Anti-Phishing Tools
mikeage writes "PCWorld has an article about an anti-phishing tool available that tries to detect fake websites." This is about Web Caller-ID already in use by eBay's custom user toolbar. The article also talks a bit about the incredible increase in phishing scams.
Also, I would like to see a program that would pre-scan a URL and if it appears to be a fake Paypal or Visa site to put the actual domain, and display a warning to alert newbie users.
Boxing Equipment Reviews
Glasses would be a good anti-phishing tool... Seems almost 95% of the sites I come across just replace a . with a - somewhere. If people could see it more clearly......... :D
Does That Web Site Look Phishy?
WholeSecurity's new software claims to identify fraudulent sites.
Paul Roberts, IDG News Service
Monday, August 16, 2004
A new software tool from WholeSecurity can spot fraudulent Web sites used in online cons known as "phishing" scams, according to a statement from the company.
The new product, called Web Caller-ID, can detect Web pages dressed up to look like legitimate e-commerce sites. WholeSecurity is marketing the technology to banks, credit card companies, and online retailers as a way to prevent unwitting customers from accessing false sites, to reduce fraud, and increase confidence in online commerce, the company says.
Phishing scams are online crimes that use unsolicited commercial, or "spam," e-mail to direct Internet users to Web sites controlled by thieves, but are designed to look like legitimate e-commerce sites. Users are asked to provide sensitive information such as a password, Social Security number, bank account, or credit card number, often under the guise of updating account information.
Already in Use
A version of Web Caller-ID is already being used by EBay in a feature called Account Guard, part of an EBay Web browser toolbar that users of the online auction site can download for free. The feature detects suspicious behavior, such as Web URLs that disguise the true Internet address of the site the user is visiting.
Companies can license a Web browser plug-in from WholeSecurity, which can then be distributed to customers directly or as part of a Web browser toolbar. Alternatively, companies can sign up for an e-mail processing service from WholeSecurity that harvests information on phishing scams from spam e-mail or customer complaint e-mail sent to the company, WholeSecurity says.
A Web browser-based management console lets administrators view suspected phisher sites, file complaints against spoof Web sites, or fine-tune the Web Caller-ID technology to adapt to their company's Web site.
On the Rise
Reports of phishing attacks have skyrocketed in recent months, according to the Anti-Phishing Working Group (APWG), a joint industry-law enforcement group.
There were 1422 new, unique attacks reported to the APWG in June, a 19 percent increase over the previous month. Since the beginning of 2004, reports of the attacks have grown by 52 percent a month on average, the group says.
A survey of 5000 adult Internet users by research firm Gartner released in April found that the number of phishing attacks spiked in the last year and that around 3 percent of those surveyed reported giving up personal financial or personal information after being drawn into a phishing scam. The results suggest that as many as 30 million adults have experienced a phishing attack and that 1.78 million adults could have fallen victim to the scams, Gartner says.
Taking the First Step
Web Caller-ID is not a cure-all for the phishing problem, but is a good first step to provide comprehensive protection from the scams, says Howard Schmidt, former White House cybersecurity advisor and the current chief information security officer at EBay.
"These are some of the things we need to do moving forward--getting technology built into the Web browsers themselves to do these things," he says.
However, better user education and stronger security from online retailers, banks, and financial institutions is also needed to protect technically unsophisticated consumers from complex online cons like phishing attacks, Schmidt says.
"You can't put somebody in a car and tell them to drive, but not tell them what the brake and gas pedal are for," he says.
I thought the general consensus was that technological solutions to social problems don't work.
Spoofstick is a plugin for FireFox or Internet Explorer that can help identify 'phishy' sites while surfing.
It does take a little more real estate out of the browser's window, but it's a pretty useful tool when teaching people about the dangers of clicking links blindly.
"For every right, an equal responsibility..."
...I wasn't supposed to give s1ashdot my credit card number to read this story?
Sheesh, evil *and* a jerk. -- Jade
The proper solution to phishing scams is
1) Educate everyone not to give out confidential information to anyone.
2) Track the phishing sites and publicly hang the owner. These things are not difficult to track by the very nature of the scam.
Just don't click on any links via email to anything unless you solicited it (such as an email verification to a mailing list you're subscribing to). When I'm in doubt, all I do is type in the URL to the bank/brokerage/etc. web site myself (fire up browser and type in homepage URL), log in and find out if there is anything going on. Most such websites have a way to look at everything and take any needed action right away after you type in a user/pass.
*sigh* and on that note there is a sucker born every minute I suppose.
...in bed
What we need is a way to automatically reply to these phishing scams with bogus information. I'd like to be able to order everything sent in a spam message too with bogus information. Beat them at their own game!
People who are likely to fall for the usual phishing techniques are, unfortunately, not likely to install any tools to prevent phishing. Odds are, that they never knew it existed before they fell for it.
Visine?
I've tried to actually reply to some of the money-caught-in-foreign-bank phish attempts and the only thing I get back is more and more phishing. I've failed to reach the point where they ask for your SSN, credit card or my first born child. Either they're stupid and don't want my information, or they're smart and realize I know what they're up to.
-- Checking emails and kicking cheats `till the day I die.
From what you and I probably see, yes. Phishing begins with an email, because we probably don't browse shady sites regularly. I don't know what the average user sees in their regular browsing. I can't even figure out where people get all the spyware from in the first place. As far as phishing emails, I know I get one email regularly that looks like a CitiBank email, but it is a .jpg file embedded. The URL has citi in it, but if you look closer, it's obviously not the right site. I'd report it, but Citi Bank's online reporting sucks.
It's called a healthy dose of cynicism.
If somebody I have financial dealings with contacts me out of the blue to check my password/account number/mother's maiden name etc. I contact them back - not using the linkback on that e-mail but using the contact details from the documentation I got when I signed up. And I ask them if it's a scam or not.
And I don't reply until the bank/whatever has got back to me.
'Don't worry' said the trees when they saw the axe coming, 'The handle is one of us.'
My Anti Phishing tool is my brain. I mean sometimes these phishing e-mails are nto even spoof so that they appear to come from the company that they are spoofing. Sometimes the website has graphics for the company they are trying to appear as and the URL is in CHINA! First off, No company shuld EVER ask you to click on a link and enter personal information for things. No mortgage company I know of will actually advertise in a spam and if they do, then your alert flag should go up. If you just use common sense, you should be more then able to determine if a web page or e-mail is a phishing attempt. Unfortunately, your grandma or your mom may not. I think that companies liek AOL need to add more training wheels to their service so to speak and help them with determining if something is legit or not. Would I ever load such software? No I would not because I don't need it....but my mom might.
Gorkman
Here is more information, the SANS Internet Storm Center has seen much activity (and growing) of this shit.
--------
is to install a spyware toolbar ?
i have enough trouble persuading users NOT to install crappy toolbars and plugins as it is without people recommending that they do,
MS ActiveX and to a lesser extent Mozilla's XPInstall xpi features coupled with uninformed users are the main reason spyware/malware exists and is so easy to exploit, can you explain the difference to a (l)user between a good plugin/toolbar and a bad one ?
security should be built into the browser
My theory is that unlike the script-kiddies of the old days, 99% of all phishing is work of organized crime. I believe that they recruit users at ISP's in places where internet (or any for that matter) law is not enforced (like Kosovo), they provide people simple step-by-step instructions on what to do, give them lists of fake card numbers and pay them based on the number of accounts hacked (e.g. $1 for every 50 good passwords). The actual cleaning out of the accounts probably happens elsewhere and at a much higher level because you need a much more elaborate system for it (off-shore bank accounts, etc). At least if I was doing it, this is how I would set it up. The users appear to be not very smart - we often see weird typos, names spelled in all caps and other dead giveaways - why would ANNE FISHER from Ohio signup for a year of virtual hosting and register a domain XABCDFERNG.COM for 10 years?
We see that they are getting more elaborate in their attempts to sign up for an account. They try to use proxies or zombies now (because most sane companies will flat out refuse any attempts to sign up from Indonesia, Romania, etc.).
A funny side note - we got a copy of a credit card statement from one of the unfortunate cardmembers whose card's been stolen as part of the "chargeback" report, and among various hosting accounts they signed up for, there was a $20 contribution to moveon.org - go figure!
Right now the best way to fight off phishers is to attempt to speak to the customer in person, it has worked 100% for us so far. But since this phishing thing is probably big money for some mafia boss, I think the motivation is there for them to get more technologically advanced, and I wouldn't be surprised if we start seeing fake VoIP phone numbers provided where the criminals would answer the phone in English and pretend to be cardmembers.
Another very unfortunate side-effect of this is that it's the merchants who eat the cost of it. For every instance of fraud, we get the funds withheld and transferred back to the cardmember (don't be fooled by those reports of "poor" cc companies bearing the cost of fraud!) AND we get slapped with a $25-$50 penalty by the CC processing company AND our rates go up. So it's almost in their interest that cards get stolen, it simply means more revenue for them. Now our services are "virtual", but for those who actually ship something physical (like a shirt), they get to eat the cost of that as well.
You can't put somebody in a car and tell them to drive, but not tell them what the brake and gas pedal are for
I think this statement is completely backwards. You can give someone the tools; ie. tell them what the gas and brake are for, but under no circumstances can you make them use them (properly) or understand the full consequences of not using them. This is especially true for users who are not technically inclined.
My web domain.
Phish Net
Some folks here may find it useful.
This nifty quiz can help you assess your phishing detection abilities. Recommended.
"There are already a million monkeys on a million typewriters, and Usenet is NOTHING like Shakespeare." - Blair Houghton
My Anti Phishing tool is my brain. I mean sometimes these phishing e-mails are nto even spoof so that they appear to come from the company that they are spoofing. Sometimes the website has graphics for the company they are trying to appear as and the URL is in CHINA! First off, No company shuld EVER ask you to click on a link and enter personal information for things. No mortgage company I know of will actually advertise in a spam and if they do, then your alert flag should go up. If you just use common sense, you should be more then able to determine if a web page or e-mail is a phishing attempt. Unfortunately, your grandma or your mom may not. I think that companies liek AOL need to add more training wheels to their service so to speak and help them with determining if something is legit or not. Would I ever load such software? No I would not because I don't need it....but my mom might.
I don't know... I was told that phishing scams often played on misspellings, so my "red alert" flag is going up on your message.
Someone should create a phishing-detection extension for Mozilla. Does anybody have any ideas about how that would work efficiently/effectively? Same as EBay technology?
an anti-phishing tool available that tries to detect fake websites.
I may be relatively new to the internet, but after my son cleaned my PC last month of a bunch of maluair, he told me to never install any tools for my internet, no matter how good it sounds. So you can hawk your "useful" tool as much as you want, I ain't biting.
I've noticed that neither Firefox nor new versions of IE let you do the www.cnn.com@http://myattackersite.com phishing vulnerability; Firefox warns you (as long as myattackersite.com doesn't request authentication), IE just doesn't let you do it as far as I've seen (but this is hearsay; I haven't used IE in years).
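A sketch of the URL pre-scan asked for near the top of the thread, covering the `user@host` trick described in the comment above and the dot-for-hyphen swap mentioned earlier. This is an added example, not part of any post and not the code of any tool named here; the allowlist, the sample URLs and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example only; a real deployment maintains its own.
KNOWN_GOOD = ("paypal.com", "ebay.com", "citibank.com", "cnn.com")
BRAND_TOKENS = {d.split(".")[0] for d in KNOWN_GOOD}


def _is_known_good(host):
    """True if host is a listed domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in KNOWN_GOOD)


def _contains_run(labels, run):
    """True if `run` occurs as a contiguous slice of `labels`."""
    n = len(run)
    return any(labels[i:i + n] == run for i in range(len(labels) - n + 1))


def prescan(url):
    """Return the host the browser will really contact, plus warning findings."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
        userinfo = parts.username
    except ValueError:
        return {"host": "", "trusted": False, "findings": ["unparseable"]}
    if parts.scheme not in ("http", "https") or not host:
        return {"host": host, "trusted": False, "findings": ["unparseable"]}

    findings = []
    # Everything before '@' in the authority is login data, not the destination.
    if userinfo is not None:
        findings.append("userinfo-decoy:" + userinfo)

    known = _is_known_good(host)
    if not known:
        # Treat '-' as '.' so "www-paypal.com" lines up with "www.paypal.com".
        labels = host.replace("-", ".").split(".")
        for domain in KNOWN_GOOD:
            if _contains_run(labels, domain.split(".")):
                findings.append("embedded-domain:" + domain)
        for brand in sorted(BRAND_TOKENS & set(labels)):
            findings.append("brand-token:" + brand)
    return {"host": host, "trusted": known and not findings, "findings": findings}


def warning(url):
    """One-line message a toolbar could show next to the address bar."""
    result = prescan(url)
    if result["trusted"]:
        return "OK: " + result["host"]
    if not result["findings"]:
        return "UNKNOWN: " + result["host"]
    return "WARNING: real destination is %s (%s)" % (
        result["host"] or "an unparseable address", ", ".join(result["findings"]))


# Constructed sample links, labelled as such.
SAMPLES = [
    "http://www.cnn.com@myattackersite.com/",
    "http://www-paypal.com/",
    "http://signin.ebay-com.example.net/",
    "http://online-citibank.us/login",
    "https://www.paypal.com/signin",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(warning(sample))
```

Matching against an allowlist sidesteps the need for a public-suffix list, at the cost of only recognising brands that are on the list.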
What about using something similar to the Sender Policy Framework (SPF) for web sites. Create a list of known good websites for your company, and if the browser attempts to access something say eBay related, it will look at eBay's SPF list and see whether it's an authorized server or not.
------
"And may your days be long upon the earth."
There are not many unique addresses in the list; most are repeated many times throughout it. And there are a couple that just aren't valid IP addresses at all. Not much of a list yet, but good luck with it anyway.
this needs to happen, but it's like a spam Blacklist, it's pretty much out of date once it's created! better would be to have ISPs build lists and flag certain sites as possible phishing grounds, but there again, how up to date would they be?
Bottom line is, all of our parents/kids/friends need to know; don't give info out online unless YOU initiated the contact.
CB#__8&*(#@
free ipod and free gmail!
Methinks you took a wrong turn by the AOL boards.
Web Caller-ID is not a cure-all for the phishing problem
How about actually going after the people doing the scams as a solution. Also the providers who don't shut them down.
I must have missed that part in the article. This is going to be just like the spam problem. It's a problem that the end user needs to deal with and not something to be corrected at the source. Well not until at least it gets to epidemic proportions.
Mud and police roadblocks?
sulli
RTFJ.
What will I do for fun if I am not able to see those extremely hilarious infomercials about how you can do *nothing* and the fat will just dissolve off your body!
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
% perl -e 'print teamhasnoi.hasSenseOfHumor()'
0
%
I got an email from Earthlink that looks SO MUCH like a textbook Phishing scam ( your credit card number's going to expire... ) that I deleted it the first couple times it came my way.
It kept on coming, however, and I decided to go to earthlink myself ( e.g., not clicking the link ) and see what the deal was.
Turned out, it was legit. Amazing.
The trouble here, really, is how do we handle legitimate email from banks, ISPs, etc?
lorem ipsum, dolor sit amet
Damn!
http://www.advertysement.com/ is slashdotted already!
Too bad e-bay won't take the time to publish SPF records (spf.pobox.com) or microsoft "caller ID" records. It would probably take them less than a minute...
And on their websites they should say on top: "REMEMBER: WE *NEVER* SEND YOU EMAIL ABOUT ANYTHING."
If you want to know something, you just visit eBay or your bank account.
Best Buy can have you arrested
Don't forget
3) Use public key cryptography to verify the authenticity of sites you do business with.
-jim
Most of these phishing sites are set to get passwords and CC numbers. Solution: use one-time passwords as in Scandinavian banks, for all things involving CC and money. The phishers can grab your passwords all they want, they'll be useless.
When you get an email, at the top, 'caller ID' shows up (e.g. "This email was sent from: SOMEWHERE IN CHINA", vs. "This email was sent from: CITIBANK'S servers")
When you mouseover a link, a LARGE JavaScript thingy pops up saying "This link is to: SOMEWHERE IN NIGERIA" or "This link is to: CITIBANK'S site"
Honey, I shrunk the Cygwin
Phishing scams have no way to determine whether the password you enter is correct or incorrect.
If you enter in an incorrect password/username combo and the site redirects you to the real site's password and login prompt or does something other than telling you your username/password combo is incorrect, then you're definitely dealing with a phishing scam.
Of course, you can be clever and have the scam always return "wrong username/password." If the scam's set up to do that, the only way to tell that it's a scam is to enter... your correct password and username. Clever, eh?
So if your password "doesn't work" for an indefinite period, and then suddenly starts working again when you actually go to the site that requires your name/password via google, do yourself a favor and change your damn password.
Let's make a couple of risky assumptions
1) That as an educated user I only submit sensitive information over an SSL encrypted connection using an SSL certificate signed by a third party.
2) That I check that the certificate corresponds to the site I'm visiting.
This should prevent me from submitting any information to a phishing scam provided that I'm using a browser which correctly implements the SSL/TLS exchange.
So why would a hosting company or a user bother with Web caller ID? A properly configured browser and SSL should prevent phishing attacks. Correct?
--- Friends don't let friends sig
Consider the hotmail example. I need to be able to see the full headers to determine which IP address it arrived from. I would also need to be able to see where the "purchase upgrade" link points, to see whether it's a phishified URL. Without those, I'd lean towards non-scam just from the generally correct spelling and non-suspicious nature of the request, but really that's not enough to be sure.
Novice users hear about phishing, will think any old anti-phish tool will do.
Letter To Iran
Scams I have seen recently involve setting up an infringing domain name, say "online-citi.us" instead of "citi-online.com". One cannot expect the users to remember the host name of all their finance and shopping sites. Even when the infringing domain gets yanked after a few hours, it can remain cached in DNS for a long time.
Web-caller ID seems sensible - just get browsers to implement the web equivalent of SPF. Sounds pretty easy to me.
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
Stop trying to infect me with your spyware! I'm wise to your tricks!
Most of the scam e-mails don't render properly in KMail -- which is what I mostly use -- anyway. But if they did, I'd probably go ahead and fill in a whole bunch of bogus details anyway. Can't be too hard to write a script that does a HTTP GET on the site URL, then submits random data. Preferably plausible data ..... maybe we could borrow the spammers' trick of picking words that seem to go together? And, of course, credit card numbers that pass The Test ..... not difficult, you just generate a 15 digit random string, and calculate the check digit.
IMHO the only thing missing from KMail is the ability to turn on and off HTML rendering and image loading on a folder-by-folder basis (so I can view known "ham" e-mail in the format it was sent; but my brain already renders HTML so well that <em>this looks a bit slanty</em>).
Je fume. Tu fumes. Nous fûmes!
We are only about 7000 away from the ten million comment mark. Let's just hope the lucky poster is not the GNAA guy.
The first step is obviously to check the headers of an email you receive. Just see who sent you the damn thing (from Received headers). Was it actually an IP belonging to .paypal.com? This is easy to check using 'whois'. If the whois lookup shows the IP delivering you the email is from the company you expect (VISA, Paypal, Ebay) then it's fine.
OK, how about an example. Take this US Bank phishing scam, here are the Received headers:
The first Received hop is my ISP. The second Received hop is the only important one; it describes the connecting host. Note that the host here pretended to be usbank.com but that name is a sender-supplied ID; it's worthless. What you're looking for is the IP address between square brackets, which can not be forged. Now just check 211.209.208.87 using whois
See, easy. This email came from Korea, not US Bank. It's a scam!
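The header check walked through in the comment above, as an added example that is not part of the original post. Only the address 211.209.208.87 and the usbank.com HELO claim come from the post; the message, the other hostnames and addresses, and both network lists are constructed, with the sender's range standing in for what a whois lookup would report. Hops written by your own provider are skipped, and the first hop from outside is the one assessed, since anything below it was supplied by the sending side.

```python
import email
import ipaddress
import re

# "from <HELO name> (<reverse DNS> [<connecting IP>])" as written by common MTAs.
HOP_RE = re.compile(
    r"from\s+(\S+)\s*\(([^()\[\]]*)\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]\)")

# Constructed message for the example (see lead-in for what is from the post).
RAW_MESSAGE = "\n".join([
    "Received: from mx2.isp.example (mx2.isp.example [198.51.100.7])",
    "\tby mailstore.isp.example with ESMTP id A1; Mon, 16 Aug 2004 10:00:05 -0400",
    "Received: from usbank.com (unknown [211.209.208.87])",
    "\tby mx2.isp.example with SMTP id B2; Mon, 16 Aug 2004 10:00:01 -0400",
    # Sender-supplied line: it was already in the message when it arrived.
    "Received: from mail.usbank.com (mail.usbank.com [192.0.2.10])",
    "\tby usbank.com with ESMTP id C3; Mon, 16 Aug 2004 09:59:00 -0400",
    'From: "US Bank" <service@usbank.com>',
    "Subject: Account verification",
    "",
    "Please confirm your details.",
])
OWN_NETWORKS = ["198.51.100.0/24"]   # assumption: the reader's ISP
SENDER_NETWORKS = ["192.0.2.0/24"]   # assumption: stands in for the whois answer


def parse_hops(raw_message):
    """Parse every Received header, newest first (the order they appear)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        match = HOP_RE.search(value)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(3))
        except ValueError:
            continue  # bracketed text was not an IP address
        hops.append({"helo": match.group(1).lower(),
                     "rdns": match.group(2).strip(),
                     "ip": ip})
    return hops


def in_any(ip, networks):
    """True if ip falls inside any of the CIDR strings in networks."""
    return any(ip in ipaddress.ip_network(n) for n in networks)


def boundary_hop(raw_message, own_networks):
    """First hop, reading downward, whose connecting IP is outside our provider."""
    for hop in parse_hops(raw_message):
        if not in_any(hop["ip"], own_networks):
            return hop
    return None


def assess(raw_message, own_networks, sender_domain, sender_networks):
    """Compare the connecting IP of the boundary hop with the claimed sender."""
    hop = boundary_hop(raw_message, own_networks)
    if hop is None:
        return {"verdict": "no-external-hop"}
    helo = hop["helo"]
    return {
        "ip": str(hop["ip"]),
        "helo": helo,
        "helo_claims_sender": helo == sender_domain
                              or helo.endswith("." + sender_domain),
        "verdict": "consistent" if in_any(hop["ip"], sender_networks)
                   else "suspicious",
    }


if __name__ == "__main__":
    print(assess(RAW_MESSAGE, OWN_NETWORKS, "usbank.com", SENDER_NETWORKS))
```

In the constructed message the bottom Received line carries an address inside the sender's range, which is why reading the chain from the bottom would give the wrong answer.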
Let's hear it for poor metaphors! Let's see... in this context, the gas pedal is entering your credit card onto a fake website? No, wait - maybe using your brain is the gas pedal, and entering your credit card numbers is the brake? Oh, I know - he's referring to the difference between dialup and DSL! No...maybe he's suggesting everyone has to get a license before browsing the web! Or...
I'm stumped!
% perl -e 'teamhasnoi.attemptHumor() or die "abort: $!"'
abort: Miserable failure.
%
...a large proportion of people using the internet don't even know what SSL means (or is), let alone what to check for. They just look for a padlock and think they're safe (many don't even do this).
Users normally glaze over when they hear about certificate signing and how to check site authenticity and it's not like it's particularly hard (or expensive) to get an SSL cert these days, the last one I purchased only performed the bare minimum of checks (that I had an invoice for the server I was using to "prove" my identity, hardly what I call a method of high integrity).
This kind of tech is just what the hordes of clueless AOL/internet users need, something to stop them hurting themselves on the internet, they are just like children that need looking after around the knife drawer.
I am NaN
There's only one true Phish website. I'm sure they're grateful to this new technology that helps keep people from being tricked into visiting websites belonging to boy bands, bleached blonde airheads, rappers or other so-called musicians. :)
[Hint to mods: The band Phish has been around about 20 years longer than the word 'phishing'. ]
I thought Phish broke up....
earthlink has a free toolbar that has their "scamblocker" thing and their pop-up blocker. I reviewed their scamblocker in one of my blog entries.
Extraordinary Vacations. Exceptional Prices
It would be useful to have a feature in browsers which looked for forms into which you were entering something that looked like a credit card number. This is tough, because it has to work with hostile websites. Web sites might put text in images, or even set up a form in Flash. That has to be detected.
When the browser detects a credit card number going in, it checks the page. It must be a secure page, it must be signed, and the certificate must be one with a Relying Party Agreement that financially guarantees the identity of the site owner. (This means something like a Verisign SecureSite certificate. Those "certifies nothing" $29.95 certificates aren't good enough.)
Yes, some low-end e-commerce sites will be locked out. Did you really want to buy from them anyway?
However I recently found myself in the middle of a transaction in cold sweat realising that it could have been phishing! ( I did my first SSL related project in 2000, and I still believe there is smth behind the glasses :)
Ok, imagine receiving a message from MIT press advertising a discount on a book you wanted to buy. Should I tell that I did not whois the senders IP but when credit card authorisation failed I freaked out. Fortunately, this was a genuine email and a genuine error this time, but what if it were not!
Another scenario: You google for a thing and in the second page of results you find a very good price. Will you check the certificates of the http over SSL site and whois the IPs?
Actually in all email programs from the very early years to the latest Outlook there is a facility to see the whole header of the message. It should not be too difficult to incorporate the whois requests in a similar way. So that when the user receives an email with a link that she wants to follow, she can get a report similar to the one that bigberk found manually.
It is not a bit more difficult to do the same thing with google: Just add a link to a script that generates a whois report.
One problem I see is that if this feature will become popular, the present whois service capacity may not be sufficient: as far as I know there is a single server to cover the whole of Asia-Pacific domains.
It's called a bookmark.
best web host ever
was an AOL thing. You know, back in the mid-late 90's people would im you saying they were the AOL Billing department and either ask you to "verify" your password or sometimes they would ask for billing information but usually just the password.
My how things have changed.
Am I the only one who doesn't understand this term? I probably am, since nobody bothers to briefly explain it in their posts, which probably happened for some time when I missed the whole thing altogether...
I feel sorry for Phish the band. Then again, I still eat Spam, so maybe it's quite all right after all.
I've bought some large items on ebay, but the best place to find scammers is when you're buying expensive laptops. I've seen a lot of phishing for ebay. I saw a recent report, which predicted that for every legit technology business, there are two scam ones.
The most important thing, Citibank and Ebay and the others is to inform their current and future customers about problems such as this. The worst thing they can do is not talk about it, pretend the problem will go away, or it is an isolated incident. (I'm telling ya, if Firefighters took the same approach at doing their job...)
I like to think that some of my attention I brought to ebay, has paved some of the way, as they seem to be taking a stand to this kind of scam. For instance, now you can forward phishy looking emails to spoof@ebay.com.
Now if you surf the web, hundreds of hits come up when discussing phish and spoof emails regarding Ebay and the like, but just 8 months ago, I found only one hit (and it was actually claiming this to be a real email, not a fake), regarding a fake authentic ebay email, encouraging me that it was alright to pay Western Union with this one particular seller, because he has special circumstances, and ebay will give buyer protection, up to 80% of the sell price. And Ebay themselves gave NO reference to any kind of knowledge or other cases that this kind of stuff was going on and one should be cautious.
I hate to mention it, but it is rumored that a lot of this stuff, being so well organized with their i's dotted and T's crossed is because some/most of these scams are being run by various mafia.
Makes me proud to be an employee of AboveNet every time I read a ticket about child pornography and phishing scams which the majority point back to about.com one of our highest paying customers :)
Oh yeah and we also provide optical transport for a good 2/3 of all the internet's spam. s00t w00t g0 AboveNet/MFN!!!11eleventy
Any word on whether Trey Anastasio & Co. have planned a lawsuit similar to that of a certain processed meat company for this egregious misuse of their product name? :)
(I think it's representative of the proclivities of the slashdot readership that it hasn't posted a dumb joke like this in the three hours that this story's been up. Or maybe it's just not funny...)
Anecdotal evidence! I'm sold!
If only the jukebox at the local bar had this anti-phish technology, then I wouldn't have to put up with some putz playing "Bounce around the Room" three times back to back all the time.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
I found a Citi phish in my spam-magnet email box and it evaded spoofstick: It went to move.kir.jp and very quickly redirected to web.da-us.citibank.com, which is the real Citi site. However, it left a menu-bar-less (and thus Spoof-stick-less) little window open which asked for Debit Card No, PIN, and Checking Account No, and then connected to move.kir.jp:
1 7d 2lhBJFkSUwjnw0C3PIGwmjY8r
www.citibank.com/?wBaObw7wXXYFv1PH9iuP8e8p8y449
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
Only script kiddies use "ph" as a replacement for "f"...
Oh wait...
"Software is like sex... it's better when it's free"
Here are my easy anti-phish rules that should allow almost any user to avoid all phishing scams:
- NEVER enter personal information into anything other than your web browser
- NEVER enter information unless the lock icon is displayed in the browser status bar, not just on a page
- NEVER enter information without first double-clicking the lock and verifying that the address is correct and correctly spelled.
What browser manufacturers can do is this:
- Make it more clear when you are on an SSL page. This needs to be non-forgeable by websites. Make a big notification in the status bar, and make it impossible to turn the status bar off.
I'm beginning to think ICANN or whoever is responsible for internet access should just BAN anyone from these scammer countries or whatever other country they're using to scam on unless they have genuine official business on the internet. This would really reduce the scammers' abilities to scam. And Law enforcement has to be a lot better with heavier penalties.
Education only goes so far. Technology (like ebay's toolbar) only goes so far before the scammer evolves.......
when buyers were getting scammed on ebay to wire money for expensive stuff like laptops, ebay people recommended buyers use escrow. Guess what the scammers did? They made fake escrow websites and buyers got scammed again.
when buyers wouldn't trust the escrow sites and wouldn't trust dealing with foreign countries, guess what the scammers did? They now use people who are desperate for jobs in the US as "foils" or "agents" by pretending they're an overseas company that hires the "foils" so they can use their Paypal accounts and have them send $$$ overseas to these scammers. Sometimes they'll just say they'll give them a reward of some kind in items or money if they can use their Paypal accounts. Then, the scammers use their stolen Credit Card numbers to "buy" items off of sellers and send these to the buyers. Guess what happens then? That's right, Police come knocking on the buyers' doors and the foil's door.
Govt officials won't help you out unless the $$$ amount is over the thousands. The scammers' country government are most times just scam accomplices or don't care.
What's all this forcing ME to do? Ditch IE browser for another browser. Firewall & AV on all the time. I no longer store financial/personal info on my computer. I do less business on the anonymous web and especially less on evilbay and would rather do business locally in person. I've pretty much ditched my email. If my banks or anyone need to contact me, they can do so the old fashioned way----->U.S. mail.
* weedshare.com 50% to artists, webjay.org iuma.com CDBaby.com Epitonic.com ampcast.com
Don't forget
4) Use pencil and paper to hand verify the public key cryptography signature.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.