Interesting People mailing list archives

Increasing sophistication of phishing spammers


From: David Farber <dave () farber net>
Date: Sat, 27 Nov 2004 16:45:06 -0500



Begin forwarded message:


Date: Tue, 23 Nov 2004 10:08:28 -0600
From: Dan Wallach <dwallach () cs rice edu>
Subject: Increasing sophistication of phishing spammers

I recently received a spam message claiming to be a response, forwarded to me via eBay, in regards to an item I was auctioning. Of course, I have no auction going on eBay, making it obviously fake. The message was an HTML message and included numerous in-lined images from pics.ebaystatic.com, helping make the message appear more real. A link at the bottom, attached to a "Respond Now" button (which users might presumably click to helpfully say "you got the wrong person") takes you to an IP address that has nothing to do with eBay and which feeds you a recent JavaScript exploit against Internet Explorer. That JavaScript appears to be in Unicode (making it annoying to look at with Emacs), and further contains a hex-encoded message which is decoded with JavaScript's "unescape" operator. The exploit is designed for Internet Explorer, but caused Firefox 1.0 to wedge. I had to restart it.

This particular spam seems intended to take over machines, presumably for
zombie purposes.  I've gotten other spams that similarly inlined "real"
images to lure unsuspecting users toward credit card information phishing
sites.

Issue #1: eBay and similar companies should eliminate these public servers that serve up static images for e-mail and should pay attention to referrer information to refuse images being sent to pages other than their own. Make the spammers work harder to make their pages look "real". They'd either need to set up their own static image servers, or they'd need to embed the images in the spams as MIME attachments, making the spam larger and reducing the number of spams they can send with a given amount of bandwidth.

Issue #2: I get plenty of legitimate e-mail from companies with which I do business, such as my preferred airline, car rental, and credit card vendors. All of them have my e-mail address and occasionally have real reason to send me messages (e.g., I like getting an e-mail copy of my travel itinerary). Even those companies, however, occasionally send me "promotional" messages and such, even though I always go out of my way to select the "don't e-mail me" option. As long as we're using e-mail for business purposes (either in response to actual business, like when I reserve a plane ticket, or "promotional"), then we're going to have spam that imitates this legitimate mail. Probably the only true answer is for eBay, my credit card company, and all of these other vendors to start digitally signing their mail. S/MIME has been integrated in modern e-mail systems since 1996 or 1997. It's time for these firms to use it.
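
A sketch of the referrer check proposed under Issue #1, added here as an example and not part of the forwarded message or any company's actual server code. The host names in `ALLOWED_PAGE_HOSTS`, the function names and the sample requests are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumption: hosts whose own pages are allowed to embed the images.
# Placeholder names, not taken from the message.
ALLOWED_PAGE_HOSTS = {"auction.example", "www.auction.example"}


def may_serve_image(referer, allow_missing=False):
    """Return True if a static-image request should be served.

    referer is the raw Referer header value, or None when absent.
    """
    if referer is None or not referer.strip():
        # No Referer at all, as when a mail reader fetches an inlined image.
        # Refusing these is the strict policy; it also blocks clients that
        # strip the header, so it is left as an explicit switch.
        return allow_missing
    try:
        parts = urlsplit(referer.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False  # malformed header: treat as not ours
    if parts.scheme not in ("http", "https"):
        return False
    # Exact host match only; substring or suffix tests would accept
    # look-alike names such as auction.example.other.test.
    return host in ALLOWED_PAGE_HOSTS


# Constructed sample requests: (description, Referer header value).
SAMPLES = [
    ("own listing page", "https://www.auction.example/item/123"),
    ("page on a bare IP address", "http://192.0.2.10/respond.html"),
    ("look-alike host name", "http://auction.example.other.test/"),
    ("allowed name only in query", "http://other.test/?u=auction.example"),
    ("no Referer (HTML mail)", None),
]


def decisions(allow_missing=False):
    return {d: may_serve_image(r, allow_missing) for d, r in SAMPLES}


if __name__ == "__main__":
    for desc, ok in decisions().items():
        print(f"{'serve ' if ok else 'refuse'}  {desc}")
```

With the strict default only the first sample is served; the `allow_missing` switch shows the compatibility cost of the policy for requests that carry no Referer.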
