[ news_security_news ]
Phishers Could Trawl With Pre-Phishing Attacks
David Utter
Staff Writer
2007-04-24
 Security News RSS Feed
If a pre-phishing attack works, it gives up a couple of pieces of information to the attacker: a username and password combo for a 'non-critical' website, and the fact the recipient might be credulous enough to fall for other phishing attacks.
Patience may be a virtue for some online criminals. A minor phishing attempt could lead to a greater payoff later, setting the scenario for future attempts to make illicit financial gains.
Symantec researcher Nick Sullivan discussed the concept of pre-phishing on their Security Response Weblog. This reconnaissance lets the attacker find out just how successful other phishes could be, if a non-critical site phish works first.
"A site is considered non-critical if access does not give an attacker an immediate financial payoff. Examples of non-critical sites are Web-based email accounts and social networking sites," Sullivan said.
After a successful phish, the attacker has a login combination that could work on other sites. To get an idea of places to try, Sullivan wrote how a spammer could place a CSS history hack on the phishing website to grab a list of places the person visits.
If that yields sites like online banking or retailers, the criminal can try to login with the stolen non-critical credentials. A valid login will probably lead to a quick theft of funds, or an order from a retailer that would be directed to another address.
"Each successful pre-phishing recon attack will give an attacker a profile to be used in future context-aware attacks," said Sullivan. "The type of context-aware phishing attacks that can be thought up using this set of information is limited only by the attacker's creativity."
---
 
Tags: Phishing, Computer, Security
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.
More news_security_news Articles
Security News RSS Feed
|
|
RSS
Archive
Contact Us
Advertise
