At the APWG Meeting

I’ll be at the Anti-Phishing Working Group’s Spring 2005 meeting for the next couple of days in San Jose. I’m going to pull a Scoble and publish my cell phone number – I’m at 626-298-0100 if you want to meet up.


IE7 Tabs to Gorge on Memory, Waste UI Space

Microsoft’s Tony Schreiner is in charge of IE7’s tabbed browsing features. He posted today about the complications of adding tabs to IE. I still maintain that MS should have hired me to help in this process (quals: 7+ years of IE tabbed browser development) but they weren’t interested. Anyway…

Perhaps the trickiest decision for MS was whether to break compatibility with 3rd-party IE toolbars. Currently, IE toolbars are "tied" one toolbar to one IE window. But when done right, tabbed browsers save memory compared to single-window browsers because tabs share toolbars. Take the RoboForm toolbar, for example. In NetCaptor, you can have 20 tabs open and one RoboForm toolbar – but 20 IE windows would require 20 RoboForm toolbars.

After MS announced IE7 would have tabs, I expected to hear about changes to the add-on APIs to allow IE7 tabs to share toolbar instances. I never considered the possibility that each IE7 tab would have its own copy of 3rd-party toolbars. But that’s the direction Microsoft has taken. What’s the problem with that approach? Every time you open a new browser tab (which tabbed browser users do much more frequently than single-window browser users), you have to create new instances of any 3rd-party bars. Ouch. Opening a folder of 25 Favorites in tabs? You get 25 RoboForm toolbars, and use much more memory and resources than necessary.

Beyond wasting memory and resources, it sounds like IE7 tabs will also waste user interface space. Tony wrote that 3rd party toolbars will now be a part of the tab instead of the IE frame. If I’m reading him right, IE7 could waste valuable vertical UI space, as shown in this doctored screenshot:

Warning Images on Spoof Sites

I stumbled on a new (to me) technique to defend against phishing attacks today.

A little background. Spoof sites use the same images as the sites they are spoofing. Sometimes those images are stored on the same server as the spoof site, and sometimes they are hot-linked to the target site directly. When images are hot-linked, the victim’s browser pulls them from the target site and displays them on the phishing page.

Check out this spoof of Royal Bank of Canada we saw today.

Notice the WARNING! FRAUDULENT SITE! image at the top left? That image has been hot-linked, so it is pulled directly from the RBC web site. Normally, the image at that URL is the RBC logo, but in this case the RBC web site is serving an alternative image in an attempt to warn users about the danger. To reiterate: the same logo URL returns a warning image when it is embedded in this phishing site, but the normal logo when it is embedded in RBC’s own pages. Cool!

Here’s how they are (probably) doing this:

When a browser requests an image from a web server, the request normally includes a Referer header (the misspelling is the HTTP standard’s): the URL of the page that embedded the image, which the browser sends along with the request. It looks like RBC is serving different images based on the referer the browser sends. RBC may be serving the warning logo any time someone hot-links their logo from an off-site page, or they may be doing it just for specific referers (known phishing sites). I don’t know and don’t have plans to test.
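Here is how such a referer switch might be implemented server-side, as an added example written for this page; it is not RBC’s code, and the host names, the list of known phishing hosts, the placeholder image bytes and the WSGI path are all assumptions. It supports both variants mentioned above (warn on any off-site hot-link, or only on known phishing hosts) and treats a missing or unparsable Referer as a normal request, since many browsers and proxies strip the header.

```python
"""Referer-based image switching for a hot-linked logo.

Added illustration of the technique described above; this is not RBC's
code, and the host names, image names and sample requests are made up.
"""
from urllib.parse import urlsplit

# Hosts allowed to embed the real logo (assumed list; subdomains included).
OWN_HOSTS = ("rbcroyalbank.example",)

# Referers that get the warning in "known-sites" mode (constructed sample).
KNOWN_PHISHING_HOSTS = {"rbc-secure-login.example.net"}

LOGO = "logo.gif"
WARNING = "warning-fraudulent-site.gif"

# Placeholder bytes so the handler runs offline (constructed, not real GIFs).
IMAGES = {LOGO: b"GIF89a<logo>", WARNING: b"GIF89a<WARNING! FRAUDULENT SITE!>"}


def referer_host(referer):
    """Lower-cased host from a Referer header value, or None when the header
    is absent or does not parse as a URL."""
    if not referer:
        return None
    try:
        return urlsplit(referer).hostname  # urlsplit lower-cases the host
    except ValueError:  # e.g. a malformed IPv6 literal
        return None


def is_own_host(host):
    """True for the bank's own hosts and their subdomains."""
    return any(host == own or host.endswith("." + own) for own in OWN_HOSTS)


def choose_image(referer, mode="any-hotlink"):
    """Pick the image to send for the logo URL.

    mode="any-hotlink": every off-site referer gets the warning image.
    mode="known-sites": only referers in KNOWN_PHISHING_HOSTS get it.
    A missing or unparsable Referer gets the normal logo: browsers and
    proxies often strip the header, and those users may well be on the
    bank's own site.
    """
    host = referer_host(referer)
    if host is None or is_own_host(host):
        return LOGO
    if mode == "known-sites":
        return WARNING if host in KNOWN_PHISHING_HOSTS else LOGO
    return WARNING


def logo_app(environ, start_response):
    """Minimal WSGI handler for the logo URL (assumed path /images/logo.gif)."""
    name = choose_image(environ.get("HTTP_REFERER"))
    body = IMAGES[name]
    headers = [
        ("Content-Type", "image/gif"),
        ("Content-Length", str(len(body))),
        # The response depends on Referer, so a cache keyed on the URL alone
        # must not reuse it: otherwise a cached warning could show up on the
        # bank's own pages, or a cached logo on the phishing page.
        ("Vary", "Referer"),
        ("Cache-Control", "private, no-store"),
    ]
    start_response("200 OK", headers)
    return [body]


def simulate_request(referer=None):
    """Run one request through logo_app; return (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/images/logo.gif"}
    if referer is not None:
        environ["HTTP_REFERER"] = referer
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(logo_app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for ref in (None, "https://www.rbcroyalbank.example/signin",
                "http://rbc-secure-login.example.net/login.php"):
        print(repr(ref), "->", simulate_request(ref)[2])
```

Two things to keep in mind with this approach: the Referer value is entirely under the requesting browser’s control, so it is only useful for the "confused victim" case, never as a security boundary; and the cache headers matter, because a shared cache that ignored Referer could serve the warning image on the bank’s own site.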

This technique is interesting, though I don’t know how effective it is. It’s trivial for phishers to serve local copies of the images instead of hot-linking them, and any browser or proxy that strips the Referer header will receive the normal logo anyway, so there is a simple work-around for phishers.

More Confused Phishers

Here’s an excerpt from another multiple-personality phishing email. I wonder if this is from the same group that conflated WAMU, Charter, and Regions Bank.

We recently reviewed your account, and suspect that your Charter One Bank Internet Banking account may have been accessed by an unauthorized third party.

Protecting the security of your account and of the Washington Mutual network is our primary concern. Therefore, as a preventative measure, we have temporarily limited access to sensitive account features.

Money Laundering With Mules

Ever wonder what would happen if a phisher stole your bank account information? Phishers who want to stay in business won’t empty your account directly. They often operate in countries from which it is difficult to work directly with American banks. Plus they don’t want to lead authorities directly to them. So how do they get your money? Mules.

A mule is a go-between that phishers "use" to launder money. Phishers transfer money from compromised accounts to an account opened by the mule. The mule then withdraws those funds (minus a commission) and sends a money order to the phisher. Sounds easy enough, but who in their right mind would do this for a phisher? The paper trail leads directly to the mule, and money laundering is a serious offense.

So phishers have to be a little more creative in their recruiting practices.

This email showed up today and kicked off this post:

We are web designers/programmers team. We are located in Moscow, Russian Federation. Currently, our team works for several US companies and we have difficulty in getting our wages.

They’re to pay us but they don’t send money directly to Russia, because the companies we work for pay us by direct deposits available in USA and Canada only. Reasonable question: why don’t they pay us by checks? Yes, they could, but here in Moscow it is really hard to collect on the American checks (enormous commission fees and it takes 2-3 months).

We realize that you can’t provide your current bank account. So, if you are ready to help, would you be so kind as to open a new zero-balanced checking account where they could send our wages.

So, when our employers get the account information they will initiate the transfer. When the bank transfers are completed your assistance is needed once again to transfer the money via Western Union or Money Gramm (it is not the best (profitable) way but it’s the fastest one).

Finally, we have to solve the problem regarding your interest in this deal. We suppose you should get an interest in this business and we can offer you a good compensation for your help. If you are ready to help, please, send your reply to the following email address…[edited]

Sounds more legit. I wouldn’t have to risk my own funds (zero-balance checking account), I’d make a little money, and help out a team of programmers who just want to get paid for work they have already done. I can see how these emails would be effective recruiting tools.

You’ve been warned 😉