[Cryptography] phishing, was Encryption opinion

John Levine johnl at iecc.com
Mon Aug 25 17:38:38 EDT 2014


>> Except that the M isn't ITM in the case of phishing.  Phishing is not so
>> much a Man In The Middle, it's more a Man On The Sidelines That Looks
>> Very Much Like Bob, or MOTSTLVMLB, but good luck pronouncing that.
>
>I don't see the distinction.  The phisher redirects Alice's browser to
>him.  He then goes to the site and extracts information to perpetuate
>the deception.  What's not middle here?

Web phishes rarely do MITM.  It's a site that looks like the real site
and tells you to log in.  Once you do, it says oops, you mistyped your
password and perhaps redirects you to the real site.  It's just
impersonation.

There is MITB malware that does interpose itself between the user and
the real bank, doing impressive things like OCR on images describing
the transaction which they then rewrite to show the transaction that
the user thinks he's approving.  But that's not phishing, it's
something else.

I suspect bank MITM phishes would work poorly these days since banks
generally use cookies and IP addresses to notice when a user
isn't logging in from the normal place.  I was in the Bahamas for a
meeting a couple of weeks ago, and my bank was extremely sceptical
that it was me trying to check my balances.

R's,
John
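As an added illustration (not code from the post or the list), here is the cookie-and-address heuristic John describes, with constructed profile data and RFC 5737 documentation addresses: a login with the known browser cookie from the usual network is allowed, the travel case from the post is sent to a second factor, and a correct password replayed from elsewhere without the victim's cookie is flagged on both signals. Field names and the `assess_login` function are assumptions for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

@dataclass
class AccountProfile:
    user: str
    device_cookies: Set[str]      # cookies previously issued to this user's browsers
    usual_networks: List[str]     # CIDR prefixes the user normally logs in from

@dataclass
class LoginAttempt:
    user: str
    password_ok: bool             # result of the credential check
    device_cookie: Optional[str]  # cookie presented by the browser, if any
    source_ip: str

def assess_login(profile: AccountProfile, attempt: LoginAttempt) -> Tuple[str, List[str]]:
    """Return ("deny" | "allow" | "step_up", reasons).

    A correct password from an unknown browser or an unusual network is not
    refused, but sent to a second factor: credentials replayed by a phishing
    site rarely arrive with the victim's cookie or from the victim's network.
    """
    if attempt.user != profile.user or not attempt.password_ok:
        return "deny", ["credential check failed"]
    reasons = []
    if attempt.device_cookie not in profile.device_cookies:
        reasons.append("no known device cookie")
    ip = ip_address(attempt.source_ip)
    if not any(ip in ip_network(net) for net in profile.usual_networks):
        reasons.append("source address outside usual networks")
    return ("step_up" if reasons else "allow"), reasons

# Constructed sample data (documentation address ranges, not real users).
PROFILE = AccountProfile("alice", {"cookie-home-laptop"}, ["198.51.100.0/24"])
HOME_LOGIN = LoginAttempt("alice", True, "cookie-home-laptop", "198.51.100.7")
TRAVEL_LOGIN = LoginAttempt("alice", True, "cookie-home-laptop", "203.0.113.9")
REPLAYED_LOGIN = LoginAttempt("alice", True, None, "203.0.113.42")

if __name__ == "__main__":
    for attempt in (HOME_LOGIN, TRAVEL_LOGIN, REPLAYED_LOGIN):
        print(attempt.source_ip, *assess_login(PROFILE, attempt))
```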


More information about the cryptography mailing list