
Thread: Experts: 'Phishing' more sophisticated

  1. #1
Just a Virtualized Geek MrLinus
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323

    Experts: 'Phishing' more sophisticated

    Me thinks that CNN needs better "experts". I've bolded two areas. One because of the terminology ("... little known directory called a host file"?!!?) and one because it misses the most important fact: educating users. Giving users a physical token and relying on technology as the only solution isn't the solution to phishing. Phishing is, simply, an elaborate form of social engineering. Educate the user on this and that's half the battle there.

    Heck, the ads that Visa did for their "Verified by Visa" were a great educational tool, along with the ones that Mastercard, IIRC, did (male actor with female voice, spending all sorts of money somewhere -- the idea that no one knows who you are). So rather than depend on having it on the website, why not do some quick spots? Educating the users means less money spent on tracking this crap down. And that can often mean more profit (what a concept).


    Source: CNN

    WASHINGTON (Reuters) -- Internet "phishing" scams are becoming more difficult to detect as criminals develop new ways to trick consumers into revealing passwords, bank account numbers and other sensitive information, security experts say.

    Scam artists posed as banks and other legitimate businesses in thousands of phishing attacks last year, sending out millions of "spam" e-mails with subject lines like "account update needed" that pointed to fraudulent Web sites.

    These attacks now increasingly use worms and spyware to divert consumers to fraudulent sites without their knowledge, experts say.

    "If you think of phishers initially as petty thieves, now they're more like an organized crime unit," said Paris Trudeau, senior product manager for Internet-security firm SurfControl.

    Phishing attacks have reached 57 million U.S. adults and compromised at least 122 well-known brands so far, according to several estimates.

    At the end of 2004 almost half of these attacks contained some sort of spyware or other malicious code, Trudeau said.

    One attack, first documented last month by the Danish security firm Secunia, misdirects Web surfers by modifying a little-known directory in Microsoft Windows machines called a host file. When an Internet user types a Web address into a browser, he is directed instead to a fraudulent site.

    This technique has shown up in attacks spoofing several South American banks, said Scott Chasin, chief technical officer of the security firm MX Logic.

    The convergence of all of these threats means "we can expect to see some large attacks in the near term," he said.

    Another more ambitious attack targets the domain-name servers that serve as virtual telephone books, matching domain names with numerical addresses given to each computer on the Internet.

    If one of those computers is compromised, Internet users who type in "www.bankofamerica.com" could be directed to a look-alike site run by identity thieves.

    Domain-name servers are tougher to crack, as they are typically run by businesses rather than home users, but hackers can find a way in by posing as a company's tech-support department and asking new employees for their passwords, Trudeau said.

    Domain-name hijacking is suspected in incidents involving Google.com, Amazon.com, eBay Germany and HSBC Bank of Brazil, Chasin said.

    Even straightforward phishing attacks are getting more sophisticated. Spelling errors and mangled Web addresses made early scams easy to spot, but scam artists now commonly include legitimate-looking links within their Web addresses, said Kate Trower, associate product manager of protection software for EarthLink Inc.

    Consumers who click on links like www.citibank.com in these messages are directed to a fraudulent Web address buried in the message's technical code, she said.

    MasterCard International has caught at least 10 phishing scams involving www.mastercard.com over the past two months, said Sergio Pinon, senior vice president of security and risk services.

    Consumers can protect themselves with software that screens out viruses, spyware and spam. But online businesses will have to take steps as well, perhaps by issuing customers a physical token containing a changing password, Chasin said.

    Internet engineers should also figure out a way to authenticate Web addresses, much as they are currently figuring out how to make sure e-mail addresses are legitimate, he said.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
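The two techniques the quoted article describes (a modified hosts file that pins a bank's name to an attacker's address, and message links whose visible text says one site while the href points at another) are both easy to check for mechanically. The script below is an added example written for this thread, not code from the article or from any of the posters; the hosts file, the HTML message and the list of watched brand domains are all constructed samples, and the 203.0.113.x addresses are documentation addresses standing in for an attacker's server.

```python
"""Checks for two phishing/pharming tricks: hosts-file hijacks and deceptive
anchor text. Added example; all inputs below are constructed samples."""
import ipaddress
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumption: a short list of brand domains worth watching (hypothetical set).
WATCHED_DOMAINS = {"bankofamerica.com", "citibank.com", "mastercard.com"}

# Addresses a legitimate hosts file may map names to (loopback / blackhole).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "0.0.0.0/8")]

# Constructed sample hosts file: two lines hijack a bank name, one blackholes an ad host.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1 localhost
::1 localhost
203.0.113.7 www.bankofamerica.com bankofamerica.com   # hijack
0.0.0.0 ads.example.net
"""

# Constructed sample message: first link shows a bank URL but points elsewhere.
SAMPLE_MAIL = (
    '<p>Account update needed. Please visit '
    '<a href="http://203.0.113.9/upd">www.citibank.com</a> now. '
    'Or read our <a href="https://www.citibank.com/help">Citibank</a> page, '
    'or <a href="https://www.citibank.com/x">www.citibank.com</a>.</p>'
)


def _is_local(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)


def _watched(host: str) -> Optional[str]:
    host = host.lower().rstrip(".")
    for d in WATCHED_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def suspicious_hosts_entries(hosts_text: str) -> List[Tuple[str, str]]:
    """Return (hostname, address) pairs that pin a watched brand domain to an
    address outside loopback/blackhole ranges. Comments and blanks are skipped."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if _is_local(addr):
            continue
        for name in names:
            if _watched(name):
                hits.append((name.lower(), addr))
    return hits


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(s: str) -> str:
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def deceptive_links(html: str) -> List[Tuple[str, str]]:
    """Return (visible_text, href) for anchors whose visible text looks like a
    URL or hostname but whose href resolves to a different host."""
    p = _AnchorCollector()
    p.feed(html)
    looks_like_url = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
    findings = []
    for href, text in p.anchors:
        if not looks_like_url.match(text):
            continue
        shown, real = _host_of(text), _host_of(href)
        if shown and real and shown != real:
            findings.append((text, href))
    return findings


if __name__ == "__main__":
    print("hosts-file hijacks:", suspicious_hosts_entries(SAMPLE_HOSTS))
    print("deceptive links:", deceptive_links(SAMPLE_MAIL))
```

On a real machine the hosts check would read `/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts` instead of the sample string; the link check is deliberately narrow (only anchors whose visible text is itself a URL) so it catches the trick the article describes without flagging every ordinary "click here" link.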

  2. #2
    Junior Member
    Join Date
    Jan 2005
    Posts
    9
    I think they're being forced into the assumption that your average user is too dumb to learn how to dodge phishing attacks.

    I think the solution is to make people pass a test to be able to use a computer, like a driving test.

    That way, we can have a 'computer training school' that teaches people that making viruses and defacing websites are eventually self-destructive, and so on...

  3. #3
Just a Virtualized Geek MrLinus
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    I think they're being forced into the assumption that your average user is too dumb to learn how to dodge phishing attacks.
    Forced? How are they being forced into this belief?

    I think the solution is to make people pass a test to be able to use a computer, like a driving test.

    That way, we can have a 'computer training school' that teaches people that making viruses and defacing websites are eventually self-destructive, and so on...
    And who would administer this? Who would pay the cost for this? How would you prove whether someone has taken the training or not? How are you going to enforce that people take this training?

    There are tonnes of schools that already teach this kind of ethics as well as trains people on how to prevent this. However, most of the people attending are ones that want to be in a computer-related job (e.g., technical support, administrator, etc.). It's everyone else that we need to be concerned about.

    We have to be somewhat realistic about whatever training users are given. And, based on my own experiences, I find that users take the path of least resistance. This includes training. So rather than force them to do something they aren't interested in doing, why not show them something in an environment they already want to use? (e.g., run TV ads during primetime shows that appeal to the user).

  4. #4
    Senior Member
    Join Date
    Oct 2004
    Posts
    122
    Originally posted here by Spiritus
    I think they're being forced into the assumption that your average user is too dumb to learn how to dodge phishing attacks.

    I think the solution is to make people pass a test to be able to use a computer, like a driving test.

    That way, we can have a 'computer training school' that teaches people that making viruses and defacing websites are eventually self-destructive, and so on...
    That is highly impractical, I would say.
    Computers have reached third-world countries and also rural parts of some developing and least-developed countries.
    We shouldn't deprive them of such a wonderful resource in the name of security.
    Should we?

    Now, to the original problem: MsMittens is right, educating the end user is probably the most effective (or the only possible) solution.
    It is just another form of social engineering.
    I guess the key to this type of security threat is keeping things simple.
    When humans become excessively dependent on technology, problems arise, and the solution to those problems is educating the end users. :P
    nobody is perfect i am nobody

  5. #5
    Junior Member
    Join Date
    Jan 2005
    Posts
    9
    Well, my response was intended to be tongue-in-cheek, but since we're considering this...

    Originally posted here by MsMittens
    Forced? How are they being forced into this belief?
    Well, by the fact that your average user tends to be too dumb to learn to watch for phishing.

    Ok, well, support-desk-born bitterness aside, perhaps it would be more objective to say that your average user doesn't have the technical grounding to understand what to watch out for in phishing attacks, and doesn't have the motivation to learn. Lectures simply lead to glazed looks and nodding and smiling in the hope that you'll go away. There are otherwise intelligent people out there who have been using computers for years, who are still uncomfortable with install programs.

    As specialists in the 'IT' field, we forget how big and scary and confusing it is to the uninitiated.


    Originally posted here by MsMittens
    And who would administer this? Who would pay the cost for this? How would you prove whether someone has taken the training or not? How are you going to enforce that people take this training?
    The same as driving licences, TV licences and all of the other governmental ripoffs that plague our existence. The user pays a yearly sum for the licensing costs (plus skimming, payoffs and monopoly abuse as per standard practice) and receives an official card or certificate.
    For enforcement, perhaps ISPs could be required to ask for certification before supplying a connection to a household (if there is a certificate holder in the house, he/she would be responsible for the behaviour of those in the house). I suppose it would have the enforceability level of a driving licence. Spot checks, maybe?

    Originally posted here by MsMittens

    There are tonnes of schools that already teach this kind of ethics as well as trains people on how to prevent this. However, most of the people attending are ones that want to be in a computer-related job (e.g., technical support, administrator, etc.). It's everyone else that we need to be concerned about.

    We have to be somewhat realistic about whatever training users are given. And, based on my own experiences, I find that users take the path of least resistance. This includes training. So rather than force them to do something they aren't interested in doing, why not show them something in an environment they already want to use? (e.g., run TV ads during primetime shows that appeal to the user).
    As much as I like this idea, I have to say that TV ads are horrendously expensive in their own right... and they are a dead cost, with no potential ROI (at least, not directly). A certification system would have potential income for the authority, with admin charges and fines... assuming the authorities would front the initial setup charges.

    Anyway, a silly ideal that sounds nice. I still think it'd work, though...

  6. #6
Just a Virtualized Geek MrLinus
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    The same as driving licences, TV licences and all of the other governmental ripoffs that plague our existence. The user pays a yearly sum for the licensing costs (plus skimming, payoffs and monopoly abuse as per standard practice) and receives an official card or certificate.
    For enforcement, perhaps ISPs could be required to ask for certification before supplying a connection to a household (if there is a certificate holder in the house, he/she would be responsible for the behaviour of those in the house). I suppose it would have the enforceability level of a driving licence. Spot checks, maybe?
    Right. Governments are already spending too much in too many areas. Having them, and we know how technically advanced the government is, license this is hugely impractical. And ISPs are in the business to make money. Who's going to pay them to do the "enforcement"? This would be challenged heavily in the courts since ISPs are not trained for enforcement (it'll raise ISP costs if they have to be trained under guidelines similar to police officers and other law officials).

    And then the possibility of forged certificates?? What about people pretending to offer courses so you can get your "license"? Or pretending to act on behalf of the gov't to issue the license? Would it be specific to Microsoft only? So if people used Linux/MacOS, they wouldn't need a license (they don't get spyware and/or worms to the extent that MS products do)? What about foreign countries? Are we going to force them to follow suit? How do you convince them to be part of this when their budgets in many cases just can't handle "one more thing"? There are quite a few people online from the UK, Europe, Australia, China, India.

    You pan ads because of a lack of ROI. And you think this is going to create an ROI!?

    A certification system would have potential income for the authority, with admin charges and fines... assuming the authorities would front the initial setup charges.
    You've never seen a gov't implement a simplistic certification program, have you? They tried to implement a gun registry here in Canada (it's running). It was supposed to cost something in the $2 million range (IIRC) and eventually pay for itself. At present, it's well over $2 BILLION. I have little to no faith in having the gov't run this. In addition, particularly for those in the US, what additional layer of Big Brother would this add?

    Interesting, but I don't think it's a practical idea.

  7. #7
Macht Nicht Aus moxnix
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    Educating the end user, to me, is the only viable solution.

    If all new computers would come with a booklet, or even an interactive CD, that would contain the basic security needed by the user.......it would be more effective than any other form. Also, if they were to produce this booklet in a cartoon style, almost everyone would at least glance through it and perhaps learn something.

    Perhaps combining the booklet/interactive CD with TV commercials would be even more effective.

    I really don't think that there is a 'one size fits all' approach to educating the public. I believe it would have to be approached as any good security system has to be........in a layered format.
    \"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!\"
    Author Unknown

  8. #8
    Junior Member
    Join Date
    Jan 2005
    Posts
    9
    Well that's the thing... most of the infrastructure is already in place in any government that has a motor vehicle licensing system, and most governments could do with another source of income.

    I wasn't suggesting that ISPs directly enforce compliance, just indirectly via not providing services to account holders that cannot produce such a licence.

    Forged certificates are a problem, of course, but then so are forged driving licences/gun licences/etc. The same logic applies.

    I'm sure the computer licence could be made generic to every operating system... the theory is still applicable.

    Getting buy-in from foreign countries is of course the sticking point. No country wishes to admit that their population contains idiots. Perhaps heavy emphasis on the yearly losses due to computer-related crimes/screwups/etc...

    As for the ROI, I think this has a much higher ROI potential than prime-time ads with no associated product. A local ten-second radio ad here costs roughly the equivalent of about US$500... that's a potential customer base of 50,000, at a guess. Now extend that to prime-time television airtime on a large American television network... you're looking at tens of thousands of dollars per second (possibly even more, this is just semi-educated guesswork), and you haven't even factored in the cost of making the adverts. And you've maybe reached some of the people in part of America.

    I have to say, you do have a valid point in terms of governmental competency. A noticeable chunk of the users you are trying to reach would probably be involved in running the system.
    I wouldn't use Big Brother as a valid worry, though, especially in the States... with the acts that have been slipped through after the twin towers tragedy, I think that this would barely be noticed...

    But yeah, I don't think this is practical, any more than the TV ads. My only serious suggestion is limit who produces offspring, try and stop humanity as a whole apparently breeding for lack of intellect.

    :P

  9. #9
    AO Senior Cow-beller
    Moderator
zencoder
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177


    Knowledge is Half the Battle! CBS...NBC? ABC? has it right! (If that's the phrase...I forget.) User awareness can not be supplanted by certification, tokens, digital signature verification authorities, or any other contraption spewed from the mind of us 'experts'. The human is always the vulnerable link in security.

    Oh, technology can help, but I have a stack of RSA SecurID pin-pad token cards to demonstrate otherwise (the client insisted that these were the only acceptable form... the fob tokens meant the PIN was sent as part of the passcode, so anyone who could view/sniff/decrypt the traffic could learn the PIN). I kept this stack specifically because each one shows how a user wrote the PIN on the token with permanent marker, or taped it on, or anything else. The client had gone to the considerable expense of purchasing these things for a community of 15,000+ users, and prepared an informative user awareness packet, and these folks STILL did this, because they simply didn't get it. It's human nature.

    And that point is a significant one. If you want to pursue I.S. as a career, and you want to do more than run ping sweeps, vulnerability assessments, and log reviews, you probably are gonna need some people skills to work with the 'uninformed'. If you want to be successful and go far, you'll need to deal with these folks graciously. Fortune 500 companies do not pay for Security Analysts, Engineers, or Managers that display an attitude of contempt for users and their practices.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  10. #10
    But, of course, educating users is hard work and the profits for the A/V and anti-spyware firms may go down a little if we do that.

    Now we wouldn't want to be responsible for that, would we?
