Monday, February 28, 2005

Feeling insecure yet?

(Hat tip: Jerry Pournelle.)

A new, improved phishing scam has surfaced.

Normally, phishing involves sending the intended mark (you and me, guys) an e-mail warning of some problem with his account. The e-mail helpfully includes a link to a page where you can log in and resubmit your information, and presumably, change your password to prevent this kind of thing from happening in the future.

Since most people know that a link's real target is displayed on the status bar at the bottom of the browser, phishers have started using the onmouseover event handler to rewrite the status-bar text so that it looks like a legitimate address.
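As an added example (not code from the original post), here is a small Python check a mail gateway or an analyst could run over an HTML message body to flag anchors whose mouse or click handlers rewrite the status bar, and to compare the address painted there with the link's real host. The sample message, the example-bank hostnames and the 203.0.113.5 address are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body (not from the original post): one anchor whose
# onmouseover handler overwrites the status bar with a bank-looking address, and
# one honest anchor. Hostnames and the 203.0.113.5 address are placeholders.
SAMPLE_HTML = """
<p>Please <a href="http://203.0.113.5/login.htm"
   onmouseover="window.status='https://signin.example-bank.com/'; return true;"
   onmouseout="window.status=''; return true;">sign in here</a> to verify your account.</p>
<p>Or visit <a href="https://www.example-bank.com/help">our help page</a>.</p>
"""

# Matches assignments such as window.status='...' or status="..." inside a handler.
STATUS_ASSIGN = re.compile(r"(?:window\.|self\.|top\.)?status\s*=\s*['\"]([^'\"]*)['\"]", re.I)


class StatusBarSpoofFinder(HTMLParser):
    """Collect <a> tags whose mouse/click handlers rewrite the status bar."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attr = dict(attrs)
        href = attr.get("href") or ""
        for handler in ("onmouseover", "onmouseout", "onclick"):
            m = STATUS_ASSIGN.search(attr.get(handler) or "")
            if not m or not m.group(1):
                continue  # no status rewrite, or the handler only clears the bar
            shown_host = urlparse(m.group(1)).hostname
            real_host = urlparse(href).hostname
            self.findings.append({
                "href": href,
                "handler": handler,
                "status_text": m.group(1),
                # True when the address painted on the status bar points elsewhere
                "host_mismatch": shown_host != real_host,
            })


def find_status_bar_spoofs(html):
    """Return the suspicious anchors found in an HTML mail body."""
    finder = StatusBarSpoofFinder()
    finder.feed(html)
    return finder.findings
```

Running `find_status_bar_spoofs(SAMPLE_HTML)` flags only the first anchor, with `host_mismatch` set because the status bar would show `signin.example-bank.com` while the link really goes to `203.0.113.5`.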

If you follow a link to a scam website, you can still discover whether it's bona fide by entering a bogus name and password combination in the login form. If the form lets you in, it's a phishing site.

Now, eBay has a script, available to anyone, that can be used to verify whether a user-name/password combination is valid.

The phishing site accepts a user name and password, then runs them through the script. If the script rejects them, the phishing page rejects them too. This may lead a person to believe the page really does belong to eBay.


Now, before we get all hot and bothered at eBay, it occurs to me upon reading this report that you may not need a specialized script provided by a company to pull this off. If you set up a scam to obtain someone's user name and password for his bank, you could probably write a script that pulls up that bank's own login page, tries whatever name and password were handed to your form, and then reports "success" or "failure" back to the phishing site.

This might introduce a second or two of delay, but that's indistinguishable from normal net congestion, and it would "clear up" once the user has "logged in".

Be careful out there.

Indeed.
