South Africa Info Forums

Full Version: Phishing con hijacks browser bar
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Scammers are using increasingly sophisticated methods to trick people into handing over personal information.

The latest con uses a fake version of a web browser's address bar to hide a bogus site set up to collect Pin codes for cash machines.

The address bar stays in place and could be used to steal information about other sites too.

Security experts said users should be suspicious of any e-mail that asks them to verify confidential information.

Scam spotting

So-called phishing cons have become increasingly common recently among tech-savvy criminals keen to steal cash from gullible users by making them hand over sign on or account details.

Most phishing attacks involve an e-mail that purports to be sent out by a legitimate organisation, such as a bank, that asks users to enter information on a special site.

Anyone following the instructions will unwittingly be handing over details to conmen who use them to empty the account of cash.

Often the fake websites are difficult to spot because they do a good job of reproducing the website of the company they are impersonating.

Now the Anti-Phishing Working Group has come across an even more sophisticated attack that targets Citibank customers.

When users visit click on the web link in the e-mail of this latest attack, the site they are taken to detects what browser they are using, suppresses the real address bar and generates a fake one to take its place.

This fake browser bar shows the real web address of the firm being impersonated rather than the address of the scam site the user is actually visiting.

"The biggest problem you have when trying to fool people is what appears in the address bar of the browser," said Dave Brunswick, technical director at Tumbleweed and a member of the APWG.

But, he said, this attack removes that problem.

The address bar even acts like a real part of the browser and will direct net users to other website addresses that are typed into it.

The website also fakes the appearance of the webpage code used to create it to make it look more convincing.

One of the few clues that it is a fake is the fact that it does not show a locked padlock icon for the supposedly secure web-browsing session it is supporting.

The grammar and style of the original e-mail is also slightly suspect.

Mr Brunswick advised people to be suspicious of any e-mail message that asked users to supply key login or personal information.

"The idea is to be cynical and ask: 'Why would my bank be sending me this e-mail?'" he said.

There were 60% more phishing attacks in February than January according to the APWG.
"AD - AWARE" will eliminate these problems for you if found.

Full description somewhere in this forum.

picanin

OK not getting picky but the person who wrote this story obviously isnt tech savvy. How will your browser get the pin number for your cash card? And even if you do enter your cash card pin, without the actual card that pin is pretty useless.

What they should be pointing out is that it affects online banking and the like! Not actual card transactions.
Quote:Originally posted by picanin
OK not getting picky but the person who wrote this story obviously isnt tech savvy. How will your browser get the pin number for your cash card? And even if you do enter your cash card pin, without the actual card that pin is pretty useless.

What they should be pointing out is that it affects online banking and the like! Not actual card transactions.


You have a very good point there pics :haha:
me finks anyone who give banking details or any kind of personal info to anyone they dont know ESPECIALLY VIA THE INTERNET is fick anyway :p
Quote:Originally posted by picanin
OK not getting picky but the person who wrote this story obviously isnt tech savvy. How will your browser get the pin number for your cash card? And even if you do enter your cash card pin, without the actual card that pin is pretty useless.

What they should be pointing out is that it affects online banking and the like! Not actual card transactions.


This is what struck me as odd too Sad Perhaps the author doesn't keep his money in a bank or uses and old fashioned bank book instead of an ATM card.... :haha:

picanin

Quote:Originally posted by Jangar
This is what struck me as odd too Sad Perhaps the author doesn't keep his money in a bank or uses and old fashioned bank book instead of an ATM card.... :haha:


Thanks to the wonders of Linux I ahve been able to investigate this in complete safety! (Bill Gates your software sucks!). I received the email in my M-Mail software and followed the instructions. It didnt actually try to install a new browser bar. What it did do was direct me to the correct Citibank website. However, it also opened up a secondary window asking for my debit card number and pin. The secondary window had come from a Russian webserver. So the actual gist of the article is correct. What I want to know is how they plan to use said card number and your PIN? Possibly a case of social engineering or maybe contacts within Citibank who can arrange for new cards to be made of the compromised accounts.

PS This is once more proof to drop the losers software and move over to safe *nix based software. Using Windows is like trying to cross the Atlantic in a bath tub full of holes! Big Grin
Quote:Originally posted by picanin
Using Windows is like trying to cross the Atlantic in a bath tub full of holes! Big Grin



Seriously thinking of buying a Apple Mac lapdog next .... just to get the software is sooooo expensive :bigcry:

whirlpool

Quote:Originally posted by picanin
Using Windows is like trying to cross the Atlantic in a bath tub full of holes! Big Grin
and as he is no longer the worlds richest man he can't even afford the bath tub Big Grin

picanin

Quote:Originally posted by FlyingBok
Seriously thinking of buying a Apple Mac lapdog next .... just to get the software is sooooo expensive :bigcry:



Why waste your money on a mac FB? Use Linux on a PC laptop. Mac OSX is just another *nix based OS that you pay a fortune for to use on a pretty little piece of kit that looks more suited to a womans makeup puch than real world needs.

Use Linux for free on a PC with most of the software you will ever want available for free.