Next Gen Phishing Improves on Simple Spam

An anonymous reader writes "ZDNet has a writeup about the next generation of phishing. According to the article, as anti-spam engines improve and user education levels increase, phishers will find it easier to hack into web servers and deliver password stealing trojans using browser vulnerabilities or Web 2.0 technologies than spam. Tom Chan from Messagelabs is quoted: 'They are trying to compromise poorly protected Web sites — they basically go in and enter their own code into that Web server,' said Chan, who explained that victims of this new phishing era would not have to do anything wrong in order to get hooked. 'You have gone to a legitimate Web site, you have not made a mistake and done everything right, but then your information gets compromised... because [the phishers] have taken over servers that belong to other people.'"
  • by Alkivar ( 25833 ) on Tuesday September 12, 2006 @09:42AM (#16088093) Homepage
    After working in bank security for a few months, I was constantly amazed by how even the most educated of web users still fall for a phishing scam. I wonder if that has more to do with lack of education regarding bank/web security, or have phishers just gotten that much better?
  • Happened to us (Score:4, Interesting)

    by Exp315 ( 851386 ) on Tuesday September 12, 2006 @09:45AM (#16088114)
    I'd call it hacking, not phishing, but this happened to us earlier this year. Our company web site at was hacked many times over a period of a month to insert code redirecting visitors to a Russian site that attempted to install a trojan. We knew that 's server was compromised because other users of the same server were also complaining about the same thing. 's reaction?: "We are aware of the problem and we are investigating". We abandoned our account there and moved to another web host after repairing our site every day (often several times per day) for a month.
  • Vouchsafe (Score:4, Interesting)

    by Doc Ruby ( 173196 ) on Tuesday September 12, 2006 @10:18AM (#16088274) Homepage Journal
    It's obvious that the current security practices we use on the Net are totally inadequate for our society. Most people have adopted some of us geeks' toys, like networks, email and multimedia - even custom T-shirts. But few of the normals have adopted some of the tools we geeks learned we needed to play with our toys without getting hurt. Geek posers are killing themselves, and dragging down our geek paradise with them.

    The best solution to all this phishing, spam and other harvesting naive "normals" is the trust web. Everyone has a private key for signing assertions, and a contact list with trust levels. Every message is signed (or default untrusted) by the sender and vouchers. When enough vouchers sign a message, it is trustworthy. The Web contains vouching centers, including diverse security analysts signing messages (including each others' assertions). People subscribe to many vouch sources, as well as "vouchmasters" which publish formulas for securing transactions. This way, anyone who says a transaction is unsafe, and is vouched by someone else, makes that transaction at least subject to review, or blocked, depending on the person's policy. Which depends on whom they trust.

    That is the kind of system I'd expect banks and governments to deploy for the public. They are the ones we are paying, and relying on, for security. There's so much efficiency to gain from security compared to the losses from insecurity that I expect a very diverse, competitive market of vouchers to thrive. The underlying tech, like PGP/GPG signing and other trustweb tools, already exists. There are already relatively informal vouchers, like CERT, DHS, and lots of independents.

    What's needed are standards for trust degrees, and simple UIs for using the trust web without learning many new skills. UIs simpler than antiphishing techniques will win. UAs like Firefox and Outlook merely coloring buttons red to blue for degrees of trust, keeping personal info stored locally for standard submission to standard requests graded by risk and identified by trustworthiness, would go very far. One-time passwords for every transaction to prevent replay attacks would go even further. And local databases with audit trails of every transaction would make it even easier to use once a transaction is doubted.

    All those features hook an automated trust web into many existing security practices already used by most people in person. A really secure regime would include privacy laws prohibiting transfer of personal info outside the transaction expressly required by the requester and expressly permitted by the sender. Putting personal info under copyright in detail, and a US Constitutional Amendment in general, would really lock our existing judicial/police/security system into a consistent defense of people as well as corporations.

    The time is now. Why doesn't Novell's Evolution at least require PGP/GPG by default? Why doesn't Firefox keep personal info stored encrypted for form submissions with a separate log? Why don't banks issue one-time password credit "cards" for Web use? We've already gone far enough down the path that it's obvious Microsoft, the US government, and Chase Bank aren't going to move first. Let's see some of the UIs start to make it easy, and force the backend of the trust web to catch up. I'm doing it in my own software. What are you doing?
  • by aliendisaster ( 1001260 ) on Tuesday September 12, 2006 @10:31AM (#16088333)
    E-Bay really did that to themselves by allowing outside code on the auctions. I guess a prettier auction is more important than security for the millions of e-bay users.
  • by Colin Smith ( 2679 ) on Tuesday September 12, 2006 @10:41AM (#16088394)
    And client side code. The Web 2.0 and Security 2.0 where we have a generation of "web programmers" who have to learn all of the security lessons from scratch. Hmmm, I wonder when we'll see the first viruses.
  • by jnaujok ( 804613 ) on Tuesday September 12, 2006 @10:45AM (#16088421) Homepage Journal
    Tell me about it. After I reported it, they took three days to take it down. I'm so glad they're right on top of things.
  • by jnaujok ( 804613 ) on Tuesday September 12, 2006 @10:53AM (#16088464) Homepage Journal
    Clearly you are not married.

    I used to be just like you. I could tell you the balance of my account to within 5 dollars just because I knew all the ins and outs.

    Suddenly I'm married, and the word "Overdrawn" entered my vocabulary.

    Imagine the dulcet tones of your wife saying, "How can we be overdrawn? I didn't spend that much when I was out shopping. Didn't I tell you I went shopping? What bills?"

    All I know for certain is that since I got married, I've increased my earnings by a factor of 400%, and there's still no money in the account...

    Sigh...
  • by Anonymous Coward on Tuesday September 12, 2006 @11:22AM (#16088651)
    That is my solution. Cookies off, Javascript off, Java off.
    Even less Flash or other even shadier active media.

    Web designers with huge egos have no business running their often crappy programs on my box.

    BTW, that is why I'll always post here as Anonymous Coward:

    No cookies, honey.
  • Re:Vouchsafe (Score:3, Interesting)

    by krack ( 121056 ) on Tuesday September 12, 2006 @11:48AM (#16088872) Homepage
    Please take my comments as constructive, they are intended as such.

    I think these things are not well- and widely-implemented for the same reasons that caused the dichotomy of MS releasing a DRM patch in 3 days, yet a security patch we must wait for while it goes through the "rigorous" testing process ends up corrupting my data.

    Many humans do not seem to view security as an advantage; they view it as a (potentially unnecessary, in their perspective) hindrance. In other words, there is no perceived profit in implementing security. If it costs you $10/widget to secure each widget, and you can sell them without securing them, securing them actually cuts into the quarterly bottom line. You would only want to spend the money and time on security when you can't sell your widgets without it (regulation, bad PR, competition, etc). It is my perspective that this is why security, as a general rule, sucks.

    Obviously, the rebuttal is that security is an investment, not overhead, and if you don't invest in the security of your widget you will eventually lose much more money than you made by skimping on the security.

    I think you are right, it is long past time that we have effective, intuitive and 'just works' security in our F/OSS offerings. I think the reason we have not seen it yet is detailed in my third paragraph. I have no idea how to resolve these difficulties.
