RE: Discovering and Stopping Phishing/Scam Attacks

[Nuno Costa <webcenter () sapo pt>]

Randy,

the phisher needs to colect first the username and then the password with
probably two interactions from the user...

but the problem for the fisher is that, when i tries to get the 3rdfield, i need
to authenticate if not, the username will be locked and a mail will be send from
the bank site for example, saying that something happen, and this is your
security code, to unlock your username and force to change the username, now
the phisher guy, don't know again the username...

i just can see a way to the phisher can get the user and pass, when he knows the
username, he can brute force with just 3times, the other way is having access
the user email account...

regards
Nuno Costa


Randy :

I think that the system you're proposing will stop *current* phishing
schemes but it wouldnt take a lot for the phishers to come up with a
way
to retrieve that third piece of information from the user.

A lot of places verify information with the "third question" you're
referring to (pet's name, childhood superhero, mother's maiden name,
etc)
and identity theft is still a problem for us.

If a user is willing to give their username and password to an
unverified
source, it only takes a little more work to get that third piece of
information from them.

~randy

On Thu, 28 Apr 2005 webcenter () sapo pt wrote:

> ok mr. moderator...
>
> i think the real problem to phishing exists is the weak process of
login
systems
> today...
>
> anyone just needs a login and password, to be authenticated, i
think web
> aplications needs to change login systems... to be more tight...
and the
> phishers maybe loose there hope to grep information very easy with
just a
> username and password...
>
> my idea and solution to a new login system is this...
>
> creating a 3rd field, this 3rd field the user will choose... it
will work
like
> saying yes this is the real bank system welcome back mr. user
insert your
> password...
>
> the process...
>
> 1rst page
> user -> puts the username...
>
> second page..
>
> 3rd field -> what is your cat name? now the user knows that this
was the
> question that he have put int the 3rdfield from the real bank site
(he can
put
> what he want)...
> password ?? -> user puts the password.. he is athenticated.
>
> now the phishers they have more work, needs two process to gain
access to
the
> bank user account...
>
> first they need to colect the username to get the 3rd field... and
they need
to
> put the 3rdfield in the false website... to get the password... but
this is
the
> deal...
>
> when a user or anyone, puts the username in this login system needs
to
proceed
> with a password, if not, if the user close the browser, if he tries
3times
and
> can't login, the system will block the username and send a email to
the real
> user, a code to unblock the username and force the user to change
the
username
> and 3rd field... and now the phishers don't know again what will be
the new
> username and 3rdfield...
>
> this system, is nothing from other planet and i think that help a
lot the
users,
> and will stop a litle or a big % this phisher mans...
>
>
> regards
> Nuno Costa
>
> -----Original Message-----
> From: Krul Thomas [mailto:Thomas.Krul () psepc-sppcc gc ca]
> Sent: April 27, 2005 10:31 AM
> To: 'Alex'; incidents () securityfocus com
> Subject: RE: Discovering and Stopping Phishing/Scam Attacks
>
> I received a phishing scam email for RBC Bank literally moments
ago.
> The
> Web site is based in the Czech Republic with very little in the way
> to
> disguise the address of the site. (At last check, the site was
still
> up
> at:
> http://updatestatus.webz.cz/rbc/cgi-bin/rbaccess/login.html)
>
> Odd, either there are some newbie phishers out there, or they are
> starting to realise that no matter how much they disguise their
sites
> someone will be having them shut down soon enough so catching the
> uninformed in the few moments they have is paramount. Will we be
> seeing
> an increase in the diversity of referring addresses in a flooding
> attempt to catch the last remaining moms and pops who don't know
> better
> versus well-crafted addresses that don't arouse suspicions?
>
> -----Original Message-----
> From: Alex [mailto:incidents () alex gotdns org]
> Sent: Tuesday, April 26, 2005 7:51 PM
> To: incidents () securityfocus com
> Subject: Re: Discovering and Stopping Phishing/Scam Attacks
>
> I agree that checking by referer addresses is a powerful way to
> detect
> phishing sites, but such logs can easily be adverted?
>
> Doesn't some anti-popup software remove referer fields?
>
> Simple use of javascript can allow a page to fetch anything without
> showing
> up in referer logs.
>
> While we are on the subject, has anyone come across commercial
and/or
> government websites being (illegally?) mirrored?
>
> For example, I recently came a website located on a (Asian?)
hosting
> provider where the content of the website was EXACTLY that of a
> well-known
> US govt website. (It appeared that they ran the equivalent of a
> recursive
> "wget" on the real site and hosted the files). It appeared to be
> several
> layers deep.
>
> Why would anyone want to do that?
>
> -Alex
------------------------------------------------------------------------
> --
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks
> from
> CORE IMPACT.
> Go to
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
>
> to learn more.
------------------------------------------------------------------------
> --
------------------------------------------------------------------------
> --
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks
> from
> CORE IMPACT.
> Go to
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
>
> to learn more.
------------------------------------------------------------------------
> --
--------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks
> from
> CORE IMPACT.
> Go to
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
--------------------------------------------------------------------------
> SMS GRÁTIS do seu PC para qualquer rede nacional (TMN, Vodafone,
Optimus e
PTC). Basta instalar o SAPO Messenger e adicionar amigos!
> Vá agora a : http://messenger.sapo.pt/sms/
--------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks
from
> CORE IMPACT.
> Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
--------------------------------------------------------------------------
>




SMS GRÁTIS do seu PC para qualquer rede nacional (TMN, Vodafone, Optimus e PTC). Basta instalar o SAPO Messenger e 
adicionar amigos!
Vá agora a : http://messenger.sapo.pt/sms/


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------