Phriend Phishing


Everybody knows about phishing these days: the attempt by an attacker to trick a victim into revealing information to them by masquerading as somebody else. For example, a site called examplé.com might attempt to pretend to be site example.com. It is often initiated by e-mail, whose sender address can be easily falsified, and often works with those victims who have an existing relationship with example.com.

A novel variation is beginning to make the rounds that I’d like to call phriend phishing: the attacker masquerading as another individual that is known to the victim.

For example, let’s say you are my buddy, and like me, you frequent social networking website example.net (I actually don’t visit that particular site, for good reasons ;-) but this is just an example). This social networking site allows you to create private groups, such as "my buddies" whose content is not accessible to non-members. I have a unique user handle at this site, say jollyfellow. The phriend phisher attacks you by creating a user handle that’s very similar to mine, say jolly.fellow, and gets you to approve his request to be part of your private group, because you think it is me. It is an attack because he’s now able to access information that he should not have access to; depending on the group, that may open up all sorts of nasty "business opportunities" for the attacker.

There is an even more effective avenue for this: some sites believe that they should print more "human" identifiers (such as first and last name) instead of unique user handles. If a site does this, nothing prevents the attacker from simply calling himself Johannes Ernst using any user handle he chooses, which makes the attack even more successful. Many non-techie users would need a lot of education to even understand what the problem is here.
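One defensive check a site (or a cautious group owner) could run on an incoming group-join request, covering both variants above: a handle that is a near-duplicate of an existing contact (jolly.fellow versus jollyfellow, or an accented look-alike) and a display name that matches an existing contact while the handle does not. This is an added example written for this post, not code from the author or from any site mentioned; the contact list, the handles and the similarity threshold are constructed for illustration.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed sample data: the victim's existing contacts, handle -> display name.
TRUSTED_CONTACTS = {
    "jollyfellow": "Johannes Ernst",
    "alice_w": "Alice Wu",
}

SEPARATORS = ".-_ "


def canonical(handle):
    """Collapse a handle to a comparison key.

    Steps: NFKD-normalize, drop combining marks (so 'ö' becomes 'o'),
    case-fold, and remove separator characters, so that 'Jolly.Fellow'
    and 'jollyfellow' compare equal.
    """
    s = unicodedata.normalize("NFKD", handle)
    s = "".join(c for c in s if not unicodedata.combining(c))
    s = s.casefold()
    return "".join(c for c in s if c not in SEPARATORS)


def similarity(a, b):
    """Ratio in [0, 1] of how alike two canonical keys are."""
    return SequenceMatcher(None, a, b).ratio()


def assess_request(handle, display_name, contacts=TRUSTED_CONTACTS, threshold=0.85):
    """Return a list of warnings for a join request; an empty list means nothing looked off.

    The threshold (an assumption for this example) decides how close two
    canonical keys must be before a near-duplicate warning is raised.
    """
    warnings = []
    if handle in contacts:
        return warnings  # exactly an existing contact, nothing to flag
    key = canonical(handle)
    for known_handle, known_name in contacts.items():
        known_key = canonical(known_handle)
        if key == known_key:
            warnings.append(
                f"handle {handle!r} collapses to the same form as trusted contact {known_handle!r}")
        elif similarity(key, known_key) >= threshold:
            warnings.append(
                f"handle {handle!r} closely resembles trusted contact {known_handle!r}")
        if display_name and display_name.casefold() == known_name.casefold():
            warnings.append(
                f"display name {display_name!r} matches trusted contact {known_handle!r} but the handle differs")
    return warnings


if __name__ == "__main__":
    # Constructed requests: the real contact, the look-alike from the post, and a stranger.
    for req in [("jollyfellow", "Johannes Ernst"),
                ("jolly.fellow", "Johannes Ernst"),
                ("jollyfell\u00f6w", ""),
                ("bob_smith", "Bob Smith")]:
        print(req, "->", assess_request(*req) or "ok")
```

The request from jolly.fellow with display name "Johannes Ernst" triggers two warnings (near-duplicate handle and colliding display name), while the genuine jollyfellow and an unrelated bob_smith pass clean. The point for a site owner is that the display name alone should never be what the approving user sees; showing the warning next to the unique handle gives the non-techie user the cue the post says they currently lack.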

I’m bringing this up because of our work around the OpenID User Experience. As user-centric identity, like OpenID, is intended to empower the individual and make them safer on-line, this type of attack is one that we definitely need to build defenses against. I figured it needed a description and a name.

P.S.: How do you like it? [the name]