Capital One Phish… watch out
A well-crafted phish… scare tactics… this one has been reported.
Thanks Mitch.
Jerome
|
Strange email (spam for sex)
This is a sort of follow-up to the previous entry made by “TinfoilHatMan”.
Spammers can be… oh so creative…

Apparently I have an ad on a dating site???
She seems pretty needy… or insatiable??
Of course I can’t do a reply from the original email because… well, IT’S SPAM!!!!
Instead, let’s use a real account where I can get lured into disclosing more information… or simply confirm that my email address really exists. Either way, this type of spam may appeal to single guys who are really desperate to fulfill their needs and this lady’s…
Jerome
|
Anatomy of a PayPal scam
Today, I am going to illustrate a typical phishing scam targeting PayPal, the well-known online payment company.
It all starts with a well-crafted email supposedly from the company. The topic: account maintenance. Here we see a very common trick used by scammers: pretending to improve security measures.
Of course, in order to do so the user must provide all of his login information.
1. The Phish email:

Note the threatening “we would have to limit it [your account]“, and also the spelling mistake in the Subject:”Account Maintainance”
Many scams contain grammar or spelling errors, often because the scammers are not native English speakers.
2. The fake site:

Visit the real site http://www.paypal.com and check for yourself how similar they look.
3. The credentials entry:

When investigating a phish, never enter real credentials; it’s always better to use a fake identity.
4. The scammers’ greed: more, more and more

With this information, a scammer owns your life. Pretty scary.
5. The profit:

Some guy with an IP in Thailand is very happy.

We have reported this scam to the appropriate authorities. It’s not going to stop the bad guys behind it, just put a little dent in their profits.
However, as responsible and careful end users we can have a greater impact. If you ever feel uncomfortable revealing some information, take the time to stop and consult a friend or someone you trust.
I have fallen for some advertising tricks before, simply because the person bombards you with information and wants an answer now. What works here is confusing you and not leaving you any time to think.
Remember that there is no rush, and the email can wait until the next day.
Jerome
|
Targeted Phishing, an example.
I thought it would be educational to break down a targeted phishing attempt, to help demonstrate how effective this type of attack can be.
I collect video games. In my quest for the ever rare peripheral, or the out of print classic game, I’ve often done business with strange companies based in far away lands.
One of those was a wonderful little outfit called Lik-Sang. They used to carry all sorts of “hard to get” stuff from the Mecca of video game land: Japan.
Of course, sometimes items that were not intended for other markets could be had, like a foreign console that would let you play the few titles that did not require intimate knowledge of Japanese, well in advance of their US release.
This behavior generally tends to be frowned upon by the manufacturers of said products. That is why they have things such as region-coded games, after all.
As luck would have it, Lik-Sang attracted the ire and, more importantly, the scrutiny of the legal department at the Sony Corporation. This was followed by some legal entanglement better explained here: http://www.lik-sang.com/ and more importantly summarized by this comment: “As of today, Lik-Sang.com will not be in the position to accept any new orders and will cancel and refund all existing orders that have already been placed. Furthermore, Lik-Sang is working closely with banks and Paypal to refund any store credits held by the company, and the customer support department is taking care of any open transactions such as pending RMAs or repairs and shipping related matters. The staff of Lik-Sang will make sure that nobody will get hurt in the crossfire of this ordeal.”
I must admit I was disappointed that they went out of business. A couple of weeks later I received an email, apparently from Lik-Sang, informing me that I had a $10 credit on my account with them. Nothing too unusual there, as I had done business with them in the past. I was a little surprised, though. I didn’t remember any credit. I read further into the email, where they kindly asked me to fill in my PayPal username and password so that they could refund me my money.
Hold on, wait a minute, my username and password? This was a phishing attempt! I would like to believe that this was created by a crafty phisher, who decided to capitalize on the downfall of Lik-Sang, but it is much more probable that someone in the IT department at Lik-Sang decided to sell the email client list on their way out. This is another painful reminder that no matter how much you may trust the business entities that you share your email address with, things may change.
So now we have to worry about who has our email address in their databases and how well they secure this information. This only reinforces my belief that the throw-away e-mail address is now a necessity. I diligently read what lands in that inbox, but everything is taken with a grain of salt.
Jean “TinFoilHatMan” Taggart
|
Gone Phishing…
More and more sensitive information is exchanged online, so much so that most of the time we don’t realize it. We log into our email account(s), our bank sites, our eBay account, etc. Every time we do that, a transaction happens: we send passwords, usernames or credit card numbers to an external server. Of course, we know why it is so important to choose a strong password, but do we realize that it is totally useless if we cannot trust the recipient we are sending it to?
That is where an attacker can exploit that trust. Phishing is any action taken to fraudulently acquire private information by pretending to be a real and trustworthy entity.
Hackers quickly realized how much value there was in phishing scams. Stealing somebody’s credentials can give full access to very private information and effectively total control of someone’s life (provided that the person does some online banking, logs into her healthcare site and so on).
There are many ways to carry out a phishing scam. First of all, the victim needs to be contacted in some way. It could be an email that leads you to a fake site, or it could be a typical malware infection that hijacks the web browser and redirects it to fraudulent websites whenever the victim types in the URL or clicks on a bookmark.
Secondly, because the phishing site will be hosted on a different domain than the real one, the hacker needs to trick the user into believing this is the correct URL. A classic example is to slightly modify the domain name. Typos are also commonly used.
Real: www.google.com
Fake: www.go0gle.com
Real: www.facebook.com
Fake: www.facebook.com.profile.php.id.37122.cn
Figure 1: phishing site targeting Facebook users. Notice the URL ending in “.cn”
Another technique, called website forgery, uses scripts to alter the address bar. The legitimate address bar can be hidden so that a forged one can be displayed in its place. More simply, JavaScript can be used to display a picture where the address bar would be, so that everything looks legitimate.
Let’s take the example of a phishing scam targeting Facebook users (Figure 1).
A front page is created that looks identical to the legitimate one. The URL in the address bar is slightly different, but the average user may not notice it. In fact, this page is hosted in China.
Then let’s enter an email address and password in the form. Figure 2 shows the credentials being sent to the phishing server, somewhere in China.
Interestingly enough, after entering the login information, the real Facebook login page is loaded this time. The user might just think she typed something wrong and enter the login again. Now it will work, and most likely the user won’t have noticed a thing.
Figure 2: data transfer between the client and the malware server
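The two checks a reader of this walk-through would want to automate, as an added example (this is not code from the original post or from any of the tools it mentions): comparing the host in a URL against the brand it claims to be, using a toy registrable-domain rule, a small homoglyph map and edit distance, so that both the go0gle.com and the facebook.com.profile.php.id.37122.cn styles of fake are caught; and parsing a captured login POST like the one in Figure 2 to flag password fields sent to a host that is not the brand’s own. The suffix table, the homoglyph map, the sample URLs and the sample HTTP request are all constructed for this example.

```python
"""Lookalike-domain and credential-POST checks (added example, not from the post).
The suffix table, homoglyph map and sample request below are constructed."""
from urllib.parse import parse_qs, urlsplit

# Toy public-suffix table so the registrable-domain rule handles a few
# two-label suffixes; a real tool would use the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.cn", "com.au", "co.jp"}

# Characters phishers swap for look-alikes: digit zero for 'o', one for 'l', ...
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})


def registrable_domain(host: str) -> str:
    """Return the part of the host that was actually registered (eTLD+1)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str, brand_domain: str) -> str:
    """Say whether host really is brand_domain or only resembles it."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg == brand_domain:
        return "legitimate"
    # Brand used as subdomain labels of some other registered domain, e.g.
    # www.facebook.com.profile.php.id.37122.cn is really the domain 37122.cn
    if "." + brand_domain + "." in "." + host + ".":
        return "lookalike: brand as subdomain"
    folded = reg.translate(HOMOGLYPHS)  # go0gle.com -> google.com
    if folded == brand_domain:
        return "lookalike: homoglyph"
    if levenshtein(folded, brand_domain) <= 2:
        return "lookalike: typosquat"
    return "unrelated"


def classify_url(url: str, brand_domain: str) -> str:
    return classify_host(urlsplit(url).hostname or "", brand_domain)


# Form field names that usually carry something the user should not be giving away.
SECRET_HINTS = ("pass", "pwd", "pin", "ssn", "card", "cvv")


def flag_credential_post(raw_request: str, brand_domain: str) -> dict:
    """Parse a captured HTTP request and report whether secret-looking form
    fields are being POSTed to a host that is not the brand's own."""
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, _path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "")
    fields = parse_qs(body, keep_blank_values=True)
    secret_fields = [k for k in fields if any(h in k.lower() for h in SECRET_HINTS)]
    verdict = classify_host(host, brand_domain) if host else "no host header"
    return {
        "method": method,
        "host": host,
        "verdict": verdict,
        "secret_fields": secret_fields,
        "suspicious": method == "POST" and bool(secret_fields) and verdict != "legitimate",
    }


# Constructed capture, modelled on the kind of exchange shown in Figure 2.
SAMPLE_POST = (
    "POST /login.php HTTP/1.1\r\n"
    "Host: www.facebook.com.profile.php.id.37122.cn\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 38\r\n"
    "\r\n"
    "email=victim%40example.com&pass=s3cret"
)

if __name__ == "__main__":
    for url, brand in [
        ("https://www.google.com/accounts", "google.com"),
        ("http://www.go0gle.com/", "google.com"),
        ("http://www.facebook.com.profile.php.id.37122.cn/login", "facebook.com"),
    ]:
        print(f"{url:60} -> {classify_url(url, brand)}")
    print(flag_credential_post(SAMPLE_POST, "facebook.com"))
```

The order of the checks matters: the registrable domain is compared first so that a genuine subdomain of the brand is never flagged, the subdomain-embedding check runs before the edit-distance check because a host like www.facebook.com.profile.php.id.37122.cn has a registrable domain (37122.cn) that is nowhere near the brand, and the homoglyph fold is applied before measuring distance so a swap such as 0 for o is reported for what it is rather than as a generic typo.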
Meanwhile, the hacker has received a valid email address that he can use for spam, not to mention that he can log into the Facebook account at any time. However, with a bit of luck there is something even better he can get access to: a lot of people use the same password for the different services they log into.
Now the hacker gets into your personal email account. Because of the large storage available, people don’t bother deleting old emails. This is a gold mine for hackers. A simple keyword search (“password”, “credit card”, “confidential”) turns up even juicier material.
The conclusion to this story is that phishing is a real and dangerous online threat. Although efforts are being made to protect users, the problem is so large that no single solution can fix it.
Internet Explorer 7 does include a filter capable of detecting phishing sites, but it is not 100% reliable. There are public groups combating phishing, reporting live stats and taking phishing sites down. The PIRT (Phishing Incident Reporting and Termination) team at Castlecops.com is one of them, and it does a very good job.
Ultimately, this is something users will have to become familiar with, and they will need to be more vigilant. Effectively blocking spam emails, which are full of phishing scams, would be a good start. Browser add-ons or applications running in the background can also detect dangerous websites in real time and block them.
Jerome Segura
|