
Name Game
reply to Snowy

Re: Using the HTML5 Fullscreen API for Phishing Attacks

"I'm sure you're not agreeing with his claim that 10% of web users presented with a live page would become phish statistics."

If you are sure..then why ask..there is nothing to clarify..I did not mumble my words...your age thingie is funny too.


Snowy
said by Name Game:

"I'm sure you're not agreeing with his claim that 10% of web users presented with a live page would become phish statistics."

If you are sure..then why ask..there is nothing to clarify..I did not mumble my words...your age thingie is funny too.

Aah,
Try this, I say the author didn't know what he was talking about when he tossed out the 10% figure.
In the very next post you say
said by Name Game:

Nevertheless I agree with him..even though you have a browser that is up to date and others do too. They all don't have the same features or versions.

What I wanted to post in reply to that was something more like
"Then you don't know what you're talking about too"
but I thought I'd soften it a bit.
So are you talking about things you have no clue about again, or are you going to stand up and prove it's me that's BS'ing my way through the forum?
10% is BS, give me anything that disputes that, anything.


Name Game
said by Snowy:

said by Name Game:

"I'm sure you're not agreeing with his claim that 10% of web users presented with a live page would become phish statistics."

If you are sure..then why ask..there is nothing to clarify..I did not mumble my words...your age thingie is funny too.

Aah,
Try this, I say the author didn't know what he was talking about when he tossed out the 10% figure.
In the very next post you say
said by Name Game:

Nevertheless I agree with him..even though you have a browser that is up to date and others do too. They all don't have the same features or versions.

What I wanted to post in reply to that was something more like
"Then you don't know what you're talking about too"
but I thought I'd soften it a bit.
So are you talking about things you have no clue about again, or are you going to stand up and prove it's me that's BS'ing my way through the forum?
10% is BS, give me anything that disputes that, anything.

Stop musing...

Then since you made the statement..tell us why 10% will not..you threw it out there.. you give the proof.

Ever done online banking with anything besides a PC?
»threatpost.com/en_us/blogs/andro···s-031512
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Snowy
said by Name Game:

Then since you made the statement..tell us why 10% will not..you threw it out there.. you give the proof.

I knew you would be unable to find anything to support your 10%.
Because after analyzing tens of thousands of phish campaigns from start to finish I've never seen a 1% return rate or anything even close to 1% which makes any discussion of 10% irresponsible.

said by Name Game:

Ever done online banking with anything besides a PC?
»threatpost.com/en_us/blogs/andro···s-031512

I won't even access my email from a smart phone.
I just don't know enough about what's under the hood.


Name Game
And on that I disagree..

Losses keep escalating over the years.. The IT bank peeps are behind the power curve, and much of it really goes unreported as individual banks struggle for competition. A friend in the business told me it is embarrassing.

Phishing FAQs
The cost of phishing

»www.brandprotect.com/catching-a-phish.html

Damage caused by phishing

The damage caused by phishing ranges from denial of access to e-mail to substantial financial loss. It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling approximately US$929 million. United States businesses lose an estimated US$2 billion per year as their clients become victims.[51] In 2007, phishing attacks escalated. 3.6 million adults lost US$3.2 billion in the 12 months ending in August 2007.[52] Microsoft claims these estimates are grossly exaggerated and puts the annual phishing loss in the US at US$60 million.[53] In the United Kingdom losses from web banking fraud—mostly from phishing—almost doubled to GB£23.2m in 2005, from GB£12.2m in 2004,[54] while 1 in 20 computer users claimed to have lost out to phishing in 2005.[55]
The stance adopted by the UK banking body APACS is that "customers must also take sensible precautions ... so that they are not vulnerable to the criminal."[56] Similarly, when the first spate of phishing attacks hit the Irish Republic's banking sector in September 2006, the Bank of Ireland initially refused to cover losses suffered by its customers (and it still insists that its policy is not to do so[57]), although losses to the tune of €11,300 were made good.[58]

»en.wikipedia.org/wiki/Phishing

But back to this "possible" particular attack vector when added to a badboy kit out there and perfected..I think 10% of the people that would test it not knowing what it would do..would do the clicks and input the info.

I see it as a technical vulnerability coupled with the fact that most people that do on-line banking on all devices ..not just the PC at home..are not that tech savvy..they just want to do the deed and get on with their lives.

My hope is that all browsers..on all devices "out of the box" have a way to stop it without third party proggies.

Back in 2010..

The rise of Zeus is an alarming development, as Zeus is particularly resistant to detection. According to a recent study by Trusteer involving 10,000 computers, 55 percent could not find and remove Zeus, even though they were equipped with the latest updates of their security and antivirus software.
• Traditional bank phishing now comprises about 50 percent of overall phishing, down from almost 60 percent in Q2 2009.

»www.securityweek.com/cybercrimin···us-rises

Phishing attacks as a whole increased 86 percent across the world.

India brands saw a huge increase. The jump from May to April was 187 percent, with every attacked brand being from the banking sector.

»www.proofpoint.com/about-us/secu···00806760

Zeus is not dead and now you have Citadel and Gameover. Christmas is coming..hang on to your shorts. Citadel is "sold" with support. They don't just sell the trojan.
»www.bankinfosecurity.com/citadel···085/op-1

Gameover is just plain nasty.


Snowy
said by Name Game:

Gameover is just plain nasty.

You can pretend that you posted something that spoke to your 10% belief but you didn't.
I'm not arguing whether phish content is on the rise, decline or losses due to phish content are on the rise or decline etc...
That's an argument you're trying to twist into being the same thing as your 10% argument, which it isn't.

I've already told you that you're not going to find anything to support your 10% argument, & being the prolific searcher that you are you would have found/posted anything that spoke to your uninformed 10% belief by now if it were there.

Stop trying to change the scope of the disagreement, it makes you look trivial.


Name Game
He stated "If this attack were used in the wild, I bet at least 10% of web users would get phished (probably many more)."

I take that to mean 10% would fall for that trick and get Phished. 90% would view it as not coming from the real source..even people that made comments at the site saw it that way.

Are you telling me you think he means 10% of the total number of web users out there?

This to me makes no sense..

"Because after analyzing tens of thousands of phish campaigns from start to finish I've never seen a 1% return rate or anything even close to 1% which makes any discussion of 10% irresponsible."

Define these return rates. and your tens of thousands.


Snowy
said by Name Game:

Are you telling me you think he means 10% of the total number of web users out there?

Nope, he means 10% of the web users that land on such a phish page.
said by Name Game:

"Because after analyzing tens of thousands of phish campaigns from start to finish I've never seen a 1% return rate or anything even close to 1% which makes any discussion of 10% irresponsible."

Define these return rates. and your tens of thousands.

You still can't find anything that supports your 10%.
I suppose you found references that support your 10% belief but have chosen to not post them for some reason.
That's as believable as a 10% success rate for a phish campaign.
Just in case you're being serious & not just trying to deflect attention away from your inability to find even a single reference that supports your 10% belief: tens of thousands = 10K+ phish campaigns that I've personally analyzed from start to finish.


Name Game
"Because after analyzing tens of thousands of phish campaigns from start to finish I've never seen a 1% return rate or anything even close to 1% which makes any discussion of 10% irresponsible."

Now put that in real words..not just your % thingie..what is "return rate" and tell us about "tens of thousands"..and define what you mean by "campaigns"..and I am not trying to pull your chain..but since you used that to make a statement that you thought the author's 10% was wrong and he knew nothing about phish...I have no idea what you are talking about..and I still think at least 10% and maybe more of the peeps that saw a real exploit like the one he just did this POC (proof of concept) of..would be clicking away.


Name Game
reply to Snowy

Social responses
One strategy for combating phishing is to train people to recognize phishing attempts, and to deal with them. Education can be effective, especially where training provides direct feedback.[59] One newer phishing tactic, which uses phishing e-mails targeted at a specific company, known as spear phishing, has been harnessed to train individuals at various locations, including United States Military Academy at West Point, NY. In a June 2004 experiment with spear phishing, 80% of 500 West Point cadets who were sent a fake e-mail from a non-existent Col. Robert Melville at West Point, were tricked into clicking on a link that would supposedly take them to a page where they would enter personal information. (The page informed them that they had been lured.)[60]

Recent phishing attempts
Experiments show a success rate of over 70% for phishing attacks on social networks.

»en.wikipedia.org/wiki/Phishing

Praetorian was hired by a private equity firm to create a phishing campaign against end users to evaluate their employees' susceptibility and the company's responsiveness. To prevent any skewing of the results, only senior management had knowledge of the upcoming test.
The first step of the engagement was to devise a plan of execution. For this scenario, Praetorian decided the highest probability for success would be a phishing campaign that masked itself as an internal company initiative. To that end, Praetorian registered a domain confusingly similar to the company's domain (e.g. www.abc.com and www.abcsecurity.com) and created a site that mimicked the look and layout of the company's official website.
Praetorian then harvested valid employee emails through social networking and sales sites such as LinkedIn and JigSaw. Once the list of harvested accounts was approved by the client, Praetorian sent targeted phishing emails to convince users the company was performing an anonymous, random security audit of user passwords and requested their account credentials to test password strength. Of the random user sample targeted, Praetorian had a twenty-two percent success rate where users voluntarily provided their usernames and passwords. With the credentials in hand, Praetorian could move deeper into the organization's infrastructure via an SSL VPN portal that did not employ two-factor authentication.
The results of the assessment highlighted a need for user awareness and security training as well as the utilization of additional controls such as two-factor authentication. In addition, the equity firm requested follow-on phishing campaigns for metrics and trending analysis as a way to measure the success of the new employee training initiatives.

»www.praetorian.com/penetration-t···-testing
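The lookalike-domain step in the Praetorian write-up quoted above (abc.com vs. abcsecurity.com) is one a defender can screen for in newly registered or newly observed domain names. What follows is an added example, not code from the page, from Praetorian or from any poster in this thread; the brand list (abc.com and a hypothetical examplebank.com), the keyword list and the sample domain names are all constructed for illustration:

```python
# Added example: screen domain names for lookalikes of a brand domain, the
# trick used in the Praetorian engagement (abc.com vs. abcsecurity.com).
# Not code from the page or from Praetorian. Brand list, keyword list and
# the sample domains below are constructed for illustration.
from difflib import SequenceMatcher

# Hypothetical brand domains a defender wants to protect.
BRAND_DOMAINS = ["abc.com", "examplebank.com"]

# Words attackers bolt onto a brand label to suggest an official sub-site.
KEYWORDS = {"security", "secure", "login", "support", "mail", "portal", "hr", "it", "audit"}

# ASCII character pairs that look alike in many fonts. Folding is deliberately
# aggressive (a legitimate "modern" would fold to "modem"), so it is only used
# for comparison, never for display.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def registrable_label(domain):
    """Return the label left of the TLD: 'www.abcsecurity.com' -> 'abcsecurity'.
    Simplified: treats the last label as the TLD, so 'foo.co.uk' would give 'co'.
    A real deployment would split on a public-suffix list instead."""
    parts = domain.lower().strip().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label):
    """Fold common ASCII homoglyphs so 'exarnp1ebank' compares as 'examplebank'."""
    for glyph, plain in HOMOGLYPHS:
        label = label.replace(glyph, plain)
    return label


def classify(candidate, brands=BRAND_DOMAINS):
    """Classify one domain against the brand list.
    Returns (verdict, matched_brand); verdict is one of: legitimate,
    same-label-other-tld, homoglyph, brand-plus-keyword, brand-embedded,
    near-miss, unrelated. Checks run from most to least specific."""
    cand = candidate.lower().strip().rstrip(".")
    raw = registrable_label(cand)
    norm = normalize(raw)
    for brand in brands:
        brand = brand.lower()
        b = registrable_label(brand)
        if cand == brand or cand.endswith("." + brand):
            return "legitimate", brand          # the brand itself or its own subdomain
        if raw == b:
            return "same-label-other-tld", brand  # abc.co for abc.com
        if norm == b:
            return "homoglyph", brand           # exarnplebank.com, examp1ebank.net
        if norm.startswith(b) and norm[len(b):].lstrip("-") in KEYWORDS:
            return "brand-plus-keyword", brand  # abcsecurity.com, abc-login.com
        if b in norm:
            return "brand-embedded", brand      # myexamplebank.com
        # Similarity check for transpositions and single-character slips. Skipped
        # for short brand labels, where almost anything scores high and the
        # check would only produce noise.
        if len(b) >= 6 and SequenceMatcher(None, norm, b).ratio() >= 0.85:
            return "near-miss", brand           # examplebnak.com
    return "unrelated", None


def flag_suspicious(domains, brands=BRAND_DOMAINS):
    """Return (domain, verdict, brand) for every domain that deserves a look."""
    return [(d, v, b) for d in domains for (v, b) in [classify(d, brands)]
            if v not in ("legitimate", "unrelated")]


# Constructed sample: what a day's worth of newly seen domain names might look like.
SAMPLE_DOMAINS = [
    "abc.com", "www.abc.com", "abcsecurity.com", "abc-login.com", "abc.co",
    "examplebank.com", "exarnplebank.com", "examp1ebank.net", "examplebank-support.com",
    "examplebnak.com", "myexamplebank.com", "example.com", "weather.org",
]

if __name__ == "__main__":
    for domain, verdict, brand in flag_suspicious(SAMPLE_DOMAINS):
        print(f"{domain:28} {verdict:22} imitates {brand}")
```

Run as a script it prints the eight flagged names from the sample and drops only those classified as the brand itself or as unrelated. The check is deliberately narrow: the TLD split has no public-suffix list, the homoglyph folding is ASCII-only (IDN/Unicode confusables need a separate table), and a three-letter brand label such as abc will match many innocent names, which is why the similarity check is only applied to longer labels.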


therube

reply to Snowy
quote:
I've never seen a 1% return rate or anything even close to 1% which makes any discussion of 10% irresponsible.
1%, 10%, 90%, I have no clue, & it is really immaterial.

But as someone else said earlier, "Very good POC IMO", & "I can see that Phish catching a LOT of fish" & to me that, & not 1 or 10%, is the point.


Snowy
reply to Name Game
said by Name Game:

Now put that in real words..

You have a funny way of saying that you are unable to find any reference whatsoever to a 10% success rate on phish content.
Zero, zippo, nada, nothing.
The difference between you & me that is creating conflict is that while I accept that I'll make a mistake, you'll just try to BS your way out.
Good luck Mr. Perfection!, that's a heavy but unnecessary load to carry.
I'm done with this thread, I'm conceding that your BS is superior to my tolerance for same.

Edit to add: Your Praetorian example was not an "in the wild" event but a controlled study. Get real, as in real events.


Name Game
Your musings are over for me..you mix apples with oranges and you get bananas...but feel free to make a comment at his site like others have done..

»feross.org/html5-fullscreen-api-attack/

And tell him why he is irresponsible in saying ..

Humans are terrible at spotting subtle changes

If this attack were used in the wild, I bet at least 10% of web users would get phished (probably many more).

and doesn't speak well to his knowledge of phishing.

"Because (you) after analyzing tens of thousands of phish campaigns from start to finish I've never seen a 1% return rate or anything even close to 1% which makes any discussion of 10% irresponsible."

I think he will respond to you.
There are already 127 comments
»news.ycombinator.com/item?id=4629906

»news.ycombinator.com/item?id=4630156
