Full Disclosure mailing list archives

The New Face of Phishing
From: Gadi Evron <ge () linuxbox org>
Date: Sun, 19 Feb 2006 02:19:51 +0200

Taken from IP:

The New Face of Phishing
By Brian Krebs |  February 13, 2006


Now here's where it gets really interesting. The phishing site, which
is still up at the time of this writing, is protected by a Secure
Sockets Layer (SSL) encryption certificate issued by a division of
the credit reporting bureau Equifax that is now part of a company
called Geotrust. SSL is a technology designed to ensure that
sensitive information transmitted online cannot be read by a
third-party who may have access to the data stream while it is being
transmitted. All legitimate banking sites use them, but it's pretty
rare to see them on fraudulent sites.



Brian is one of the more serious security-working reporters out there; I
always enjoy what he writes.

Still, this may be newly utilized these days, but it isn't new. This was
*even* reported on TechTV 2 years ago or so.

*Some* new disturbing phishing trends from the past year:

POST information in the mail message
That means that the user fills his or her data in the HTML email message
itself, which then sends the information to a legit-looking site.

The problem with that is, how do you convince an ISP that a real
(compromised) site is indeed a phishing site, if there is no
phishy-looking page there, but rather a script hiding somewhere?

Trojan horses
This is an increasing problem. People get infected with these bots,
zombies or whatever else you'd like to call them and then start sending
out the phishing spam, while alternating the IP address of the phishing
server, which brings us to...

Fast Flux is a term coined in the anti-spam world to describe such
Trojan horses' activity.

The DNS RR leading to the phishing server keeps changing, with a new IP
address (or 10) every 10 minutes to a day.

Trying to keep up and eliminate these sites before they move again is
frustrating and problematic, making the bottleneck the DNS RR which
needs to be nuked.


There are others, but as always - don't rely on the written press for
your updated security information.

A few weeks ago Dr. Alan Solomon (drsolly) wrote on the funsec list,
responding to someone saying he is shocked at how inaccurate media reports
can be about his region in the world.

Alan said something of the sort: "What? Being in the security world and
seeing how security information gets misrepresented in the papers all
these years didn't give you a hint? You honestly thought that it was
limited to your field?"

(Not what he said, can't find the exact quote right now, but I loved it.
His was a lot shorter. Gotta love that guy).




"Out of the box is where I live".
        -- Cara "Starbuck" Thrace, Battlestar Galactica.
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
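A defender-side check for the fast-flux pattern described in the post (a name whose A records keep changing, each with a short TTL), as an added example that is not part of the original message. It scores a hostname from constructed DNS observation records; the /16 prefix diversity it uses is an assumed stand-in for ASN diversity, so that CDN-style short-TTL names that stay inside one network are not flagged.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class DnsObservation:
    ts: int    # seconds since epoch when the answer was seen
    name: str  # queried hostname
    ip: str    # A record returned in the answer
    ttl: int   # TTL on the answer, in seconds


def flux_features(observations, name, window_s=86400):
    """Summarise how a name's A records behaved within the latest window."""
    rows = [o for o in observations if o.name == name]
    if not rows:
        return None
    newest = max(o.ts for o in rows)
    rows = [o for o in rows if newest - o.ts <= window_s]
    ips = {o.ip for o in rows}
    # Assumption: no ASN data available offline, so /16 prefixes approximate network diversity.
    nets = {int(ip_address(ip)) >> 16 for ip in ips}
    return {"ips": len(ips), "nets": len(nets), "min_ttl": min(o.ttl for o in rows)}


def is_fast_flux(observations, name, min_ips=5, min_nets=3, max_ttl=3600):
    """Flag a name that rotated many addresses across many networks with short TTLs."""
    f = flux_features(observations, name)
    if f is None:
        return False
    return f["ips"] >= min_ips and f["nets"] >= min_nets and f["min_ttl"] <= max_ttl


# Constructed sample observations (hostnames and addresses are invented for this example).
SAMPLE = [
    # suspected flux host: a new address every 10 minutes, TTL 300, each in a different /16
    *(DnsObservation(1000 + 600 * i, "login-update.example", f"10.{20 + i}.3.{40 + i}", 300)
      for i in range(8)),
    # CDN-style host: TTL 300 and several addresses, but all inside one /16
    *(DnsObservation(1000 + 600 * i, "static.cdn.example", f"203.0.113.{10 + i}", 300)
      for i in range(6)),
    # ordinary host: a single address with a day-long TTL
    DnsObservation(1000, "www.example", "198.51.100.7", 86400),
]

if __name__ == "__main__":
    for host in ("login-update.example", "static.cdn.example", "www.example"):
        print(host, flux_features(SAMPLE, host), "FLUX" if is_fast_flux(SAMPLE, host) else "ok")
```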
