Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

to Snowy

Re: Using the HTML5 Fullscreen API for Phishing Attacks

said by Snowy:

said by Name Game:

"I'm sure you're not agreeing with his claim that 10% of web users presented with a live page would become phish statistics."

If you are sure..then why ask..there is nothing to clarify..I did not mumble my words...your age thingie is funny too.

Aah,
Try this, I say the author didn't know what he was talking about when he tossed out the 10% figure.
In the very next post you say
said by Name Game:

Nevertheless I agree with him..even though you have a browser that is up to date and others do too. They all don't have the same features or versions.

What I wanted to post in reply to that was something more like
"Then you don't know what you're talking about too"
but I thought I'd soften it a bit.
So are you talking about things you have no clue about again, or are you going to stand up to prove it's me that's BS'ing my way through the forum?
10% is BS, give me anything that disputes that, anything.

Stop musing...

Then since you made the statement..tell us why 10% will not..you threw it out there.. you give the proof.

Ever done online banking with anything besides a PC?
»threatpost.com/en_us/blo ··· s-031512

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI
said by Name Game:

Then since you made the statement..tell us why 10% will not..you threw it out there.. you give the proof.

I knew you would be unable to find anything to support your 10%.
Because after analyzing tens of thousands of phish campaigns from start to finish I've never seen a 1% return rate or anything even close to 1% which makes any discussion of 10% irresponsible.
said by Name Game:

Ever done online banking with anything besides a PC?
»threatpost.com/en_us/blo ··· s-031512

I won't even access my email from a smart phone.
I just don't know enough about what's under the hood.

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI
And on that I disagree..

Losses keep escalating over the years.. The IT bank peeps are behind the power curve and much of it really goes unreported as individual banks struggle for competition. Friend in the business told me it is embarrassing.

Phishing FAQs
The cost of phishing

»www.brandprotect.com/cat ··· ish.html

Damage caused by phishing

The damage caused by phishing ranges from denial of access to e-mail to substantial financial loss. It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling approximately US$929 million. United States businesses lose an estimated US$2 billion per year as their clients become victims.[51] In 2007, phishing attacks escalated. 3.6 million adults lost US$3.2 billion in the 12 months ending in August 2007.[52] Microsoft claims these estimates are grossly exaggerated and puts the annual phishing loss in the US at US$60 million.[53] In the United Kingdom losses from web banking fraud—mostly from phishing—almost doubled to GB£23.2m in 2005, from GB£12.2m in 2004,[54] while 1 in 20 computer users claimed to have lost out to phishing in 2005.[55]
The stance adopted by the UK banking body APACS is that "customers must also take sensible precautions ... so that they are not vulnerable to the criminal."[56] Similarly, when the first spate of phishing attacks hit the Irish Republic's banking sector in September 2006, the Bank of Ireland initially refused to cover losses suffered by its customers (and it still insists that its policy is not to do so[57]), although losses to the tune of €11,300 were made good.[58]

»en.wikipedia.org/wiki/Phishing

But back to this "possible" particular attack vector when added to a badboy kit out there and perfected..I think 10% of the people that would test it not knowing what it would do..would do the clicks and input the info.

I see it as a technical vulnerability coupled with the fact that most people that do on-line banking on all devices ..not just PC at home..are not that tech savvy..they just want to do the deed and get on with their lives.

My hope is that all browsers..on all devices "out of the box" have a way to stop it without third party proggies.

Back in 2010..

The rise of Zeus is an alarming development, as Zeus is particularly resistant to detection. According to a recent study by Trusteer involving 10,000 computers, 55 percent could not find and remove Zeus, even though they were equipped with the latest updates of their security and antivirus software.
• Traditional bank phishing now comprises about 50 percent of overall phishing, down from almost 60 percent in Q2 2009.

»www.securityweek.com/cyb ··· us-rises

Phishing attacks as a whole increased 86 percent across the world.

India brands saw a huge increase. The jump from May to April was 187 percent, with every attacked brand being from the banking sector.

»www.proofpoint.com/about ··· 00806760

Zeus is not dead and now you have Citadel and Gameover. Christmas is coming..hang on to your shorts. Citadel is "sold" with support. They don't just sell the trojan.
»www.bankinfosecurity.com ··· 085/op-1

Gameover is just plain nasty.

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

said by Name Game:

Gameover is just plain nasty.

You can pretend that you posted something that spoke to your 10% belief but you didn't.
I'm not arguing whether phish content is on the rise, decline or losses due to phish content are on the rise or decline etc...
That's an argument you're trying to twist into being the same thing as your 10% argument, which it isn't.

I've already told you that you're not going to find anything to support your 10% argument & being the prolific searcher that you are you would have found/posted anything that spoke to your uninformed 10% belief by now if it were there.

Stop trying to change the scope of the disagreement, it makes you look trivial.

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

He stated "If this attack were used in the wild, I bet at least 10% of web users would get phished (probably many more)."

I take that to mean 10% would fall for that trick and get Phished. 90% would view it as not coming from the real source..even people that made comments at the site saw it that way.

Are you telling me you think he means 10% of total number of the web users out there ?

This to me makes no sense..

"Because after analyzing tens of thousands of phish campaigns from start to finish I've never seen a 1% return rate or anything even close to 1% which makes any discussion of 10% irresponsible."

Define these return rates, and your tens of thousands.

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

said by Name Game:

Are you telling me you think he means 10% of total number of the web users out there ?

Nope, he means 10% of the web users that land on such a phish page.
said by Name Game:

"Because after analyzing tens of thousands of phish campaigns from start to finish I've never seen a 1% return rate or anything even close to 1% which makes any discussion of 10% irresponsible."

Define these return rates, and your tens of thousands.

You still can't find anything that supports your 10%.
I suppose you found references that support your 10% belief but have chosen to not post them for some reason.
That's as believable as a 10% success rate for a phish campaign.
Just in case you're being serious & not just trying to deflect attention away from your inability to find even a single reference that supports your 10% belief: Tens of thousands = 10K+ phish campaigns that I've personally analyzed from start to finish.

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

"Because after analyzing tens of thousands of phish campaigns from start to finish I've never seen a 1% return rate or anything even close to 1% which makes any discussion of 10% irresponsible."

Now put that in real words..not just your % thingie..what is "return rate" and tell us about "tens of thousands"..and define what you mean by "campaigns"..and I am not trying to pull your chain..but since you used that to make a statement that you thought the author's 10% was wrong and he knew nothing about phish...I have no idea what you are talking about..and I still think at least 10% and maybe more of the peeps that saw a real exploit like the one he just did this POC (proof of concept) of..would be clicking away.

therube
Member
join:2004-11-11
Randallstown, MD

to Snowy
quote:
I've never seen a 1% return rate or anything even close to 1% which makes any discussion of 10% irresponsible.
1%, 10%, 90%, I have no clue, & it is really immaterial.

But as someone else said earlier, "Very good POC IMO", & "I can see that Phish catching a LOT of fish" & to me that, & not 1 or 10%, is the point.

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

to Name Game
said by Name Game:

Now put that in real words..

You have a funny way of saying that you are unable to find any reference whatsoever to a 10% success rate on phish content.
Zero, zippo, nada, nothing.
The difference between you & me that is creating conflict is that while I accept that I'll make a mistake you'll just try to BS your way out.
Good luck Mr. Perfection!, that's a heavy but unnecessary load to carry.
I'm done with this thread, I'm conceding that your BS is superior to my tolerance for same.

Edit to add: Your Praetorian example was not an "in the wild" event but a controlled study. Get real, as in real events.

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Your musings are over for me..you mix apples with oranges and you get bananas...but feel free to make a comment at his site like others have done..

»feross.org/html5-fullscr ··· -attack/

And tell him why he is irresponsible in saying ..

Humans are terrible at spotting subtle changes

If this attack were used in the wild, I bet at least 10% of web users would get phished (probably many more).

and doesn't speak well to his knowledge of phishing.

"Because (you) after analyzing tens of thousands of phish campaigns from start to finish I've never seen a 1% return rate or anything even close to 1% which makes any discussion of 10% irresponsible."

I think he will respond to you.
There are already 127 comments
»news.ycombinator.com/ite ··· =4629906

»news.ycombinator.com/ite ··· =4630156