Skip to main content

Quantum Phishing: email is dead

Phishing has matured. The bad guys are now so adept at mimicking the actual emails sent by PayPal, that PayPal support apparently cannot tell the actual PayPal email apart from the Phishing emails.

PayPal mistakes own email for phishing attack [The Register]

PayPal admits to Phishing Users [eset.com]

I've wondered for years why the phishing emails were often so terribly lame. The ideal strategy would seem to be to read some actual emails from the intended target, and mimmic those as closely as possible. The traditional excuse offered by the security community is that the emails appear often to be generated by people who speak English as a second language, but that doesn't seem like it would be such a limiting factor, given the ease with which the translations could be corrected, even anonymously, using clever internet tricks, even fairly simple ones.

The real answer seemed to be that the text content of the email didn't much matter, as people don't read them very carefully. It appears to be from their bank. It's got a link. It says to fix your login. Click!

The competitive pressure, both from education efforts which make the population of victims more sensitive to potential identity theft, and from other Phishers seeking to exploit the same population of potential victims, seems to be forcing the emails to evolve to more closely resemble the target company's web site and actual emails. Witness the inevitable result: technical support can't tell the Phishing email from the actual company-generated email contact with their customer base.

Non-authenticated email is a zombie: un-dead, walking.

Comments

Popular posts from this blog

Verified by Visa (Veriphied Phishing?)

If you have used a Visa card to make a purchase online lately you may have encountered a relatively new program, Verified by Visa . I've encountered it twice. The system is an interesting attempt by Visa to reduce online fraud and identity theft. It's a noble effort, but the user experience is unsettling, and the security implications are not exactly crystal clear. Here's what happened to me, both times the system was activated. I was redirected away from the domain at which I was shopping, to a URL which was: not the domain where I was shopping, not the domain of the bank that issued my card not visa.com I've been telling people for years that if anything like that happens to you, close your web browser immediately and do not under any circumstances enter any personal information into the form, because this is a sure sign of a man in the middle or phishing scam. (Never mind that all the best phishing scams now-a-days look like the actual domai…

Hacker 0x80 0wn3d by FBI (Arrested after Accidental Outing by Washington Post) [1]

What can the botmaster 0x80's impending misfortune [1] teach us about information security? Quite a bit. What the botmaster and the reporter didn't count on is a security risk known as "the aggregation problem" or "point and click aggregation". It's not surprising, as even practicing security professionals are often unaware of this problem, or vaguely aware of the concept but not the name. Information Security dictionaries online generally lack the terms, and don't mention them in their discussion of "disclosure" either. The aggregation problem happens when a series of small facts, any one of which if disclosed present a minimal security risk, combine to present a greater security risk when disclosed together. When aggregated, information from publicly available sources may accidentally disclose information that was intended to remain confidential. As it happens, an IETF glossary contains a definition of the basic term. RFC 282…

Bourne Incrimination - bio identity theft, the next big problem

It was only a matter of time before it became possible to create fake DNA evidence. That time is now.DNA Evidence Can be Fabricated [New York Times]Think it's bad when somebody steals your identity, drains your bank account, and spends thousands of dollars on credit cards they opened with your name on it? This run of the mill identity theft can cost you thousands of dollars, and many years to clean up. It pales in comparison to what will happen if biometric data becomes commonly used as proof of identity. Sometimes also called bio-print (like fingerprint) or bio-identity mechanisms, such things as retina scans and fingerprint scans are already in use, or even common use. DNA scans are likely to become possible several years from now, as the technology to read DNA is evolving rapidly. An entire genome can be sequenced by three people and equipment costing a few hundred thousand dollars, in a very short period of time, several days. When it become possible to read DNA in more or les…