A fun story from a small country.

What did 'hackers' do with an IE bug :)

         

WeirdoPL

12:08 am on Feb 25, 2004 (gmt 0)

10+ Year Member



Remember this one?

[webmasterworld.com...]

The funny thing was what some clever guys did in Poland. They sent a false e-mail to clients of one of the banks saying: "Please log onto Your account cause *blah blah blah*". There was a link page under the text which used the exact bug mentioned in the topic linked above. Since the bank normally used the credit card PIN as the password...

A bunch of no-brains got their cards ripped and their accounts cleared nicely!

What makes it even funnier: MS issued an "IE 6 security patch" before (I think) the 'attack'.

Now I seriously don't think that Poland is the only place where You can find such idiots as the ones that did try to log in on the 'hacked' page. I was just wondering...

Does it make You laugh or cry?..
Cause it makes me laugh my lungs out.

PS. This is an all-topic issue: how can we make our stuff idiot-proof and idiot-compatible?

DrDoc

1:46 am on Feb 25, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



how can we make our stuff idiot-proof and idiot-compatible

Use SSL for all critical information. Tell your users to never trust a page unless it has [yourdomain.com...] in the address bar, and to never trust it if they get a security warning...

D_Blackwell

2:47 am on Feb 25, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



-----Tell your users to never trust a page unless it has [-----...]

You can tell them till you're blue. They still won't even look.

eWhisper

3:16 am on Feb 25, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I know net-savvy people who have had cards stolen in the past who, if they really want to buy something, will still ignore the fact it doesn't have an SSL cert. I don't think it's just 'average joes' that fall for this stuff; it's also letting impulses get the better of judgement.

WeirdoPL

8:04 am on Feb 25, 2004 (gmt 0)

10+ Year Member



Tell your users to never trust a page unless it has [yourdomain.com...] in the address bar.

But the page in the story DID have the same thing in the address bar.

Hagstrom

9:02 am on Feb 25, 2004 (gmt 0)

10+ Year Member



Now I seriously don't think that Poland is the only place where You can find such idiots

Normally ethnic jokes are not allowed here, but I suppose weirdoPL is Polish himself ;)

I remember a similar incident from the U.S. where scammers asked people to log on to h*ttp://www.paypaI.com in order to "verify" their accounts.

The trick being that in many fonts a capital "I" looks pretty much like a lowercase "l".

grahamstewart

10:36 am on Feb 25, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It happens all the time and it is usually called 'phishing'.

See this story: http://news.bbc.co.uk/1/hi/technology/3518411.stm on the BBC news site for the latest one to hit Britain.

Tell your users to never trust a page unless it has [<...]

Unfortunately that is no guarantee. Much of the phishing recently has been exploiting the Microsoft URL exploit mentioned above. So you could gain a server certificate for one site and then use the bug to make it look like another.

The bank I use (NatWest) never ask for your full password. Instead they ask for a few selected letters from it. This seems like a good approach as users would be suspicious if they suddenly had to enter the full thing.

Leosghost

11:37 am on Feb 25, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I just yesterday got the same kind of thing asking me to update my info for Ebay ...course it refers me back to Ebey...were I dumb enough to have done anything except laugh when I got it ....
PS. Being Irish this disproves many cherished "Anglo-Saxon" prejudices...
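
An added example, not part of any post in this thread: a Python check for the two lookalike tricks mentioned above, the capital "I" in paypaI.com and the one-letter swap in "Ebey". The watch list, the fold table and the last-two-labels shortcut are assumptions made for illustration.

```python
# Added example: flag hostnames that imitate a watched domain.
# WATCHED and FOLDS are constructed for illustration and are not exhaustive.
WATCHED = ("paypal.com", "ebay.com")

# Character sequences that read alike in many fonts, folded to one form.
# Hostnames are case-insensitive, so "paypaI.com" is really "paypai.com";
# folding i -> l after lowercasing catches it however it was typed.
FOLDS = (("rn", "m"), ("vv", "w"), ("i", "l"), ("1", "l"), ("0", "o"))


def registrable(host):
    """Lowercase the host and keep its last two labels.

    Assumption: a two-label registrable domain; real code would consult
    the Public Suffix List to handle names such as example.co.uk.
    """
    labels = host.strip().rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def skeleton(domain):
    """Fold confusable sequences so lookalike names compare equal."""
    for src, dst in FOLDS:
        domain = domain.replace(src, dst)
    return domain


def one_off(a, b):
    """True when two equal-length strings differ in exactly one position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def classify(host):
    """Return (verdict, watched_domain) for a hostname seen in a link."""
    domain = registrable(host)
    if domain in WATCHED:
        return ("genuine", domain)
    folded = skeleton(domain)
    for target in WATCHED:
        if folded == skeleton(target):
            return ("lookalike", target)   # same shape on screen
    for target in WATCHED:
        if one_off(folded, skeleton(target)):
            return ("typo", target)        # single-letter substitution
    return ("unrelated", None)
```

A mail filter or proxy log review could run `classify` over link hostnames and hold anything that is not "genuine" or "unrelated" for a closer look.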