Open Source and information security mailing list archives
Date: Thu Jun 29 01:14:38 2006
From: michaelslists at gmail.com (mikeiscool)
Subject: Are consumers being misled by "phishing"?

On 6/29/06, n3td3v <n3td3v@...il.com> wrote:
> I believe the industry coined up "phishing" to make more money out of
> social engineering. It's obvious now that both are overlapping. Only
> the other day Gadi Evron was trying to coin up a phrase for "voice
> phishing". Why can't we cut to the chase and drop the (ph)rases and
> call it straightforward SOCIAL ENGINEERING.
>
> I believe your average single mom and retired couple will easily
> become confused if we keep throwing new catch phrase buzzwords at
> them. If we could just call it social engineering, then the world
> would be a less confusing place for the average social engineering
> victim.
>
> When Yahoo had "paydirect" (an online bank in partnership with HSBC,
> which was later dropped by Yahoo!) there was an exploit for obtaining
> account information you wanted from any Yahoo Account. So hundreds of
> script kids had this exploit which was released by hackers in the
> localised Yahoo security community. The technique was to get the
> account information via the web-based exploit in the Yahoo Paydirect
> service, then phone up Yahoo Customer Care and give them the account
> information, and hey ho, customer care sends you a new password.
> Around a hundred script kids were phoning customer care. I alerted
> Yahoo to what was going on, but Yahoo Customer Care didn't stop accepting
> partial Yahoo account info in exchange for a new password. It was to
> be one of the biggest compromises of Yahoo accounts. Yahoo didn't fix
> the bug straight away, so it led to hundreds of accounts being
> compromised and never recovered. After this incident, and still to
> this day Yahoo Customer Care are easily socially engineered via the
> telephone if you offer them partial yahoo account information.
> (shocking)
>
> Point being, web-to-voice social engineering has been around forever,
> just a few smart guys are trying to coin a phrase, which is only going
> to confuse the mess that is "phishing". The name phishing should never
> have been coined, and I warn the industry not to add on any more
> variants to the phishing term, which is in all means just social
> engineering.
>
> Phishing was a big mistake by the industry, now the last thing we need
> is "voice phishing" or any other (ph)rases...
> See comments section of:
> http://www.digg.com/security/Say_Hello_to_voice_phishing_2

but calling it something different allows gadi to add another item on
his list of things to complain about. we all know there are only three
security issues: bugs, design faults, and social engineering. let the
idiots have their terms, there is nothing you can do about it.

-- mic
