Re: Discovering and Stopping Phishing/Scam Attacks
From: Dave Greer (bonjovijones@gmail.com)
Date: Thu Apr 28 2005 - 12:33:08 CDT
Here is a scenario:
Victim connects to Fake.com
Fake.com prompts for username/password
Fake.com connects to Real.com, enters username/password, receives Third Field
Fake.com presents Third Field to Victim
Victim enters Third Field
That seems like a reasonable scenario.
On 4/28/05, Nuno Costa <webcenter@sapo.pt> wrote:
>
> Randy,
>
> the phisher needs to collect first the username and then the password, with
> probably two interactions from the user...
>
> but the problem for the phisher is that, when he tries to get the 3rd field, he needs
> to authenticate; if not, the username will be locked and a mail will be sent from
> the bank site, for example, saying that something happened, and this is your
> security code to unlock your username and force you to change the username; now
> the phisher guy doesn't know the username again...
>
> I can just see one way for the phisher to get the user and pass: when he knows the
> username, he can brute force with just 3 tries; the other way is having access to
> the user's email account...
>
> regards
> Nuno Costa
>
> Randy :
>
> I think that the system you're proposing will stop *current* phishing
> schemes but it wouldn't take a lot for the phishers to come up with a way
> to retrieve that third piece of information from the user.
>
> A lot of places verify information with the "third question" you're
> referring to (pet's name, childhood superhero, mother's maiden name, etc)
> and identity theft is still a problem for us.
>
> If a user is willing to give their username and password to an unverified
> source, it only takes a little more work to get that third piece of
> information from them.
>
> ~randy
>
> On Thu, 28 Apr 2005 webcenter@sapo.pt wrote:
>
> >
> > ok mr. moderator...
> >
> > I think the real problem why phishing exists is the weak process of login
> > systems today...
> >
> > anyone just needs a login and password to be authenticated; I think web
> > applications need to change login systems... to be more tight... and the
> > phishers maybe lose their hope to grep information very easily with just a
> > username and password...
> >
> > my idea and solution for a new login system is this...
> >
> > creating a 3rd field; this 3rd field the user will choose... it will work like
> > saying "yes, this is the real bank system, welcome back mr. user, insert your
> > password"...
> >
> > the process...
> >
> > 1st page
> > user -> puts the username...
> >
> > second page...
> >
> > 3rd field -> what is your cat's name? now the user knows that this was the
> > question that he had put in the 3rd field on the real bank site (he can put
> > whatever he wants)...
> > password ?? -> user puts the password... he is authenticated.
> >
> > now the phishers have more work, they need two processes to gain access to the
> > bank user account...
> >
> > first they need to collect the username to get the 3rd field... and they need to
> > put the 3rd field in the false website... to get the password... but this is the
> > deal...
> >
> > when a user or anyone puts the username in this login system they need to proceed
> > with a password; if not, if the user closes the browser, if he tries 3 times and
> > can't login, the system will block the username and send an email to the real
> > user, a code to unblock the username and force the user to change the username
> > and 3rd field... and now the phishers don't know again what will be the new
> > username and 3rd field...
> >
> > this system is nothing from another planet and I think that it helps the users a
> > lot, and will stop a little or a big % of these phisher men...
> >
> >
> > regards
> > Nuno Costa
> >
> > -----Original Message-----
> > From: Krul Thomas [mailto:Thomas.Krul@psepc-sppcc.gc.ca]
> > Sent: April 27, 2005 10:31 AM
> > To: 'Alex'; incidents@securityfocus.com
> > Subject: RE: Discovering and Stopping Phishing/Scam Attacks
> >
> > I received a phishing scam email for RBC Bank literally moments ago. The
> > Web site is based in the Czech Republic with very little in the way to
> > disguise the address of the site. (At last check, the site was still up
> > at: http://updatestatus.webz.cz/rbc/cgi-bin/rbaccess/login.html)
> >
> > Odd, either there are some newbie phishers out there, or they are
> > starting to realise that no matter how much they disguise their sites
> > someone will be having them shut down soon enough, so catching the
> > uninformed in the few moments they have is paramount. Will we be seeing
> > an increase in the diversity of referring addresses in a flooding
> > attempt to catch the last remaining moms and pops who don't know better
> > versus well-crafted addresses that don't arouse suspicions?
> >
> > -----Original Message-----
> > From: Alex [mailto:incidents@alex.gotdns.org]
> > Sent: Tuesday, April 26, 2005 7:51 PM
> > To: incidents@securityfocus.com
> > Subject: Re: Discovering and Stopping Phishing/Scam Attacks
> >
> > I agree that checking by referer addresses is a powerful way to detect
> > phishing sites, but such logs can easily be averted?
> >
> > Doesn't some anti-popup software remove referer fields?
> >
> > Simple use of javascript can allow a page to fetch anything without showing
> > up in referer logs.
> >
> > While we are on the subject, has anyone come across commercial and/or
> > government websites being (illegally?) mirrored?
> >
> > For example, I recently came across a website located on a (Asian?) hosting
> > provider where the content of the website was EXACTLY that of a well-known
> > US govt website. (It appeared that they ran the equivalent of a recursive
> > "wget" on the real site and hosted the files). It appeared to be several
> > layers deep.
> >
> > Why would anyone want to do that?
> >
> > -Alex
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
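As an added example that is not part of any message in this thread: a small simulation of the three-field login scheme Nuno proposes (username, then the user-chosen third field is displayed, then password, with a lock after three failures) together with the relay attack Dave describes, where the fake site forwards the victim's username to the real site in real time, learns the third field, shows it to the victim, and then forwards the password. The class names, the account, the password and the third-field value are all constructed for this example and correspond to no real bank's login flow.

```python
"""
Simulation of the three-field login scheme from the thread and of the
real-time relay attack against it.  Everything here (RealBank, FakeBank,
the "alice" account, "hunter2", "Whiskers") is constructed for the example.
"""
from dataclasses import dataclass

MAX_FAILURES = 3  # lockout threshold as described in the proposal


@dataclass
class Account:
    password: str
    third_field: str      # user-chosen phrase, e.g. a pet's name
    failures: int = 0
    locked: bool = False


class RealBank:
    """The genuine site: username -> third field shown -> password checked."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.pending = {}  # session id -> username awaiting a password

    def step1_username(self, session, username):
        acct = self.accounts.get(username)
        if acct is None or acct.locked:
            return None
        self.pending[session] = username
        return acct.third_field  # the "yes, this is the real bank" signal

    def step2_password(self, session, password):
        username = self.pending.pop(session, None)
        if username is None:
            return False
        acct = self.accounts[username]
        if acct.locked:
            return False
        if password == acct.password:
            acct.failures = 0
            return True
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True  # the real site would now e-mail an unlock code
        return False


class FakeBank:
    """Phishing site that relays each step to the real site as it happens."""

    def __init__(self, real):
        self.real = real
        self.stolen = {}

    def step1_username(self, session, username):
        # Relay the username; the real site hands back the third field,
        # which the fake site can now display to the victim.
        third = self.real.step1_username(session, username)
        if third is not None:
            self.stolen[session] = {"username": username, "third_field": third}
        return third

    def step2_password(self, session, password):
        # The victim saw their own third field and trusts the page.  Forward
        # the password immediately, so no failed attempt is ever recorded.
        ok = self.real.step2_password(session, password)
        if ok:
            self.stolen[session]["password"] = password
        return ok


def run_relay_attack():
    """Victim completes the whole login through the fake site."""
    real = RealBank({"alice": Account(password="hunter2", third_field="Whiskers")})
    fake = FakeBank(real)
    sid = "victim-session-1"
    shown = fake.step1_username(sid, "alice")         # victim types username
    logged_in = fake.step2_password(sid, "hunter2")   # victim, reassured, types password
    acct = real.accounts["alice"]
    return {
        "third_field_shown": shown,
        "login_succeeded": logged_in,
        "credentials_stolen": fake.stolen[sid],
        "account_locked": acct.locked,
        "failures_recorded": acct.failures,
    }


def run_blind_guess(attempts):
    """Without a live victim, a phisher who knows only the username hits the lockout."""
    real = RealBank({"alice": Account(password="hunter2", third_field="Whiskers")})
    for i, guess in enumerate(attempts):
        sid = f"guess-{i}"
        if real.step1_username(sid, "alice") is None:
            break  # already locked
        real.step2_password(sid, guess)
    return real.accounts["alice"].locked


if __name__ == "__main__":
    print(run_relay_attack())
    print("locked after blind guessing:", run_blind_guess(["a", "b", "c"]))
```

The point the simulation makes is that the three-strike lockout only bites when the phisher has to guess; when the victim is supplying the password through the relay, the real site sees one correct attempt and nothing else, so the third field is displayed correctly on the fake page and no alert is ever generated.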