Re: why don't banks do more against phishing?

2012-07-07 Thread Nix
Coming to this a few months late provides some... interesting
perspective.

On 24 Apr 2012, xTrade Assessory uttered the following:
 Martin Gregorie wrote:
 But back to banking? In the UK, anyway, you don't need to be either
 intelligent or have any industry qualifications to run a bank. Back in
 2007 or thereabouts a quiz master asked what was the difference
 between: 
 - the CEO who bankrupted the Northern Rock Building Society
 - the CEO who bankrupted the Royal Bank of Scotland
 - the boss of Barclays (I think - might have been the Co-OP Bank)
 - Terry Wogan, who was a well-known radio presenter at the time. 
 
 The answer was that the only one of them with any banking qualifications
 was Terry Wogan.

 media jokes certainly are not a good base for classification :)

Perhaps not. I think the near-ruination of the world economy, the
near-bankrupting of numerous rich states, and now the hilarious RBS
epic computing disaster and long-running but now-exploding LIBOR rigging
scandal put a slightly different tone on things.

It's not only a quiz show host who figured that Bob Diamond shouldn't be
running a major bank. It's the chairman of the Bank of England (oh, the
FSA too).

-- 
NULL  (void)


Re: why don't banks do more against phishing?

2012-04-25 Thread Martin Gregorie
On Wed, 2012-04-25 at 00:08 +0100, RW wrote:
 On Tue, 24 Apr 2012 15:23:28 +0100
 Martin Gregorie wrote:
 
  On Tue, 2012-04-24 at 14:25 +0100, RW wrote:
   On Mon, 23 Apr 2012 01:20:13 -0300
   xTrade Assessory wrote:
   
   
no serious bank, as any other serious company, would ever send out
emails asking for user details

the user who believes that is either incredibly ingenious or
incredibly stupid, so: happy clicking
   
   I don't think it's all that stupid given that many banks and other
   companies do more or less the same thing when they phone their
   customers. 
  
  That merely shows that stupidity is extremely widespread: other
  outfits being lax about security doesn't give the banks a free pass.
 
 
 I meant that it's understandable that people fall for phishing when
 banks set a bad example by phoning customers and requiring the customer
 to provide personal information to establish his or her identity.

Point taken, but it's still inexcusable of a bank to do that. 

If somebody claiming to be my bank calls me and starts asking security
questions I tell them politely but firmly that I don't believe they are
from the bank and that I'll call them. Then I put down the phone and
ring the number I have on file for that bank. 


Martin



Re: why don't banks do more against phishing?

2012-04-24 Thread RW
On Mon, 23 Apr 2012 01:20:13 -0300
xTrade Assessory wrote:


 no serious bank, as any other serious company, would ever send out
 emails asking for user details
 
 the user who believes that is either incredibly ingenious or incredibly
 stupid, so: happy clicking

I don't think it's all that stupid given that many banks and other
companies do more or less the same thing when they phone their
customers. 


Re: why don't banks do more against phishing?

2012-04-24 Thread Martin Gregorie
On Tue, 2012-04-24 at 14:25 +0100, RW wrote:
 On Mon, 23 Apr 2012 01:20:13 -0300
 xTrade Assessory wrote:
 
 
  no serious bank, as any other serious company, would ever send out
  emails asking for user details
  
  the user who believes that is either incredibly ingenious or incredibly
  stupid, so: happy clicking
 
 I don't think it's all that stupid given that many banks and other
 companies do more or less the same thing when they phone their
 customers. 

That merely shows that stupidity is extremely widespread: other outfits
being lax about security doesn't give the banks a free pass. And, what
about companies who confirm an account sign-up by sending a single plain
text e-mail containing the name of the company, your login name and your
password? Or the multitude that use your e-mail address as the login
name?

But back to banking? In the UK, anyway, you don't need to be either
intelligent or have any industry qualifications to run a bank. Back in
2007 or thereabouts a quiz master asked what was the difference
between: 
- the CEO who bankrupted the Northern Rock Building Society
- the CEO who bankrupted the Royal Bank of Scotland
- the boss of Barclays (I think - might have been the Co-OP Bank)
- Terry Wogan, who was a well-known radio presenter at the time. 

The answer was that the only one of them with any banking qualifications
was Terry Wogan.

My bank says up front and in writing that they will never ask for
account or login details by e-mail. I suggest moving your account away
from any bank that doesn't have the same policy and sticks to it. Make
sure you tell them why you're leaving, though.


Martin




Re: why don't banks do more against phishing?

2012-04-24 Thread Ned Slider

On 24/04/12 15:23, Martin Gregorie wrote:


My bank says up front and in writing that they will never ask for
account or login details by e-mail. I suggest moving your account away
from any bank that doesn't have the same policy and sticks to it. Make
sure you tell them why you're leaving, though.




In addition to helping customers in this way, it would be really nice if 
they would similarly help mail admins too by also having a well-defined 
email policy, clearly stating which addresses they will send email from 
and publishing accurate SPF records for those domains.


That would make it trivial for all mail admins to detect and block bank 
phishing attempts.


It's not rocket science!
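Added example (not part of the thread, and not anyone's production code): what a mail admin can do once a bank publishes an accurate SPF record. The record below for the hypothetical domain bank.example is constructed, as is the receiving server's policy table; a real check would fetch the domain's TXT record over DNS and also resolve a/mx/include mechanisms, which this offline parser deliberately reports as unsupported rather than guessing.

```python
import ipaddress

# Constructed example record for the hypothetical domain bank.example.
# In practice the record is fetched as the domain's DNS TXT record.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 ip6:2001:db8:10::/48 -all"

# How the qualifier in front of a matching mechanism maps to an SPF result
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed policy for the receiving mail server: what to do with each result
DISPOSITION = {
    "pass": "accept",
    "fail": "reject",
    "softfail": "quarantine",
    "neutral": "accept",
}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) triples.

    Modifiers such as redirect= and exp= are skipped; this parser only handles
    the mechanisms needed for an offline check (ip4, ip6, all).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    mechanisms = []
    for term in terms[1:]:
        if "=" in term:  # modifier (name=value), not a mechanism
            continue
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        mechanisms.append((qualifier, name.lower(), arg))
    return mechanisms


def check_spf(sender_ip, record):
    """Evaluate the connecting IP against the record, left to right.

    Returns 'pass', 'fail', 'softfail' or 'neutral' for the first matching
    mechanism, 'neutral' if nothing matches (the RFC 7208 default),
    'permerror' for a malformed network, or 'unsupported:<name>' for
    mechanisms (a, mx, include, exists) that would need DNS lookups this
    offline example does not perform.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in parse_spf(record):
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
            continue
        return "unsupported:" + name
    return "neutral"


def disposition(sender_ip, record):
    """What a mail server using the DISPOSITION table would do with the message."""
    return DISPOSITION.get(check_spf(sender_ip, record), "accept")


if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.26", "2001:db8:10:1::5"):
        print(ip, check_spf(ip, SPF_RECORD), disposition(ip, SPF_RECORD))
```

The useful part for Ned's point is the `-all` at the end: with a hard fail published, a message claiming to be from bank.example but arriving from 198.51.100.26 is rejected outright, whereas a `~all` record only yields softfail and leaves the decision to the spam filter.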



Re: why don't banks do more against phishing?

2012-04-24 Thread xTrade Assessory
Martin Gregorie wrote:
 On Tue, 2012-04-24 at 14:25 +0100, RW wrote:
 On Mon, 23 Apr 2012 01:20:13 -0300
 xTrade Assessory wrote:


 no serious bank, as any other serious company, would ever send out
 emails asking for user details

 the user who believes that is either incredibly ingenious or incredibly
 stupid, so: happy clicking

 I don't think it's all that stupid given that many banks and other
 companies do more or less the same thing when they phone their
 customers. 

 That merely shows that stupidity is extremely widespread: other outfits
 being lax about security doesn't give the banks a free pass. And, what
 about companies who confirm an account sign-up by sending a single plain
 text e-mail containing the name of the company, your login name and your
 password? Or the multitude that use your e-mail address as the login
 name?
 
 But back to banking? In the UK, anyway, you don't need to be either
 intelligent or have any industry qualifications to run a bank. Back in
 2007 or thereabouts a quiz master asked what was the difference
 between: 
 - the CEO who bankrupted the Northern Rock Building Society
 - the CEO who bankrupted the Royal Bank of Scotland
 - the boss of Barclays (I think - might have been the Co-OP Bank)
 - Terry Wogan, who was a well-known radio presenter at the time. 
 
 The answer was that the only one of them with any banking qualifications
 was Terry Wogan.

media jokes certainly are not a good base for classification :)

 
 My bank says up front and in writing that they will never ask for
 account or login details by e-mail. I suggest moving your account away
 from any bank that doesn't have the same policy and sticks to it. Make
 sure you tell them why you're leaving, though.
 

I'm getting really curious because some of you insist.

I cannot believe that there is a bank somewhere passing/asking for
credentials by email; I never saw it, and I know about internal bank
policies which do not permit *any* kind of email contact with clients.



Hans


-- 
XTrade Assessory
International Facilitator
BR - US - CA - DE - GB - RU - UK
+55 (11) 4249.
http://xtrade.matik.com.br


Re: why don't banks do more against phishing?

2012-04-24 Thread RW
On Tue, 24 Apr 2012 15:23:28 +0100
Martin Gregorie wrote:

 On Tue, 2012-04-24 at 14:25 +0100, RW wrote:
  On Mon, 23 Apr 2012 01:20:13 -0300
  xTrade Assessory wrote:
  
  
   no serious bank, as any other serious company, would ever send out
   emails asking for user details
   
   the user who believes that is either incredibly ingenious or
   incredibly stupid, so: happy clicking
  
  I don't think it's all that stupid given that many banks and other
  companies do more or less the same thing when they phone their
  customers. 
 
 That merely shows that stupidity is extremely widespread: other
 outfits being lax about security doesn't give the banks a free pass.


I meant that it's understandable that people fall for phishing when
banks set a bad example by phoning customers and requiring the customer
to provide personal information to establish his or her identity.


Re: why don't banks do more against phishing?

2012-04-23 Thread Dave Warren


On 4/22/2012 8:31 PM, haman...@t-online.de wrote:

a) phishers would probably move to hosting their own copies of the logos


Yup. However, spammers haven't completely adapted to greylisting, and 
still spam from SBL/ZEN listed IPs, so perhaps this would catch some of 
the low-hanging fruit?



b) some users of image resizers would see the warning sign reduced
(I recently had someone complain about an error on our google maps "our office is 
here" page, and it turned out the visitor was using a smartphone via an image resize 
service)


Were you tripping on a lack of referrer, or was an image resizing 
service actually returning a completely incorrect referrer? When 
attacking phishing websites that are abusing legitimately hosted images, 
you should be able to return the correct image for requests that are 
completely missing a referrer; it's only when you get a third-party site 
in the referrer that you should return the "This is a phishing site!" image.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: why don't banks do more against phishing?

2012-04-23 Thread hamann . w
Dave Warren wrote:

 b) some users of image resizers would see the warning sign reduced
 (I recently had someone complain about an error on our google maps "our 
 office is here"
 page, and it turned out the visitor was using a smartphone via an image 
 resize service)

Were you tripping on a lack of referrer, or was an image resizing 
service actually returning a completely incorrect referrer? When 

Hi Dave,

all I know is that someone told me about a broken cid:something image on the
phone for Google maps.
I recently tried a wrong google key and noticed that I would see the correct
map for a second, until a javascript shows an error message.
So my conclusion was that the resizing service loaded the original image
(from google server), replaced it by a cid: url, and then the Google
javascript would somehow fail.

Now thinking about the bank situation: the bank's webserver would see a request
from the resizing service, but it is up to the resizer to behave like a
real browser, or a proper http proxy

Wolfgang


Re: why don't banks do more against phishing?

2012-04-23 Thread Dave Warren

On 4/23/2012 4:41 AM, haman...@t-online.de wrote:

Now thinking about the bank situation: the bank's webserver would see a request
from the resizing service, but it is up to the resizer to behave like a
real browser, or a proper http proxy


That's basically what I'm thinking. If the service fails to send a 
referrer at all, you can generally serve images reasonably safely. Email 
phishes can still use images, but given how few email clients actually 
load HTTP images anyway, it's a minor part of the problem.


It's only when there's an incorrect referrer that you can assume the 
request isn't legitimate and you should return something different. 
Whether you do this immediately or have someone review before making the 
decision is a business decision; for banks that can't confine themselves 
to a single domain a manual review might be needed, but such is life.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren





Re: why don't banks do more against phishing?

2012-04-23 Thread Benny Pedersen

Den 2012-04-24 03:46, Dave Warren skrev:


It's only when there's an incorrect referrer that you can assume the
request isn't legitimate and you should return something different.


or banks care to send the image over https protocol not just http


Whether you do this immediately or have someone review before making
the decision is a business decision,


bah


for banks that can't confine
themselves to a single domain then a manual review might be needed,
but such is life.


yep it would be more fun to see the first bank that works in the links 
text-mode web browser, and only displays graphics if started with links 
-g; any other browser is insecure :=)






why don't banks do more against phishing?

2012-04-22 Thread Jason Haar
OT but related

I just got a bunch of phishing attacks against a bank come through.
Following the link leads me to some owned website with the fake bank
frontend - and it had a feature that I've seen time and time again:
images and links from the real banksite

Why don't banks rub two braincells together and start monitoring the
referrers on their primary webpages (eg logos, terms and conditions) and
return a "RUN AWAY!!! IT'S A TRAP!!!" page whenever someone views the
phishing sites? The Referrer header would allow that instantly

They really don't give a damn do they...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: why don't banks do more against phishing?

2012-04-22 Thread Noel Butler
On Mon, 2012-04-23 at 14:40 +1200, Jason Haar wrote:

 OT but related
 
 I just got a bunch of phishing attacks against a bank come through.
 Following the link leads me to some owned website with the fake bank
 frontend - and it had a feature that I've seen time and time again:
 images and links from the real banksite
 


My personal bank's phishing scams ended a couple of years ago, when they
introduced SPF;
the opposition's still arrive in my inbox or spam folders every so often.



 Why don't banks rub two braincells together and start monitoring the


because that means their IT dept needs to employ someone with a clue
about DNS.



 They really don't give a damn do they...
 

some certainly don't





Re: why don't banks do more against phishing?

2012-04-22 Thread Jim Popovitch
On Sun, Apr 22, 2012 at 10:40 PM, Jason Haar jason_h...@trimble.com wrote:
 OT but related

 I just got a bunch of phishing attacks against a bank come through.
 Following the link leads me to some owned website with the fake bank
 frontend - and it had a feature that I've seen time and time again:
 images and links from the real banksite

 Why don't banks rub two braincells together and start monitoring the
 referrers on their primary webpages (eg logos, terms and conditions) and
 return a "RUN AWAY!!! IT'S A TRAP!!!" page whenever someone views the
 phishing sites? The Referrer header would allow that instantly

 They really don't give a damn do they...

Bingo!

I presented that very idea to a big bank (you would recognize the
name) approx 8 years ago.  I suggested they monitor the referrers
(with the security product we were installing) and automatically
increase situational awareness accordingly, and at some point move to
replacing images that didn't match certain referrers.  I was ignored,
almost scoffed at.

-Jim P.



Re: why don't banks do more against phishing?

2012-04-22 Thread hamann . w
 OT but related
 
 I just got a bunch of phishing attacks against a bank come through.
 Following the link leads me to some owned website with the fake bank
 frontend - and it had a feature that I've seen time and time again:
 images and links from the real banksite
 
 Why don't banks rub two braincells together and start monitoring the
 referrers on their primary webpages (eg logos, terms and conditions) and
 return a "RUN AWAY!!! IT'S A TRAP!!!" page whenever someone views the
 phishing sites? The Referrer header would allow that instantly
 
 They really don't give a damn do they...
 

Hi Jason,

a) phishers would probably move to hosting their own copies of the logos
b) some users of image resizers would see the warning sign reduced
(I recently had someone complain about an error on our google maps "our office 
is here"
page, and it turned out the visitor was using a smartphone via an image resize 
service)

Regards
Wolfgang



Re: why don't banks do more against phishing?

2012-04-22 Thread Mahmoud Khonji
On 04/23/2012 06:40 AM, Jason Haar wrote:
 OT but related
 
 I just got a bunch of phishing attacks against a bank come through.
 Following the link leads me to some owned website with the fake bank
 frontend - and it had a feature that I've seen time and time again:
 images and links from the real banksite
 
 Why don't banks rub two braincells together and start monitoring the
 referrers on their primary webpages (eg logos, terms and conditions) and
 return a "RUN AWAY!!! IT'S A TRAP!!!" page whenever someone views the
 phishing sites? The Referrer header would allow that instantly
 
 They really don't give a damn do they...

Seems OK for existing clients who type the domain manually (or via a
bookmark). However, newly visiting clients might find the link via a
search engine, or (say) a site that contains a ranked list of the banks.
In the latter case, the referrer's domain name will not be that of the
bank, and will likely trigger a false positive.

Boils down to risk management -- money to lose by being a victim, versus
that of turning new customers away due to the false positives.

-- 
Regards,
Mahmoud Khonji
PGP Key: 0x92584ECA
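Added example (not from the thread and not any bank's code) pulling together Jason's referrer check, Dave Warren's refinement that a missing Referer is benign and only a third-party one is suspect, Jim P.'s idea of first monitoring referrers before replacing images, and Mahmoud's false-positive concern. Every name and value here is constructed: bank.example as the bank's domain, a hypothetical allowlist of third parties that legitimately link to the bank, the image file names, and the combined-format access log lines used to show the monitoring side.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed values for this example. OWN_DOMAINS are the bank's registrable
# domains; ALLOWED_REFERRER_DOMAINS is a hypothetical allowlist of third parties
# (search engines, comparison sites) that legitimately link to the bank and
# must not trigger the warning image.
OWN_DOMAINS = {"bank.example"}
ALLOWED_REFERRER_DOMAINS = {"google.com", "bing.com", "bank-ratings.example"}

REAL_IMAGE = "logo.png"
WARNING_IMAGE = "warning-not-our-site.png"   # the "it's a trap" replacement


def _host_in(host, domains):
    """True if host equals one of domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_referrer(referer, own_domains=OWN_DOMAINS,
                      allowlist=ALLOWED_REFERRER_DOMAINS):
    """Classify a request for a bank-hosted image by its Referer header.

    Returns (verdict, reason): verdict is 'serve' (hand out the real image)
    or 'suspect' (a third-party page is embedding the image).
    """
    if not referer or referer == "-":
        return "serve", "no-referrer"       # missing referrer is treated as benign
    try:
        host = urlsplit(referer).hostname
    except ValueError:
        host = None
    if not host:
        return "suspect", "unparseable-referrer"
    host = host.lower().rstrip(".")
    if _host_in(host, own_domains):
        return "serve", "first-party"
    if _host_in(host, allowlist):
        return "serve", "allowlisted"        # avoids the search-engine false positive
    return "suspect", "third-party:" + host


def choose_image(referer, auto_block=False):
    """Decide what to return for an image request.

    Returns (filename, reason, flag_for_review). With auto_block=False a
    suspect request still gets the real image but is flagged so a person
    can review it before the referring site is treated as phishing.
    """
    verdict, reason = classify_referrer(referer)
    if verdict == "serve":
        return REAL_IMAGE, reason, False
    if auto_block:
        return WARNING_IMAGE, reason, True
    return REAL_IMAGE, reason, True


# Constructed combined-log-format lines as the bank's web server would log
# image requests; the second-to-last quoted field is the Referer.
LOG_LINES = [
    '203.0.113.5 - - [22/Apr/2012:14:40:01 +1200] "GET /img/logo.png HTTP/1.1" 200 5120 "https://online.bank.example/login" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Apr/2012:14:41:13 +1200] "GET /img/logo.png HTTP/1.1" 200 5120 "http://owned-site.example/bank/login.php" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Apr/2012:14:41:14 +1200] "GET /img/terms.png HTTP/1.1" 200 910 "http://owned-site.example/bank/login.php" "Mozilla/5.0"',
    '198.51.100.10 - - [22/Apr/2012:14:42:50 +1200] "GET /img/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [22/Apr/2012:14:43:02 +1200] "GET /img/logo.png HTTP/1.1" 200 5120 "https://www.google.com/search?q=bank" "Mozilla/5.0"',
]
LOG_RE = re.compile(r'"(?P<request>[^"]*)" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')


def suspect_hosts_from_log(lines):
    """Count, per third-party host, how many image requests came from it.

    This is the monitoring step: a host that suddenly embeds the bank's logo
    dozens of times is worth a look before any image is swapped.
    """
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        verdict, reason = classify_referrer(m.group("referer"))
        if verdict == "suspect" and reason.startswith("third-party:"):
            counts[reason.split(":", 1)[1]] += 1
    return counts


if __name__ == "__main__":
    print(suspect_hosts_from_log(LOG_LINES))
    print(choose_image("http://owned-site.example/bank/login.php", auto_block=True))
```

The allowlist is what keeps Mahmoud's objection in check: a visitor arriving from a search result or a comparison site gets the real image, and only a host nobody has vetted is counted or, with `auto_block`, served the warning image.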


Re: why don't banks do more against phishing?

2012-04-22 Thread xTrade Assessory
Jason Haar wrote:
 OT but related
 
 I just got a bunch of phishing attacks against a bank come through.
 Following the link leads me to some owned website with the fake bank
 frontend - and it had a feature that I've seen time and time again:
 images and links from the real banksite
 
 Why don't banks rub two braincells together and start monitoring the
 referrers on their primary webpages (eg logos, terms and conditions) and
 return a "RUN AWAY!!! IT'S A TRAP!!!" page whenever someone views the
 phishing sites? The Referrer header would allow that instantly
 
 They really don't give a damn do they...
 


well, this is complete nonsense, not only your opinion but also your
technical suggestion

in the first place, phishing is not targeting the bank, nor is it the victim

phishing deals with the stupidity of the clickers

no serious bank, as any other serious company, would ever send out
emails asking for user details

the user who believes that is either incredibly ingenious or incredibly
stupid, so: happy clicking

it is honorable that developers and technicians care and try to find
countermeasures, but it is not their responsibility, nor the bank's

whoever clicks on a phishing attempt, I'd say, well done; hopefully he types
in name and passwd, so that would then be a real learning lesson, one
more saved :)

what you're asking for is making the police pay for a stolen car ...


if you target a culprit you should go after all these irresponsible
webhosting companies which do not review the content and web admins who
do not have a clue about what they are doing


Hans






-- 
XTrade Assessory
International Facilitator
BR - US - CA - DE - GB - RU - UK
+55 (11) 4249.
http://xtrade.matik.com.br


Re: More on phishing

2006-03-09 Thread Philip Prindeville
Philip Prindeville wrote:
 What about flagging HTML that has:
 
 <a href=.* onMouseOver=window.status
 
 I.e. any links that attempt to intercept onMouseOver events and override
 the status window should be flagged as suspect...
 
 -Philip


Actually, this seems to work:

rawbody L_PHISH /<[aA] [hH][rR][eE][fF]=.* (onMouseOver|onMouseMouse)=window\.status=/
describe L_PHISH    Test for PHISH overwrites the status bar
score L_PHISH   6.0


I suppose I could beef it up with a test to see if __CTYPE_HTML was
set at the same time...

Not sure how case-sensitive JavaScript is to whether onmouseover is the
same as onMouseOver...  I'm not a JS-head.

-Philip


Re: More on phishing

2006-03-09 Thread Kelson

Philip Prindeville wrote:

Actually, this seems to work:

rawbody L_PHISH /<[aA] [hH][rR][eE][fF]=.* (onMouseOver|onMouseMouse)=window\.status=/
describe L_PHISH    Test for PHISH overwrites the status bar
score L_PHISH   6.0

I suppose I could beef it up with a test to see if __CTYPE_HTML was
set at the same time...

Not sure how case-sensitive JavaScript is to whether onmouseover is the
same as onMouseOver...  I'm not a JS-head.


JavaScript is case sensitive, but HTML is not.  (XHTML, however, is -- 
at least in theory.)


In this syntax, onMouseOver is actually an HTML attribute of the A tag. 
 The value of that attribute, however, contains JavaScript.  So 
onMouseOver, ONMOUSEOVER, onmouseover are all equivalent, but 
window.status has to be in all lower case.


Incidentally, I've never heard of onMouseMouse. Should that be onMouseMove?

--
Kelson Vibber
SpeedGate Communications www.speed.net


Re: More on phishing

2006-03-09 Thread Philip Prindeville
Kelson wrote:
 Philip Prindeville wrote:
 
Actually, this seems to work:

rawbody L_PHISH /<[aA] [hH][rR][eE][fF]=.* (onMouseOver|onMouseMouse)=window\.status=/
describe L_PHISH    Test for PHISH overwrites the status bar
score L_PHISH   6.0

I suppose I could beef it up with a test to see if __CTYPE_HTML was
set at the same time...

Not sure how case-sensitive JavaScript is to whether onmouseover is the
same as onMouseOver...  I'm not a JS-head.
 
 
 JavaScript is case sensitive, but HTML is not.  (XHTML, however, is -- 
 at least in theory.)
 
 In this syntax, onMouseOver is actually an HTML attribute of the A tag. 
   The value of that attribute, however, contains JavaScript.  So 
 onMouseOver, ONMOUSEOVER, onmouseover are all equivalent, but 
 window.status has to be in all lower case.
 
 Incidentally, I've never heard of onMouseMouse. Should that be onMouseMove?
 

Gah...  Fat fingers.  Yes, onMouseOver or onMouseMove.

Although I've not seen spam containing onMouseMove, but looking at:

http://www.w3.org/TR/html4/interact/scripts.html

it would seem to be useful to protect against both.

-Philip


Re: More on phishing

2006-03-09 Thread Loren Wilton
 What about flagging HTML that has:

 <a href=.* onMouseOver=window.status

 I.e. any links that attempt to intercept onMouseOver events and override
 the status window should be flagged as suspect...

That would be nice, but spammers learned long ago (after I wrote rules for
those things) that all you need to do is break the html over two lines and
SA can't catch it, because rawbody can only work on one line at a time.

Loren



Re: More on phishing

2006-03-09 Thread Theo Van Dinter
On Thu, Mar 09, 2006 at 09:38:57PM -0800, Loren Wilton wrote:
 That would be nice, but spammers learned long ago (after I wrote rules for
 those things) that all you need to do is break the html over two lines and
 SA can't catch it, because rawbody can only work on one line at a time.

Just to cancel the misinformation a bit.  SA *can* catch any of this
stuff, it just may not be as easy as writing a RE rule.  It's also worth
noting that rawbody works differently in 3.2 so writing RE rules for
this stuff will be possible/easier when it's released.

-- 
Randomly Generated Tagline:
If you take the plunge, return it by Tuesday.
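Added example (not from the thread and not SpamAssassin's own code) that exercises the three points made above: Philip's status-bar rule, Kelson's note that the HTML attribute name is case-insensitive while the JavaScript inside it is not, and Loren's observation that a single-line rawbody match misses a tag split over two lines. The pattern below is a Python re-expression of the idea, not the rule as SA would compile it, and all the link markup samples are constructed.

```python
import re

# Philip's rule re-expressed as a Python regex. The scoped (?i:...) group makes
# the HTML part case-insensitive (attribute names can be written in any case),
# while window.status outside the group stays lower case because the attribute
# value is JavaScript and JavaScript is case-sensitive.
STATUS_HIJACK_RE = re.compile(
    r'(?i:<a\s+href=[^>]*?\s(?:onmouseover|onmousemove))\s*=\s*["\']?window\.status\s*='
)

# Constructed samples of link markup
ONE_LINE = ('<a href="http://evil.example/login" '
            'onMouseOver="window.status=\'https://www.bank.example\'; return true">Log in</a>')
UPPER_HTML = ('<A HREF="http://evil.example/login" '
              'ONMOUSEOVER="window.status=\'https://www.bank.example\'; return true">Log in</A>')
# Wrong-case JavaScript would not actually rewrite the status bar, so it need not match
WRONG_CASE_JS = '<a href="http://evil.example/" onmouseover="Window.Status=\'x\'">x</a>'
# The same tag as ONE_LINE, broken across two lines
SPLIT_LINES = ('<a href="http://evil.example/login"\n'
               'onMouseOver="window.status=\'https://www.bank.example\'; return true">Log in</a>')
BENIGN = '<a href="https://www.bank.example/">Log in</a>'

SAMPLES = {
    "one_line": ONE_LINE,
    "upper_html": UPPER_HTML,
    "wrong_case_js": WRONG_CASE_JS,
    "split_lines": SPLIT_LINES,
    "benign": BENIGN,
}


def matches_line_by_line(html):
    """Emulate a rawbody rule that only ever sees one line at a time."""
    return any(STATUS_HIJACK_RE.search(line) is not None for line in html.splitlines())


def matches_whole_body(html):
    """Run the same pattern over the complete body, so a tag split across
    lines is still seen as one tag ([^>]*? and \\s both span the newline)."""
    return STATUS_HIJACK_RE.search(html) is not None


def evaluate(samples):
    """Return {name: (line_by_line_hit, whole_body_hit)} for each sample."""
    return {name: (matches_line_by_line(html), matches_whole_body(html))
            for name, html in samples.items()}


if __name__ == "__main__":
    for name, result in evaluate(SAMPLES).items():
        print(f"{name:14s} line-by-line={result[0]!s:5s} whole-body={result[1]}")
```

The `split_lines` sample is the one Loren describes: the per-line scan returns no hit, the whole-body scan does, which is why a rule for this needs to run over more than one line of the raw body.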

