Archive for the ‘phishing’ Tag

Safari users victims of phishing

Tuesday, March 4th, 2008

PayPal to Safari users: ‘Ditch it’
While current browser share estimates for Apple’s Safari web browser hover somewhere in the 4.5 percent range, Safari is attracting some unwanted attention from PayPal, the eBay-owned payment company. PayPal is urging its users to ditch Safari and instead use alternative browsers such as Internet Explorer 7, IE 8, Firefox 2, Firefox 3, or even Opera.

This, I feel, is unfair to Safari. The problem here is not that the browser is particularly insecure, but that it lacks the capability to check URLs against phishing databases. That is not a core function of a browser, in my opinion, but it is an important one. Camino, another Mozilla-based browser for the Mac, also has this problem. Switching to Firefox or Opera is the preferred way to handle this problem.

You could also, if you know what you are doing, update the DNS settings in your network config to use OpenDNS. When your browser reaches out to find the IP of a URL, OpenDNS checks the hostname against its database of phishing sites. This should work in most cases, except where the host in the link is given as an IP address: the browser won't do a DNS lookup in that case, so the filter never sees it. Even if you are using Firefox or another browser that provides phishing protection, I still think you should use OpenDNS as your primary DNS. There are a host of benefits to doing this: the phishing protection I mentioned, blocking of porn and adult sites (if you like), and faster DNS lookups, which will improve your overall web experience.
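To see which links a DNS-level filter like OpenDNS can and cannot catch, here is an added example (my own illustration for this post, not OpenDNS's or any browser's code) that classifies the host of a link the way a browser's URL parser does. It goes beyond the plain dotted-decimal case mentioned above: browsers also accept shortened, octal, hex and single-integer IPv4 forms, and a familiar name before an @ sign is a username, not the host. The sample links, and the names phish.example and evil.example, are constructed.

```javascript
// Added example, not OpenDNS's or any browser's code: classify the host part of
// a link to show which links a DNS-based phishing filter can see. Such a filter
// only acts when the browser resolves a hostname, so a link whose host is an IP
// literal (in any form the browser accepts) never reaches it.

// Decode one dotted part the way browser URL parsers do: "0x.." is hex, a
// leading zero means octal, anything else is decimal. Null if not numeric.
function parseIPv4Part(part) {
  if (/^0[xX][0-9a-fA-F]*$/.test(part)) return part.length === 2 ? 0 : parseInt(part.slice(2), 16);
  if (/^0[0-7]+$/.test(part)) return parseInt(part, 8);
  if (/^[0-9]+$/.test(part)) return parseInt(part, 10);
  return null;
}

// If `host` is an IPv4 literal in any accepted form (dotted decimal, the short
// "127.1", octal "0177.0.0.1", hex "0x7f000001" or a single 32-bit integer
// "2130706433"), return it in plain dotted decimal; otherwise return null.
function ipv4FromHost(host) {
  const parts = host.split('.');
  if (parts.length === 0 || parts.length > 4 || parts.some(p => p === '')) return null;
  const nums = parts.map(parseIPv4Part);
  if (nums.some(n => n === null)) return null;
  const head = nums.slice(0, -1);
  const last = nums[nums.length - 1];
  const tailBytes = 4 - head.length;             // bytes the last part must fill
  if (head.some(n => n > 255) || last >= 256 ** tailBytes) return null;
  let value = 0;
  for (const n of head) value = value * 256 + n;
  value = value * 256 ** tailBytes + last;
  return [24, 16, 8, 0].map(shift => (value >>> shift) & 255).join('.');
}

// Classify the host the browser will actually contact. `dnsChecked` is true
// only for names, which the resolver (and so the filter) gets to see.
function classifyUrlHost(link) {
  let url;
  try {
    url = new URL(link);
  } catch (err) {
    return { kind: 'invalid', host: null, dnsChecked: false };
  }
  const host = url.hostname;                     // any "user@" part is already stripped
  if (host.startsWith('[') || host.includes(':')) return { kind: 'ipv6', host, dnsChecked: false };
  const v4 = ipv4FromHost(host);
  if (v4 !== null) return { kind: 'ipv4', host: v4, dnsChecked: false };
  return { kind: 'name', host, dnsChecked: true };
}

// Constructed sample links: one genuine-looking name, the rest the kind of
// thing a phishing mail carries.
const SAMPLE_LINKS = [
  'https://www.paypal.com/cgi-bin/webscr',
  'http://www.paypal.com@evil.example/login',   // browser goes to evil.example
  'http://192.0.2.10/paypal/login',
  'http://0x7f000001/',
  'http://2130706433/',
  'http://0177.0.0.1/',
  'http://[2001:db8::1]/paypal/',
];

// The links a DNS filter never gets a chance to block.
function unfilteredLinks(links) {
  return links.filter(l => !classifyUrlHost(l).dnsChecked);
}

for (const link of SAMPLE_LINKS) {
  const r = classifyUrlHost(link);
  console.log(`${r.dnsChecked ? 'checked ' : 'bypassed'}  ${r.kind.padEnd(5)}  ${r.host}  <- ${link}`);
}
```

Five of the seven sample links never touch the resolver, which is the blind spot the post mentions; the @-sign link does get resolved, but to evil.example, not to PayPal, so the filter's verdict depends entirely on whether evil.example is already in its database.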

Phishers are getting smarter

Thursday, January 11th, 2007

RSA Security - Press Release - RSA Alert: New Universal Man-in-the-Middle Phishing Kit Discovered
BEDFORD, Mass, Wednesday, January 10, 2007 — RSA, The Security Division of EMC, (NYSE: EMC) announced today that its 24×7 Anti-Fraud Command Center (AFCC) has uncovered a new phishing kit being sold and used online by fraudsters.

This new kit, a Universal Man-in-the-Middle Phishing Kit, is designed to facilitate new and sophisticated attacks against global organizations in which the victims communicate with a legitimate web site via a fraudulent URL set by the fraudster. This allows the fraudster to capture victims’ personal information in real-time.

Whoa! This hacker is impressed. Even though phishers are becoming more sophisticated, you should remember that in order for a phisher to get you, you must access HIS fraudulent site. As long as you don’t do that, he can’t get you. A while back I posted some tips to keep you safe from phishers. They still work.

Netcraft: Fraudsters Defeat Two-Factor Authentication

Monday, July 17th, 2006

Netcraft is reporting an ongoing phishing attack against Citibank customers that use Two Factor Authentication. You have to admire the elegance of the attack. The article does a good job of describing the attack, so I won’t do it here. But I will add that the most successful data security breaches focus on the weakest part of any security system … the human element. Phishing is no different. Here are some tips to keep you safe from phishing:

  1. Be wary of emails that ask you to update user information. Legitimate financial sites, like banks and credit card companies, have disaster recovery plans. Information is backed up daily and shipped off site for safe keeping. They will NEVER have to ask you to update information because of “computer failure.” It is unheard of in the industry these days. In fact it is against eBay’s policy to even send such a message. So when you receive such an email purporting to be from eBay or PayPal, simply forward it to spoof@ebay.com or spoof@paypal.com respectively and then delete it.
  2. Don’t click on links in emails to websites where sensitive info is stored. That is exactly how phishing is accomplished. Instead, bookmark the sites where sensitive personal data or finances are stored, like your bank, credit card, and PayPal accounts, for easy access.
  3. Download and install the Netcraft Security Toolbar. It displays a risk rating for every website you visit and warns you when you try to access a suspected phishing site.

PayPal Security Flaw reported at Netcraft

Tuesday, June 20th, 2006

Netcraft: PayPal Security Flaw allows Identity Theft
A security flaw in the PayPal web site is being actively exploited by fraudsters to steal credit card numbers and other personal information belonging to PayPal users. The issue was reported to Netcraft today via our anti-phishing toolbar.

The scam works quite convincingly, by tricking users into accessing a URL hosted on the genuine PayPal web site. The URL uses SSL to encrypt information transmitted to and from the site, and a valid 256-bit SSL certificate is presented to confirm that the site does indeed belong to PayPal; however, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique (XSS).

PayPal has fixed the flaw that allowed the exploit. This type of exploit is called a Cross-Site Scripting (XSS) attack. The link leads to a very technical page, but what it boils down to is this: a web application takes user-supplied input without URL-decoding it and validating the decoded form (a check run on the still-encoded text is easily fooled). If it is not properly decoded and validated, the input could be malicious. The app then uses that potentially malicious data to build another web page. A fraudster then finds some way to trick you into accessing this new page, usually through phishing: sending a fraudulent email made to appear as if it is coming from a site you normally do business with, like PayPal or a bank. The injected script can then redirect your web browser to the fraudster’s own site (if you are not paying attention), usually designed to look like the site you wanted to access, where you would enter your user name, password, or any other personal info he can trick you into entering.
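Here is an added example of the defect just described, side by side with the fix. It is my own illustration, not PayPal’s code and not the page Netcraft reported: a request handler that reflects a query parameter into HTML. renderUnsafe drops the decoded parameter straight into the page; renderSafe decodes it, then escapes it for the HTML context before building the page. The host www.example.test, the parameter name msg, phish.example and the payload are all made up.

```javascript
// Added example, not PayPal's code: a page that reflects a query parameter.
// renderUnsafe has the XSS defect described in the post; renderSafe is the
// same page with the parameter escaped for the HTML text context.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of HTML text or attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Extract the `msg` query parameter. URLSearchParams percent-decodes it once,
// so the value checked and rendered below is the form the browser will see.
function getMessageParam(requestUrl) {
  return new URL(requestUrl).searchParams.get('msg') || '';
}

// Vulnerable: the decoded parameter is interpolated as markup.
function renderUnsafe(requestUrl) {
  return `<html><body><p class="notice">${getMessageParam(requestUrl)}</p></body></html>`;
}

// Hardened: identical page, but the parameter is escaped first.
function renderSafe(requestUrl) {
  return `<html><body><p class="notice">${escapeHtml(getMessageParam(requestUrl))}</p></body></html>`;
}

// Does the rendered page contain a script element the browser would run?
function containsScript(html) {
  return /<script\b/i.test(html);
}

// Constructed phishing link: a genuine-looking host with the fraudster's
// payload percent-encoded in the query. Once reflected unescaped, the script
// sends the browser to the fraudster's look-alike login page.
const PAYLOAD = '<script>location="http://phish.example/login"</script>';
const PHISHING_LINK = 'https://www.example.test/notice?msg=' + encodeURIComponent(PAYLOAD);

console.log('unsafe:', renderUnsafe(PHISHING_LINK));
console.log('safe:  ', renderSafe(PHISHING_LINK));
```

The escaping belongs at the point where the value is written into the page, because the same decoded string would need different treatment in a JavaScript block or a URL attribute; escaping for the HTML text context is the right fix for this particular page.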

Hackers of the World !! Unite !!!

Monday, June 6th, 2005

For the past couple of weeks Bob X has been talking about phishing; this week he poses a solution:

The simple way to kill phishing is by making it harder for the phisher to make money from it. Right now, a phisher sends out a million e-mails and gets back 100 replies that yield positive data. There is almost no effort involved in sending out the e-mails after the first one, and the quality of the return data is very high. No wonder this is such a popular business!

Let’s change that. If you get phishing e-mail, go to the web sites and enter false data. Make up everything — name, sign-on name, password, credit card numbers, everything. Instead of one million messages yielding 100 good replies, now the phisher will have one million messages yielding 100,000 replies of which 100 are good, but WHICH 100?

This technique kills phishing two ways. It certainly increases the phishing labor requirement by about 10,000X. But even more importantly, if banks and e-commerce sites limit the number of failed sign-on attempts from a single IP address to, say, 10 per day, theft as an outcome of phishing becomes close to impossible.

No bounties are required, no cops, no parallel webmail systems that force us to log-in to e-commerce sites when they tell us to. Phishing just becomes a very unprofitable business, which it should be.

Are you in?

If you ask me, that’s a bot waiting to be written.
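The other half of Bob X’s proposal is on the server side: the bank caps failed sign-on attempts per source address. Here is an added example of that cap (my own illustration, not Bob X’s or any bank’s code) with a replay of a small, constructed harvest of mostly bogus credentials against it. The account table, the address 203.0.113.7 and the harvested records are made up; the clock is passed in so a day can pass without waiting.

```javascript
// Added example, not Bob X's or any bank's code: a per-source-address cap on
// failed sign-on attempts within a rolling 24-hour window ("10 per day"), and
// a simulation of a phisher replaying a harvest of poisoned replies against it.

const DAY_MS = 24 * 60 * 60 * 1000;

class FailedLoginLimiter {
  constructor(limit = 10, windowMs = DAY_MS) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.failures = new Map();          // ip -> timestamps (ms) of recent failures
  }

  // Drop failures that have aged out of the window; return those still counted.
  prune(ip, now) {
    const kept = (this.failures.get(ip) || []).filter(t => now - t < this.windowMs);
    if (kept.length) this.failures.set(ip, kept); else this.failures.delete(ip);
    return kept;
  }

  // True once the address has used up its allowance of failures.
  isBlocked(ip, now) {
    return this.prune(ip, now).length >= this.limit;
  }

  // Handle one sign-on attempt. 'blocked' means it was refused before the
  // password was even checked, so a correct guess earns the attacker nothing.
  attempt(ip, credentialsValid, now) {
    if (this.isBlocked(ip, now)) return 'blocked';
    if (credentialsValid) return 'ok';
    const list = this.prune(ip, now);
    list.push(now);
    this.failures.set(ip, list);
    return 'failed';
  }
}

// Constructed account table standing in for the bank's real user store.
const ACCOUNTS = new Map([['alice', 'correct horse']]);

// Replay a harvest of (user, password) records from one address, one per
// `stepMs`, and tally what the bank's login endpoint answered.
function replayHarvest(limiter, ip, harvest, startMs, stepMs = 1000) {
  const tally = { ok: 0, failed: 0, blocked: 0 };
  harvest.forEach((rec, i) => {
    const valid = ACCOUNTS.get(rec.user) === rec.password;
    tally[limiter.attempt(ip, valid, startMs + i * stepMs)] += 1;
  });
  return tally;
}

// Constructed harvest: 24 made-up replies with one real credential buried near
// the end, a small-scale version of the 100-in-100,000 picture above.
const HARVEST = Array.from({ length: 25 }, (_, i) => ({ user: `user${i}`, password: `hunter${i}` }));
HARVEST[20] = { user: 'alice', password: 'correct horse' };

console.log('with cap:   ', replayHarvest(new FailedLoginLimiter(), '203.0.113.7', HARVEST, 0));
console.log('without cap:', replayHarvest(new FailedLoginLimiter(Infinity), '203.0.113.7', HARVEST, 0));
```

With the cap in place the phisher burns the ten allowed failures on bogus records and the one real credential is refused unseen; without it the real one gets through on the 21st try. The cap keys on source address, so it is only as strong as the attacker’s inability to spread attempts across many addresses, and blocked attempts should be logged because a burst of them from one address is itself a signal worth acting on.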