New Scam: Hackers Use Phony Certificate To Seal Victims' ID-Fates

Martin

Posted by Keith Ferrell Monday, Apr 28, 2008, 04:51 PM ET

A new approach to password/account info-theft appeals to users' desire for enhanced protection, rather than directly asking for info. The scam asks users to install an important digital security certificate -- which is, of course, anything but secure.

Noted by security firm F-Secure over the last few days, the so-called "fly phishing" con looks as slick and "legit" as any I've seen.

Its masterstroke is its spot-on mimicry of banker boilerplate (and for that matter of techy install-prose) as it walks the recipient through the steps required to install the digital certificate that will enhance their security and simplify their bank's sign-on process.

What's installed, for those who bite at the fly phish, is a trojan that then captures passwords, account numbers, etc.

The user is never once asked for an identifying number or piece of confidential information.

This one is smooth and polished, with a razor-sharp barb that might prove more effective than the "we need your password" approach that has long since approached and passed the point of diminishing returns.



http://www.bmighty.com/blog/main/archives/2008/04/new_scam_hacker.html
 