WebApp Sec mailing list archives

RE: Phishing


From: "Zoso" <zoso () laz com>
Date: Thu, 13 May 2004 09:00:07 -0500

Also, this was released earlier this month:

On 5 May 2004, Gartner announced the results of a survey showing that an
estimated 57 million American adults received e-mail attacks from "phishers"
- hackers or cyberthieves who pretend to be trusted service providers to
steal consumer account information. Survey respondents included 5,000 online
adults, selected as a representative sample of the U.S. population.
Extrapolating from this sample, Gartner concludes that more than 30 million
people were "absolutely sure" they were victims of a phishing attack, and
another 27 million thought they had received what "looked like" a phishing
attack - and over 90 percent said the attacks happened within the past year.
Another 35 million were unsure whether they had experienced an attack, and
just 49 million of 141 million online consumers said they had not
experienced one. 

-----Original Message-----
From: Shivangi Nadkarni [mailto:shivangi () safescrypt com] 
Sent: Wednesday, May 12, 2004 12:15 PM
To: webappsec () securityfocus com
Subject: RE: Phishing

For those interested in phishing - which has seen an alarming rise in the
recent past - check out www.antiphishing.org. Lots of useful info available
there.

cheers,
Shivangi

-----Original Message-----
From: Sarah Elan [mailto:selan () testsys com]
Sent: Wednesday, May 12, 2004 8:42 PM
To: webappsec () securityfocus com
Subject: RE: Phishing


One hole I've seen on many large, respected sites is pages that accept any
url as input and will automatically redirect to that url without (appearing
to) perform any validation that the requested url is one which they want to
redirect to.

For example, http://www.trustme.com/url?q=http://www.phishme.com.
The "url?q=http://www.phishme.com" part can be obfuscated with the usual
techniques and the user thinks he is going to trustme.com, when in fact
trustme.com has blindly redirected him to phishme.com.

Redirect pages should always validate against a list of known good urls.
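As an added illustration of the allowlist check recommended above (not code
from this thread; the host names and the query parameter are placeholders
matching the trustme.com example), here is a redirect validator that only
accepts same-site relative paths or absolute http(s) URLs whose host is on a
known-good list. It also covers the usual ways an allowlist check gets
bypassed: userinfo before the real host, scheme-relative "//host" targets,
backslashes that browsers treat as slashes, and non-http schemes.

```python
"""Allowlist validation for a redirect parameter such as /url?q=...

Added example, not code from the mailing list post; host names below are
hypothetical placeholders standing in for the "trustme.com" in the thread.
"""
from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts this site will redirect to.
ALLOWED_HOSTS = {"www.trustme.com", "secure.trustme.com"}
# Where to send the user when the requested target is rejected.
DEFAULT_TARGET = "https://www.trustme.com/"


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if `target` is a same-site relative path or an
    absolute http(s) URL whose host name is on the allowlist."""
    if not target or any(c in target for c in "\r\n\x00"):
        return False  # empty, or control characters (header injection)

    # Browsers treat "\" like "/" in URLs, so "/\phishme.com" would parse
    # here as a relative path but be followed by the browser as
    # "//phishme.com". Normalise before parsing so both look the same.
    normalised = target.replace("\\", "/")
    try:
        parts = urlsplit(normalised)
    except ValueError:
        return False  # malformed, e.g. bad IPv6 bracket syntax

    if parts.scheme == "" and parts.netloc == "":
        # Relative target: must start with exactly one "/" to stay on
        # this site ("//host/..." is scheme-relative and leaves the site).
        return normalised.startswith("/") and not normalised.startswith("//")

    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, ftp: and friends

    # .hostname strips "user:pass@" and ":port" and lower-cases, so
    # "http://www.trustme.com@www.phishme.com/" yields www.phishme.com.
    host = parts.hostname
    return host is not None and host in allowed_hosts


def resolve_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return `target` if it passes the allowlist, else the safe default."""
    return target if is_safe_redirect(target, allowed_hosts) else DEFAULT_TARGET


if __name__ == "__main__":
    # Constructed sample inputs, including the thread's phishme.com case.
    for candidate in ("/account/settings",
                      "http://www.trustme.com/account",
                      "http://www.phishme.com",
                      "//www.phishme.com",
                      "http://www.trustme.com@www.phishme.com/"):
        print(f"{candidate!r:45} -> {resolve_redirect(candidate)}")
```

Note that exact host matching is deliberate: a suffix check like
`host.endswith("trustme.com")` would accept "www.trustme.com.phishme.com",
which is exactly the sort of slightly-different domain name the rest of this
thread warns about.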

-----Original Message-----
From: Jordan Dimov [mailto:jdimov () nsegcorp com]
Sent: Wednesday, May 12, 2004 10:51 AM
To: webappsec () securityfocus com
Subject: Re: Phishing


These are good starting points, Rogan.  I'd love to see further 
discussion on this topic.

Make the site name as short as possible, and as obvious as possible, to
reduce confusion. Rather than "www{1,2,3,4,5,6,7,8,9}.encrypt.bank.com", try
to use something short and simple like "secure.bank.com", and use it
consistently for all servers supporting a particular application. That way
there is less confusion for users, and less likelihood that a scammer will
get away with using a slightly different domain name.


This doesn't really protect against typographical domain name scams (e.g.
paypai.com vs. paypal.com).

Additionally, there are several known security vulnerabilities in MSIE 
and other browsers that make it much easier for attackers to hide the 
true identity of their fake site and mislead the user.

  -- Jordan

Association for Information Security (www.iseca.org)
