Phishing: The Forever Hack

Most of the hacking techniques described in the 1994 book Secrets of a Super-Hacker are now laughably out of date. But not all of them. A few are not only still effective, but far more effective in the current era of ubiquitous internet access. As the author notes early in the book, some attacks are timeless:


This is a companion discussion topic for the original blog entry at: http://www.codinghorror.com/blog/2007/05/phishing-the-forever-hack.html

Phishing via email would be a whole lot harder if companies would digitally sign their newsletters. In all my years on the internet, I’ve NEVER received a digitally signed email. Like others, I, too, am always getting real emails from the companies I do business with that contain links. If those emails were signed, I’d feel a lot better about them. For instance, I get Microsoft’s TechNet and MSDN Flash newsletters. Those things are chock full of links. Not only are they not signed, sometimes they purportedly come from a named individual on the Microsoft newsletter domain and not from the domain itself. I have no idea whether they are valid or phishing attempts. Surely, any company that does business on the web (especially Microsoft) must have some kind of certificate. Why don’t they use one to sign their emails?

Most people should not use the web, at least not someone who couldn’t set the time on their VCR.

Furthermore, a good percentage of those who do shouldn’t buy things or do financial business on the web.

Personal computers quit being personal as soon as we moved off of Windows 3.11. Now they are ‘1984-esque’ adapter units into the Matrix.

People who incorrectly identified legit sites as illegitimate sites shouldn’t be considered to have done the wrong thing. Any site which presents a login/password form without SSL has blown it, and people are right to refuse to interact with it.

And another thing: Those alerts you get for self-signed certificates on production servers? Pure evil. Regular people have no idea what they mean and just try to figure out what to click to continue with whatever they are doing, regardless of the stern wording. We knew that. But I wanted to point out there is a common practice which makes this even worse than usual. Many sites put self-signed certificates into production and then tell people who complain to just click through the warning alert. How stupid is that? The sites are too cheap to get a proper certificate, or perhaps they use software which is architected to scale poorly such that proper certificates are cost-prohibitive, and then the site takes the attitude that its users are being unreasonable when they try to protect themselves. cPanel, I’m looking at you.

Hack != Crack.

This might not work for the average user, but I would love to see a “details” section in the warning notice that explained which traits of the page triggered the warning. That would help people learn what to look for even when there is no warning.

I just picked a random site from PhishTank and tested it with IE 6. It did not give any warning whatsoever and merrily continued showing the page. The mere thought of the number of users still using IE 6 gives me shudders!

I haven’t read the study in detail, but it seems to me that it’s sort of missing the point. The issue is surely how to train people to only use their bookmarks to reach important sites in the first place. If people don’t click on links in e-mails and on the web in the first place, it’s less important that they are an expert on how to tell a phishing site from one that’s not.

Also if people are told to expect a mix of real and fake sites, they may feel that they have to put half real and half fake and if they err on the side of caution as they might in real life, they might feel they are putting too many as fake.

@Kiran

IE6 doesn’t have any phishing filter whatsoever installed, so don’t be surprised :)

My mom has just started using the Internet recently, and this sort of thing terrifies me.

How do you explain to a total neophyte how to identify that poorly defined “shadiness” that gives away a scam on the Web?

It scares the crap out of me that I pretty much have to rely on Internet Explorer to protect her from this stuff…unless I want to sit there with her the entire time she’s using her computer and personally check the validity of each and every site she browses to.

“The issue is surely how to train people to only use their bookmarks to reach important sites in the first place.”

That’s what I taught my parents to do: “Only use this bookmark here to open the Internet Banking page. Period. Never, ever, give any attention to any e-mail you receive from your own bank.” They’ve never been caught (yet), although I’m sure they’d not succeed in that study.

delirium:

That’s fine and dandy, but (IMHO) on the other side, we also need to teach companies not to send e-mail out with web links in them. It’s a major convenience, but it would be a lot simpler to teach neophytes “don’t click on any link that comes from e-mail.” Instead, I get e-mails from Capital One saying “Hey! Your statement is ready! Click here to check it!”

Also, Jeff: PhishTank is a cool resource, but it really just band-aids the problem. I’m part of a group that combats phishing websites, and the general consensus is that PhishTank, while a very good repository of data, doesn’t actually DO anything besides say “yup, that’s a phish!”

While this is arguably useful for the reasons you stated, this only helps people who use the PhishTank feed. The sizable majority of people on the website do nothing to remove the phish, which is the real-world equivalent of watching a mugging and doing nothing.

Just a plug for one of the groups that do stuff (not the one I’m involved with): CastleCops’ Phishing Incident Reporting and Termination Squad (http://wiki.castlecops.com/PIRT), a crack group of individuals that handle termination of phish. If you ever get a phish, submit it to them.

Just my $0.02

To Matt Blodgett: You do not have to rely on IE. Install Firefox and also install the “McAfee SiteAdvisor” plugin/extension. Not only does this give you one extra line of defense, it also rates search results from the major engines. After you install it, with the plugin, go to Google and search on screen savers. To the right of the results on each line you will see either a green check, a yellow mark or a red X. The sites that are known for bad things will be marked with the red X’s. I put this on my wife’s PC and we have had no issues for over a year with spyware and the like. And yes, SiteAdvisor helps with phishing too.

To Jeff: Good article!

Hey, I have that book!
Ah, the memories… it was my first “computer security” book :)

They are really smart; I have the maximum variation for PayPal hacks. I have also made a post about it.

Some are with https, some are https://paypal.com.something.com, and the rest all look like PayPal. The emails are smart too: the anchor text is for paypal.com, but the link goes to some other site.

http://www.idealwebtools.com/blog/paypal-hacking/ has more variations.
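The two tricks the comment above describes, a look-alike host such as https://paypal.com.something.com and anchor text that names paypal.com while the href goes elsewhere, can both be caught by comparing hostnames rather than eyeballing them. The following is an added example, not code from this thread or from any of the sites mentioned; the HTML message it scans is constructed, and `.something.example` is a placeholder domain.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text that itself looks like a domain or URL (optional scheme and www.)
DOMAIN_TEXT = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:/\S*)?$", re.I)

def host_matches(hostname, expected):
    """True if hostname is `expected` or a real subdomain of it; paypal.com.something.com is neither."""
    hostname = hostname.lower().rstrip(".")
    expected = expected.lower().rstrip(".")
    return hostname == expected or hostname.endswith("." + expected)

def url_belongs_to(url, expected="paypal.com"):
    return host_matches(urlparse(url).hostname or "", expected)  # scheme, port and path are ignored

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the message."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    """Return (href, text) for anchors whose visible text names a host the href does not
    actually lead to. Text that is not a domain ("Click here") has nothing to compare against."""
    parser = _AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.anchors:
        shown = DOMAIN_TEXT.match(text)
        if shown and not host_matches(urlparse(href).hostname or "", shown.group(1)):
            flagged.append((href, text))
    return flagged

# Constructed sample message (not a real email): one honest link with plain text, one
# look-alike subdomain whose anchor text claims to be paypal.com, one honest domain link.
SAMPLE_EMAIL = """<p>Your statement is ready! <a href="https://www.paypal.com/myaccount">Click here to check it</a></p>
<p>Or log in at <a href="https://paypal.com.something.example/login">https://paypal.com</a></p>
<p>Questions? Visit <a href="https://www.paypal.com/help">www.paypal.com</a></p>"""
```

Running `mismatched_links(SAMPLE_EMAIL)` flags only the second anchor; `url_belongs_to` alone is enough to reject the look-alike host regardless of how the link is presented.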

Stonehat: You’re probably going to have to give that one up. So few people know there’s a distinction, and even fewer care.

What about DoS attacks by inclusion of real sites in blacklists?

Personally, I suspect the quoted study is flawed in several ways.

I might fail some of the sample “is this website phishing?” tests, but that doesn’t make me susceptible in the real world as I would never end up logging in to a phishing site anyway.

Why?

Well, despite several of my financial services’ attempts to defeat my browser’s autocompleting feature, I have forced my browser to autocomplete part of my login information. As a result, when I log in to PayPal, if I make a typo in the URL (or otherwise end up at a phishing site), the login information won’t complete and I’ll be suspicious.

Unfortunately, one day one of my banks will find a way to completely block autocomplete, at which time either they will indemnify me against any successful phishing attacks or I will find a bank with a focus on security rather than one so devoted to wasting my time.

More importantly though, phishing IS solvable using a security technique that does not rely on the user being responsible for the identification AND authentication mechanisms.

Right now, bank security is “something you know” online, and “something you know” AND (“something you have” OR “something you are”) in person. We need to get “something you have” into the picture when banking online.

In other words, if the user is not capable of revealing their password in a trivial way, it will stop phishing in its tracks.

Smartcards are one solution. Client side certificates are another.

Neither are a perfect security solution themselves, but both can stop phishing completely if properly implemented.

People should follow one simple rule: never click on a link in an email. Always use bookmarks to go to banking or shopping sites.