Google warns journalists and professors: Your account is under attack

From Ars Technica:

A Google spokesman, citing this overview of the warnings, said it’s possible that the recent flurry may refer to hacking attempts that happened over the past month, as opposed to events that occurred more recently. He said Google officials deliberately delay warnings to prevent those behind the attacks from learning researchers’ sources and methods for detecting the attacks. The delays apply only to attack attempts, rather than cases where attacks result in a successful account takeover.

Phishing and account takeover is a very real threat. Yes, particular persons are sometimes targeted because they are personally identified as ‘high value targets’. However, persons antecendent to them are also targeted because high value targets can be more mindful of possible efforts to phish their credentials, while less mindful about clicking links from friends and family. As a result, the persons who the high value target communicates with may be used as the proxy to attacking the high value target.

Do you know someone who might be a target? Such as a prominent lawyer, business person, or politician? Or just someone who, themselves, would have access to such prominent persons or to sensitive information? If so, then you could be targeted by a sophisticated attacker not because you, yourself, are interesting but because you’re a gateway to those who are.


This is the problem. Against a sufficiently skilled, funded, and motivated adversary, no network is secure. Period. Attack is much easier than defense, and the reason we’ve been doing so well for so long is that most attackers are content to attack the most insecure networks and leave the rest alone.

* Bruce Schneier, “Phishing Has Gotten Very Good

The Financial Liability Game

Ars Technica has reported that a German court has found a victim of a phishing attack liable for successfully being phished. The finding is, at least in part, based on the bank’s position that they had previously warned customers about phishing attacks.

The court’s placement of liability is significant for a variety of reasons. Of course it’s important that the individual was victimized. The liability placement also defers expenses (likely through insurance) that the bank would have to assume were they at least partially liable for the customers’ actions. This said, we can understand (and perhaps disagree…) that, from a liberal position, individual citizens are responsible for their actions.

What is most significant are the consequences of placing liability on the individual. Specifically, it reduces the incentive that banks have to exercise their influence to address phishing. I’m not suggesting that the banks could hope to eliminate phishing by waving a gold-plated wand, but they are financially in a position to influence change and act on a global scale. Individuals – save for the ultra-rich – lack this degree of influence and power. While banks will be motivated to protect customers – and, more importantly, their customers’ money – if banks were found even partially liable for successful phishing attacks they would be significantly more motivated to remedy these attacks.


Poison Texts Targeting Mobile Phones

While smartphones get in the news for security reasons related to mobile malware, it’s important that we not forget about the other means of attacking mobile phones. USA Today has a piece which notes that,

One type of poison text message involves tricking people into signing up for worthless services for which they get billed $9.99 a month. Another type lures them into doing a survey to win a free iPhone or gift card. Instead, the attacker gets them to divulge payment card or other info useful for identity-theft scams. “Malicious attacks have exploded well beyond e-mail, and we are very aware of their move to mobile,” says Jacinta Tobin, a board member of the Messaging Anti-Abuse Working Group, an industry group combating the problem.

This approach is really just phishing using text messages. It’s significant, but not necessarily something that we should get particularly jumpy about. The same article recognizes that “hackers are repurposing skills honed in the PC world to attacks on specific mobile devices. Particularly, handsets using Google’s Android operating system are frequently the target of hackers.” What is missing in the article is a recognition that text-based phishing can be made considerably more effective if an individual’s smartphone has already leaked considerable amounts of personal data to the attacker via a third-party application. This is the scenario we should be leery of.

Specifically: we can easily imagine a situation where a hostile application that has been installed on a smartphone acquires enough personal information that an attacker can engage in targeted spear phishing. By getting name, address, names of friends and family, places of employment, recent photos that are geotagged, and so forth, it is possible to trick individuals by text messages to ‘give up’ information. Moreover, by first compromising devices attackers can better target specific individuals based on how the phishermen have profiled device owners: they can be choosy and target those who would either be most vulnerable or best resourced. It’s the integration of two known modes of attack – phishing and compromising smart devices – that will be particularly devastating far in excess of either attack vector on its own.


Phishing on Mobile Devices

A good paper on (you guessed it!) phishing on mobile devices. Paper is here (.pdf) and abstract is below.

We assess the risk of phishing on mobile platforms. Mobile operating systems and browsers lack secure application identity indicators, so the user cannot always identify whether a link has taken her to the expected application. We conduct a systematic analysis of ways in which mobile applications and web sites link to each other. To evaluate the risk, we study 85 web sites and 100 mobile applications and discover that web sites and applications regularly ask users to type their passwords into contexts that are vulnerable to spoofing. Our implementation of sample phishing attacks on the Android and iOS platforms demonstrates that attackers can spoof legitimate applications with high accuracy, suggesting that the risk of phishing attacks on mobile platforms is greater than has previously been appreciated.