Date: Wed, 30 Jul 2008 21:27:45 +1200
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: simple phishing fix

lsi wrote:

> Thank you all for your comments.  However, I cannot disagree more 
> fully.

Ignorance does that for people...

> It doesn't matter that the blacklist is not complete, if a scammer 
> tries to phish a bank that's not on the list, eg. is not popular, he 
> won't make much money, because it's a small bank and the probability 
> of him hitting an email address which works, and is an address of a 
> customer of that tiny bank, and the customer gets suckered, and all 
> other security mechanisms fail, is very small.

So, the spammer just sends _A LOT MORE_ phishing spam targeting that 
bank.

There are US credit unions with only a few tens of thousands of customers 
that have been targets of (LARGE) phishing campaigns.  The phishers in at 
least some of those cases got several, to several dozen, known victims 
and helped themselves to the contents of their accounts, in the few hours 
between the beginning of the spam run and the CU becoming aware of it and 
disabling their online banking interface.  Those few successful targets 
were more than reward enough...

And I once got a phishing scam Email for a small US bank that only had 
_two_ physical branches according to the real bank's website (and no, 
they weren't a large "mostly online" bank but an old-style, small-town, 
bricks-and-mortar operation).

Oh -- and those were _BEFORE_ some of the much more highly targeted, and 
thus _MUCH_ smaller phishing spam runs we have seen more recently.

As you do not understand how these folk work, what a triflingly small 
successful victim rate they have to hit for their effort to be 
worthwhile, and so on, you are going to keep making the dumb-ass n00b 
mistakes in your reasoning that we've been seeing from you for the last 
few days.

Phishing still exists _BECAUSE_ it is a hard problem to solve.

Not because those who know how it works are lazy.

Not because those who know how it works are stupid.

Not because some, or even many, of those who know how it works are 
employed by companies that a conspiracy theorist will ignorantly argue 
have a vested interest in NOT solving the problem.

No -- phishing still exists _BECAUSE it is a hard problem to solve_.

If widely implemented, your trivial suggestions might, _just might_, ever 
so slightly reduce the total world-wide cost of bank losses due to 
phishing.

But they would do so at a significantly greater cost in the effort 
required to implement your suggestions across the planet than they would 
save.  Yes, the banks will spend a lot of money failing to entirely stamp 
out phishing, BUT they generally try to spend that money in ways that at 
least have some pay-off in terms of reassuring their customers that they 
are doing something to help...

So, can you guess why your suggestions have not already been implemented?

> The scammer knows this and so he targets the popular banks.

Nope -- the scammers target pretty much any and every bank they can be 
bothered targeting.  Yes -- the pre-packaged scams centre on the bigger 
targets, but those are probably not the bigger scammers in terms of 
actual impact -- I mean, a skiddie too stupid to know or be able to work 
out that the "free" phishing kits (that he has just downloaded off a more 
or less open web site) are backdoored and also sending his phished data 
to someone else is not going to be a major figure in the underworld scam 
scene...

And as further evidence of the breadth of opportunity scammers are 
prepared to deploy/employ, just this afternoon I uncovered a single 
phishing site hosting eleven different UK-only banks involving close to 
1.5MB of phishing site code, images, scripts, etc, etc to fake the eleven 
target banks' sites.

> Therefore, the blacklist only needs to contain popular banks.  
> However there is almost no penalty to add another 500 to the list, 
> it's a simple filter, it's fast.
> 
> I do agree that the more banks on the list, the better, but there are 
> not millions of banks in the world, it's not a problem to list all 
> the major banks, and many of the smaller banks as well.

Off you go then -- list 10% of the bank domains by this time tomorrow...

> As the blacklist is deployed, the average revenue per mail (ARPM) 
> will fall.  The more it is deployed, the more the ARPM will fall.  
> The ARPM does not need to hit zero.  As soon as the ARPM falls below 
> the average cost to send each mail, phishing will be economically 
> unviable.  

As virtually all (phishing) spam is sent by "criminal gangs" using their 
own bot-nets effectively for free, your simple view of the economics of 
this fails rather badly.

History has a lesson for us here -- as the amount of spam-filtering in 
use increased, so did the amount of spam being sent.  If your economics 
argument had any validity that should not be the case, but what happened 
is that the spammers and associated scammers coalesced _AND_ changed how 
they sent the vast bulk of their spam.  Now, sending spam is essentially 
free for sufficiently "big fish" in the underground spam community.

> Eg. it might still be technically feasible, however it will no longer 
> be profitable to be a phisher.

It will be profitable until (virtually) no-one _EVER_ responds to _ANY_ spam.

> Repeat, phish do not need to be completely eliminated.  Once they are 
> reduced below a certain level, it will become economically infeasible 
> to be a phisher.  The invisible hand [1] will do the rest of the work 
> for us.

I know of a nice bridge you may be interested in buying...

> Other bits:
> 
> I agree that by opening a hole in your phish firewall (eg. permitting 
> traffic from the Bank of Foo) you are making yourself slightly less 
> protected, however if a user has a blacklist where he has to 
> specifically ALLOW traffic from a certain bank that user will be well 
> aware that he has opened a hole in his phish wall and will be 
> extremely attentive when he actually gets a mail.  (I'm appalled that 

You really have no f*&ing clue how "ordinary users'" tiny little brains 
work, have you???

> some banks actually use email, how cheap are they?  If my bank did 
> that, I'd complain, and consider changing banks.)  As with a real 
> firewall, it's not a total solution, but one layer of several.

Your "solution" will only help people who don't need it.  It will leave 
the low-hanging fruit just as numerous and just as close to ground...

> The blacklist catches variations, of course the common variations are 
> listed as well,  ...

Oh, so we need some additional infrastructure to make this a dynamically 
(self)-updating blacklist mechanism.

That works across all manner of Email clients.

Maybe someone should productize this -- oh, wait...

> ... again, every combination is not required, because the 
> probabilities of failure rapidly stack up once the scammers start to 
> get too imaginative with their variations (eg. they will have to use 
> more and more obscure variations, which will trick less and less 
> users).  I hear unicode will make life interesting, I'm looking 
> forward to some samples.

Wrong again.

It's the low-hanging fruit thing.

More than enough users are gullible enough to click on URLs in Email 
claiming to be from PayPal, say, that clearly come from gmail.com, say, 
addresses, _and then fill in all their identity details at, say, 
http://1.2.3.4/gotcha.htm

Those folk will still be just as readily targeted by all the phish that 
totally evade your silly little scheme, _JUST AS THEY ARE NOW_.

If you don't understand the problem -- and you clearly don't -- I doubt 
you're going to come up with (even a small part of) "the solution".

> Blacklists do work.  They are successfully used in many applications, 
> the Spamhaus blocklist, the denyhosts SSH tool and desktop AV 
> software all spring to mind.  Blacklists don't work *when the content 
> they are checking is polymorphic*.  Phish, by definition are NOT 
> polymorphic.  We are talking banks here, they do not change their 
> names very often.

As already explained, you're attributing far too much nous to the 
typical victim of the phish we're already seeing today...

> I think that is an important point.  The problem space is a lot 
> smaller once you start working with a finite list of domainnames.  A 
> blacklist is feasible in these circumstances.

It's the infinite set of domain names (and simple IP-only phishing spam 
and websites) completely unrelated to your view of the apparently 
desirable phishing target domains' names that cause most of the problems 
_NOW_.

How does your plan address them?

Oh, that's right -- you don't understand that they are bulk of the 
problem set, so they're not even considered for consideration...

> I agree my list is small, you'll note however it contains most of the 
> biggest banks,  I didn't choose them, they self-selected, by being 
> sent to me.  That's why they are the biggest banks, because the 
> scammers target those banks.  There's obviously no reason why the 
> list could not contain every large bank in the world.  I could maybe 
> hunt down some stats to add banks I don't get phished for, but that 
> would just slow down my filter!  If others were to use it they'd want 
> to customise it.  Because the blacklist is on the client machine, the 
> user is free to add banks they get hammered with, and free to remove 
> banks they want to correspond with.

_IF_ we could depend on the end users to do this updating, we wouldn't 
have a phishing problem.

Your failure to understand the nature of the problem undermines your 
solution again...

> Don't forget that "achovia." can be listed, to catch wachovia.com, 
> vvachovia.com, vvachovia.co.uk etc.

But not WA(HOVIA.COM, nor WACH0VIA.COM, nor WACHOVIA.C0M, nor 
WACHOV1A.COM nor WACHO\/IA.COM, etc, etc.  How many permutations are 
there?  For this one domain name?

Hmmmm...

> Think about it, most people have no need to accept mail from every 
> bank in the world.  That is accept ALL. Using the blacklist means 
> they are now denying all bank traffic. (OK, denying all on the list, 
> I agree that it's not a complete deny all, because we cannot know the 
> names of all banks in advance.  I do regret confusing the discussion 
> by mentioning DENY ALL, I was hoping to explain my analogy to a 
> firewall, eg., it blocks everything by default and then lets in what 
> you tell it to let in, I do accept that unlike a real firewall it can 
> be got around by using an unlisted name, it's really DENY MOST.)
> 
> > "(x) Mailing lists and other legitimate email uses would be affected
> 
> Irrelevant.  They are affected already. They are the victims of 
> spoofing.  It's either block their mails, or users suffer the spoofs. 
> Given that suffering the spoofs means bank-originated mails are 
> useless in any case, that means the only available course of action 
> is to deny all bank email traffic.
> 
> > my Bayesian filter gets these anyway
> 
> My spam filter misses some, hence my post, however following this 
> comment I have checked my config and the Bayesian plugin is disabled 
> ;)  Thank you for the suggestion.
> 
> [1] http://en.wikipedia.org/wiki/Invisible_hand

Yawn...


Regards,

Nick FitzGerald


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
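An added example, not part of the original post and not lsi's filter or anything Nick proposed, illustrating the two evasions the reply raises: look-alike characters walking around a fixed substring such as "achovia.", and bare-IP URLs that contain no bank name for a domain blacklist to match. The substitution table, the blacklist entry and the URLs are constructed for illustration; the confusable-folding comparison is one approach added here, not something either party suggested.

```python
# Added example (not from the original post): why a fixed substring such as
# "achovia." is easy to walk around with look-alike characters, and what a
# filter has to do instead. The substitution table, the blacklist entry and
# the sample URLs are constructed for illustration.
from itertools import product
from urllib.parse import urlsplit
import ipaddress

# Look-alike substitutions a phisher can apply to each character. Constructed
# from the spellings in the thread (WACH0VIA, WACHOV1A, WACHO\/IA, vvachovia)
# plus a couple of common ones; the canonical character is listed first.
CONFUSABLES = {
    "a": ["a", "4", "@"],
    "c": ["c", "("],
    "o": ["o", "0"],
    "v": ["v", "\\/"],
    "i": ["i", "1", "l"],
    "w": ["w", "vv"],
}

# The substring blacklist proposed in the thread, as a list so more can be added.
BLACKLIST = ["achovia."]


def substring_blocked(domain):
    """The proposed filter: block if any blacklist entry appears verbatim."""
    domain = domain.lower()
    return any(entry in domain for entry in BLACKLIST)


def variants(domain):
    """Every spelling of `domain` reachable by swapping look-alike characters."""
    choices = [CONFUSABLES.get(ch, [ch]) for ch in domain.lower()]
    for combo in product(*choices):
        yield "".join(combo)


def count_variants(domain):
    """Number of look-alike spellings, computed without enumerating them."""
    total = 1
    for ch in domain.lower():
        total *= len(CONFUSABLES.get(ch, [ch]))
    return total


def count_blocked(domain):
    """How many of those spellings the substring blacklist actually catches."""
    return sum(1 for v in variants(domain) if substring_blocked(v))


# Reverse table: map each look-alike back to its canonical character, trying
# the multi-character sequences ("vv", "\/") before single characters.
FOLD = {look: canon for canon, looks in CONFUSABLES.items() for look in looks[1:]}
FOLD_KEYS = sorted(FOLD, key=len, reverse=True)


def fold(domain):
    """Normalise a domain by folding look-alikes back to canonical characters."""
    s = domain.lower()
    out, i = [], 0
    while i < len(s):
        for key in FOLD_KEYS:
            if s.startswith(key, i):
                out.append(FOLD[key])
                i += len(key)
                break
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def looks_like(candidate, target):
    """Compare after folding both sides, so the 'l' vs 'i' ambiguity cancels out."""
    return fold(candidate) == fold(target)


def is_ip_host(url):
    """A bare-IP URL (http://1.2.3.4/...) has no domain for a name blacklist to match."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    target = "wachovia.com"
    print(f"{count_variants(target)} look-alike spellings of {target}")
    print(f"{count_blocked(target)} of them contain the substring 'achovia.'")
    print(f"wach0via.com folds to {fold('wach0via.com')}")
    print(f"bare-IP URL: {is_ip_host('http://1.2.3.4/gotcha.htm')}")
```

With this small table alone, "wachovia.com" has 1728 look-alike spellings and the substring "achovia." catches 8 of them; every additional substitution multiplies the count. Folding both sides before comparing closes that gap, at the price that two legitimate domains differing only in confusable characters compare equal, and it still says nothing about a bare-IP URL or an unrelated domain, which is the part of the problem set the reply says the blacklist never considers.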
