Previous month:
February 2010
Next month:
April 2010

March 2010

Offline phishing: nasty attacks that phish with a fax

While driveby malware downloads and browser in the middle attacks capture imaginations and headlines, a recent thread on an antiphishing discussion list highlights that criminals are happy to go Old School when low tech provides a convenient means to steal identities.

Offline phishing convinces victims to fax personal or sensitive information to a phone number provided in an email message. The email message may include a form to print and send by fax, or it may ask for a copy of a document containing personal information. The attacker doesn't require botnets or a heavy tech footprint to receive fax. He can utilize "use once then throw away services" - free fax-to-email services and free email accounts that set a low bar for user verification or have poor defenses to counter automation - and access these from public Internet kiosks.

A typical tax refund phish or bank phish asks targets to visit a hyperlink. An offline phish asks the target to submit personal information via a fax. Putting on my creative criminal hat, I can imagine that an offline phish could be very persuasive:

Dear customer,

As part of our continuing efforts to improve our electronic services, and because of the growing concern over phishing, we are discontinuing the use of email messages containing hyperlinks to our secure site.

We are implementing a secure fax submission process for updating our records. Our fax service is not connected to the Internet so your correspondence will remain confidential and secure.

Please fax the attached form to submit a new login and password for your account to <number>.

Offline phishing attempts to defeat antiphishing education that discourages mail users from clicking on hyperlinks in email they receive. Phishers expect that the absence of hyperlinks will convince certain users that this mail is legitimate. Any financial institution, healthcare or government agency is as vulnerable to this form of phishing as hyperlink based phishing.

All the conventional advice to protect yourself against phishing apply to offline phishing. Read the message carefully. Don't act in haste. Contact your bank or agency using contact information other than what you receive in the email message. Ask them to verify the new process.

Survey of commercial firewall security features for IPv6

ICANN's Security and Stability Advisory Committee (SSAC) is conducting a survey to collect information regarding the availability of IPv6 support among commercial firewalls and security systems.

This is an update of a survey SSAC conducted in 2007. The committee expects that the responses will provide the community with some insight into the ease or challenges it will face as we exhaust IPv4 addresses and adopt IPv6 at increasingly faster rates. The meta-issues the committee hopes to explore include:
  • How broadly is IPv6 transport supported by commercial firewalls?
  • Is IPv6 support available from commercial firewalls for all market segments?
  • Which commonly used security enforcement features can be deployed from commercial firewalls when IPv6 transport is used?
  • Can an organization enforce a security policy from commercial firewalls when using IPv6 that is commensurate to a policy currently supported when IPv4 is used?
The formal public announcement for the survey is posted at ICANN here.

Vendors of commercial firewalls and business users are invited to participate in the survey online here.