Archive for the ‘Phishing’ Category

IE8 #fail

August 14th, 2009

Although IE8 passed the browser security test with flying colours (hmm) (results here), it did not catch the one below.

Also, should you trust your address bar? No!

Start with a hijacked Hosts file (incidentally it came from the malware described in the previous post):

[image: hosts]

Browse to www.bancodabrasil.com.br

[image: whole]

However, look at what is under the hood:

[image: sourcecode]

Yes, it’s a big cover-up: the site is in reality hosted on 209.51.152.42. That means if you log in to this ‘banking’ website, you are giving away your information (and possibly money) to criminals.

How does IE8 protect you?

[image: smart]

“Check the address to make sure it is a site you trust.”

OK, let’s do that:

[image: addy]

Looks pretty legit to me?????

Phishing scams are very sophisticated, yet the whole thing is fairly simple: you browse to a site that hosts an exploit and it modifies your hosts file. Then you go to do some banking and all your money is belonged to the bad guys!

Watch what happened behind the scene:

[image: fiddler]

Does that make you feel like doing online banking anymore? It certainly gives me cold shivers.
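The hosts-file hijack above can be spotted offline by checking whether any real hostname is pinned to a globally routable address instead of being resolved through DNS. The Python script below is an added example, not part of the original post; the sample hosts content is constructed, with only the bank domain and the 209.51.152.42 address taken from the post.

```python
import ipaddress

# Constructed sample hosts file, modelled on the hijack described above:
# the bank domain is pinned to the attacker's server instead of being
# resolved through DNS. Only the bank entry is taken from the post.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
209.51.152.42   www.bancodabrasil.com.br
209.51.152.42   bancodabrasil.com.br
0.0.0.0         ads.example.invalid   # ad blocking, harmless
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not an IP address
        for name in fields[1:]:
            yield ip, name.lower()


def suspicious_entries(text):
    """Return hosts entries that pin a public hostname to a routable address.

    Loopback, unspecified (0.0.0.0), private and link-local addresses are the
    normal, benign contents of a hosts file; a public hostname pointed at a
    globally routable IP bypasses DNS entirely and deserves a look.
    """
    hits = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if ip.is_loopback or ip.is_unspecified or ip.is_private or ip.is_link_local:
            continue
        hits.append((str(ip), name))
    return hits


if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"hosts file pins {name} to {ip}: the address bar cannot be trusted")
```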

Jerome Segura

Posted in Phishing

Beware of Twitter’s Followers frenzy

July 21st, 2009

There are several sites enticing Twitter users to give them their username and password (yes password) in order to get more followers.

This site thousandfollowers.com looks a tad suspicious:

You need to give your full credentials, and the “I agree with the Terms of Service” box is pre-checked!

[image: twit]

Watch what happens:

[image: twit2]

[image: twit3]

Yes, looks like spam doesn’t it? Posting messages without my consent!

Better change my password!

The site’s IP is located in the Netherlands and the Whois record is rather obscure:

Domain name: thousandfollowers.com

Registrant Contact:
WhoisGuard
WhoisGuard Protected ()

Wonder why? Do You? ;-)

The site also asks you to ‘buy’ VIP which it states will get you “followed when users login to our site”.

Let me explain the scam in clear text:

I really want new followers badly and give out my personal information like thousands of other naive people. If I buy the VIP pass all those thousands of naive people will follow me. Guess how? Because their account is owned!

[image: vip]

How many people fall for the scam? LOTS!!!

[image: scam]

Jerome Segura

Posted in Phishing

Capital One Phish… watch out

April 9th, 2009

A well crafted Phish… scare tactics… this one has been reported.

[image: phish1]

Thanks Mitch.

Jerome

Posted in Phishing

Strange email (spam for sex)

January 16th, 2009

This is a sort of follow-up post to the previous entry made by “TinfoilHatMan”.

Spammers can be… oh so creative… ;-)

Apparently I have an ad on a dating site???
She seems pretty needy… or insatiable??
Of course I can’t do a reply from the original email because… well, IT’S SPAM!!!!

Instead, let’s use a real account where I can get lured into disclosing more information… or simply confirm my email address really exists. Either way, this type of spam may appeal to single guys who are really desperate to fulfill their needs and this lady’s…

Jerome

Posted in Phishing

Anatomy of a PayPal scam

October 7th, 2008

Today, I am going to illustrate a typical phishing scam targeting PayPal, the famous online money transfer company.

It all starts with a well crafted email supposedly from the company. The topic: account maintenance. Here we see a very common trick used by scammers: pretend to improve security measures.
Of course, in order to do so the user must provide all his login information.

1. The Phish email:

Note the threatening “we would have to limit it [your account]”, and also the spelling mistake in the Subject: “Account Maintainance”.
Many scams have grammar or spelling errors, mainly because the scammers are from foreign countries.

2. The fake site:

Visit the real site http://www.paypal.com and check for yourself how similar they look.

3. The credentials entry:

It’s always good not to use a real identity ;-)

4. The scammers’ greediness: more, more and more

With this information, a scammer owns your life. Pretty scary.

5. The profit:

Some guy with an IP in Thailand is very happy.

We have reported this scam to the appropriate authorities. It’s not going to stop the bad guys behind it, just put a little dent in their profits.
However, we as responsible and careful end users can make a better impact. If you ever feel uncomfortable revealing some information, take the time to stop and consult with a friend or someone you trust.
I fell for some advertising things before, simply because the person bombards you with information and wants an answer now. What works here is making you confused and not giving you any time to think.
Remember that there is no rush, and the email can wait until the next day.

Jerome

Posted in Phishing

Targeted Phishing, an example.

June 2nd, 2008

I thought it would be educational to break down a targeted phishing attempt, to help demonstrate how effective this type of attack can be.

I collect video games. In my quest for the ever rare peripheral, or the out of print classic game, I’ve often done business with strange companies based in far away lands.

One of those was a wonderful little outfit called Lik-Sang. They used to carry all sorts of “hard to get” stuff from the Mecca of video game land: Japan.

Of course, sometimes items that were not intended for other markets could be had, like a foreign console that would enable you to play the few titles that did not require intimate knowledge of Japanese well in advance of their US release.
This behavior generally tends to be frowned upon by the manufacturer of said products. That is why they have things such as region coded games after all.

As you would have it, Lik-Sang attracted the ire and more importantly, the scrutiny of the legal department at the Sony Corporation. This was followed by some legal entanglement better explained here: http://www.lik-sang.com/ and more importantly summarized by this comment: “As of today, Lik-Sang.com will not be in the position to accept any new orders and will cancel and refund all existing orders that have already been placed. Furthermore, Lik-Sang is working closely with banks and Paypal to refund any store credits held by the company, and the customer support department is taking care of any open transactions such as pending RMAs or repairs and shipping related matters. The staff of Lik-Sang will make sure that nobody will get hurt in the crossfire of this ordeal.”

I must admit I was disappointed that they went out of business. A couple of weeks later I received an email, apparently from Lik-Sang, informing me that I had a $10 credit on my account with them. Nothing too unusual there, as I had done business with them in the past. I was a little surprised, though. I didn’t remember any credit. I read further into the email, where they kindly asked me to fill in my Paypal user name and password account information so that they could refund me my money.

Hold on, wait a minute, my username and password?  This was a phishing attempt! I would like to believe that this was created by a crafty phisher, who decided to capitalize on the downfall of Lik-Sang, but it is much more probable that someone in the IT department at Lik-Sang decided to sell the email client list on their way out. This is another painful reminder that no matter how much you may trust the business entities that you share your email address with, things may change.

So now we have to worry about who has our email address in their databases and how well they secure this information. This only reinforces my belief that the throw-away e-mail address is now a necessity. I diligently read what lands in that inbox, but everything is taken with a grain of salt.

Jean “TinFoilHatMan” Taggart

Posted in Phishing

Gone Phishing…

March 31st, 2008

More and more sensitive information is exchanged online, so much so that most of the time we don’t realize it. We log into our email account(s), our bank sites, our eBay account, etc. Every time we do that, a transaction happens: we send passwords, usernames or credit card numbers to an external server. Of course, we know why it is so important to choose a strong password, but do we know it is totally useless if we cannot trust the recipient we are sending it to?

That is where anyone can exploit that trust. Phishing is any action taken to fraudulently acquire private information by pretending to be a real and trustworthy entity.

Hackers soon realized how much value there was in phishing scams. Stealing somebody’s credentials can give full access to very private information and basically put the thief in total control of someone’s life (provided that the person does some online banking, logs into her healthcare site and so on).

There are many ways to carry out a phishing scam. First of all, the victim needs to be contacted in some way. It could be an email that leads you to a fake site, or it could be a typical malware infection that hijacks the web browser and redirects it to fraudulent websites whenever the victim types in the URL or clicks on a bookmark.

Secondly, because the phishing site will be hosted on a different domain than the real one, the hacker needs to trick the user into believing this is the correct URL. A classic example is to slightly modify the domain name. Typos are also commonly used.

Figure 1: phishing site targeting Facebook users. Notice the URL ending in “.cn”

Real: www.google.com
Fake: www.go0gle.com

Real: www.facebook.com
Fake: www.facebook.com.profile.php.id.37122.cn
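A small classifier for the two domain tricks shown above: a brand name buried as a label inside a long hostname whose registrable domain is something else entirely, and a one-character typo in the registrable domain. This is an added example, not code from the original article; the two-label registrable-domain rule is a deliberate simplification that is enough for the .com and .cn examples here.

```python
from urllib.parse import urlsplit

# Brand domains we expect to see; anything else that merely contains them,
# or is one typo away from them, gets flagged. Taken from the examples above.
BRANDS = {"google.com", "facebook.com"}


def registrable_domain(host):
    """Crude eTLD+1: the last two labels (enough for the .com/.cn examples)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typos like go0gle."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return 'legit', 'subdomain-spoof', 'typo-squat' or 'unrelated'."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    reg = registrable_domain(host)
    if reg in BRANDS:
        return "legit"
    # Brand appears as a label further left, but the part that actually
    # decides who owns the site is the registrable domain on the right:
    # www.facebook.com.profile.php.id.37122.cn is owned by whoever has 37122.cn
    for brand in BRANDS:
        if brand in host and reg != brand:
            return "subdomain-spoof"
    # One substitution away from a brand in the registrable domain itself
    for brand in BRANDS:
        if edit_distance(reg, brand) == 1:
            return "typo-squat"
    return "unrelated"


if __name__ == "__main__":
    for u in ("www.google.com", "www.go0gle.com",
              "www.facebook.com.profile.php.id.37122.cn"):
        print(f"{u}: {classify_url(u)}")
```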

Another technique, called website forgery, involves the use of scripts to alter the address bar. The legitimate address bar can be closed in order to display a forged one. More simply, JavaScript can be used to display a picture in place of the address bar, so that everything looks legitimate.

Let’s take an example of a Phishing scam targeted at Facebook’s users (Figure 1).

A look-alike front page is created that appears identical to the legitimate one. The URL in the address bar is slightly different, but the average user may not notice it. In fact, this page is hosted in China.

Then let’s enter the email address and password in the form. Figure 2 shows that the credentials are being sent to the phishing server somewhere in China.

Interestingly enough, after entering the login information, the real login page for Facebook is loaded this time. The user might just think she typed something wrong and re-enter the login again. Now it will work, and most likely the user won’t have noticed a thing.

Figure 2: data transfer between the client and the malware server

Meanwhile, a hacker has received a valid email address that he can use for spam, not to mention that he can log into the Facebook account at any time. However, there is something even better he can get access to, with a bit of luck. A lot of people use the same password for the different services they log into.

Now, the hacker gets into your personal email account. Due to the larger storage available, people don’t bother deleting old emails. This is a gold mine for hackers. They will do a simple keyword search (“password”, “credit card”, “confidential”), and find even more juicy stuff.

The conclusion to this story is that Phishing is a real and dangerous online threat. Although efforts are being made to protect users, the problem is so large that not one solution can fix it.
Internet Explorer 7 does include a filter capable of detecting phishing sites, but it’s not 100% trustworthy. There are public groups combating phishing, reporting live stats and taking phishing sites down. The PIRT (Phishing Incident Reporting and Termination) team at Castlecops.com is one of them, doing a very good job.

Ultimately, this is something users will have to become familiar with, and more vigilant about. Effectively blocking spam emails, which are full of phishing scams, would be a good start. Browser add-ons or applications running in the background can also detect dangerous websites in real time and block them.

Jerome Segura

Posted in Phishing

Jerome Segura is a Security Analyst working at ParetoLogic.
© 2009 ParetoLogic Inc.