[cap-talk] an attack on the pet name tool bar

Sandro Magi smagi at naasking.homeip.net
Thu Feb 10 09:37:18 EST 2005


> OK, so here's the phishing attack against the
> pet name:  Alice's browser is set up to have a
> pet name when browsing to the Bank.com.
>
> Phisher sends a phish from AuditProcessBank.com
> and says that ("blah blah") and please enter the
> pet name as well as other details into the form.
>
> If the user falls victim to this, a second pro-forma
> phish is then created with a false petname bar
> and the other details.  (It would need to be
> indexed off of the user's IP address I guess.)
>
> So the question is, even though the pet name
> provides a useful defence against phishing, what
> is stopping the pet name itself from being phished?

A local petname would be useless to the phisher because he does not
control the petname bar. Even knowing my petname for his own site, what
could a phisher do with it? Perhaps I'm simply misunderstanding how this
is an attack on the petname system.

Sandro


