
The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [51]
after the greeting line, and the garbled text about “our valued customer service with excellent service”). He clicked on the link, entered the information requested—name, address, phone number, and credit card information—and sat back to wait for the five-dollar credit to show up on his next credit-card bill. What showed up instead was a list of charges for items he never purchased.

Analyzing the Con

Edgar had been taken in by a commonplace Internet scam. It’s a scam that comes in a variety of forms. One of them (detailed in Chapter 9) involves a decoy login screen created by the attacker that looks identical to the real thing. The difference is that the phony screen doesn’t give access to the computer system that the user is trying to reach, but instead feeds his username and password to the hacker.

Edgar had been taken in by a scam in which the crooks had registered a Web site with the name “paypal-secure.com”—which sounds as if it should have been a secure page on the legitimate PayPal site, but it isn’t. When he entered information on that site, the attackers got just what they wanted.

MITNICK MESSAGE

While not foolproof (no security is), whenever visiting a site that requests information you consider private, always ensure that the connection is authenticated and encrypted. And even more important, do not automatically click Yes in any dialog box that may indicate a security issue, such as an invalid, expired, or revoked digital certificate.

VARIATIONS ON THE VARIATION

How many other ways are there to deceive computer users into going to a bogus Web site where they provide confidential information? I don’t suppose anyone has a valid, accurate answer, but “lots and lots” will serve the purpose.

The Missing Link

One trick pops up regularly: sending out an email that offers a tempting reason to visit a site, and provides a link for going directly to it. Except that the link doesn’t take you to the site you think you’re going to, because the link actually only resembles a link for that site. Here’s another example that has actually been used on the Internet, again involving misuse of the name PayPal:

At a quick glance, this looks as if it says PayPal. Even if the victim notices, he may think it’s just a slight defect in the text that makes the “I” of Pal look like an “i.” And who would notice at a glance that:

uses the number 1 instead of a lowercase letter L? There are enough people who accept misspellings and other misdirection to make this gambit continually popular with credit card bandits. When people go to the phony site, it looks like the site they expected to go to, and they blithely enter their credit card information. To set up one of these scams, an attacker only needs to register the phony domain name, send out his emails, and wait for suckers to show up, ready to be cheated.
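The three deceptions described in this chapter (a brand name buried in an unrelated registered domain such as “paypal-secure.com”, a digit or capital letter standing in for a lowercase L, and a link whose visible text names one site while its href points at another) can all be caught mechanically before a user ever clicks. The following is an added example written for this page, not code from the book or from PayPal or eBay; the protected-brand table, the confusable-character map and the sample links are constructed for illustration, and the registrable-domain helper deliberately uses a two-label rule rather than the public suffix list.

```python
"""Flag lookalike links of the kinds described in the text.

Added example (not from the book). Given the visible text of a link and the
URL it really points to, report:
  * a host that imitates a protected brand through digit/letter substitution
    (paypa1.com for paypal.com);
  * a brand name embedded in an unrelated registrable domain
    (paypal-secure.com, ebay.com.example.net);
  * link text that shows one domain while the href leads to another.
"""
import re
from typing import List, Optional
from urllib.parse import urlparse

# Constructed table: brands we protect and the domain each legitimately uses.
PROTECTED_BRANDS = {"paypal": "paypal.com", "ebay": "ebay.com"}

# Characters a hurried eye reads as letters. Capital I is handled separately
# because str.lower() would turn it into 'i' before we could map it to 'l'.
CONFUSABLES = str.maketrans({"1": "l", "|": "l", "0": "o"})

# Visible link text that looks like a host or URL (e.g. "www.paypal.com",
# "PayPaI.com", "http://PayPa1.com/login").
HOSTLIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.\-]+\.[A-Za-z]{2,})(?:[/:?#].*)?$")


def normalize_host(host: str) -> str:
    """Undo the substitutions a reader's eye performs: I -> l, 1 -> l, 0 -> o."""
    return host.replace("I", "l").translate(CONFUSABLES).lower()


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: a real tool would consult
    the public suffix list so that 'bank.co.uk' is not reduced to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_in_text(text: str) -> Optional[str]:
    """Return the host the link text appears to name, or None if it is plain prose."""
    match = HOSTLIKE.match(text.strip())
    return match.group(1) if match else None


def check_link(text: str, href: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return ["href has no host"]
    reg = registrable_domain(host)
    normalized = normalize_host(host)
    norm_reg = registrable_domain(normalized)

    for brand, legit in PROTECTED_BRANDS.items():
        if reg == legit:
            continue  # the brand's genuine domain; nothing to report for this brand
        if norm_reg == legit:
            findings.append(f"homoglyph domain {reg!r} imitates {legit!r}")
        elif brand in normalized:
            findings.append(f"brand {brand!r} appears in unrelated domain {reg!r}")

    shown = host_in_text(text)
    if shown:
        # What the reader perceives (after undoing I/1/0 tricks) versus where the link goes.
        shown_reg = registrable_domain(normalize_host(shown))
        if shown_reg != reg:
            findings.append(f"link text shows {shown_reg!r} but href goes to {reg!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample links, modelled on the tricks described in the chapter.
    samples = [
        ("PayPal", "https://www.paypal.com/login"),
        ("www.paypal.com", "http://www.paypa1.com/cgi-bin/login"),
        ("PayPaI.com", "http://paypal-secure.com/verify"),
        ("eBay", "http://www.ebay.com.example.net/login"),
        ("Click here to claim your $5 credit", "http://www.paypal.com/"),
    ]
    for text, href in samples:
        print(f"{text!r} -> {href}")
        for finding in check_link(text, href) or ["ok"]:
            print("   ", finding)
```

Run over an inbound mail's anchors, this yields a finding per deception rather than a verdict; the useful part is that it checks the registrable domain of the href, not the hostname as a whole, which is exactly what “paypal-secure.com” and “ebay.com.example.net” rely on readers failing to do.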

In mid-2002, I received an email, apparently part of a mass mailing that was marked as being from “Ebay@ebay.com.” The message is shown in Figure 8.1.

Figure 8.1 The link in this or any other email should be used with caution.

Victims who clicked on the link went to a Web page that looked very much like an eBay page. In fact, the page was well designed, with an authentic eBay logo, and “Browse,” “Sell” and other navigation links that, if clicked, took the visitor to the actual eBay site. There was also a security logo in the bottom right corner. To deter the savvy victim, the designer had even used HTML encryption to mask where the user-provided information was being sent.

It was an excellent example of a malicious computer-based social engineering attack. Still, it was not without several flaws.

The email message was not well written; in particular, the paragraph beginning “You received this notice” is clumsy and inept (the people responsible for these hoaxes never hire a professional to edit their copy, and it always shows). Also, anybody who was paying close attention would have become suspicious about eBay asking for the visitor’s PayPal information; there is no reason eBay would ask
