Not Your Average Phishing Scam

One of the first phishing scams to catch Security Fix's eye in the new year -- a counterfeit Amazon.com login page -- may set the tone for the sophistication of online schemes involving fake bank and e-commerce sites in 2007. The bogus site, which was active as of early Tuesday morning, makes use of the real Amazon.com site in an effort to fool visitors into entering their real usernames and passwords.

This trick, a form of "man-in-the-middle" attack, logs the user into his or her account at Amazon.com and then displays the data that Amazon serves up once the user is logged in. Visitors who supply bogus or otherwise incorrect usernames and passwords are shown a copy of the page Amazon users normally see if they mistype either of their credentials.


[Screen shot of the phishing site]

The lure in this phishing attack is an e-mail that warns the recipient about supposed unauthorized activity on his or her Amazon account and directs the user to reset the account's credentials. Anyone who enters a real Amazon username and password is asked to provide their date of birth, address and Social Security number.

Security Fix first learned of this scam site from Paul Laudanski of Castlecops.com, a group of volunteers who work with Internet service providers, Web hosting companies and law enforcement to help find and disable phishing sites and other online scams.

Laudanski said the fake Amazon site appears to have been created from a phishing "kit," or a pre-packaged set of counterfeit Web pages sold on the Internet black market. Already, he said, the same Amazon phishing kit has been spotted in use on a number of separate Web servers, suggesting that the technique is indeed being shared among scammers.

For all its sophistication, though, this particular Amazon scam site has some serious weaknesses. For one, it didn't attempt to obfuscate the IP address or otherwise monkey with the appearance of the browser address bar to hide the fake server's true address. Also, the anti-phishing technology in the Netcraft Toolbar and the blacklists built into both Internet Explorer and Firefox flagged this site as malicious pretty early on.

Laudanski said that if this type of man-in-the-middle attack becomes the norm, it could prompt more online merchants to implement things like "captchas," online Turing tests that prompt the visitor to read and type in a series of jumbled letters and/or numbers in an effort to separate real users from the automated logins of the sort used in this attack.

By Brian Krebs  |  January 3, 2007; 7:40 AM ET
Categories:  Latest Warnings  

Comments

How does a captcha help this attack? What stops the phishing site from downloading the actual amazon captcha and presenting it to the victim? The key problem is that this isn't an automated login.

Posted by: Bovik | January 3, 2007 9:45 AM | Report abuse

Bovik -- You are correct in that captchas would not help the user with determining the legitimacy of a site, as you correctly note that phishers could simply copy or implement their own look-alike captcha. What I was referring to was the ability of captcha to interfere with phishing sites automatically relaying the user's login information to the actual Amazon.com site. If forced to enter a (relatively well-designed) captcha, the man-in-the-middle submission of the victim's credentials by the phishing site could be blocked.

Posted by: Bk | January 3, 2007 10:21 AM | Report abuse

What is to prevent the MITM from simply re-playing the CAPTCHA?

Mutual authentication - that is, securely authenticating the host to the user and vice-versa - cannot be done securely without encryption in some form or another.

Posted by: Nick Owen | January 3, 2007 10:58 AM | Report abuse

Much as I hate (just joking) to say anything nice, I'll comment that my very onlinishly naive wife understood this item -- unlike other warning articles we've seen recently.

Posted by: Dick Wexelblat | January 3, 2007 11:03 AM | Report abuse

What are you talking about? Your column appears to be written for an internet security expert. If I go to amazon.com am I in trouble? What if they ask me a question?
Maybe I should just forget about online shopping.

Posted by: Carroll B. | January 3, 2007 11:11 AM | Report abuse

One rule that should be drummed into the head of every internet surfer: -Never- click on a link in email. Period.

Posted by: MattF | January 3, 2007 11:40 AM | Report abuse

Disassembling discovered sites may help a little, I would much prefer that the crooks be disassembled and their remains set high where all could comment.

Hanging is too good for them.

Posted by: JEREMY PALMER | January 3, 2007 11:42 AM | Report abuse

I have been using a password manager (Roboform) for the past year. It keeps track of the logon address and passwords (encrypted) on my computer. If I am ever asked to go to a company or business I do ecommerce with, I use the logon address saved in Roboform and can't be misdirected to a phishing site. It has saved me at least once that I know of.

Posted by: Kent Miller | January 3, 2007 11:43 AM | Report abuse

New, and informative:

Locating new phishing sites
- http://www.f-secure.com/weblog/archives/archive-012007.html#00001067
January 3, 2007 ~ "Phishing sites are easy to locate once the bad boys start spamming out thousands of mails linking to their site. But how can such sites be found before that?... At the time of posting this entry, none of the common browsers (IE, Firefox, Opera) detected this site as a phishing site with their built-in filters. Soon they will."

Flash Phishing
- http://www.f-secure.com/weblog/archives/archive-012007.html#00001066
January 3, 2007 ~ "We've now seen several phishing web sites that are using flash-based content instead of normal HTML. Probably the main reason to do this is to try to avoid phishing toolbars that analyze page content. Two recent examples, both targeting PayPal: ... ppal-form-ssl. com and ... welcome-ppl. com . These sites look like the real PayPal front page, but they are actually Flash recreations..."

(Screenshots available at the URLs above.)


Posted by: J. Warren | January 3, 2007 11:52 AM | Report abuse

Another idea along the lines of Kent's Roboform - bookmark the HTTPS page of each financial site*. Never click on a link in E-mail. Always go to your bank / login ONLY FROM THE BOOKMARK. Stop if the browser throws up any warning. Then it has the added benefit of protection against pharming because of the certificate mismatch.

Captchas, SiteKeys, etc cannot be a phishing solution, only a bandaid that sometimes works.

* for extra credit, inspect the SSL certificate when you bookmark to be sure you haven't accidentally bookmarked a 'typealike' site.

Posted by: Moike | January 3, 2007 3:34 PM | Report abuse

I'm not very knowledgeable about Internet security, so please excuse me if this is just too basic. As an editor, the main thing I look for with regard to suspicious sites is editorial style. If you see minor misspellings, grammatical errors, or improper use of pronouns, most likely it's a phishing site (probably one developed in Russia or Pakistan and poorly localized). As a corporate editor, I can guarantee that Amazon, PayPal, and the like have teams of people tasked with proofing their web pages.

Also, most direct email correspondence (PayPal specifically does this) from companies like Amazon and PayPal will use a greeting in the message that includes the recipient's user name. If you don't see this level of personalization, run away fast (after you mark the sender as "spam" with your email application).

Posted by: TruthMaker | January 3, 2007 4:45 PM | Report abuse

Unless I didn't get the attack, Amazon's servers can see that the MITM comes from the fraudulent site's IP address, right?

Maybe things like ThreatMetrix.com can help sites like Amazon to identify the MITM web sites and stop giving them the standard Amazon web site content, maybe even warn the users about the phishing attempt as you showed some sites did last year.

Posted by: Amos | January 3, 2007 6:03 PM | Report abuse
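Amos' observation above, that every relayed login reaches Amazon from the phishing server's own address, suggests a server-side check. The following is an added example, not the article's or Amazon's code: it scans constructed login log lines and flags any client IP that authenticates as many distinct accounts within a short window (the log format, thresholds and addresses are assumptions).

```python
"""Flag client IPs that submit logins for many distinct accounts in a short window.

Hypothetical detection, not Amazon's real logic. A man-in-the-middle phishing
page forwards each victim's credentials from the phishing server itself, so a
single client IP ends up logging in as many unrelated users within minutes.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log, sorted by time: "<iso timestamp> <client ip> <user> <result>".
# 203.0.113.9 behaves like a relay; 198.51.100.20 behaves like an ordinary household.
SAMPLE_LOG = """\
2007-01-02T06:01:10 203.0.113.9 alice@example.net ok
2007-01-02T06:01:44 203.0.113.9 bob@example.net fail
2007-01-02T06:02:03 203.0.113.9 carol@example.net ok
2007-01-02T06:03:51 203.0.113.9 dave@example.net ok
2007-01-02T06:05:07 203.0.113.9 erin@example.net fail
2007-01-02T06:05:30 198.51.100.20 frank@example.net ok
2007-01-02T06:40:00 198.51.100.20 grace@example.net ok
2007-01-02T07:10:15 198.51.100.20 frank@example.net ok
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result

def relay_suspects(log_text, window=timedelta(minutes=10), min_users=4):
    """Return {ip: peak number of distinct users seen within any `window`}
    for IPs whose peak reaches `min_users`. Failed logins count too: the
    article notes the relay forwards mistyped credentials as well."""
    recent = defaultdict(deque)   # ip -> (timestamp, user) pairs inside the window
    peak = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, _ = parse_line(line)
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len({u for _, u in q}))
    # Caveat: large NATs and corporate proxies also show many users per IP,
    # so in practice this needs an allowlist and a higher threshold for them.
    return {ip: n for ip, n in peak.items() if n >= min_users}

if __name__ == "__main__":
    for ip, n in relay_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct accounts in one window, possible credential relay")
```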

Bookmarks and domain names won't protect you from a DNS-Cache poisoning attack. You will have to check the cert. From a consumer stand-point, check out petnames for Firefox. It will tell you if the certificate is the same as when you gave it the petname. That should work until your bank provides you with something else.

Posted by: Nick Owen | January 3, 2007 6:07 PM | Report abuse

First, Roboform rocks! I'm a long-time user and it makes a wide-ranging surfer's life like mine a breeze.

Second, Roboform users and users of similar products absolutely hate captchas and other goofy multi-page authentication schemes. Make it too hard to visit your site and I'll go to one that isn't as painful.

Third, Roboform and web link with form-filling does protect against going to a bad URL, cleverly disguised or not (i.e. paypal.com vs. paypa1.com). It does not however protect you from a pharming attack whereby a valid address is rerouted to a phony site. As Moike points out, the new certificate checking graphical clues (red URL bar) will still light up in the new browsers, but if users were paying attention, phishing wouldn't be a problem in the first place.

Lastly, as Nick Owen pointed out, true mutual authentication where users have digital credentials suitable to providing client-SSL authentication signatures is the best way to go. MITM attacks are blown out of the water via either phishing or pharming. Why don't you have these digital credentials today? The technology behind traditional private key issuance was too hard and the non-traditional, but standards-based method is just beginning to gain traction. Some banks and their ASPs are finally waking up to the cold, hard reality that real criminals have focused on the internet, not just nerds out to prove their hacking chops.

Want better security? Demand it.

Posted by: Hahleq | January 3, 2007 7:00 PM | Report abuse

I would be wary of Roboform, for as mentioned in an earlier security fix -- hackers/phishers are now attacking secondary apps in an effort to get to password saving programs like Roboform.

I think perhaps the only secure thing to do these days is totally turn off your password saving features/programs and save them in a notebook you keep under lock and key in your home safe.

Posted by: Larry D. | January 3, 2007 8:33 PM | Report abuse

>Bookmarks and domain names won't protect you from a DNS-Cache poisoning attack.

Bookmarks do protect you from a DNS-Cache poisoning attack if you bookmark only the HTTPS page. The browser cross checks the certificate each time for you and displays a warning if it doesn't match.

Posted by: Moike | January 3, 2007 8:49 PM | Report abuse

The only zero day solution for this attack is CallingID Toolbar that lets you see which site will receive the data you are about to send, who stands behind the site and if it is safe submitting data to that site.

Posted by: Oren | January 4, 2007 6:33 AM | Report abuse

In an earlier post, "Truthmaker" said
"Also, most direct email correspondence (PayPal specifically does this) from companies like Amazon and PayPal will use a greeting in the message that includes the recipient's user name. If you don't see this level of personalization, run away fast (after you mark the sender as "spam" with your email application)."

He's right in that PayPal does this--however, if that's what he's relying on to sniff out phishers, he's in trouble...PayPal phishing scams have been "personalized" for at least a year. I know--I got one, and immediately called PayPal, specifically because it WAS so personalized. Don't rely on personalization of e-mails as an anti-phishing tool. To reiterate what others have said, just don't click on a link in an e-mail, no matter what. Type the web address into your browser yourself.

Posted by: Clare | January 4, 2007 10:23 AM | Report abuse

Truthmaker also noted that one should avoid the sites after marking the message as spam. Better than that is forwarding the message, after copying and pasting full headers (available in Outlook and Outlook Express under "File," then "Properties," then "Details") to "spoof@paypal.com" so they can find and shut down faked sites. Also, viewing a message's properties can be useful in determining its validity. Still, the best cure is prevention. Don't click on links from e-commerce sites. Period.

Posted by: Clare | January 4, 2007 10:34 AM | Report abuse

Another interesting study would be to determine how many days Microsoft recommended deactivating ActiveX during the year due to problems with Explorer, Outlook, Office and the base system.

Posted by: John G. | January 4, 2007 5:14 PM | Report abuse

WAIT! Don't click on links in email? That makes sense to me, but then what do I do to read my Washington Post daily email? It's nothing but an email filled with links.....

Posted by: Greg | January 5, 2007 10:21 AM | Report abuse

Greg> Don't click on links in email? That makes sense to me, but then what do I do to read my Washington Post daily email?

Use the RSS feeds instead. It's a lot more timely and convenient.

Posted by: antibozo | January 5, 2007 1:12 PM | Report abuse

Is clicking on a link itself going to somehow reveal information to the scammers, or is it that once you have gone to the link you type in sensitive information ? I have clicked on links, but never logged on to any site from my email, have I some how compromised my security? And can links from other web-sites or search engines be phishing sites?

Posted by: Linda | January 6, 2007 9:51 AM | Report abuse

It's unclear to me how the phishers can tell you are using a bogus login... I guess they're passing through the credentials to Amazon? It would be helpful to make this clear in the article.

One of my favorite online sports is responding to a phishing attack in extreme, bogus, detail. Poisoning their well a little is the least they deserve.

Posted by: bwessels | January 8, 2007 11:18 AM | Report abuse

I have a situation where someone continues to get in to send email from our corporate email address - I keep getting emails from people saying a trojan worm was attached to these emails we sent them from email addresses that we don't even have ..... for example we may have info@xxx.com and support@xxx.com but the emails that we didn't send come from like amvs@xxx.com etc.... I have deleted the email address - changed the password - you name it and they keep getting in !!! HOW could they be doing this???? I would really appreciate the help or advice??

Posted by: Great Info! How do people get total access to your email | January 8, 2007 9:01 PM | Report abuse

Great Info, there is no general mechanism to forgery of arbitrary email sender addresses. The appearance of an email address in your domain as a sender address says absolutely nothing about the true origin of the email.

Email-borne worms typically use the victim's address book and saved email as a source for email addresses, as well as forging them out of whole cloth. The even more loathsome spammers also forge addresses, purchase them in bulk mailing lists, or crawl through web pages looking for them.

When spam or worm-laden emails are sent to undeliverable recipient addresses, they bounce back to the forged sender address as a form of backscatter. This is all you are seeing, and it can be safely ignored (just use caution in handling as the bounces may contain malware).

There are a few things you can do to reduce backscatter, but none is particularly effective. SPF is perhaps the best starting point.

Posted by: antibozo | January 9, 2007 12:27 AM | Report abuse

Oops--that should have said, "...there is no general mechanism to prevent forgery..."

Posted by: antibozo | January 9, 2007 12:29 AM | Report abuse

Hi! Why can't I fill in my info in my profile? Can somebody help me?
My login is Kisakookoo!

Posted by: Kisakookoo | January 25, 2007 11:28 PM | Report abuse
