Mailing List Archive: SpamAssassin: users

why don't banks do more against phishing?



Jason_Haar at trimble

Apr 22, 2012, 7:40 PM

Post #1 of 17 (1339 views)
why don't banks do more against phishing?

OT but related

I just got a bunch of phishing attacks against a bank come through.
Following the link leads me to some owned website with the fake bank
frontend - and it had a feature that I've seen time and time again:
images and links from the real banksite

Why don't banks rub two braincells together and start monitoring the
referrers on their primary webpages (eg logos, terms and conditions) and
return a "RUN AWAY!!! IT'S A TRAP!!!" page whenever someone views the
phishing sites? The Referrer header would allow that instantly

They really don't give a damn do they...

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


noel.butler at ausics

Apr 22, 2012, 7:47 PM

Post #2 of 17 (1315 views)
Re: why don't banks do more against phishing?

On Mon, 2012-04-23 at 14:40 +1200, Jason Haar wrote:

> OT but related
>
> I just got a bunch of phishing attacks against a bank come through.
> Following the link leads me to some owned website with the fake bank
> frontend - and it had a feature that I've seen time and time again:
> images and links from the real banksite
>


My personal bank's phishing scams ended a couple of years ago, when they
introduced SPF; the opposition's still arrive in my inbox or spam folders
every so often.



> Why don't banks rub two braincells together and start monitoring the


because that means their IT dept needs to employ someone with a clue
about DNS.



> They really don't give a damn do they...
>

some certainly don't


jimpop at gmail

Apr 22, 2012, 7:47 PM

Post #3 of 17 (1314 views)
Re: why don't banks do more against phishing?

On Sun, Apr 22, 2012 at 10:40 PM, Jason Haar <Jason_Haar [at] trimble> wrote:
> OT but related
>
> I just got a bunch of phishing attacks against a bank come through.
> Following the link leads me to some owned website with the fake bank
> frontend - and it had a feature that I've seen time and time again:
> images and links from the real banksite
>
> Why don't banks rub two braincells together and start monitoring the
> referrers on their primary webpages (eg logos, terms and conditions) and
> return a "RUN AWAY!!! IT'S A TRAP!!!" page whenever someone views the
> phishing sites? The Referrer header would allow that instantly
>
> They really don't give a damn do they...

Bingo!

I presented that very idea to a big bank (you would recognize the
name) approx 8 years ago. I suggested they monitor the referrers
(with the security product we were installing) and automatically
increase situational awareness accordingly, and at some point move to
replacing images that didn't match certain referrers. I was ignored,
almost scoffed at.

-Jim P.


hamann.w at t-online

Apr 22, 2012, 8:31 PM

Post #4 of 17 (1310 views)
Re: why don't banks do more against phishing?

>> OT but related
>>
>> I just got a bunch of phishing attacks against a bank come through.
>> Following the link leads me to some owned website with the fake bank
>> frontend - and it had a feature that I've seen time and time again:
>> images and links from the real banksite
>>
>> Why don't banks rub two braincells together and start monitoring the
>> referrers on their primary webpages (eg logos, terms and conditions) and
>> return a "RUN AWAY!!! IT'S A TRAP!!!" page whenever someone views the
>> phishing sites? The Referrer header would allow that instantly
>>
>> They really don't give a damn do they...
>>

Hi Jason,

a) phishers would probably move to hosting their own copies of the logos
b) some users of image resizers would see the warning sign reduced
(I recently had someone complain about an error on our google maps "our office is here"
page, and it turned out the visitor was using a smartphone via an image resize service)

Regards
Wolfgang


m at khonji

Apr 22, 2012, 8:32 PM

Post #5 of 17 (1312 views)
Re: why don't banks do more against phishing?

On 04/23/2012 06:40 AM, Jason Haar wrote:
> OT but related
>
> I just got a bunch of phishing attacks against a bank come through.
> Following the link leads me to some owned website with the fake bank
> frontend - and it had a feature that I've seen time and time again:
> images and links from the real banksite
>
> Why don't banks rub two braincells together and start monitoring the
> referrers on their primary webpages (eg logos, terms and conditions) and
> return a "RUN AWAY!!! IT'S A TRAP!!!" page whenever someone views the
> phishing sites? The Referrer header would allow that instantly
>
> They really don't give a damn do they...

Seems OK for existing clients who type the domain manually (or via a
bookmark). However, newly visiting clients might find the link via a
search engine, or (say) a site that contains a ranked list of the banks.
In the latter case, the referrer's domain name will not be that of the
bank, and will likely trigger a false positive.

Boils down to risk management -- money to lose by being a victim, versus
that of turning new customers away due to the false positives.

--
Regards,
Mahmoud Khonji
PGP Key: 0x92584ECA


xtrade at matik

Apr 22, 2012, 9:20 PM

Post #6 of 17 (1309 views)
Re: why don't banks do more against phishing?

Jason Haar wrote:
> OT but related
>
> I just got a bunch of phishing attacks against a bank come through.
> Following the link leads me to some owned website with the fake bank
> frontend - and it had a feature that I've seen time and time again:
> images and links from the real banksite
>
> Why don't banks rub two braincells together and start monitoring the
> referrers on their primary webpages (eg logos, terms and conditions) and
> return a "RUN AWAY!!! IT'S A TRAP!!!" page whenever someone views the
> phishing sites? The Referrer header would allow that instantly
>
> They really don't give a damn do they...
>


well, this is complete nonsense, not only your opinion but also your
technical suggestion

in the first place phishing is not targeting the bank, nor is it the victim

phishing deals with the stupidity of the "clickers"

no serious bank, as any other serious company, would ever send out
emails asking for user details

the user who believes that is either incredibly ingenious or incredibly
stupid, so: happy clicking

it is honorable that developers and technicians care and try to find
countermeasures, but it is not their responsibility, nor the bank's

who clicks on a phishing attempt, I'd say, well done, hopefully he types
in name and passwd, so that would then be a real learning lesson, one
more saved :)

what you're asking for is making the police pay for a stolen car ...


if you target a culprit you should go after all these irresponsible
web hosting companies which do not review the content and web admins who
do not have a clue about what they are doing


Hans






--
XTrade Assessory
International Facilitator
BR - US - CA - DE - GB - RU - UK
+55 (11) 4249.2222
http://xtrade.matik.com.br


lists at hireahit

Apr 23, 2012, 12:35 AM

Post #7 of 17 (1306 views)
Re: why don't banks do more against phishing?

On 4/22/2012 8:31 PM, hamann.w [at] t-online wrote:
> a) phishers would probably move to hosting their own copies of the logos

Yup. However, spammers haven't completely adapted to greylisting, and
still spam from SBL/ZEN listed IPs, so perhaps this would catch some of
the low-hanging fruit?

> b) some users of image resizers would see the warning sign reduced
> (I recently had someone complain about an error on our google maps "our office is here"
> page, and it turned out the visitor was using a smartphone via an image resize service)

Were you tripping on a lack of referrer, or was an image resizing
service actually returning a completely incorrect referrer? When
attacking phishing websites that are abusing legitimately hosted images,
you should be able to return the correct image for requests that are
completely missing a referrer; it's only when you get a third-party site
in the referrer that you should return the "This is a phishing site!" image.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


hamann.w at t-online

Apr 23, 2012, 3:41 AM

Post #8 of 17 (1315 views)
Re: why don't banks do more against phishing?

Dave Warren wrote:

>> b) some users of image resizers would see the warning sign reduced
>> (I recently had someone complain about an error on our google maps "our office is here"
>> page, and it turned out the visitor was using a smartphone via an image resize service)
>
> Were you tripping on a lack of referrer, or was an image resizing
> service actually returning a completely incorrect referrer? When

Hi Dave,

all I know is that someone told me about a broken cid:something image on the
phone for Google maps.
I recently tried a wrong google key and noticed that I would see the correct
map for a second, until a javascript shows an error message.
So my conclusion was that the resizing service loaded the original image
(from google server), replaced it by a cid: url, and then the Google
javascript would somehow fail.

Now thinking about the bank situation: the bank's webserver would see a request
from the resizing service, but it is up to the resizer to behave like a
real browser, or a proper http proxy.

Wolfgang


lists at hireahit

Apr 23, 2012, 6:46 PM

Post #9 of 17 (1302 views)
Re: why don't banks do more against phishing?

On 4/23/2012 4:41 AM, hamann.w [at] t-online wrote:
> Now thinking about the bank situation: the bank's webserver would see a request
> from the resizing service, but it is up to the resizer to behave like a
> real browser, or a proper http proxy

That's basically what I'm thinking. If the service fails to send a
referrer at all, you can generally serve images reasonably safely. Email
phishes can still use images, but given how few email clients actually
load HTTP images anyway, it's a minor part of the problem.

It's only when there's an incorrect referrer that you can assume the
request isn't legitimate and you should return something different.
Whether you do this immediately or have someone review before making the
decision is a business decision; for banks that can't confine themselves
to a single domain a manual review might be needed, but such is life.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
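The decision logic Dave describes above (serve the real image when the Referer is absent or names the bank's own site, react only when a third-party site appears, and choose between immediate enforcement and flagging for human review), as an added Python example that is not code from any post in this thread. The bank domain, image paths and request headers are all constructed for illustration; nothing here is taken from a real bank.

```python
from urllib.parse import urlsplit

# Constructed values for the example: the bank's registrable domain(s) and
# the two images the server can answer with.
BANK_DOMAINS = {"examplebank.test"}
REAL_IMAGE = "/static/logo.png"
WARNING_IMAGE = "/static/phishing-warning.png"


def referer_host(referer):
    """Lowercased hostname named by a Referer header value, or None when the
    header is absent or carries no host (e.g. 'about:blank')."""
    if not referer:
        return None
    host = urlsplit(referer.strip()).hostname
    return host.lower() if host else None


def is_bank_host(host, domains=BANK_DOMAINS):
    """True if host is one of the bank's domains or a subdomain of one.
    The leading dot in the suffix test keeps 'evilexamplebank.test' out."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(headers, domains=BANK_DOMAINS):
    """Classify an image request by its Referer header:
    'no-referer'   -> serve as usual (proxies, privacy settings, resizers that strip it)
    'first-party'  -> serve as usual (the bank's own pages embed the image)
    'third-party'  -> the only case worth reacting to"""
    host = referer_host(headers.get("Referer"))
    if host is None:
        return "no-referer"
    return "first-party" if is_bank_host(host, domains) else "third-party"


def decide(headers, mode="monitor", domains=BANK_DOMAINS):
    """Return (image_to_serve, review_entry).

    review_entry is None unless the request came from a third-party page.
    mode='monitor' still serves the real image but hands the entry to a human;
    mode='enforce' swaps in the warning image immediately."""
    kind = classify(headers, domains)
    if kind != "third-party":
        return REAL_IMAGE, None
    entry = {"kind": kind, "referer": headers.get("Referer")}
    return (WARNING_IMAGE if mode == "enforce" else REAL_IMAGE), entry


# Constructed sample requests: a header-stripping proxy, the bank's own login
# page, a hotlinking page on some compromised host, and a bare 'about:blank'.
SAMPLE_REQUESTS = [
    {},
    {"Referer": "https://online.examplebank.test/login"},
    {"Referer": "http://owned-site.example/bank/login.php"},
    {"Referer": "about:blank"},
]


def run_sample(mode="monitor"):
    """Decisions for SAMPLE_REQUESTS under the given mode."""
    return [decide(h, mode) for h in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for request, (image, entry) in zip(SAMPLE_REQUESTS, run_sample("enforce")):
        print(request.get("Referer"), "->", image, entry)
```

Applying the check to image requests rather than to the bank's primary pages sidesteps the search-engine false positive raised earlier in the thread: a browser sends the embedding page's URL as the Referer for an image, not the page the visitor came from. It does nothing against a phishing page that hosts its own copy of the logo, which is the adaptation Wolfgang expects.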


me at junc

Apr 23, 2012, 7:10 PM

Post #10 of 17 (1300 views)
Re: why don't banks do more against phishing?

Den 2012-04-24 03:46, Dave Warren skrev:

> It's only when there's an incorrect referrer that you can assume the
> request isn't legitimate and you should return something different.

or banks could care to send the image over the HTTPS protocol, not just HTTP

> Whether you do this immediately or have someone review before making
> the decision is a business decision,

bah

> for banks that can't confine
> themselves to a single domain then a manual review might be needed,
> but such is life.

yep it would be more fun to see the first bank that works in the links
text-mode web browser, and only displays graphics if started with links
-g; any other browser is insecure :=)


rwmaillists at googlemail

Apr 24, 2012, 6:25 AM

Post #11 of 17 (1301 views)
Re: why don't banks do more against phishing?

On Mon, 23 Apr 2012 01:20:13 -0300
xTrade Assessory wrote:


> no serious bank, as any other serious company, would ever send out
> emails asking for user details
>
> the user who believes that is either incredibly ingenious or incredibly
> stupid, so: happy clicking

I don't think it's all that stupid given that many banks and other
companies do more or less the same thing when they phone their
customers.


martin at gregorie

Apr 24, 2012, 7:23 AM

Post #12 of 17 (1301 views)
Re: why don't banks do more against phishing?

On Tue, 2012-04-24 at 14:25 +0100, RW wrote:
> On Mon, 23 Apr 2012 01:20:13 -0300
> xTrade Assessory wrote:
>
>
> > no serious bank, as any other serious company, would ever send out
> > emails asking for user details
> >
> > the user who believes that is either incredibly ingenious or incredibly
> > stupid, so: happy clicking
>
> I don't think it's all that stupid given that many banks and other
> companies do more or less the same thing when they phone their
> customers.
>
That merely shows that stupidity is extremely widespread: other outfits
being lax about security doesn't give the banks a free pass. And, what
about companies who confirm an account sign-up by sending a single plain
text e-mail containing the name of the company, your login name and your
password? Or the multitude that use your e-mail address as the login
name?

But back to banking. In the UK, anyway, you don't need to be either
intelligent or have any industry qualifications to run a bank. Back in
2007 or thereabouts a quiz master asked what was the difference
between:
- the CEO who bankrupted the Northern Rock Building Society
- the CEO who bankrupted the Royal Bank of Scotland
- the boss of Barclays (I think - might have been the Co-OP Bank)
- Terry Wogan, who was a well-known radio presenter at the time.

The answer was that the only one of them with any banking qualifications
was Terry Wogan.

My bank says up front and in writing that they will never ask for
account or login details by e-mail. I suggest moving your account away
from any bank that doesn't have the same policy and stick to it. Make
sure you tell them why you're leaving, though.


Martin


ned at unixmail

Apr 24, 2012, 8:14 AM

Post #13 of 17 (1299 views)
Re: why don't banks do more against phishing?

On 24/04/12 15:23, Martin Gregorie wrote:
>
> My bank says up front and in writing that they will never ask for
> account or login details by e-mail. I suggest moving your account away
> from any bank that doesn't have the same policy and stick to it. Make
> sure you tell them why you're leaving, though.
>
>

In addition to helping customers in this way, it would be really nice if
they would similarly help mail admins too, by also having a well defined
email policy, clearly stating which addresses they will send email from
and publishing accurate SPF records for those domains.

That would make it trivial for all mail admins to detect and block bank
phishing attempts.

It's not rocket science!
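What "accurate SPF records" buy a mail admin, as mentioned in Noel's reply and spelled out in the post above: an added Python example, not code from any post in this thread, that evaluates a published record against the connecting IP the way a receiving MTA would. The two records and all addresses are constructed (documentation ranges), and only the ip4, ip6 and all mechanisms are implemented, since anything else would need DNS lookups; the point is the difference between a record that ends in -all and one that does not.

```python
import ipaddress

# Constructed records, not any real bank's DNS.
RECORDS = {
    # accurate: names the only outbound relays and rejects everything else
    "examplebank.test": "v=spf1 ip4:192.0.2.0/28 ip6:2001:db8:10::/48 -all",
    # weak: same relays, but '?all' says nothing about other senders
    "weakbank.test": "v=spf1 ip4:192.0.2.0/28 ?all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate one SPF TXT record against the connecting IP address.

    Mechanisms are tried left to right; the first match decides, with its
    qualifier giving the result. Only ip4, ip6 and all are implemented here;
    include/a/mx/exists (and modifiers such as redirect=) need DNS and are
    reported as 'unsupported:<name>' instead of being resolved."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)  # raises ValueError on a malformed IP
    for term in terms[1:]:
        qualifier = "+"                    # RFC 7208 default qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # unparsable network in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "unsupported:" + name
    return "neutral"                       # nothing matched and no 'all' term


def should_reject(domain, sender_ip, records=RECORDS):
    """Mail-admin side: (reject?, spf_result) for mail claiming to come from
    domain. Only a hard 'fail' justifies rejecting at SMTP time; softfail and
    neutral can at most add to a spam score."""
    record = records.get(domain)
    if record is None:
        return False, "none"
    result = evaluate_spf(record, sender_ip)
    return result == "fail", result


if __name__ == "__main__":
    # A constructed sender that is not one of the bank's relays.
    for domain in RECORDS:
        print(domain, should_reject(domain, "198.51.100.7"))
```

With the -all record the same spoofed sender is rejected outright; with ?all the receiving side learns nothing and has to fall back on content scoring. Publishing the accurate record is the bank's half of the job; evaluating it is the mail admin's.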


xtrade at matik

Apr 24, 2012, 2:25 PM

Post #14 of 17 (1300 views)
Re: why don't banks do more against phishing?

Martin Gregorie wrote:
> On Tue, 2012-04-24 at 14:25 +0100, RW wrote:
>> On Mon, 23 Apr 2012 01:20:13 -0300
>> xTrade Assessory wrote:
>>
>>
>>> no serious bank, as any other serious company, would ever send out
>>> emails asking for user details
>>>
>>> the user who believes that is either incredibly ingenious or incredibly
>>> stupid, so: happy clicking
>>
>> I don't think it's all that stupid given that many banks and other
>> companies do more or less the same thing when they phone their
>> customers.
>>
> That merely shows that stupidity is extremely widespread: other outfits
> being lax about security doesn't give the banks a free pass. And, what
> about companies who confirm an account sign-up by sending a single plain
> text e-mail containing the name of the company, your login name and your
> password? Or the multitude that use your e-mail address as the login
> name?
>
> But back to banking? In the UK, anyway, you don't need to be either
> intelligent or have any industry qualifications to run a bank. Back in
> 2007 or thereabouts a quiz master asked what was the difference
> between:
> - the CEO who bankrupted the Northern Rock Building Society
> - the CEO who bankrupted the Royal Bank of Scotland
> - the boss of Barclays (I think - might have been the Co-OP Bank)
> - Terry Wogan, who was a well-known radio presenter at the time.
>
> The answer was that the only one of them with any banking qualifications
> was Terry Wogan.

media jokes certainly are not a good base for classification :)

>
> My bank says up front and in writing that they will never ask for
> account or login details by e-mail. I suggest moving your account away
> from any bank that doesn't have the same policy and stick to it. Make
> sure you tell them why you're leaving, though.
>

I'm getting really curious because some of you insist

I cannot believe that there is somewhere a bank passing/asking for
credentials by email, I never saw it and I know about internal bank
policies which do not permit *any* kind of email contact with clients



Hans


--
XTrade Assessory
International Facilitator
BR - US - CA - DE - GB - RU - UK
+55 (11) 4249.2222
http://xtrade.matik.com.br


rwmaillists at googlemail

Apr 24, 2012, 4:08 PM

Post #15 of 17 (1291 views)
Re: why don't banks do more against phishing?

On Tue, 24 Apr 2012 15:23:28 +0100
Martin Gregorie wrote:

> On Tue, 2012-04-24 at 14:25 +0100, RW wrote:
> > On Mon, 23 Apr 2012 01:20:13 -0300
> > xTrade Assessory wrote:
> >
> >
> > > no serious bank, as any other serious company, would ever send out
> > > emails asking for user details
> > >
> > > the user who believes that is either incredibly ingenious or
> > > incredibly stupid, so: happy clicking
> >
> > I don't think it's all that stupid given that many banks and other
> > companies do more or less the same thing when they phone their
> > customers.
> >
> That merely shows that stupidity is extremely widespread: other
> outfits being lax about security doesn't give the banks a free pass.


I meant that it's understandable that people fall for phishing when
banks set a bad example by phoning customers and requiring the customer
to provide personal information to establish his or her identity.


martin at gregorie

Apr 25, 2012, 1:50 AM

Post #16 of 17 (1291 views)
Re: why don't banks do more against phishing?

On Wed, 2012-04-25 at 00:08 +0100, RW wrote:
> On Tue, 24 Apr 2012 15:23:28 +0100
> Martin Gregorie wrote:
>
> > On Tue, 2012-04-24 at 14:25 +0100, RW wrote:
> > > On Mon, 23 Apr 2012 01:20:13 -0300
> > > xTrade Assessory wrote:
> > >
> > >
> > > > no serious bank, as any other serious company, would ever send out
> > > > emails asking for user details
> > > >
> > > > the user who believes that is either incredibly ingenious or
> > > > incredibly stupid, so: happy clicking
> > >
> > > I don't think it's all that stupid given that many banks and other
> > > companies do more or less the same thing when they phone their
> > > customers.
> > >
> > That merely shows that stupidity is extremely widespread: other
> > outfits being lax about security doesn't give the banks a free pass.
>
>
> I meant that it's understandable that people fall for phishing when
> banks set a bad example by phoning customers and requiring the customer
> to provide personal information to establish his or her identity.
>
Point taken, but it's still inexcusable of a bank to do that.

If somebody claiming to be my bank calls me and starts asking security
questions I tell them politely but firmly that I don't believe they are
from the bank and that I'll call them. Then I put down the phone and
ring the number I have on file for that bank.


Martin


nix at esperi

Jul 7, 2012, 10:31 AM

Post #17 of 17 (1121 views)
Re: why don't banks do more against phishing?

Coming to this a few months late provides some... interesting
perspective.

On 24 Apr 2012, xTrade Assessory uttered the following:
> Martin Gregorie wrote:
>> But back to banking? In the UK, anyway, you don't need to be either
>> intelligent or have any industry qualifications to run a bank. Back in
>> 2007 or thereabouts a quiz master asked what was the difference
>> between:
>> - the CEO who bankrupted the Northern Rock Building Society
>> - the CEO who bankrupted the Royal Bank of Scotland
>> - the boss of Barclays (I think - might have been the Co-OP Bank)
>> - Terry Wogan, who was a well-known radio presenter at the time.
>>
>> The answer was that the only one of them with any banking qualifications
>> was Terry Wogan.
>
> media jokes certainly are not a good base for classification :)

Perhaps not. I think the near-ruination of the world economy, the
near-bankrupting of numerous rich states, and now the hilarious RBS
epic computing disaster and long-running but now-exploding LIBOR rigging
scandal put a slightly different tone on things.

It's not only a quiz show host who figured that Bob Diamond shouldn't be
running a major bank. It's the chairman of the Bank of England (oh, the
FSA too).

--
NULL && (void)
