Fighting Phishing, Pharming on the Internet
By now, its old news that Paris Hilton and Fred Durst are the first notable victims of twenty first century invasions of privacy. The celebrity’s phone numbers, calendars, chat logs, and lets not forget the dirty pictures, were leaked onto the Internet for the world to peruse spurring a short media frenzy. Do you think it will make the news when your sidekick or PDA gets hacked? I doubt it. The Phisherman has better things to do like get to know more about you so he can come up with better ways to con you out of your money.
It seems that the Phishermen are getting surgical with their strikes. First the cracker obtains a list of email addresses usually by less than virtuous means but sometimes they just buy them outright. The attacker codes a script that queries a list of websites password reminder pages. Any reply qualifies as a “hit” for the cracker and a profile is created detailing your interests and habits based on the types of websites you’ve subscribed to using your email address. Now the Phisherman tailors an email just for you with all the right words and catch phrases that convince you to give him whatever he asks for. Maybe his spoofed email is all about your recent purchase from latexunderwear.com asking for your account number and those unimportant looking numbers on the bottom of your check so they can process your refund. Maybe they’ll simply ask for your password and take care of the rest themselves.
Now for the bad news. The new buzz word in security circles is “pharming”, a fairly new type of attack gaining popularity from which
the everyday user has no defense. The root of the attack has to do with spoofing DNS records. The Domain Name System is what turns IP addresses into website names for browsers. How can you tell if you’re really at citibank.com if you don’t know what the original IP was supposed to be or how long since its been legitimately changed?
Netcraft’s anti-phishing web toolbar (http://toolbar.netcraft.com) is a start in defending against a spoofed DNS record although improvements can be made. I think the software should automatically let the user know if a website changed IP addresses recently as a flag that should arouse one’s suspicion. Currently you need to click the link in the toolbar to find out about the website you’re visiting and it doesn’t tell you how long the host has been using that IP address. In short, its a start and its better than nothing. The tools are already out there for you to fight the Phisherman, but its a war and the stakes are your identity. It will take diligence and education just to stay one step behind him and out of his range of range of fire.
There is some more good news. Recently, people seem to be getting smarter about locking down their Wireless Access Points. I read a while back about the abundance of unsecure WAPs in Manhattan and it was even a topic of an online webcast last December. I’m spending a lot of time outdoors lately and I had noticed that there did seem to be quite a bit of unsecured WAPs named “linksys” that were wide open to my connection and happily dishing out IP addresses to anyone wanting a net connection. For a cracker with a WiFi capable laptop jacking into these open WAPs, the possibilities are endless. So if you’re one of those “I took it out of the box and it works” wireless users, why don’t you jump on the bandwagon. Take the time to read about your wireless access point and secure it. Show me you’re out there listening and give your WAP a funny and unique name like “IRTFManual” for starters.
Lets be frank about the bottom line here. Its all about the money. The money the Phisherman steals from you. The money the credit card and insurance companies lose from stolen goods. The money the government loses repaying FDIC insured thefts. The money the banks lose afterwards. The money cost of the bandwidth usage from the unstoppable flow of spam because someone has to pay for it. Someone always has to pay for it and that someone is usually one of us.
By the way, rumors are floating around in the seedy, underground IRC channels that the Hilton Hack’s success was in thanks mostly to academy award winning social engineering skills used on an unsuspecting T-Mobile customer service representative, but you didn’t hear it from me.
