Date: Thu Jun 29 01:14:38 2006
From: michaelslists at gmail.com (mikeiscool)
Subject: Are consumers being misled by "phishing"?

On 6/29/06, n3td3v <n3td3v@...il.com> wrote:
> I believe the industry coined up "phishing" to make more money out of
> social engineering. It's obvious now that both are overlapping. Only
> the other day Gadi Evron was trying to coin up a phrase for "voice
> phishing". Why can't we cut to the chase and drop the (ph)rases and
> call it straightforward SOCIAL ENGINEERING.
>
> I believe your average single mom and retired couple will easily
> become confused if we keep throwing new catch phrase buzzwords at
> them. If we could just call it social engineering, then the world
> would be a less confusing place for the average social engineering
> victim.
>
> When Yahoo had "paydirect" (an online bank in partnership with HSBC,
> which was later dropped by Yahoo!) there was an exploit for obtaining
> account information you wanted from any Yahoo Account. So hundreds of
> script kids had this exploit which was released by hackers in the
> localised Yahoo security community. The technique was to get the
> account information via the web-based exploit in the Yahoo Paydirect
> service, then phone up Yahoo Customer Care and give them the account
> information, and hey ho, customer care sends you a new password.
> Around a hundred script kids were phoning customer care. I alerted
> Yahoo what was going on, but Yahoo Customer Care didn't stop accepting
> partial Yahoo account info in exchange for a new password. It was to
> be one of the biggest compromises of Yahoo accounts. Yahoo didn't fix
> the bug straight away, so it led to hundreds of accounts being
> compromised and never recovered. After this incident, and still to
> this day Yahoo Customer Care are easily socially engineered via the
> telephone if you offer them partial Yahoo account information.
> (shocking)
>
> Point being, web-to-voice social engineering has been around forever,
> just a few smart guys are trying to coin a phrase, which is only going
> to confuse the mess that is "phishing". The name phishing should never
> have been coined, and I warn the industry not to add on any more
> variants to the phishing term, which is in all means just social
> engineering.
>
> Phishing was a big mistake by the industry, now the last thing we need
> is "voice phishing" or any other (ph)rases...
> See comments section of:
> http://www.digg.com/security/Say_Hello_to_voice_phishing_2

but calling it something different allows gadi to add another item on
his list of things to complain about.

we all know there are only three security issues: bugs, design faults,
and social engineering.

let the idiots have their terms, there is nothing you can do about it.

-- mic