Security Incidents mailing list archives
RE: Discovering and Stopping Phishing/Scam Attacks
From: Nuno Costa <webcenter () sapo pt>
Date: Thu, 28 Apr 2005 16:57:49 +0100
Randy, the phisher needs to colect first the username and then the password with probably two interactions from the user... but the problem for the fisher is that, when i tries to get the 3rdfield, i need to authenticate if not, the username will be locked and a mail will be send from the bank site for example, saying that something happen, and this is your security code, to unlock your username and force to change the username, now the phisher guy, don't know again the username... i just can see a way to the phisher can get the user and pass, when he knows the username, he can brute force with just 3times, the other way is having access the user email account... regards Nuno Costa Randy : I think that the system you're proposing will stop *current* phishing schemes but it wouldnt take a lot for the phishers to come up with a way to retrieve that third piece of information from the user. A lot of places verify information with the "third question" you're referring to (pet's name, childhood superhero, mother's maiden name, etc) and identity theft is still a problem for us. If a user is willing to give their username and password to an unverified source, it only takes a little more work to get that third piece of information from them. ~randy On Thu, 28 Apr 2005 webcenter () sapo pt wrote:
ok mr. moderator... i think the real problem to phishing exists is the weak process of
login systems
today... anyone just needs a login and password, to be authenticated, i
think web
aplications needs to change login systems... to be more tight...
and the
phishers maybe loose there hope to grep information very easy with
just a
username and password... my idea and solution to a new login system is this... creating a 3rd field, this 3rd field the user will choose... it
will work like
saying yes this is the real bank system welcome back mr. user
insert your
password... the process... 1rst page user -> puts the username... second page.. 3rd field -> what is your cat name? now the user knows that this
was the
question that he have put int the 3rdfield from the real bank site
(he can put
what he want)... password ?? -> user puts the password.. he is athenticated. now the phishers they have more work, needs two process to gain
access to the
bank user account... first they need to colect the username to get the 3rd field... and
they need to
put the 3rdfield in the false website... to get the password... but
this is the
deal... when a user or anyone, puts the username in this login system needs
to proceed
with a password, if not, if the user close the browser, if he tries
3times and
can't login, the system will block the username and send a email to
the real
user, a code to unblock the username and force the user to change
the username
and 3rd field... and now the phishers don't know again what will be
the new
username and 3rdfield... this system, is nothing from other planet and i think that help a
lot the users,
and will stop a litle or a big % this phisher mans... regards Nuno Costa -----Original Message----- From: Krul Thomas [mailto:Thomas.Krul () psepc-sppcc gc ca] Sent: April 27, 2005 10:31 AM To: 'Alex'; incidents () securityfocus com Subject: RE: Discovering and Stopping Phishing/Scam Attacks I received a phishing scam email for RBC Bank literally moments
ago.
The Web site is based in the Czech Republic with very little in the way to disguise the address of the site. (At last check, the site was
still
up at: http://updatestatus.webz.cz/rbc/cgi-bin/rbaccess/login.html) Odd, either there are some newbie phishers out there, or they are starting to realise that no matter how much they disguise their
sites
someone will be having them shut down soon enough so catching the uninformed in the few moments they have is paramount. Will we be seeing an increase in the diversity of referring addresses in a flooding attempt to catch the last remaining moms and pops who don't know better versus well-crafted addresses that don't arouse suspicions? -----Original Message----- From: Alex [mailto:incidents () alex gotdns org] Sent: Tuesday, April 26, 2005 7:51 PM To: incidents () securityfocus com Subject: Re: Discovering and Stopping Phishing/Scam Attacks I agree that checking by referer addresses is a powerful way to detect phishing sites, but such logs can easily be adverted? Doesn't some anti-popup software remove referer fields? Simple use of javascript can allow a page to fetch anything without showing up in referer logs. While we are on the subject, has anyone come across commercial
and/or
government websites being (illegally?) mirrored? For example, I recently came a website located on a (Asian?)
hosting
provider where the content of the website was EXACTLY that of a well-known US govt website. (It appeared that they ran the equivalent of a recursive "wget" on the real site and hosted the files). It appeared to be several layers deep. Why would anyone want to do that? -Alex
------------------------------------------------------------------------
-- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
--
------------------------------------------------------------------------
-- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
--
--------------------------------------------------------------------------
Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
SMS GRÁTIS do seu PC para qualquer rede nacional (TMN, Vodafone,
Optimus e PTC). Basta instalar o SAPO Messenger e adicionar amigos!
Vá agora a : http://messenger.sapo.pt/sms/
--------------------------------------------------------------------------
Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks
from
CORE IMPACT. Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
SMS GRÁTIS do seu PC para qualquer rede nacional (TMN, Vodafone, Optimus e PTC). Basta instalar o SAPO Messenger e adicionar amigos! Vá agora a : http://messenger.sapo.pt/sms/ -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- Re: Discovering and Stopping Phishing/Scam Attacks, (continued)
- Re: Discovering and Stopping Phishing/Scam Attacks Alex (Apr 27)
- Re: Discovering and Stopping Phishing/Scam Attacks byte_jump (Apr 27)
- RE: Discovering and Stopping Phishing/Scam Attacks Thomas Adams (Apr 27)
- Re: Discovering and Stopping Phishing/Scam Attacks byte_jump (Apr 27)
- RE: Discovering and Stopping Phishing/Scam Attacks Scovetta, Michael V (Apr 27)
- RE: Discovering and Stopping Phishing/Scam Attacks Marco A. Zamora Cunningham (Apr 27)
- RE: Discovering and Stopping Phishing/Scam Attacks Krul Thomas (Apr 27)
- RE: Discovering and Stopping Phishing/Scam Attacks Calder, James (EXP) (Apr 27)
- RE: Discovering and Stopping Phishing/Scam Attacks webcenter (Apr 28)
- RE: Discovering and Stopping Phishing/Scam Attacks Randy (Apr 28)
- RE: Discovering and Stopping Phishing/Scam Attacks Nuno Costa (Apr 28)
- Re: Discovering and Stopping Phishing/Scam Attacks Dave Greer (Apr 28)
- Re: Discovering and Stopping Phishing/Scam Attacks Rainer Duffner (Apr 28)
- Message not available
- Administrivia: RE: Discovering and Stopping Phishing/Scam Attacks Daniel Hanson (Apr 28)
- Re: Administrivia: RE: Discovering and Stopping Phishing/Scam Attacks Valdis . Kletnieks (Apr 29)
- RE: Discovering and Stopping Phishing/Scam Attacks webcenter (Apr 28)
- Re: Discovering and Stopping Phishing/Scam Attacks Steven (Apr 28)
- RE: Discovering and Stopping Phishing/Scam Attacks Alex (Apr 28)
- RE: Discovering and Stopping Phishing/Scam Attacks webcenter (Apr 28)
- RE: Discovering and Stopping Phishing/Scam Attacks Michael J. Pomraning (Apr 28)
- Re: Discovering and Stopping Phishing/Scam Attacks Andrew Kopp (Apr 28)