John Levine wrote:

My girlfriend just got an (apparently legitimate from what I can tell)
HTML email from her credit card company, complete with lots of lovely
images and an exhortation to sign up for their new secure online
"ShopSafe" service that apparently generates one time credit card
numbers on the fly.

John, I have some serious samples of "Consumer Mis-education" as it's been dubbed - I actually provided some of the samples in Aaron's report.

Side note: not only are the emails confusing, but every email that I get from a consumer, so far (the American Express one in the PowerPoint especially is really screwed up) from eBay, Amex, and Bank of America, has had major vulnerabilities that allow cross-user attacks within them. Not only that, to add to his report, with cross-user attacks (I'm probably preaching to the choir, but it's still interesting) you can foil SSL connections with the lock by using what I call a "Mixed-SSL" attack, where you have multiple-frame control with your valid certs, but the domain URL is https://www.americanexpress.com. This in essence only indicates one SSL cert, that being the bank's site that you have injected code into, and by walking the DOM you essentially use your certs to maintain the secure frame objects. (For a demo of this, contact me offline.)

There was a point - oh yes, with the emails - in most of these cases, there can be what I call a bulk mail "replay" attack. Assume a phisher has a "BofA" account and receives the bulk mailings of the legitimate Financial Institution (FI). This is a safe assumption because in the past we have seen a phisher utilize a real BofA email and just replace the links with poisoned links that used BofA's site to phish the user. So with some timing, a "replay" attack can be organized: since we establish that, say, "BofA" has some XSS vulnerabilities (this is just an example, no offense to BofA), the phisher can wait for a legitimate commercial marketing campaign and then mix in his poisoned mass mailing within the same time frame as these are going out. This will not only confuse the customer, but when reported it may get underestimated because the FI did in fact send out a mass mail to their customers*. The poisoned URL with the real domain and real (SSL-MIX) lock at the bottom of the screen belonging to Bank of America (even though the phisher took over the site) could potentially increase ROI by inducing "misplaced trust" or cause a severe lack of confidence within the already troubling concept of online banking.

-Lance

*Ironically, I did find a vulnerability previously in a certain FI mass mailing campaign that allowed me to arbitrarily subscribe anyone's email address to their campaign list and control settings for whether they get the "Solicited" Commercial Email. This adds to the effect, since phishers can subscribe anyone, not just their customers.


Shopsafe is rather nice.  I use it all the time, and it's written in
flash which works on my FreeBSD laptop.

On the other hand, MBNA's mail practices would be laughable if they
weren't entirely in line with every other bank in the country.  If you
read Dave Farber's IP list, a couple of days ago Bob Frankston sent in
an alarmed note saying that some info from his Bank of America account
had apparently been stolen and used in a phish, and I wrote to tell him
that no, the mail was real, from the service bureau they use which has
a name nobody outside the banking industry knows.

Aaron Emigh of Radix Labs wrote to tell me about a talk he gave
earlier this year at an Anti-Phishing Working Group meeting
on this topic, which starts with a set of examples of real bank mail
each of which looks phishier than the last.

This is 30MB due to the voiceover, but if you have a fast web
connection, it's worth running.  It needs Powerpoint:

http://www.radixlabs.com/idtheft/aaron-emigh-education.pps

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!