[Full-disclosure] [HV-PAPER] Anti-Phishing Tips You Should Not Follow

Mike Nice niceman at att.net
Sat Apr 1 07:13:48 BST 2006


1) Any different social engineering besides "login to your bank
account".  For example, "Chase will pay you $20 to fill out a short
survey!"  (of course, after filling out the survey you must provide
your debit card number or account login information to get the $20).

    This should be tip #5, back to the old 'don't click on anything from 
your bank in an E-mail - for any reason'.

3) Any attack that spoofs the SSL cert box (The Codefish web site had
a good example...whatever happened to Codefish, anyway?...pharming,
MITM, and type-alike can fit in here, too)

   Tip #4 works precisely because it defeats pharming, MITM and type-alike. 
The Cert box is nearly impossible to spoof because you would have to spoof 
the actual bank's certificate.  Any error and your browser will pop up a 
warning dialog that the host name on the SSL cert doesn't match the name of 
the host.  That's only assuming that some corrupt CA hasn't issued a 
second SSL cert for the real bank host name.
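
Added illustration (not code from the original post, and not any browser's
actual implementation): the host-name-against-certificate comparison that
produces the "host name on the SSL cert doesn't match" warning described
above, plus the corrupt-CA caveat.  The certificates are constructed samples
in the dict shape that Python's ssl.SSLSocket.getpeercert() returns, and every
host name (bank.example, bank-example.com, "Some Corrupt CA") is hypothetical.

```python
# Constructed sample: the real bank's certificate, as the browser sees it.
BANK_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "subjectAltName": (
        ("DNS", "www.bank.example"),
        ("DNS", "bank.example"),
        ("DNS", "*.login.bank.example"),
    ),
}

# Constructed sample: the only kind of certificate a pharming or MITM host
# can legitimately present, i.e. one issued for its own (type-alike) name.
ATTACKER_CERT = {
    "subject": ((("commonName", "www.bank-example.com"),),),
    "subjectAltName": (("DNS", "www.bank-example.com"),),
}

# Constructed sample for the caveat in the post: a certificate for the REAL
# bank name, but issued by a corrupt CA.  The name check below cannot tell it
# from BANK_CERT; only the trust decision about the issuer could.
ROGUE_CA_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "subjectAltName": (("DNS", "www.bank.example"),),
    "issuer": ((("commonName", "Some Corrupt CA"),),),
}


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison of one dNSName entry against the host the
    user typed: case-insensitive, trailing dot ignored, and a wildcard is
    honoured only as the entire left-most label, matching exactly one label
    (*.login.bank.example covers a.login.bank.example, not a.b.login.bank.example
    and not login.bank.example)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # Reject partial wildcards (w*.bank.example) and wildcards with fewer than
    # two labels after them (*.example); browsers reject both.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def _cert_names(cert):
    """Names the certificate claims.  SAN dNSName entries are authoritative;
    the subject CN is used only when no dNSName exists, which is how browsers
    of the period treated older certificates."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return names


def hostname_matches_cert(cert, hostname):
    """True if any name in the certificate covers the requested host."""
    return any(_dns_name_matches(n, hostname) for n in _cert_names(cert))


def browser_verdict(cert, requested_host):
    """What the cert box reports for the host in the address bar: 'ok', or
    the mismatch warning.  Deliberately a name check only: who signed the
    certificate is a separate question, which is exactly the corrupt-CA gap."""
    if hostname_matches_cert(cert, requested_host):
        return "ok"
    return "warning: host name %s does not match certificate name(s) %s" % (
        requested_host, ", ".join(_cert_names(cert)))


if __name__ == "__main__":
    cases = [
        (BANK_CERT, "www.bank.example", "user at the real site"),
        (BANK_CERT, "a.login.bank.example", "wildcard covers one label"),
        (BANK_CERT, "a.b.login.bank.example", "wildcard does not span two"),
        (ATTACKER_CERT, "www.bank.example", "pharming/MITM with own cert"),
        (ROGUE_CA_CERT, "www.bank.example", "corrupt CA, real name"),
    ]
    for cert, host, label in cases:
        print("%-30s %s" % (label, browser_verdict(cert, host)))
```

Pharming, MITM and type-alike all fail the name check because the attacker
has to present a certificate for the name the user typed, and the rogue-CA
case passes it for the same reason: the check compares names, never issuers.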




Full-Disclosure is hosted and sponsored by Secunia.