[Cryptography] phishing, was Encryption opinion
Dave Horsfall
dave at horsfall.org
Tue Aug 26 17:02:16 EDT 2014
On Tue, 26 Aug 2014, ianG wrote:

> Clearly, the phish site uses the information found on the bank site,
> captures the user's credentials, then hands the credentials over to
> another agent (site? human?) who then contacts the bank.

Not necessarily; it can hoover up the credentials, then claim a temporary
system error.

Back when Unix hit the scene (in Australia at least), bored CompSci
students would write fake login programs, gathering names and passwords,
claiming wrong password, then invoke the real login program. I wasn't a
malefactor (but I did do, ahem, things, before I was employed to keep
people like me out) but one of my tasks was to scan all executables,
looking for suspicious strings (this was in the days before obfuscation).

So, the way I would see it:

MITM: Alice <-> Mallory <-> Bob.
Phish: Alice -> Mallory, then: Alice -> Bob

-- Dave