JaBbA's Hut - Phishing

Real risk - the Phishing Trojan

nospam@example.com (JaBbA) — Fri, 15 Jun 2007 13:26:17 -0400

Of course, there are real risks out there that we need to avoid.

The targeted emails warning of IRS Audits or overdue invoices are a perfect example. Executives receiving these quite alarming emails click on the attachments to find out what the problem is, and the bad guys now own their computers.

I've seen multiple examples of the IRS audit scam, all of which came to executives here at work. Someone's been doing their homework.

I'd suggest warning all executives of your companies about these emails.

Example, from SANS:

Proforma Invoice for "Company Name" (Attn: "Executive Name")

The Body of the email included this text

"Hello,

The Proforma Invoice is attached to this message. You can find the file
in the attachments area of your email software.

PS: The invoice also includes the cost for the services provided for the
second quarter of 2007.
Please read, evaluate and reply with any comments. Thanks."

Paypal address bar hack on Firefox

nospam@example.com (JaBbA) — Mon, 19 Jun 2006 15:19:10 -0400

A paypal phish just came in that had some interesting features. Using Firefox with NoScript, I connected to the site and it tried to redirect me. With NoScript on it didn't succesfully redirect but it presented me with a "Go here" link. I did so, and got the attached screen - note that it tried to replace my addressbar but failed, creating a new addressbar instead.

Netcraft identified the site as a Phish.

I'd like to see what this does to IE but I don't have a virtual machine right now and don't want to allow the site to hack my real machine.

JaBbA says DON'T Check it out!

APWG Meeting

nospam@example.com (JaBbA) — Tue, 18 Apr 2006 10:23:40 -0400

I'm in Chicago for the Anti Phishing Working Group (APWG) Spring meeting. I'm speaking on a panel entitled Moving Toward A Tipping Point in Email Authentication: Arbitrating the Remediation of a Global Application. We'll be discussing how to get some email authentication method for anti-spam and anti-phishing to be adopted by the Internet.

JaBbA's gone big time

There are still some amateurs out there...

nospam@example.com (JaBbA) — Mon, 20 Mar 2006 14:17:13 -0500

And they still make some silly mistakes. Like the following, received Mar 19,2006:

Your online credit card account has high-risk activity status. We are contacting you to remind that on March 27 2006 our Account Review Team identified some unusual activity in your account. In accordance with Chase Bank User Agreement and to ensure that your account has not been compromised, access your account was limited. Your account access will remain limited until this issue has been resolved. ...

It gets even better - apparently they realized the mistake, changed the date to Mar 19, and resent it - to the same addresses!

Of course, the sad thing is some people probably fell for it anyway.

UPDATE OK, this gets even funnier.

At 12pm, they sent out a set that said the 27th.
At 3pm, they sent out a set that said the 21st.
At 6pm, another set that said the 27th.
And finally, at 9pm, the set that said the 19th.

Someone's playing with daddy's phishing kit...

The Phishers take it to the next level

nospam@example.com (JaBbA) — Thu, 16 Mar 2006 13:03:27 -0500

Think you can spot a phishing email by the fact that it isn't addressed to you?

Not any more.

I've seen a few of these. I think their hit rate is low - some of the data is incorrect. But when it's right, it's devastating.

JaBbA says be careful out there.

ARRRRGGGH

nospam@example.com (JaBbA) — Tue, 14 Mar 2006 10:06:25 -0500

I just got an email from my bank preparing me for the change to Chase.com. Fine. But they're setting me up for a replay:

You can bookmark the new site by adding it to your list of favorites, or you can enter www.Chase.com into your browser. In the meantime, you can preview the new site for more information.

Let's see. They're

Telling me to click a link in an email, while telling me not to !?!
Getting me used to link click tracking by putting a unique ID on the link
Telling me I'm going to www.chase.com while sending me elsewhere
Getting me used to links with complex URLs, which Phishers just love
And even worse - there's NO WAY for me to preview the site EXCEPT through their complex URL. Going to notifications.chase.com just redirects me to the standard Bank One site.

BankOne was doing a good job avoiding this crap. I thought Chase was on this stuff, but their marketing department clearly hasn't gotten the memo.

I'm calling the security department at Chase and complaining - and telling them I moved from Ohio Savings to Bank one BECAUSE of OSB's lack of anti-phishing readiness. Let's see if I can get them talking about this.

Change in Tactics - and Maybe I'm Off the Island

nospam@example.com (JaBbA) — Mon, 13 Mar 2006 10:32:48 -0500

Well, I've now gone 4 days and none of my SPAM-catchers has gotten a phishing scheme. My eBay accounts are fine, nothing's wrong with PayPal, My Chase, Citibank and Wells Fargo accounts are all hunky-dory. (Well, there was a Wells Fargo phish on Friday, but that's it.) Even my wider nets have only caught a couple, mostly Comerica Bank. I'm still winning a lot of European lotteries, and having opportunities to help move money out of Africa, of course. And Offers to enhance my sex life and lose weight. *yawn*

So either the Phishers are taking a break, or they've scrubbed me from their systems - that's possible, but unlikely. But more importantly, the Phishers are apparently taking their cue from the eBay phishers and are changing tactics - offering rewards rather that scaring victims with stories about their account being hacked.

So apparently people are listening and ignoring the old phishes. Be alert, and don't believe anything you are sent in email.

Thank You

nospam@example.com (JaBbA) — Mon, 13 Feb 2006 16:13:54 -0500

To SANS Handler Tom Liston, who tells it like it is. Today's SANS Handler's Diary has a very important story to tell - a story I've been trying to say here for 2 years:

What is going on here? How can this be happening? Internet e-commerce is founded on SSL, and SSL is founded on the trust that the companies handing out SSL certificates are doing their homework and are verifying that the companies sitting behind their certs are who they say they are.

To paraphrase one of my favorite movie lines: "What we have here is a failure to authenticate..."

Finally, banks and credit unions that send our email with clickable links teach their customers incredibly dangerous habits. Financial institutions that use multiple domain names are setting their customers up for disaster. And, of course, any financial institution that isn't checking their referrer logs for odd and unknown sites is a time bomb waiting to explode.

Come on folks. It's hard enough to keep the end users from shooting themselves in the foot... don't give them a loaded gun.

JaBbA says check it out.

Nasty new eBay Phish

nospam@example.com (JaBbA) — Tue, 10 Jan 2006 12:05:14 -0500

Rather than relying on fear of authority to get you to give up your eBay password, this one tugs at your heartstrings:

Hello,

I recently placed a bid on item #5590717206 being a wheelchair for me that i really need do to my age (78 years old) and it seems that i can not find the auction anymore...May i please know if you are the seller of the item above?

Regards,
Gretta.

(misspellings are those of the original author)

The email is formatted just like a question from a seller, and links to a server called looo.mooo.com. You can see what it looks like (a little munged) Here.

JaBbA says keep your guard up. Remember, some of these have WMF exploits as well as Phishing schemes.

Nasty New Phish

nospam@example.com (JaBbA) — Wed, 30 Nov 2005 09:47:17 -0500

This one is quite sophisticated and nasty. The screenshot (click to enlarge) shows the page on my fully-patched XP SP2 box in IE. The emails is sent with a google.com address and uses the google redirect to go to japan while it looks like paypal.

The hack works on Firefox too, but using the Netcraft toolbar, the noscript extension and other tools it was obvious that something funky was going on, and the faked address bar was removed in the end:

Google Phish - No, you didn't win $400

nospam@example.com (JaBbA) — Thu, 10 Nov 2005 11:07:02 -0500

A Wensense Labs Alert about a nasty Google phish using $400 as the lure. Complete with screenshots.

And you thought you were safe

nospam@example.com (JaBbA) — Tue, 11 Oct 2005 14:43:53 -0400

Because your bank gave you a stack of One Time Passwords?

Think again.

Recipients were directed to several fake websites, thought to be based in South Korea, and asked not only for their account details, but also for the next password on their list of one-time passwords.

[snip]

According to F-Secure: âRegardless of what you entered, the site would complain about the scratch code and asked you to try the next one. In reality the bad boys were trying to collect several scratch codes for their own use.â?

Obedience to Authority

nospam@example.com (JaBbA) — Wed, 20 Jul 2005 10:36:35 -0400

The problem of Phishing comes down to Obedience to Authority, as in Stanley Milgram's famous experiment.

Usable Security has a good article on the problem of conflicting authorities, in the case of a phish.

JaBbA says check it out.

Simple Anti-Phishing tool

nospam@example.com (JaBbA) — Fri, 15 Jul 2005 14:21:52 -0400

A new firefox extension is a simple and effective addition to the Anti-Fraud arsenal.

The Petname Extension simply allows you to assign a descriptive name to any SSL-enabled website, then displays that name whenever it sees that same SSL certificate.

Any browser tricks or redirections will become obvious when you "Pet Name" for the website isn't displayed.

JaBbA recommends.

UPDATE I probably should have pointed out - this is a very small implementation of a new idea called a "Security Skin". See Bruce Schneier and this paper (PDF).

And more examples of corporate stupidity

nospam@example.com (JaBbA) — Fri, 08 Jul 2005 12:30:36 -0400

F-Secure's blog has examples of phishing-replayable emails from RSA and CA.

These are Security Companies doing this! Amazing.