Phishers Using Keystroke Loggers

CmdrTaco posted more than 9 years ago | from the please-no-phishing-jokes dept.

Security 388

Eh-Wire writes "Keystroke loggers are rapidly becoming the lure of choice for phishers. Their advantage is that they compromise information long before the information has a chance to be encrypted."

Challenge (5, Interesting)

fembots (753724) | more than 9 years ago | (#12445383)

Will this work against keyloggers?

When using online banking (or anything online really), once you have entered your login correctly, the site displays a graphical challenge derived from one of your personal details, such as address, phone, birthday etc., and you use your mouse to choose the correct one and proceed.

I guess this is similar to the additional 3/4 digits at the back of a credit card.

Re:Challenge (2, Insightful)

blogtim (804206) | more than 9 years ago | (#12445400)

That's not a bad idea, though if they can log keystrokes, they can certainly log mouse movements. The problem with computer security is that everything is digitized. Even an eye scan or a fingerprint gets digitized at some point. That datastream can be captured and replayed.

Re:Challenge (4, Insightful)

Em Adespoton (792954) | more than 9 years ago | (#12445468)

The trick is that the web site would use the WinZip trick; the elements would be placed in random locations; after all, it's the data they need; the placement of the form elements doesn't really matter. If the phisher tried to re-create the mouse movements at a later date, they'd have a very low chance of clicking on the same radio button.

Re:Challenge (1)

LiquidCoooled (634315) | more than 9 years ago | (#12445653)

But you forget that they have access to the local machine.
They can see as much of the data as the user.

Replay attacks will become movies.

Re:Challenge (1)

fembots (753724) | more than 9 years ago | (#12445474)

Mouse movement is harder to track because the correct image can be positioned randomly among a few bogus ones.

And there can be more than one correct image (i.e. this time it shows your birthday, next time your street name, then first 3 digits of your phone etc.) in the database to choose from.
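Added example (not part of the original thread): a minimal Python model of the randomized click challenge described in the comments above, with a fresh layout and single-use option tokens per session, showing what happens when a recorded click is replayed later. The class name, the sample birthday labels and the token scheme are assumptions made for illustration.

```python
import hmac
import secrets

_rng = secrets.SystemRandom()


class ChallengeServer:
    """Single-use click challenge: one real detail hidden among decoys."""

    def __init__(self):
        self._pending = {}  # session id -> token of the correct option

    def issue(self, correct, decoys):
        """Return (session_id, layout); layout is [(token, label), ...] in
        screen order. A real page would render each label as an image."""
        labels = [correct] + list(decoys)
        _rng.shuffle(labels)                        # fresh placement every time
        tokens = {label: secrets.token_hex(16) for label in labels}
        session_id = secrets.token_hex(8)
        self._pending[session_id] = tokens[correct]
        return session_id, [(tokens[label], label) for label in labels]

    def verify(self, session_id, clicked_token):
        expected = self._pending.pop(session_id, None)   # one attempt only
        return expected is not None and hmac.compare_digest(expected, clicked_token)


def click(layout, label):
    """What the legitimate user does: pick the option showing `label`."""
    return next(token for token, shown in layout if shown == label)


def replay_results(trials=2000):
    """Record one legitimate login, then replay it against fresh challenges."""
    server = ChallengeServer()
    # Constructed sample data: the account holder's birthday and three decoys.
    correct, decoys = "14 March", ["2 June", "30 October", "9 January"]

    sid, layout = server.issue(correct, decoys)
    recorded_token = click(layout, correct)
    recorded_slot = [token for token, _ in layout].index(recorded_token)
    first_login = server.verify(sid, recorded_token)
    same_session_replay = server.verify(sid, recorded_token)

    token_hits = slot_hits = 0
    for _ in range(trials):
        # Replay the recorded token value in a new session.
        sid, layout = server.issue(correct, decoys)
        token_hits += server.verify(sid, recorded_token)
        # Replay the recorded screen position in a new session.
        sid, layout = server.issue(correct, decoys)
        slot_hits += server.verify(sid, layout[recorded_slot][0])

    return {
        "first_login": first_login,
        "same_session_replay": same_session_replay,
        "token_replay_rate": token_hits / trials,
        "slot_replay_rate": slot_hits / trials,   # about 1 / number of options
    }


if __name__ == "__main__":
    for name, value in replay_results().items():
        print(f"{name}: {value}")
```

This covers only replay of a recorded click. As other comments in the thread point out, software that also captures the screen sees which label was chosen, and a small fixed set of challenge images can be recognised by file hash.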

Re:Challenge (1)

YrWrstNtmr (564987) | more than 9 years ago | (#12445509)

And at some point during signing up, you have to enter those values in. Via the keyboard.

Re:Challenge (0)

Anonymous Coward | more than 9 years ago | (#12445529)

Or they already have them on file. I'm sure my bank knows my phone number and such...

Re:Challenge (1)

fembots (753724) | more than 9 years ago | (#12445565)

Yes I was about to say that.

And for normal websites that don't previously own your other details, you can sign up using a credit card, which links to your other details like address, phone etc.

However I think this is getting too far :) Relying on so many sources to pass around your details is just as bad an idea.

Re:Challenge (2, Interesting)

nkh (750837) | more than 9 years ago | (#12445559)

Logging the movement of the mouse may be too difficult to implement. In the end it's always HTTP requests sent to the server. What I would do is write a server that the key logger could connect to, the key logger would send the URL of the site being visited and the server would answer with the proper protocol to follow. The server would have a database of all the banking web sites and if a web site is missing in the DB, the phisher would add it manually to the DB. The captcha could be cracked on the local machine or it could be cracked on a porn site (as it's already been done in the past: read this captcha and get your pics!)

Re:Challenge (0)

Anonymous Coward | more than 9 years ago | (#12445420)

If they can log keys, they can probably log where the mouse is and take screenshots of your bank's webpage. A few modifications to your already owned system, and your data's theirs.

Re:Challenge (4, Informative)

Saven Marek (739395) | more than 9 years ago | (#12445428)

Well, many of the phishers don't hack accounts with automated tools so they have your account details and then they go enter them manually and put in the graphical challenge result themselves so they can do what they want from there.

Also most of these graphical challenges are still a limited number of preset images that are simply cycled around so it's easy to detect which is which by file hashes and things like that. Not many sites generate their own live graphical challenge images.

Re:Challenge (0)

Anonymous Coward | more than 9 years ago | (#12445431)

Some of the same toolsets include methods that capture screenshots.

But I do like the idea.

Next up: (0)

Anonymous Coward | more than 9 years ago | (#12445459)

Spyware that initiates a remote VNC-type display session when it detects connection to a financial site.

Use password that looks like mouse data (1)

suso (153703) | more than 9 years ago | (#12445525)

I imagine it would change a bit from machine to machine, but it would be a neat idea to use a password that looked similar to what the keylogger would show for mouse data. So as long as you don't hit enter, you could confuse the phisher by making them think that you never typed a password, but moved the mouse around.

I know I know, this is security by obscurity, but maybe this idea will spark some others that would work even better.

Re:Use password that looks like mouse data (1)

suso (153703) | more than 9 years ago | (#12445554)

Actually, I spoke too soon, I didn't think about the possibility that the logging programs/hardware would record mouse and key data separately.

Re:Challenge (1)

JadeNB (784349) | more than 9 years ago | (#12445551)

When using online banking (or anything online really), once you have entered your login correctly, the site displays a graphical challenge derived from one of your personal details, such as address, phone, birthday etc., and you use your mouse to choose the correct one and proceed.

I guess I'm missing the point, but I don't see how this would work -- even setting aside what others have mentioned, that mouse movement can probably be logged, too. If a phisher has your personal information already (from the keylogger), then surely it won't pose any additional problem for him to choose the correct graphical option?

Hardware (1)

Hoi Polloi (522990) | more than 9 years ago | (#12445604)

How about hardware based encryption built into the keyboard itself?

Re:Hardware (0)

Anonymous Coward | more than 9 years ago | (#12445667)

How about a docking bay for an Enigma Machine?

Maybe put a USB router in there too for the fun of it.

Graphical passwords (1)

EmbeddedJanitor (597831) | more than 9 years ago | (#12445679)

This is like something that was tried a while ago using graphical passwords.

The system sends a list of images (people's faces) to the user and the user chooses one. The benefits of this are: 1) People remember faces better than passwords. Don't forget their password during a vacation. 2) A face is very easy to recognise, but very hard to describe. This makes it very difficult to steal or give away the password (on purpose, under duress or by mistake [including phishing]).

Gone phishin'. (0)

Anonymous Coward | more than 9 years ago | (#12445386)

Closed today. Gone phishin'.

News? (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12445387)

How does this qualify as news?

Re:News? (0, Offtopic)

Yonatanz (798506) | more than 9 years ago | (#12445455)

How does this qualify as news?

It says "news" in TFA's link... (news.yahoo.com)

Really? (0, Troll)

thundercatslair (809424) | more than 9 years ago | (#12445394)

Next on slashdot: Humans require oxygen to live.

In other news... (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#12445397)

DUH!!

wow (-1, Troll)

opposume (600667) | more than 9 years ago | (#12445404)

there's a shocker. Could we move on to something that wasn't as obvious??? Phishers looking for user names and passwords using a tool to collect said information. I'm just dumbfounded they were smart enough to think about it!

Scramble your keys (4, Interesting)

qewl (671495) | more than 9 years ago | (#12445407)

If you're on a PC that you suspect may contain logging equipment or trojans or anything similar, you can always avoid accurate keystroke logging by typing part of a password per se, and then clicking the other side(s) to type in the rest. That way typing is scrambled. Loggers can usually record the arrow keys, but not mouse clicks.

Re:Scramble your keys (2, Interesting)

Himring (646324) | more than 9 years ago | (#12445497)

If you're on a PC that you suspect may contain logging equipment or trojans or anything similar, you can always avoid accurate keystroke logging by typing part of a password per se, and then clicking the other side(s) to type in the rest. That way typing is scrambled. Loggers can usually record the arrow keys, but not mouse clicks.

ahh, my asplode....

Clicking the other side of what? My experience with key loggers is that they are inescapable. If you touch the key and send the signal the character is recorded. No need to hit "enter" either for it to get recorded. They are the most nefarious thing I've seen, yet, in spying on a user's computer activities....

Re:Scramble your keys (1)

pv2b (231846) | more than 9 years ago | (#12445550)

I think the parent poster meant to click in different parts of the password field *using the mouse*.

Granted, not ideal, but will help against trivial keyloggers.

Re:Scramble your keys (5, Informative)

Anonymous Coward | more than 9 years ago | (#12445553)

He means like if your password is password, type 'sswo' then click the front of that and type 'pa' and then click the other side and type 'rd'. A keystroke logger alone can not catch that, a screen monitoring program would also be needed (which do exist), but a hacker would likely not expect that and therefore bother.

Re:Scramble your keys (3, Interesting)

zulux (112259) | more than 9 years ago | (#12445620)

Clicking the other side of what?

He means like this:

1) type in 'word'
2) move the pointer (caret) to the left 'w'.
3) Finish typing 'pass' - you now have 'password' but the keylogger recorded 'wordpass'

Re:Scramble your keys (1)

carlos_benj (140796) | more than 9 years ago | (#12445681)

...but the keylogger recorded 'wordpass'

Another reason to move away from dictionary words if the user hasn't already, but isn't this a bit unwieldy?

Re:Scramble your keys (1)

user317 (656027) | more than 9 years ago | (#12445640)

you got to be kidding right? if you give me all the characters in your password and the length of your password how long do you think it will take me to guess your password?
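Added example (not part of the original thread): a small Python model of the caret-repositioning habit described in the comments above, and of how few field values remain consistent with what a keystroke-only logger records. The event format and function names are assumptions made for illustration; it models a plain text field where a mouse click only moves the caret.

```python
import math


def apply_events(events):
    """Replay ('key', ch) and ('click', caret_pos) events on an empty field.

    Returns (field_value, keystroke_log); the log is what a logger that
    sees key presses but not mouse clicks would hold.
    """
    field, caret, log = [], 0, []
    for kind, arg in events:
        if kind == "key":
            field.insert(caret, arg)
            caret += 1
            log.append(arg)
        elif kind == "click":
            caret = max(0, min(arg, len(field)))
        else:
            raise ValueError(f"unknown event {kind!r}")
    return "".join(field), "".join(log)


def keys(text):
    return [("key", ch) for ch in text]


def values_consistent_with(log, max_clicks):
    """All field values that yield `log` using at most `max_clicks` caret moves."""
    found = set()

    def extend(current, rest, clicks_left):
        if not rest:
            found.add(current)
            return
        if clicks_left == 0:
            return
        for pos in range(len(current) + 1):          # where the click landed
            for cut in range(1, len(rest) + 1):      # how much was typed there
                extend(current[:pos] + rest[:cut] + current[pos:],
                       rest[cut:], clicks_left - 1)

    for cut in range(1, len(log) + 1):               # first run, typed from empty
        extend(log[:cut], log[cut:], max_clicks)
    return found


def cost_in_bits(log, max_clicks):
    """Extra guessing work the habit adds for someone holding the log."""
    return math.log2(len(values_consistent_with(log, max_clicks)))


# The two sequences from the comments above.
ONE_CLICK = keys("word") + [("click", 0)] + keys("pass")
TWO_CLICKS = (keys("sswo") + [("click", 0)] + keys("pa")
              + [("click", 6)] + keys("rd"))

if __name__ == "__main__":
    for events, clicks in ((ONE_CLICK, 1), (TWO_CLICKS, 2)):
        value, log = apply_events(events)
        n = len(values_consistent_with(log, clicks))
        print(f"field={value!r} logged={log!r} "
              f"consistent values={n} ({math.log2(n):.1f} bits)")
```

The count is an upper limit on what the habit buys against a keystroke-only logger; against a logger that reads the form field or the screen it buys nothing.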

Re:Scramble your keys (0)

Anonymous Coward | more than 9 years ago | (#12445689)

But the thing is, you wouldn't it was scrambled..

Re:Scramble your keys (5, Insightful)

slam smith (61863) | more than 9 years ago | (#12445545)

Maybe if you suspect it has trojans, keyloggers etc, you should clean/reinstall the machine before using it for sensitive work.

Re:Scramble your keys (2, Interesting)

Anonymous Coward | more than 9 years ago | (#12445584)

Maybe it's time for keyboards to wrap their keystrokes in a secure layer like ssh. Seems basic enough to have a generic secure input usb device like there are generic usb input devices now. Would that work? Would the kernel need to provide password hashes to programs instead of plain text passwords? This might be a way to thwart the FBI keystroke loggers. But we would need a way to verify our kernel every time we ran. Some sort of trusted computing . . . .

Re:Scramble your keys (1)

bigjocker (113512) | more than 9 years ago | (#12445601)

If you don't trust the computer, then use a card sized linux distribution [inside-security.de] to boot the computer. If you can't boot the computer, then wait until you find a secure terminal.

MOD PARENT UP!!! (1)

Futurepower(R) (558542) | more than 9 years ago | (#12445702)


Good idea.

Enter some characters in the password field. Then use the mouse to erase some of those characters. Then put the cursor in a different position than it was originally, and enter some more characters.

ALL banks should be required by law to use randomly presented images in a challenge-response system.

It's a pity that the only things that can be done now in the U.S. government involve paying some politician, so needed changes aren't made.

Talented (2, Insightful)

MonsterOfTheLake (880659) | more than 9 years ago | (#12445410)

"These are talented people doing bad things," said Cluley. "It's a shame they can't put all that expertise to a better use than stealing money."

The reason they are doing "bad things" is because they can't get a job in the first place.

Re:Talented (3, Insightful)

pv2b (231846) | more than 9 years ago | (#12445454)

The reason they are doing "bad things" is because they can't get a job in the first place.


Not necessarily. It could just be that phishing might just pay more than doing an honest job.

Re:Talented (4, Insightful)

Avyakata (825132) | more than 9 years ago | (#12445478)

That's not necessarily true...some people do "bad things" simply because they get pleasure from doing it. Maybe they enjoy the challenge?

Plus, if they have enough skill to phish efficiently and successfully, then they can probably get a job somewhere.

Re:Talented (1)

MrAnnoyanceToYou (654053) | more than 9 years ago | (#12445581)

Most of the people I've known who were even mildly suited personality-wise to this kind of stuff were not exactly the kind of people willing to accept a job 'somewhere.' Idealists, perfectionists, assholes, whatever, they were crippled socially in a way that kept them from fitting into most of the things people consider 'jobs.'

They hate sitting in the cube, and all they want for eight hours is out. So they don't do it.

They've got other talents anyways.

Re:Talented (1)

zulux (112259) | more than 9 years ago | (#12445580)

The reason they are doing "bad things" is because they can't get a job in the first place.

Tell that to the people two doors down from me - they're dealing drugs while the local McDonald's has a 'help wanted' sign. Go figure. The kicker - these bums are also on welfare.

Some people would rather scheme and steal $1 instead of making $10 honestly.

Re:Talented (3, Informative)

Hoi Polloi (522990) | more than 9 years ago | (#12445630)

I think if you are going to compare drug dealing to McDonalds it is probably a case of preferring to make $100 illegally than to make $1 legally.

Competition (1)

Anonymous Coward | more than 9 years ago | (#12445666)

"These are talented people doing bad things," said Cluley. "It's a shame they can't put all that expertise to a better use than stealing money."

The reason they are doing "bad things" is because they can't get a job in the first place.

Too much competition, Enron, Halliburton, etc. Today's lesson, for those who haven't been paying attention since January 2001, is Get Rich, GET REALLY, REALLY FILTHY STINKING RICH, the government is behind you all the way (as long as you don't make them look bad). Windfall profits tax? PFFT! See the oil companies helping offset the deficit? Not a chance, they paid their few millions to get the team in place, why should they pay billions now?

Secure yourself! (4, Funny)

coupland (160334) | more than 9 years ago | (#12445424)

This isn't a problem for me, I rearrange all the keycaps on my keyboard to protect myself. ^_^

Re:Secure yourself! (1)

fbartho (840012) | more than 9 years ago | (#12445466)

I assume of course that you're kidding when you suggest that this might actually improve your security...

Re:Secure yourself! (0)

Anonymous Coward | more than 9 years ago | (#12445585)

I assume of course that you're kidding

Did you not know that when you swap keys on the keyboard, they take the new letter automatically? Duh!

Re:Secure yourself! (1)

JadeNB (784349) | more than 9 years ago | (#12445586)

This isn't a problem for me, I rearrange all the keycaps on my keyboard to protect myself.

Of course, that means that what you thought you typed was Xrmn mna'x f qzslbep hsz pe ....

Re:Secure yourself! (1)

Rorschach1 (174480) | more than 9 years ago | (#12445617)

Hey, me too. My QWERTY keyboard looks like a RIYOUP keyboard. Might not prevent keyloggers, but it bugs the hell out of anyone who sits down here and doesn't know how to touch type.

News (1, Redundant)

Aenox (874907) | more than 9 years ago | (#12445429)

This is both news and accurate! "Keyloggers .. could be placed in an e-mail message that downloads the program automatically even if a user does not open the attachment."

Re:News (1)

$1uck (710826) | more than 9 years ago | (#12445481)

Is that really true? If so that's kind of frightening. Is that solely an Outlook "feature"?

Well, just take away their wood (5, Funny)

WillAffleckUW (858324) | more than 9 years ago | (#12445437)

"Keystroke loggers are rapidly becoming the lure of choice for phishers.

If we just take away the Wood on the Internets, the Loggers will go home. And then they'll stop phishing for Newbs ...

That's what I've heard (5, Insightful)

SteelV (839704) | more than 9 years ago | (#12445442)

I've been worried about this for quite some time. I know how easy it is for someone to put a small device between the keyboard and the computer, and no one would notice it in most cases (such as at a public library, university campus, or any other place where the computers themselves are accessible and used by the general population). And even if you check the rear of the machine, it's also possible that it's been compromised by a software keylogger that is much more difficult to detect.

I find myself, when on public machines, typing extra characters in my passwords and then using the mouse to highlight them and type over them. This makes my passwords (which are already random letters/numbers) seem longer than they really are with gibberish if they are logged as keystrokes. Unfortunately, some software keyloggers can detect exactly what the input into forms are -- this does not help with that. It is also quite a hassle, but what can I say? I'm a bit paranoid (but, I believe, right so).

Keylogging is the easiest way to get people's information. The only solution I see is to ensure all public machines are much more secure from the user's end, and to actually have the machine itself inaccessible (i.e. locked in a drawer, etc.). I guess the only 'perfect' solution (if there is one) would be to use a keyboard that is projected from an inaccessible area, so that it cannot be tampered with whatsoever.

Nothing's perfect, but we can do better than we're doing in public locations!

Re:That's what I've heard (1)

mscnln (785138) | more than 9 years ago | (#12445510)

And even if you check the rear of the machine, it's also possible that it's been compromised by a software keylogger that is much more difficult to detect.

How about not using an OS on which anyone can install a software keylogger?

Re:That's what I've heard (0)

Anonymous Coward | more than 9 years ago | (#12445626)

And that OS is?

Re:That's what I've heard (1)

jay-be-em (664602) | more than 9 years ago | (#12445654)

Keylogging is the easiest way to get people's information. The only solution I see is to ensure all public machines are much more secure from the user's end, and to actually have the machine itself inaccessible (i.e. locked in a drawer, etc.). I guess the only 'perfect' solution (if there is one) would be to use a keyboard that is projected from an inaccessible area, so that it cannot be tampered with whatsoever.

This accomplishes nearly nothing as any phisher could install a software keylogger from the network.

Re:That's what I've heard (0)

Anonymous Coward | more than 9 years ago | (#12445698)

How about a machine whose hard drive is "locked" by hardware wherein any disk writes are undone on restart. That, combined with an inability to hide any sort of hardware-based keylogger would fix the problem entirely. Or we could all just use something like SecurID where the passphrase itself changes.

From a quick scan of TFA (1)

nathan s (719490) | more than 9 years ago | (#12445444)

It seems like you'd pick up the keylogger if you visited questionable websites or ran insecure email software that automatically trusts every image, script, etc in your email (*cough*Default Outlook Behavior*cough*) - in other words, not really anything to worry about if you're security conscious.

Seems like yet another thing that a bit of education and/or better software architecting practices could easily reduce. The user is always the weakest link.

Re:From a quick scan of TFA (2, Interesting)

psbrogna (611644) | more than 9 years ago | (#12445535)

Shouldn't there be some level of accountability for the company though (ala guns, cigs, alcohol, etc)? Don't get me wrong, I'm not a huge fan of bigGov and legislation creeping into everything but IMHO it's unrealistic to expect average users to be responsible for their own security.

I think shipping a product that, taken out of the box and connected to the internet as is, stops working in very short order is negligent. If I bought a toaster I think I should be reasonably able to make toast with it for at least a few weeks before it spontaneously combusted without buying any toaster protection devices or having to read tomes of information about toaster security theory.

Sure... (1)

nathan s (719490) | more than 9 years ago | (#12445594)

...but you'd think that enough people would eventually get burnt that there would be a collective realization that the software is flawed, and a corresponding push to use other/less-flawed software (as we've seen with even government [theinquirer.net] recommending against using Internet Explorer).

I think it might be that Microsoft's PR guys do a really good job of damage control, and people never fully realize that they're so vulnerable (although there's a chance that they just don't understand that they have alternatives).

Re:From a quick scan of TFA (3, Informative)

YrWrstNtmr (564987) | more than 9 years ago | (#12445571)

(*cough*Default Outlook Behavior*cough*)

Not for quite some time now. The Outlook 2003 default Inbox view is no preview pane, and the default condition for images is off, unless you right click to display.

Re:From a quick scan of TFA (1)

nathan s (719490) | more than 9 years ago | (#12445635)

Now if we could only get everyone to shell out [microsoft.com] (Pro: $499US new user/$329US upgrade) for Office 2003, things might get better:-)

Yeah... (1, Redundant)

Vthornheart (745224) | more than 9 years ago | (#12445449)

And in other news, apparently experts have come to the conclusion that the Earth is *not* flat as was previously expected, but rather it forms some sort of spherical shape. More on this news as it develops.

CopyPaste (2, Funny)

FunkDaddy (556594) | more than 9 years ago | (#12445452)

I'll just start copying and pasting all my u/p. So there.

This site tests antivirus programs. (-1, Offtopic)

zymano (581466) | more than 9 years ago | (#12445456)


Antivirus tested [virus.gr]

Old exploit, new name (2, Interesting)

Jailbrekr (73837) | more than 9 years ago | (#12445460)

Keylogging has been around for some time, in fact I'm sure many posters here have written their own rudimentary keyloggers at high school just for shits and giggles. I fail to see why this is newsworthy. Pretty soon they'll be talking about how these "phishers" are exploiting javascript vulnerabilities. Oh wait.....

Phishers are virus writers with a financial motive, nothing more. In fact, most virus writers these days are financially motivated (like setting up zombie networks for extortion attempts). Why differentiate? Just call them criminals.

SOLUTION! (2, Funny)

crudeawakening (867472) | more than 9 years ago | (#12445461)

Well what if I physically rearrange the keys on my keyboard? Will that work?

Re:SOLUTION! (1)

CamelToes (325281) | more than 9 years ago | (#12445533)

Well what if I physically rearrange the keys on my keyboard? Will that work?

Well, you can always learn to use a Dvorak Keyboard layout. But I think these Phishers may already be keen on that.

Re:SOLUTION! (1)

m50d (797211) | more than 9 years ago | (#12445539)

Changing them and changing the layout in software too would defeat a hardware keylogger, at least until they run it through their table of keyboard layouts (there aren't too many). Might defeat loggers built into the keyboard drivers, which are the most insidious kind, too.

Informative Link (4, Informative)

TripMaster Monkey (862126) | more than 9 years ago | (#12445463)


In the interest of stimulating more informed discussion, the results of the Anti-Phishing Working Group survey can be found here [earthlink.net] .

Pharmers (3, Informative)

Virtual Karma (862416) | more than 9 years ago | (#12445464)

The new word for them is Pharmers. Read about it here [blogspot.com]

phishers attack personal apache webservers? (0)

Anonymous Coward | more than 9 years ago | (#12445467)

I used to run an apache webserver, and one day, I discovered random files running on my computer. Freaking out, I disconnected from the internet, deleted all those files, and turned off Apache.

I'm not particularly adept with the software, but I do some minor web development, so I like to run the webserver for convenience. Apparently somebody (or some bot) came to my computer, uploaded a php file, which gave it access to my entire computer, uploaded a program and executed it. Thinking that I am a bit more computer literate than many others, I found this a terrifying experience.

Not a problem with Windows Trusted Keyboard... (2, Funny)

Anonymous Coward | more than 9 years ago | (#12445469)

Windows Trusted Keyboard(tm) Technology allows complete safety from keyloggers. By converting each key into an XML string to be passed via a SOAP along with domain or .NET Passport credentials... you can be completely safe from mean hackers and black-head script kiddos.

Summary misleading. (3, Insightful)

Anonymous Coward | more than 9 years ago | (#12445479)

Whoever wrote the article obviously didn't understand what he was writing about. The keylogger phenomenon has nothing to do with phishing.

dictionary.com entry
Main Entry: phishing
Definition: the practice of luring unsuspecting Internet users to a fake Web site by using authentic-looking email with the real organization's logo, in an attempt to steal passwords [...]

You can install a keylogger to steal someone's passwords, credit card numbers, etc but calling it a trojan horse or a browser/email client exploit would be much more appropriate.

Here's an Idea... (2, Insightful)

megarich (773968) | more than 9 years ago | (#12445486)

Don't do any online banking....period! I'm too paranoid, anything that involves my direct bank accounts I do in person. I still do CC orders over the internet since at least with cc you can report fraudulent charges and have them erased.

I was disappointed reading the article. I was hoping they would go into more technical details like how these programs work, and how to detect some of them. As some pointed out already, the article just merely states the obvious, people using whatever techniques they can to steal your information.

To George W. Bush: Iraq Has The Largest Oil .... (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12445492)



Feloniously yours,
President-Vice Richard B. Cheney

FthePresident [whitehouse.org]

We already know this... (1)

suitepotato (863945) | more than 9 years ago | (#12445494)

...and it comes under the heading of "phishing-user intervention required".

Trojans both keylogging and not, some as much as the core VNC code in a not-so-clever wrapper and some far worse and some in between, are already well documented.

Tacking them onto phishmail is just another tactic, no different than using interesting spam. The majority of infections these days are in people using Outlook Express with preview pane active and e-mails being allowed to display in full glorious security-farked HTML, Active X, and so on. The rapidly competing second for me are people who click every other freaking pop-up and that too can be a kind of phishing.

Nothing new here...

How about not wasting law enforcement? (2, Insightful)

swb (14022) | more than 9 years ago | (#12445517)

How about we not waste law enforcement [usdoj.gov] efforts on pointless enforcement efforts that will get nowhere and instead focus those efforts on internet-based crimes, such as the fraud/theft rings behind spam, phishing and other activities?

Need an easy workaround? (1)

Rahga (13479) | more than 9 years ago | (#12445518)

Klingon.

If you are cheap, and can't afford a Klingon Keyboard, then just use Klingon phrases throughout your work and play. How are phishers supposed to know that "Bocktagh Massacre" is your username, or that "I eat raw Kitblagh." is your bank's password?

So, until the keyloggers come with screenscrapers, I figure I'm safe no matter what computer I'm sitting at.

Re:Need an easy workaround? (1)

Cro Magnon (467622) | more than 9 years ago | (#12445568)

Well, you were until you posted your info on /.

Coming soon on Slashdot... (0)

Anonymous Coward | more than 9 years ago | (#12445519)

timothy writes "As more and more people are connecting to the Internet, some sinister individuals are taking advantage of browser vulnerabilities to install software on users' computers. These so-called trojans [wikipedia.org] often pose as legitimate software, but can capture information and relay it to a third party. This could surely turn out to be a goldmine for online fraudsters."

Welcome to the 90s, Slashdot.

Easy Fix (2, Insightful)

Usaflt2003 (881612) | more than 9 years ago | (#12445528)

A couple of easy ways to avoid this:

1. Don't use public access terminals for your important transactions.

2. Don't let your home computer become infected with tons of malware.

3. Go back to snailmail and telephones for those transactions... ok not a great solution but a logger can't get your bank password if you're sending checks to pay your bills, reading paper statements and calling the bank for your balance.

Phising (1, Funny)

Anonymous Coward | more than 9 years ago | (#12445537)

"These are talented people doing bad things," said Cluley. "It's a shame they can't put all that expertise to a better use than stealing money."

Why? Some fool had some money. Some enterprising dude managed to lure the money out of his hands.
The money and the fool got separated. Big deal.
As far as I'm concerned the end result is a more effective allocation of money, from fools to smarter people.

Re:Phishing (1)

jay-be-em (664602) | more than 9 years ago | (#12445687)

Installing a keylogger has nothing to do with being smart, I'm not sure what the hell this fellow was thinking.

Old is not bad in all the cases (1)

leoval (827218) | more than 9 years ago | (#12445540)

This is not intended as a flame, but given the amount of automation of most of the attacks, it is better to stick with old technologies, at least as far as email and web browsing are concerned.

I still read my email at the office with Netscape 4.77 and with Thunderbird at home (with view->plain text for all my messages).

At least when I do a ps -ax on my Linux box I can recognize every single daemon, but in Windows bringing up the process window does not help at all; it seems that the process names follow some cryptographic convention, so spotting a keylogger is futile, at least for me.

Re:Old is not bad in all the cases (1)

the_rev_matt (239420) | more than 9 years ago | (#12445596)

And the process viewer in Win allows processes to hide as well, so it's basically useless.

Secure keyboards (4, Interesting)

ndogg (158021) | more than 9 years ago | (#12445549)

I think it's time we started seeing encrypted keyboards, particularly if they're coupled with flash drives. With USB so abundant, finding a place to plug in shouldn't be too much of a hassle. The keyboard could contain the private key, and the flash drive would contain the public key, and the decryption would take place on the application level (e.g. PuTTY).

Re:Secure keyboards (3, Insightful)

merdark (550117) | more than 9 years ago | (#12445696)

Bluetooth keyboards are encrypted, but that still doesn't stop software loggers, which are probably more common anyways.

what lures? (0)

Anonymous Coward | more than 9 years ago | (#12445562)

"attackers have found a way to create e-mail lures that do not require user behavior to infect a machine."

Well? What is this way? What operating systems does it affect?

do your banking offline (1)

mashedpatatas (854784) | more than 9 years ago | (#12445564)

I always do my banking in... (hold your breath)... BANKS! Once in a while, it helps to leave the computer alone.

Re:do your banking offline (1)

graphicsguy (710710) | more than 9 years ago | (#12445659)

I've got bad news for you -- the banks still store your personal information on computers for other people to steal.

Is it just me... (1)

Sewer Panda (812292) | more than 9 years ago | (#12445574)

...or does resorting to using a keylogger just make you a regular ol' hacker? I thought "phishing" referred specifically to using social engineering tactics to get people's info. When is a phisher not a phisher?

new employees at Slashdot recently? (1)

_Shorty-dammit (555739) | more than 9 years ago | (#12445589)

The last few days have seen some pretty lame stories being accepted, that's for sure.

Re:new employees at Slashdot recently? (1)

_Shorty-dammit (555739) | more than 9 years ago | (#12445634)

Haha, and now I notice that it was the Taco that put this one up. Invasion...body snatchers...

Along with social engineering to distribute them.. (1)

Audigy (552883) | more than 9 years ago | (#12445612)

...it makes sense that keyloggers are the phishing tool of choice now.

Instead of downloading and running an attachment, all you may have to do to become 'infected' is click on a hyperlink while on an unpatched system. I got one of these via ICQ the other day. It appears that what used to be a legitimate site was either DNS poisoned or taken over completely - http://www.azafrica.com [azafrica.com]

Here's what my Application log had to say about it:

The description for Event ID ( 1900 ) in Source ( HHCTRL ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: This operation can only function within HTML Help., http://www.azafrica.com/sp2html.html [azafrica.com] , http://support.microsoft.com/kb/890175 [microsoft.com] .

McAfee caught the offending .ani file and quarantined it, but I'm patched up.

Phishers will keep on trying... it's fascinating, really. Patch your damn systems and disable IE. :P

firstdirect has a nice stopgap (4, Interesting)

Second_Derivative (257815) | more than 9 years ago | (#12445613)

They're a UK bank that works solely over the telephone and, lately, over the internet (they're partnered with HSBC for brick-and-mortar operations such as paying in cheques). Over the phone they ask you for random letters out of your password, and they've taken the same approach with online passwords, e.g.:

If my password is "spaghetti bolognese", it might request three letters out of that, say "pgg". It's still vulnerable to man-in-the-middle but keylogging alone is of limited use.

Which makes me wonder why they don't just do man in the middle trojans which trigger off against known online banking domains...
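The partial-password challenge described in the comment above, as an added sketch that is not part of the original post and not firstdirect's implementation. The per-position HMAC storage, the demo key and all function names are assumptions; the two helper calculations quantify how much a passive logger gains from captured sessions.

```python
import hashlib
import hmac
import secrets
from fractions import Fraction
from math import comb

# Constructed demo key; a real deployment would keep this in an HSM or secrets store.
SERVER_KEY = b"constructed-demo-key"

def _digest(key, index, char):
    return hmac.new(key, f"{index}:{char}".encode(), hashlib.sha256).digest()

def enroll(password, key=SERVER_KEY):
    """One keyed digest per position, so single letters can be checked later.
    Caveat: each digest covers one character, so anyone holding the key can
    brute-force the whole password from this record."""
    return [_digest(key, i, c) for i, c in enumerate(password)]

def new_challenge(length, k=3):
    """Pick k distinct zero-based positions with a CSPRNG."""
    return sorted(secrets.SystemRandom().sample(range(length), k))

def verify(record, positions, letters, key=SERVER_KEY):
    """Check the requested letters; every position is compared, no early exit."""
    if len(positions) != len(letters) or len(set(positions)) != len(positions):
        return False
    if any(not 0 <= i < len(record) for i in positions):
        return False
    ok = True
    for i, c in zip(positions, letters):
        ok &= hmac.compare_digest(record[i], _digest(key, i, c))
    return ok

def replay_odds(seen, length, k=3):
    """Chance that a fresh k-letter challenge asks only for positions a
    passive observer has already captured: C(seen, k) / C(length, k)."""
    return Fraction(comb(seen, k), comb(length, k))

def expected_exposure(length, logins, k=3):
    """Expected fraction of positions revealed after `logins` observed sessions."""
    return 1 - (1 - Fraction(k, length)) ** logins

if __name__ == "__main__":
    pw = "spaghetti bolognese"             # the example password from the post
    rec = enroll(pw)
    print(verify(rec, [1, 3, 14], "pgg"))  # zero-based positions of p, g, g
    print(replay_odds(3, len(pw)))         # after one logged session
    print(float(expected_exposure(len(pw), 10)))
```

The exposure grows with every observed login, which is why the scheme limits a keylogger rather than defeating it, and it does nothing against the man-in-the-middle case the comment raises.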

Lure? (1)

dmanny (573844) | more than 9 years ago | (#12445615)

Inigo Montoya: You keep using that word. I do not think it means what you think it means.

Lure is more synonymous with "bait". Crappy email messages are the bait. The use of keyloggers as a tool is more the trap than a lure.

You 1nsen5itive clod?! (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#12445624)

Memb3rs' 3reative

Workaround (1)

JadeNB (784349) | more than 9 years ago | (#12445646)

Maybe it's over the top, but couldn't you have a program which accepted some seed and then acted as an intermediary between what you type and what the password field sees, scrambling text appropriately? I guess you run into the problem of entering the seed out of sight of the keylogger, but maybe it could be something mouse-based (though, as others have mentioned, presumably mouse motion can be logged too). The final result would even be opaque to screencaptures, since you usually can't see what you're entering in a password field.

Phishers or miners? (4, Insightful)

pg110404 (836120) | more than 9 years ago | (#12445658)

Their advantage is that they compromise information long before the information has a chance to be encrypted.

Ultimately how identity information is revealed aside, is this a phishing attempt or a mining attempt?

Phishing has traditionally been initiated by a cleverly socially engineered email or some form of communication, redirecting the unsuspecting user to a counterfeit site designed to harvest that information. Like putting a worm on a hook and dropping it in the water, you hope for someone to nibble at it.

Mining on the other hand is like picking away at the ground, in this case undetected, hoping to find that cache of gold. There's no guarantee that you'll even find anything, and once keylogging software is installed on the victim's PC, there is no user interaction with it. There is no social engineering to be done.

So therefore, wouldn't keylogging really be more mining than phishing? Or should I stop wasting my time on /. and forget about semantics?