January 2010

Phishers get big mileage by using info that looks credible

Gary Warner posted a sample of email recently used in a phishing attack against the American Banking Association. The email lures visitors to a malware drop site that hosts the Zeus/Zbot trojan. The email itself presents a great "teaching opportunity" to explain how phishers will frequently use information that is credible, alarming, and phony to convince recipients that the email is legitimate and that acting on the request in the email is safe.

What sort of information is both credible and phony? Let's start with keywords in a Subject line. Subject lines in phish email associated with the ABA attack include "unauthorized transaction" and "billed to your account". "Transaction" is a word we associate with correspondence from banks and e-merchants, so it's credible. "Unauthorized" and "billed to your account" set off alarms in our heads. The ABA phishers use these lures to make the recipient read the message, where they set the hook with the bait: a dollar amount and a transaction ID, for example:

Amount of transaction: $1781.30
Transaction ID: 7980-9779263

The amount is typically set to a value that would raise suspicion. The Transaction ID is entirely random, but it passes the "looks like a duck, swims like a duck, must be a duck" test. Phishers include this information to lend credibility to the message. They exploit the fact that statistically few of us have eidetic memories or keep records of our transactions close at hand. They expect that victims will falsely conclude, "only my bank or merchant would know these details, so it's safe for me to do whatever this email asks of me". They visit the phish site and thus fall for the phish: hook, line, and sinker.
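The lure pattern described above (an alarming subject, a dollar amount and a transaction-ID-looking token that the recipient cannot verify, plus a link to act on) can be scored mechanically on the defender's side. This is an added example written for this page, not code from the original post; the phrase list, the regular expressions, the two sample messages and the link domain are constructed assumptions, and the amount and ID in the phish sample are the ones quoted in the post.

```python
import re

# Alarm phrases taken from the subject lines the post describes (constructed list).
ALARM_PHRASES = ("unauthorized transaction", "billed to your account")
# A dollar figure such as $1781.30 or $1,781.30.
AMOUNT_RE = re.compile(r"\$\d[\d,]*(?:\.\d{2})?")
# "Transaction ID: 7980-9779263" style tokens: a label followed by dash-separated groups.
TXN_ID_RE = re.compile(
    r"\b(?:transaction|reference|confirmation)\s*(?:id|number|#)\s*[:#]?\s*"
    r"([A-Z0-9]{3,}(?:-[A-Z0-9]{3,})+)\b",
    re.I,
)
LINK_RE = re.compile(r"https?://\S+", re.I)


def score_lure(subject: str, body: str) -> dict:
    """Count how many elements of the credible-but-phony lure a message carries.

    Each matched element is a reason; three or more together is the full pattern
    the post describes, and the message is flagged for a closer look.
    """
    reasons = []
    if any(phrase in subject.lower() for phrase in ALARM_PHRASES):
        reasons.append("alarm phrase in subject")
    if AMOUNT_RE.search(body):
        reasons.append("dollar amount cited")
    if TXN_ID_RE.search(body):
        reasons.append("transaction id cited (unverifiable by recipient)")
    if LINK_RE.search(body):
        reasons.append("link to act on")
    return {"score": len(reasons), "reasons": reasons, "suspicious": len(reasons) >= 3}


# Constructed sample messages; the link domain is a reserved placeholder.
PHISH_SUBJECT = "Unauthorized transaction billed to your account"
PHISH_BODY = (
    "Dear customer,\n"
    "An unauthorized transaction was billed to your account.\n"
    "Amount of transaction: $1781.30\n"
    "Transaction ID: 7980-9779263\n"
    "Review the details at http://example.invalid/review\n"
)
BENIGN_SUBJECT = "Your statement is ready"
BENIGN_BODY = "Your January statement is available. Log in as usual to view it."

if __name__ == "__main__":
    print(score_lure(PHISH_SUBJECT, PHISH_BODY))    # score 4, suspicious
    print(score_lure(BENIGN_SUBJECT, BENIGN_BODY))  # score 0
```

The point the scorer makes explicit is that a dollar amount and an ID are weighed as lure ingredients, never as evidence of legitimacy, since the recipient has no way to check them against the sender.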

RSS: underappreciated technology or unobtrusive?

David Strom ended 2009 with a commentary on Really Simple Syndication (RSS), stating "it has been one of the most significant technologies that Rodney Dangerfield would say 'got no respect'. Providing the connective glue behind most social media, linking various Web sites for automatically posting content, being able to Webify various other protocols — RSS is the tech that most of us now take for granted."

In a personal email, I commented back to David, "Do you want appreciation or fanfare for RSS?"

Technology is a curious beast, embraced by the broadest collection of cultures imaginable. On one cultural extreme, we have the web-evolved-to-social-media cultists. Obsessed with content distribution, anything worthy of appreciation must surely go viral - and spectacularly so - or it's either unimportant or under-appreciated. The opposing cultural extreme, Old School Internetters, think quite differently. Old Schoolers have seen hundreds of technologies introduced, each heralded as the next, most disruptive, experience-altering, wildly beneficial breakthrough in communications. But Old Schoolers understand that a technology must weather the test of time, prove to scale commensurately with the growth of the Internet itself, outlast all wannabes and challengers, and in a true Heideggerian sense, become unobtrusive before it earns respect.

For an Old Schooler, there is no greater demonstration of appreciation of a technology than to use it until it eventually becomes unnoticed, unchallenged, and undisputed, or it reaches end of life. TCP and IP have achieved this happy state. Ethernet has (the MAC, not the underlying media). So has the web. If you think other technologies have, share them - comment!

RSS has experienced a rate of adoption and acceptance few applications have enjoyed, the web included. Practically no one who uses it today can tell you how the protocol works. Most folks who syndicate their content do so using automation (feed managers, RSS creator wizards...), and the overwhelming majority would stare blankly at the XML file hidden beneath a subscribe or add-feed button or hyperlink. Nothing has come close to challenging RSS in terms of ubiquity and utility. People treat it matter-of-factly.

Unobtrusive? Yes. Under-appreciated? I think not.