phishing attacks against ISPs (also with Google translations)
In this email message I'd like to discuss two subjects:

a. Phishing against ISPs.
b. Phishing in different languages against ISPs as soon as Google adds a new translation module.

[My apologies to those who receive this email more than once. I am approaching several different industries on this matter]

In the past few weeks there has been an increasing number of phishing attacks against clients of Israeli ISPs. I've only seen a few of these, but the local ISPs confirm it's happening across the board.

In all these cases, the phishing email is in Hebrew. While we have seen ISP phishing and Hebrew phishing before, these attacks started when Google added translation into Hebrew.

Is this a trend? Have other countries (or populations) been targeted when Google added a translation module for more languages?

Notes:

a. Some Israeli ISPs emailed their clients warning against such attacks. Saying they'd never ask for their password, etc.
b. While I was certainly heavily involved with phishing originally and even started the first coordination group to deal with the issue, I am somewhat removed from it now, dealing more with phishing/banking Trojan horses. Can anyone educate me as to how often ISPs get phished, if at all?
c. If you get phished, what strategies if any have you taken to prevent the attacks/respond to them/educate your clients? What worked?
d. I wonder if these translation misuses could eventually translate into some intelligence we will see in Google security reports, such as on malware.

Gadi.
On Wed, Mar 25, 2009 at 7:38 AM, Gadi Evron <ge@linuxbox.org> wrote:
> In this email message I'd like to discuss two subjects:
That makes one of us,
> b. Phishing in different languages against ISPs as soon as Google adds a new translation module.

> In the past few weeks there has been an increasing number of phishing attacks against clients of Israeli ISPs. I've only seen a few of these, but the local ISPs confirm it's happening across the board.
Confirmed. Not more than two days after Google added its /intl/xx-bork/ translation site, my best friend (he's Swedish - a high-profile chef) told me he was scammed out of thousands of dollars by someone on the internet that he didn't know. (Actually his words were "Eye lost all mee moolah on der webs! Its der Googol web-en page-en! Eye don know whatta think-a, bork bork bork!")

On a more serious note, how does this relate to network operations?
> In all these cases, the phishing email is in Hebrew. While we have seen ISP phishing and Hebrew phishing before, these attacks started when Google added translation into Hebrew.
Since at the time Google added Hebrew translations, they also added 1. Vietnamese, 2. Slovak, 3. Serbian, 4. Catalan, 5. Filipino, 6. Indonesian, 7. Latvian, 8. Lithuanian, 9. Hebrew, and 10. Ukrainian, any reasonable person might assume that your 1/11th of new languages would make up a little less than 100% of what is probably hand-picked "data".

Your data, or, to wit, your attempts to link Google and Phishing, need(s) some work. And by "needs some work" one might mean "are full of fail, try again later".

> Is this a trend? Have other countries (or populations) been targeted
> when Google added a translation module for more languages?
^^ Insert blatant attempts to get unfounded interviews with clueless media here. ^^

Router(enable)# no ip mailing-list crazy
Paul Wall wrote:
> That makes one of us,
Paul, please refrain from silly attacks, as your message didn't provide anything substantive for this list. And your attempts at derisive humor weren't amusing. Grow up.

===

I've not recently seen an ISP account phish here. The last one I remember was circa 2003. It was a dictionary attack, arriving at my was@ account (long since rendered useless by spam volume and terminated).

However, I don't save phish/spam anymore. I used to save everything -- providing many of the examples for http://fraudgallery.com/ -- nowadays, just daily scan for false positives, report monetary phish to the few ISPs that actually promptly close down bad actors, and delete the rest.

Good luck, Gadi.
William Allen Simpson wrote:
> I've not recently seen an ISP account phish here. The last one I remember was circa 2003. It was a dictionary attack, arriving at my was@ account (long since rendered useless by spam volume and terminated).

> However, I don't save phish/spam anymore. I used to save everything -- providing many of the examples for http://fraudgallery.com/ -- nowadays, just daily scan for false positives, report monetary phish to the few ISPs that actually promptly close down bad actors, and delete the rest.
One of the responses off NANOG was very interesting. I will attribute after asking for permission to re-post. The guy mentioned the concept of sending warning emails to customers to begin with. His opinion is that it is a mistake, and only causes confusion. On top of that it raises support desk costs as people call in for explanation, as well as to report new fraudulent emails they see while in the past they mostly just ignored them. I hope to get more feedback on the matter, and see if other folks have the same experience.
> Good luck, Gadi.
I appreciate your feedback, I had no idea ISP phishing goes all the way back to 2003.. although dictionary attacks may not be best defined that way. Definition discussions are boring though. Danke, Gadi.
Gadi Evron wrote:
> The guy mentioned the concept of sending warning emails to customers to begin with. His opinion is that it is a mistake, and only causes confusion. On top of that it raises support desk costs as people call in for explanation, as well as to report new fraudulent emails they see while in the past they mostly just ignored them.
The earliest warning email we sent out to customers was:

# Date: Mon, 11 Aug 2003 15:34:43 -0500
# Subject: New Virus Warning
#...
# There is a new virus spreading around the internet. It has a subject like
# "your account" and it has the following text in it:
#
# > I would like to inform you about important information regarding your
# > email address. This email address will be expiring.
# > Please read attachment for details.
#...

I don't remember an uptick in support calls after that message, but there were plenty of calls about the phish message itself, so we hoped that sending a warning to everybody would reduce the problems. We'd had a user taken over, and then the account was used for so much spam that the bounce messages totally filled the incoming mail (filter) server.
> I appreciate your feedback, I had no idea ISP phishing goes all the way back to 2003..
Ha! Goes back much farther than that! The earliest I have at my fingertips (saved email on this laptop only goes back to 1999):

# DATE: 27 Dec 00 7:43:14 PM
# SUBJECT: re: your account
#

That was a web phish at hxxp://vaginaonline.com/a.usertrack2781.75/5/

And they were obviously tracking exactly which users responded! You'd think our customers would notice that domain wasn't us. ;-)

But even today, it's a security problem that users don't notice the URL they're clicking, or pay attention to security warnings less subtle than a big gray popup dialog box....
> although dictionary attacks may not be best defined that way. Definition discussions are boring though.
I meant that they tried every word in the dictionary for user names, maybe every combination of letters and numbers.

Anyway, I was wrong about the most recent one that I'd saved. Who could forget the especially virulent (976 Google hits):

# Date: Tue, 16 Mar 2004 10:59:13 +0100
# Subject: Important notify about your e-mail account.

Anyway, none of this helps you with researching non-English ISP phishing. But it shows that this isn't a /new/ problem around here.
On Wed, Mar 25, 2009 at 9:02 AM, William Allen Simpson <william.allen.simpson@gmail.com> wrote:
> I've not recently seen an ISP account phish here. The last one I remember was circa 2003. It was a dictionary attack, arriving at my was@ account (long since rendered useless by spam volume and terminated).

> However, I don't save phish/spam anymore. I used to save everything -- providing many of the examples for http://fraudgallery.com/ -- nowadays, just daily scan for false positives, report monetary phish to the few ISPs that actually promptly close down bad actors, and delete the rest.
The only recently successful scams that I am aware of which specifically targeted ISPs have been to obtain control of domain registrar accounts. Whether that was accomplished via phishing, or via some other nefarious method, is still unclear.

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
participants (5)
- Gadi Evron
- Paul Ferguson
- Paul Wall
- Valdis.Kletnieks@vt.edu
- William Allen Simpson