
IBM Reports On Spear Phishers

CmdrTaco posted more than 8 years ago | from the something-to-think-about dept.

Security 169

FrenchyinOntario writes "IBM reports that while "regular" phishing is declining the black hats are now engaging in targeted spear phishing to glean as much information about a specific identity as they can for all the usual cybercrime reasons. It concerns authorities because the usual suspects - criminal and terrorist organizations - will want to take advantage of this, but the chilling part is how your identity will now be dependent on multiple institutions protecting your personal information, as opposed to eBay, PayPal, your bank, etc."


169 comments

Slashdotted, mirror here (5, Informative)

winkydink (650484) | more than 8 years ago | (#13242789)

click me, click me! [networkmirror.com]

Re:Slashdotted, mirror here (1)

ergo98 (9391) | more than 8 years ago | (#13242871)

This sounds absolutely nothing like "phishing", but rather like targeted trojans to gain access to privileged info (getting some bank employee to launch a trojan). I'm fairly certain this has happened all along. Maybe the article summarizes the IBM information incorrectly.

When I first read the article summary, I thought it was going to describe indirect phishing - e.g. trolling for ancillary info about someone such that one can "recover" the account. e.g. Many accounts can be accessed by claiming a forgotten password, and answering trivial questions like D.O.B. or mother's maiden name, both of which a phisher could get fairly easily.

Re:Slashdotted, mirror here (1)

Shut the fuck up! (572058) | more than 8 years ago | (#13242887)

click me! click me! I'm a karma whore!

Re:Slashdotted, mirror here (3, Insightful)

ergo98 (9391) | more than 8 years ago | (#13242906)

The primary link is down, and people have to resort to mirrors. If Slashdot karma is all it takes to get people to help the system, then it seems pretty cheap.

Re:Slashdotted, mirror here (5, Funny)

winkydink (650484) | more than 8 years ago | (#13243044)

Karma has nothing to do with it. I do it for the sheer pleasure of annoying the heck out of people like you.

MOD PARENT UP! (0)

Anonymous Coward | more than 8 years ago | (#13243541)

Mod parent up!

w00 (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#13242794)

yay

black hats (0)

Anonymous Coward | more than 8 years ago | (#13242797)

I think many black hats would be upset with you calling them phishers..

Re:black hats (1, Funny)

Anonymous Coward | more than 8 years ago | (#13242961)

That's why I call them asexual, butt-ugly wankers.

So the phishers have refined their tactics (5, Funny)

Trigun (685027) | more than 8 years ago | (#13242800)

Didn't see that coming. Maybe their old tactics weren't working so well, so they had to adapt?
Naw, it's an intelligent design!

Re:So the phishers have refined their tactics (3, Funny)

ShaniaTwain (197446) | more than 8 years ago | (#13243034)

See this is why evolution should be banned!

not the teaching of evolution, evolution itself.
Then MEGACORP won't have to waste profits on securing their massive database of customer eyecolor and bloodtype.

Re:So the phishers have refined their tactics (1)

Iriel (810009) | more than 8 years ago | (#13243095)

That's not really intelligent design! By the time Microsoft actually takes a stand against current phishing schemes, it's called a reflex ;)

Re:So the phishers have refined SALMON PIES (1)

milktoastman (572643) | more than 8 years ago | (#13243139)

Could the "spear phishing" analogy be extended into salmon as one example? Now, I'm not so ambitious or overwrought as to try and work in the differences between pharm- and wild-raised salmon.

Re:So the phishers have refined their tactics (0)

Anonymous Coward | more than 8 years ago | (#13243250)

Intelligent design? Nah, God has always had terrible security. Look at the apple tree...

Re:So the phishers have refined their tactics (1)

Trigun (685027) | more than 8 years ago | (#13243393)

One exploit in the default install. That's as good of a track record as NetBSD!

Slashdot should change the 2 minute wait to 2 minutes per thread. This tabbed browsing is killing my slashdot productivity here.

what do they mean (3, Insightful)

eobanb (823187) | more than 8 years ago | (#13242805)

...by 'multiple institutions...as opposed to ebay, bank, etc.' Isn't that multiple institutions? I think what the summary is really trying to say is, to the phishers' advantage, a chain is only as strong as its weakest link.

Re:what do they mean (0)

Anonymous Coward | more than 8 years ago | (#13242870)

lol, what?

Scamming is way too easy (1)

DocSavage64109 (799754) | more than 8 years ago | (#13243410)

Just last week, a friend of mine's bank account was overdrawn on her payday even though she had direct deposit.

What happened is that someone used a fake id and her bank account number to cash $15,000 in fake money orders at two local banks. She didn't have even a thousand dollars in her account, but the banks gave the cash in "good faith". Well, now the bank is refusing to remove the 15,000 debit on her account and their only advice to her is to "borrow the 15,000 from your relatives and pay us back". She has already opened a new account at another bank, but I fear she may never get her paycheck the bank swallowed or the 15,000 off of her credit report.

On top of all that, after contacting the FBI, she was told that they won't even bother to investigate this crime. The agent said that other people have been scammed for millions and that her 15,000 isn't even worth it.

She is having a hard time getting any information on what the bank is doing to investigate this, but from what she can tell they are saying it's her problem because it is her account.

Re:Scamming is way too easy (1)

pete6677 (681676) | more than 8 years ago | (#13243796)

Tell her to complain to the state and federal regulatory boards. Banks are heavily regulated and this one probably violated some regulations in the course of these events. In fact, simply telling the bank manager that she will notify the boards will probably be enough to get the bank to take care of things on their own, since they really don't want any more regulatory red tape than they already have. And of course, filing a local police report will help to document the theft and make it more likely the bank will take it seriously. She will unfortunately have to do a lot of the leg work herself, since banks aren't especially motivated to go out of their way to help people in cases like this.

Re:Scamming is way too easy (1)

FLEB (312391) | more than 8 years ago | (#13243951)

I'd say to sue the bank for defamation of character or suchlike, but I imagine there's probably a protective law against that somewhere.

I really think that if the banks and information-holders were held to task and made legally liable for their part in unreasonable* information theft, you would see much more secure bank and credit card transaction handling.

* Yes, yes, I know, "unreasonable" is a sloppy, scary word. There would have to be a line drawn so that if the customer did not follow instructions or did not take standard precautions, they would be liable.

Re:Scamming is way too easy (0)

Anonymous Coward | more than 8 years ago | (#13244005)

Have your friend write to the bank president (on dead trees that is) explaining the unfairness of the situation, and include a rather visible carbon copy of the local television affiliate stations. Local news stations eat this stuff up, and it tends to get picked up by networks.

The FBI doesn't do wire fraud anyway, the Secret Service does. Try them.

A way around this... (5, Informative)

ajiva (156759) | more than 8 years ago | (#13242806)

There is one way around this: go to the 3 large credit companies and tell them to "freeze" your credit (I think it costs $5-$10). Anyway, nobody can open an account in your name, and as long as you remember to "thaw" your account before getting a loan, you'll be OK. It's not perfect, and I'd argue that all credit information should be purged from people who don't need it (this includes SSN numbers). Heck, none of this should even be on file...

Re:A way around this... (0)

Anonymous Coward | more than 8 years ago | (#13242916)

I know I'll be flamed for this, but this would not happen in a country with a national ID card. Want to open an account? Prove that you are who you pretend to be! I know that most Americans are more than reluctant to show any kind of identification to a cop, but this never happened to me.

Re:A way around this... (4, Insightful)

TripMaster Monkey (862126) | more than 8 years ago | (#13242959)


Yes, of course, because the National ID card is the magic wand of the identification world, isn't it? There's no way any one could possibly forge one of those...

Re:A way around this... (0)

Anonymous Coward | more than 8 years ago | (#13243382)

If you consider that French ID cards are a thousand times more secure than your dollar bills, then: yes, there is no way anyone could forge one of these.

Wrong! (2, Funny)

Anonymous Coward | more than 8 years ago | (#13243542)

It's not that the French ID cards can't be forged, it's that NOBODY wants to pretend to be French!

Re:A way around this... (2, Funny)

TripMaster Monkey (862126) | more than 8 years ago | (#13243661)


french ID cards are a thousand times more secure than your dollar bills

What an idiotic statement...for three reasons:
  1. Just how did you arrive at that figure 'a thousand times'? Show your math, please.
  2. The U.S. one-dollar bill is perhaps the most insecure piece of currency on the planet. Eight-year-old children can create counterfeit dollar bills with a decent color inkjet printer. Sorry, but something a 'thousand times' more secure than a joke does not exactly inspire feelings of security and trust.
  3. You referenced the French.

Please log off before you hurt yourself.

Re:A way around this... (3, Insightful)

pete6677 (681676) | more than 8 years ago | (#13243123)

On the contrary, it is the use of a national ID number (social security number) that makes identity theft so easy and common. If more than one number were required to prove identity, thieves would have to work a lot harder to pull it off and would be more likely to trip up and get caught. With so many banks and stores ready to hand out instant credit to anyone who comes along with an SSN and some minimal form of ID, it's no wonder that criminals are taking advantage of the system.

Re:A way around this... (2, Interesting)

Atzanteol (99067) | more than 8 years ago | (#13243484)

What if that ID card stored a private key and a chip to do encryption of incoming data on it? The bank/gov't has your public key. Near impossible to 'forge', and if it goes missing you can report it.

If we're going to get ID cards, I'd at least want them to be useful. At this point I'm in more danger of having my identity stolen than of being tracked by black helicopters...
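The challenge-response scheme this comment sketches, as an added example in Go that is not part of the thread or of any real ID-card system: the card holds a private key and only ever signs a fresh nonce the bank hands it, while the bank keeps the public key recorded at issuance plus a list of cards reported lost. Ed25519 from Go's standard library stands in for whatever the card's chip would implement, and the card ID, the `Demo` cases and the key-handling split are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Card stands in for the chip on the proposed ID card: it holds the private
// key and exposes a single operation, signing a challenge it is handed.
type Card struct{ priv ed25519.PrivateKey }

func (c *Card) Sign(challenge []byte) []byte { return ed25519.Sign(c.priv, challenge) }

// Verifier stands in for the bank: it keeps each card's public key from
// issuance and the IDs of cards reported lost.
type Verifier struct {
	pubs    map[string]ed25519.PublicKey
	revoked map[string]bool
}

func NewVerifier() *Verifier {
	return &Verifier{pubs: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
}

// IssueCard generates a key pair at issuance: the public half stays with the
// verifier, the private half goes onto the card and never leaves it.
func (v *Verifier) IssueCard(id string) (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	v.pubs[id] = pub
	return &Card{priv: priv}, nil
}

// Revoke marks a card as reported missing; it no longer authenticates.
func (v *Verifier) Revoke(id string) { v.revoked[id] = true }

// Challenge returns a fresh random nonce; signing a new value each time is
// what stops a signature captured earlier from being replayed.
func (v *Verifier) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Authenticate accepts a card only if it is enrolled, not revoked, and the
// signature verifies under the enrolled public key for this exact challenge.
func (v *Verifier) Authenticate(id string, challenge, sig []byte) error {
	if v.revoked[id] {
		return errors.New("card reported lost")
	}
	pub, ok := v.pubs[id]
	if !ok {
		return errors.New("unknown card")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Demo reports whether each case was accepted: the genuine card, a forged
// signature, a replayed signature, and the genuine card after it was reported
// lost. Only the first should come back true.
func Demo() (genuine, forged, replay, afterRevoke bool, err error) {
	bank := NewVerifier()
	card, err := bank.IssueCard("card-0001") // constructed card ID
	if err != nil {
		return
	}
	c1, err := bank.Challenge()
	if err != nil {
		return
	}
	sig1 := card.Sign(c1)
	genuine = bank.Authenticate("card-0001", c1, sig1) == nil

	// A forger knows the card ID and public key but not the private key, so
	// the best it can do is sign with a key of its own.
	_, forgerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	forged = bank.Authenticate("card-0001", c1, ed25519.Sign(forgerPriv, c1)) == nil

	// Replay: sig1 was captured earlier and is presented for a new challenge.
	c2, err := bank.Challenge()
	if err != nil {
		return
	}
	replay = bank.Authenticate("card-0001", c2, sig1) == nil

	// The owner reports the card lost; even the real card now fails.
	bank.Revoke("card-0001")
	afterRevoke = bank.Authenticate("card-0001", c2, card.Sign(c2)) == nil
	return
}

func main() { fmt.Println(Demo()) }
```

The point the comment makes about loss reporting shows up as the revocation list: a stolen card is useless after the owner reports it, and a copied public key is useless at any time, because nothing the bank stores is enough to produce a signature.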

You're right! (1, Insightful)

Karma_fucker_sucker (898393) | more than 8 years ago | (#13243154)

And...we should have people's religious preference and background on this ID. Then....if they're, let's say, Muslim or a convicted cracker, we'll have them wear a yellow star on their shirts. That way the children will be safe!

By the way, have you thought of being a psychic? You predicted the flaming. ;-)

Mental note... (0)

Anonymous Coward | more than 8 years ago | (#13243355)

"Troll" on /. == Satire.

Oh, I wish there was a way to explain humor or a poor attempt at it to the mods.

And Goddam /. for inventing "Troll" and "Flamebait"

Famous "Troll" and "Flamer" people:

Thomas Paine

Thomas Jefferson

Ben Franklin

Karl Marx

Dr. Rev. Martin Luther King

Martin Luther

etc ...

People who spoke what they truly believed and got Fucked for it!!!

MOD PARENT UP - Please. (1)

Karma_fucker_sucker (898393) | more than 8 years ago | (#13243392)

Thank you! I was just trying to illustrate why a national ID card would be folly. I guess one of the moderators was from Germany or something.

Re:A way around this... (1)

lobsterGun (415085) | more than 8 years ago | (#13243222)

I'd expect that identity thieves would LOVE this. They would only have to forge one document to steal your ID.

It would save them TONS of work.

So kids, if someone tells you they are in favor of a national ID card, hold on to your wallet. They are probably an identity thief.

Re:A way around this... (1, Interesting)

Anonymous Coward | more than 8 years ago | (#13242979)

This doesn't work. One of my best friends had his identity stolen and then Froze his credit, but Credit card companies were still issuing new cards in his name.

Re:A way around this... (0)

Anonymous Coward | more than 8 years ago | (#13243209)

Sooooo you mean I now have to thaw the credit for my next victim?

Besides making it one more step (which would be quite easy for the amount of money to be made), what is this going to accomplish?

Remember, they already stole your identity; it won't be too difficult to pretend they are you for the purposes of unfreezing credit.

Re:Freezing Credit (1)

The Angry Mick (632931) | more than 8 years ago | (#13243574)

It's not always necessary to pay a fee to protect your information. Certain states have passed laws allowing you to request the freeze for free - check your state regs for the details.

Folks should be aware that the credit industry is starting to push for legislation at the federal level that will be far weaker than, and will automatically trump, these state laws. God forbid they lose the ability to extend "valuable offers" from their affiliates and business partners.

Another alternative approach is to file a fraud alert on your credit report. Doing this is not as restrictive as a freeze, and it will severely limit the amount of people who get access to your files. Anyone attempting to establish a credit account in your name will be advised to contact you directly. The fraud alert can be left on your reports for as long as seven years, or until you request that it be removed (in writing). As an added bonus, you'll also be removed from a lot of junk mailing lists (!) - an instant opt-out, if you will.

slashdotted (0)

Anonymous Coward | more than 8 years ago | (#13242808)

No comments yet...and I still can't read the article.

first post? (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#13242809)

not...

aw, crud.. (5, Insightful)

werelord (562191) | more than 8 years ago | (#13242822)

And this is probably the easiest fishing they'll be able to do.. Until companies are made liable for any damages that occur when they "lose" their information, this will probably be an extremely easy method of fishing..

Social Engineering, anyone??

Re:aw, crud.. (0)

Anonymous Coward | more than 8 years ago | (#13243152)

Companies are already held liable for protecting credit card information. Across the country right now, every IT group in every company that deals with credit card transactions is under orders to meet new compliance regulations for data protection.

All retailers, banks, etc. are audited, and are required to meet all kinds of very strict requirements for encryption, network segmentation, authentication, logging, multiple internal firewalls, etc., for systems that house credit card data. It's a real thing, and it's big. It just takes a lot of time and money for companies to completely restructure their security, and the companies pay HUGE fines for not meeting the new compliancy standards.

of course, no matter how well people secure their data, there's always holes to be found, and ways around the security.

Re:aw, crud.. (1)

Karma_fucker_sucker (898393) | more than 8 years ago | (#13243206)

and the companies pay HUGE fines for not meeting the new compliancy standards.

Mr. AC,
Please define "HUGE". And who's to enforce this fine?

I mean, a $250,000 fine or whatever to a very large corp, is their toilet paper budget for the week. Which they'll then pass on to their customers and/or make their stockholders eat.

I have to say ... (3, Interesting)

Daniel Dvorkin (106857) | more than 8 years ago | (#13242825)

... I think it's kind of hilarious how stuffed-shirt companies like IBM, and the news organizations that report on them, have tried to adopt hacker slang. "Spear phishing"? It kind of reminds me of Christian pop music that desperately tries to be cool but always looks and sounds ten years behind the times.

Re:I have to say ... (0)

Anonymous Coward | more than 8 years ago | (#13242940)

for music, just wait 20 years, then it will be cool again.

Re:I have to say ... (1)

heatdeath (217147) | more than 8 years ago | (#13242969)

I hate to break it to you, but hacker slang isn't cool. "Stuffed shirt companies" are just a different form of uncool. Uncool meet uncool, and this is their love child.

Re:I have to say ... (1, Interesting)

Anonymous Coward | more than 8 years ago | (#13243268)

Um yeah, maybe in the 80's.

I suggest you actually listen to some of it today.... in fact you have, many hit the top 40 charts in "secular alternative" music over the past 5 years.

The clueless like you stay on your path to what you think. The rest of us get big shit-eating grins as you don't realize that bands like Creed and others are simply Christian rock bands that are flying under the radar, subverting you in your music... (OMFG! I better listen to some Insane Clown Posse to cleanse my soul of this evil Christianity! OMFG! OMFG! OMFG!)

Oh, let's forget that alternative hit from 3 years ago, "Flood", that STILL shows up in airplay on the "alternative rock" stations around the country....

Get a clue. You know nothing about what you speak of.

Re:I have to say ... (0)

Anonymous Coward | more than 8 years ago | (#13243394)

You like Creed? Shit is shit, no matter what the message is.

it's bad on IRC (3, Interesting)

eight and a quarter (904629) | more than 8 years ago | (#13242839)

i've found a gang of romanian scammers on a popular IRC server because a friend's machine was compromised for spamming. i joined the chan and just monitored for a few hours.. i logged everything, e-mailed them to the IRC administrator, and absolutely nothing has been done.

Re:it's bad on IRC (1)

TubeSteak (669689) | more than 8 years ago | (#13243111)

Try e-mailing it to the FBI or Secret Service. I'm pretty sure they have a taskforce devoted to international scammers

PLEASE TO BE NOT REPORTING US TO FBI!!!1 (2, Funny)

Anonymous Coward | more than 8 years ago | (#13243177)

Re:it's bad on IRC (4, Insightful)

Steinfiend (700505) | more than 8 years ago | (#13243146)

What are the IRC Ops supposed to do in a case like this? I'm not trying to be a troll, I'm seriously asking. They can ban the users, they can close the room, and they can send the logs to whatever law enforcement agencies are responsible for their area. However, how much will that achieve?

A Romanian scammer, on a Brazilian server (just a random pick, not trying to suggest anything negative about Brazil), scamming an American user. The legal hoops are mind-boggling. That's if the IRC Ops can even get any useful information from their logs, which isn't 100% sure.

Re:it's bad on IRC (1)

hcob$ (766699) | more than 8 years ago | (#13243736)

Let the UN control it.... Then everything will be ok. Trust us, we're doing it for your own good.

Protecting personal information is something new? (3, Insightful)

GFunk83 (686657) | more than 8 years ago | (#13242843)

"...the chilling part is how your identity will now be dependent on multiple institutions protecting your personal information, as opposed to eBay, PayPal, your bank, etc."

Wasn't it a company's responsibility to protect your personal information already? I don't understand how this new method of phishing changes that (not including the technical aspects of said protection).

An Open Information Society (4, Interesting)

under_score (65824) | more than 8 years ago | (#13242868)

I'm starting to feel like the right to privacy might be a red herring. The benefits of technology and a truly collaborative and just society might only be fully realized if we completely give up privacy... and that might actually be a good thing. I know that I've read an essay or something about this before, but I can't find a link - anyone know who wrote about this or where I can find some references? (Actually, Robert J. Sawyer [sfwriter.com] wrote a series of books where one of the societies is like this... but it's not what I'm thinking of.)

Re:An Open Information Society (4, Informative)

Locke2005 (849178) | more than 8 years ago | (#13243001)

Are you thinking of the Transparent Society [davidbrin.com] essay by David Brin?

Re:An Open Information Society (1)

under_score (65824) | more than 8 years ago | (#13243155)

Thanks! This is the one I was thinking of. Mod parent up - it's an important essay that should be made more commonly known.

Re:An Open Information Society (1, Insightful)

Taevin (850923) | more than 8 years ago | (#13243332)

Interesting essay, but the guy sounds like a bit of an asshole apologist for 'Big Brother'.
For in fact, it is already far too late to prevent the invasion of cameras and databases. The djinn cannot be crammed back into its bottle. No matter how many laws are passed, it will prove quite impossible to legislate away the new surveillance tools and databases. They are here to stay. Light is going to shine into nearly every corner of our lives.
Why? No one is going to 'legislate away' the development of new surveillance technology but what the hell does that have to do with using it to monitor everyone's activities? Assuming the people can actually rein in the government, laws preventing the use of such technology in any public place by any one for any reason would be easy to pass.

Again he just sounds like an asshole: "Our will is absolute and we will do as we please with your life and no, citizen, you cannot do anything about it because you are just a sheep to be led by your superiors." Fuck that.

Re:An Open Information Society (1)

daspriest (904701) | more than 8 years ago | (#13243561)

"Again, there are ubiquitous cameras, perched on every vantage point. Only here we soon find a crucial difference. These devices do not report to the secret police. Rather, each and every citizen of this metropolis can lift his or her wristwatch/TV and call up images from any camera in town. Here a late-evening stroller checks to make sure no one lurks beyond the corner she is about to turn. Over there a tardy young man dials to see if his dinner date still waits for him by a city fountain. A block away, an anxious parent scans the area and finds which way her child wandered off."

Actually the essay paints an interesting use for cameras in public places.

"Assuming the people can actually rein in the government, laws preventing the use of such technology in any public place by any one for any reason would be easy to pass."

How do you figure? We can't even get laws that fairly implement copyright passed in the US, so assuming that the people would be able to rein in government is a horrible assumption. I found the essay quite brilliant, and looking at the direction that things are going, I will move to city number 2, TYVM.

Re:An Open Information Society (1)

Hellburner (127182) | more than 8 years ago | (#13243662)

Actually, Sawyer also wrote along this line in his Neanderthal series.

This is a fictional Neanderthal dominated Earth where they have evolved a technological society.

Every action they make - their entire lives - is recorded. The recordings can only be accessed during legal proceedings.

I've read the first 1 and a half of the 3 books in the series. Pretty cool.

Re:An Open Information Society (0)

Anonymous Coward | more than 8 years ago | (#13243002)

here [amazon.com]

Re:An Open Information Society (0)

Anonymous Coward | more than 8 years ago | (#13243011)

I think you are thinking of Database Nation, by Simson Garfinkel

Re:An Open Information Society (1)

Tim C (15259) | more than 8 years ago | (#13243070)

How does that protect my bank account from unauthorised access? Sure, giving up my privacy would make it very much harder to blackmail me, but that's not generally what this sort of attack is about.

Re:An Open Information Society (1)

tsalaroth (798327) | more than 8 years ago | (#13243120)

One problem with an open InSoc is the potential development of a police state.

People break laws they don't agree with every day - including speeding, using illegal drugs (as opposed to legal ones [pmusa.com]), refusing to mow their lawns, etc.

With no privacy, the American police system will either fail miserably, or will over-compensate, and we'll have no privacy AND no freedom.

I wish we COULD live in a society where one could do what they wanted, and no one questioned it, so long as what you do doesn't infringe upon another's rights to do what THEY want. This means murder would still be illegal, as would many other things we already consider "wrong".

The problem comes in with laws that criminalize "victimless" actions. I know, there's no such thing as a victimless crime, but personal choice, such as sexuality and drug use should be something society shuns, not something the government criminalizes.

Re:An Open Information Society (1)

Frank T. Lofaro Jr. (142215) | more than 8 years ago | (#13243128)

And if you do something people don't like?

Everyone will judge you and you are guaranteed to piss people off.

Example:

Hit your child? Child abuser! (people saying this, let's call them group A)
Don't hit your child? Raising an undisciplined kid! (B)
No child? Something must be wrong with you! (C)

One of the above 3 groups will be pissed at you no matter what.

Also, there are unjust laws - imagine if you'd get convicted of every law you ever broke.

Most people alive would have over 100 years of jail time.

Re:An Open Information Society (1)

Chyeld (713439) | more than 8 years ago | (#13243148)

David Brin wrote Earth [amazon.com] where that was one of the sub-plots of the story, started with the invasion of Switzerland to end Swiss bank accounts or some such silliness. Might not be what you were looking for though.

prisoner's dilemma (1)

tacokill (531275) | more than 8 years ago | (#13243199)

This is a classic prisoner's dilemma. Your idea is a great one -- as long as EVERYONE plays by the same rules and opens up. If one person (or entity) does not, then they have an advantage over the rest of us.

And this is why your idea will not work. As long as there is incentive NOT to open up, then someone, someplace won't do it.


And for those that don't know what a prisoner's dilemma is, let me try to explain. It goes something like this: 2 prisoners are in jail and awaiting trial. The expected outcomes of their sentence are:
a) if person A cooperates and the other doesn't, the one who cooperated gets 0 years and the other gets 5 years.
b) if they both cooperate w/ authorities and turn on each other, they will both receive 2 years.
c) if they both don't cooperate, they both get 0 years


This creates an interesting problem because the natural reaction is to rat each other out and assure their own minimal sentence. However, if they both do that, then they both get screwed with a 2 year sentence. The best of all outcomes is that they both keep quiet and get 0 years --- but the likelihood of that happening is small because there is such an incentive to rat the other guy out.

Re:An Open Information Society (0)

Anonymous Coward | more than 8 years ago | (#13243293)

I agree and I propose to take the first step by watching my sexy neighbor take her shower.

Re:An Open Information Society (1)

Brandybuck (704397) | more than 8 years ago | (#13243386)

Privacy exists, but people treat it strangely. They want it to be legally protected like property but are unwilling to personally protect it. For example, you lock your doors at night but consider buying a firewall too inconvenient. We peek out the door to see who's there before opening it, but we open every email regardless of who sends it.

Our attitude towards privacy is like living in a house without doors and then complaining that the government needs to do something to stop the epidemic of robberies.

Another stupid cutesy technical term? (5, Funny)

Heffenfeffer (888559) | more than 8 years ago | (#13242874)

'Spear phishing'? Oh great, what's next?

Bass phishing - searching for orders made at koss.com
Phly phishing - searching for info in TRL posts
Net phishing - Oh, wait...

Re:Another stupid cutesy technical term? (1)

Schwartzboy (653985) | more than 8 years ago | (#13243416)

Ice Phishing: Breaking through a wall of "black ice" when attempting to get your phishing phreak on during an intense hack.

Re:Another stupid cutesy technical term? (1)

pherthyl (445706) | more than 8 years ago | (#13243718)

I would think since they blindly send out mass emails, it really is closer to dynamite phishing.

Server (3, Informative)

cached (801963) | more than 8 years ago | (#13242911)

Because the server is being /.ed, here's TFA:

A report published this week from IBM Corp. suggests that phishing schemes are growing in sophistication, allowing would-be Internet criminals to target their victims by name. A targeted or "spear phishing" attack is designed to extract data from a specific individual or organization, maximizing damage caused and financial gain. IBM estimates that these types of attacks have grown ten-fold this year alone. According to the company, they can be used for identity theft, extortion, fraud and to steal specific intellectual property.

"We're seeing it as a targeted security threat within financial institutions as well as government regulatory bodies," said Michael Small, security practice leader for IBM Canada. "It's very targeted with a specific purpose to ensure that they try to get access to privileged information for, usually, profit. Its concerns are linked to cyberterrorism as well as obviously organized crime."

Until now, the most common form of phishing attacks were those that attempt to disguise themselves as e-mail from banks or common consumer Internet services like eBay or its payment arm PayPal. They aren't addressed to a specific person but are sent out as widely as possible in an attempt to snare a few unfortunates who are willing to part with bank account information or their eBay identities.

Mary Kirwan, CEO of Toronto-based security firm Headfry Inc., said that these types of attacks may be on the decline but agreed with IBM that spear phishing is a growing concern. "These are higher payoff crimes, so it's in their interest to follow the money, essentially," she said. "There's no real consensus among the global banks as to how to deal with that right now. Some of the banks are acknowledging that you don't have to be a dummy to fall for these scams."

This isn't the first time banks have been identified as a lucrative target. In 2003, Symantec Corp. noted that a virus called Win32.Bugbear.B was sent by likeminded criminals to financial institutions such as J.P. Morgan Chase, Citibank and American Express. Security experts believed that Bugbear was designed to scan an inbox for any indication that it belonged to a bank employee.

Recovery from targeted attacks and malware in general costs a Canadian organization an average of $30,000 to $40,000, said Small. He added that IBM is sharing its research with customers, partners and vendors to help them prevent such attacks.

Nuisance e-mail like spam appears to be leveling off, according to the IBM report. In January of this year, spam accounted for 83 per cent of global e-mail. That number had fallen to 67 per cent by June.

There are new problems on the horizon, however. In March, a new threat called Domain Name Service (DNS) cache poisoning was discovered. Cache poisoning can hijack a user's browser and direct them towards a specific site or advertisement by corrupting a DNS server's ability to map machine host names to a correct IP address. Variations of these types of attacks have been around for years, but cache poisoning is becoming more sophisticated and a DNS server that isn't configured properly is particularly susceptible.
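The article's distinction between mass phishing and a lure "addressed to a specific person" is the detection problem: a targeted mail gets the wording right, so a filter has to look at structure instead. As an added example (not from the IBM report or the article), here is a small Go checker for four structural traits that survive good wording: a Reply-To at a different domain than From, a display name that is itself an address at another domain, link text showing one domain while the href leads elsewhere, and a bare IP or punycode host in a link. The two messages are constructed samples, and the indicator names and the choice of checks are assumptions for illustration rather than any vendor's rule set.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/mail"
	"net/url"
	"regexp"
	"strings"
)

// domainOf returns the lower-cased part after the last "@" of an address.
func domainOf(addr string) string {
	if i := strings.LastIndex(addr, "@"); i >= 0 {
		return strings.ToLower(addr[i+1:])
	}
	return ""
}

// hostOf returns the lower-cased host of a URL, or "" if it does not parse.
func hostOf(raw string) string {
	if u, err := url.Parse(raw); err == nil {
		return strings.ToLower(u.Hostname())
	}
	return ""
}

var (
	anchorRe     = regexp.MustCompile(`(?i)<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>`)
	domainLikeRe = regexp.MustCompile(`(?i)\b([a-z0-9-]+\.)+[a-z]{2,}\b`)
)

// Indicators parses one RFC 822 message and returns the names of the structural
// spear-phishing indicators it triggers (empty means none fired). The checks are
// deliberately independent of wording, which is what a targeted lure gets right.
func Indicators(raw string) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return nil, err
	}
	fromDomain := domainOf(from.Address)
	var hits []string
	// 1. Reply-To steers answers to a domain other than the sender's.
	if rt := msg.Header.Get("Reply-To"); rt != "" {
		if a, err := mail.ParseAddress(rt); err == nil && domainOf(a.Address) != fromDomain {
			hits = append(hits, "reply-to-domain-mismatch")
		}
	}
	// 2. Display name is itself an address at another domain, so the mail
	//    client shows a trusted-looking sender the real address contradicts.
	if strings.Contains(from.Name, "@") && domainOf(from.Name) != fromDomain {
		hits = append(hits, "display-name-address-mismatch")
	}
	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return nil, err
	}
	for _, m := range anchorRe.FindAllStringSubmatch(string(body), -1) {
		host, text := hostOf(m[1]), m[2]
		// 3. Link text shows one domain but the href leads somewhere else.
		shown := strings.ToLower(domainLikeRe.FindString(text))
		if shown != "" && host != "" && !strings.HasSuffix(host, shown) {
			hits = append(hits, "link-text-host-mismatch")
		}
		// 4. Bare IP address or punycode (IDN lookalike) host in a link.
		if net.ParseIP(host) != nil {
			hits = append(hits, "link-ip-host")
		}
		if strings.Contains(host, "xn--") {
			hits = append(hits, "link-punycode-host")
		}
	}
	return hits, nil
}

// Constructed samples (not real mail): an ordinary internal notice and a
// targeted lure addressed to the same named employee.
var BenignSample = strings.Join([]string{
	`From: "Payroll Team" <payroll@corp.example>`,
	`To: bob@corp.example`,
	`Subject: July payslip available`,
	``,
	`Bob, your payslip is at <a href="https://hr.corp.example/payslips">hr.corp.example</a>.`,
}, "\n")

var SpearSample = strings.Join([]string{
	`From: "ceo@corp.example" <ceo.corp.example@mail-relay.test>`,
	`Reply-To: <ceo-office@webmail-free.test>`,
	`To: bob@corp.example`,
	`Subject: Urgent wire for the acquisition`,
	``,
	`Bob, approve the transfer at <a href="http://203.0.113.7/approve">hr.corp.example</a> before noon.`,
}, "\n")

func main() {
	fmt.Println(Indicators(BenignSample))
	fmt.Println(Indicators(SpearSample))
}
```

Run it and the benign notice comes back with no indicators while the lure trips all four; in practice each hit would feed a score or a quarantine rule rather than a hard block, since legitimate mail (mailing lists, ticketing systems) sets Reply-To to another domain all the time.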
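The article says only that a DNS server "that isn't configured properly" is particularly susceptible to cache poisoning. The two long-standing checks a resolver must enforce are that a reply carries the transaction ID of the query it answers, and that it caches only records the queried server is entitled to speak for (the "bailiwick" rule, which rejects an additional record for some other zone smuggled in beside a legitimate answer). As an added example, not from the article or any resolver's code, here is a toy resolver cache in Go that enforces both; the record type, the zone names, the addresses and the transaction ID are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// RR is a minimal resource record: owner name, type and value.
type RR struct{ Name, Type, Value string }

// Response is what the resolver gets back from the server it asked: the
// transaction ID echoed from the query plus the answer and additional sections.
type Response struct {
	TxID       uint16
	Answers    []RR
	Additional []RR
}

// Cache is a toy resolver cache keyed by owner name.
type Cache struct{ entries map[string]RR }

func NewCache() *Cache { return &Cache{entries: map[string]RR{}} }

func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(name), ".")
}

// inBailiwick reports whether name is the zone itself or lies beneath it,
// i.e. whether a server authoritative for zone is entitled to speak for name.
func inBailiwick(name, zone string) bool {
	name, zone = normalize(name), normalize(zone)
	return name == zone || strings.HasSuffix(name, "."+zone)
}

// Accept validates a response against the outstanding query: the transaction
// ID must match the one the resolver sent, and a record is cached only if it
// is inside the bailiwick of the server that was queried. It returns the
// records it cached and the records it dropped.
func (c *Cache) Accept(expectedTxID uint16, queriedZone string, resp Response) (accepted, rejected []RR) {
	all := append(append([]RR{}, resp.Answers...), resp.Additional...)
	if resp.TxID != expectedTxID {
		// Wrong ID: a spoofed or stale packet, so nothing in it is trusted.
		return nil, all
	}
	for _, rr := range all {
		if inBailiwick(rr.Name, queriedZone) {
			c.entries[normalize(rr.Name)] = rr
			accepted = append(accepted, rr)
		} else {
			rejected = append(rejected, rr)
		}
	}
	return accepted, rejected
}

// Lookup returns the cached record for a name, if any.
func (c *Cache) Lookup(name string) (RR, bool) {
	rr, ok := c.entries[normalize(name)]
	return rr, ok
}

func main() {
	cache := NewCache()
	// Constructed scenario: the resolver asked the server for attacker.test
	// (txid 0x1234) about www.attacker.test, and the reply carries an extra
	// "additional" record claiming an address for the bank's login host.
	poisoned := Response{
		TxID:       0x1234,
		Answers:    []RR{{"www.attacker.test", "A", "203.0.113.5"}},
		Additional: []RR{{"login.bank.example", "A", "203.0.113.66"}},
	}
	acc, rej := cache.Accept(0x1234, "attacker.test", poisoned)
	fmt.Println("cached:", acc, "dropped:", rej)
	_, ok := cache.Lookup("login.bank.example")
	fmt.Println("bank record poisoned?", ok) // false
}
```

Real resolvers add source-port randomization and, where the zone is signed, DNSSEC validation on top of these two checks; the bailiwick rule alone is what turns the smuggled record into a dropped record instead of a cached one.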

Lucrative Targets... (1)

bwcbwc (601780) | more than 8 years ago | (#13243377)

This isn't the first time banks have been identified as a lucrative target.

More like the billionth time. As Willie Sutton [wikipedia.org] never said when asked why he robbed banks: "Because that's where the money is."

Why phishing? (2, Funny)

spun (1352) | more than 8 years ago | (#13242932)

Why not phunting or gaphering, hmmm? Isn't this whole thing rather fish-centric? I prefer to think of the rubes taken in by these cons as vegetables, thus I think we should use the term gaphering.

Re:Why phishing? (0)

Anonymous Coward | more than 8 years ago | (#13243021)

Or sheep, suggesting "phlocking" instead. Or would that be seagulls?

Phishing to Fish (1)

Gnpatton (796694) | more than 8 years ago | (#13242937)

One development I see this coming from is how phishers will try to 'spear phish' to get the most detailed information out of an individual, then pose as that individual to phish out the rest of the pool. Suppose a phisher was able to get very detailed information about an xyz CEO. Impersonating said CEO could give the phisher much more valuable information from the other employees. Spear phishing can catch small fish so that they can use it for bait for larger fish.
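
The impersonation step in that scenario leaves traces in the mail headers that a gateway can check before the message reaches the "other employees". As an added example (not from this commenter, the article or IBM), the Python below runs three such checks over two constructed messages using only the standard library: an executive's display name on an address that is not the one on file, a sender domain that collapses to the corporate domain once common look-alike characters are undone, and a Reply-To that routes answers to a different domain. The corporate domain, roster and messages are all made up.

```python
"""Header checks for the CEO-impersonation pattern described in the comment above.

Added example for this discussion; not code from IBM's report or the article.
CORP_DOMAIN, EXECUTIVES and the two messages are constructed inputs that a
real deployment would take from a directory and the mail stream.
"""
from email.parser import Parser
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                      # assumed corporate domain
EXECUTIVES = {"pat example": "pat@example.com"}  # assumed roster: lower-cased display name -> real address


def normalize_domain(domain: str) -> str:
    """Undo the character swaps typically used to register look-alike domains."""
    d = domain.lower()
    for lookalike, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(lookalike, real)
    return d


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def score_message(raw: str) -> list:
    """Return a list of findings for one message; an empty list means nothing suspicious."""
    msg = Parser().parsestr(raw)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)

    # Check 1: an executive's display name on an address that is not the one on file.
    roster_addr = EXECUTIVES.get(name.strip().lower())
    if roster_addr and addr.lower() != roster_addr:
        findings.append("executive display name on non-roster address: %s <%s>" % (name, addr))

    # Check 2: a sender domain that becomes the corporate domain once confusables are undone.
    if from_domain and from_domain != CORP_DOMAIN and normalize_domain(from_domain) == CORP_DOMAIN:
        findings.append("look-alike sender domain: " + from_domain)

    # Check 3: replies routed somewhere other than the sender's own domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("Reply-To domain differs from From domain: " + domain_of(reply_addr))

    return findings


# Constructed messages (not real mail): a spear-phish and a legitimate note.
PHISH = """From: Pat Example <pat.example@examp1e.com>
Reply-To: Pat Example <ceo.urgent@mail.example.org>
To: finance@example.com
Subject: Wire needed today

Please process the attached wire before 5pm.
"""

LEGIT = """From: Pat Example <pat@example.com>
To: finance@example.com
Subject: Board deck

See attached.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, score_message(raw) or "clean")
```

None of the three checks needs the message body, so they run cheaply on every inbound message; the roster check is the one that catches the attack Gnpatton describes, since the attacker has to use the executive's name to be believed and cannot use the executive's real mailbox.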

hmm. ibm ? (-1, Troll)

Anonymous Coward | more than 8 years ago | (#13242955)

Sorry to play the tripped out hippy troll, but does anyone care what IBM have to say about anything anymore?

A known globalist company who equipped Nazi concentration camps with equipment to record executions and who are now equipping governments to impose new levels of intrusion on citizens.

Not sure IBM are some comfy old pair of slippers giving good advice to the world, they are an unaccountable global mega corp serving the new agenda.

oh they made some cool chips for apple once.

Opportunity to make a difference? (4, Interesting)

It doesn't come easy (695416) | more than 8 years ago | (#13242972)

I've always thought that someone with a strong opinion on the pitiful state of privacy laws in the US would ... how do you say it ... demonstrate just how easy it is to steal someone's identity in this country (using, of course, selective politically connected individuals as test cases). Nothing like getting a senator interested in stronger privacy protection after they get the bill for that $5000 digital camera someone "bought" using their credit card.

Re:Opportunity to make a difference? (0)

Anonymous Coward | more than 8 years ago | (#13243187)

this is a "me too" post!

I agree. Look at stem cells and the Reagans (1, Insightful)

Anonymous Coward | more than 8 years ago | (#13243231)

It's still a hot debate, but some Republicans definitely perked their ears up when Ron Reagan's family started getting involved with stem cell lobbying.

All it takes is one high-profile, CNN-covered major story to get our government's attention and get some changes done.

Re:Opportunity to make a difference? (1)

Evil Butters (772669) | more than 8 years ago | (#13243467)

Sorry, even if you can steal the identity of a US Senator, not much will happen. From a recent article, "Two people who tried to use a credit card number belonging to Cindy McCain, the wife of Sen. John McCain, were sentenced Wednesday to 2 1/2 years in prison for identity theft." Aside from 2.5 years in prison (probably less with parole), nothing else has really been done with this incident. Here's the actual article [azcentral.com] from the AZ Republic, if anyone's interested.

The real question is... (3, Funny)

swelke (252267) | more than 8 years ago | (#13242993)

The real question is: Would this still be news if they hadn't come up with such a catchy name (spear phishing)?

Re:The real question is... (0)

Anonymous Coward | more than 8 years ago | (#13243092)

s/catchy/gay/g

Multiple institutions *are* responsible (5, Interesting)

MirrororriM (801308) | more than 8 years ago | (#13243038)

but the chilling part is how your identity will now be dependent on multiple institutions protecting your personal information

The way I see it, all personal information I send to a particular company should be confidential and protected. Some of it they simply don't need. For instance, why the hell did the clerk at Hollywood Video ask for my SSN to open a damn account to rent movies?! They did not need my SSN and I sure as hell didn't give it to him either, but it makes me wonder how many people actually *have* given out their SSN just for a Hollywood Video account. Not good.

If a company does not protect my personal information and it gets stolen and/or misused, you bet your ass they'd see some backlash from me. The only bad thing is, it's hard to figure out exactly *which* company that held your personal information was compromised. It's certainly not like they're going to volunteer the fact that they were compromised, otherwise you might take your business elsewhere (to a more responsible company). Just look at the millions of people who had their information on backup tapes "misplaced" by a UPS driver (posted on Slashdot a while back) after the company was stupid enough to send that info via UPS to begin with.

Companies that have our personal information need to be held accountable on how they handle it and should be prosecuted to the fullest when they mishandle it.

Re:Multiple institutions *are* responsible (3, Interesting)

Karma_fucker_sucker (898393) | more than 8 years ago | (#13243288)

why the hell did the clerk at Hollywood Video ask for my SSN to open a damn account to rent movies?!

Video places use it for a credit check. They're loaning you a movie.

On the other hand, here's a trick I learned. When you're asked for a SSN, say "I'm soooo sorry! I didn't think I needed it. I'll have to come back!" 90% of the time, the clerk will just say "We really don't need it, just hang on." I kid you not! Try it! It pisses me off that a lot of firms "require" this information but when you balk or plead stupidity (in my case), it's amazing how it all of a sudden "doesn't matter."

When I was taking a marketing class, we were told by the Prof. that to get information for whatever reason, all we had to do was ask. Most people just hand it over. I would love to get into the social reasons for this, but for now, I'll just say that we're all (in Western countries at least) to just shut up and hand over anything anyone in authority or perceived authority requests...I'm starting to rant and my spellink is going to hell. Off to the porn sitesss!

Re:Multiple institutions *are* responsible (1)

robertgeller (882730) | more than 8 years ago | (#13243375)

Most people just hand it over. I would love to get into the social reasons for this, but for now, I'll just say that we're all (in Western countries at least) to just shut up and hand over anything anyone in authority or perceived authority requests...I'm starting to rant and my spellink is going to hell. Off to the porn sitesss!

That's very true. I bet all of us have been to U.S. airports post-9/11. What's with the TSA mandating that everyone takes their shoes off? We just don't do it, and if they give us a hard time, we'll wait in that little compartment until they look over our stuff and let us go. Too many Americans just think, "oh well, it's no big deal; just get it over with." However, that's an awful mentality when we consider history and how it's affected previously apathetic populations. Needless to say, no longer were they apathetic!

Re:Multiple institutions *are* responsible (1)

Karma_fucker_sucker (898393) | more than 8 years ago | (#13243443)

Absolutely. Once, while being screened, the TSA guy in Phoenix actually asked if it was "Ok". I said "Do I have a choice?" He said, "Yes. If you refuse, that officer (pointing to a local cop) will escort you to the curb outside."

The sucky part is if we want to stick our rights, we have to eat the cost of the plane ticket. And the time, too. It really pisses me off too that we either have to put up or eat the plane ticket. I don't have the money to do that. Oh, I wish! The fuckers!!!!

P.S. The pornsites are boring today!

So lemme get this straight . . . (1)

mmell (832646) | more than 8 years ago | (#13243053)

Instead of harvesting as much information as possible about everyone they can and then winnowing that down to information they can use, the cybercrooks are now targeting those individuals from whom they expect to be able to steal something, and then going after all the information they can on that select group?

This is great!!! With my credit history, I'm safer than ever now! Nobody in his right mind would try to use my identity for any money-making venture! ;^D

scattered info (1)

milktoastman (572643) | more than 8 years ago | (#13243065)

The "spear" dubnym surprises me. Why is it we're not out on the theft ledge just as yet? So, I feel a little ill coming down off the server room floor, and I read this, and I'm glad the air is on. So many little busy unlaid phisher bitches out there want to steal my identity. Hey, I'll hand it to you and give you a 200 dollar shopping spree if you want to come fight me for it in person. And I don't mean your bosses in the mob paying you for your efforts...I mean you. If you're bigger than me...well, I guess I'm screwed. Doogs. I know one thing though, the blue color is dark and pinpricked as with stars at the very point where we meet. Look, it's like a faded poster for the old 80's classic.

Re:scattered info (0)

Anonymous Coward | more than 8 years ago | (#13243133)

scattered info? hello? bring it back home bay-bee, bring it back. bring it back home bay-bee, bring it back.

macaroni candle

Re:scattered info (1)

milktoastman (572643) | more than 8 years ago | (#13243174)

I put a mention out to salmon in a comment above. Do you like salmon from the electric blue, or the sickly green?

If they would just attack the politicians... (1)

ScooterBill (599835) | more than 8 years ago | (#13243246)

You just know that something would be done to limit sharing of financial and personal information if a bunch of high ranking congresspeople had their identities stolen. Perhaps then they would think of someone other than the corporations who insist on "the right" to share whatever information they want about anybody.

M

Fun with adverbs (4, Funny)

Jeremi (14640) | more than 8 years ago | (#13243400)

"Its concerns are linked to cyberterrorism as well as obviously organized crime."


Surreptitiously organized crime may be involved also, but they keep such a low profile that it's hard to tell.

Account Accountability (1)

Doc Ruby (173196) | more than 8 years ago | (#13243444)

The only way to protect our info is through a combo of tech and law. We need to keep control of our personal info ourselves, through crypto client databases which issue one-time password access to counterparties which need to authenticate us. We need to minimize the authentication transactions to only those necessary for actual authentication, encapsulating the transactions as much as possible - passing only money to counterparties, rather than our identities, for example. We need to log accesses to our personal info, to audit unauthorized accesses.

And we need to protect those transactions with clear laws with real teeth. Jail time for people committing unauthorized use of our identities. Copyright protection of personal info passed in a transaction, which prohibits further distribution beyond the authorized transaction, even within the momentarily authorized organization.

We've been living an adolescent bliss of low risk and unaccountability. But now that we've grown up, we need to act our age.
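
The "crypto client database" that hands one-time passwords to counterparties and logs every access can be sketched in a few dozen lines. What follows is an added example for this discussion, not code from the commenter or from any product: the codes are HOTP (RFC 4226, HMAC-SHA1 over a 64-bit counter), the vault, the party name and the look-ahead window are constructed, and the secret is the one from the RFC's test appendix so the first codes it produces are the RFC's published values. The interesting behaviour is in `verify`: a code is accepted once, a replay is refused, and presenting a later code invalidates the earlier ones, which is the caveat anyone deploying counter-based codes has to plan for.

```python
"""Counter-based one-time codes with an access log, as a sketch of the
"crypto client database" idea in the comment above.

Added example for this discussion, not from the comment's author or any
product. Algorithm: HOTP (RFC 4226). The vault, party names and look-ahead
window are constructed; RFC_TEST_SECRET is the RFC's own test secret.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class IdentityVault:
    """Holds one secret per counterparty, hands out codes, verifies each once.

    A party only ever sees codes, never the secret, and every issue,
    acceptance and rejection is appended to `log` for later audit.
    """

    def __init__(self, look_ahead: int = 3):
        self.look_ahead = look_ahead   # how many unused codes may be skipped
        self._secrets = {}             # party -> secret bytes
        self._next_issue = {}          # party -> next counter to hand out
        self._next_expected = {}       # party -> lowest counter still acceptable
        self.log = []

    def register(self, party: str, secret: bytes) -> None:
        self._secrets[party] = secret
        self._next_issue[party] = 0
        self._next_expected[party] = 0

    def issue(self, party: str) -> str:
        counter = self._next_issue[party]
        self._next_issue[party] = counter + 1
        self.log.append(("issued", party, counter))
        return hotp(self._secrets[party], counter)

    def verify(self, party: str, code: str) -> bool:
        """Accept a code at most once; codes skipped over are invalidated."""
        secret = self._secrets.get(party)
        if secret is None:
            self.log.append(("rejected", party, "unknown party"))
            return False
        start = self._next_expected[party]
        for counter in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(secret, counter), code):
                self._next_expected[party] = counter + 1
                self.log.append(("accepted", party, counter))
                return True
        self.log.append(("rejected", party, "no match from counter %d" % start))
        return False


RFC_TEST_SECRET = b"12345678901234567890"   # RFC 4226 appendix D test secret


def demo() -> dict:
    vault = IdentityVault()
    vault.register("bank", RFC_TEST_SECRET)
    first = vault.issue("bank")                      # counter 0 -> "755224"
    results = {
        "first_code": first,
        "first_use": vault.verify("bank", first),    # accepted
        "replay": vault.verify("bank", first),       # refused
    }
    second, third = vault.issue("bank"), vault.issue("bank")
    results["out_of_order_third"] = vault.verify("bank", third)  # accepted, window skips counter 1
    results["stale_second"] = vault.verify("bank", second)       # refused, counter 1 is now behind
    results["log_entries"] = len(vault.log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The log is what makes the "audit unauthorized accesses" part of the proposal workable: a run of rejections for one party is the signal that someone is guessing or replaying codes on that party's behalf, which is exactly the pattern a spear phisher who has harvested a stale code would produce.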

Probably been going on for a long time (3, Insightful)

Animats (122034) | more than 8 years ago | (#13243803)

The "computer security" industry has turned into a volume business aimed at annoyance attacks. The very profitable "wait for high-volume exploit and patch" mindset into which the industry has settled is useless against serious attackers.

A serious attack has a specific target and attacks it quietly. Serious attackers aren't going to show up in the "top 10 virus" lists. They're probably not going to use an attack that appears in some known signature list. They may have the ability to craft their own attacks, or at least modify known ones beyond recognition. The volume-oriented defense techniques won't work.

Military security people are very aware of this issue. You don't want to tie up all your resources chasing kids who are throwing rocks at the airfield fence. The real threat is probably being quietly mounted elsewhere.
