[cap-talk] an attack on the pet name tool bar
Ian G
iang at systemics.com
Thu Feb 10 21:55:16 EST 2005
David Hopwood wrote:
> Ian G wrote:
>
>> OK, so here's the phishing attack against the
>> pet name: Alice's browser is set up to have a
>> pet name when browsing to the Bank.com.
>>
>> Phisher sends a phish from AuditProcessBank.com
>> and says that ("blah blah") and please enter the
>> pet name as well as other details into the form.
>
>
> A bit of an odd request, since only Alice's software can
> resolve her pet names and so there's normally no reason why
> anyone else would want them, but go on...
Well, I'm just brainstorming an attack here. I
don't have an incentive to make it viable .. yet :)
>> If the user falls victim to this, a second pro-forma
>> phish is then created with a false petname bar
>> and the other details. (It would need to be
>> indexed off of the user's IP address I guess.)
>
>
> The problem here is obviously the "false petname bar".
> It almost goes without saying that the petname bar must not
> be spoofable (e.g. by always displaying it at the top of
> all windows that can be used for browsing, and preferably
> by distinguishing those from all other windows). Isn't this
> true of the security-related GUI elements for any possible
> solution, including the TrustBar?
Yep. But how does a phisher ask for the logo?
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/