Phishing scam: onlinewebshop.net

This morning, a friend appeared to send me an instant message on AIM, which simply said:

http:// tinyurl . com / 3akotpx

[without the spaces]

That redirects you to:

http:// frid.onlinewebshop . net / ?sn1=intelliot&
amp;sn2=fluttrbylilibyrd

The whole page looked exactly like the “AIM Fight” website. The only difference was that once you tried to do the “fight” it would say your account was “not cached” and ask you to enter your password.

No way.

The only way to really know this isn’t a legitimate website is to look at the address in your browser’s address bar. (Other than the fact that it asks for your password, which the real aimfight.com site doesn’t do.)

Be careful out there on the web!

Between the Gawker database leak, Firesheep, this phishing scam, and the growing internet penetration in developing nations, the internet is definitely a more dangerous place today than ever before. When security wasn’t a big concern, there were many wide-open vulnerabilities in popular systems. But as vendors have started to build better security procedures and patch security flaws, we’re starting to realize that no matter how good the security is, a sufficiently motivated attacker can always find a way in.

The key is not to build better barriers to keep people out, but rather to reduce the motivations for people to carry out these attacks. And that is a difficult thing to realize and believe. If you don’t have a deep understanding of the underlying complexity of internet-connected systems, it is tempting to think that you could build (or have some other engineers build) a perfectly secure system. Good luck with that!

Even if you did succeed, social engineering is an even more difficult thing to protect against…

One thing on my mind recently: how do you know there isn’t a keylogger on the system you’re using? If your personal computer has ever been out of your sight, it is possible that someone accessed it and installed a keylogger, or worse. It could be recording every keystroke, capturing screenshots, recording audio via the microphone, taking pictures using the webcam, logging data and cookies sent out over networking interfaces… basically everything. And it could be silently transmitting all of this information to the hidden infiltrator who once had physical access to your machine for 5 minutes.

That’s just one of many potential attacks. How about a man-in-the-middle-type attack on someone’s router or ISP? You could set up a proxy that takes everything you send to the internet, sends it to your intended destination, and gives you a reply– such that you never even notice that anything is wrong. Kind of like those new routers that have Tor built-in. Those routers are used for something good (anonymity) — but the same technology could be easily modified to do something much more sinister.

It’s not much different in physical security. Airports will never be able to guarantee perfect security, no matter how many pat-downs or electronic scanners they employ. The key is to reduce the motivations for people to carry out attacks. If nobody wants to attack you, then nobody will. But if lots of people want to attack you, nothing you do will be able to stop all of them.