Date: Sun, 19 Feb 2006 02:19:51 +0200
From: Gadi Evron <ge@linuxbox.org.>
To: bugtraq@securityfocus.com
Subject: The New Face of Phishing
References: <43F7B6AC.9010607@farber.net.>
In-Reply-To: <43F7B6AC.9010607@farber.net.>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeded SMTP AUTH authentication, not delayed by milter-greylist-1.7.5 (linuxbox.org [24.155.83.21]); Sat, 18 Feb 2006 18:21:16 -0600 (CST)
X-Virus-Scanned: antivirus-gw at tyumen.ru
Taken from IP:
> The New Face of Phishing
> By Brian Krebs | February 13, 2006
<snip>
> Now here's where it gets really interesting. The phishing site, which
> is still up at the time of this writing, is protected by a Secure
> Sockets Layer (SSL) encryption certificate issued by a division of
> the credit reporting bureau Equifax that is now part of a company
> called Geotrust. SSL is a technology designed to ensure that
> sensitive information transmitted online cannot be read by a
> third-party who may have access to the data stream while it is being
> transmitted. All legitimate banking sites use them, but it's pretty
> rare to see them on fraudulent sites.
>
> ...
>
> http://blog.washingtonpost.com/securityfix/2006/02/the_new_face_of_phishing_1.html
Brian is one of the more serious security-working reporters out there, I
always enjoy what he writes.
Still, this may be newly utilized these days, but it isn't new. This was
*even* reported on TechTV 2 years ago or so.
*Some* new disturbing phishing trends from the past year:
POST information in the mail message
That means that the user fills his or her data in the HTML email message
itself, which then sends the information to a legit-looking site.
The problem with that, is how do you convince an ISP that a real
(compromised) site is indeed a phishing site, if there is no
phishy-looking page there, but rather a script hiding somewhere?
Trojan horses
This is an increasing problem. People get infected with these bots,
zombies or whatever else you'd like to call them and then start sending
out the phishing spam, while alternating the IP address of the phishing
server, which brings us to...
Fast-Flux
Fast Flux is a term coined in the anti spam world to describe such
Trojan horses' activity.
The DNS RR leading to the phishing server keeps changing, with a new IP
address (or 10) every 10 minutes to a day.
Trying to keep up and eliminate these sites before they move again is
frustrating and problematic, making the bottle-neck the DNS RR which
needs to be nuked.
----
There are others, but as always - don't rely on the written press for
your updated security information.
A few weeks ago Dr. Alan Solomon (drsolly) wrote on the funsec list,
responding to someone saying he is shocked how inaccurate media reports
can be about his region in the world.
Alan said something the sort of: "What? Being in the security world and
seeing how security informations get mis-represented in the papers all
these years didn't give you a hint? You honestly thought that it was
limited to your field?"
(Not what he said, can't find the exact quote right now, but I loved it.
His was a lot shorter. Gotta love that guy).
Thanks,
Gadi.
--
http://blogs.securiteam.com/
"Out of the box is where I live".
-- Cara "Starbuck" Thrace, Battlestar Galactica.
