Anti-Phishing Tools
mikeage writes "PCWorld has an article about an anti-phishing tool available that tries to detect fake websites." This is about Web Caller-ID already in use by eBay's custom user toolbar. The article also talks a bit about the incredible increase in phishing scams.
I've tried to actually reply to some of the money-caught-in-foreign-bank phish attempts and the only thing I get back is more and more phishing. I've failed to reach the point where they ask for your SSN, credit card or my first born child. Either they're stupid and don't want my information, or they're smart and realize I know what they're up to.
-- Checking emails and kicking cheats 'till the day I die.
is to install a spyware toolbar?
I have enough trouble persuading users NOT to install crappy toolbars and plugins as it is without people recommending that they do.
MS ActiveX and to a lesser extent Mozilla's XPInstall xpi features coupled with uninformed users are the main reason spyware/malware exists and is so easy to exploit. Can you explain the difference to a (l)user between a good plugin/toolbar and a bad one?
security should be built into the browser
My theory is that unlike the script-kiddies of the old days, 99% of all phishing is the work of organized crime. I believe that they recruit users at ISPs in places where internet (or any, for that matter) law is not enforced (like Kosovo), they provide people simple step-by-step instructions on what to do, give them lists of fake card numbers and pay them based on the number of accounts hacked (e.g. $1 for every 50 good passwords). The actual cleaning out of the accounts probably happens elsewhere and at a much higher level because you need a much more elaborate system for it (off-shore bank accounts, etc). At least if I was doing it, this is how I would set it up. The users appear to be not very smart - we often see weird typos, names spelled in all caps and other dead giveaways - why would ANNE FISHER from Ohio sign up for a year of virtual hosting and register a domain XABCDFERNG.COM for 10 years?
We see that they are getting more elaborate in their attempts to sign up for an account. They try to use proxies or zombies now (because most sane companies will flat out refuse any attempts to sign up from Indonesia, Romania, etc.).
A funny side note - we got a copy of a credit card statement from one of the unfortunate cardmembers whose card's been stolen as part of the "chargeback" report, and among various hosting accounts they signed up for, there was a $20 contribution to moveon.org - go figure!
Right now the best way to fight off phishers is to attempt to speak to the customer in person; it has worked 100% for us so far. But since this phishing thing is probably big money for some mafia boss, I think the motivation is there for them to get more technologically advanced, and I wouldn't be surprised if we start seeing fake VoIP phone numbers provided where the criminals would answer the phone in English and pretend to be cardmembers.
Another very unfortunate side-effect of this is that it's the merchants who eat the cost of it. For every instance of fraud, we get the funds withheld and transferred back to the cardmember (don't be fooled by those reports of "poor" CC companies bearing the cost of fraud!) AND we get slapped with a $25-$50 penalty by the CC processing company AND our rates go up. So it's almost in their interest that cards get stolen; it simply means more revenue for them. Now our services are "virtual", but for those who actually ship something physical (like a shirt), they get to eat the cost of that as well.
You can't put somebody in a car and tell them to drive, but not tell them what the brake and gas pedal are for
I think this statement is completely backwards. You can give someone the tools, i.e. tell them what the gas and brake are for, but under no circumstances can you make them use them (properly) or understand the full consequences of not using them; this is especially true for users who are not technically inclined.
The problem arises with this when a website has multiple domains to cover their content. That can confuse users. Multiple domains shouldn't be used just to serve media from another server, but I've seen it done. Also, what happens when you are drawing content from other domains? Will Spoofstick list all the domains?
Someone should create a phishing-detection extension for Mozilla. Does anybody have any ideas about how that would work efficiently/effectively? Same as EBay technology?
Actually there have been a large number of cases where an ISP's DNS server has been poisoned so users type in the legitimate www.somehugebank.com and it brings them to a proxy mirror image of the site where you gleefully log in and they scarf your information.
Yes Francis, the world has gone crazy.
It's for mortgage spammers and not phishers, but I'm a fan of the Unsolicited Commando project. It's a little Java app that spends its day filling out mortgage applications on spamvertised sites with completely believable - but totally bogus - personal data. The source is available so perhaps a clever person could randomly generate credit card numbers and adapt the program to attack phish sites.
I've noticed that neither Firefox nor new versions of IE let you do the www.cnn.com@http://myattackersite.com phishing vulnerability; Firefox warns you (as long as myattackersite.com doesn't request authentication), IE just doesn't let you do it as far as I've seen (but this is hearsay; I haven't used IE in years).
Sites like apple use other domains for their images. It looks like apple has recently changed a bit though. Instead of all images coming from akamai directly, they come from images.apple.com.
But...
ping images.apple.com
PING a932.g.akamai.net (38.115.177.150) 56(84) bytes of data.
64 bytes from 38.115.177.150: icmp_seq=1 ttl=57 time=30.6 ms
Always go to other people's funerals, otherwise they won't come to yours.
Citibank can't do anything about it anyway; they're not law enforcement, and even if they were, what exactly do you see law enforcement doing about SPAM or phish emails? Nada.
I used to work at eBay and the phishing problem was terrible (though I didn't deal with it directly, that wasn't my department). When users would find out, they'd demand to know why eBay didn't do something about it. The people who worked on that floor would stand around in the smoking shed and bitch, "What do they want us to do, buy some guns and go to Romania and raid the guy's house wearing little eBay uniforms?"
STOP . AMERICA . NOW
I got an email from Earthlink that looks SO MUCH like a textbook Phishing scam ( your credit card number's going to expire... ) that I deleted it the first couple times it came my way.
It kept on coming, however, and I decided to go to earthlink myself ( e.g., not clicking the link ) and see what the deal was.
Turned out, it was legit. Amazing.
The trouble here, really, is how do we handle legitimate email from banks, ISPs, etc?
lorem ipsum, dolor sit amet
And on their websites they should say on top: "REMEMBER: WE *NEVER* SEND YOU EMAIL ABOUT ANYTHING."
If you want to know something, you just visit eBay or your bank account.
Best Buy can have you arrested
I reported one of these scams to Citibank through their website (I'm not even a customer, just a nice guy). They didn't even acknowledge my report, let alone fix it.
98%, eh? heh.
One other problem companies have is changing their website's appearance. For example, CapitalOne recently changed their homepage and I was actually too nervous to log in for a few days.
Also, a poor quality website can make people suspicious. A friend of mine asked me to inspect his cable company's website to see if it were real or not because it was so poorly designed. I told him since it was so poorly designed not to trust its security, either, and not bother doing the online bill pay.
When you get an email, at the top, 'caller ID' shows up (e.g. "This email was sent from: SOMEWHERE IN CHINA", vs. "This email was sent from: CITIBANK'S servers")
When you mouseover a link, a LARGE JavaScript thingy pops up saying "This link is to: SOMEWHERE IN NIGERIA" or "This link is to: CITIBANK'S site"
Honey, I shrunk the Cygwin
You know? That would be absolutely delightful. Hell, I'm sure there would be legions of geeks willing to ensure that the information entered into their systems wasn't "Murder", but "Tickling with fluffy bunnies" instead.
I've always wondered just what law enforcement would do if someone started to serially hunt spammers, and I keep coming to the conclusion that all you need to keep the trail cold is leave a note saying "This man sent your daughter emails about zoo porn"
"What do they want us to do, buy some guns and go to Romania and raid the guy's house wearing little eBay uniforms?"
How about persuading the government to put pressure on the foreign country's government until they sort the problem out? If the MPAA can get "DVD Jon" arrested all the way over in Norway, surely eBay can get some spammers arrested?
Most of the scam e-mails don't render properly in KMail -- which is what I mostly use -- anyway. But if they did, I'd probably go ahead and fill in a whole bunch of bogus details anyway. Can't be too hard to write a script that does a HTTP GET on the site URL, then submits random data. Preferably plausible data ..... maybe we could borrow the spammers' trick of picking words that seem to go together? And, of course, credit card numbers that pass The Test ..... not difficult, you just generate a 15 digit random string, and calculate the check digit.
IMHO the only thing missing from KMail is the ability to turn on and off HTML rendering and image loading on a folder-by-folder basis (so I can view known "ham" e-mail in the format it was sent; but my brain already renders HTML so well that <em>this looks a bit slanty</em>).
Je fume. Tu fumes. Nous fûmes!
That's not all that far from the real world. Government is corporations; corporations is government.
You're right. Additionally...
The type of user that knows enough to install such a tool will be the same user that wouldn't be fooled in the first place.
Vice versa: a user that doesn't know about phishing and would get fooled is also the user that doesn't understand why such a toolbar would be useful!
My dad recently showed me that e-mail, that exact one, and the link says http://www.citibank.com/blah.aspx but if you were to actually click the link it goes to citibank.ru or something similar.
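The three link tricks raised in this thread (the `user@host` URL form, the proposed "this link is to:" mouseover caller ID, and the citibank.com text that really points at citibank.ru) all come down to one check: does the host a reader sees match the host the browser will contact? The following is an added example, not code from any poster or from eBay's toolbar; the anchor pairs are constructed, and the two-label "same site" rule is an assumption for illustration.

```python
"""Added example (not code from the thread): compare what a link shows with
where it really goes, the check a mail client's 'link caller ID' would run.
Constructed sample anchors reuse the thread's citibank.ru and user@host cases."""
import re
from urllib.parse import urlsplit

# Something that looks like a hostname inside the visible link text.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def _split(href):
    # urlsplit needs a scheme to recognise the netloc at all.
    return urlsplit(href if "://" in href else "http://" + href)


def real_host(href):
    """Host the browser will actually contact. In http://a@b everything before
    '@' is userinfo, so the connection goes to b, never to a."""
    return (_split(href).hostname or "").lower()


def displayed_host(text):
    """Hostname a reader sees in the anchor text, or None if there is none."""
    m = HOST_RE.search(text)
    return m.group(1).lower() if m else None


def same_site(a, b):
    # Assumption for the example: compare the last two labels only, so
    # images.apple.com and www.apple.com count as one site.
    return a.split(".")[-2:] == b.split(".")[-2:]


def check_link(text, href):
    """Return (real_host, reasons); an empty reasons list means no red flag."""
    target = real_host(href)
    reasons = []
    if _split(href).username is not None:
        reasons.append("userinfo-before-host")
    shown = displayed_host(text)
    if shown and not same_site(shown, target):
        reasons.append("host-mismatch")
    return target, reasons


SAMPLE_ANCHORS = [  # constructed (text, href) pairs
    ("http://www.citibank.com/blah.aspx", "http://citibank.ru/blah.aspx"),
    ("www.cnn.com", "http://www.cnn.com@myattackersite.com/"),
    ("www.apple.com", "https://images.apple.com/logo.png"),
]


def scan(anchors=SAMPLE_ANCHORS):
    """Dict of href -> reasons for every anchor that raised a flag."""
    return {h: check_link(t, h)[1] for t, h in anchors if check_link(t, h)[1]}
```

The apple.com pair passes, which is the multiple-domain case another poster worried about; only the host that actually changes registrable domain, or hides behind userinfo, gets flagged.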
What is slashdot?
It'd be like Boondock Saints with T-1s.
"Television is the explanation for this. You see this in bad television. Little assault guys creeping through the vents, coming in through the ceiling - that James Bond shit never happens in real life, professionals don't do that."
Jaysyn
There is a war going on for your mind.
Am I the only one who doesn't understand this term? I probably am, since nobody bothers to briefly explain it in their posts, which probably happened for some time when I missed the whole thing altogether...
I feel sorry for Phish the band. Then again, I still eat Spam, so maybe it's quite all right after all.