back to article Strange spoofing technique evades anti-phishing filters

A Reg reader has produced screen shots that demonstrate a powerful phishing technique that's able to spoof eBay, PayPal and other top web destinations without triggering antiphishing filters in IE 7 or Norton 360. Plenty of other PayPal users are experiencing the same ruse, according to search engine results. Matty Hall, a …

COMMENTS

This topic is closed for new posts.
  1. Cyfaill

    Microsoft's IE will never be secure, Don't trust it, ever.

    Netcraft's anti phishing tool bar is pretty good.

    Added to a respectable web browser such as Firefox and running in a respectable Operating System such as Debian GNU/Linux 3.1 or 4.0 (Any good Linux will do very well) such as we use, you would have a pretty good chance of being warned as to being on a phishing site.

    I've seen it work.

    Of course it is very advisable to look at the whole URL and being sure of were you are.

    The best tool is your own intelligence, and knowledge.

    But if you are just depending on tools to warn you... at least use good ones.

    Your description of your system does not impress me with its "safety".

  2. Jason Togneri

    Netcraft toolbar

    I wasn't even aware of this issue and I normally check URLs and certificates quite thoroughly. That's because even though I use XP, I only use Firefox. Some sites only load in IE? No problem, I use the IE rendering engine under Firefox (such as with the IETabs extension). However, having the latest version helps a lot with these issues but Netcraft's toolbar isn't compatible with the latest version of Firefox...

  3. Aaron

    It might not be a dll

    I'm speculating that the strange wording is meant to throw off the phishing filter's recognition system so it "looks" like a legitimate page to the filters.

  4. David Urmston

    mucking around with science teaching ?

    When the gap between nerds and everyone else finally closes, this type of vulnerability might disappear, along with some of the infuriating comments.

    Until then, it might be more helpful if the holier than thou's amongst us came down off their lofty platters once in a while and descended into the valley along with the rest of us. Particularly when folks are trying to resolve a serious issue. Rather than trotting out that tired old line, "it never happens to me".

    I don't know which is sadder, those who get ripped off through their lack of technical knonwledge or those who never leave their monitors.

    Yes, "running a respectable Operating System" is part of the solution, but we also need an operating system that everyone can use without requiring a team of petrol heads to get it going and to make sure that it hasn't slipped into promiscuous mode because the user clicked on something or went to a popular web site.

    Cyfaill's smugness won't last forever, and then maybe I'll laugh, or not.

    By the way Cyfaill, I've been using Windoze Orrible Systems for a number (17) of years, and (touching the wood of my head) I haven't succumbed to any invasion yet, though I have witnessed numerous malicious attempts.

    Luckily todays end users are becoming more observant, well maybe the non Linux people anyways.

    regards Alf

  5. Doug Bird

    Sad

    Its too bad the only solution, time and time again, to being certain about web browsing security is using a less commonly used web browser (like firefox), and less commonly used OS like Linux. Wouldn't phishers target strange fishing techniques to these environments if they were more popular?

  6. Pascal Monett Silver badge

    They can spoof to their heart's content

    I will never be taken by such spoofing, for I have a method that is unbeatable as far as security is concerned : I don't use IE, I don't have a Paypal account, and I know that banks NEVER, EVER ask people to log on and input their password with a friendly link.

    Personally, if my bank deems there is a problem with my online account, I expect them to block it immediately, and send me a snail mail describing the problem and the steps to go back to a functional state. If my bank doesn't do that, and actually sends me a mail, I'll be on the market for a new bank the next day.

    What is it with people who think everything can be solved with a URL ? Can't they pick up a phone from time to time ?

  7. amanfromMars

    Strange things can happen ...... Enron/Worldcom/etc etc.

    It could also be IE free-lancing/going mercenary .... with stealth. Especially if you consider that we are a Connected Village run from a Central Call Centre/Despatch Office.

  8. Drew Masters

    Malware

    This looks suspiciously like malware, Torpig for example displays that exact page for hsbc...

  9. Paul

    Netcraft Toolbar

    Jason,

    The Netcraft Toolbar is compatible with the latest version of Firefox. It has been since FF2 was officially released.

  10. Simon Brown

    ie tab

    Following on from Jason Togneri's post it would be interesting to see if the same fault occurred using Firefox with the IE tab.

    Oh by the way is your login at the bottom supposed to ask for my credit card details?

  11. Anonymous Coward
    Anonymous Coward

    Slow news day?

    "Dodgy website found on internet!" Shock horror.

    Personally I don't much care how many nightclubs this person owns, or how well up on computers he thinks he is. I would, however be interested to read some actual technical details about this.

    What did the URLs show as? The certificates? How did this person come across this page? Was it a standard phishing message via e-mail that he should've known better than to click on? Am I reading The Register, or my local free paper?

  12. richard

    Hmm, not helping

    The whoe 'use linux because its perfect' argument is a lil bit dated now, both are as bad as eachother.

    Part of me would be inclinded to ditch norton and use something else, that would probobly help. Curious to see if a copy of DansGuardian inline might also pick it up.

  13. RMartin

    Malware

    This sounds like the m.o. of one of the Haxdoor family, aka Torpig, A311Death etc. Its an html injector and a clever one at that. The victim has obviously loaded one specialising in IE, but there are versions in the wild that are perfectly effective against Firefox, Opera and a few other browsers. Unfortunataly even up to date AV may miss this family as it is quite sneaky and also possesses rootkit functionality so even new AV signatures loaded subsequent to the malware's installation may miss it. Use an anti-rootkit tool as well as anti-spyware to discover and remove.

    On a wider note I am concerned that non-Windows users are creating a psychological barrier for themselves by denying that anything bad can happen to their OS which may leave them severely exposed if/when an attack does come their way. And it will. As soon as Firefox climbed above 10% of the browser market we began seeing intensive development of attacks directed against it, and now such exploits are a standard part of many malware packages. Please don't be complacent, its your money that is at risk, not just your pride.

  14. Robert Grant

    What an odd thing to say

    The only person who used the phrase "It only happens to me" was you, David/Alf. Cyfail didn't even imply it, all he said was using a much more secure setup will mean you have "a pretty good chance" of being warned. That's hardly smug.

    Time for someone to invent a flame filter...:)

  15. Chris Harden

    No one is impeccable

    Bravo David, Bravo.

    I have (probally as does most of the reg readership) some geek in me, and fortunatly I have never been hit by a pish/virus either (Vista, Firefox, no virus killer), however a guy I used to work with was a hardcore geek (hacking PHP till 2am on his linux box) and managed to get himself hit hard by a virus (which hit his windows machine, not the linux box), and another (again, java programmer, *nix geek) got pished. It just goes to show that even the hardcore geeks get hit sometimes, all it takes is one moment browsing with your gaurd down, and clicking that flashing link...ooo free screen saver.

  16. Mike Pellatt

    It's not as if MS weren't warned

    Whilst apparently not directly relevant to this attack (which, at first glance, could also have been carried out by hijacking the local machine's DNS resolver), let's not forget that MS were warned in advance by the security community that some of their planned browser techologies were major secuirty risks. They went ahead regardless, citing "user convenience" as the major justification.

    And here we are today..........

    This is why some of us prefer FOSS, not for religious reasons. MS have historically been utterly cavalier in their attitude towards security, and if it hasn't been considered properly in the original design decisions, it's impossible to fix retroatively. Impossible.

  17. IanKRolfe

    Windoze security

    Mr Urmston - Why criticise people for saying "It never happens to me" and then 4 paragraphs later say essentially the same thing?

    Anyway, the whole windows vs Linux debate is getting rather old now. The only real difference between modern Linux and Modern Windows is not in capability - both are capable of being equally secure - it's just that on the whole Linux comes secure out of the box, and people have to learn to 'relax' it, whereas Windows comes with all the bells and whistles enabled, all the doors open and no security, and it takes the user time to learn how to tighten it up to make it safe.

    The real underlying problem is that the whole industry has become obsessed with "chrome". 99.9% of the PC owning public use their computer for a small number of tasks - surfing the web, reading email, chatting on AOL, violating copyright law and downloading porn. You don't need bleeding edge technology to do that.

    I once dreamed that Linux would be as easy to use as Windows - now that dream has come true, because I no longer have the time to understand the 1001 subsystems that have been bolted on to windows!!

  18. Ash

    The quirks of the English language foil scammers!

    Cyfail - "Of course it is very advisable to look at the whole URL and being sure of were you are."

    That's the point; the URL is correct with this attack. That's why it's so serious!

    The crux of the matter is that while Firefox is (mostly) more secure, Johnny eBayuser is more intrested in being able to see the funky flash animation than reading Certificate revocation details. IE has the biggest exposure, therefore IE is what major sites are coded for.

    He may know to look for "Https" at the start of the url, and he may know to look for the correct domain name before the first forward slash, and MAYBE they even know how to check certificates, but they're all CORRECT on this attack. NOTHING is amiss that all the lofty security "experts" are touting as the be-all and end-all in verification. Figuring out this is not what it seems requires common sense, not technical computer knowledge, and fortunately at least one guy on this planet still has some.

    I think the scammers have shot themselves in the foot with this one. The technical prowess is there in abundance; it's the grammar that's gave them away this time.

  19. John Imrie

    A minor gripe

    You wrote

    We left messages for representatives of eBay, Symantec and Microsoft late on Thursday, but had not heard back at the time of writing.

    But you were writing this early on Friday. At least give the poor PR wonk time to get in to work and finish their first coffe before assuming they have nothing to say.

  20. Jeff Paffett

    I suspect NatWest are having this problem too

    This message has appeared at login for a few days:

    "A small number of customers have encountered a screen that asks for full PIN and password details. This screen appears when logging into their OnLine Banking service."

    I thought the wording was a bit strange, not referring to bogus emails as usual.

  21. Daniel Silver badge

    Cyfaill's Smugness

    Cyfaill, your smugness is only exceeded by your inability to read an article and work out what it's really talking about.

    If you'd bothered to take a moment to analyse the real issue before jumping into the pulpit to start preaching, you'd have seen that this problem almost certainly has nothing to do with a phishing site per se, and everything to do with content fudgers, injectors or similar which corrupt and rewrite the code of respectable pages in real time. This being the case, any phishing detector on any platform would report the page as genuine, because it IS genuine. (at least as far as the detector can see).

    Oh and thanks for your advice to "look at the whole URL and being sure of were you are" - I'm sure there are at least 3 people on the planet who hadn't figured that out for themselves already.

    And while I'm at it, I'm quite sure the people experiencing this problem don't give a rat's arse whether it "impresses you with it's safety". They've got better things to do.

    </rant>

  22. David Urmston

    NOT mucking around with science teaching ?

    Apologies for a quirk of the OS, as the title of my earlier comment has somehow been replaced with the title of a post that I made about two weeks ago.

    ?????

    If you can fathom that one you can solve the strange phishing attempt.

    regards

    Alf

  23. Ian Ferguson

    I can't wait until Linux becomes popular enough to be a target

    Then the fanboys will really be caught out with their pants down!

  24. Anonymous Coward
    Anonymous Coward

    It can happen to anyone

    However careful you are it can still happen. I got sent an attachment prices.xls by someone i was expecting a file of prices from. Fully patched, AV protected Windows box but this was the day the virus went wild and AV update didn't cover it until the next morning....

  25. Anonymous Coward
    Anonymous Coward

    sandbox the OS/browser

    This is very worrying as the article suggests that the certificate was inspected and that no other common techniques were used. In fact the article goes on to say that the web feed was genuine but it maybe possible an IE component (a .dll) was injecting html into the feed.

    This must mean that the PC was compromised by something like a zero day exploit as none of the security software had picked it up. You then have no choice but to completely rebuild the OS and carefully re-apply all the apps etc, from trusted sources. This is the only way to be sure that no other system functions have been compromised and will only re-introduce the malware after it has seemed to be removed. In fact you don't know what is running or going on with your PC at that point, its basically it can not be trusted.

    A rebuild of this magnitude is usually beyond most regular PC users , who will try and get along with what they have, trusting that new versions of their security software will help. Therefore we need something that lets you be sure you are using a completely trusted machine for when you need to give out details that can be used by fraudsters and can be fixed and used by regular users.

    Therefore I think the only way to do that is to have a VM which runs a cut down OS with just the browser. The image should be secured with something like an MD5, the VM should not run the image unless the MD5 checks out. After using the VM/OS/Browser, the image resets to the original. Therefore any malware in the VM/OS/Browser dies when finished.

    There are draw backs with licensing, no stored details, etc and you still need security software running in the VM just in case you pick up something before getting to the entering of sensitive data while using the VM, but good practice by the user should reduce the chance and in any case it only effects the single session.

    At the current time I can see this as the only way to prevent zero day exploits (which this sounds like) from affecting the regular user.

  26. Anonymous Coward
    Anonymous Coward

    Autoresponse bots are active again

    IF article contains 'Microsoft' or 'IE', THEN 'post smug response about how great Linux is (or Mac)'

    Of course you Linux guys have robust web servers that never have flaws in the server or any hosted applications just because it's Linux... oh wait, what's my web server log filled to the brim with? Attacks on flaws almost exclusively php based directed mostly at Linux/Unix systems. How come I'm having to patch my Linux web server on a monthly basis? Hmm. ;-)

    Oh, and what's that? A security update for Firefox? Surely not! ;-)

    Oh and malware targeted at OpenOffice that even threatens Linux? Good grief!

    Seriously though. I'm not a total MS fan. I use linux a fair bit for what it's good at and enjoy using it, just the same as I use Windows for what it's best at. However I'm not as blinkered as to just smugly assume I'm immune to everything just because it's Linux or non-Microsoft (as the recent example with PlusNet clearly shows with their lack of patching a PHP based mail app resulting in hackers getting in).

  27. Joel

    False security

    What I think is interesting is that Norton 360 has put a green banner at the top giving the message "no fraud detected". Talk about giving a false sense of security!

    Since the verification from Norton is obviously not worth much, I would have thought that it would be better not to display anything unless a definite fraud has been detected. What they are doing at present is effectively saying "switch intelligence off, we say that this site is OK!"

    At the very least they should have a neutral unobtrusive banner, which should not be green. They are not saying that the site is clean, just that they can't see anything bad on it. Not the same thing at all!

  28. Anonymous Coward
    Anonymous Coward

    Very very worrying

    "He may know to look for "Https" at the start of the url, and he may know to look for the correct domain name before the first forward slash, and MAYBE they even know how to check certificates, but they're all CORRECT on this attack. NOTHING is amiss that all the lofty security "experts" are touting as the be-all and end-all in verification."

    This is why this attack is so terrifying. If they hadn't used incorrect grammar, who would have even know it was a spoof?

    In fact, if the spoof page had been identical to the real Paypal page, how could anyone have possibly known it was a spoof?

    This is what's so worrying, there's no practical way to tell the difference between a real and a fake page any more.

  29. Anonymous Coward
    Anonymous Coward

    Re: Sad (@Doug)

    Doug writes: Wouldn't phishers target strange fishing techniques to these environments if they were more popular?

    First of all, yes, they probably would. But their attacks will be short-lived. The great thing about Open-Source software is that projects such as firefox/thunderbird et al. are updated regularly whenever a vulnerability is found - usually within 24-48 hours. Users are also informed when an update is available so that their machines are in left a vulnerable state for as little time as possible.

    Secondly, there's the underlying O/S.

    Windows is a monoculture. Yes there are variations between versions of Windows, but with IE on all of them they all have similar weak spots. It could therefore be argued that with firefox on so many Linux/BSD/other *nix machines, they too should all have identical weak spots.

    Not so.

    To start with, there are over 200 different GNU/Linux distributions, many of which install firefox in different locations in the filesystem.

    Secondly, there are many different versions of glibc in circulation, which creates yet more differences between variants of GNU/Linux.

    Thirdly, although this is more and more true of MS-Windows as time passes by, browsers on a GNU/Linux machine run as the user who invokes them. The most damage a browser can do - or malware injected via a browser - is as much as the user can do. Superuser ('root' in Unix parlance) privileges are needed in order to install, for example, a keylogger so that someone else can "see" what you're typing into your bank's/eBay's/PayPal's login page. Furthermore, obtaining root privileges on a Unix system is damn near impossible unless authorized by root.

    Yes, there have been other vulnerabilities that allow remote attackers to gain root privileges on a cracked box, but that happens through the insecure use of services such as SMTP, SSH, HTTP etc. and vulnerable web content management systems that shouldn't be running on Joe Sixpack's Linux box in the first place. Also, most distros come with a firewall that prevents all inbound access anyway. The only way in is through protocol injection in a user-initiated session - IOW, a web page with malware on it.

    So, even if firefox and GNU/Linux do become the predominant combo, there will be fewer successfully infected machines because of the difficulty of infection in the first place and because of the natural diversity of systems all grouped under the same generic name.

  30. Gav

    Has The Register Become Slashdot?

    Do we really need every discussion about internet security to become a IE/Firefox Windows/Linux fanboy bore-fest?

    The significant part of this story, just to spell it out to those who haven't bothered actually digesting what it says, is that it is not the usual phishing technique. People who do follow proper internet security advice will get caught out. In fact, the only reason that it's been rumbled is because it tried to take it too far. If it had only asked for the usual login details it would almost certainly have got them. This is scary and should concern people.

  31. Robert Harrison

    Re: They can spoof to their heart's content

    Well said Pascal (comment way back up near the top). It never ceases to amaze me just how willing people are to hand over their personal details (even when irrelevant ) to the website being visited just because it looks the part.

    I appreciate that if a phishing scam *just* asked you for the exact same login details that the bank/auction site/etc typically asked you for then an attack such as this is very serious. However, it seems to me that the phishers always overplay their hand by asking for oodles of personal details, this should set alarm bells ringing!

    I try to deal with people who come knocking at the door offering cheaper electricity and gas in the same way. All they need are my bank details to set up the direct debit. Legit or not, no thanks! Why hand over your details to a complete stranger 'off the cuff' as it were?

  32. Mike

    Can you get a tcpdump?

    If there's no sensitive information in the URL Mr Hall is trying to access, can he download wireshark and get a tcp trace? Would be interesting to see what's going on.

  33. arbeyu

    The internet is broken

    Forget which browser or o/s you are using. The simple and appalling fact is that the internet is irredemiably broken and really, really cannot be trusted.

    I took the decision years ago to never use on-line banking of any form, and I don’t even buy stuff on-line now except as part of my job where (a) I’m behind a firewall, (b) I’m working only with trusted sites, (c) I’m using a computer that has never, ever been used to browse anything even remotely dodgy, (d) when I do buy something over the ‘net it’s from a company with whom we’ve got an account (so no credit card details ever passed), and finally (e) when (and it will be when) my computer is finally compromised, it’s not my money that goes missing: it’s the company's.

    Is this a hassle for me? Of course it is, but I take the view that being ripped-off and having my bank account emptied would be worse.

  34. Daniel

    Gaming Common Sense

    Someday, someone who is fluent in English will make one of these - and it'll spoof an initial signup screen too (you know, when you actually DO have to give some of that sort of info out).

    I'm not saying give up common sense, I'm just saying eventually a phisher who isn't a sixteen year old Latvian in his mother's basement will actually launch an attack that won't raise your God given bs detectors either.

  35. Philip the Duck

    wininet.dll being compromised?

    I'm not a low-level browser geek, but I seem to remember that IE uses wininet.dll to access the web whereas FireFox uses sockets directly (probably due to its multi-platform codebase not wanting to rely on a Windows-only DLL).

    So I'd start to look at who/what is hooking/replacing wininet.dll on machines that exhibit this problem with IE but not FireFox. A good starting point ace might be Fiddler ( http://www.fiddlertool.com/fiddler/ ), an MS tool for monitoring web access, which itself hooks wininet.dll (which is why it only works as a proxy when used with FireFox).

    Just my 2p worth...

  36. Thomas Martin

    If you get in email, it is a spoof

    How many times to people have to be told that organisations will never ask you for confidential and personal information in an email? That has been publicised too many times not to have everyone know it. I will never understand it.

    I get phishing attempts regularly and just put them in the rubbish bin.

    TM

  37. This post has been deleted by its author

  38. Dillon Pyron

    Newsletter

    Hmm, looks like I'll have to post another newsletter to my clients.

    Dillon, CISSP

  39. Anonymous Coward
    Anonymous Coward

    Firefox not fool proof...

    I setup firefox on my mums machine as I figured it was probably more

    secure. However after a year or so it caught something,

    which caused popups to come up when she went to Barclays site.

    This was disconcerting.

    I tried the usual thing of creating a new profile, but it didn't work.

    I tried a complete uninstall/reinstall.

    I'm sure someone with more know how could have got it working again,

    but I didn't have time to play. It was updated to the latest version

    at the time.

    For now she's back to IE7 which is working well for her.

    Firefox is good but it isn't perfect.

  40. Simon Ball

    Except

    Except that a genuine page will never, ever ask you for that kind of information, as all banks and online financial institutions make very clear.

  41. A J Stiles

    Sometimes it IS the victims' fault

    Being a victim does not in and of itself absolve you from blame. If you sit on a tree branch, sawing through it between the tree and yourself, then what happens next is entirely your own fault.

    When you open a bank account, they tell you right there in the welcome pack, in bold print, that you will *NEVER*, *EVER* be asked for confidential information by e-mail or telephone -- and definitely not by means of an e-mail with lousy spelling and grammar and similar to several e-mails you have already received purporting to be from banks with which you do not even have accounts. If they need to contact you about something really important, they will contact you by snail mail and ask you to visit a branch.

    I don't use online banking myself anyway. There are exactly two reasons why I ever have any dealings with a bank. One: to pay cash or cheques in through the hole-in-the-wall machine; and two: to withdraw cash through the hole-in-the-wall machine. Neither of these functions are available through a PC, or ever likely to be so.

  42. kasparator

    HSBC security still a joke

    Just read this and out of curiosity tried logging into HSBC - it appears they have changed the text on login page, pretty sure it was shorter just a couple of days ago:

    "Your security number is a 6-10 digit number, which you may already use to help identify yourself when calling us. Please don't use family phone numbers, birthdates, simple sequences, or repetitions, which are all relatively easy to guess. We never ask you to enter or tell us your security number in full."

    Trouble is - it's still a joke. Using a DoB and a static NUMERIC security number that never changes as means of authentication? Which planet are you from, HSBC? Call me cynical but it lookes like it takes massive lawsuits/financial losses to get banks to change something.

    Threats like this only expose the fact that many institutions that SHOULD know better still take a pee out of their customers.

  43. StaudN

    Oh dear

    Hehe, I love that phrase "the internet is broken" - reminds me of doing tech support at my university years ago.

    No, the internet isn't broken m8 - it's just the plebs that are now allowed to use something that was originally designed for military/scientific use and has now morphed into something that any joe bloggs off the street is able to access.

    You should need an internet access license just like you need a driving licence imho ^^

  44. Rick

    NatWest

    As Jeff says, a message appears on the NatWest site which implies something similar is happening there. What is worrying is that this message only appears after you have logged on. It seems they are happy to tell people that they may have already given their details away, but they don't bother warning anyone beforehand so they can avoid doing so.

  45. Giles Jones Gold badge

    With power comes responsiblity

    Unfortunately, Microsoft have provided the power but people don't use it responsibly.

    Producing a web browser wasn't enough for Microsoft, they had to allow the browser to access Windows components and resources. They had to integrate the browser into the OS to kill Netscape.

    IE7 doesn't seem to change anything. Will they never learn?

  46. Daniel

    Gaming Common Sense

    Someday, someone who is fluent in English will make one of these - and it'll spoof an initial signup screen too (you know, when you actually DO have to give some of that sort of info out).

    I'm not saying give up common sense, I'm just saying eventually a phisher who isn't a sixteen year old Latvian in his mother's basement will actually launch an attack that won't raise your God given bs detectors either.

  47. Andy Bright

    While I'm the first to agree with those that shun IE

    It's important to remember there really isn't such a thing as a completely safe web browser.

    I don't use Opera, but from reliable reports I've heard it is the safest available.

    I have been using Firefox almost exclusively (unfortunately there are still too many archaic websites that only function correctly under IE, not to mention Microsoft's own update sites), but that has done little to stop my machine from getting infected every now and then.

    I'm a fairly safe surfer, but even with the best intentions its possible to get scammed once in a while.

    I think the rule of thumb is to make sure your anti-spyware software is top of the line, and I'm afraid Symantec are nowhere near the best in that field - in fact they're pretty much as bad as you can get.

    Adaware is great for finding Amazon and CNN cookies, I believe it also finds malware, but it's hard to tell amongst all the useless 'look at me, I'm the best, I've found 24000 harmless cookies' results.

    PC Tools make probably the best anti-spyware software, it's incredibly slow to load and a resource hog - but it's as good as it gets for finding real problems. It's also the only product I know of that actively prevents key loggers from infecting your PC (as long as they're in the definition database, no software is perfect in that regard) and is significantly better than Microsoft at warning you when IE goes to a bad site.

    I can't tell you the number of times Spyware Doctor has found trojans or reg hacks after Norton AV has given my PC a clean bill of health.

    Obviously there are other good products too - but the moral of the story is just because you don't use IE don't think you're safe from malware or phishing scams.

  48. Michael J Evans

    Title

    "Barklays" Barklays??? Have you people been reading too many scammers' pages?

  49. Anonymous Coward
    Anonymous Coward

    Online buying stuff ... and security

    Here's an anecdote from a couple of years ago. ( about 8 years ago )

    System affected : a multi million dollar Sun server ...

    The culprit : me (using a windows 95 machine on the network).

    When enabling the network in win95 you need to provide a username and password. So jokingly, i had created an account on win95 called 'root' with the password set to 'blah'.

    I plug the machine on the network and access the network disks shared out by this Sun server. I copied a couple of files to the server. Try to open them from a Unix workstation and it says permission denied. A quick ls-l shows owner as 'root'... That's odd..... this couldn't be could it ? I tried a couple more things ... I could use the win95 box to write anywhere, move directories, delete files. I had full root permission just like the legit root user.

    Why ? Because stupid Samba running on hypersecure Unix negotiated in the following way :

    Samba : who is logged on ?

    Win95 : her it says 'root' .

    Samba : did he log on correctly on your side ?

    Win95 : his password matches what is stored on my side

    Samba : ah, it;'s ok then: go ahead.

    Security on Unix ? that hole was so big you could run a 6 lane highway through it and have room to spare for a bunch of exits , a shopping mall , a couple of casino's , hotels and a small city with a population of a couple million.

    When we flagged this, the answer was : oops. well have to patch that ... in the mean time the IT department issued this statement : It is not allowed to plug win95 machines on the network since they make unix unstable. Solve the disease by killing the patient...

    The morale of the story is this: It all comes down to who has the bigger hammer !

    Thats exactly the case with this phishing stuff. Norton , McAfee, Windows Linux , Unix , Firefox , IE , Opera whatever ... the guy with the biggest hammer pounds the hole in the wall.

    Online banking ? no thank you... My bank is just around the corner.

    What we need for online buying stuff on the internet are 'one-time use' bank cards. You go to an ATM machine punch in the request for money and instead of bills it gives you a paper slip with a unique code. This is a virtual cheque that is limited to the exact amount you put in it.

    You feed that number to the payment site. When it's spent, the 'account' is empty. So it can not be used a second time.

    If someone phishes it : no damage done. If they try to cash it in 2 things can happen :

    - it was already cashed in so they get caught because they tried cashing it in a second time .

    - if it was not cashed in : they still get caught because the cashing in can only be done by having a bank account. Their identity is known. So if the legit receiver files complaint : bingo you can trace where the money went.

    The technology exists. So start using it.

  50. Nick Ryan

    IE = Suicide

    Using Internet Explorer to browse the Internet is security suicide. The only way MS could make IE "secure" is to start again from scratch, dispose entirely of ActiveX, install-on-demand, rewrite j-script (it still doesn't support JavaScript) and then give the uses PROPER control over just what the hell is going on.

    IE7 is a slight step in the right direction with users at least being able to "view" the plugins that are attached to IE, it's just a shame that the interface is so awful and inexplicable even to those that are more that just familiar with computers... The "sandbox" mode in Vista is no good at all and is just an vague attempt to stop further damage from a thoroughly borked browser.

    Anybody, who even pretends to be a computer professional, that uses Internet Explorer to browse the Internet should be shot.

    Personally, if I'm going to browse the Internet and go to untrusted sites, I'll use my install of Mozilla... with Flash Block and NoScript plugins. Mozilla might not be the best browser on the block, but with no Flash or Java/JavaScript running it's damn secure and so far no unscrupulous website has managed to pop up windows, grab information or do anything nefarious (that've I've detected anyway). For the browsing of trusted websites I use FireFox (once again with FlashBlock plugin because I *hate* being interrupted by flash popups, sounds, etc). Internet Explorer is used solely to access Windows Update, nothing more. Ever.

    Now, I'm not claiming that FireFox doesn't have or hasn't had security holes in it, but in all the time it's been going it's been considerably more secure that Internet Explorer. This is likely to be due partly due to the massively better design of it and non-commingling with the OS, but also because malware writers have been targetting the much easier and more prevalent target, Internet Explorer.

    Installing and using Linux is of course even more secure, partly by a much better OS design (and even a semblance of security in the OS) but also by the further reduction in target demographics making targeting it less worthwhile (the reduction in target is made wider still with the much wider spread of Linux distributions out there).

    Of course, if you're the type of user that when presented with a popup box that reads "your computer is not secure, click here to make it more secure" or "you must download this (executable) codec to watch this video" then it doesn't matter whether you use Internet Explorer, FireFox, Mozilla, Opera or any other PC browser... you're screwed anyway.

  51. Anonymous Coward
    Anonymous Coward

    keylogger on linux

    "Superuser ('root' in Unix parlance) privileges are needed in order to install, for example, a keylogger so that someone else can "see" what you're typing into your bank's/eBay's/PayPal's login page"

    Hmm, I'm not so sure this is true. Whilst you can't have it gain root privileges, a keylogger could simply be run under the same account as your Firefox or whatever browser is running given a suitable flaw in the browser. It may not log anyone else's bank details but it will sure as hell log yours. On top of that, given a suitable flaw or phishing attack that convinces a user in the right way, such a logger could be installed as a plugin for Firefox that will sit there happily spying on what the user does (much the same way as Google's Toolbar in fact).

    Not only that but it's not unknown for poorly configured web servers to actually be running under the root account, or the web server account to have been granted access to critical parts of the system giving it effectively similar rights to root. Yes it's mad, but it happens. Then it just takes an inbound attack on a poorly written PHP app or an unpatched web server with more holes than swiss cheese, get in as root, install a keylogger and then you grab all the users passwords and if lucky they are using browsers and logging onto banks... ;-)

    "Furthermore, obtaining root privileges on a Unix system is damn near impossible unless authorized by root"

    Except if the root password is easy to guess. Which is surprisingly more often the case than you'd think, despite the smugness of Unix gurus who just assume because people use it they must be clever enough to practice good security. As the case of the Brit guy who's being extradited to the US for "hacking" into US military systems which had zero security shows, security is only as good as the person implementing it. You can have the most top notch security system but supply a weak or no password and that system is useless.

  52. adam

    Most of you missed the most important point!

    He didn't get to this site by clicking on a link in an email. He went to the REAL SITE and this page appeared instead. He was typing the url himself!!

    Malware on his machine had injected this site into the html stream. The phishing filters couldn't detect it because, as far as they could tell, he was accessing the real site!!!

  53. Anonymous Coward
    Anonymous Coward

    wasnt ther another posting on The register...

    about some guy that did a 6 month test with a popup that said: Your PC is clean. Click here to infect it. and 235000 people clicked the link ?

    was a couple of weeks ago ...

    IQ is measured on a scale between 0 and roughly 200

    Stupiditiy goes between zero and infinite,

    If you apply the bell curve then most people end up in the middle region... and you don't need to know a lot of mathematics that half of infinity is still .... you got it.

  54. Colin Wilson

    Linux / Keyloggers

    About 2 years ago, keylogging devices started to appear on the market that evaded the OS altogether - the only problem being you needed physical access to the machine twice (once to install, once to uninstall)*

    * IIRC this was how a large japanese bank was robbed, the office cleaners were either in on the act, or had been offered bungs to fit them

    The device was a simple in-line through connector that the keyboard plugged into, then the device plugged into the PC, and internal memory on the device would store every keypress which could later be downloaded for examination.

    Just because you run a linux distrib doesn't mean you're safe - i'd guess that very few people visually check all their hardware in work on a daily basis...

  55. Anonymous Coward
    Anonymous Coward

    Trojan

    Looks like it might be Torpig or similar, certainly it displays that kind of behaviour for hsbc...

  56. Jeff Paffett

    I suspect NatWest are having this problem too

    The following message has been appearing at login for the last few days:

    "A small number of customers have encountered a screen that asks for full PIN and password details. This screen appears when logging into their OnLine Banking service."

    No mention of bogus emails as usual

  57. Anonymous Coward
    Anonymous Coward

    "he's been careful to practice good PC hygiene. He runs Norton 360"

    LOL!

  58. Danny

    Use Knoppix

    As well as the usual stuff of not using IE nor Windows, if you need access to your online bank the simple solution is to boot from Knoppix. It being a live-CD that doesn't touch the hard disk you can use it with confidence even if you are uncertain about what may be lurking within your OS.

    Connection to Ethernet modems is easy-peasy with DHCP - no configuration required. Your milage might vary with a USB modem (throw it away and get a real modem). Even though I'm a happy Debian user I still use this technique to access my bank, just to be sure. Rebooting the machine is a hassle but it is *your* money that's at stake.

    http://www.knoppix.net/

  59. Anonymous Coward
    Anonymous Coward

    PC hygiene

    IE & Symantec = Secure PC is an oxymoron. Stop using IE and deploy one of the many products that are far better than the over hyped, well marketed Norton products.

  60. arkanabar

    live CD

    Knoppix was the first, but there are now many live CD distributions. Any of them should be entirely beyond an attacker's ability to modify. Damn Small and Puppy Linux both run off of 50Mb credit-card sized CDs.

  61. arbeyu

    To most posters, especially StaudN

    Have any of you bothered to read the article? The man visited the web-site from his browser. He didn't follow a link in an email.

    The problem is that, to a trained eye (excepting the poor grammar), the site visited is 100% genuine.

    You can be smug gits all you like, talking about "Joe Blow" being incapable of using the internet safely, but the simple fact is that NOBODY can use the internet safely: It's inherently unsafe.

    This attack proves that which has been my position all along: The internet is not suitable, and cannot be made suitable, for security-critical applications such as online banking or payment services.

    As StaudN points out, the original design of the internet was by the American military and then academia. Trusted computers were linked to trusted computers over a private network. Security existed in the users; not the design. In the case of academia, the whole point was to freely share information. In the case of the military, the unsecured computers were in secured military bases.

    I said "the internet is broken" and perhaps there I was wrong: I should have said "the internet never worked in the first place, if you want to use it for online banking and payments" I was aiming for brevity in the title of my posting.

    "You should need an internet access license just like you need a driving licence imho" There's nothing humble about your opinion, matey-boy. Your use of the word "plebs" shows that clearly. Your arrogance will land you in deep trouble one day, so convinced that you are in your own superiority.

    The same goes for all you who say "I use Linux and Firefox and so I am secure by definition." You think that you are secure, and that your o/s and browser are secure, and so you are in danger of switching off your brain...

    ...and with no brain in charge, you are in danger of falling foul of a (less obvious than this current example) phising attack.

    Pride, as they say, comes before a fall. It's no less true for being a cliche.

  62. Scowners

    Missing the point

    I agree with Adam that you have all mostly missed the point. He didnt get there via an email link, he went to the actual address. Im sure that all of us on here would never bother to follow this sort of link from an email (except to deliberately fill up the database with stupid numbers, answers etc) as we are all far to wary, regardless of the browser, os etc blah blah but if we actually typed in www.websiteofchoice.whatever we would therefore expect that we were on that site and probably wouldnt check the padlock, https etc because WE decided to visit it, we were NOT directed to it!! Out of all the people in the world.. I trust ME!!

  63. C M

    Phishers their own worst enemy

    I've never really understood why phishers don't brush up on their English, I guess they just don't have to yet. The browser, the OS and the security software don't make a difference as they can all be targetted, and the malware could grab the details and then actually log you into the Site none the wiser for having your credentials stolen.

    When the scammers learn a decent standard of english banks will start counting the cost vs convienience.

  64. Anonymous Coward
    Anonymous Coward

    Not too much surprise, this is 2007

    Antivirus engines don't keep the pace of malware factories. See percentages on

    http://winnow.oitc.com/malewarestats.php (near 0-day malware detection statistics)

    (some people dont understand / dont believe those low numbers; you wiil do).

    Current detection rate is around 33% (dependind on specific engine), i.e., you can get 3 new malware samples in your desktop, but 'probably' only one will be detected by your AV. You must wait 2 days... 1 week, 2 weeks for your AV to detect the other 2 malware samples.

    "Blacklist-only based AV" is becoming obsolete. There are interesting approaches to increase security (as some of you know) like LinkScanner (Exploit Prevention Labs), and Prevx1 (blacklist/whitelist/graylist)-based AV.

    Current malware is theft-oriented; so, malware-factory worldwide budget is unlimited. But AV companies have limited budgets...

This topic is closed for new posts.

Other stories you might like