
phishing

Discovering spoof email

Discovering phishing and other attempts to empty your pockets may not be the easiest thing to do.

Most of us regularly receive emails asking us to verify our bank account, eBay, PayPal and other services by clicking a link. And unless you are on the alert all the time, it is easy to end up with empty pockets.

eBay has produced a nice tutorial where you are told how to spot a fake, and how to deal with it. The tutorial is eBay focused, but the actual methods are the same.

If in doubt - look at the tutorial!

A must-read from Security Coin

A quick link for you today! 

Security Coin (a blogger - not cash) gives some very appropriate comments on the anti-phishing e-mail encryption tool from Voltage!  

I have not tested the secure email solution from Voltage, so I have to take the Random Infosec Guy at his word about the solution.


Scamming scammers

The number of hacking/scamming/phishing criminals is increasing. We all know this. That many criminals creates new market spaces. We know that too. Criminals tend to lack ethics. We see evidence of that all the time!

And here is a nice story to show you again the lack of ethics amongst the criminals - Mr. Brain offers his free phishing kit to aspiring scammers. Nice one, Mr. Brain! I bet they love it!

Only drawback - Mr. Brain gets a copy of all activities and all the information collected from the kits. And the scammers themselves get scammed!

Why does Mr. Brain do it like this? We can only guess. What we do know is that it gets increasingly risky to run scams and phishing - ISPs and law enforcement are now actively on the lookout. Thus, finding an ISP and running your scam yourself is no longer the best method.

Add to that the increasing number of dumb n00bs out there, wannabes who would like to be Great Hackers but lack skill, understanding and motivation. What do you get? A market for hacking tools.

As with legitimate business, many different business models exist - selling tools and kits directly, revenue sharing - and now "information sharing" without consent.

I am quite sure that Mr. Brain has access to the infrastructure necessary to monetize the information. And I am even more sure that his clients - the wannabes above - have little or no clue how to monetize the same information. And the poor n00b ends up scammed.

I must admit - I love it. 

I am ROFL imagining their faces when they realize they are 0wned.

PayPal phishing attempt

I have used my PayPal account a fair bit these past months. Both receiving and making payments.

Thus, when I got this email about a payment that PayPal Investigation had returned, I was on the alert. No, not the phishing alert - I was more worried about someone making a payment and me not getting it. The obvious victim for scams, I might add.

I did not recognize the payer's name, and the amount of US$35 sounded a fair bit strange to me. Puzzled, I started to read the fine print, and decided that I needed to check my account to investigate further. I scrolled down the mail to find the link to the PayPal log-on page.

Need I say this was December 26? At the kitchen table, relaxing with my late breakfast. Oh, yes, it was a nice dinner last night!

Upon finding the link again, my mind kicked me in the back, and I decided to check the link before clicking. No surprise there - I was one click away from getting phished (phish, phishing, phisher, phished - I have no clue about the correct phishing grammar, I must admit).

So Leo, phishers do have a clue. They are getting better every single day. And if you let your guard down for only a split second after a nice dinner party, you might find your account empty. As you note, some still swear by old tools and bad quality, but those who mean business adapt and research. And get their rewards.

Take a good look at the images - they show the email I got. The first shows the standard PayPal template with the serious looking header.

PayPal email


This next picture shows the transaction information - the part of the email that made me believe the scam was authentic.


PayPal Scam - transaction details
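The habit that saved the account above - look at where a link really goes before clicking it - can be automated. The script below is an added example, not code from the original post: it parses the HTML body of a message, collects every link, and flags the patterns seen in this kind of mail (visible link text that names one domain while the href points at another, links to raw IP addresses, links to domains the claimed sender would never use, and plain-HTTP links). The message body and the hostnames in it are constructed placeholders, not the actual email shown in the images, and the `TRUSTED_DOMAINS` set is an assumption about which domains the sender should legitimately link to.

```python
"""
Check the links in an HTML e-mail body before anyone clicks them.

Constructed example (not from the original post): a PayPal-styled message
whose visible link text looks legitimate while the real href goes elsewhere.
The hostnames below are placeholders, not real phishing infrastructure.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample e-mail body. The payment-notice wording mimics the kind
# of message described in the post; the domains are invented placeholders.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>A payment of US$35.00 has been returned by PayPal Investigation.</p>
<p>To review the transaction, log in to your account:</p>
<a href="http://paypal.com.account-verify.example.net/cgi-bin/webscr">https://www.paypal.com/cgi-bin/webscr</a>
<p>Or visit our help center: <a href="https://www.paypal.com/help">Help Center</a></p>
<p><a href="http://203.0.113.10/login">Confirm your identity</a></p>
</body></html>
"""

# Domains the sender would legitimately link to (assumption for this example).
TRUSTED_DOMAINS = {"paypal.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []          # completed (href, text) pairs
        self._href = None        # href of the <a> currently open, if any
        self._text = []          # text fragments inside the open <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' reduction: www.paypal.com -> paypal.com.
    Good enough for this check; a real tool would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def looks_like_ip(host):
    """True for a dotted-quad IPv4 literal such as 203.0.113.10."""
    parts = host.split(".")
    return len(parts) == 4 and all(part.isdigit() for part in parts)


def check_links(html_body, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of (href, reason) findings for links that deserve suspicion."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = urlsplit(href)
        host = target.hostname or ""
        # 1. Visible text is itself a URL whose host differs from the real target.
        if text.startswith(("http://", "https://")):
            shown_host = urlsplit(text).hostname or ""
            if registrable_domain(shown_host) != registrable_domain(host):
                findings.append((href, f"link text shows {shown_host} but points to {host}"))
                continue
        # 2. Target host is a bare IP address.
        if looks_like_ip(host):
            findings.append((href, "link points to a raw IP address"))
            continue
        # 3. Target host is not one of the domains this sender should use.
        if registrable_domain(host) not in trusted_domains:
            findings.append((href, f"{host} is not a trusted domain for this sender"))
            continue
        # 4. Trusted domain but plain HTTP: still worth a second look.
        if target.scheme != "https":
            findings.append((href, "trusted domain but not HTTPS"))
    return findings


if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPECT {href}\n        {reason}")
```

Run against the constructed message, the "log in to your account" link is flagged because the text shows www.paypal.com while the href lands on a different registrable domain, and the "Confirm your identity" link is flagged for pointing at a raw IP address; the genuine-looking help link passes. The domain reduction is deliberately simple, so a production version should swap `registrable_domain` for a public-suffix-list lookup.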


OWA phishing attack

I just love Gnucitizen - this time Adrian Pastor explains how to use an Outlook Web Access design flaw to create a phishing attack.

The post is a bit technical, but it gives you a very good idea of just how easy it is to fool your OWA users to give up their user names / passwords to a hacker.

The scary bit is that Adrian told Microsoft about this a couple of years ago - but since this is a design feature and not a bug, Microsoft is not changing it.

So if you are running OWA - make sure to take precautions!  

Phishers expand their business

Somehow website owners believe that phishing is only targeting banks. Here is some news for you - when security tightens in one area, attackers are quick to find other sites and technologies to exploit.

In March, a phishing attack targeted MySpace. It was clever, and used CSS to harvest user names and passwords from MySpace accounts. According to Google Security Blog, 95% of all new phishing traffic went to MySpace. 

Security industry sleeping in class?

The Register brought forward this story about a "new" phishing tool. A file downloaded and installed on your computer gives the phisher full access to interfere with your Internet banking, PayPal, eBay and so forth.

What is new about this? Spyware, greyware, trojans and viruses have been installed on your computer for a long time. Bots have been controlled from the outside for years. The fact that the tool is able to access your information, tap into your communication and present to you what looks like ordinary PayPal, banking or eBay sites is nothing new. What I find disturbing is that the anti-phishing tools do not detect the hijacking, and thus are not able to prevent it. As a matter of fact, Norton 360 clears the page you are viewing.

The blogger is Kai Roer, a European Information security professional.
