July 28, 2008
No Mail, we’re iPhone users.
In a surprising piece of news it seems that the iPhone 3G – Apple’s impressive-looking but feature-lacking device – is vulnerable to phishing attacks. I know, I know. Who’d have thought it?
Security researcher Aviv Raff exposed the hole, metaphorically speaking, on his personal blog.
“By creating a specially crafted URL, and sending it via an email, an attacker can convince the user that the spoofed URL, shown in the mail application, is from a trusted domain. When clicking on the URL, the Safari browser will be opened. The spoofed URL, shown in the address bar of the Safari browser, will still be viewed by the victim as if it is of a trusted domain.”
As if that wasn’t enough, he also “PS’d” that Apple’s mail application – inventively called “Mail” – is spammable.
“This is a basic security design flaw which might already be exploited in-the-wild. iPhone users should consider [not] using the Mail application until Apple fixes this issue, unless they want to be spammed.”
So, in summary: don’t trust the emails you get and, in fact, don’t use the iPhone’s email application at all. If only we had a visual way to recognise legitimate emails…
One hundred and eeeeiigghtyy!
That clichéd subject line refers to the increase in bank phishing scams in the first six months of 2008: 21,000 attacks were recorded up to the end of June, a rise of more than 180%.
Sandra Quinn of banking body Apacs stated the obvious:
“We strongly urge banking customers to make sure they remain wary of online scams such as unsolicited e-mails claiming to be from their bank.”
More than 21 million people in the UK are now using online banking and with faster transaction processing set to encourage more and more users to their bank’s website, the risks will increase even more.
While we’re on the subject
This one looks nasty. Phishers have changed their approach slightly for a new attempted fraud which some analysts say could become the first “$1m phishing fraud”.
Rather than select a single financial institution and send out a million emails hoping to catch a percentage of recipients who are with that bank, this new method invites intended victims to actually identify which bank account they’d like to be scammed from.
Presented with a drop-down box listing banks, the uninitiated are offered the chance to win a huge money prize or an all-expenses-paid holiday if they log in to their bank and join a casino reward programme. David Franklin of Internet intelligence specialists Envisional said:
“Despite all the previous warnings to consumers, a phishing attack on a single bank’s customers often leads to losses of up to $100,000. But this attack is unusual, fairly subtle and targeted at 12 banks at once. Many more people will be taken in by this two-stage approach.”
Oh well, let’s look at the bright side. I suppose the good thing about world recession is that none of us will have any money left to be scammed out of.
Update…update…update…update
That was meant to mimic a TV news ticker – but without the motion. Which I suppose renders it as merely “a sentence”.
We reported on the Romanian-based phishing group who were charged back in May, and news reaches us this week that one of them – 22-year-old Ovidiu-Ionut Nicola-Roman – has pleaded guilty.
Prosecutors have estimated that Nicola-Roman was responsible for $400,000 in fraud and could go to prison for about four years (the story said 46-57 months but I get fed up doing advanced mathematics in my head in order to find out how much that is in real time).
He will be sentenced on October 10th and I might throw a cook-out that night to celebrate if you’d like to come?