Next Gen Phishing Improves on Simple Spam 112
An anonymous reader writes "ZDNet has a writeup about the next generation of phishing. According to the article, as anti-spam engines improve and user education levels increase, phishers will find it easier to hack into web servers and deliver password stealing trojans using browser vulnerabilities or Web 2.0 technologies than spam. Tom Chan from Messagelabs is quoted: 'They are trying to compromise poorly protected Web sites — they basically go in and enter their own code into that Web server,' said Chan, who explained that victims of this new phishing era would not have to do anything wrong in order to get hooked. 'You have gone to a legitimate Web site, you have not made a mistake and done everything right, but then your information gets compromised... because [the phishers] have taken over servers that belong to other people.'"
Inaccurate Term? (Score:4, Insightful)
Not to be pedantic here, but if a person gains access to users' passwords by hacking the actual site, rather than sending out bogus emails and/or setting up counterfeit web pages, can this activity really be called 'phishing'?
From TFA:
And from the 'phishing' entry in Wikipedia:
This attack does not consist of masquerading as a trusted party...it consists of compromising said trusted party. Thus, this activity cannot accurately be referred to as 'phishing'.
Need a new metaphor (Score:5, Insightful)
Re:Inaccurate Term? (Score:3, Insightful)
In other news I have created a Next-Gen motorcycle that gets unlimited miles to the gallon, due to the addition of two levers that you operate with your feet that drive the rear wheel using a combination of chains and sprockets.
Re:Next Gen? (Score:3, Insightful)
It's even worse in TFA. (Score:3, Insightful)
So you could break into a bank and steal a backup tape with usernames/passwords and that would be "phishing".
Has "phishing" become another meaningless buzzword for "security" "experts" to toss around?
Re:Even the well educated fall for it... (Score:5, Insightful)
I wonder if that has more to do with lack of education regarding bank/web security or have phishers just gotten that much better?
Phishers have gotten better, but the bottom line is: the average on-line banking customer is still pretty clueless. They subscribe to the theory, "if it walks like a duck and quacks like a duck and looks like a duck, it's a duck," which on the Internet is akin to measuring the speed of a bus by being hit by it and seeing how much it hurts.
My maxim has been: if it's actually from my bank, then I should be able to take a copy of the email to my local branch or call the bank and ask if the information in it is correct, i.e. have they lost all my data? The answer in 99.9% of cases will be no; of course there are increasingly less rare occasions where the bank has lost your data or let it get out into the wild. In those cases, the bank isn't generally going to admit it until some plucky person figures it out and makes them own up to it.
Re:Interesting theory but.... (Score:1, Insightful)
while your PC point might be correct, your pencil and motor vehicle analogies are bad. a pencil is just dead simple and, in fact, hides nothing from the user as to how it works (i'll let you argue mechanical pencils might). it also requires the user to perform all maintenance with regards to keeping the pencil in working condition.
your car example is just as bad. but for the opposite reason. cars DO hide most everything complicated from the user. about the simplest possible interface to getting the car to go from one location to another is presented to the user and not much more. ignition, gas, brake, steering wheel and gas tank entry point are the interface to the car. how it actually works is well beyond the knowledge of most people. when something is wrong with their car a light will go on or a noise will be made signalling that the user should take it to someone who knows what to do. under normal circumstances the user will need 0 knowledge of the internal workings of the car. exactly the opposite of what you're claiming.
Re:Even the well educated fall for it... (Score:3, Insightful)
Why should people on the internet be any smarter?
Don't waste your time (Score:3, Insightful)
Re:Even the well educated fall for it... (Score:3, Insightful)
How does this translate to the online world? Not so easily. It is easier to get tricked by things like mail headers and URLs.