Broadband Tech > Security > Security > Using the HTML5 Fullscreen API for Phishing Attacks

reply to Name Game

Re: Using the HTML5 Fullscreen API for Phishing Attacks

Firefox 15.0.1

reply to Snowy

reply to Name Game

"I'm sure you're not agreeing with his claim that 10% of web users presented with a live page would become phish statistics."

If you are sure..then why ask..there is nothing to clarify..I did not mumble my words...your age thingie is funny too.

And on that I disagree..

Losses keep escalating over the years.. The IT bank peps are behind the power curve and much of it really goes unreported as individual banks struggle for competition. Friend in the business told me it is embarrassing.

Phishing FAQs
The cost of phishingPhishing FAQs
The cost of phishing

»www.brandprotect.com/catching-a-phish.html

Damage caused by phishing

The damage caused by phishing ranges from denial of access to e-mail to substantial financial loss. It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling approximately US$929 million. United States businesses lose an estimated US$2 billion per year as their clients become victims.[51] In 2007, phishing attacks escalated. 3.6 million adults lost US$3.2 billion in the 12 months ending in August 2007.[52] Microsoft claims these estimates are grossly exaggerated and puts the annual phishing loss in the US at US$60 million.[53] In the United Kingdom losses from web banking fraud—mostly from phishing—almost doubled to GB£23.2m in 2005, from GB£12.2m in 2004,[54] while 1 in 20 computer users claimed to have lost out to phishing in 2005.[55]
The stance adopted by the UK banking body APACS is that "customers must also take sensible precautions ... so that they are not vulnerable to the criminal."[56] Similarly, when the first spate of phishing attacks hit the Irish Republic's banking sector in September 2006, the Bank of Ireland initially refused to cover losses suffered by its customers (and it still insists that its policy is not to do so[57]), although losses to the tune of €11,300 were made good.[58]

»en.wikipedia.org/wiki/Phishing

But back to this "possible" particular attack vector when added to a badboy kit out there and perfected..I think 10% of the people that would test it not knowing what it would do..would do the clicks and input the info.

I see it as a technical vulnerability coupled with the fact the most people that do on-line banking on all devices ..not just PC at home..are not that tech savy..they just want to do the deed and get on with their lives.

My hope is that all browsers..on all devices "out of the box" have a way to stop it without third party proggies.

Back in 2010..

The rise of Zeus is an alarming development, as Zeus is particularly resistant to detection. According to a recent study by Trusteer involving 10,000 computers, 55 percent could not find and remove Zeus, even though they were equipped with the latest updates of their security and antivirus software.
• Traditional bank phishing now comprises about 50 percent of overall phishing, down from almost 60 percent in Q2 2009.

»www.securityweek.com/cybercrimin···us-rises

Phishing attacks as a whole increased 86 percent across the world.

India bands saw a huge increase. The jump from May to April was 187 percent, with every attacked brand being from the banking sector.

»www.proofpoint.com/about-us/secu···00806760

Zeus is not dead and now you have Citadel and Gameover. Christmas is coming..hang on to your short. Citadel is "sold" with support. They don't just sell the trojan.
»www.bankinfosecurity.com/citadel···085/op-1

Gameover is just plain nasty.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

He stated "If this attack were used in the wild, I bet at least 10% of web users would get phished (probably many more)."

I take that to mean 10% would fall for that trick and get Phished. 90% would view it as not coming from the real source..even people that made comments at the site saw it that way.

Are you telling me you think he means 10% of total number of the web users out there ?

This to me makes no sense..

"Because after analyzing tens of thousands of phish campaigns from start to finish I've never seen a 1% return rate or anything even close to 1% which makes any discussion of 10% irresponsible."

Define these return rates. and your tens of thousands.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

"Because after analyzing tens of thousands of phish campaigns from start to finish I've never seen a 1% return rate or anything even close to 1% which makes any discussion of 10% irresponsible."

Now put that in real words..not just your % thingie..what is "return rate" and tell us about "tens of thousand"..and define what you mean by "campaigns"..and I am not trying to pull your chain..but since you used that to make a statement that you thought the authors 10% was wrong and he knew nothing about phish...I have no idea what you are talking about..and I still think at least 10% and maybe more of the peeps that saw a real exploit like the one he just did this POC (proof of concept)..would be clicking away.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

reply to Snowy
Does not work (fully) in SeaMonkey.
You get a bit of bouncing, the music, & the Phish warning, but BoA is never displayed.

Now on visiting his website with NoScript, that gives you a pretty good clue that something is amiss.

> I bet at least 10% of web users would get phished (probably many more)

I would bet on the "probably many more" part, actually.

Very good POC IMO.

I typically don't use FF & have never seen a "fullscreen" warning like that. If I had not, & in particular if I had no idea what feross.org was, & to top it off if I were in the ranks of the clueless (I want to belong :sad:) I can see that Phish catching a LOT of fish.

reply to Snowy

reply to Snowy

quote:

---

I've never seen a 1% return rate or anything even close to 1% which makes any discussion of 10% irresponsible.

---