Shmoo Group exploit: 0wn any domain, no defense exists: "Cory Doctorow:
Pablos sez, 'Shmoocon ended today. And just to prove The Shmoo Group wasn't sitting on their (hands) for the entire time while planning the con - A new exploit was demo'd by EricJ that left all our jaws on the floor. Want to own ANY domain? Want a trusted SSL cert for it? Check it out here. We 0wnz0rd PayPal, but left the rest for you. We have no idea how to fix this and neither do the browser developers. Official advisory here. Phishing attacks of doom coming soon.'
Link" (Via Boing Boing Blog.)

Bottom Line: to avoid getting caught by a phishing attack, never trust a link to a web site where you may have to enter sensitive data. If you need to visit a secure site, don't click a link; type the URL into the address bar yourself. Type carefully, spell the URL correctly, and then double-check that the address is what you intended. If you are entering sensitive data into a web form (including usernames and passwords), make sure the URL begins with https:// (note the "s" after the http; the "s" stands for secure).

In a phishing attack, a malefactor sets up a web site that mimics an actual commercial web site. He or she then uses the legitimate appearance of the site to lure you into entering sensitive data. The miscreant then collects your sensitive data to use in later attacks on your real accounts.
Posted by Scott Girard on 2/7/05; 11:19:30 AM
from the News dept.