RE: Discovering and Stopping Phishing/Scam Attacks

[Randy <rho () clunet edu>]

I think that the system you're proposing will stop *current* phishing 
schemes but it wouldnt take a lot for the phishers to come up with a way 
to retrieve that third piece of information from the user.

A lot of places verify information with the "third question" you're 
referring to (pet's name, childhood superhero, mother's maiden name, etc) 
and identity theft is still a problem for us.

If a user is willing to give their username and password to an unverified 
source, it only takes a little more work to get that third piece of 
information from them.

~randy

On Thu, 28 Apr 2005 webcenter () sapo pt wrote:

> ok mr. moderator...
>
> i think the real problem to phishing exists is the weak process of login systems
> today...
>
> anyone just needs a login and password, to be authenticated, i think web
> aplications needs to change login systems... to be more tight... and the
> phishers maybe loose there hope to grep information very easy with just a
> username and password...
>
> my idea and solution to a new login system is this...
>
> creating a 3rd field, this 3rd field the user will choose... it will work like
> saying yes this is the real bank system welcome back mr. user insert your
> password...
>
> the process...
>
> 1rst page
> user -> puts the username...
>
> second page..
>
> 3rd field -> what is your cat name? now the user knows that this was the
> question that he have put int the 3rdfield from the real bank site (he can put
> what he want)...
> password ?? -> user puts the password.. he is athenticated.
>
> now the phishers they have more work, needs two process to gain access to the
> bank user account...
>
> first they need to colect the username to get the 3rd field... and they need to
> put the 3rdfield in the false website... to get the password... but this is the
> deal...
>
> when a user or anyone, puts the username in this login system needs to proceed
> with a password, if not, if the user close the browser, if he tries 3times and
> can't login, the system will block the username and send a email to the real
> user, a code to unblock the username and force the user to change the username
> and 3rd field... and now the phishers don't know again what will be the new
> username and 3rdfield...
>
> this system, is nothing from other planet and i think that help a lot the users,
> and will stop a litle or a big % this phisher mans...
>
>
> regards
> Nuno Costa
>
> -----Original Message-----
> From: Krul Thomas [mailto:Thomas.Krul () psepc-sppcc gc ca]
> Sent: April 27, 2005 10:31 AM
> To: 'Alex'; incidents () securityfocus com
> Subject: RE: Discovering and Stopping Phishing/Scam Attacks
>
> I received a phishing scam email for RBC Bank literally moments ago.
> The
> Web site is based in the Czech Republic with very little in the way
> to
> disguise the address of the site. (At last check, the site was still
> up
> at:
> http://updatestatus.webz.cz/rbc/cgi-bin/rbaccess/login.html)
>
> Odd, either there are some newbie phishers out there, or they are
> starting to realise that no matter how much they disguise their sites
> someone will be having them shut down soon enough so catching the
> uninformed in the few moments they have is paramount. Will we be
> seeing
> an increase in the diversity of referring addresses in a flooding
> attempt to catch the last remaining moms and pops who don't know
> better
> versus well-crafted addresses that don't arouse suspicions?
>
> -----Original Message-----
> From: Alex [mailto:incidents () alex gotdns org]
> Sent: Tuesday, April 26, 2005 7:51 PM
> To: incidents () securityfocus com
> Subject: Re: Discovering and Stopping Phishing/Scam Attacks
>
> I agree that checking by referer addresses is a powerful way to
> detect
> phishing sites, but such logs can easily be adverted?
>
> Doesn't some anti-popup software remove referer fields?
>
> Simple use of javascript can allow a page to fetch anything without
> showing
> up in referer logs.
>
> While we are on the subject, has anyone come across commercial and/or
> government websites being (illegally?) mirrored?
>
> For example, I recently came a website located on a (Asian?) hosting
> provider where the content of the website was EXACTLY that of a
> well-known
> US govt website. (It appeared that they ran the equivalent of a
> recursive
> "wget" on the real site and hosted the files). It appeared to be
> several
> layers deep.
>
> Why would anyone want to do that?
>
> -Alex
>
> ------------------------------------------------------------------------
> --
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks
> from
> CORE IMPACT.
> Go to
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
>
> to learn more.
> ------------------------------------------------------------------------
> --
>
> ------------------------------------------------------------------------
> --
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks
> from
> CORE IMPACT.
> Go to
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
>
> to learn more.
> ------------------------------------------------------------------------
> --
>
> --------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks
> from
> CORE IMPACT.
> Go to
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> --------------------------------------------------------------------------
>
>
>
>
>
> SMS GRÁTIS do seu PC para qualquer rede nacional (TMN, Vodafone, Optimus e PTC). Basta instalar o SAPO Messenger e 
> adicionar amigos!
> Vá agora a : http://messenger.sapo.pt/sms/
>
>
> --------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from
> CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> --------------------------------------------------------------------------
--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------