You've heard it before: "If they're intent on breaking in, they're going to break in. You can't stop a good criminal."
With browsers, web sites and financial institutions becoming more and more anti-phishing savvy, organized online crime also raises the bar.
For the first time, phishing attacks have outnumbered e-mails infected with viruses and Trojan horse programs. It must be working.
Phishing is getting much more sophisticated, as illustrated on another eBay knock-off that hit Germany on Thursday. The email itself claims that a direct debit order could not be processed and asks users to double check their account details and enter the correct details. That's not so bad. However, clicking executes the attachment ('bill.exe') which initiates a malicious code downloaded which hides in the background while the web page displays a PDF file.
TMCnet's Raju Shanbhag, TMCnet explains about the new "Two-factor authentication"
"Two-factor authentication involves the user entering pseudorandomly generated codes and a password. This method of authentication was developed after hackers used keyloggers to get the password and broke into the accounts. This pseudorandomly generated code can be used only once."
But just about as fast as the banks can protect themselves, online crime and terrorists program around it...
"The hackers have found a new workaround for this authentication tool. The man-in-the-middle attack hijacks a user session and users are lured into visiting a spoofed portal. This portal is hosted on a compromised machine and once the information is entered, such bank details and codes are relayed to the to the real bank site. Once the users have validated their identity on the real system by way of the compromised relay, hackers take over the session."
Most people think it can't happen here, but it's getting harder and harder to tell the difference between the good and the evil...
"To make the phishing e-mails more believable, they are becoming more personalized. While earlier attackers just sent phishing e-mails to a randomly selected list, nowadays these messages contain details about the banks, which the receiver actually uses. Also, many phishing Web sites are now using Flash content rather than HTML to escape anti-phishing technology deployed in modern Web browsers."
Here's an excellent PodCast from CNet: Joris Evers and CNET's Robert Vamosi give their take in this week's Security Bites podcast : Phishing overtakes viruses, Trojan horses
(Listen to the PodCast MP3)
Fortunately the implementation and deployment of IPv6 will cure all this. But when it's become standard, I have a gut feeling that organized online crime will break that too.
Thanks for reading...
Fred Showker, Editor, Graphic Design & Publishing