Saturday, June 24, 2006

Only the Paranoid Survive - Phishing

It would seem that those tricky phishers have designed a new attack method.

They send an SMS message to your phone. The message describes how you have been signed up to a new dating service and will be charged $2.00 per day on your phone bill. The message directs you to a website if you want to cancel the service.

Ah, there's the rub! Once loaded, the page drops a Trojan, and at that point you are welcomed with open arms into a fresh new botnet family.

Why does this work? A couple of reasons come to mind:

1) People are so connected to the virtual world of today that they almost forget about the cons of the real world, like advance fee fraud, pyramid letter schemes, etc.

Blended media attacks like the one described are normally crafted to reach a smaller target group. The bad guys take the time to build more social engineering into the attack, thereby increasing the likelihood of success.

These facts also have the side effect of reducing the attack's exposure and therefore decreasing the chance of it being stopped by the good guys.

The Mountain America Credit Union phish attack in Feb 2006 is a perfect example.

2) People want to be nice to other people; it is built into our nature. Far too often, however, this niceness translates into trust. That false sense of trust is then used by the attackers as a jumping-off point. They build and build on it until you forget why you even trusted them in the first place.

A very simple example: if someone is carrying an armful of things and can't get the door, we will open it for them.

This is a common trick used by physical penetration testers to gain access to restricted areas.

Always remember to question the world around you.

“Only the paranoid survive” – Andrew S. Grove
