Key-loggers the new phisherman's friend

Discussion in 'other security issues & news' started by spy1, May 6, 2005.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    http://www.vnunet.com/news/1162890

    "Phishing attacks are increasingly using key-loggers as another method to steal personal information, according to the Anti-Phishing Working Group (APWG).

    These attacks usually redirect users to a bogus website and record details once they are entered. But the past six months has seen a tenfold rise in the number of phishing sites hosting key-logging software which can be transferred to a user's PC via an improperly patched browser.

    "Phishing techniques are evolving in sophistication and complexity at a rapid pace," warned Mark Murtagh, technical director at Websense, a member of the APWG.

    "As awareness of phishing among web users has grown, fraudsters are using new attack methods in addition to fake websites.

    "One of the most common forms is where malicious code modifies host files and points end users to a fraudulent site despite them having typed the correct URL into their browser."

    At the end of last year there were only 10 phishing sites being found each week hosting such code, but by March this had risen to 100. Some web pages remained up for over a month, but the average time to take down a phishing site was 5.8 days.

    The move to key-loggers could reflect growing security awareness among consumers regarding online commerce.

    Banks have always told customers that they do not ask for personal information via email, and are working with police and the government on other ways to fix the problem."

    And - with SpyCop ( http://spycop.com/products.htm ) now supplemented by ProcessGuard ( http://www.diamondcs.com.au/processguard/ ) - I don't have to worry about this, either! Life is good. Pete
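
The quoted article mentions malicious code that modifies hosts files so that a correctly typed URL lands on a fraudulent site. A defender-side audit for that condition, as an added example that is not part of the original post or the article; the watched-domain set and the sample hosts file are constructed for illustration:

```python
import ipaddress

# Constructed sample data: domains whose resolution should never be pinned locally.
WATCHED = {"ebay.com", "paypal.com"}

# Constructed sample hosts file; 203.0.113.7 is a documentation-range address.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# 203.0.113.7 www.paypal.com   (commented out, ignored)
203.0.113.7 www.ebay.com signin.ebay.com   # injected entry
0.0.0.0     ads.tracker.example
10.0.0.5    intranet.example
"""


def audit_hosts(text, watched=WATCHED):
    """Return (line_no, address, name) for entries that pin a watched domain."""
    hits = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed line, not a mapping
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            # Match the domain itself or any subdomain, but not look-alike suffixes.
            if any(name == d or name.endswith("." + d) for d in watched):
                hits.append((line_no, str(addr), name))
    return hits


if __name__ == "__main__":
    for line_no, addr, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} is pinned to {addr}")
```

Any hit means the name bypasses DNS on that machine, so the address should be compared against what the domain really resolves to.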
     
  2. controler

    controler Guest

  3. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Well, I'm not really sure how you figure that, Bruce. With PG the way I run it (with "Block new and changed applications" check-marked and the program locked) - nothing "new" can be installed behind my back without warning.

    Remember, too - you're only vulnerable to what they're talking about to begin with if you're running "an improperly patched browser." (according to the article).

    So I guess I really don't understand what you mean by that particular comment. Pete
     
  4. Pollmaster

    Pollmaster Guest

  5. Pollmaster

    Pollmaster Guest

    I agree, I don't know what Bruce is smoking, but he's probably referring to the phishing tricks used by websites to fool the browser. No additional process beyond the browser runs, so PG doesn't help against that. Neither does Firefox actually unless you take care to change the defaults.
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    ? If so, then it looks like I've under-estimated the depth of the problem (and that Bruce is right, too).

    Guess I'd have to actually go to one of those types of sites and see what happens to know for sure. Pete
     
  7. controler

    controler Guest

    I am sorry for not being more clear again.

    Yes, I meant the ones you get in e-mail. They look legit.
    Once added to PhishGuard's database, PhishGuard won't allow your default browser to go to the site. GhostSurf does the same thing but I am not sure how big the database is they use. When you look at the list that shows up in the GUI, the list appears small. I contacted them about this but they aren't the speediest responders LOL

    With this type of phishing, PG, firewall, etc. won't matter. Of course we might not be tricked by these tactics but many others less educated on the issue do fall prey to phishing.

    But I still love Shadowuser :) & PG

    Bruce
     
  8. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Bruce - can one examine their database if you d/l the program? Or, if you can, could you simply send me a listing of the IP addresses being blocked? I'll give it a whirl here. Pete
     
  9. Pollmaster

    Pollmaster Guest

    PG is nice, but it's best to have some understanding of basic security issues, so you can understand what PG protects against and what it doesn't. Nothing is more dangerous than a false sense of security.

    In the past, lots of browser exploits, e.g. the IDN issue, JavaScript exploits etc., problems with 'race conditions', XSS exploits, all can mask the real domain name in the location bar and/or status bar. Most have been fixed, but not all.

    You can do some things to protect yourself, https://www.wilderssecurity.com/showthread.php?t=78859 but..........

    Even assuming all browser holes are plugged, a careless user can still be fooled if he doesn't know that www.ebay.evilsite.com is not owned by ebay, for instance.
     
  10. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Pollmaster - PM or email me some "live ones", would you? Pete
     
  11. Pollmaster

    Pollmaster Guest

    There are many more Bruce....

    Thunderbird has some built in protection for example.

    Then there is spoofstick and the much superior Stanford's spoofguard, Earthlink's Scamguard, and more.

    The better tools use both a database of reported phishing sites, coupled with dynamic heuristic analysis of the URL, to spot possible phishing/spoofing sites.
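
The two-layer check described in the posts above (a database of reported sites plus heuristic analysis of the URL, including the www.ebay.evilsite.com case), as an added example that is not part of the original thread or of any tool named in it. The brand table, reported-host set and short suffix list are constructed stand-ins; a real tool would load the full Public Suffix List.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# Constructed sample data: brands to watch and the domains they actually own.
BRANDS = {"ebay": {"ebay.com", "ebay.co.uk"}, "paypal": {"paypal.com"}}
# Constructed stand-in for a database of reported phishing hosts.
REPORTED_HOSTS = {"login.reported-phish.example"}


def registrable_domain(host):
    """Return the domain that was actually registered (simplified eTLD+1)."""
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def check_url(url):
    """Return a list of reasons the URL looks like phishing (empty = no finding)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    if host in REPORTED_HOSTS:                      # layer 1: reported-site database
        findings.append("reported")
    if parts.username is not None:                  # text before '@' is not the host
        findings.append("userinfo-before-host")
    try:
        ipaddress.ip_address(host)
        findings.append("raw-ip-host")
        return findings                             # no domain labels to inspect
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-label")           # IDN look-alike candidate
    owner = registrable_domain(host)
    for brand, owned in BRANDS.items():
        # Brand name appears somewhere in the host, but the owner is someone else.
        if brand in host and owner not in owned:
            findings.append(f"brand-lookalike:{brand}")
    return findings


if __name__ == "__main__":
    for u in ("http://www.ebay.evilsite.com/signin", "https://www.ebay.com/"):
        print(u, check_url(u))
```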
     
  12. controler

    controler Guest

    Yes, after googling I found a bunch

    Netcraft toolbar, AOL, G-Mail, etc.

    Spycatcher compares the actual site to the fake site, since most phishing scams usually only last 6 days.


    Bruce
     
  13. Pollmaster

    Pollmaster Guest
