Wednesday, 9 September 2009

How To Get Phished

Too Much Information

Bosnia and Herzegovina, Croatia, Macedonia, Montenegro, Slovenia and Serbia, including the autonomous provinces of Vojvodina and Kosovo, were until 1991 all grouped together under a single country name, Yugoslavia.

They had one Air Force, in which my friend was a jet fighter pilot. Around the time of the great breakup, he moved to Scotland. Here he spent some time as a local council gardener, before starting, along with two boring accountant types (their own words), his own Computer Systems sales company.

With that background, you'll be unsurprised to hear, he was indisputably the most eccentric member of that group. And so yesterday, I was equally unsurprised to receive the following MSN message from him(1):


Here we go, I thought. He's Photoshopped my face into some German watersports pictures, or something similar. That crazy guy, always SHOUTING, this type of nonsense is just absolutely typical of him!

I forgot about it until today, when I noticed him logging in. It had been a recognisably genuine message from a known, reliable source; so I clicked on the first link.

Hello, what's this?

"Reported Web Forgery!" replied Firefox(2).

Remarkably, I'd already become so convinced that the original MSN message was real that I took note of the warning and still clicked through (using the handy "Ignore this warning" link at the bottom right), fully expecting to discover some new Web 2.0 mashup or spoofing technique he'd recently mastered and wanted to show off. What I found instead was a login screen. Only then did the proverbial penny drop!

The slightly ungrammatical prompt wasn't really a giveaway, since of course English isn't my friend's first language. It was just the fact that I was being asked to provide my login details, without having any clear understanding of exactly why these would be needed in order to show me what I'd assumed was going to be a few vaguely dirty and not-very-funny pictures.

Well, no thanks...

I tried contacting my friend by phone, but there was no answer. Using MSN, I then got him to identify himself by answering a couple of questions, after which I conveyed that his MSN account was compromised, and he should change his password.

Later, after researching - ok, Googling - the issue, I went through the handshake protocol again, this time advising an immediate and full antivirus scan. The exploit already seems to have quite a number of variations, some of which might be more malicious than others.

As an example of social engineering, this exploit owes much of its near-success with me to sheer luck. The style of the SHOUTING, the rest of the message, and the implied content were all just so absolutely typical of the person the message purported to be from. That was a pure coincidence: nobody else I know could even conceivably have sent that particular message. Still, it reinforces the need to be on guard - at all times.

(1) Obviously I've mangled the actual content, including the site address!
(2) The same operation in IE8 gave no such warning.
