Shallow Thoughts
Akkana's Musings on Open Source, Science, and Nature.
Tue, 24 Oct 2006
I get tons of phishing scam emails spoofing Amazon. You know, the
ones that say "Your Amazon account may have been compromised: please
click here to log in and verify your identity", and if you look at the
link, it goes to
http://123.45.67.8/morestuff instead of
http://www.amazon.com/morestuff. I get lots of similar phishing
emails spoofing ebay and various banks.
But yesterday's was different. The URL was this:
http://www.amazon.com/gp/amabot/?pf_rd_url=http://211.75.237.149/%20%20/amazon/xec.php?cmd=sign-in
Check it out: they're actually using amazon.com, and Amazon has a 'bot
called amabot that redirects you to somewhere else. Try this, for
example:
http://www.amazon.com/gp/amabot/?pf_rd_url=http://bn.com
-- you start on Amazon's site and end up at Barnes & Noble.
When a family member got tricked by a phish email a few months ago
(fortunately she became suspicious and stopped before revealing
anything important)
I gave her a quick lesson in how URLs work and how to recognize the
host part. "If the host part isn't what you think it should be,
it's probably a scam," I told her. That's pretty much the same as what
Amazon says (#6 on their "Identifying Phishing or Spoofed E-mails"
page). I guess now I need to teach her how to notice
that there's another URL embedded in the original one, even when the
original one goes to the right place. That's a bit more advanced.
I suspect a lot of anti-phishing software uses the same technique and
wouldn't have flagged this URL.
I reported the phish to Amazon (so far, just an automated reply, but
it hasn't been very long). I hope they look into this use of their
amabot and consider whether such a major phishing target really needs
a 'bot that can redirect anywhere on the net.
Tags: tech, web, security
[
10:34 Oct 24, 2006
More tech/web |
permalink to this entry
]
Sun, 14 Aug 2005
I bet I'm not the only one who uses Ubuntu (Hoary Hedgehog) and didn't
realize that it doesn't automatically put the security sources in
/etc/apt/sources.list, so apt-get and aptitude don't pick up
any of the security updates without extra help.
After about a month with no security updates on any ubuntu machines
(during which time I know there were security alerts in Debian for
packages I use), I finally tracked down the answer.
It turns out that if you use synaptic, click on "Mark All Upgrades",
then click on Apply, synaptic will pull in security updates.
However, if you use the "Ubuntu Upgrade Manager" in the
System->Administration menu, or if you use commands
like apt-get -f dist-upgrade or aptitude -f dist-upgrade,
then the sources which synaptic wrote into sources.list are not
sufficient to get the security updates.
(Where synaptic keeps its extra sources, I still don't know.)
When I asked about this on #ubuntu, I was pointed to a page on
the Ubuntu wiki which walks you through selecting sources in synaptic.
Unfortunately, the screenshots on the wiki show lots of sources that
none of my Ubuntu machines show, and the wiki doesn't give you the
sources.list lines or tell you what to do if synaptic doesn't
automagically show the security sources.
The solution: to edit /etc/apt/sources.list and make sure the
following lines are there (which some of the people on the IRC channel
were kind enough to paste for me):
## All officially supported packages, including security- and other updates
deb http://archive.ubuntu.com/ubuntu hoary main restricted
deb http://security.ubuntu.com/ubuntu hoary-security main restricted
deb http://archive.ubuntu.com/ubuntu hoary-updates main restricted
In addition, if you use "universe" and "multiverse", you probably also
want these lines:
deb http://archive.ubuntu.com/ubuntu hoary universe multiverse
deb http://security.ubuntu.com/ubuntu hoary-security universe multiverse
deb http://archive.ubuntu.com/ubuntu hoary-updates universe multiverse
Tags: linux, ubuntu, security
[
21:49 Aug 14, 2005
More linux |
permalink to this entry
]
Sat, 24 Jul 2004
We had dinner with Tim and Pam last night (visiting for AstroCon)
at "Skates on the Bay" in Berkeley -- excellent food.
so I told Tim about the virus attack on
Shallow-Sky
a few days ago, perpetrated in his name.
Messages were sent to the list, ostensibly from his address,
containing various attachments which were obviously Windows viruses.
Unfortunately, I was out on a hike when the attack happened, so five
of them slipped through before I found out about it and blocked
his address in order to investigate further.
The virus turned out to be
W32.Beagle.AG@mm
(W32 is obvious, and f3ew tells me that "mm" stands for "mass
mailing").
Pasc gave me a procmail rule to block this virus, to put in
smartlist's rc.submit. It should have worked, but it didn't,
so I ended up using a more general rule to block all base64 encoded
attachments (that'll probably piss off some people who like to send
images to one of our other lists, but Dave says he's asked them not
to do that anyway and doesn't mind having the rule there).
Of course, the messages weren't really coming from Tim: he doesn't
even use Windows (Mac and Sun, usually). It turns out they're
coming from a Comcast address, which doesn't narrow things down
much. There are nine @comcast.net addresses on the list, so I
notified them privately, but it could easily be someone else or
even someone off the list (though I suspect it's a list member,
since it's someone who has Shallow in their addressbook).
I suppose I'll probably never know who it was. The "Tim" attacks
have stopped (so I don't even know for sure that my filter works,
though it worked for a test message I sent) but I've gotten two
attempts spoofing Peter J (who is not currently on the list, so
they bounced with "Not on accept list" before they could test the
filter).
Grumble grumble Windows security grumble ...
Tags: linux, security
[
14:13 Jul 24, 2004
More linux |
permalink to this entry
]