lists.openwall.net - Open Source and information security mailing list archives
Date: Wed, 27 Apr 2005 21:01:27 -0400 (EDT)
From: "J. Oquendo" <root@...lrouted.us>
To: incidents@...urityfocus.com, bugtraq@...urityfocus.com
Subject: Re: Re: Discovering and Stopping Phishing/Scam Attacks

I sent a rant on about this same sort of topic revolving around an incident with Hushmail where they MISLED their users. Thought the list would find some humor/insight in it. Original email from Hush can be seen at:

http://lists.jammed.com/ISN/2005/04/0103.html

---------- Forwarded message ----------

On Tue, 26 Apr 2005, xxxxxxxxxxxxxxxxxxxxxxx wrote:

> There was no unauthorized access to any of the Hush servers. Data
> managed by Hush was not compromised. During this period, however,
> some users were unable to log in to their email accounts, and email
> sent to Hushmail Business domains may not have been delivered.

Such a misleading statement from Hushmail when all one has to do is consider the following...

Attacker redirects users to a complete mimic of the Hushmail website. All that would be necessary to compromise Hushmail users' information would be a form that would take a username and password and store it to a file for later use. Talk about phishing!

Imagine the scenario of someone mimicking, let's say, Citibank to the wire. Attacker redirects users for, say, 4 hours. That's a hell of a lot of time to capture data for later use, wouldn't you think? I sometimes ponder how long it would be before, let's say, a rogue company pops up out of the blue and performs an attack like this, let's say once per month for about an hour. Takes a year to capture data, then, say, files for bankruptcy because they managed to get enough information to do whatever they'd like with that information.

SCENARIO: SampleSales.com, which is a small ISP, pops up and for one hour per month for one year captures data for sites like, say, Amazon, Ebay, Citigroup, etc. SampleSales.com closes shop, never to be heard of again...

One year later, based on the traffic going to these sites, SampleSales.com was able to phish out about 100,000 records. What could they do with this? Well, they could card their sleazy little lives away to oblivion ordering things to resell on Ebay, they could sell information on the people ala identity theft, they could blackmail cheating scumbag spouses who, say, called escort agencies and things of that sleazy nature... Hell, the possibilities are endless.

For Hushmail to mislead their users by saying nothing was compromised is rather misleading considering Hushmail has no idea of what exactly happened other than DNS poisoning. For them to make a public statement showing the IP addresses of their machines as if it makes a difference, as if people are actually going to say, "Gee Mable, is this really Hushmail, let me do an nslookup first Ma!" is bananas. Even if someone did, imagine that DNS poison combined with some silly little worm that did some moronic:

Ala Wintrash

    echo "HUSHMAILS.IP.ADDRESS BOGUS.ADDRESS.COM" >> C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS

Ala Pwnix

    echo "GOOD.IP BAD.IP" >> /etc/hosts

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x0D99C05C
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0D99C05C
sil @ infiltrated . net
http://www.infiltrated.net

"How a man plays the game shows something of his character - how he loses shows all" - Mr. Luckey
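An added example, not part of the mail above or of Hushmail's own tooling: a small audit that parses a hosts file and flags any monitored hostname pinned to an address outside a published set, the check an nslookup does not perform because nslookup queries DNS and never reads the local hosts file. The sample hosts content and the "published" address list are constructed for the example.

```python
import ipaddress

# Constructed hosts-file content of the shape the mail describes: a benign
# file with one appended line that pins a mail provider's name to an
# unexpected address. Names and addresses are made up (documentation ranges).
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1   localhost
::1         localhost ip6-localhost
192.0.2.10  intranet.example.com intranet   # local alias, not monitored
198.51.100.7   mail.example.org www.example.org
"""

# Assumed published (trusted) addresses for the names we care about.
PUBLISHED = {
    "mail.example.org": {"203.0.113.5", "203.0.113.6"},
    "www.example.org": {"203.0.113.5"},
}


def parse_hosts(text):
    """Return (address, hostname) pairs from hosts-file text.

    Strips comments, ignores blank and malformed lines, and expands each
    line's aliases into one pair per name (names lower-cased for matching).
    """
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address; skip the line
        for name in fields[1:]:
            pairs.append((str(addr), name.lower()))
    return pairs


def find_overrides(text, published):
    """Return entries that map a monitored name to an unpublished address."""
    findings = []
    for addr, name in parse_hosts(text):
        if name in published and addr not in published[name]:
            findings.append({"name": name, "hosts_addr": addr,
                             "expected": sorted(published[name])})
    return findings


if __name__ == "__main__":
    for f in find_overrides(SAMPLE_HOSTS, PUBLISHED):
        print(f"ALERT: {f['name']} -> {f['hosts_addr']} "
              f"(published: {', '.join(f['expected'])})")
```

On a real host, read the platform's hosts file (/etc/hosts or the Windows drivers\etc\hosts path quoted in the mail) into `text` instead of the constructed sample.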