Wednesday, January 03, 2007

Phishing, Phishing and Phishing

I have posted a bit about phishing here at Security Garden, hoping to give readers the knowledge of what to do -- and not do -- when an e-mail that appears to be from a bank, eBay, a credit card company, etc. arrives in their Inbox. In this post, you will learn about a relatively new type of phish, an active "Man-in-the-Middle" attack, and an IRS phishing scam.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

A New Type of Phish

With the release of Opera's latest beta, all three major browsers now include anti-phishing technology. What happens, however, when the phishers try a different tack? While browsing my RSS feeds at lunch today, I saw a report by F-Secure of Flash Phishing, where the phishing page is not HTML but a Flash movie. At this time, the current anti-phishing tools do not examine Flash content, so a login form drawn inside the movie passes right by them. Note that with a Flash phish, the other "links" on the page cannot be clicked; only the entry form inside the movie does anything.

Further reading took me to Heise Security, which also reported on Phishing with Flash. Heise provided excellent advice for Firefox users:
"Although the entry form is the only link that works on these Flash pages and all other links cannot be clicked, the pages that have emerged are good enough to deceive some users. The only remedy is to install a Flash blocker, which prevents Flash movies from being played automatically, for instance, the plug-in FlashBlock for Firefox."
After installing FlashBlock, restart Firefox. Next, test the installation at
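The point F-Secure and Heise make is that the anti-phishing filters look at the HTML of a page, while the Flash phish keeps the only working form inside a movie and leaves the visible links dead. The script below is an added example (not code from the original post, F-Secure or Heise) of a heuristic a filter could apply to the HTML it does see: flag a page that embeds a .swf, has no anchor that actually goes anywhere, and has no real HTML form field. The two sample pages are constructed for illustration, not captured phishing pages.

```python
"""Heuristic check for 'Flash phish' pages: all interaction lives in a movie.

Added example; the HTML samples below are constructed, not real captures.
"""
from html.parser import HTMLParser


class _PageScan(HTMLParser):
    """Collect embedded Flash movies, every <a href>, and real form fields."""

    def __init__(self):
        super().__init__()
        self.swf_sources = []   # src/data/movie values ending in .swf
        self.hrefs = []         # every href seen on an <a> tag
        self.form_inputs = 0    # <input> elements, i.e. HTML form fields

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("embed", "object", "param"):
            for key in ("src", "data", "movie", "value"):
                val = a.get(key)
                if val and val.lower().split("?")[0].endswith(".swf"):
                    self.swf_sources.append(val)
        elif tag == "a":
            self.hrefs.append(a.get("href") or "")
        elif tag == "input":
            self.form_inputs += 1


def _is_dead_link(href):
    """A link that cannot take the user anywhere: '#', empty, or javascript:."""
    h = href.strip().lower()
    return h in ("", "#") or h.startswith("javascript:")


def flash_phish_score(html):
    """Return (suspicious, reasons) for one HTML page.

    Suspicious when a .swf is embedded AND no anchor has a real target AND
    there is no HTML form field: everything the user can do happens inside
    the movie, which HTML-based anti-phishing filters do not inspect.
    """
    p = _PageScan()
    p.feed(html)
    reasons = []
    if p.swf_sources:
        reasons.append(f"embeds Flash movie(s): {p.swf_sources}")
    live = [h for h in p.hrefs if not _is_dead_link(h)]
    if p.hrefs and not live:
        reasons.append(f"{len(p.hrefs)} anchor(s), none with a real target")
    if p.form_inputs == 0:
        reasons.append("no HTML form fields; any login form is inside the movie")
    suspicious = bool(p.swf_sources) and not live and p.form_inputs == 0
    return suspicious, reasons


# Constructed sample: a "bank" login page that is nothing but a full-window movie.
FLASH_PHISH = """
<html><body>
<object width="100%" height="100%">
  <param name="movie" value="login.swf">
  <embed src="login.swf" width="100%" height="100%"></embed>
</object>
<a href="#">Home</a> <a href="#">Help</a> <a href="javascript:void(0)">Contact</a>
</body></html>
"""

# Constructed sample: an ordinary HTML login page with real links and a form.
NORMAL_LOGIN = """
<html><body>
<a href="/about">About</a> <a href="/help">Help</a>
<form action="/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for name, page in (("flash phish", FLASH_PHISH), ("normal login", NORMAL_LOGIN)):
        flagged, why = flash_phish_score(page)
        print(name, "->", "SUSPICIOUS" if flagged else "ok", why)
```

The heuristic is deliberately conservative: a legitimate site that embeds a Flash banner but still has working links and an HTML form is not flagged. It only catches the pattern the articles describe, a page whose entire "login" is the movie. FlashBlock, as Heise recommends, removes the problem from the other side by not playing the movie at all.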

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Man-in-the-Middle Attack

In October (was it really that long ago?) I quoted Bruce Schneier's description of the Man-in-the-Middle attack from his post on "The Failure of Two-Factor Authentication". The description is repeated here since it applies to a recent phish outbreak.
  • "Man-in-the-Middle attack. An attacker puts up a fake bank website and entices user to that website. User types in his password, and the attacker in turn uses it to access the bank's real website. Done right, the user will never realize that he isn't at the bank's website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user's banking transactions while making his own transactions at the same time."
Brian Krebs of Security Fix wrote about a counterfeit Amazon login page that uses the Man-in-the-Middle technique described above. Because the entered logon information is relayed to the real site, the victim sees a genuine response; the counterfeit page then goes a step further and asks for the recipient's date of birth, address and Social Security number. That is certainly identity theft in the making!

The good news about the fake page is that the CastleCops PIRT Squad had already analyzed the phish and reported it to the team's many contacts, listed at Fried Phish(TM). The not-so-good news that Brian reported came from Paul Laudanski, Microsoft MVP and owner of CastleCops with his wife, Robin Laudanski, also a Microsoft MVP:
"Laudanski said the fake Amazon site appears to have been created from a phishing "kit," or a pre-packaged set of counterfeit Web pages sold on the Internet black market. Already, he said, the same Amazon phishing kit has been spotted in use on a number of separate Web servers, suggesting that the technique is indeed being shared among scammers."
Read the complete article, Not Your Average Phishing Scam, at Security Fix.
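To make the relay concrete, here is an added model of the exchange Schneier describes and Krebs reported. It is not code from the original post, from Schneier or from Krebs, and it is not a real phishing kit: the genuine site, the counterfeit site and the victim are all in-process stand-ins, the account store and session cookies are a constructed toy, and the personal data entered is dummy. What it shows is the order of events: the counterfeit site validates the victim's password against the real site, so the victim sees a real "welcome" message, the attacker walks away with the password and a live session cookie, and the extra identity questions never touch the real site at all.

```python
"""In-process model of a real-time man-in-the-middle phish.

Added example. RealSite / CounterfeitSite / run_attack are constructed
stand-ins; nothing here talks to a network or a real account.
"""
import secrets


class RealSite:
    """Stand-in for the genuine site: checks the password, issues a session
    cookie, and serves account actions only to a valid cookie."""

    def __init__(self, users):
        self._users = users          # username -> password (toy store)
        self._sessions = {}          # cookie -> username
        self.audit = []              # what the real site actually observed

    def login(self, username, password):
        self.audit.append(("login", username))
        if self._users.get(username) != password:
            return {"ok": False, "body": "Invalid credentials"}
        cookie = secrets.token_hex(8)
        self._sessions[cookie] = username
        return {"ok": True, "cookie": cookie, "body": f"Welcome back, {username}"}

    def account_action(self, cookie, action):
        user = self._sessions.get(cookie)
        self.audit.append(("action", user, action))
        if user is None:
            return {"ok": False, "body": "Not logged in"}
        return {"ok": True, "body": f"{action} done for {user}"}


class CounterfeitSite:
    """The phisher's page. Looks like the real login form, but every login is
    relayed upstream so the victim sees the genuine site's own reply."""

    def __init__(self, real):
        self._real = real
        self.stolen = []             # one record per victim

    def login(self, username, password):
        reply = self._real.login(username, password)   # relay to the real site
        # Attacker keeps password and cookie; victim is shown the real reply.
        self.stolen.append({"user": username, "pass": password,
                            "cookie": reply.get("cookie")})
        return reply

    def verify_identity(self, extra_pii):
        """The follow-on step Krebs described: after the (genuine) login the
        fake page asks for DOB, address, SSN. The real site never sees this."""
        self.stolen[-1]["pii"] = extra_pii
        return {"ok": True, "body": "Thank you, your account has been verified"}


def run_attack():
    """Play the exchange through once and return what each party ended up with."""
    real = RealSite({"alice": "correct horse battery"})   # constructed account
    fake = CounterfeitSite(real)

    # 1. Victim follows the e-mail link and logs in at the counterfeit site.
    victim_reply = fake.login("alice", "correct horse battery")
    # 2. Real site accepted the relayed password, so the victim sees "Welcome back".
    # 3. Counterfeit page now asks for the extra identity details (dummy values).
    fake.verify_identity({"dob": "1970-01-01", "ssn": "000-00-0000"})
    # 4. Attacker drives the real account with the relayed session cookie.
    loot = fake.stolen[0]
    attacker_reply = real.account_action(loot["cookie"], "change shipping address")
    return victim_reply, attacker_reply, loot, real.audit


if __name__ == "__main__":
    victim, attacker, loot, audit = run_attack()
    print("victim saw:   ", victim["body"])
    print("attacker did: ", attacker["body"])
    print("attacker holds:", loot)
    print("real site log:", audit)
```

Two things in the output are worth noticing. The real site's audit log shows a perfectly ordinary login followed by an action from the same session, so nothing on the server side distinguishes the attacker from the user. And the identity-verification step appears nowhere in that log, because the counterfeit page handled it alone. That is why the advice to never follow a login link in an e-mail matters more than how convincing the page looks once you get there.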

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

IRS Phishing Scam

The last item: CERT reports that users are receiving emails that appear to be from the U.S. Internal Revenue Service (IRS). The phish offers a tax refund and provides a link to submit information. I have no doubt that the information requested includes full name, address, birth date, and, of course, Social Security Number.

The IRS does not solicit by email.

In addition to CERT's helpful information on preventing phishing attacks, copied below, don't forget to forward the phish email (with full headers) to or go to http:/ and paste the information in the provided form.

For more information on phishing, see The Phishing Guide, Understanding and Preventing Phishing Attacks (PDF). It is an excellent reference on phishing, prepared by Next Generation Security Software (NGS) for NISCC (the National Infrastructure Security Co-ordination Centre).

Provided by CERT:

  1. Do not follow unsolicited web links received in email messages.
  2. Contact your financial institution and file a complaint with the Federal Trade Commission (FTC) immediately if you believe your account or financial information has been compromised.
  3. Review FTC's web site on how to protect yourself from identity theft.
  4. Review the OnGuard Online practical tips to guard against Internet fraud, secure your computer, and protect your personal information.
  5. Refer to the US-CERT Cyber Security Tip on Avoiding Social Engineering and Phishing Attacks.
  6. Refer to the CERT Coordination Center document on understanding Spoofed/Forged Email.
