Friday, January 09, 2009

Insulating Skilled Phishers

Read a story this morning about the supposed shrinking (and presumably non-renewable?) resource of phishable dollars, aka the Tragedy of the Phishing Commons. Just a thought I had while reading it. Phishing is stupendously easy, so the field will attract lots of unskilled entry-level phishers. While this is a detriment to the professionals (someone phished by a dumb phisher may be less likely to fall for a smart one later), this field of less-skilled phishers is also more likely to get caught, which itself gives two benefits to the smart criminals.

First, law enforcement has finite resources and is almost always driven by bust statistics, so if agencies hit their quota with easy targets, the hard targets will remain in the field longer.

Second, the professional phishers who stay in the game longer will get better at it. At the same time, law enforcement, through its success at busting dumb phishers, will get better at busting the same kind of dumb phisher over and over again, further insulating the pros.

So, phishing can be seen in the same light as, say, drug dealing -- cops will tend to spend most of their time taking the least skilled players off the street, while the kingpin types remain to operate relatively unimpeded.

All speculation, of course, but I watched The Wire, so I'm confident in my ability to comment intelligently on police procedure. :)


Monday, September 29, 2008

Clickjacking (Maybe? Sort of?) Speculation

Late last week, I wrote a couple of blog posts speculating about RSnake and Jeremiah Grossman's canceled OWASP talk. After a couple of thousand page views, I figure I ought to mention it here. The first post is about evading pop-up blockers through click trickery; the second is a postulation of what the "Clickjacking" problem really is.

To put it simply, human eyeballs don't adhere to the same-origin policy.

I've been spending the morning experimenting some more, and I'm pretty certain now that these techniques can be used to create some very convincing phishing sites.

At any rate, it would appear that sites can protect themselves with a frame-busting snippet on every page that has a remotely useful form. Requiring code like this to be duplicated all over the place is ugly, of course. Practically, though, it's not a whole lot different from the ubiquitous browser-detection snippets that litter the Internet.
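The frame-busting check described above, written out as an added example (this is not the post's code, and the function names, the host comparison and the fake window objects are my own assumptions). The real page would inline the one-liner in the comment; the functions exist so the decision logic can be exercised against hand-built window objects:

```javascript
// Added example (not the post's code): the frame-busting check the post refers to,
// factored into functions so the decision logic can be tested with fake windows.

// True when this document is embedded in a frame owned by a different origin.
// A same-origin parent lets us read top.location; a cross-origin parent throws a
// SecurityError on the read, which is itself proof that a foreign page framed us.
function framedByForeignOrigin(win) {
  if (win.top === win.self) {
    return false;            // top-level document: nothing to do
  }
  try {
    return win.top.location.host !== win.self.location.host;
  } catch (e) {
    return true;             // cross-origin read denied => foreign framer
  }
}

// Navigate the top-level browsing context to our own URL, replacing the framer.
// Assigning top.location is allowed cross-origin even though reading it is not.
// Returns true if a navigation was triggered.
function bustFrame(win) {
  if (!framedByForeignOrigin(win)) {
    return false;
  }
  win.top.location = win.self.location.href;
  return true;
}

// Equivalent inline form for a real page (assumed shape of the "snippet"):
//   <script>if (top !== self) { top.location = self.location; }</script>

// Run immediately when loaded in a browser; harmless under Node.
if (typeof window !== 'undefined') {
  bustFrame(window);
}
```

Two caveats a practitioner will want, both developments after this post was written: a hostile parent page can neutralize script-based busters (for instance by framing the target with scripting disabled through the HTML5 iframe sandbox attribute, or by interfering with the navigation), and browsers later added server-side controls that do not depend on script at all, the X-Frame-Options response header and the Content-Security-Policy frame-ancestors directive. The snippet remains useful as defense in depth for old clients.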


Thursday, March 15, 2007

Nginx HTTP server, possibly a criminal indicator?

Just as using Linux doesn't automatically make you a criminal, I doubt that using Nginx (pronounced "Engine-X") is itself a criminal act. But is it an indicator?

I noticed it today as part of a light analysis of a real-world exploit of the overlong RTSP link bug in QuickTime. Nginx is a lightweight HTTP server that is now associated with at least one case of network crime, having served up a fairly fresh exploit.

Again, most phishing sites today run on Apache with PHP, and most phishing login pages contain phrases like "FDIC Insured" and "All Rights Reserved" and have a login form with a password input field. Taken separately, none of these indicators makes a site a phishing site. Taken together, they are a strong indication of crime.

So I'm wondering: has anyone else run into Nginx doing evil? I'm curious what the evil:good ratio is in the real world, and whether it's something defenders, auditors, or LEOs can use to help profile potentially malicious sites.
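To make the "taken together" argument concrete, here is an added example of a toy profiler that scores the weak indicators listed above over a simplified HTTP response. It is not the post's code; the weights, the threshold and the three sample responses are constructed assumptions, not measured evil:good ratios:

```javascript
// Added example (not the post's code): combine weak phishing-page indicators into
// one score. Weights, threshold and samples are assumptions for illustration.

// Case-insensitive header lookup over a { name: value } object.
function header(resp, name) {
  const key = Object.keys(resp.headers).find(k => k.toLowerCase() === name);
  return key ? String(resp.headers[key]) : '';
}

// Each indicator: a name, an assumed weight, and a predicate over a response
// shaped as { host, headers: { name: value }, body: string }.
const INDICATORS = [
  { name: 'server:nginx',      weight: 1, test: r => /nginx/i.test(header(r, 'server')) },
  { name: 'server:apache',     weight: 1, test: r => /apache/i.test(header(r, 'server')) },
  { name: 'powered-by:php',    weight: 1, test: r => /php/i.test(header(r, 'x-powered-by')) },
  { name: 'text:fdic-insured', weight: 1, test: r => /FDIC\s+Insured/i.test(r.body) },
  { name: 'text:all-rights',   weight: 1, test: r => /All\s+Rights\s+Reserved/i.test(r.body) },
  // A password field is the strongest single content signal, so it weighs more.
  { name: 'form:password',     weight: 2,
    test: r => /<input[^>]*type\s*=\s*["']?password/i.test(r.body) },
];
const THRESHOLD = 4; // assumed cut-off

// Returns the indicator names that fired, the summed weight, and the verdict.
function profile(resp) {
  const hits = INDICATORS.filter(ind => ind.test(resp));
  const score = hits.reduce((sum, ind) => sum + ind.weight, 0);
  return { hits: hits.map(ind => ind.name), score, suspicious: score >= THRESHOLD };
}

// Constructed sample responses (not captured from any real site).
const SAMPLE_RESPONSES = {
  // Phishing-style page: nginx + PHP + bank boilerplate + password field.
  phish: {
    host: 'secure-login.example',
    headers: { Server: 'nginx/0.5.35', 'X-Powered-By': 'PHP/5.2.1' },
    body: '<html><body><h1>Member Login</h1><form method="post" action="login.php">' +
          '<input type="text" name="user"><input type="password" name="pass">' +
          '</form><p>FDIC Insured. All Rights Reserved.</p></body></html>',
  },
  // Ordinary site that merely happens to run nginx.
  blog: {
    host: 'blog.example',
    headers: { Server: 'nginx/0.5.35' },
    body: '<html><body><p>Some thoughts on web servers.</p>' +
          '<p>All Rights Reserved.</p></body></html>',
  },
  // The real bank's own login page carries the same content indicators.
  realBank: {
    host: 'bank.example',
    headers: { Server: 'Apache/2.2.4' },
    body: '<html><body><form><input type="password" name="pin"></form>' +
          '<p>FDIC Insured. All Rights Reserved.</p></body></html>',
  },
};

function profileSamples() {
  const out = {};
  for (const [name, resp] of Object.entries(SAMPLE_RESPONSES)) {
    out[name] = profile(resp);
  }
  return out;
}
```

The third sample is the point: the real bank's login page scores as "suspicious" too, because every content indicator here describes what a bank login page looks like, not what a phishing page looks like. Content scoring like this only discriminates once it is paired with an out-of-band check that the host is not one the brand actually owns, and a server-software indicator such as nginx only carries weight while its base rate among legitimate sites is low, which is the ratio the post is asking about.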


Sunday, February 11, 2007

Paypal Introduces Security Fob

Strikingly similar to the RSA SecurID, PayPal has rolled out its own two-factor authentication (2FA) dongle, the PayPal Security Key.

While it's easy to dismiss one-time-code key fobs as susceptible to man-in-the-middle attacks (a phishing site that relays the code to PayPal in real time still gets in), I do think that if this device were required on all accounts, it would significantly impact the effectiveness of traditional phishing scams, which harvest credentials now and use them later -- assuming the attacker is actually going for PayPal account access.

Trouble is, the Security Key is a) optional and b) not free, which will surely limit its rollout significantly. Maybe VeriSign (the manufacturer of the fob) will have a fantastically better marketing plan than RSA did, and actually get more than 5% of PayPal users to adopt it.

The other problem is that there are plenty of PayPal-targeted phishing sites that really don't care about your PayPal login information -- they're just riding on the trust of the PayPal brand to collect things like credit card numbers, secondary banking information, and identity information. So they really won't care whether you give a correct or incorrect security code.

All that said, it is nice to see PayPal deploying a real possession-based second factor, rather than the "ask me for more passwords" 2FA schemes that other financial sites have deployed to comply with U.S. regulatory requirements. I just don't think 2FA, generally, is particularly effective at solving the problem of phishing. I suppose it's better than nothing, though.
