
The Evolution of the Phisher

CmdrTaco posted more than 9 years ago | from the we-got-a-live-one-here dept.

Security 278

gurps_npc writes "An article at CNN discusses how Phishers have moved beyond the typical email scam. Last month, Secunia (Danish security firm) documented a case where a phisher somehow modified a windows host file so that when you type in the correct url in the address, it redirects you to the phisher site. Worms and spyware are being built for the purpose of phishing, and it is also believed that phishers are attempting to compromise domain name servers. If one of these goes down millions could lose their security instantly, even if they themselves have maintained the security of their computers."

timmyshow@hotmail.com (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11424687)

Try phishing me, I won't fall for it!

timmyshow@hotmail.com

Re:timmyshow@hotmail.com (1, Informative)

Anonymous Coward | more than 9 years ago | (#11424815)

"Somehow modified the windows hosts file."

Yes, that's pretty clever of them. Nobody would think of that. It's pretty hard to do. You will need extensive knowledge of a fucking text-editor.

Seriously, where is the news?

Certificates changed? (5, Insightful)

wdd1040 (640641) | more than 9 years ago | (#11424696)

And this is when users need to actually read the warnings about certificates being different than the last time accessing the site...

Again, if common-sense is used, 99% of phishing can be stopped.

Re:Certificates changed? (2, Insightful)

gurps_npc (621217) | more than 9 years ago | (#11424728)

And when you are using a new computer that has never logged onto that account....

Re:Certificates changed? (0, Troll)

Jarn_Firebrand (845277) | more than 9 years ago | (#11424752)

Wow, this is one of the stupidest things I have ever heard. If it is a new computer, then it is NEW. Meaning nothing could have been edited. Think before you open your mouth, next time. Or, in this case, touch your keyboard.

Re:Certificates changed? (3, Informative)

LithiumX (717017) | more than 9 years ago | (#11424807)

Not very familiar with the threat level against XP?

I've tested this myself. Put up a fresh brand new install of XP. Before I could even start patching it, I had worms homing in. I think the record so far (not for me but for another article here) is 45 seconds from first boot.

By the time you get around to hitting your bank records, you're already hit. If it's a brand new computer, unless it's fully patched and defended against these specific threats, you would likely already be hit long before you browsed your first site, let alone a critical one.

Think before you flame.

Re:Certificates changed? (3, Interesting)

Jarn_Firebrand (845277) | more than 9 years ago | (#11424881)

That's why you have all the stuff you need to patch it on a floppy/CD/flash drive, and don't have it connected to the internet right away. Common sense. Okay, maybe not common sense to most people.

Re:Certificates changed? (1)

QuijiboIsAWord (715586) | more than 9 years ago | (#11424973)

Actually, not actually POSSIBLE to most people, especially anyone buying their first computer (as happened to one of my relatives).
It's a chicken/egg question. How are people with new computers supposed to GET the patches without connecting to the internet first? Or even find out said patches exist? Granted, computers shouldn't be sold without the latest patches already installed, but the fact is THEY ARE. Walk into Best Buy, and they'll let you walk out the door with a factory stock unpatched e-machine, without saying a word (as long as you've paid for it that is.)

Re:Certificates changed? (2, Funny)

wertarbyte (811674) | more than 9 years ago | (#11425053)

That's why you have all the stuff you need to patch it on a floppy/CD/flash drive, and don't have it connected to the internet right away. Common sense. Okay, maybe not common sense to most people.

No, that's why i don't have that windows stuff on my computers. Common sense. Okay, maybe not common sense to most people. ;-)

Re:Certificates changed? (0)

Anonymous Coward | more than 9 years ago | (#11424888)

This story has turned into a kind of urban legend.

Your system will not become infected, even if you leave it on for weeks.

Re:Certificates changed? (0)

Anonymous Coward | more than 9 years ago | (#11425015)

Sure, if you're running Service Pack 2 with the firewall on. Any older version and you're lucky if you get 10 minutes before you're infected with who knows what.

Re:Certificates changed? (1)

gurps_npc (621217) | more than 9 years ago | (#11424839)

Not only did I read the article, I happen to be the guy that posted it.

And if you were smart enough to have read my post you would have seen the line about DOMAIN SERVERS being attacked and how this means they do not have to have edited anything on your computer.

Next time, before you call something stupid, think "Maybe Jarn has no idea what everyone else is talking about".

Re:Certificates changed? (1)

liquidpele (663430) | more than 9 years ago | (#11425105)

I've thought about what an anti-phishing plugin for firefox would do, and I've come up with a few things I think could work...

First have a blacklist of sites/IPs that could be updated constantly on a server somewhere. For all other sites, if the site has basic keywords/image comparisons/etc that can be used to label it a banking site, the do a reverse domain lookup from the IP and then check the OS of the IP. If it's not running BSD, Linux, Windows Server/NT4, etc, then assume it's a home windows computer that is hacked and warn the user....

Anyone know of other ways to catch these pages?

Re:Certificates changed? (1)

Jeremi (14640) | more than 9 years ago | (#11424900)

Wow, this is one of the stupidest things I have ever heard. If it is a new computer, then it is NEW. Meaning nothing could have been edited.


That's another one of those things that used to be true, before the magic of Windows made it otherwise. Remember "you can't possibly get a virus just by reading your email"? These days it is very possible to have your brand-new Windows system compromised within a minute or two of connecting to the Internet, whether you've done anything else or not.


Think before you open your mouth, next time. Or, in this case, touch your keyboard.


I trust next time you will follow your own advice? ;^)

Re:Certificates changed? (2, Interesting)

ReverendLoki (663861) | more than 9 years ago | (#11424908)

Wow, this is one of the stupidest things I have ever heard

Then you must not get out much. As they were talking about a DNS becoming compromised such that even secured systems become redirected, your argument makes absolutely no sense. It's akin to saying that since your new car has just come off the showroom floor, it should be entirely unaffected by that bridge out ahead.

For further instructions, consult own advice.

Re:Certificates changed? (1)

JaseOne (579683) | more than 9 years ago | (#11424860)

It doesn't matter, there is no way for a phisher to get a valid certificate for any bogus domains they set up, however they end up doing it.

They won't be able to get a signed certificate, so the check to see if it is signed by a trusted source will always fail, and it is also possible that the check to see if the domain matches the current address could fail.

Re:Certificates changed? (3, Interesting)

statusbar (314703) | more than 9 years ago | (#11425032)

I haven't tried this, but I heard that it is possible to create an un-signed certificate set to use 'plaintext' encryption which most web browsers will not complain about. No encryption is done and no signature is possible or required.

Does anyone know if that is correct? If so, then this is a possibility.

--Jeff++

Re:Certificates changed? (4, Insightful)

x.Draino.x (693782) | more than 9 years ago | (#11424732)

You fail to realize that the typical user doesn't even know what those certificates are for. The Slashdot crowd is probably safe for the most part, but are your parents?

Re:Certificates changed? (4, Funny)

silicon-pyro (217988) | more than 9 years ago | (#11425112)

The parents of the slashdot crowd are behind a secure proxy located in the basement. They just call us up and ask us if it's ok to proceed.

Re:Certificates changed? (0)

Anonymous Coward | more than 9 years ago | (#11424734)

But even if 1% succeeds, it is still a major problem.

Re:Certificates changed? (4, Insightful)

Jedi Alec (258881) | more than 9 years ago | (#11424769)

common sense? is there such a thing? you know you shouldn't stick your fingers in the nice bright fiery thingy because either someone told you stringently not to or you tried it once and got burned. to the majority of webusers out there most of this information is as understandable as a description of the precautions that need to be taken before summoning Cthulhu. if someone went out and started changing the signs near highway offramps, and you've never been in the area, will common sense tip you off?

Re:Certificates changed? (1)

blueZhift (652272) | more than 9 years ago | (#11424824)

Hmmm. If stuff like this starts happening enough, the average user will just stop using the net. Just like people won't go wandering into a bad or dangerous neighborhood no matter how good the restaurants may be, many people will simply stop using the net if the scams, worms, and viruses continue to mount. This has significant economic consequences and consequences for individual freedoms as the government attempts to combat the problems.

Admittedly, the net is used for a lot of things that people may not be directly aware of. But as far as Joe user in front of a PC goes, if the craziness continues to escalate, he'll stop using the PC on the internet and go back to watching TV.

Re:Certificates changed? (4, Insightful)

Anonymous Coward | more than 9 years ago | (#11424837)

You lost me.

Say I usually go to site A to do my banking. And I have a trusted security certificate for that site.

I get infected with one of these phishing worms which alters my host file so that whenever I type out the URL to site A, I get the IP address to site B.

I inadvertently go to site B. Site B doesn't require a security certificate. When would I get a warning about "incorrect" security certificates? As opposed to "expired" or "missing" certificates?

Or better yet, these phishing worms pre-install their security certificate at the same time they hack my hosts file. When would I get a warning? As far as my web browser is concerned, I'm going where I intended to go.

I think your solution solves the wrong problem.

Re:Certificates changed? (1)

ComputerSlicer23 (516509) | more than 9 years ago | (#11424867)

Yes and no. Remember, they control the DNS, they wrote to the /etc/hosts (wherever it is they bury that on windows, c:\windows\system32\hosts if I remember correctly) files. How long until they add a file to your cert list, so it looks like a trusted host when you go to their site?

Besides all that, I'm fairly sharp about my security, and I know most of the fundamentals of the math behind it, and I wouldn't be shocked if my bank switched SSL keys because their old one just expired. Imagine the bedlam that would ensue if everyone did freak out, just because a key had changed.

Now, if they hijack a DNS server, or break into Verisign and get the secret key they are in (or more likely, one of the smaller SSL Key providers that have default keys on Microsoft IE installs).

I don't remember the exact details of how you use the certs on your desktop machine; if at any point you have to connect to Verisign, they have you. They control the IP where you believe Verisign is located. The trick will be you having to establish cryptographic trust of files you use, and every bit of information between you and completing the transaction. If they are able to control any stage of the transaction, they can wreak havoc on you.

Kirby

Re:Certificates changed? (2, Interesting)

Rorschach1 (174480) | more than 9 years ago | (#11424936)

It's bad enough that most users have no clue to begin with, but you should try working within the DoD. Or maybe it's just the Air Force that's so screwed up. But they've been pushing so hard on a poorly-implemented PKI plan that all their users are now conditioned to automatically accept invalid, expired, or untrusted certificates dozens of times per day to get their jobs done.

Enablement... yeah, that's a perfectly cromulent word...

Re:Certificates changed? (1)

SiliconEntity (448450) | more than 9 years ago | (#11424945)

And this is when users need to actually read the warnings about certificates being different than the last time accessing the site...

What are you talking about? There is no such warning that I am aware of. I don't believe IE caches certificates and compares them with the last time you accessed a site. The only program that does this is ssh, which is hardly end-user material.

What will happen instead, if the DNS were to be hacked, is that the site will be UNABLE to come up with a valid certificate on the DNS name it has stolen. If someone could hack and redirect paypal.com to their own site, they still wouldn't be able to offer a signature on a key named "paypal.com" with a certificate from a trusted issuer. The only certificate they could offer would be maybe a self-signed one, in which case you will get a warning. But it won't say that the certificate has changed, it will say that it is a bogus-looking certificate. That ought to alert people that something is wrong.
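The ssh-style "has this site's certificate changed since last time" check the post says browsers lack, written here as an added example (not the poster's code and not any browser's implementation): a known_hosts-like pin store keyed by hostname and the SHA-256 fingerprint of the DER certificate, reporting first-seen, match, or changed. The hostname and certificate bytes are constructed stand-ins, not real DER.

```python
import hashlib
import ssl


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate, ssh-style."""
    return "sha256:" + hashlib.sha256(der_bytes).hexdigest()


class PinStore:
    """A known_hosts-style store: one 'hostname sha256:<hex>' line per host."""

    def __init__(self, text=""):
        self.pins = {}
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            host, fp = line.split()
            self.pins[host.lower()] = fp

    def check(self, host, der_bytes):
        """Return 'first-seen' (and record the pin), 'match', or 'changed'.

        A 'changed' result never overwrites the stored pin: a new leaf from a
        trusted issuer, a self-signed cert, or a cert chained to a freshly
        inserted root all look the same here, and the user decides what to do.
        """
        host = host.lower()
        fp = fingerprint(der_bytes)
        stored = self.pins.get(host)
        if stored is None:
            self.pins[host] = fp
            return "first-seen"
        return "match" if stored == fp else "changed"

    def dump(self):
        """Serialize in the same line format the constructor parses."""
        return "".join("%s %s\n" % kv for kv in sorted(self.pins.items()))


def fetch_der(host, port=443):
    """Live lookup helper (network; not used by the offline demo below)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


# Constructed stand-ins for two different DER certificates (not real ASN.1).
CERT_A = b"constructed-der-bytes-for-cert-A"
CERT_B = b"constructed-der-bytes-for-cert-B"


def demo():
    """Walk the three outcomes: first visit, repeat visit, swapped certificate."""
    store = PinStore()
    first = store.check("www.examplebank.test", CERT_A)
    again = store.check("www.examplebank.test", CERT_A)
    # Reload from the serialized form, as a client would on its next start,
    # then present a different certificate for the same (case-folded) name.
    reloaded = PinStore(store.dump())
    swapped = reloaded.check("WWW.ExampleBank.test", CERT_B)
    return first, again, swapped


if __name__ == "__main__":
    print(demo())
```

Legitimate key rotation also reports "changed", so this is an alarm to investigate, not a verdict.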

Re:Certificates changed? (1)

DA-MAN (17442) | more than 9 years ago | (#11425123)

What will happen instead, if the DNS were to be hacked, is that the site will be UNABLE to come up with a valid certificate on the DNS name it has stolen. If someone could hack and redirect paypal.com to their own site, they still wouldn't be able to offer a signature on a key named "paypal.com" with a certificate from a trusted issuer. The only certificate they could offer would be maybe a self-signed one, in which case you will get a warning. But it won't say that the certificate has changed, it will say that it is a bogus-looking certificate. That ought to alert people that something is wrong.

That assumes that you have the site bookmarked or go to https://url/

There will be no warning if the user goes to http://www.site.com/ and clicks on the login button as most users do. As a geek I know to check for the lock in my browser when I am surfing sites, most users don't know any better.

In addition, if the spyware can change your hosts file it's only an extra step to insert a new root cert that would automagically trust https://www.site.com/.

The evolution of the Phisher... (0, Funny)

Anonymous Coward | more than 9 years ago | (#11424709)

...took an important turn once Native Americans discovered smoking "cannabis" herb.

Re:The evolution of the Phisher... (0)

Anonymous Coward | more than 9 years ago | (#11424808)

Umm, how is this flamebait? Silly mods!

and this is accomplished how? (0, Troll)

ChipMonk (711367) | more than 9 years ago | (#11424711)

Oh, that's right, Windows' nearly non-existent privilege system!

Go ahead and whine about how much better traditional Unix privileges could be. It's still better than nothing, which is what most Windows desktops have.

Re:and this is accomplished how? (4, Insightful)

ImaLamer (260199) | more than 9 years ago | (#11424825)

I was going to mod you off topic...

But I'll bite - attacks on DNS servers will direct everyone to the wrong site, Windows, Linux, UNIX, and Amiga users.

Sorry.

Re:and this is accomplished how? (1)

Aeiri (713218) | more than 9 years ago | (#11424993)

He wasn't talking about that part of the article, he was talking about this part:

Last month, Secunia (Danish security firm) documented a case where a phisher somehow modified a windows host file so that when you type in the correct url in the address, it redirects you to the phisher site.

What he is saying is, you can't alter the permissions of the hosts file on windows, but with the Unix permission system, you could make the permissions be 644, owner root, and no regular user (or compromised program running AS a regular user) could alter that file.
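A defender-side check for the hosts-file redirection this subthread argues about, written as an added example (not from the article or any poster): it parses a hosts file, flags mappings for a constructed watchlist of financial hostnames, and on Unix reports whether the file deviates from the root-owned, non-writable permissions described above. The watchlist names and the sample hosts content are constructed.

```python
import os
import stat
import tempfile

# Constructed watchlist: hostnames that should never be statically mapped.
WATCHLIST = {"www.examplebank.test", "login.examplebank.test"}
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text.

    Handles '#' comments, blank lines, tabs, and several names on one line.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        for name in fields[1:]:
            yield line_no, fields[0], name.lower()


def audit_hosts(text, watchlist=WATCHLIST):
    """Return findings as (line_no, hostname, ip, severity, reason) tuples."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in watchlist:
            findings.append((line_no, name, ip, "high",
                             "watchlisted hostname is statically mapped; DNS is bypassed"))
        elif ip not in LOOPBACK and name not in LOCAL_NAMES:
            # LAN aliases are common and legitimate, so this is informational.
            findings.append((line_no, name, ip, "info",
                             "static non-loopback mapping; verify it is intentional"))
    return findings


def check_hosts_permissions(path):
    """Unix-only: report deviations from root-owned, mode 0644."""
    st = os.stat(path)
    problems = []
    if st.st_uid != 0:
        problems.append("not owned by root (uid %d)" % st.st_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group- or world-writable (mode %o)" % stat.S_IMODE(st.st_mode))
    return problems


# Constructed sample: a comment, two loopback entries, a LAN alias, and a
# phisher-style redirect of two bank hostnames to a documentation-range IP.
SAMPLE_HOSTS = """\
# sample header comment
127.0.0.1\tlocalhost
::1         localhost ip6-localhost
192.168.1.20   nas.home.lan            # legitimate LAN alias
203.0.113.7\twww.examplebank.test login.examplebank.test
"""


def permission_demo(mode):
    """Write SAMPLE_HOSTS to a temp file with the given mode and audit it."""
    with tempfile.NamedTemporaryFile("w", delete=False) as tmp:
        tmp.write(SAMPLE_HOSTS)
    try:
        os.chmod(tmp.name, mode)
        return check_hosts_permissions(tmp.name)
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
    print(permission_demo(0o666))
```

On a real system point audit_hosts at the contents of /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts; the permission check only applies on Unix.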

Re:and this is accomplished how? (1)

braindead (33893) | more than 9 years ago | (#11425079)

But I'll bite - attacks on DNS servers will direct everyone to the wrong site, Windows, Linux, UNIX, and Amiga users.

Yes, but that site won't have a cert, so you won't type in your account info because the little "lock" or "key" symbol will be missing. Hence clueful users of any operating system are protected against that attack.

Re:and this is accomplished how? (1)

tbase (666607) | more than 9 years ago | (#11424831)

Yeah, and if the DNS Servers are compromised, all your *nix security BS goes out the window. Even if your mother could use *nix, AND you could convince her to do it, AND she didn't have a Dell with Windows on it that she hides when you visit so she doesn't hurt your feelings, she'd still be vulnerable, and she's the one they're targeting, not you.

Re:and this is accomplished how? (1)

malfunct (120790) | more than 9 years ago | (#11424843)

If they hijack the DNS so that https://www.paypal.com actually goes to a site owned by the phisher but looks exactly like paypal, it doesn't matter what OS you are on, you will get scammed if you type in username/password to log on. I don't see a way to know that you are on the wrong site when it's DNS that sent you to the wrong place, unless you keep a list of valid paypal IPs and check the IP of the site you went to.

Re:and this is accomplished how? (0)

Anonymous Coward | more than 9 years ago | (#11424979)

> Oh, that's right, Windows' nearly non-existent privilege system!

Windows has a pretty extensive privilege system -- it's hardly ever used to its capacity, and tends to be subverted by users running as administrators. But it's a hell of a lot better than the crapola unix security system.

Old game (1)

psi42 (747491) | more than 9 years ago | (#11424716)

Exactly how is this different from password-harvesting trojans/viruses?


It's not like this is anything new.

Re:Old game (1)

FishBrain (769436) | more than 9 years ago | (#11424869)

It's becoming far more widespread and is so easy to fall prey to, so now all of us have to worry about it. If you're tech savvy you should be able to avoid getting caught, but grandma may not be that sharp, even if warned, and she's possibly got the most to lose.

Matthew 4:16-19 (5, Funny)

Anonymous Coward | more than 9 years ago | (#11424730)

Simon called Peter, and Andrew his brother, casting a net into the sea: for they were phishers. And he saith unto them, Follow me, and I will make you phishers of men.

Jesus p0wns you.

in case the site goes down.... (0, Funny)

Anonymous Coward | more than 9 years ago | (#11424733)

mirror here [freeipods.com]

oh, and don't let the lil /. linker helper thingy fool you...it's perfectly legit. just register and you'll see the site in seconds ;)

No more new made up words for things that exist (-1, Flamebait)

stratjakt (596332) | more than 9 years ago | (#11424738)

Spam - unsolicited advertisement. Not new, people have been jamming flyers under your door since they invented the printing press.

Phishing - tricking someone into divulging financial details/data under a false pretense. See confidence job. People have been getting conned for as long as we've had even the most primitive systems of trade.

Blog - dear diary, JoJo is so hot..

CmdrTaco - the thing you poo out of.

You know what I mean? No more made up new words. The existing words are more than cromulent in any situation.

Re:No more new made up words for things that exist (1)

Perl-Pusher (555592) | more than 9 years ago | (#11424889)

New words are continuously invented and have been since the dawn of spoken language, get over it.

Car - horseless carriage.

Phishing on Linux (4, Funny)

stecoop (759508) | more than 9 years ago | (#11424741)

Email:

Although I could have written a very complex and well written virus that probably wouldn't work on your operating system, I am asking you to reply with your account name, password and any other card numbers you might have.

I further ask that you forward this email message to all your friends and for that matter any one you don't know urging them to send me all your information.

Yours Truly,
Mr Phisher

Re:Phishing on Linux (1)

Martin71a (754125) | more than 9 years ago | (#11425091)

Do I need any special equipment for phishing on Linux or will my fly rod setup be ok? Are there any type of limits as far as size and number of phish? What type of license is needed and is it more expensive if I phish from a Windows OS? And are there any local guides that could help me find where the best phishing might be?

From TFA (1)

lucabrasi999 (585141) | more than 9 years ago | (#11424754)

"If you think of phishers initially as petty thieves, now they're more like an organized crime unit," said Paris Trudeau, senior product manager for Internet-security firm SurfControl.

Did I read that correctly?

A senior employee of an Internet Security firm used to think of Phishers as "petty thieves"? Maybe Paris Trudeau needs to find a new line of work.

Re:From TFA (1)

swb (14022) | more than 9 years ago | (#11424858)

Well, didn't phishing initially get its start as a small-time deal to snag AOL accounts?

After that it's largely a semantic debate as to what makes something an organized crime (2 guys working together?) and how many thousands you have to steal to not be petty.

Re:From TFA (2, Informative)

jephthah (681398) | more than 9 years ago | (#11425016)

IF you think of Phishers AS petty thieves ...

NOW they're MORE LIKE an organized unit.

it's called metaphorical comparison. It's an abstract logical tool.

But don't worry, Luca. In your late teens and early 20's, your brain will physiologically be more able to handle abstract concepts, and you will have to rely on concrete expressions less often.

Re:From TFA (0)

Anonymous Coward | more than 9 years ago | (#11425019)

Bad grammar/choice of words creates confusion

Probably should read
You may think of phishers as petty thieves, but rather they are more like an organized crime unit.

Re:From TFA (0)

Anonymous Coward | more than 9 years ago | (#11425081)

Your rewrite changes the meaning of the original sentence. The emphasis of the original statement is that phishers are more sophisticated now than they used to be in the past.

No, you didn't read it correctly, you idiot. (0)

Anonymous Coward | more than 9 years ago | (#11425097)

The senior employee was talking to the general public and how they may have viewed phishers in the past and how they should now view the phenomenon.

The passage you quoted said nothing of his own personal or professional views on the matter.

You. Fucking. Moron.

Re: Certificates Changed? (0)

Anonymous Coward | more than 9 years ago | (#11424760)

This implies that the average user has a clue about certs and what it all means...

It's not me I'm worried about... (1)

LithiumX (717017) | more than 9 years ago | (#11424764)

Any phishing of that type will result in a certificate error (assuming they don't do some heavy modding of your browser as well), which I can catch. But I'm sure most of us have parents who we've told the common "If you don't understand it say Ok" - ie not the safest thing in the world, but better than being called every 2 hours. Usually this works well, since even relative illiterates understand the idea of software being installed without them specifically wanting it, and can say no. But a certificate error? Quite a few people will shrug and click OK anyway. And moreover, what will this do to the economy, considering that suddenly a far greater level of financial intrusion will now be possible?

Re:It's not me I'm worried about... (1)

KingEomer (795285) | more than 9 years ago | (#11424791)

Is it possible for them to modify the certificate stored on your hard-drive? If so, then they shouldn't have to change the browser.

Re:It's not me I'm worried about... (1)

Twanfox (185252) | more than 9 years ago | (#11424935)

This tends to be one of those days that I'm thankful that my parents are not nearly as wired into the Internet as I am. They still pay their bills by check, buy just about everything at stores, and much of their information hardly ever reaches the Internet.

How weird to be saying "Thank You mom and dad for being averse to technology" as a geek and actually be praising them.

Anti-Phishing browser (1)

MindStalker (22827) | more than 9 years ago | (#11424767)

Ok Microsoft really needs to pick up the ball on this one. They need to make an extremely obvious security certificate key information display, such that when you log onto any "secure" website it pops up information about the key authority that can be understood by all. Then they need an expansive advertising campaign to tell users to look for these signs when entering confidential information, and not enter such information otherwise.

Of course then you would see popups that look identical to the key information; in fact I believe I've seen a fullpage website that implemented this trick before. So any ideas on what can be done outside of a box that sits next to your computer that displays said information?

Re:Anti-Phishing browser (1)

Spydr (90990) | more than 9 years ago | (#11424960)

YES. The real problem here is the usability of secure certificates. Even experienced web users get lost in the jumble of alerts that are near impossible to read unless you have a very solid understanding of what is going on.

Once these alerts are fixed up, maybe we could make it easier to install secure certificates in your e-mail clients so people can sign/encrypt their e-mails easier instead of having to read an encyclopedia on secure certificates and then find a certificate authority and then figure out exactly how to install it on your OS/e-mail client.

It's really ridiculous how difficult it is to do something that should be very simple by now.

Re:Anti-Phishing browser (0)

Anonymous Coward | more than 9 years ago | (#11425042)

Of course then you would see popups that look identical to the key information

This is why systems like PassMark [passmark.com] exist. If you really need to secure the channel all the way to the user's machine to establish the marks in the first place, then you're talking about something like Palladium, aren't you?

Physical tokens like a SecurID also defeat spoofing attacks, and issuing them is pretty much routine for European banks. The US lags behind in this area, as usual.

Evolution of the phish? (4, Funny)

drivinghighway61 (812488) | more than 9 years ago | (#11424777)

Everyone knows phish evolved into amphibians.

Re:Evolution of the phish? (1)

Sexy Bern (596779) | more than 9 years ago | (#11424965)

Amfibians, surely?

I blame christians... (1)

Anita Coney (648748) | more than 9 years ago | (#11424780)

Didn't Jesus say in Matthew 4:19 that if we follow him he'll make us phishers of men?

(Yeah, I know that was bad, but I just couldn't resist!)

Shouldn't it be.... (4, Interesting)

GillBates0 (664202) | more than 9 years ago | (#11424781)

phisherman.

Fishermen fish.
Phishermen phish.

It's not "Fishers fish".

Carrying the analogy further, IE becomes a "phishing net" and Windows becomes a "phishing boat". The intarweb may be viewed as the "ocean" and your average AOLer a dumb "phish". Smarter geeks could be viewed as smarter "dolphins".

Interesting, huh.

Re:Shouldn't it be.... (1)

rbarreira (836272) | more than 9 years ago | (#11424851)

No, the phishing net would be the spam programs + fake bank web sites...

Re:Shouldn't it be.... (1)

meringuoid (568297) | more than 9 years ago | (#11424952)

I am the Phisher King. I con pagans out of their PayPal accounts.

Re:Shouldn't it be.... (1)

SpongeBobLinuxPants (840979) | more than 9 years ago | (#11424996)

To carry your analogy out a little more... smarter geeks could be viewed as smarter "dolphins", which are not fish, or in this case "phish", but are mammals.

Re:Shouldn't it be.... (1)

Xtifr (1323) | more than 9 years ago | (#11425039)

> It's not "Fishers fish".

It's not?

From Webster's Revised Unabridged Dictionary (1913) [web1913]:

Fisher \Fish"er\, n. [AS. fiscere.]
1. One who fishes.
[...]

From WordNet (r) 2.0 [wn]:

fisher
n 1: someone whose occupation is catching fish [syn: {fisherman}]
[...]

From M-W online:

Main Entry: fisher
Pronunciation: 'fi-sh&r
Function: noun
1 : one that fishes
[...]

Anyway, what about fisherwomen, you insensitive, sexist clod? And did you know that the word "gullible" doesn't appear in any dictionary?

Re:Shouldn't it be.... (1)

Johnny_Law (701208) | more than 9 years ago | (#11425088)

Smarter geeks could be viewed as smarter "dolphins".

I think you misspelled "penguins".

DNS? Bah! (5, Funny)

saintp (595331) | more than 9 years ago | (#11424787)

it is also believed that phishers are attempting to compromise domain name servers. If one of these goes down millions could lose their security instantly, even if they themselves have maintained the security of their computers.
That's why only sissies and noobs use DNS. "Don't have to remember numbers," they cry. "Makes life easier," they whine. Hah! So does Gator! But I've got the upper hand now! My security won't be compromised while posting on 66.35.250.150, bitches.

Re:DNS? Bah! (0)

Anonymous Coward | more than 9 years ago | (#11424817)

Damn I wish I had some mod points. Somebody mod this man +5 funnytacular!

Mod Parent Up (1)

handy_vandal (606174) | more than 9 years ago | (#11424905)

That's why only sissies and noobs use DNS ... my security won't be compromised while posting on 66.35.250.150, bitches.
Damn I wish I had some mod points. Somebody mod this man +5 Insightful.

I scrolled down the posts, looking and looking for someone to address the problem of DNS compromise.

You nailed it, thus the +Insightful -- and throw in some +Funny, for good measure.

-kgj

Re:DNS? Bah! (1)

frostfreek (647009) | more than 9 years ago | (#11424921)

I hope you are using Lynx to browse, then, 'cuz those image hyperlinks to akamai will get you!

Re:DNS? Bah! (2, Funny)

saintp (595331) | more than 9 years ago | (#11425067)

Images? What the heck are you talking about? Oh brave new Internet that has such things in it!

dnssec (1)

martok (7123) | more than 9 years ago | (#11424994)

I am surprised dnssec, tsig et al haven't really taken. The technology's been around for some time in one form or another but hasn't been adopted by many if any tlds and the root zone. That should render DNS attacks ineffective for phishing attacks provided keys were properly secured.

Re:DNS? Bah! (0)

Anonymous Coward | more than 9 years ago | (#11425012)

That's great until the address legitimately changes. You _HAVE_ to be able to trust the DNS for the internet to work in the real world.

Re:DNS? Bah! (2, Insightful)

ziplux (261840) | more than 9 years ago | (#11425035)

What about sites hosted on virtual servers? You _need_ DNS for those sites to work, otherwise the server doesn't know what site you want.

Re:DNS? Bah! (1)

SpongeBobLinuxPants (840979) | more than 9 years ago | (#11425038)

In that case, could you please send your credit card numbers, dob, ssn, and mother's maiden name to spongeboblinuxpants@64.4.19.134?

Passwords updated (1)

BrGaribaldi (710238) | more than 9 years ago | (#11424800)

My question is who thinks that a message saying all your bank passwords need to be updated on one website is really from the bank. The bank won't even send your PIN and your ATM cards to you in the same envelope. They send them a week apart from each other. Now they're asking you to submit everything? At once? Who does that?

Re:Passwords updated (1)

gurps_npc (621217) | more than 9 years ago | (#11424885)

Part of the problem I was discussing is that the new phishers do not send you email. They just modify your hosts file / attack the domain name server and wait for you to log in normally. Many more people will fall for this.

Re:Passwords updated (2, Interesting)

MightyMartian (840721) | more than 9 years ago | (#11424887)

Let's be perfectly blunt. The average human being is functionally retarded. They're perfectly capable of being taught a few neat tricks like reading the newspaper or buying a member of the opposite sex a drink before groping them, but when it comes right down to it, about 95% of the species H. sapiens are gibbering morons who will refuse to listen to constant warnings about opening suspicious attachments, paying attention to certificate warnings, but will happily supply their credit card numbers to the first guy that comes along and says "We're from PayPal and we need to verify your account information".

I used to think something should be done about this, but since the average daft ninny who bought a computer from Big Ticket Computer Store is pretty much incapable or unconcerned about these matters, I figure what the hell! Let the scammers steal their money and their identities. People this idiotic and unwilling to learn even the rudiments of keeping themselves safe on the Internet deserve everything they get.

Everybody, remember all IPs (1)

nsasch (827844) | more than 9 years ago | (#11424820)

This is why we should all stop using DNS and just remember IPs for all our favorite sites. A nice feature for a browser or an extension would be to cache IPs and compare before connecting to a site. Imagine if the IP ever changed for a site, you would be asked immediately if you would like to continue. For sites like no-ip.com it could be annoying, but financial sites would instantly be known to have something wrong going on.

Re:Everybody, remember all IPs (1)

TigerNut (718742) | more than 9 years ago | (#11424942)

Cache them where? In the filesystem or in the registry? At a discoverable file or key location, presumably?
This would only be secure if the cache was secured using a secret key (i.e. using local serial number information that wasn't ever visible from the network a machine might be on).

Re:Everybody, remember all IPs (1)

Mercano (826132) | more than 9 years ago | (#11425030)

"For sites like no-ip.com it could be annoying, but financial sites would instantly be known to have something wrong going on." Problem, though: big sites tend to have web server clusters, with a different IP address for each mirroring box. Really big sites use some sort of geographic load balancing scheme, like akamai where you never know quite what you will get back from the DNS server. Do an nslookup on google some time to see.

Re:Everybody, remember all IPs (1)

yetdog (760930) | more than 9 years ago | (#11425089)

I love it. Maybe we could get a Firefox extension written for exactly this!

Simple cure (1)

Turn-X Alphonse (789240) | more than 9 years ago | (#11424842)

Banks need to start charging MS for all the money they have to "return" to customers after they get caught by a scam like this. It must be costing them millions and a lot of it is from people using Windows. I'm sure Bill would stick his thumb out and get moving if he had several million dollars in fines he can't pay in Windows 98 CDs.

Re:Simple cure (1)

ScentCone (795499) | more than 9 years ago | (#11424984)

Banks need to start charging MS

And if your ISP's name server or your border router or something not on your desktop is lying to you about a forward lookup on a trusted domain name? This doesn't even have to include SSL hacking, because most users will see the phish mail, and if they're typical people, see that the target URL is mybank.com and just go there, and suffer.

This ain't just an MS thing.

spyware problem: admin users v. regular users (1)

rjnagle (122374) | more than 9 years ago | (#11424847)

Wow! I had some spyware overwrite the windows etc/hosts file every time I rebooted, and I couldn't remove it. The solution (for me) was backing up the hosts file and surfing under a user account to prevent a similar kind of infection.

If admins can modify this file willy-nilly, then it could be a major problem for users who haven't bothered to create user accounts.

rj
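The hosts-file tampering described in the story and in the comment above can be spotted by reading the file itself. This is an added example, not code from the thread: it parses a constructed hosts file (the names mybank.example and paypal.example and the addresses are invented) and flags any non-loopback mapping, most severely when the name is one you use for banking or login.

```python
import ipaddress

# Constructed hosts file content (not a real capture): the stock loopback
# entry, a LAN entry, and an injected redirection of two bank-like names.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver.lan
198.51.100.23   www.mybank.example mybank.example
198.51.100.23   www.paypal.example
"""

# Names you type for money or login; adapt to the sites you actually use.
WATCHLIST = {"mybank.example", "paypal.example"}


def parse_hosts(text):
    """Yield (address, name) pairs, ignoring comments, blanks and junk lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address: malformed line, not a mapping
        for name in fields[1:]:
            yield addr, name.lower()


def audit_hosts(text, watchlist=WATCHLIST):
    """Return findings as (severity, address, name), in file order.
    'high'  : a watchlisted domain or subdomain pointed at a non-loopback address
    'review': any other non-loopback mapping (a stock file has only localhost)"""
    findings = []
    for addr, name in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            continue
        watched = any(name == d or name.endswith("." + d) for d in watchlist)
        findings.append(("high" if watched else "review", str(addr), name))
    return findings


if __name__ == "__main__":
    import sys
    # Pass the real file as argv[1], e.g. %SystemRoot%\System32\drivers\etc\hosts on Windows.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    for sev, addr, name in audit_hosts(text):
        print(f"{sev:6} {addr:15} {name}")
```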

DNS (1)

tommyth (848039) | more than 9 years ago | (#11424848)

I would be very concerned if someone who owns/runs a DNS server was not net-savvy enough to avoid phishing scams.

A few simple rules (1)

KiltedKnight (171132) | more than 9 years ago | (#11424876)

  1. Call your financial institution before even attempting to use the web. They generally have toll-free numbers, and major ones tend to have 24 hour customer service. Ask them if there really is a problem with your account, and if there is, ask them how to remedy it.
  2. If you run IE, shut it down and use Mozilla, Firefox, Netscape, Opera, or some other browser. If you don't want to go through the downloading, go into your internet preferences and disable ALL forms of ActiveX and VBScript.
  3. If it's an email claiming to be your bank or other financial institution and they ask you to click on a link contained therein, don't do it. Go to your web browser and type in the link manually.
  4. If you use Firefox, try installing something like SpoofStick [mozilla.org]

Sometimes, the simplest things you do can make all the difference whether your account gets compromised or not.

Re:A few simple rules (1)

malfunct (120790) | more than 9 years ago | (#11424940)

I think the DNS attacks they are talking about in the article may trick even SpoofStick, as the domain your browser went to really was the site you thought you went to. It's just that DNS (or your hosts file) gave you a bogus IP for that domain which sent you to a phisher's server. Your browser really does think it went to "https://www.paypal.com", for example.

Re:A few simple rules (1)

KiltedKnight (171132) | more than 9 years ago | (#11425049)

Unfortunately, unless you run your own DNS server, there isn't much you can do about DNS server attacks.

Disabling ActiveX and VBScript guards against your hosts file being compromised, because most people just set their Windows user accounts to be an administrator of the box. Unix/Linux users don't have to worry about this, unless they're running the web browser as root, in which case they deserve what happens to them.

Of course, if you're mildly net-savvy, you can always use "dig" or "nslookup" and check about four or five well-known servers before you even go to the financial web site. If all of them return the same thing, you're probably safe. If any of them return something different, wait 12 hours and see what happens.

As the bible says (1)

awhelan (781773) | more than 9 years ago | (#11424891)

If you give a man a fish, he will eat for a day. If you teach a man to phish, he will steal your money, and buy enough fish to eat for life.

How's your phishing-picking-out-skills? (2, Interesting)

froggero1 (848930) | more than 9 years ago | (#11424930)

Even straightforward phishing attacks are getting more sophisticated. Spelling errors and mangled Web addresses made early scams easy to spot, but scam artists now commonly include legitimate-looking links within their Web addresses, said Kate Trower, associate product manager of protection software for EarthLink Inc.

I have noticed this lately as well... so now I scrutinize every email I get, hovering over links, and occasionally entering the first line or so into Google. I do consider myself to be pretty good at figuring out if it's a phish or not though. I found a fun little phishing-finding-outting test to take on i-am-bored.com [i-am-bored.com]. Try it out and see how well you do!

We're from the government; we're here to help (1)

Doc Ruby (173196) | more than 9 years ago | (#11424947)

Who trusts the Department of Homeland Security to help secure DNS with a task force from their Cybersecurity department?

Let's face it (1)

rbarreira (836272) | more than 9 years ago | (#11424950)

Computers were not made to be safe, much less the internet. Anyone who thinks that by accessing his bank online, they're not risking anything, is just heavily misguided. Anyone who does online banking, shopping and so on, is at risk.

If you don't want those risks, go do those tasks the traditional way.

It's not only about certificate errors (2, Insightful)

DingerX (847589) | more than 9 years ago | (#11424992)

Folks, let's do the math:
Phishers do not need to be successful very often. Think sperm here: if conditions are right, most of the time only one gets lucky 20% of the time. (Sorry for the Anchorman gag)
Consider the facts:
1) Only a few sites transact critical personal data (Credit cards, identity info) without proper security
2) Only a few sites use security certificates that are A) out of date B) for a different site C) otherwise invalid.
3) only a modest majority of IE users have been trained into clicking "OK" on every security warning they see, especially for sites they know they trust.

If a phisher jacks a DNS, if they're good and have volume, they'll only go for 1); the certification warnings in 2) are worthless. They're worthless for two reasons. First, browsers give the user the option of proceeding. Second, browsers don't distinguish between unimportant in-the-clear transmissions and stuff that looks like credit card numbers and identity information. Ideally, all browsers should have a cert mismatch not be an "ignorable" offense, but be one that causes the connection to fail.
3) As a backup, any attempt at in-the-clear transmission of numeric data longer than 5 digits should cause a whole storm of scary looking warnings (get rid of the "saturate the user with needless warnings" garbage that does more harm than good) stating that this is a really bad idea if it's anything valuable and to please, for the love of jeebus, reconsider.

I have no doubt they're hammering away at DNSs around the world; and they'll probably get one.

Oh yeah, and mandatory email encryption should be enabled, dammit.

Actual example anyone? (0)

Anonymous Coward | more than 9 years ago | (#11425009)

I'd like to see a pair of domain names:

a) the real site (e.g. www.bankofamerica.com)
b) its phisher version (probably hosted in a lawless country)

Cyber terrorism? (4, Insightful)

GrouchoMarx (153170) | more than 9 years ago | (#11425022)

Here's where our laws are truly screwed up.

On the one hand, downloading music from "unauthorized" sources such as P2P networks will get million dollar fines and, if the companies get their way, jail time, when there is actually no evidence that they are causing a loss of revenue (even if they are technically violating copyright law).

Meanwhile, people who write spyware, break into computers and DELETE data, shut down networks, and attack DNS servers in order to disrupt all traffic on the Net (roughly the online equivalent of putting tacks all over a major expressway junction) get.... what? Really, I have no problem with seeing these people get 20-life hard time.

When will the people who [ run the country | have money | bought Congress ] realize who the real threat to the Internet and to their bottom line is? It's not cheap Britney Spears fans. It's the people trying to break the Internet in order to get better advertising.

Oh wait, I forgot. Advertising is always good, because companies do it, so they can't object when someone tries to advertise. Silly me. Greedy SOBs have to stick together.

Don't trust DNS (1)

MattW (97290) | more than 9 years ago | (#11425061)

The simple answer: for all places where you have sensitive information, bookmark an SSL-enabled URL.

For example, instead of logging into your bank by typing in "www.mybank.com", bookmark their login info like:

https://www.mybank.com/login.bnk?gz=1

Or whatever.

When you visit the https url, even if a phisher has completely altered dns and hijacked your connection, they do not have the private key for the institution.

If you want to be paranoid, save your institutions' certificates locally so that even if a hijacker compromised a root server and spoofed a response AND got a cert issued for the legitimate domain (which, as anyone familiar with it knows, is not that hard), they still can't trick your browser.

Really, all institutions containing sensitive data should establish secondary data channels as well - like, any time you log into your bank or brokerage, you should be able to specify an email address...say, of your cell phone.... which will receive an email saying you just logged in. Then someone who manages to get your info still can't effectively use it.

Who needs DNS?! (1)

scovetta (632629) | more than 9 years ago | (#11425064)

I just keep a copy of the IP addresses to all of the sites that I visit on a piece of paper. Who needs DNS anyway?

Seriously though, any reason why the kernel's DNS-lookup procedure couldn't be changed to verify the IP through N servers instead of just the primary server? Of course, if one of the root DNS servers goes down, then that's it, but it's more likely that YOUR ISP's box will get rooted.
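The cross-checking proposed in this comment, in KiltedKnight's "ask four or five well-known servers with dig" and in nsasch's compare-before-connecting idea, as an added example that is not from the thread. It asks several resolvers via the dig CLI, adds what this machine itself resolves (which honours the hosts file first), and flags only sources whose answer shares no address with any other, so CDN and round-robin rotation (Mercano's objection) is not mistaken for an attack. The resolver addresses are placeholders, and www.mybank.example is invented.

```python
import socket
import subprocess

RESOLVERS = ["198.51.100.53", "203.0.113.53"]  # placeholders: substitute resolvers you trust


def query_with_dig(name, server, timeout=5):
    """A-record answers for `name` from one resolver, via dig +short.
    Returns a set of address strings; empty if dig is missing or fails."""
    try:
        out = subprocess.run(
            ["dig", "+short", "+time=3", name, f"@{server}"],
            capture_output=True, text=True, timeout=timeout, check=False,
        ).stdout
    except (OSError, subprocess.SubprocessError):
        return set()
    ips = set()
    for line in out.splitlines():
        line = line.strip()
        if line and line[0].isdigit():  # skip CNAME targets in the chain
            ips.add(line)
    return ips


def local_answer(name):
    """What this machine resolves: hosts file first, then the configured resolver."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return set()


def divergent_resolvers(answers):
    """answers: {source: set_of_ips}. Return sources whose answer shares no
    address with any other source. Identical sets agree; overlapping, unequal
    sets are what load balancing produces and are not flagged; a disjoint set
    (a poisoned hosts file, a lying resolver) is. If only two sources exist and
    they disagree, both are returned: the data cannot say which one lies."""
    flagged = []
    for src, ips in answers.items():
        others = set().union(*[v for k, v in answers.items() if k != src])
        if ips and others and not (ips & others):
            flagged.append(src)
    return sorted(flagged)


def check_name(name, servers=RESOLVERS):
    """Gather the local answer plus each resolver's answer and report disagreement."""
    answers = {"local": local_answer(name)}
    answers.update({s: query_with_dig(name, s) for s in servers})
    return answers, divergent_resolvers(answers)


if __name__ == "__main__":
    import sys
    answers, bad = check_name(sys.argv[1] if len(sys.argv) > 1 else "www.mybank.example")
    for src, ips in answers.items():
        print(f"{src:>16}: {', '.join(sorted(ips)) or '(no answer)'}")
    print("disagreeing sources:", bad or "none")
```

A source that returns nothing is not flagged (it may simply be unreachable), so an empty "local" line deserves its own look.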

Easy Short Term Fix (3, Insightful)

ftzdomino (555670) | more than 9 years ago | (#11425092)

Most phishing sites use images pulled from the real sites, as well as direct people to them when they are done entering their information. Many banks and sites such as paypal could easily track these people by watching their referral logs and looking for foreign referrals to things such as their navigation images. They could then contact the nocs of ISPs who are unknowingly hosting them on hacked machines to get them taken down immediately. Most ISPs are extremely willing to take these down quickly, I've had quite a few respond to me within minutes when I've informed them. Eventually phishers would just grab the whole site and host the images as well, but the increased bandwidth would be more likely to be noticed.

Mail clients should also notify users when the displayed http:// url differs from the actual href.

A better fix would be for banks and other organizations to set up contact addresses for people to inform them. Many of them take days to read feedback I've sent them regarding someone trying to scam their customers.
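ftzdomino's referral-log idea as an added example, not code from the comment or from any bank: it parses constructed Apache combined-format log lines (the hosts mybank.example and mybank-verify.example.net and all addresses are invented) and reports requests for the site's own images whose Referer names a host the site does not own, grouped so the abuse report can carry the client addresses and the assets being hot-linked.

```python
import re
from urllib.parse import urlsplit

# Constructed log lines in Apache combined format (not a real capture). The two
# requests from 198.51.100.9 carry a Referer page on a host that is not ours.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Jan/2005:10:01:02 -0500] "GET /images/nav_login.gif HTTP/1.1" 200 1234 "https://www.mybank.example/login" "Mozilla/4.0"
203.0.113.6 - - [21/Jan/2005:10:01:05 -0500] "GET /images/logo.gif HTTP/1.1" 200 2345 "https://www.mybank.example/" "Mozilla/4.0"
198.51.100.9 - - [21/Jan/2005:10:02:17 -0500] "GET /images/nav_login.gif HTTP/1.1" 200 1234 "http://mybank-verify.example.net/update.php" "Mozilla/4.0"
198.51.100.9 - - [21/Jan/2005:10:02:18 -0500] "GET /images/logo.gif HTTP/1.1" 200 2345 "http://mybank-verify.example.net/update.php" "Mozilla/4.0"
192.0.2.44 - - [21/Jan/2005:10:03:00 -0500] "GET /images/logo.gif HTTP/1.1" 200 2345 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

OUR_HOSTS = {"www.mybank.example", "mybank.example"}  # hosts allowed to embed our assets
ASSET_PREFIXES = ("/images/", "/css/")


def foreign_asset_referers(log_text, our_hosts=OUR_HOSTS):
    """Return {referer_host: {"hits": n, "paths": set, "clients": set}} for
    requests to site assets whose Referer names a host we do not own.
    An empty or "-" Referer is skipped: browsers omit it for many benign reasons."""
    hits = {}
    own_suffixes = tuple("." + h for h in our_hosts)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(ASSET_PREFIXES):
            continue
        ref = m["referer"]
        if ref in ("", "-"):
            continue
        host = (urlsplit(ref).hostname or "").lower()
        if not host or host in our_hosts or host.endswith(own_suffixes):
            continue
        entry = hits.setdefault(host, {"hits": 0, "paths": set(), "clients": set()})
        entry["hits"] += 1
        entry["paths"].add(m["path"])
        entry["clients"].add(m["ip"])
    return hits


if __name__ == "__main__":
    for host, info in foreign_asset_referers(SAMPLE_LOG).items():
        print(f"{host}: {info['hits']} hits from {sorted(info['clients'])}, "
              f"assets {sorted(info['paths'])}")
```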

I'm confused (2, Funny)

TiggertheMad (556308) | more than 9 years ago | (#11425103)

The article was a little vague on this point, but aren't Phisher scams where you pretend to be a slightly paranoid ex-chess genius hiding out in Japan?