[CLUE-Talk] Red Hat phish

Charles Oriez coriez at oriez.org
Mon Oct 25 11:12:17 MDT 2004


Just in case someone hasn't heard about this already. I got the alert from 
SANS this morning.  Details are presumably available on /.

Deceptive domain attacks launched against customers of Wells Fargo, Paypal, AOL, ... 
even Red Hat
<http://news.netcraft.com/archives/2004/10/25/deceptive_domain_attacks_launched_against_customers_of_wells_fargo_paypal_aol_even_red_hat.html>
(Netcraft Security: <http://news.netcraft.com/archives/security.html>)

A second fraudulent electronic mail targeting Red Hat Linux users has 
emerged, this time using a deceptive domain, fedora-redhat.com. The new 
wrinkle reflects a common trend in phishing scams, in which an initial 
attack is refined over time, becoming more convincing and plausible with 
each enhancement.

Detail-oriented Red Hat users on /. have had a field day ridiculing the 
grammar and spelling mistakes in the mail (Red Hat was spelled as one word) 
and listing numerous inconsistencies between the attack code and standard 
Red Hat update practices.
<http://it.slashdot.org/article.pl?sid=04/10/24/2352234&tid=172&tid=110&tid=218&tid=106>

However, the Red Hat and /. communities are progressively diverging, and 
the mail will have reached some people with Red Hat systems who are much 
less cautious and observant than the traditional Linux community.

The new scam, which follows on a similar attack over the weekend 
<http://news.netcraft.com/archives/2004/10/25/red_hat_users_targeted_by_bogus_advisory.html>, 
uses a domain, fedora-redhat.com, which might plausibly belong to Red Hat. 
While many phishing attacks rely on obfuscated URLs to deceive recipients, a 
growing number of scams are registering look-alike domains to snare users 
<http://news.netcraft.com/archives/2004/10/08/cardholders_targetted_by_phishing_attack_using_visasecurecom.html>. 
The fedora-redhat.com domain was registered on Saturday through Yahoo, which 
offers domains for $9.95.

Similarly, over the weekend Wells Fargo customers were targeted with a 
mail leading to a site in the domain wellzfargo.com, while other recent 
attacks have involved the domains my-paypal.com and errorbillingaol.com.

The trend illustrates the importance of defending domain names with 
business value, through avoiding using multiple domains for bona fide 
business, and monitoring the status of derivations of those names. 
Symmetrically, the registration or deployment of a domain can be a useful 
early warning of a fraud attack to targets of phishing scams, whereby 
prompt action can pre-empt such frauds.
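The quoted article recommends monitoring "derivations" of a business's domain names. Below is an added example of what such a monitor can look like; it is not part of the original post or of the Netcraft article. It scores a feed of observed domain names against a constructed set of protected brand labels using the three patterns the post itself names: a brand label with extra tokens attached (fedora-redhat.com, my-paypal.com, errorbillingaol.com), a one-character near miss (wellzfargo.com), and the bare brand label under hyphenation or another TLD. The `PROTECTED` map, the reason labels and the sample feed are all assumptions made for the example.

```python
"""Flag look-alike registrations of protected brand names.

Added example, not part of the original post or the Netcraft article it quotes.
The PROTECTED map and SAMPLE_FEED below are constructed for illustration.
"""

# brand label -> registrable domains that legitimately carry it (constructed)
PROTECTED = {
    "redhat": {"redhat.com"},
    "wellsfargo": {"wellsfargo.com"},
    "paypal": {"paypal.com"},
    "aol": {"aol.com"},
}

BRAND_LABEL = "brand-label"   # e.g. red-hat.com, paypal.net
EMBEDDED = "embedded"         # e.g. my-paypal.com, fedora-redhat.com
ONE_EDIT = "one-edit"         # e.g. wellzfargo.com


def registrable_domain(domain):
    """Return the last two labels, lower-cased ('updates.redhat.com' ->
    'redhat.com'). Simplified: assumes a one-label public suffix such as
    .com; real tooling should consult the Public Suffix List."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two short labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify(domain):
    """Return (brand, reason) if the domain looks like a derivation of a
    protected brand, or None if it is the brand's own domain or unrelated."""
    reg = registrable_domain(domain)
    if reg in set().union(*PROTECTED.values()):
        return None                      # legitimate domain or a subdomain of one
    label = reg.split(".")[0]
    squashed = label.replace("-", "")    # 'fedora-redhat' -> 'fedoraredhat'
    for brand in PROTECTED:
        if squashed == brand:
            return brand, BRAND_LABEL
        if brand in squashed:
            # Substring match; very short brand tokens (like 'aol') will
            # produce false positives that a human reviewer must triage.
            return brand, EMBEDDED
        if levenshtein(squashed, brand) == 1:
            return brand, ONE_EDIT
    return None


def scan(feed):
    """Run classify() over a list of domain names and return the findings as
    (domain, brand, reason) tuples, in feed order."""
    findings = []
    for domain in feed:
        hit = classify(domain)
        if hit:
            findings.append((domain, hit[0], hit[1]))
    return findings


# Constructed sample feed: the domains named in the post plus benign ones.
SAMPLE_FEED = [
    "fedora-redhat.com",
    "wellzfargo.com",
    "my-paypal.com",
    "errorbillingaol.com",
    "updates.redhat.com",   # legitimate subdomain, must not be flagged
    "example.com",
]

if __name__ == "__main__":
    for domain, brand, reason in scan(SAMPLE_FEED):
        print(f"{domain:24} {brand:12} {reason}")
```

In practice the feed would be a daily export of newly registered domains or certificate-transparency log entries, and the `PROTECTED` allowlist is the list of domains the business actually operates; a hit is a trigger for early takedown or customer warning rather than a verdict on its own.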


--
coriez at oriez.org 39  34' 34.4"N / 105 00' 06.3"W
Lamport's Law: "A distributed system is one in which the failure of a 
computer you didn't even know existed can render your own computer unusable." 
