General Discussion

For those lucky enough to snag one of Googles Gmail accounts here ' s an excellent article to read - " Phishing For Gmail Accounts "
http://www.webpronews.com/news/ebusinessnews/wpn-45-20040913PhishingForGmailAccounts.html

[Phishers Fake FDIC Web Site]

FYI...

Phishers Fake FDIC Web Site
- http://www.techweb.com/article/printableArticle.jhtml?articleID=47902790&site_section=700028
September 24, 2004
"Phishers spoofed the Federal Deposit Insurance Corporation's (FDIC) again Thursday and using bogus e-mails, tried to entice consumers to sign up for non-existent service that tracks suspicious activity on credit, debit, and bank ATM cards. Like many other recent phishing scams, this one plays off consumers' knowledge of the danger of identity theft...Once consumers have been drawn to the site, a very close copy of the actual Web site of the FDIC, the government-backed insurer of bank accounts, they're encouraged to "register" their cards with the service. "You will be protected from unauthorized use of your card or account information. With FDIC's Zero Liability policy, your liability for unauthorized transactions is $0 -- you pay nothing!" the site read.
-> Of course, there is no such thing as a "Zero Liability" policy through the FDIC..."

>>> http://www.fdic.gov/consumers/consumer/alerts/index.html
"...Since January 23, 2004, criminals have been using the FDIC's name and reputation to perpetrate various “phishing” schemes. It is important to note that the FDIC will -never- ask for personal or confidential information in this manner..."

.

[If It Sounds Too Good To Be True...]

FYI...

- http://isc.sans.org/diary.php?date=2004-11-16
Updated November 17th 2004 10:10 UTC
"If It Sounds Too Good To Be True...
We received a report from a reader who found a little more than he bargained for when looking for a cheap used car. It appears that some rather unsavory characters are posting "deals" online that carry some surprises. When you go to look at photos of your "ride-to-be", the seller tells you "please check the pictures on the file. Are packed with WinZip SelfExtract, I don't have much space in this free host and I can put the on the server. After you download it, if you open the file will ask you where to unpack the files."
Uh... sure...
The executable packs a bit more than some candid photos of your dream car. It carries a version of the QHosts trojan which makes changes to your hosts file pointing domain names for various escrow services to a specific IP address. The seller then insists that to "safeguard" the transaction, an escrow service must be used. Care to guess the rest?
Moral of the story: If it seems too good to be true, it probably is.

Don't Let This Happen To You
Another reader pointed out a different scam. This time, the victim receives an email claiming that their credit card has been charged. The victim is given a link to view their "invoice." While none of this is new, the almost overwhelming barrage of exploit attempts at the other end of the "invoice" link was astounding. The victim's machine is hit with three different exploit attempts, targeting different vulnerabilities. It appears that some piece of dirt out there is an over-achiever..."

 

[Anti-Phishing Working Group]

FYI...from the Anti-Phishing Working Group:

Busy week for Phishing code writer criminal activity... http://www.antiphishing.org/
"Recent Phishing Attacks:

    * 19-04-04 - eBay - 'Account Suspension Notice - Section 9'
- http://www.antiphishing.org/phishing_archive/11-18-04_Ebay/11-18-04_Ebay.html

    * 17-11-04 - Citibank - 'Your online activity confirmation'
- http://www.antiphishing.org/phishing_archive/11-17-04_Citibank/11-17-04_Citibank.html

    * 16-11-04 - Suntrust - 'Internet Banking with Bill Pay Fees Waived'
- http://www.antiphishing.org/phishing_archive/11-16-04_Suntrust/11-16-04_Suntrust.html

    * 15-11-04 - People's Bank - 'New Mail from People'
- http://www.antiphishing.org/phishing_archive/11-15-04_Peoples_Bank/11-15-04_Peoples_Bank.html ..."

 

[...Big Boost In Phishing Attacks]

FYI...

...Big Boost In Phishing Attacks
- http://www.techweb.com/article/printableArticle.jhtml?articleID=54200563&site_section=700028
November 24, 2004
"...From September to October, phishing sites increased more than 100 percent.
'Some automation had to be involved, with a bot network to either send more e-mails and/or host more sites,' said Dan Hubbard, the senior director of security at Websense, one of the two investigators who analyzed the phishing data for the group. 'In October, not only did the amount of reported phishing e-mails increase, but the number of phishing sites that were unique dramatically spiked, said Hubbard. Once we started investigating the characteristics of those sites, a lot of same traits kept repeating.'
The shared characteristics of those phishing sites -- which host phony pages that look remarkably like real credit card, bank, online retailer, or e-payment sites -- ranged from using a little-known Web server to being hosted on broadband-connected systems to running at IP addresses outside the US. More than half of the phishing sites, for instance, are hosted on what appears to be broadband-connected PCs, and the common Web server -- SHS -- is a favorite of phishers, since its small footprint makes it easy to plant on a hacked PC..."

 

[cnm]

FYI...posted by cnm at SWI:

Interesting anti-spoof weapon.
http://crypto.stanford.edu/SpoofGuard/
...SpoofGuard is a browser plug in that is compatible with Microsoft Internet Explorer. SpoofGuard places a traffic light in your browser toolbar that turns from green to yellow to red as you navigate to a spoof site. If you try to enter sensitive information into a form from a spoof site, SpoofGuard will save your data and warn you. SpoofGuard warnings occur when alarm indicators reach a level that depends on parameters that are set by the user....

Link courtesy of http://www.computercops.biz/forums.html

 

[Phishers Take Cues From Hackers]

FYI...

Phishers Take Cues From Hackers
- http://www.techweb.com/article/printableArticle.jhtml?articleID=55800279&site_section=700028
December 15, 2004
"Phishing scams again surged last month, an industry organization said Wednesday, as tech-savvy crooks increasingly took up the tools of the hacker trade to steal consumers' personal and financial identities. According to the monthly report from the Anti-Phishing Working Group (AWPG), a consortium of more than 1,000 firms, including a majority of the top U.S. banks and ISPs, November saw yet another increase in the number of phishing Web sites spotted. During November, the group detected 1,518 scam sites, a 29 percent increase over October, and another record for the year.

Worse news than the boost in scamming sites -- which are often "hit-and-run" Web sites that stay up only an average of 6 days -- is the AWPG's analysis of an increase in the use of malicious code by phishers to steal credit card and bank account access and information from users worldwide. "They're definitely starting to cross the boundaries of spyware, phishing, and general virus writing," he said. "Some phishers are using portable executable files that actually run on the user's machine rather than just put a link in an e-mail. They're using viruses on your machine, which get there a number of different ways, that are fairly sophisticated. They don't do anything until you go to a known banking or credit card or retailing site that's listed in the virus, and then they either replace the site with their own [fake] version or capture keystrokes and transmit them to the criminals." Keyloggers are often in place on PCs that have been compromised earlier by malicious computer worms and viruses. In some cases, the phishers are only using what's already available. This trend, said Hubbard, builds on the one outlined last month by the AWPG, which then noted that many of the most virulent phishing attacks seemed to be coming from "bot networks," collections of previously-infected computers..."We've already seen indications that phishers are commanding automated distribution systems, apparently leveraging bot nets, known as zombies," said David Jevans, the chairman of the AWPG, in a statement accompanying the November report. "Those resources, combined with conventional keylogging and other innovative malicious code, is a threat scenario that could deliver more sophisticated attacks," Jevans added..."

 

[Netcraft "anti-phishing" toolbar]

FYI...

Netcraft "anti-phishing" toolbar
- http://toolbar.netcraft.com/
"...The Toolbar community is effectively a giant neighbourhood watch scheme, empowering the most alert and most expert members to defend everyone within the community against phishing frauds. Once the first recipients of a phishing mail have reported the target URL, it is blocked for community members as they subsequently access the URL. Widely disseminated attacks (people constructing phishing attacks send literally millions of electronic mails in the expectation that some will reach customers of the bank) simply mean that the phishing attack will be reported and blocked sooner.

The Toolbar also:
    * Traps suspicious URLs containing characters which have no common purpose other than to deceive.
    * Enforces display of browser navigational controls (toolbar & address bar) in all windows, to defend against pop up windows which attempt to hide the navigational controls.
    * Clearly displays sites' hosting location, including country, helping you to evaluate fraudulent urls (e.g. the real citibank.com or barclays.co.uk sites are unlikely to be hosted in the former Soviet Union)..."

[Internet 'Phishing' Scams Getting More Devious]

FYI...

Internet 'Phishing' Scams Getting More Devious
- http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=7372773
Jan 19, 2005
" Internet "phishing" scams are becoming more difficult to detect as criminals develop new ways to trick consumers into revealing passwords, bank account numbers and other sensitive information, security experts say. Scam artists posed as banks and other legitimate businesses in thousands of phishing attacks last year, sending out millions of "spam" e-mails with subject lines like "account update needed" that pointed to fraudulent Web sites.

These attacks now increasingly use worms and spyware to divert consumers to fraudulent sites without their knowledge, experts say. "If you think of phishers initially as petty thieves, now they're more like an organized crime unit," said Paris Trudeau, senior product manager for Internet-security firm SurfControl. Phishing attacks have reached 57 million U.S. adults and compromised at least 122 well-known brands so far, according to several estimates.

At the end of 2004 nearly half of these attacks contained some sort of spyware or other malicious code, Trudeau said..."

"Phishiest" Countries
- http://toolbar.netcraft.com/stats/countries  

[Identity Theft, Net Scams Rose in '04-FTC]

FYI...

Identity Theft, Net Scams Rose in '04-FTC
- http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=7501166
Feb 1, 2005
"Americans lost at least $548 million to identity theft and consumer fraud last year as the Internet provided new victims for age-old scams, according to government statistics released Tuesday. The U.S. Federal Trade Commission said it received 635,000 consumer complaints in 2004 as criminals sold nonexistent products through online auction sites like eBay Inc. or went shopping with stolen credit cards.
> Identity theft -- the practice of running up bills or committing crimes in someone else's name -- topped the list with 247,000 complaints, up 15 percent from the previous year. Fraud and identity theft cost consumers at least $437 million in 2003. Internet-related fraud accounted for more than half of the remaining complaints as scammers found victims through Web sites or unsolicited e-mail, the FTC said.
> Auction fraud was the most common Internet scam, the FTC said in its annual fraud report, followed by complaints about online shopping and Internet access service..."

 

[Rise In Worst Spyware Shows Phishers At Work]

FYI...

Rise In Worst Spyware Shows Phishers At Work
- http://www.techweb.com/article/printableArticle.jhtml?articleID=59300537&site_section=700028
February 02, 2005
"The worst kinds of spyware reached all-time highs in the last quarter of 2004, said a national ISP and an anti-spyware vendor as they released their quarterly SpyAudit report Wednesday. The numbers offer hard evidence to back up suspicions that phishing scammers are turning to deadlier, stealthier spyware to hijack identities and empty bank accounts...According to Atlanta-based EarthLink and Boulder, Colo.-based Webroot, the instances of system monitors -- better known as key loggers and screen grabbers -- and Trojan horses soared in the fourth quarter. System monitors logged a 230 percent increase and Trojans jumped by 110 percent over the previous quarter. Both marked record highs for the year in the fourth quarter...On average, about 1 in 6 PCs scanned by the EarthLink and Webroot anti-spyware software contains a system monitor. The rate of "infection" by Trojans is about the same..."

   

[here]

FYI...

- http://www.phishreport.net/releases/launch_release.html
"Phish Report Network Availability:
The Phish Report Network is available immediately. Companies can sign up by visiting www.phishreport.net.

Additional Information About Phishing and Online Identity Theft Prevention:

    * http://www.antiphishing.org/
    * http://www.consumer.gov/idtheft
    * http://safety.msn.com/phishing
    * http://www.microsoft.com/presspass/safety
    * http://pages.ebay.com/securitycenter/stop_spoof_websites.html
    * http://www.paypal.com/security
    * http://www.visa.com/emailphishing

..."

 

[Why phishing works]

FYI...

Why phishing works
- http://johannes.homepc.org/blog/2005/02/why-phishing-works.html
February 14, 2005 - Johannes Ullrich, CTO SANS Internet Storm Center
"Enough has been said about phishing, but given the number of new scams I find in my inbox every day, not enough is been done against it. So what can be done against it? Maybe its time to look at why phishing works in the first place.
Phishing works because we click on links and trust whatever we see on the screen. We have been thoroughly conditioned by our banks and credit card company to follow this pattern. It has helped us remember when our credit card bill was due, and reminded us of this 0% balance transfer offer. Given that no bank wanted to be left behind, the systems that supported these mailings have been implemented with haste and not care. For one of my banks, it is easy to spot the phish: Valid e-mail from this bank uses the from address domain of the massmailer, not the banks domain. However, the official mails are nice enough to remind users to please add the strange address to their address book in order to avoid running afoul of spam filters. So we have all been perfectly conditioned to click on everything that moves, never mind the spelling, grammar and other inconsistencies...There does appear to be a difference between US and European banks as well. European banks regularly use one time passwords and tokens. I have yet to see a single US bank to use either. I did my first online banking back in Germany around 1985. Back then, the bank handed me a sheet with one time use "transaction numbers". The scheme is simple: Each time you authorize a transaction, you use one of these numbers and cross it off the list. The sheet lasts about a year, and the bank will send you a new one in time."

[ID fraud rife in the UK...]

FYI...

ID fraud rife in the UK...
- http://www.theregister.co.uk/2005/03/03/which_id_fraud_survey/
3rd March 2005
"...Consumers can take a number of simple steps to avoid getting caught out by ID fraudsters. These include:

- not using your mother's maiden name or place of birth as a security password
- shredding sensitive documents before binning them
- avoid using the same password on more than one account ..."

 

[Phishers Use Wildcard DNS to Build Convincing Bait URLs]

FYI...

Phishers Use Wildcard DNS to Build Convincing Bait URLs
- http://news.netcraft.com/archives/2005/03/07/phishers_use_wildcard_dns_to_build_convincing_bait_urls.html
March 7, 2005
"Phishing operations have begun using DNS wildcards and URL encoding to create email links that display the URLs of legitimate banking sites, but send victims to spoof sites designed to steal their login details. A wildcard DNS record (*.example.com) will resolve all requests that are not matched by any other record. Wildcards are typically used to manage errant or mistyped e-mail addresses, but have been routinely abused by spammers. In recent weeks wildcard DNS settings have been used in a wave of phishing attacks on Barclays Bank, in which the "bait" email included URLs starting with barclays.co.uk, followed by a lengthy sequence of letters and symbols. Several examples:
 
-http://barclays.co.uk|snc9d8ynusktl2wpqxzn1anes89gi8z.dvdlinKs.at/pgcgc3p/
-http://barclays.co.uk|YJ3EMOHOqljQ8J5oW2ZKyTaRMQOahSWaxTrFTEQK9l9VVQj6jDtyq10d24r2h0bijh2
-http://barclays.co.uk|34fdcb4rvdnp9phxbahhvbs6l56a2uyx%2edivxmovies%2ea%74/41pvaw3/

The phishers use a wildcard DNS setting at a third-party redirection service (kickme.to) to construct the URLS. The wildcard allows the display of URLs beginning with "barclays.co.uk," which is followed by a portion of the URL which is encoded to obscure the actual destination domain. The redirector at kickme.to/has.it forwards to a Barclays spoof site hosted...in Moscow. The spoof loads a page from the actual Barclays site, and then launches a data collection form in a pop-up window from the Russian server..."