A whole new meaning to Phishing.

UPDATE: At the suggestion of Dan Raywood from SC Magazine I am now offering up a prize to the first person to mail me all the fish I have (kind of) hidden in the blog entry. You can win my splendid USB fridge to keep your prize catch cool.

UPDATE 2: This competition has now closed and the prize been claimed. The lucky recipient of a Trend Micro USB fridge is The Harmony Guy, congratulations and may you have many happy hours together, and many thanks to all who played.

________________________________________________________________________________________

Good Cod! Sometimes it feels as though I am endlessly carping on about web site security and the value of personal information and while I realise that this is no plaice for levity, this most recent hake is noteworthy enough to cover. Most recent victims of the cybercriminal in their pursuit of gold, fishkeepers are not immune.


The web site Practical Fishkeeping has been compromised and the details of their forum users have been put at risk. Practical Fishkeeping is no sprat, boasting almost 24,000 registered users. The site is currently offline as the damage is repaired.


Practical Fishkeeping offline


Practical Fishkeeping have not left their members floundering: an email from Matt Clarke, Editor-in-Chief of the Practical Fishkeeping magazine, was sent to all forum members on Friday evening. It is not immediately clear how the hack came to light, but the mail noted:

We have been made aware that hackers have breached our website security. This is a criminal offence, and information on our register about our readers (usernames, passwords, email addresses, postal addresses and in some cases telephone numbers) may have been viewed or taken.

The mail goes on to say “If you used your password for practicalfishkeeping.co.uk for other websites, you should change those passwords.”


It may be easy from my perch to criticise, but if passwords truly were visible to attackers, then the web site was not applying even the most bassic secure design principles such as storing passwords in an encrypted format (along with other personally identifiable information). This would ensure they are not made available to any john dory.
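As an added example (not code from this post or from Practical Fishkeeping's forum software), here is the contrast the paragraph draws: a user record that stores the password as typed beside one that keeps only a per-user salt and a slow hash of it, so that someone reading a dumped table does not read the passwords. It uses PBKDF2-HMAC-SHA256 from Python's standard library as the storage technique; the usernames and passwords are made up for the demonstration.

```python
"""Storing forum passwords so a database dump does not hand them over.
Records below are constructed for illustration only."""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # slows offline guessing against a stolen table


def plaintext_record(username: str, password: str) -> dict:
    """The weak design the post describes: whoever reads the row reads the password."""
    return {"username": username, "password": password}


def hashed_record(username: str, password: str, salt: Optional[bytes] = None) -> dict:
    """The basic secure design: keep only a random salt and a slow hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"username": username, "salt": salt.hex(),
            "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash for a login attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def password_recoverable_from_dump(record: dict) -> bool:
    """What a dumped row gives away directly: only the plaintext design
    carries the password itself as a field."""
    return "password" in record


if __name__ == "__main__":
    weak = plaintext_record("angelfish_fan", "Tetra1234")
    strong = hashed_record("angelfish_fan", "Tetra1234")
    print(weak)    # the password sits in the row
    print(strong)  # only salt and hash; the password is not in the row
    print(verify(strong, "Tetra1234"), verify(strong, "guppy"))
```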


In all seriousness, this attack is highly reminiscent of the recent hack of the Richard Dawkins forum and is very much a trend I expect to see increasing over the coming months and years. Gaining access to the database of a popular website offers potential high returns for relatively little effort. If this phenomenon is in need of a new name, I offer up the term Phlatphishing.


There are several ways that your details can be exposed when they are stored by third parties: misconfiguration, poor coding or unpatched systems, for example. This will only increase in importance as cloud services are more widely adopted. Remember, when you are registering for a community such as an online forum, you are under no obligation to give either complete or accurate personal information.


Only give whatever information is essential for the use of the service you are registering for.


If the service requires more details than you are willing to share, you don’t necessarily have to be truthful, there’s always room for a red herring.


Consider using disposable email addresses for online services, that way if there is a compromise you can simply delete the address.


If you are concerned that you may have been affected by this attack and have not yet received a notification from Practical Fishkeeping, you could try contacting the publishing house Bauer Media in the first instance.


You may have noted I am not one to let the chance for a good pun goby, and if any of these have been crappie, I offer my sincere apologies.

3 thoughts on “A whole new meaning to Phishing.”

  1. Reader

    “but if passwords truly were visible to attackers, then the web site was not applying even the most bassic secure design principles such as storing passwords in an encrypted format”

    Now I neither know that site nor do I know what forum software they use or used to use,

    but even if the forum usually doesn’t store passwords in plaintext,
    there’s still the possibility that the attacker modified it to log (or the like) them on login/registration, along with other regular plain information (email address, username, …).

  2. Pingback: A whole new meaning to Phishing. » CounterMeasures « Jared Rimer’s Technology blog and podcast

  3. Pingback: Tweets that mention A whole new meaning to Phishing. » CounterMeasures -- Topsy.com
