I didn’t leave it at that; I wanted to see how well the imitation continues in the rest of the steps. So I clicked on the link in the mail and it took me to an almost identical PayPal site. Look at the snapshot below and compare it with the PayPal US website. In the phishing site the only way you can identify it as fraudulent is by looking at two things: one, the URL, and two, when you click on any link like “About”, “Privacy” etc., it always lands you back on the login page. But just by comparing these two screens you will be surprised at the amount of imitation in terms of fonts, styles, images etc.
Here is the fun part. The phishers can’t really validate whether someone is genuinely entering their PayPal login and password. Their best bet is that if someone is really convinced it is from PayPal, they will input their credentials. But what matters to these people is not the credentials but the details on the subsequent page. So enter any invalid email address and password and you will be taken to the next page. On the next page come the details these guys want: the whole credit card section. Look at the screenshot.
Again the highlight here is that, to convince the user, they have links like “Help finding your Card Verification Number” and “Why is ATM PIN required?”. Clicking on the “Why is ATM PIN required?” link shows a popup with the message below.
“By adding VeriSign Payment Services industry-leading tools such as Payflow Link and Payflow Pro to PayPal’s suite of payment solutions, we’re now able to offer online merchants even more choices for their businesses.
Requiring PIN Signatures is the latest security measure against: identity theft, credit card fraud and unauthorized account access. PayPal will verify it with your bank records for your own protection.
If you provide a wrong PIN your account will be suspended for unauthorized account access.”
LOL at the last line there.
But Firefox was quick to mark this as a forgery website when I tried a second time, clicking on the link to take a screenshot for posting here. What surprises me most is that this is not a mere copy-paste job; it involves a lot of work to imitate the original site, including some testing. For example, the login page does a valid-email test. So there must be a team with good knowledge of web application programming (this one was done using PHP; just looking at the URL gave that away), HTML, CSS etc. If only these guys could use their skills to get a decent job: not only would they stay out of a bad cause, but the software industry would have a few more good developers. Do these guys realize that writing software for someone to steal money from those who succumb to this deceit is as good as being thieves themselves?
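The two tells described above (a URL that is not on the brand's own domain, and every navigation link resolving back to the login page) can be checked mechanically. The Ruby below is an added example written for this page, not code from the post or from any phishing kit: it runs the checks over a constructed HTML sample modelled on the page described here, and adds a third check the post does not spell out (where the login form posts its credentials). The host names in it, `secure-paypal.example.net` and the `LEGIT_HOSTS` list, are assumptions for the demo, not the real phishing URL.

```ruby
require 'uri'

# Hosts treated as the genuine brand (assumption for this demo).
LEGIT_HOSTS = %w[paypal.com www.paypal.com].freeze

# Constructed sample modelled on the page described in the post: every
# navigation link resolves back to the login page and the form posts to the
# phishing host itself. Not the real page.
SAMPLE_PHISH_HTML = <<~HTML.freeze
  <html><body>
  <form method="post" action="login.php">
    <input name="login_email"><input name="login_password" type="password">
  </form>
  <a href="/index.php">About</a>
  <a href="index.php">Privacy</a>
  <a href="index.php#">Help</a>
  </body></html>
HTML

# Constructed contrast sample: distinct navigation targets, form on the brand host.
SAMPLE_LEGIT_HTML = <<~HTML.freeze
  <html><body>
  <form method="post" action="https://www.paypal.com/signin"></form>
  <a href="/about">About</a>
  <a href="/privacy">Privacy</a>
  </body></html>
HTML

# Pull href values out of <a> tags and action values out of <form> tags.
# A regex is enough for a demo; use a real HTML parser (e.g. Nokogiri) for real pages.
def extract_hrefs(html)
  html.scan(/<a\b[^>]*\bhref\s*=\s*["']([^"']*)["']/i).flatten
end

def extract_form_actions(html)
  html.scan(/<form\b[^>]*\baction\s*=\s*["']([^"']*)["']/i).flatten
end

# Resolve a link against the page URL and drop the fragment, so that
# "index.php", "/index.php" and "index.php#" all count as the same target.
def resolve(page_url, href)
  target = URI.join(page_url, href)
  target.fragment = nil
  target.to_s
end

# Return a list of findings; an empty list means none of the tells fired.
def phish_findings(page_url, html)
  page = URI.parse(page_url)
  findings = []

  # Tell 1: the page is not served from the brand's own domain.
  findings << "page host #{page.host} is not a #{LEGIT_HOSTS.first} host" unless LEGIT_HOSTS.include?(page.host)

  # Tell 2: every navigation link goes to one place (the login page).
  targets = extract_hrefs(html).map { |h| resolve(page_url, h) }
  if targets.size >= 2 && targets.uniq.size == 1
    findings << "all #{targets.size} links resolve to #{targets.first}"
  end

  # Tell 3: credentials are posted somewhere other than the brand host.
  extract_form_actions(html).each do |action|
    action_host = URI.parse(resolve(page_url, action)).host
    findings << "form posts to #{action_host}" unless LEGIT_HOSTS.include?(action_host)
  end

  findings
end

if __FILE__ == $0
  puts phish_findings('http://secure-paypal.example.net/login.php', SAMPLE_PHISH_HTML)
  p phish_findings('https://www.paypal.com/signin', SAMPLE_LEGIT_HTML)
end
```

The second tell is the interesting one for a browser-side filter: a legitimate site almost never routes “About”, “Privacy” and “Help” to the same page, whereas a kit built from one screenshot of the login page has nowhere else to send them. None of these checks is conclusive on its own; they are cheap signals to feed into whatever forgery list or reporting flow the browser already uses.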
Click the button below to download the zip file containing the white paper and the shell scripts.
Download: Dynamically Scaling Web Applications in EC2.zip
This is just a first step towards scaling the applications dynamically. It would still require someone to decide when the application needs to be scaled up or down. But once that decision is made, it is just a matter of bringing instances up or down, and the rest is taken care of.
Feel free to pass on your comments and feedback.
The connection from the client applications to the web service worked fine, but the connection from the web application to the web service failed. Inspecting the log file showed the error below.
streamHandler.rb in `send_post’: 301: Moved Permanently (SOAP::HTTPStreamError)
I was originally thinking that this could be a problem with running the web services application behind NGINX and proxying the request. But if that were the case, then even the requests coming from the client applications through the subdomain URL should have failed. So I wanted to dig into this.
Oh, by the way, before I proceed: the application was on Rails 1.1.6, RubyGems 0.9.0 and Ruby 1.8.5. I know this combination is quite old, but we never got a chance to port the app to newer versions, and without code changes it breaks on newer versions of Ruby/Rails.
So I opened irb and tried to use the SOAP libraries directly to make a request to the web service. Here is the code snippet.
As you can see in the irb output above, once I create an RPC connection to the web service by providing the WSDL URL, the URL to the web service API is missing the port number! Apparently the service calls are routed to my default redirection configuration in the NGINX server for the web application. Looking at the NGINX log confirms that the request is redirected with an HTTP 301 status, which is what is thrown up above.
Honestly I don’t know what would be the fix at a code level, but I did solve this problem, by simply changing the virtual host for localhost:8880 to localhost:80. My reasoning here is since I have specific server domain configurations listening to port 80 and one would not be able to access the localhost:80 from the internet.
My question now, and something I have to dig into, is whether there is a way to tell the SOAP API explicitly to always use the given host and port when calling the web service. Please post comments/answers if you are aware of one. Thanks.
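The client learns where to send calls from the WSDL's `<soap:address location="...">`, and a location with no port is an `http` URL on port 80, which is how a call meant for localhost:8880 lands on NGINX's port-80 server and its 301. The Ruby below is an added example written for this page, not code from the post: it needs only the standard library, extracts the advertised location from a constructed WSDL fragment (modelled on the symptom above, not the real WSDL), compares it with the URL the WSDL was fetched from, and builds the endpoint you would pin on the client instead. The fetch URL `http://localhost:8880/ws/api?wsdl` and the path `/ws/api` are assumptions for the demo.

```ruby
require 'rexml/document'
require 'uri'

SOAP_NS = 'http://schemas.xmlsoap.org/wsdl/soap/'.freeze

# Constructed WSDL fragment modelled on the symptom in the post: the
# advertised address carries the host but not the port the service listens
# on. Not the real WSDL.
SAMPLE_WSDL = <<~XML.freeze
  <?xml version="1.0"?>
  <definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
               xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
               xmlns:tns="urn:Example" targetNamespace="urn:Example">
    <service name="ExampleService">
      <port name="ExamplePort" binding="tns:ExampleBinding">
        <soap:address location="http://localhost/ws/api"/>
      </port>
    </service>
  </definitions>
XML

# Every soap:address location the WSDL advertises.
def soap_address_locations(wsdl_xml)
  doc = REXML::Document.new(wsdl_xml)
  REXML::XPath.match(doc, '//soap:address', 'soap' => SOAP_NS)
              .map { |el| el.attributes['location'] }
end

# Compare the advertised endpoint with the URL the WSDL was fetched from.
# URI.parse fills in the scheme default (80 for http), which is exactly what
# a SOAP client does when the location carries no explicit port.
def endpoint_check(wsdl_url, location)
  fetched = URI.parse(wsdl_url)
  advertised = URI.parse(location)
  {
    advertised_host: advertised.host,
    advertised_port: advertised.port,
    fetched_port: fetched.port,
    port_mismatch: advertised.port != fetched.port,
    host_mismatch: advertised.host != fetched.host
  }
end

# Endpoint to pin on the client: keep the advertised path, but force the
# scheme, host and port the WSDL was actually served from.
def pinned_endpoint(wsdl_url, location)
  fetched = URI.parse(wsdl_url)
  advertised = URI.parse(location)
  klass = fetched.scheme == 'https' ? URI::HTTPS : URI::HTTP
  klass.build(host: fetched.host, port: fetched.port, path: advertised.path).to_s
end

if __FILE__ == $0
  wsdl_url = 'http://localhost:8880/ws/api?wsdl' # assumed fetch URL
  soap_address_locations(SAMPLE_WSDL).each do |loc|
    p endpoint_check(wsdl_url, loc)
    puts "pin: #{pinned_endpoint(wsdl_url, loc)}"
  end
end
```

With soap4r the pinned value goes into the driver's `endpoint_url=` setter (check it exists on the `SOAP::RPC::Driver` shipped with your Ruby 1.8.5/soap4r version before relying on it); the WSDL's own location is only a default, so this answers the port question without touching NGINX. A caveat on the vhost workaround: NGINX picks the server block on port 80 by matching the request's Host header against `server_name`, and falls back to the default server when nothing matches, so a `server_name localhost` block is reachable by any outside client that sends `Host: localhost` to the public address unless its `listen` directive is bound to 127.0.0.1. A quick check from another machine is `curl -H 'Host: localhost' http://<public address>/`; it should not reach the web service.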
My nephew, who is ten years old, has started helping his mom get groceries and other things all by himself. The last time I was with him over the weekend, he was going to buy groceries from the shop. I asked him how he would cross the main road (which always has heavy traffic, with town buses and trucks driving as though they are part of an F1 race). He said, “I use a strategy.” I asked him what that was. He said there is always one or more people crossing the road, and he just walks along with them. I smiled, and then he thought for a moment and asked this question: “What if the others wait for someone to start crossing?” I smiled and told him that if you take the first step, then you are leading and the rest follow you. It struck me after I said that that this is probably the only difference between a leader and a follower. A leader is confident about when to take the right step forward, and the followers believe in the leader and follow the leader’s steps.
Read my other Foundation Stone posts.
There was a marathon going on and there were people watching it. A villager who didn’t know about the marathon asked a person watching the race,
“Why are these people running?”
The person replied, “The first person who reaches the finish will get a prize.”
The villager then asked, “Then why are the others behind him running?”
The question the villager asked is thought-provoking. Why should the others keep running? For several reasons. The person running ahead could slow down because he has lost his energy, or the people following could gain speed and come ahead. The point is that nobody stops running just because someone is ahead. The hope and the confidence that you can make it to the top is what keeps everyone running. Also, in a marathon you look at who is running ahead of you and you are not bothered about who is following you. Set your target on someone who is ahead of you rather than comparing yourself with the people behind you. The basic point here is not to stop but to keep running. You may be a commodity running in the rat race, but it is better than standing still.
Read other Foundation Stone posts.
Wish you a happy and prosperous new year! May the coming year bring you success, health and prosperity.
Have a fantastic weekend!
A popular motivational speaker was entertaining his audience. Said he: “The best years of my life were spent in the arms of a woman who wasn’t my wife!”
The audience was in silence and shock.
The speaker added: “And that woman was my mother!”
Laughter and applause.
A week later, a top manager trained by the motivational speaker tried to tell this very effective joke at home. He was a bit foggy after a drink.
He said loudly, “The greatest years of my life were spent in the arms of a woman who was not my wife!”
The wife went wan with shock and rage.
Standing there for 20 seconds trying to recall the second half of the joke, the manager finally blurted out “… and I can’t remember who she was!”
Moral of the story:
Don’t copy if you can’t paste!
The top manager must be a guy who has never seen a computer in his life. Happy Thursday.