, when there's money involved the criminals will evolve and get real smart real quick...

As to the SSL cert providers' assertions that they rigorously check SSL cert applications... well yeah.

First one's the story that Phishing scam forces NatWest services offline - vnunet.com. What I find somewhat odd about this is that they took the step of disabling some functionality on their site...

They must have had quite a few of these scams by now and I find it hard to believe that they're disabling parts of their websites every time they get hit, as that would seem a bit like a self-imposed Denial-Of-Service...

Another story about how some customers are dealing with phishing here. Basically the guy in this story is blanket deleting mails looking for personal info. Seems like a sound idea to me!

Personally I think that standard SMTP e-mail is just about dead as a Business to Consumer communication method. Between SPAM, phishing and malware there's no way consumers and home users are going to keep using this. Really companies should not have been using what has always been a really insecure mechanism to communicate with their customers.

The thing is though, it's REALLY cheap compared with most other forms of communications (notably this is what the spammers depend on as well to make money) so they've been very reluctant to stop.

My expectation is that they will have to find some way to clearly and securely provide communications with their customers to bridge the gap left by E-Mail. Not that that's an easy problem to solve...

There's an article over at InfoWorld looking at the various measures that companies have been using to try and mitigate the current rising trend in phishing attacks.

My money's on server-based mitigations as opposed to client-based ones (like the anti-phishing toolbars mentioned in the article). There are several good reasons for this.

1. Companies don't and won't control the client environment, so they're not in a good position to dictate the client environment. Also given the current trend in spyware and viruses, there's no way companies can place trust in a client-based solution.

2. There are literally millions of clients out there which would need to be "fixed" to make a solution work, but for each company there is only one location that needs fixed...

Personally my money's on the deployment of 2-factor authentication like SecurID. Most banks already use it internally, the main reason it hasn't been deployed for customers is cost... well if phishing starts placing a significant cost on the banks, then suddenly it starts being much more viable to deploy....

Of course there are some more complications involved as SecurID can still be vulnerable to a MITM attack, but it would still be a great step forward.....

There's an article about a MasterCard program which combats phishing. I've got to say that I'm not that impressed by this kind of approach to combating phishing.

If what's in the article is accurate it basically amounts to looking through content from the entire Internet for potential phishing scams and then shutting them down when they're found..... This approach just strikes me as far too reactionary and prone to missing things. I would expect that currently a phishing scam will make most of its money in the first 24 hours of its operation and I'll be a little surprised if MasterCard's approach will be effective in shutting down these scams in that time frame.

There are other ways to combat this kind of attack (I linked to one before). Another option would be 2-stage authentication by the service provider, where the user enters initial credentials, then the site responds with a secret (be it a phrase, word or fact about the user's account) and asks for a secondary authentication. In this model the phisher will be able to get the initial credentials but will have a significantly lower rate at getting the secondary ones (of course some social engineering would still get some credentials out of people I'm sure).

Personally I think that this kind of system, or more probably, some form of 2-factor authentication will be the best way to combat these attacks. If running around stomping on sites as they popped up worked well, I'm sure we'd have considerably less SPAM and viruses doing the rounds......


About this Archive

This page is an archive of recent entries in the Phishing category.
