go phish attacks


An excerpt from an MSNBC article re: a phish scam reads...

"But computers always check a local host file for such a catalog first and that local host file overrides information contained in the Internet's Domain Name Servers."

So if they can change the local host file, is there a way, when I go to the
bank web site, I can double check and verify that the site I am accessing is
the actual bank through other means?

I only took a few intro to programming classes (no networking). As I
understand it, ping won't work because of firewalls... it will never get
returned. The DHCP server knows about the requested IP address leased to
the client. The bank's IP address for the website is probably dynamic.

So how does one verify that yes, this IP is my bank? Can you use the first
three, 207.46.150, somehow??

Thank you,

Re: go phish attacks


I came back and looked at it again. Apparently the only way for the local
host file to get changed is a virus or opening an email that changes it on
an unpatched browser. I will go searching for that patch now to make sure
I have it. This is kind of scary because of the fact that I don't even open
an attachment... just an email and can still get attacked.

Reasoning through it, I did a whois search of a domain name. I thought,
now how can they have 2 of the same domain name? That is when it sunk in
that it is the local host file that is changed, making it appear like there
are 2 domain names www.mybank.com, and the local one takes precedence. Now
that I thought of it that way I think I understand. As in the Highlander
movie, "there can be only one."


Re: go phish attacks...new twist


Now I am back to square one, kind of.
Norton 2005 Personal Firewall has touted a new feature of protecting my
information from getting to a new site. Has this new finding of the
security article of MSNBC and the new feature Norton proclaims to protect
my information "crossed in the mail," sort of advertising? I searched the
knowledgebase to see how the new feature is implemented. I came across one
section where they talk about indicating trusted sites, which based on the
new article don't seem to work if the host file listing of IP addresses is

Please forgive my ignorance if I am off base as I am just a computer


Re: go phish attacks...new twist

j-marvin wrote:

I don't understand your question about the firewall, and don't know about
this Norton feature.

However, I do suggest that you consider using non-microsoft mail and web
software. Doing so will reduce the likelihood of bad software getting to
your machine. Consider Mozilla (does both mail and web), or using
thunderbird (mail) and firefox (www web).

If you ping your bank, ping will say something like:
  Pinging www.mybank.com (
This tells you the IP address that your PC thinks mybank.com has at the
moment. You can try and verify this with whois. The bank's address is not
likely to change - they'd have to keep changing their DNS entry.

Once you know the bank's IP address, you can use that instead of the
name, which would then bypass the name lookup and defeat the scam: /


Re: go phish attacks...new twist

On Sat, 06 Nov 2004 09:08:45 GMT, j-marvin spoketh


For most home users, the hosts file should be virtually empty. The only
entry found in there should be:        localhost

If there are any other entries in there, then you'll have to review what
those are and consider removing them if they are references to any
external sites that are not a part of any company and/or organization
that you (or your computer) are affiliated with.

Lars M. Hansen
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"

Re: go phish attacks...new twist

On Sat, 06 Nov 2004 15:54:42 GMT, Lars M. Hansen


And here is your chance to get rich.  Develop a mechanism which
hardens the hosts file and provides strong integrity checking.  In an
ideal world it should use a private crypto key for integrity checking
which is specific to that PC and which is not accessible to an
unauthorised process - but <sigh> the limitations of the Wintel PC as
a secure platform make that extremely difficult, if not impossible.
You could do it with a USB token to store the key, perhaps.

Even a program which looks up entries in the hosts file, resolves
them, and identifies cases where the DNS-derived IP address for a site
whose name is present in the hosts file is not the same as the actual
IP address in the hosts file would be an improvement.    To cover
cases where a popup blocker has put a local entry in the hosts file
for an external site (e.g. ads-r-us.com -> or whatever) you
could flag hosts file pointers to unroutable IP addresses, to
differentiate them from host file pointers to external IP addresses.

Please remove "nospam" from mailto address
when replying

Re: go phish attacks...new twist

On Tue, 09 Nov 2004 10:04:35 GMT, John Elsbury spoketh


There's no issue with Wintel PC as a secure platform. Your computer is
as safe as you make it, regardless of the operating system.

As for the hosts file, it shouldn't be too difficult to do a simple
checksum test of the file at regular intervals, and alert you if it
changed. Don't be surprised if that now shows up in a number of personal


Not really, because entries in the hosts file might be there because
there's no DNS server that'll resolve them correctly. For instance, if
you are connected to a large, slow WAN, there may be static entries in
the hosts file to speed up lookup of servers on your WAN.

Lars M. Hansen
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"

Re: go phish attacks...new twist

Lars M. Hansen wrote:

From Perl for System Administration:

#* print the MD5 fingerprint for the /etc/passwd file

use Digest::MD5;

my $md5 = Digest::MD5->new;

open(PASSWD, "/etc/passwd") or die "Unable to open passwd: $!\n";

# feed the whole file into the digest before asking for the result
$md5->addfile(*PASSWD);

# these lines could also be rolled into one:
#   print Digest::MD5->new->addfile(*PASSWD)->hexdigest, "\n";
print $md5->hexdigest . "\n";


This will work on the Windows platform.
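A check in the spirit of John Elsbury's hosts-file audit and Lars Hansen's checksum idea above, written here as an added example that is not code from the thread, the book, or any product mentioned: it parses a constructed hosts file, skips entries that point at unroutable sink addresses, reports the remaining names whose DNS answer is missing or disagrees (a missing answer may be a legitimate static WAN entry, so it is reported separately), and keeps a SHA-256 baseline to show what changed. The resolver is passed in as a function so the check runs offline; wiring it to a real lookup such as socket.getaddrinfo is left to the reader.

```python
import hashlib
import ipaddress

# Constructed sample hosts file; 198.51.100.0/24 (documentation range) stands in for a public address.
SAMPLE_HOSTS = """\
127.0.0.1     localhost
0.0.0.0       ads-r-us.example        # popup-blocker sink: unroutable, benign
198.51.100.7  www.mybank.example      # hijack: trusted name -> routable address
"""

# Addresses that cannot carry a browser out to a third-party server.
SINK_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fe80::/10")]

def parse_hosts(text):
    """Return {hostname: ip} for every non-comment line of a hosts file."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            entries[name.lower()] = fields[0]
    return entries

def is_unroutable(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SINK_NETS)

def audit_hosts(text, resolve):
    """resolve(name) returns the set of addresses DNS gives for the name, or
    None when DNS has no answer. A no-answer entry may be a legitimate static
    WAN entry, so it is reported separately instead of as a hijack."""
    findings = []
    for name, ip in parse_hosts(text).items():
        if name == "localhost" or is_unroutable(ip):
            continue
        answers = resolve(name)
        if answers is None:
            findings.append((name, ip, "no-dns-answer"))
        elif ip not in answers:
            findings.append((name, ip, "dns-mismatch"))
    return findings

def fingerprint(text):
    return hashlib.sha256(text.encode()).hexdigest()  # baseline to recompute at intervals

def new_entries(baseline_text, current_text):
    """After a fingerprint change, show which mappings were added or altered."""
    old, new = parse_hosts(baseline_text), parse_hosts(current_text)
    return {n: ip for n, ip in new.items() if old.get(n) != ip}
```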


Re: go phish attacks...new twist

On Tue, 09 Nov 2004 13:30:04 GMT, Lars M. Hansen


Yes, that is true.  It is another way of saying that security is the
responsibility of the user - but it would be a lot easier to secure if
some of the architectural deficiencies weren't there.  

The deficiencies in the architecture include lack of separation
between the OS and the application program, both in terms of access to
files and programs (and tasks) and in terms of physical access to
memory.   On the 360, for example, an application program physically
couldn't write memory assigned to the OS, or memory assigned to a
different application program.   A system programmer could write
supervisor call code which promoted the problem program to a state
where it could gain privilege, but that was manageable by inspection.
Likewise, OS add-ins such as RACF made access to files securable and
auditable.  PCs just can't do that.  This isn't a criticism of the
WINTEL architecture, it's more a summation of the legacy arising from
the fact that the first PC was never intended to be multi-user and
wasn't designed to run on a network sharing files.  Even the first
general-purpose OS to get any security rating at all (NT4, iirc, and
it wasn't a high rating either) only retained the rating if it was not
connected to another computer.

Things may improve.  I see that crypto chips are starting to appear on
motherboards and, with a bit of work, a relatively secure OS might be
developed based on those.   If every PC has a unique private key which
can only be utilised after independent authorisation - e.g. plugging
in a USB dongle before software can be modified or objects "signed" -
then we are heading in the right direction.   An architectural change
to the memory management structure could improve matters too, at least
in terms of buffer overflow exploits and the like.  For example, one
could prevent, at the hardware level, an application from overwriting
memory tagged as "program: read-only".

It still all comes back to the user.  I expect the people who run
Windows as administrators are the same people who would leave the
dongle plugged in the whole time...

Please remove "nospam" from mailto address
when replying

Re: go phish attacks


Here is the article below. The tips you gave me are really good.
Thanks for your help,

A new, more sneaky phishing attack
Victim computers hijacked, sent to fake bank sites
By Bob Sullivan
Technology correspondent
Updated: 5:12 p.m. ET Nov. 5, 2004

Phishing scams, already one of the main nemeses on the Net, have apparently
just become even more sneaky and ingenious. Now, it appears phishing authors
are borrowing some time-tested tactics from computer virus writers to steal
personal information from e-mail users.

E-mail filtering firm MessageLabs says it recently began intercepting
messages that use the new technique, which in certain cases is
completely invisible to victims. Essentially, the tactic redirects a
victim's computer to a Web site controlled by a criminal every time the
victim types in the Web address of his or her online bank. Even if the
victim follows a shortcut or Web browser favorite link, the computer is
seamlessly directed to the criminal's site instead. Once there, it's
easy to trick a confused consumer into typing in banking account numbers
and logins, because he or she is easily convinced that the destination
is the correct banking site.

"It's very nasty," said Ken Schneider, chief architect at antivirus firm
Symantec Corp. "(A user) could be doing everything right, but in this
case they are still going to the wrong place."

Phishing is already a major problem for both consumers and financial
companies, and the scope of the problem continues to grow. The number of
phishing attacks swells by about 50 percent each month, according to the
Anti-Phishing Working Group. Earlier this year, an analyst at Gartner
said some 2 million people had fallen for phishing attacks, costing U.S.
banks about $2 billion.

The new technique involves changing a little-known piece of software on
most Web-ready computers called a "host file."  All Web sites have
numeric Internet addresses, called IP addresses, that contain a string
of four numbers, such as They also have friendly, easy-to-remember
names like MSNBC.com. The names and numbers are linked by
means of a catalog kept on various computers connected to the Internet
called Domain Name Servers. But computers always check a local host file
for such a catalog first and that local host file overrides
information contained in the Internet's Domain Name Servers.  

So by changing a victim computer's host file, the attacker can change
the Web site that computer visits. Typing in MSNBC.com, for example,
could point a victim's computer toward a hacker's site instead.  

A useless feature
Years ago, before the Internet's domain name system was in place, the
local host file was useful, says software engineer and privacy advocate
Richard Smith, who operates ComputerBytesMan.com. But now, it's just a
relic, he says, kind of like an appendix on Internet software.

"It's useless now," he said.  "But it's an attack vector.... This just
points out that at some point you have to age out features and get rid
of them."

Host file attacks have been relatively common in recent computer
viruses, Smith said.  They have been used to siphon off traffic destined
for high-profile sites like Google.com toward pornography sites, for
example. But this is the first time he'd seen the tactic used in
combination with phishing, he said.

The e-mails intercepted by MessageLabs also include another tactic to
trick Internet users: there's no need to click on a link or attachment
to become a victim. Simply opening the e-mail is enough to allow the
malicious message to alter the host file on a target computer. That part
of the e-mail takes advantage of a well-known, relatively old flaw in
Microsoft's Internet Explorer, which can be patched a number of ways.

Unlike traditional phishing e-mails, which suggest they are from PayPal,
eBay, Citibank or other legitimate companies, this new kind of e-mail is
unrelated to the targeted financial institution.  One subject line
reads, "Oi!! olha aqui!! vc nem precisa procurar mais!!!" which
essentially urges the recipient to try whatever it is inside the e-mail.

MessageLabs has intercepted only some 30 copies of the e-mail, and in
each case the target was a bank in Brazil. Symantec researchers have yet
to spot copies of the e-mail so far.  So the host file attack is hardly
widespread. Still, MessageLabs' Alex Shipp thinks it's an alarming step
forward in the programming of phishing tactics.  Antivirus scans
generally wouldn't pick up host file changes.

"It's more dangerous than standard phishing," he said.  "There is
nothing in the e-mail to give it away. Nothing has to happen. The next
time you bank there, you might be in for a shock."

And even if the fake bank site was eventually pulled down by the
Internet host, which usually happens within a few days, victim consumers
would still have a problem. Their computers would no longer be able to
visit the legitimate bank site, but instead would get a "file not
found" error, as their computers were redirected to the criminal's

"The person would be mystified that they can't get to their bank any
more," Shipp said.

Re: go phish attacks


I looked at the settings in Webroot Spy Sweeper the other
day and discovered it had a host file shield. So I am
covered. I probably saw it before but didn't pay attention
to what it was until I visited the newsgroup and read the
MSNBC article on security vulnerabilities.

