phishing attacks against ISPs (also with Google translations)

In this email message I'd like to discuss two subjects:
a. Phishing against ISPs.
b. Phishing in different languages against ISPs as soon as Google adds a
new translation module.

[My apologies to those who receive this email more than once. I am
approaching several different industries on this matter]

In the past few weeks there has been an increasing number of phishing
attacks against clients of Israeli ISPs. I've only seen a few of these,
but the local ISPs confirm it's happening across the board.

In all these cases, the phishing email is in Hebrew.

While we have seen ISP phishing and Hebrew phishing before, these
attacks started when Google added translation into Hebrew.

Is this a trend? Have other countries (or populations) been targeted
when Google added a translation module for more languages?

Notes:
a. Some Israeli ISPs emailed their clients warning against such attacks,
saying they'd never ask for their password, etc.

b. While I was certainly heavily involved with phishing originally and
even started the first coordination group to deal with the issue, I am
somewhat removed from it now, dealing more with phishing/banking Trojan
horses.
Can anyone educate me as to how often ISPs get phished, if at all?

c. If you get phished, what strategies if any have you taken to prevent
the attacks/respond to them/educate your clients? What worked?

d. I wonder if these translation misuses could eventually translate into
some intelligence we will see in Google security reports, such as on
malware.

  Gadi.

> In this email message I'd like to discuss two subjects:

That makes one of us,

> b. Phishing in different languages against ISPs as soon as Google adds a
> new translation module.

> In the past few weeks there has been an increasing number of phishing
> attacks against clients of Israeli ISPs. I've only seen a few of these,
> but the local ISPs confirm it's happening across the board.

Confirmed. Not more than two days after Google added its /intl/xx-bork/
translation site, my best friend (he's Swedish - a high-profile Chef) told
me he was scammed out of thousands of dollars by someone on the internet
that he didn't know. (Actually his words were "Eye lost all mee moolah on
der webs! Its der Googol web-en page-en! Eye don know whatta think-a, bork
bork bork!").
..
On a more serious note, how does this relate to network operations?

> In all these cases, the phishing email is in Hebrew. While we have seen
> ISP phishing and Hebrew phishing before, these
> attacks started when Google added translation into Hebrew.

Since at the time Google added Hebrew translations, they also added

   1. Vietnamese,
   2. Slovak,
   3. Serbian,
   4. Catalan,
   5. Filipino,
   6. Indonesian,
   7. Latvian,
   8. Lithuanian,
   9. Hebrew, and
   10. Ukrainian,

Any reasonable person might assume that your 1/11th of new languages would
make up a little less than 100% of what is probably hand-picked "data".

Your data, or, to wit, your attempts to link Google and Phishing, need(s)
some work.

And by "needs some work" one might mean "are full of fail, try again later"

> Is this a trend? Have other countries (or populations) been targeted
> when Google added a translation module for more languages?

^^ Insert blatant attempts to get unfounded interviews with clueless media
here. ^^

Router(enable)# no ip mailing-list crazy

Paul Wall wrote:

> That makes one of us,

Paul, please refrain from silly attacks, as your message didn't provide
anything substantive for this list. And your attempts at derisive humor
weren't amusing. Grow up.

William Allen Simpson wrote:

I've not recently seen an ISP account phish here. The last one I remember
was circa 2003. It was a dictionary attack, arriving at my was@ account
(long since rendered useless by spam volume and terminated).

However, I don't save phish/spam anymore. I used to save everything --
providing many of the examples for http://fraudgallery.com/ -- nowadays,
just daily scan for false positives, report monetary phish to the few
ISPs that actually promptly close down bad actors, and delete the rest.

One of the responses off NANOG was very interesting. I will attribute after asking for permission to re-post.

The guy mentioned the concept of sending warning emails to customers to begin with. His opinion is that it is a mistake, and only causes confusion. On top of that it raises support desk costs as people call in for explanation, as well as to report new fraudulent emails they see while in the past they mostly just ignored them.

I hope to get more feedback on the matter, and see if other folks have the same experience.

Good luck, Gadi.

I appreciate your feedback, I had no idea ISP phishing goes all the way back to 2003.. although dictionary attacks may not be best defined that way. Definition discussions are boring though.

Danke,

  Gadi.

If I actually *see* one, I'll let you know. Would be a welcome change
from all the scams I continually get in languages I *can't* read.

The only recently successful scams that I am aware of which specifically
targeted ISPs have been to obtain control of domain registrar accounts.
Whether that was accomplished via phishing, or via some other nefarious
method, is still unclear.

- ferg

Gadi Evron wrote:

> The guy mentioned the concept of sending warning emails to customers to begin with. His opinion is that it is a mistake, and only causes confusion. On top of that it raises support desk costs as people call in for explanation, as well as to report new fraudulent emails they see while in the past they mostly just ignored them.

The earliest warning email we sent out to customers was:

# Date: Mon, 11 Aug 2003 15:34:43 -0500
# Subject: New Virus Warning
#...
# There is a new virus spreading around the internet. It has a subject like
# "your account" and it has the following text in it: