EmailDiscussions.com  

Old 19th October 2005, 10:01 AM   #1
robmueller
Intergalactic Postmaster
 
Join Date: Oct 2001
Location: Melbourne, Australia
Posts: 6,098

Representative of:
Fastmail.FM
New evil phishing scheme

I just came across a new, very evil phishing scheme. Basically it's like all the usual ones, but it uses a special trick to try and make things look legitimate. Basically it:

1. Creates a form which POSTs to its evil site
2. Puts an <a> link in the form that does point to ebay
3. Puts a button within the <a> link which has an image that looks like a URL

The tricky thing about this is that because of the <a> link, when you hover over the image that looks like a URL, it correctly displays the ebay URL in the status bar, but when you click on it, you're actually submitting a form back to the evil site which can now take over.

Now it appears that this doesn't work in Firefox: the <a> overrides the button and sends you to the right place. However, I'm betting that in IE (though I don't want to try it) the button overrides the <a> tag, sending you to the evil site.

I've now updated the FastMail phishing filter to catch this type of phishing attempt and disable it as well.

Rob

Code:
<FORM target="_blank" action="http://posta.hgg.com.tr/data/.www.ebay.com">
<a href="https://signin.ebay.com/ws/eBayISAPI.dll?SignIn">
<INPUT style="BORDER-RIGHT: 0pt;
BORDER-TOP: 0pt; FONT-SIZE: 10pt; BORDER-LEFT: 0pt; CURSOR:
hand; COLOR:
blue; BORDER-BOTTOM: 0pt; BACKGROUND-COLOR: transparent;
TEXT-DECORATION: underline" type=submit
value=https://secure.ebay.com/eBayISAPI.dll?action=verify&id=00626654&user=> </a>
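A defender-side check for the trick described in this post, added here as an example; it is not part of the original post and not FastMail's filter code. It uses Python's standard-library HTMLParser and flags a submit control that sits inside an <a> whose href host differs from the enclosing form's action host, or whose visible value is itself a URL on a third host (hover shows one site, the click submits to another). The sample markup is constructed after the snippet above, with a placeholder host in place of the real form action; the benign sample is constructed too.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the snippet quoted in the post above; the
# form's action host is a placeholder, not the real one from the thread.
PHISH_SAMPLE = """<form target="_blank" action="http://attacker.example/data/.www.ebay.com">
<a href="https://signin.ebay.com/ws/eBayISAPI.dll?SignIn">
<input type="submit"
       style="border:0; background-color:transparent; color:blue; text-decoration:underline"
       value="https://secure.ebay.com/eBayISAPI.dll?action=verify&amp;id=PLACEHOLDER">
</a>
</form>"""

# Constructed benign sample: a submit inside an anchor is odd but harmless
# when the link and the form both go to the same site.
BENIGN_SAMPLE = """<form action="https://signin.ebay.com/ws/eBayISAPI.dll">
<a href="https://signin.ebay.com/help"><input type="submit" value="Sign in"></a>
</form>"""


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none (relative/empty)."""
    return (urlparse(url.strip()).hostname or "").lower()


class NestedSubmitFinder(HTMLParser):
    """Flags submit controls nested inside an <a> whose href host differs
    from the enclosing <form>'s action host."""

    def __init__(self):
        super().__init__()
        self.form_action = None   # action of the open <form>, if any
        self.anchor_href = None   # href of the open <a>, if any
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag/attribute names; valueless attrs are None.
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_action = a.get("action", "")
        elif tag == "a":
            self.anchor_href = a.get("href", "")
        elif tag in ("input", "button"):
            self._check_control(tag, a)

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None
        elif tag == "a":
            self.anchor_href = None

    def _check_control(self, tag, a):
        # Only a control inside both a form and an anchor can pull the trick.
        if self.form_action is None or self.anchor_href is None:
            return
        # <button> submits by default; <input> only for type=submit/image.
        kind = a.get("type", "submit" if tag == "button" else "").lower()
        if kind not in ("submit", "image"):
            return
        action_host = host_of(self.form_action)
        link_host = host_of(self.anchor_href)
        value = a.get("value", "")
        # A button label that itself looks like a URL is the disguise.
        is_url = value.lower().startswith(("http://", "https://"))
        label_host = host_of(value) if is_url else ""
        if action_host != link_host or (label_host and label_host != action_host):
            self.findings.append({
                "form_action_host": action_host,
                "link_host": link_host,
                "label_host": label_host,
                "line": self.getpos()[0],
            })


def find_nested_submits(html):
    """Return a list of findings for the given HTML; empty means nothing suspicious."""
    parser = NestedSubmitFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, find_nested_submits(sample))
```

This is the kind of check a web-mail renderer can run before handing HTML to the browser, where a flagged form can simply be disabled. An <a> without any href inside a form yields an empty link host and will also be flagged, which is a conservative choice for mail but worth knowing when tuning for false positives.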
Old 19th October 2005, 10:43 AM   #2
Sherry
 Moderator 
 
Join Date: Dec 2002
Location: USA
Posts: 8,686
Rob, (or anyone who may know)

For those of us who get our email with POP3 or IMAP, will we see any warning about the phishing attempts in the email we receive in the client, or is this just for those using the web?

Sherry
Old 19th October 2005, 10:45 AM   #3
robmueller
Intergalactic Postmaster
 
Join Date: Oct 2001
Location: Melbourne, Australia
Posts: 6,098

Representative of:
Fastmail.FM
It's just through the web at the moment (and likely to be for the foreseeable future I'm afraid). The main problem is false positives. What if you munge an email incorrectly? There's no easy way to get back the original once it's been modified. In the web interface, it's just modified what's sent to the browser, so it's easy to just disable if it's wrong.

Rob
Old 19th October 2005, 10:54 AM   #4
Sherry
 Moderator 
 
Join Date: Dec 2002
Location: USA
Posts: 8,686
Hmmm, since you're going through the trouble of examining these emails anyway, is there a chance you could just put (possible phishing) in the subject, or some code word we would know, without modifying the whole email? If it's a legit mail, I wouldn't think the warning would need to be undone because it would just mean to watch out?

Sherry
Old 19th October 2005, 03:44 PM   #5
anj
Master of the @
 
Join Date: Jan 2003
Location: California
Posts: 1,147
I like Sherry's suggestion.
Old 19th October 2005, 08:18 PM   #6
wibbly
Essential Contributor
 
Join Date: Mar 2003
Location: UK
Posts: 213
Ultimately replicate the spam system with a "phishing score" and similar headers and user controls/options?

J
Old 19th October 2005, 10:05 PM   #7
JRobert
Master of the @
 
Join Date: Feb 2004
Location: New Hampshire, USA
Posts: 1,562
Quote:
Originally posted by wibbly
Ultimately replicate the spam system with a "phishing score" and similar headers and user controls/options?

J
Better! "X-Phish: Yes" is easy to filter on and doesn't mess up anything in case it's false.

-jeff-
Old 19th October 2005, 11:43 PM   #8
wibbly
Essential Contributor
 
Join Date: Mar 2003
Location: UK
Posts: 213
Are X-Phish like X-Men, but have special swimming powers?

Sorry, I couldn't resist....

J
Old 20th October 2005, 12:02 AM   #9
mlevin
Cornerstone of the Community
 
Join Date: Oct 2001
Location: Somerville, MA, USA
Posts: 656
Quote:
Originally posted by robmueller
It's just through the web at the moment (and likely to be for the foreseeable future I'm afraid). The main problem is false positives. What if you munge an email incorrectly? There's no easy way to get back the original once it's been modified. In the web interface, it's just modified what's sent to the browser, so it's easy to just disable if it's wrong.

Rob
I hope "for the foreseeable future" == forever. Please don't ever modify the permanent copy of my actual email. Modifying things on-the-fly when displayed in the browser is OK, but if I get my email via POP or IMAP, please give it to me the way it was received. Or at least make that a per-user option. Please let me be responsible for clicking or not clicking links...

That said, adding a new header indicating that suspicious links were found is fine with me -- that way I could set my mail reader to check for this and filter the messages in some way (highlight them, flag them, move them to a different folder, etc.).
Old 20th October 2005, 12:24 AM   #10
wibbly
Essential Contributor
 
Join Date: Mar 2003
Location: UK
Posts: 213
At the risk of repeating myself, all this functionality is already in place for spam. I can, at my option, refile, rewrite headers, even auto-delete spam if I really want to. I don't even need to go near a SIEVE script. It's all there on the Spam/Virus Protection page.

I vote that Phishing is a special case of (rather aggressive) spam, and the same tools and options need to be made available. Not an alternate/different approach.

In the short term, I think simply "faking" Phishing mails as spam with a suitably high x-spam rating/score would work well, draw my attention to it, yet enable me to read it if I wanted.

Next step would be to allow me to weigh (increase score of) Phishing mails (like I can weigh downwards the score of mails from people in my address book).

Then, maybe a special section for X-Phish manipulation...

J

Last edited by wibbly : 20th October 2005 at 12:56 AM.
Old 20th October 2005, 02:07 AM   #11
trew
Cornerstone of the Community
 
Join Date: Dec 2004
Location: Sweden
Posts: 835
Is it possible to set the options so all HTML emails are shown in plain text?

Wouldn't that make it less vulnerable to such phishing?

We have a lot of warnings for these here in Sweden too.

Big banks here, but fortunately the Swedish looked so amateurish that only two persons trusted them, so they lost much money, but most people realized something was very wrong and didn't respond to them.

Next time they'll buy somebody good at Swedish, I'm sure.

So plain text will solve many things. Cost less on mobile GPRS too.

Trew

Last edited by trew : 9th November 2005 at 03:00 AM.
Old 20th October 2005, 02:51 AM   #12
honus
Member
 
Join Date: Feb 2004
Posts: 73
Quote:
Originally posted by wibbly

In the short term, I think simply "faking" Phishing mails as spam with a suitably high x-spam rating/score would work well, draw my attention to it, yet enable me to read it if I wanted.
I vote against this. There are way too many false positives. I have set up rules to file emails and discard emails based on the x-spam score because, due to past performance, I expect the system to behave a certain way. If an x-spam score of 10 no longer just means "it got a spam score of 10" but now means "it got a spam score of 10 OR it was a phishing mail", then I can no longer filter based on spam score.
Old 20th October 2005, 03:20 AM   #13
anj
Master of the @
 
Join Date: Jan 2003
Location: California
Posts: 1,147
I agree with honus. The X-phishing header would be very useful, with no harm done. It may even be a useful distinction in some email clients without requiring special rules -- the current Thunderbird beta release has a "scam" warning system which is distinct from the junk mail flagging system. I am not sure how they are identifying this, and mostly they have been wrong so far, but certainly an x-phishing or x-scam header would be useful.
Old 20th October 2005, 03:58 AM   #14
Sherry
 Moderator 
 
Join Date: Dec 2002
Location: USA
Posts: 8,686
I also agree with using X-phishing in the header (instead of changing the subject line); then I could put a rule in OE to move anything with that in the header to a special folder. Then, before clicking on a link, I would know that the link is not going to the name in the link and would double check on the destination before clicking, or just not click at all.

I love the way that FM protects me from getting a virus by not even letting OE have the email. Since FM already checks my mail for phishing then I would love how they would protect me with a warning (X-Phishing) also.

Sherry
Old 20th October 2005, 06:09 AM   #15
mlevin
Cornerstone of the Community
 
Join Date: Oct 2001
Location: Somerville, MA, USA
Posts: 656
Quote:
Originally posted by Sherry
I also agree with using X-phishing in the header (instead of changing the subject line); then I could put a rule in OE to move anything with that in the header to a special folder. Then, before clicking on a link, I would know that the link is not going to the name in the link and would double check on the destination before clicking, or just not click at all.

I love the way that FM protects me from getting a virus by not even letting OE have the email. Since FM already checks my mail for phishing then I would love how they would protect me with a warning (X-Phishing) also.

Sherry
I think it is a great idea as long as it can be turned on or off on a per-user basis. I don't want to be protected from myself. Maybe I'm in the minority here, but I just want my raw email the way it was received and I'll deal with it appropriately on my end.
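The header-only approach that posts #7, #10, #12 and #15 converge on (a separate X-Phish header, the spam score left with its own meaning, and the stored message otherwise untouched), as an added Python example that is not FastMail's code and not from any poster. add_phish_header shows the server side, which prepends exactly one header line to the raw bytes; route shows a client-side rule of the kind an OE filter or Sieve script would express, filing on that header independently of the spam score. The sample message is constructed, the X-Phish header name comes from post #7, and the X-Spam-score header name is an assumption.

```python
import email
from email import policy

# Constructed sample message (not from the thread): a low spam score and a
# link whose text names one host while its href points at another.
RAW_MESSAGE = (
    b"From: service@bank.example\r\n"
    b"To: user@example.test\r\n"
    b"Subject: Please verify your account\r\n"
    b"X-Spam-score: 2.1\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"\r\n"
    b"<html><body><a href=\"http://attacker.example/\">secure.bank.example</a>"
    b"</body></html>\r\n"
)


def split_message(raw):
    """Split raw message bytes into (header block, separator, body) without
    parsing, so nothing gets re-folded or re-encoded."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        if sep in raw:
            head, body = raw.split(sep, 1)
            return head, sep, body
    return raw, b"", b""


def add_phish_header(raw, value=b"Yes"):
    """Server-side step: prepend an X-Phish header (assumed name, from the
    thread) and leave every other byte as it arrived, so a POP3/IMAP client
    receives the original message plus one extra header line."""
    head, sep, body = split_message(raw)
    newline = b"\r\n" if sep.startswith(b"\r\n") else b"\n"
    return b"X-Phish: " + value + newline + head + sep + body


def route(raw, spam_threshold=5.0):
    """Client-side rule: the X-Phish header decides on its own, and the
    X-Spam-score header (assumed name) keeps its ordinary meaning."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if (msg.get("X-Phish") or "").strip().lower() == "yes":
        return "Phishing"
    try:
        score = float(msg.get("X-Spam-score") or 0.0)
    except ValueError:
        score = 0.0   # malformed score header: treat as unscored
    if score >= spam_threshold:
        return "Spam"
    return "Inbox"


if __name__ == "__main__":
    tagged = add_phish_header(RAW_MESSAGE)
    print(route(RAW_MESSAGE), "->", route(tagged))
    print("body unchanged:", split_message(tagged)[2] == split_message(RAW_MESSAGE)[2])
```

Because the server side only prepends a header, stripping that one line gives back the message exactly as received, which is the property mlevin asks for; and because route never folds the phishing verdict into the spam score, honus's existing score-based rules keep working unchanged.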
All times are GMT +9. The time now is 12:39 PM.

 
