Archive for March, 2005

Bayesian Spam Filters Make Phishers More Effective

I use SpamBayes to keep my inboxes virtually spam-free. I’ve also written and tweaked Bayesian filters to solve other problems, but I realized a while back that personal Bayesian spam filters actually help phishers be more effective in their attacks. Stay with me…

Bayesian spam filters need to be trained. You teach the filter what you want to see and what you don’t, and it learns very quickly. I use eBay and PayPal all the time, so I’ve trained SpamBayes to let official-looking eBay and PayPal emails get through to me. Someone else might classify these emails as spam, but I definitely want to get them.

A phisher’s dream is to be able to send emails to the most likely targets. Citibank spoofs would only be sent to Citibank users, eBay spoofs to eBay users, etc. Phishers would get much higher "conversion rates" if they could do this. Luckily for us, they can’t.

But here’s the kicker - a well-trained Bayesian filter makes sure you only see phishing emails for which you are a good target. SpamBayes makes sure I see eBay and PayPal spoofs in my inbox, but it also makes sure I don’t see attacks targeting Bank of America, AOL, SunTrust, etc. So, in a way, I’ve trained my filter to help phishers target me directly.
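
The effect described above, as an added example that is not part of the original post and not SpamBayes code: a minimal naive Bayes filter is trained on a constructed personal corpus (eBay and PayPal notices kept as ham, unsolicited bank and AOL mail flagged as spam) and then scores two constructed phishing lures that differ only in the brand they impersonate. SpamBayes itself uses a different combining rule; the plain log-odds naive Bayes with add-one smoothing below is an assumption chosen for brevity.

```python
"""Added example, not code from the original post or from SpamBayes: a
minimal naive Bayes spam filter trained on constructed eBay/PayPal ham and
constructed bank/AOL spam, then scored against two constructed phishing
messages that differ only in the brand they impersonate."""

import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokens(text):
    """Case-folded word tokens, counted once per message (set semantics)."""
    return set(TOKEN_RE.findall(text.lower()))


class NaiveBayesFilter:
    def __init__(self):
        self.ham_docs = Counter()   # token -> number of ham messages containing it
        self.spam_docs = Counter()  # token -> number of spam messages containing it
        self.n_ham = 0
        self.n_spam = 0

    def train(self, text, is_spam):
        bucket = self.spam_docs if is_spam else self.ham_docs
        for tok in tokens(text):
            bucket[tok] += 1
        if is_spam:
            self.n_spam += 1
        else:
            self.n_ham += 1

    def spam_probability(self, text):
        """P(spam | message) under naive Bayes with add-one smoothing."""
        log_odds = math.log((self.n_spam + 1) / (self.n_ham + 1))
        for tok in tokens(text):
            p_tok_spam = (self.spam_docs[tok] + 1) / (self.n_spam + 2)
            p_tok_ham = (self.ham_docs[tok] + 1) / (self.n_ham + 2)
            log_odds += math.log(p_tok_spam / p_tok_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))


def delivered(filt, messages, threshold=0.5):
    """Messages the filter would let into the inbox (score below threshold)."""
    return [m for m in messages if filt.spam_probability(m) < threshold]


# Constructed training data standing in for one user's personal corpus:
# this user keeps real eBay and PayPal notices (ham) and has flagged
# unsolicited bank and AOL mail as spam.
HAM = [
    "ebay: your item has sold, please leave feedback for the buyer",
    "paypal: you have received a payment, view the transaction details",
    "ebay: you have been outbid on an item you are watching",
    "paypal: your monthly account statement is available",
    "ebay: invoice for your seller fees this month",
]
SPAM = [
    "bank of america: please verify your online banking account",
    "suntrust: urgent security update for your online banking account",
    "aol: your account will be suspended unless you confirm your password",
    "cheap meds, buy now, lowest prices online",
    "citibank: unusual activity, confirm your account details",
]

# Two constructed phishing lures with identical wording except for the brand.
PHISH_EBAY = "ebay: your account has been suspended, login to verify your details"
PHISH_BOA = "bank of america: your account has been suspended, login to verify your details"


def trained_filter():
    filt = NaiveBayesFilter()
    for m in HAM:
        filt.train(m, is_spam=False)
    for m in SPAM:
        filt.train(m, is_spam=True)
    return filt


if __name__ == "__main__":
    f = trained_filter()
    for msg in (PHISH_EBAY, PHISH_BOA):
        print(f"{f.spam_probability(msg):.2f}  {msg}")
    print("delivered:", delivered(f, [PHISH_EBAY, PHISH_BOA]))
```

Every token the two lures share cancels out; the whole difference in score comes from "ebay" (seen only in ham) versus "bank of america" (seen only in spam), so the eBay lure is delivered and the Bank of America lure is dropped. That is the filter doing exactly what it was trained to do, and it is also the targeting the post describes.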

Comments (3)

First Graders Use Optimized Insertion Sort

Every other Monday morning, I take Lauren (my first grader) to school and work in her classroom for about an hour. One of the things we do before the other students get there is to assemble homework folders for the week. Lauren’s job is to sort the folders (they are numbered) for the 20 students in her class, and I put the homework packets in the folders. You know you’re a geek when you watch your first grader sort things to see what algorithm she uses.

Turns out she uses a slightly optimized insertion sort — she scans for the smallest item (#1) and moves it to the front, then scans left-to-right looking for #2, etc. Sometimes her scan is optimized because she remembers #5 is near the end, and can jump near it instead of doing a full scan. It’s not the fastest algorithm, but it works just fine for 20 items. I think I’ll wait until 2nd grade to teach her to quicksort :-)

Comments off

Hybrid Spoof Sites - AOL and eBay

Most phishing sites replicate the login pages from financial institutions or ecommerce sites… not much creativity there. But we are starting to see more hybrid and creative spoof sites. Here’s a combination eBay/AOL spoof that showed up in my inbox the other day…

[Screenshot: Aolebay]

The email told me that a bid I’d made on eBay was being cancelled and that I needed to login again to re-enable my bid. 

The spoof site asks for my "AOL Email Password" and some other information, but none of it is especially dangerous. I don’t have an AOL account. Even if I gave them my password, zip code, and birth date, they still wouldn’t have my name, AOL screen name, or anything else of real value. I sent some bogus data to the phisher and was redirected to an actual eBay auction - no two-step phishing site here. Why wouldn’t the phishers ask for more valuable information? Could this be a phishing experiment? Perhaps the next iteration of this attack will be sent only to AOL users and the AOL screen name will be embedded in the URL (or form) so the phisher can connect that to the password.

Comments (1)

Free Tickets for Your Personal Info

This BBC article (via security guru Bruce Schneier) discusses how easy it is to get people to give up personal information.

Comments off

3 Ways to Make Google Maps Better

I’m directionally challenged in a big way, so I print direction maps all the time. I’ve used MapQuest for years, but Google Maps is my new favorite - big maps, cool UI, good directions.

Google has got this almost perfect, but here are things that could make it even better:

1. Don’t load the full map on the home page

Maps loads a full map of the US whenever it loads. That’s nice when you are playing with Maps for the first time, and want to drill down visually, but it’s a pain to wait for it to load when all I want to do is type in an address and find it.

2. Fix the tab order from the search box

[Screenshot: Gm_loading_3]

When I search for an address, my fingers want to type in the search box, hit TAB, then ENTER to fire the search (yes, I know I could just hit ENTER without the TAB). This works on the Google home page. But, in Maps, the focus shifts to the Help link, so ENTER launches the help page and I lose my typed search. I’ve opened the help page way too many times.

3. Remember My Starting/Ending Addresses

[Screenshot: Gm_directions_1]

When I print directions, I’m almost always printing them from home to some location. Maps doesn’t remember what I’ve typed before… so I have to type my address over and over again. Maps should let me choose from a short list of recently typed addresses.

Anyone else have suggestions for Google Maps?

Comments (2)

Why Do Folders Start With Dots?

Many phishing sites include a period (.) at the start of a folder name. Here’s a sanitized example:

http://example.com/.bank/update.html

Why is there a period (.) at the start of the .bank folder? In Unix and Unix-like environments, a period at the start of a folder or file name makes that object a hidden object. When phishers take over machines to host their sites, they’ll often put the site in a hidden directory to minimize the chance that the owner of the box will find it. With its default configuration, Apache won’t show the folder in its directory listings, and neither will the ls program (like dir in DOS) unless you use a special command-line parameter (-a). Note that "hidden" only affects listings: the folder is still served normally when its URL is requested, and find will still walk into it.
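
One way to look for this on a box you administer, as an added example that is not code from the original post: walk the web document root and report every dot-prefixed directory that contains web-servable files. The demo layout is constructed in a temporary directory, and the suffix list is an assumption.

```python
"""Added example, not code from the original post: walk a web document
root and report hidden (dot-prefixed) directories that contain
web-servable files, which is where a phishing kit dropped on a
compromised host tends to sit.  The demo layout is constructed in a
temporary directory; the suffix list is an assumption."""

import os
import tempfile

WEB_SUFFIXES = (".html", ".htm", ".php")


def find_hidden_web_dirs(docroot):
    """Sorted, docroot-relative paths of directories that (a) have at least one
    dot-prefixed component and (b) directly contain a web-servable file.
    os.walk does not skip dot-directories the way a bare `ls` does, so
    nothing is missed here; the same is true of Apache serving the URL."""
    hits = set()
    for dirpath, _dirnames, filenames in os.walk(docroot):
        rel = os.path.relpath(dirpath, docroot)
        if rel == ".":
            continue  # the document root itself
        if not any(part.startswith(".") for part in rel.split(os.sep)):
            continue
        if any(name.lower().endswith(WEB_SUFFIXES) for name in filenames):
            hits.add(rel)
    return sorted(hits)


def make_demo_root():
    """Build a constructed document root resembling a compromised host:
    a legitimate site plus a hidden phishing directory and a nested one."""
    root = tempfile.mkdtemp()
    layout = {
        "index.html": "<h1>Welcome</h1>",
        "images/logo.gif": "GIF89a",
        ".htaccess": "Options -Indexes",                        # hidden file, not a dir
        ".git/HEAD": "ref: refs/heads/main",                    # hidden dir, no web files
        ".bank/update.html": '<form action="post.php">',        # the pattern from the post
        ".ws/ebay.com/verify.html": '<form action="log.php">',  # dot component one level up
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = make_demo_root()
    for hit in find_hidden_web_dirs(root):
        print(hit)
```

Running it against the demo root reports .bank and .ws/ebay.com and ignores .git (hidden, but no pages in it) and the ordinary images directory. A hidden component anywhere in the path counts, since a kit is just as often dropped under something like .ws/ebay.com/ as directly in a dot-directory.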

Comments off

Wamu Phishing Sites Stale Too

Earlier this week I noted that most PayPal phishing sites are stale - they are based on old versions of the PayPal login page. It seems that most WAMU phishing sites are also stale.

If you take a quick look at the HTML source of the standard WAMU login page, you’ll find some JavaScript that looks like this - it’s pre-populated with today’s date.

var g_dtToday = new Date("03/23/2005");

However, most WAMU phishing sites use a date from 10/29/2004.

var g_dtToday = new Date("10/29/2004");

Why is this significant? The old date (and other timestamp code in the HTML) creates a kind of signature. Either we have a single phisher creating most of the WAMU spoof sites, or someone created a kit that’s being used by multiple phishers.

Comments off

Phishing With Pleasure, Not Pain

First generation phishing attacks "sold" fear and ignorance - "your account has been compromised and will be shut down - please login to re-enable your account". There are two ways to sell any product - sell decreased pain or increased pleasure. Fear sells, but so does greed. Phishers have been selling fear, but we’ve always expected them to try selling through incentives. We’re starting to see these new kinds of attacks - here’s an eWeek article detailing a Citizens Bank attack that tells the user they can get $5 for filling out a survey.

Comments off

Phishing eBay Through Doubleclick

A couple of weeks ago there were reports of a bug at eBay.com that allowed phishers to create links to their own sites that redirected through ebay.com (an open redirect). Unless they looked closely at the link source, users clicking these links would assume they were visiting eBay but would wind up at the spoof site instead.

This one showed up in my inbox today - it takes advantage of a similar “bug”, but this time redirecting through ebay.doubleclick.net.

http://ebay.doubleclick.net/clk;13776421;10665639;k?http://www.tylerkellymotors.com/~dan/.ws/ebay.com/ACCOUNT_STATUS_UPDATE_00000030020100000001001_00003307844777880000/verify.html
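
Unwrapping a link like the one above, as an added example that is not code from the original post: the function below finds every absolute URL embedded inside a link and reports the chain of hosts a click actually passes through. The ebay.doubleclick.net prefix follows the link shown above; the destination host compromised.example is constructed in place of the real one.

```python
"""Added example, not code from the original post: unwrap a link that
carries another absolute URL inside it (an open redirect) and report the
chain of hosts the click actually passes through.  The doubleclick.net
prefix follows the link shown in the post; the destination host
compromised.example is constructed."""

import re
from urllib.parse import unquote, urlsplit

SCHEME_RE = re.compile(r"https?://", re.IGNORECASE)


def redirect_chain(link):
    """Hostnames visited if every embedded absolute URL is followed in turn,
    starting with the host the user sees in the link itself.  Each tail is
    percent-decoded once more so nested encoded redirects unwrap too."""
    hosts = []
    current = unquote(link)
    while True:
        head = SCHEME_RE.match(current)
        if head is None:
            break
        hosts.append(urlsplit(current).hostname)
        nxt = SCHEME_RE.search(current, head.end())
        if nxt is None:
            break
        current = unquote(current[nxt.start():])
    return hosts


def is_cross_host_redirect(link):
    """True when the link lands on a different host than the one it shows."""
    chain = redirect_chain(link)
    return len(chain) > 1 and chain[0] != chain[-1]


def final_destination(link):
    """Last host in the chain, or None if the link is not a URL at all."""
    chain = redirect_chain(link)
    return chain[-1] if chain else None


# Constructed stand-in for the link in the post: same redirector, fake target.
SAMPLE = ("http://ebay.doubleclick.net/clk;13776421;10665639;k?"
          "http://compromised.example/~dan/.ws/ebay.com/verify.html")

if __name__ == "__main__":
    print(redirect_chain(SAMPLE))
    print(is_cross_host_redirect(SAMPLE), final_destination(SAMPLE))
```

The host that serves the page is the last one in the chain. The "ebay.com" that appears later in the link is only a directory name on the compromised server; it has no scheme in front of it, so it is correctly not treated as a destination.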

Comments off

Stale Phish Bait

[Screenshot: Stale_kit]

It’s remarkably simple to create a new phishing site. Most phishers visit the target site using a standard web browser, save a local copy of the HTML code for the login page (and sometimes the images too), make a few minor modifications to the HTML so the form data can be captured, and finally upload the HTML code to a new location. I’d guess this would take about 5 minutes. Wouldn’t you think phishers would want their bogus site to be as similar as possible to the target site?

The screenshot above shows some HTML comments that PayPal embeds in their HTML (PayPal is one of the most frequently targeted sites for phishing attacks). The live PayPal site is using version 29 of the HTML code. Below it is an excerpt from a PayPal phishing site we saw today… it’s using version 24, and was created on October 29, 2004. Another one we saw today was using version 17, created on May 23, 2004. Talk about stale bait!
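
Turning these stale markers into a kit signature, as an added example that is not code from the original posts, serves both this post and the WAMU one above: it pulls the timestamp and version markers out of a copied login page, measures how far behind the live page they are, and clusters suspect pages that share one fingerprint. The g_dtToday assignment is the one quoted in the WAMU post; the `<!-- version: N -->` comment stands in for the PayPal markers in the screenshot and is an assumption, as are all the sample pages.

```python
"""Added example, not code from the original posts: pull the timestamp and
version markers a copied login page carries, measure how far behind the
live page they are, and cluster suspect pages that share one fingerprint.
The g_dtToday assignment is the one quoted in the WAMU post; the
<!-- version: N --> comment is an assumed stand-in for PayPal's markers,
and every sample page below is constructed."""

import re
from datetime import date

DATE_RE = re.compile(
    r"g_dtToday\s*=\s*new\s+Date\(\s*[\"']?(\d{2})/(\d{2})/(\d{4})[\"']?\s*\)")
VERSION_RE = re.compile(r"<!--\s*version:\s*(\d+)\s*-->", re.IGNORECASE)


def extract_fingerprint(html):
    """{'date': datetime.date or None, 'version': int or None} from the page."""
    m = DATE_RE.search(html)
    when = date(int(m.group(3)), int(m.group(1)), int(m.group(2))) if m else None
    v = VERSION_RE.search(html)
    return {"date": when, "version": int(v.group(1)) if v else None}


def staleness(live_html, suspect_html):
    """How far the suspect page lags the live one, by days and by version.
    Either value is None when that marker is missing from either page."""
    live = extract_fingerprint(live_html)
    sus = extract_fingerprint(suspect_html)
    days = None
    if live["date"] and sus["date"]:
        days = (live["date"] - sus["date"]).days
    versions = None
    if live["version"] is not None and sus["version"] is not None:
        versions = live["version"] - sus["version"]
    return {"days_stale": days, "versions_behind": versions}


def cluster_by_fingerprint(pages):
    """Group hosts whose pages share the same (date, version) pair; one
    fingerprint recurring across unrelated hosts points at one actor or one
    kit, as the WAMU post argues."""
    groups = {}
    for host, html in pages.items():
        fp = extract_fingerprint(html)
        groups.setdefault((fp["date"], fp["version"]), []).append(host)
    return groups


# Constructed sample pages (not captured from real sites).  The dates and
# version numbers are the ones the two posts mention.
LIVE = '<!-- version: 29 --><script>var g_dtToday = new Date("03/23/2005");</script>'
KIT_OCT = '<!-- version: 24 --><script>var g_dtToday = new Date("10/29/2004");</script>'
KIT_MAY = '<!-- version: 17 --><script>var g_dtToday = new Date("05/23/2004");</script>'
SUSPECTS = {"host-a.example": KIT_OCT, "host-b.example": KIT_OCT, "host-c.example": KIT_MAY}

if __name__ == "__main__":
    for host, html in SUSPECTS.items():
        print(host, staleness(LIVE, html))
    for key, hosts in cluster_by_fingerprint(SUSPECTS).items():
        print(key, hosts)
```

On the constructed samples the October kit is 145 days and 5 versions behind the live page and the May kit 304 days and 12 versions behind; the two hosts serving the October kit fall into one cluster. The same markers that make a spoof look stale are what let you tie separate spoof sites back to one kit.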

Comments off
