[Cryptography] phishing attack again - $300m in losses?

Christian Huitema huitema at huitema.net
Sun Feb 15 21:35:36 EST 2015


On Sunday, February 15, 2015 6:45 AM, ianG wrote:

> So, it's phishing, again.  Exotically called spear phishing, but still 
> your common or garden phishing attack.

The spear part points to the reconnaissance of the target, usually through social networks. Reconnaissance helps a lot in building context and making the bait much more tempting, because it is specially crafted for the target.

> It is clearly the fault of the browser [1].  All the finger pointing -- 
> user responsibility for social engineering, mailer, standards -- is just 
> that, finger pointing in ways to move the angst away from the mind of 
> the owners of the browser projects.  The successful strategy for doing 
> nothing has been a mix of "It's not our fault" and "we're working in XYZ 
> cartel..."

The usual finger points "between the keyboard and the chair." But obviously this is not sufficient. The classic attack operates through e-mail, and only involves a browser in a second stage, if at all. Attacks through spiked attachments do not involve a browser at all. The gaping hole there is the ease of forging an e-mail source.

Note that this is a very hard problem. For example, ensuring that the mail really comes from the source address "John Doe <john at example.com>" would help, but would still leave open forgeries like a source set to "John Doe <john2345 at email-for-dummies.com>". Part of the problem is indeed between the chair and the screen, and fixing that requires lots of work on the user interface.

> And, it isn't as if we can't calculate the value of the take.  Mozilla 
> for example takes something like 85% of its revenues from one source, 
> google, for one purpose, browser advertisement, which serves as a pretty 
> good proxy for the value of Firefox to users. 

You missed the news on the new deal, Yahoo instead of Google: http://www.cnet.com/news/in-major-shift-firefox-to-use-yahoo-search-by-default-in-us/. The purpose is not "browser advertisement" but "default setting for the search engine." Of course, setting the search engine results in steering search traffic and the corresponding advertisements to the highest bidder.

-- Christian Huitema
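The gap Huitema describes above (a verified source address that still carries a familiar display name, e.g. "John Doe <john2345 at email-for-dummies.com>") is the kind of thing a mail client or gateway can flag mechanically. The following is an added example, not code from the thread or from any of its participants; it assumes a constructed address book of known correspondents and compares the display name in a From: header against the address it is paired with, also covering the related case where the display name itself is spelled like a known address.

```python
import re
from email.utils import parseaddr

# Constructed address book for this example: display name -> known address.
# Names and domains are made up; a real deployment would use the user's contacts.
KNOWN_CONTACTS = {
    "John Doe": "john@example.com",
}


def normalize_name(name: str) -> str:
    """Collapse case, punctuation and whitespace so "john.doe" == "John Doe"."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def check_from_header(from_header: str, contacts=KNOWN_CONTACTS):
    """Classify a From: header value against the address book.

    Returns (verdict, reason) where verdict is one of:
      'ok'         - address matches the known contact with that display name
      'suspicious' - display name impersonates a known contact or a known address,
                     but the actual address differs
      'unknown'    - display name is not in the address book; no judgement possible
    The actual address is assumed to be authenticated upstream; this check only
    looks at the display-name/address mismatch that authentication leaves open.
    """
    display_name, address = parseaddr(from_header)
    address = address.lower()

    # Display name that is itself spelled like an address, paired with a different one.
    if "@" in display_name and display_name.lower() != address:
        return "suspicious", f"display name '{display_name}' looks like an address but mail is from {address}"

    wanted = normalize_name(display_name)
    for name, known_addr in contacts.items():
        if normalize_name(name) == wanted:
            if address == known_addr.lower():
                return "ok", f"{address} matches address book entry for {name}"
            return "suspicious", f"display name '{display_name}' belongs to {known_addr} but mail is from {address}"
    return "unknown", f"no address book entry for '{display_name}'"


if __name__ == "__main__":
    for hdr in ("John Doe <john@example.com>",
                "John Doe <john2345@email-for-dummies.com>",
                '"john@example.com" <attacker@evil.example>'):
        print(hdr, "->", check_from_header(hdr))
```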