PayPal Plans To Ban Unsafe Browsers

Alternative Details brings news that PayPal is developing a plan to stop users from accessing its financial services if they aren’t using browsers with anti-phishing protection. PayPal is recommending the use of blacklists, anti-fraud warning pages, and EV SSL certificates. Browsers without anti-phishing features will be considered "unsafe." It seems likely Safari will be included in this category given PayPal’s warning about the Apple browser last month.

"‘At PayPal, we are in the process of reimplementing controls which will first warn our customers when logging in to PayPal of those browsers that we consider unsafe. Later, we plan on blocking customers from accessing the site from the most unsafe–usually the oldest–browsers,’ he declared. Barrett only mentioned old, out-of-support versions of Microsoft’s Internet Explorer among this group of ‘unsafe browsers,’ but it’s clear his warning extends to Apple’s Safari browser, which offers no anti-phishing protection and does not support the use of EV SSL certificates."

Source

Posted under Security, Tech News

This post was written by Nicki on April 18, 2008


Undisclosed Data Breach Helped Enable Phishing Scam At University

Officials at Indiana University have concluded that a 2006 phishing attack against university members was made possible by an earlier breach of one of the university’s main servers. This all came to light when one recipient of a phishing email — a cybersecurity Ph.D. student — wondered how an attacker could get his university email address, since he had never given it out to anyone. After requesting documents under the Indiana Public Records Act, the student discovered that the university had previously suffered an undisclosed breach, which is how the attacker obtained his information. This simple story underlines some important points. It shows that breaches aren’t harmless; even if the stolen data isn’t immediately used for direct fraud, it’s likely to be used in other ways down the road. If stolen data can help a phisher do a better job of personalizing an email to make it look more legitimate, then that stolen data has value. The case also demonstrates the importance of disclosure. People whose data is lost need to be aware of it so that they can be on guard for fraud. When we hear about massive losses of data, such as the incidents at the Veterans Administration or TJ Maxx, it’s easy to get lost in the staggering numbers and think of it all as an abstraction. But this incident shows, along with others before it, that breaches do have real consequences for the victims.

Source

Posted under Security

This post was written by Nicki on April 17, 2007


New Tool Hunts Phishers

There is a guy developing a web-based tool called Crows Nest that hunts for web sites used for phishing. Pretty nifty tool; you can see the author’s website here.

Jackson, a 26-year-old developer from New Bedford, Massachusetts, who works for the Massachusetts Department of Public Health, is spending his spare time on a Web-based application called Crows Nest. It’s designed to alert users when newly-registered domain names that are likely to be used as phishing sites go live on the Internet.

Source

Posted under Security, Software

This post was written by Nicki on April 5, 2007


Phishing threats triple

Online identity theft threats tripled in the first two months of 2007 as attackers shifted to simpler, more effective tactics, according to Cyveillance.

The risk monitoring company compiled data from its internet sweeps to report that the average daily count of URLs hosting malicious downloads climbed to 60,000 in February, 200 percent over the December 2006 figure. A single-day spike mid-month came close to 140,000 such sites.

“The traditional phishing technique is being replaced by putting a URL in the email,” said Manoj Srivastava, Cyveillance’s CTO. “The trend now is to use the browser as the attack vector.”

Phishing attacks have shifted from the usual emails that try to con users into visiting reproductions of legitimate pages, then duping them into entering their personal information. Instead, thieves simply stick a link in an email message and count on users’ gullibility.


Posted under Security

This post was written by Nicki on April 1, 2007
