The Latest in Phish Hooks

New year offers some new twists on attackers' favorite scams

January 3, 2007


5:15 PM -- It's a new year, and we're all making resolutions. I've resolved to lose weight. My editors have resolved to teach me how to write. And phishers have resolved to make their scams harder to detect than ever.

The folks at security vendor F-Secure report that they are now seeing phishing scams that use Flash content, rather than HTML, to deliver recreations of real Web sites. The Flash pages look like the genuine article, but because they aren't written in HTML, they also escape detection by tools designed to seek out HTML fakes.

There are a couple of examples of the Flash-based phishing pages on the F-Secure site here. Note how the Flash login page looks exactly the same as usual -- the only difference is that it routes you to a new page to "verify" (i.e., retype) your login data, where the thieves nab it. Pretty tricky.
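The detection gap described above is that a checker which only looks for HTML password fields sees nothing on a Flash-based login page. The following is an added example, not code from the article or from F-Secure, of how such a checker can be extended: it scans already-fetched page HTML for both HTML password inputs and embedded SWF objects, and flags a page that carries login wording but delivers its "form" only through Flash. The sample pages and the keyword list are constructed for the example, and the verdict names are this example's own.

```python
from html.parser import HTMLParser

# Wording that suggests a page is asking for credentials. Constructed list for
# this example; tune it to the sites you actually monitor.
LOGIN_WORDS = ("sign in", "log in", "login", "password", "verify your account")


class _PageScanner(HTMLParser):
    """Collect the few page features the heuristic below needs."""

    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.flash_objects = []   # src/data/movie values that point at SWF content
        self.text_parts = []      # visible text, used for the login-wording check
        self._skip = 0            # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1
        elif tag in ("object", "embed", "param"):
            # Flash is embedded via <object data=...>, <embed src=...>,
            # or <param name="movie" value=...>; any of them may name the SWF.
            src = a.get("src") or a.get("data") or a.get("value") or ""
            mime = a.get("type", "").lower()
            if mime == "application/x-shockwave-flash" or src.lower().endswith(".swf"):
                self.flash_objects.append(src)
        elif tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text_parts.append(data)


def classify_login_page(html):
    """Return a verdict plus the features it was based on.

    'html-login-form'        - ordinary HTML password field (what older tools inspect)
    'flash-login-candidate'  - no HTML password field, but login wording and an SWF
    'flash-no-login-text'    - SWF present, no login wording (e.g. a promo animation)
    'no-login-content'       - neither
    """
    p = _PageScanner()
    p.feed(html)
    p.close()
    text = " ".join(p.text_parts).lower()
    mentions_login = any(w in text for w in LOGIN_WORDS)
    flash = list(dict.fromkeys(p.flash_objects))  # de-duplicate, keep order
    if p.password_inputs:
        verdict = "html-login-form"
    elif flash and mentions_login:
        verdict = "flash-login-candidate"
    elif flash:
        verdict = "flash-no-login-text"
    else:
        verdict = "no-login-content"
    return {
        "verdict": verdict,
        "password_inputs": p.password_inputs,
        "flash_objects": flash,
        "mentions_login": mentions_login,
    }


# Constructed sample pages for the example (not real phishing content).
HTML_FAKE = ('<html><body><form action="/login"><input name="user">'
             '<input type="password" name="pass"></form></body></html>')
FLASH_FAKE = ('<html><body><h1>Sign in to your account</h1>'
              '<object type="application/x-shockwave-flash" data="login.swf">'
              '<param name="movie" value="login.swf"></object>'
              '<p>Please verify your account.</p></body></html>')
BENIGN_FLASH = ('<html><body><h1>Holiday video</h1>'
                '<embed src="promo.swf" type="application/x-shockwave-flash">'
                '</body></html>')

if __name__ == "__main__":
    for name, page in (("HTML_FAKE", HTML_FAKE), ("FLASH_FAKE", FLASH_FAKE),
                       ("BENIGN_FLASH", BENIGN_FLASH)):
        print(name, classify_login_page(page)["verdict"])
```

The point of the heuristic is the middle case: a page with no HTML password field would pass an HTML-only check, yet the combination of login wording and an embedded SWF is exactly the shape of the pages F-Secure describes, so it deserves a closer look rather than a pass. A real deployment would also want the SWF itself pulled and inspected, which this example does not do.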

Separately, the folks over at Castlecops.com, a security awareness site, are reporting a new "man-in-the-middle" attack that uses a real site as its launch point. An attacker sends users a fake email, telling them that some unauthorized activity on an account has been detected. The attacker then directs the user to log onto a real site, such as Amazon.com, but then requests additional information, such as date of birth, address, and Social Security number. Users might be logged into the genuine site, then lower their guard and give up personal information.

Castlecops spokespeople believe the new exploits may be the product of some "phishing kits" sold on the black market, which include logos and templates to fake the Web pages of popular banks or retail institutions.

The new exploits prove that 2007's phishing attacks will be more believable than ever. Even users who are wise to recent scams may fall for these new ones. However, some of them are detectable simply by checking an IP address, and others can be prevented through CAPTCHAs that use a mixture of letters and numbers to differentiate automated systems from real users, Castlecops says.

The key is not to focus entirely on how the site looks, but to observe how it operates. If it asks you to put in additional information, beyond what you usually enter, be suspicious.

Maybe you'd better make that your new year's resolution. Anyway, it's easier to stick to than the South Beach diet.

— Tim Wilson, Site Editor, Dark Reading
