How Not to Protect Your Customers from Phishing

When we talk about security awareness, we sometimes say that a certain company “does not get it”. It’s hard to define how we measure that and what makes us say that a certain company does or does not “get it” (or even what “it” is) – we just know, just like you can tell which mp3 players suck or which jokes are funny but you can’t always say why.

Many security experts will agree that companies that “don’t get it” fail time after time in trivial security matters, whereas companies with high security awareness will only rarely screw up.

The Bank of America was on my list of companies who ‘got’ what security really is. From the first time I signed up to the service, I noticed they did not fall into the Security by Obstruction trap. Signing up was easy; I got to select my own username and password, which meant I didn’t need to write either one down (finally an online bank that understands brute force attacks should be blocked on the server side and not by forcing the client to choose an impossible password). In fact, it’s the only password or PIN that I don’t have 3-4 copies of in all my electronic and physical wallets.



Internet Security Operations and Intelligence II

isoi 2 is finalized. the schedule and agenda can be found here:

i am going to do my best to release some of these presentations publicly after the event (if the authors agree), but it is not likely.

some public feedback will be relayed from the workshop.

gadi evron,


Phishing vulnerability reported at American Express site

The most important thing first:

The researcher Andrea Giuliani, a 16-year-old geek from Italy, has contacted the credit card giant about the flaw.

The problem is that intl_ads_redirect.jsp enables redirecting outside of the American Express domain too (!), i.e. .jsp?location=

Link to Andrea’s Italian-language blog entry:

More information and sample links here:

Yeah, an Italian entry again, but it will help you.

No need to say that the second example uses location=%68%74%74%70%3A%2F%2F…

I have confirmed by phone and e-mail on Monday that AMEX is aware.
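The flaw above is an open redirect: a parameter meant to point at a page on the bank’s own site is accepted even when it points elsewhere, and the percent-encoded form (%68%74%74%70 is just “http”) shows how a check done on the raw parameter string is sidestepped. The following is an added example, not American Express code, of how such a parameter should be validated: decode first, parse the result as a URL, and compare the host against an allowlist. The allowed hostnames and the weak check it is contrasted with are assumptions constructed for the example.

```python
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Hosts a redirect may land on (constructed allowlist; assumed, not taken from the site)
ALLOWED_HOSTS = {"www.americanexpress.com", "americanexpress.com"}
DEFAULT_ORIGIN = "https://www.americanexpress.com"


def weak_is_safe(location: str) -> bool:
    """Constructed example of a check done on the raw string: it rejects values that
    start with 'http', so a percent-encoded scheme slips straight through."""
    return "americanexpress.com" in location or not location.lower().startswith("http")


def _fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable, so double-encoded values are seen in their final form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_redirect_target(location: str) -> Optional[str]:
    """Return an absolute URL on an allowed host, or None if the redirect must be refused."""
    decoded = _fully_decode(location)
    if "\\" in decoded:                      # browsers may treat backslashes as slashes
        return None
    parsed = urlparse(decoded)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return None                          # javascript:, data:, ... are never redirect targets
    if parsed.netloc:
        # hostname strips userinfo and port, so "allowed.host@evil" resolves to "evil"
        host = (parsed.hostname or "").lower()
        return decoded if host in ALLOWED_HOSTS else None
    if not decoded.startswith("/") or decoded.startswith("//"):
        return None                          # only site-local absolute paths; no scheme-relative forms
    return DEFAULT_ORIGIN + decoded


def target_from_query(query_string: str) -> Optional[str]:
    """Pull the location parameter out of a query string and validate it."""
    values = parse_qs(query_string).get("location", [])
    return safe_redirect_target(values[0]) if values else None


if __name__ == "__main__":
    # Constructed sample inputs; evil.example is a placeholder host
    for sample in ["/rewards",
                   "https://www.americanexpress.com/rewards",
                   "%68%74%74%70%3A%2F%2Fevil.example/",
                   "//evil.example/"]:
        print(f"{sample!r:50} weak={weak_is_safe(sample)!s:5} safe={safe_redirect_target(sample)}")
```

The point of `_fully_decode` is that the comparison is made on what the browser will actually follow, not on the bytes as they arrived; the allowlist then makes the decision about the host explicit instead of relying on what the string happens to start with.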


CyLab report: An Evaluation of Anti-Phishing Toolbars

Carnegie Mellon University’s CyLab has released a new study entitled “Phinding Phish: An Evaluation of Anti-Phishing Toolbars”.

The 20-page PDF document is located here:

The products tested included the SpoofGuard, EarthLink, Google, Netcraft, Cloudmark, TrustWatch, eBay and McAfee SiteAdvisor toolbars, as well as the IE7 and Netscape 8 browsers.


Defeating Image-Based Virtual Keyboards and Phishing Banks

recently, i stumbled upon which nicely showed how a trojan horse can, using keystroke capture and screenshot capture, grab a user’s pin fairly easily, and wondered why they take this approach when the pins can be easily retrieved by sniffing the data sent by the user to the banking site, even though they are “encrypted”.

image-based keyboards (or virtual keyboards) were invented to make life harder for banking or phishing trojan horses (specifically key-stroke loggers or key loggers); some even suggested they be used specifically to avoid these trojan horses. the bad guys adapted to this technology and escalated: now the trojan horses take screenshots of where the mouse pointer is to determine what number was clicked on. thing is, it is often unnecessary, as most implementations of this technique that we looked into (meaning not all) were flawed.

instead of sending the remote image and waiting for the key-stroke information to be sent back to the server (the technique against which the on-click pointer-location screenshots described above are used), some banks send the pin in cleartext, while others encrypt it; one such example is cajamurcia. even when encryption is used, banks tend to implement it badly, making it easy to recover the pin from the encrypted form.

i investigated a bit more into how cajamurcia handles such pin strokes (with virtual keyboards) and i noticed something strange: they take the timestamp of their server (cajamurcia) and send it to you – this already poses a security problem – and this timestamp is then used to encrypt the pin you entered.

this would have been a good idea if the timestamp was not sent back to the server, making it hard or semi-hard to guess the timestamp used to encrypt the data, but at the same time making it harder for the server to know what timestamp was provided to the client (unless they store it inside their session information). anyhow, as it is sent back to the server, we have everything we need to decrypt the data (pin).


a request to the server would look like:
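To make the design problem described above concrete, here is an added example (not cajamurcia’s request or code; the cipher is a toy digit-shift scheme constructed for the example). It builds a login request in which the server-supplied timestamp travels alongside the encrypted pin, shows the review check a practitioner would apply, namely whether the request alone contains everything needed to recover the pin, and contrasts it with the fix the post hints at: keeping the per-login value in server session state so the client only ever sends the ciphertext. The `PinServer` class, its session handling and the sample pins are all assumptions.

```python
import hashlib
import secrets
from typing import Dict, List, Optional


def _shifts(key_material: str, n: int) -> List[int]:
    """Toy key derivation (constructed): n digit shifts taken from a hash of the key material."""
    digest = hashlib.sha256(key_material.encode()).hexdigest()
    return [int(digest[i % len(digest)], 16) % 10 for i in range(n)]


def toy_encrypt_pin(pin: str, key_material: str) -> str:
    """Toy cipher standing in for the bank's: each pin digit is shifted by a key-derived digit."""
    return "".join(str((int(d) + s) % 10) for d, s in zip(pin, _shifts(key_material, len(pin))))


def toy_decrypt_pin(enc: str, key_material: str) -> str:
    """Inverse of toy_encrypt_pin."""
    return "".join(str((int(d) - s) % 10) for d, s in zip(enc, _shifts(key_material, len(enc))))


def build_flawed_request(pin: str, server_timestamp: str) -> Dict[str, str]:
    """The design the post describes: the server's timestamp is echoed back next to the ciphertext."""
    return {"ts": server_timestamp, "pin_enc": toy_encrypt_pin(pin, server_timestamp)}


def recover_pin_from_request(request: Dict[str, str]) -> Optional[str]:
    """Review check: does the request carry its own key material?
    Returns the pin when it does (anyone who can read the request can do this), else None."""
    if "ts" in request and "pin_enc" in request:
        return toy_decrypt_pin(request["pin_enc"], request["ts"])
    return None


class PinServer:
    """Hypothetical hardened variant: the per-login nonce is stored in server session state
    and never appears in the login request. enrolled_pins is constructed sample data."""

    def __init__(self, enrolled_pins: Dict[str, str]):
        self._pins = enrolled_pins
        self._pending: Dict[str, str] = {}

    def issue_challenge(self, session_id: str) -> str:
        """Hand the client a fresh nonce and remember it for this session only."""
        nonce = secrets.token_hex(16)
        self._pending[session_id] = nonce
        return nonce

    def verify(self, session_id: str, pin_enc: str) -> bool:
        """Look the nonce up server-side; each nonce is single-use."""
        nonce = self._pending.pop(session_id, None)
        if nonce is None:
            return False
        expected = self._pins.get(session_id, "")
        return secrets.compare_digest(toy_decrypt_pin(pin_enc, nonce), expected)


if __name__ == "__main__":
    flawed = build_flawed_request("4711", "1161000000")          # constructed pin and timestamp
    print("flawed request:", flawed, "-> pin recoverable:", recover_pin_from_request(flawed))

    server = PinServer({"sess-1": "4711"})
    nonce = server.issue_challenge("sess-1")
    hardened = {"session": "sess-1", "pin_enc": toy_encrypt_pin("4711", nonce)}
    print("hardened request:", hardened, "-> pin recoverable:", recover_pin_from_request(hardened))
    print("server verifies:", server.verify("sess-1", hardened["pin_enc"]))
```

The hardened variant only removes the key material from the login request; the nonce still reaches the client in the server’s earlier response, which is why the post calls the guessing “hard or semi-hard” rather than impossible. Whatever scheme the virtual keyboard uses, its ciphertext must not be accompanied by the value it was keyed on.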


P2P as a new spam medium, moving from PoC to full operations

spam on p2p networks used to be mainly advertising inside downloaded movies and pictures (mainly pornographic in nature), as well as viruses and other malware hidden in downloaded warez and most any other file type (from zip archives to movie files). further, p2p networks were in the past used for address harvesting by spammers.
today, p2p has become a direct-to-customer spamvertizing medium. this has been an ongoing change for a while. as we speak, it is moving from a proof of concept trial to a full spread of spam, day in, day out.
the idea is not new, but now it is becoming serious.

some choice picks:
ebook – googlecash – make money using google (learn to use affiliate programs to make easy money).pdf [i've been made aware this one is a real, yet pirated, book. call it a false positive]
us banks acounts information [dir]
how to create an automated ebay money machine.pdf
easy chair millionaire review.pdf
press equalizer review – flood your site with targeted traffic, achieve top rankings and gain dozens or more backlinks.pdf
top home based jobs [dir]

and so on. these are just some of the scams now being pushed over p2p.

we discussed this before; it started with fake books on the subject of online marketing, and now it has gone all the way to spammers/phishers/”affiliate programs”/spyware (or in other words online fraud related organized crime groups) looking for new ways and mediums by which to reach their target audience, with email becoming more and more scrutinized and filtered.


Webattacker exposed

websense has done some amazing work, and posted a blog entry on webattacker.

highly recommended.

gadi evron,


P2P: “work from home” mule recruitment and Citibank scam

hi guys, as you know, i follow p2p very closely, and see many marketing and opt-out scams.

the latest one is these two texts. i think it’s pretty neat that the bad guys seed p2p like this!


top 10 home based jobs – genuine opportunities
i. surveys2 (more…)


Real life uses for vulnerabilities: [funsec] Haxdoor: UK Police Count 8,500 Victims in Data Theft (So Far)

as can be seen in the quoted message below –

so, here we go. real-life uses for vulnerabilities.

below is an example of just one “drop-zone” server in the united states, which has “600 financial companies and banks”.

several gigs of data.

how do these things work?


Firefox 2.0 with phishing detection arrived

Firefox version 2.0 is officially out now.

Mozilla Foundation has introduced a new Phishing Protection page at the same time:

Firefox 2 contains a built-in Phishing Protection feature that warns you of suspected Web forgeries, and offers to take you directly to a search page so you can find the real Web site you were looking for. You can test the Phishing Protection feature by browsing to this test site.

The Known Vulnerabilities in Mozilla Products page will likely be updated shortly too.

It appears that most of the localized builds are available.

Update 26th Oct: There were no security fixes included this time.


Money Mule Recruitment Over IM

how many times have you received an email offering “work from home” or 75k a year? these are money mule recruitment emails.

a money mule is much like a drug mule. the mule facilitates the transfer of the money as a middle-man. if, say, an eastern european mobster wants to get the money he stole from a bank account in the us by means of phishing, he’d have to somehow transfer that money.

the money mule would get the money, keep a small percentage and send the rest via the anonymous western union, laundering it.

today was the first time we observed a money mule recruitment happening on instant messaging.

be careful about what you believe, no matter if via email, the phone or im.

gadi evron,


ISOI II – a DA Workshop (announcement and CFP)

the second internet security operations and intelligence (isoi) da workshop will take place on the 25th and 26th of january, 2007. it will be hosted by the microsoft corporation, in redmond wa. an after-party dinner will be hosted by trendmicro.

this workshop’s main topic is botmaster operational tactics – the use of vulnerabilities and 0day exploits in the wild (by spyware, phishing and botnet operations for their businesses).
secondary subjects include ddos, phishing and general botnet subjects.


Wikipedia Abused in a Nigerian Scam [updated]

apparently, this guy spammed himself and referred to a wikipedia article he created to give himself credibility.

cute! :)

phishing by wikipedia? the admins will probably notice this soon and remove it, but if this becomes as common-place as comment spam has, i am not sure they can handle the overhead. this is about money, and the bad guys make a lot.

it’s also possible this is a joe job on someone real.

the entry in wikipedia appears to be about a real person related to organized crime. i wonder why he of all people was chosen to be used in this scam?

hello dear friend!!!
vladimir ivanov (vladimir ivanov)
today 18:11:52


setSlice() exploitation in the wild – MASSIVE

exploit code is available:

sans diary:

and this is so massively exploited, it makes vml look cute. there’s a rootkit, some other malware, and haxdoor! (a phishing trojan horse)

thanks to roger thompson at for first reporting it.


Identities Lost in Phishing

i just opened this discussion on the phishing mailing list. you are all invited to join in.

as i often comment, it is funny to me (not really but hold on) when people scream about this or that organization losing a laptop with 20k identities. what’s 20k?

obviously that is important, and speaks volumes of corporate security and of privacy issues. still, it is insignificant in a laughable fashion when compared to what’s being stolen daily online.

every day, millions of online identities and website credentials are lost. millions. every day. (more…)


Passwords people use on MySpace from a phishing site

this is from /. today. the author happened upon a phishing site with an open directory index. he proceeded to find the phisher’s database, where he analyzed passwords that were there for myspace.

although somewhat problematic statistically, his results are very interesting:

gadi evron,