Open Source and information security mailing list archives
Date: Thu Jun 29 01:02:08 2006
From: n3td3v at gmail.com (n3td3v)
Subject: Are consumers being misled by "phishing"?

I believe the industry coined up "phishing" to make more money out of
social engineering. It's obvious now that both are overlapping. Only
the other day Gadi Evron was trying to coin up a phrase for "voice
phishing". Why can't we cut to the chase and drop the (ph)rases and
call it straightforward SOCIAL ENGINEERING?

I believe your average single mom and retired couple will easily
become confused if we keep throwing new catch-phrase buzzwords at
them. If we could just call it social engineering, then the world
would be a less confusing place for the average social engineering
victim.

When Yahoo had "PayDirect" (an online bank in partnership with HSBC,
which was later dropped by Yahoo!) there was an exploit for obtaining
the account information you wanted from any Yahoo account. So hundreds
of script kids had this exploit, which was released by hackers in the
localised Yahoo security community. The technique was to get the
account information via the web-based exploit in the Yahoo PayDirect
service, then phone up Yahoo Customer Care and give them the account
information, and hey ho, Customer Care sends you a new password.
Around a hundred script kids were phoning Customer Care. I alerted
Yahoo to what was going on, but Yahoo Customer Care didn't stop
accepting partial Yahoo account info in exchange for a new password.
It was to be one of the biggest compromises of Yahoo accounts. Yahoo
didn't fix the bug straight away, so it led to hundreds of accounts
being compromised and never recovered. After this incident, and still
to this day, Yahoo Customer Care are easily socially engineered via
the telephone if you offer them partial Yahoo account information.
(shocking)

Point being, web-to-voice social engineering has been around forever;
just a few smart guys are trying to coin a phrase, which is only going
to confuse the mess that is "phishing". The name "phishing" should never
have been coined, and I warn the industry not to add on any more
variants to the phishing term, which is by all means just social
engineering.

Phishing was a big mistake by the industry, now the last thing we need
is "voice phishing" or any other (ph)rases...
See comments section of:
http://www.digg.com/security/Say_Hello_to_voice_phishing_2
