Phishing & BotNets
What else to be done ? Feb 14 2007 06:40AM
dubaisans dubai (dubaisans gmail com) (2 replies)
Re: What else to be done ? Feb 16 2007 06:56AM
Carl Jongsma (info skiifwrald com) (1 replies)

The more skilled phishers are probably already aware of the length of
useful time that they can run a particular phish. Anti-phishing
vendors who run domain searches and spam traps will always be behind
the curve when it comes to defeating these phishers (although it is a
nice way of guaranteeing constant income).

Take-down services run the same risk as take-down services against
spammers. Unless you are 100% certain of the target's identity and
online location, it is possible to take out innocent bystanders (spam
blacklists, I am looking at you). The ethics of what could amount to
a DoS are also dubious. If someone is just selling you their service
which comprises contacting the abuse@ email address, or reporting it
to legal authorities, then you may as well do the work yourself.

Professionally, I believe that many of these services are more snake
oil than substance, and none really appear to be coming anywhere near
close to addressing the situation in any meaningful way (including
services like SiteAdvisor).

I think that the big problem is that there are too many 'Tech' people
out there, especially at companies and institutions that control
sensitive data, who don't understand the risks, who don't comprehend
the problems that they are causing for their end users with their
poor online service models and random email contacts. There are also
more than enough institutions that just don't regard it as enough of
a risk (financial or technical) to make a significant investment in
fixing it. Take our own recent experience with phishing on business
networking sites. Only the networking site took any interest in
actively dealing with the situation. The webmail provider, the
individual whose identity was stolen, and the service providers whose
services were used to perpetrate the phish didn't respond with any
action (beyond automated replies from those that even bothered to
acknowledge our contact).

Of course, the industry response hasn't quite been overwhelming.
Take the recent RSA conference, for example. Most of the reports and
stories that have been written about the conference were from
companies and people completely underwhelmed by the material
presented in the keynotes and panels, and also in the products and
services being hawked by the vendors on the display floor.

What can be done? Even 2FA is being worked around by the more
technically proficient phishers, and user awareness will only go so
far when to successfully identify an advanced phish, the user needs a
fair mix of luck, technical proficiency, and scepticism.

Unless a company or body that is being targeted is willing to step up
and make various technical changes, there isn't a whole lot that can
be done to prevent successful phishing attacks. Unfortunately, it is
something that we are all going to have to live with for a very long
time (even though the developers in our R&D lab believe they have it


Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia

On 14/02/2007, at 5:10 PM, dubaisans dubai wrote:

> Apart from two-factor and user awareness is there anything meaningful
> we can do against phishing ?
> Is it time to stop paying anti-phishing vendors who do domain-name
> search , who have spam traps etc ?
> There are many vendors providing take down services - pay-per-use and
> also bulk - do these make sense?

RE: What else to be done ? Feb 20 2007 12:31PM
Anoop Mangla (anoop mangla paladion net) (1 replies)
Re: What else to be done ? Feb 21 2007 02:42PM
Carl Jongsma (info skiifwrald com)
Re: What else to be done ? Feb 15 2007 08:35AM
Isaac Perez (suscripcions tsolucio com)


Copyright 2010, SecurityFocus