Slashdot Mirror


Anti-Phishing Tools

mikeage writes "PCWorld has an article about an anti-phishing tool available that tries to detect fake websites." This is about Web Caller-ID already in use by eBay's custom user toolbar. The article also talks a bit about the incredible increase in phishing scams.

8 of 233 comments

  1. phishers of men by celeritas_2 · · Score: 3, Interesting

    I've tried to actually reply to some of the money-caught-in-foreign-bank phish attempts and the only thing I get back is more and more phishing. I've failed to reach the point where they ask for your SSN, credit card or my first born child. Either they're stupid and don't want my information, or they're smart and realize I know what they're up to.

    --
    -- Checking emails and kicking cheats `till the day I die.
  2. Phishing is a big problem for hosting companies by gtrubetskoy · · Score: 4, Interesting

    Phishers need a place to host their fake sites, and hosting companies like ours are prime targets for phishers to set up their "collection points", and we see a lot of those.

    My theory is that unlike the script-kiddies of the old days, 99% of all phishing is the work of organized crime. I believe that they recruit users at ISPs in places where internet (or any for that matter) law is not enforced (like Kosovo), they provide people simple step-by-step instructions on what to do, give them lists of fake card numbers and pay them based on the number of accounts hacked (e.g. $1 for every 50 good passwords). The actual cleaning out of the accounts probably happens elsewhere and at a much higher level because you need a much more elaborate system for it (off-shore bank accounts, etc). At least if I was doing it, this is how I would set it up. The users appear to be not very smart - we often see weird typos, names spelled in all caps and other dead giveaways - why would ANNE FISHER from Ohio sign up for a year of virtual hosting and register a domain XABCDFERNG.COM for 10 years?

    We see that they are getting more elaborate in their attempts to sign up for an account. They try to use proxies or zombies now (because most sane companies will flat out refuse any attempts to sign up from Indonesia, Romania, etc.).

    A funny side note - we got a copy of a credit card statement from one of the unfortunate cardmembers whose card's been stolen as part of the "chargeback" report, and among various hosting accounts they signed up for, there was a $20 contribution to moveon.org - go figure!

    Right now the best way to fight off phishers is to attempt to speak to the customer in person; it has worked 100% for us so far. But since this phishing thing is probably big money for some mafia boss, I think the motivation is there for them to get more technologically advanced, and I wouldn't be surprised if we start seeing fake VoIP phone numbers provided where the criminals would answer the phone in English and pretend to be cardmembers.

    Another very unfortunate side effect of this is that it's the merchants who eat the cost of it. For every instance of fraud, we get the funds withheld and transferred back to the cardmember (don't be fooled by those reports of "poor" cc companies bearing the cost of fraud!) AND we get slapped with a $25-$50 penalty by the CC processing company AND our rates go up. So it's almost in their interest that cards get stolen, it simply means more revenue for them. Now our services are "virtual", but for those who actually ship something physical (like a shirt), they get to eat the cost of that as well.

  3. Re:phishing automated reply by The+Ultimate+Fartkno · · Score: 5, Interesting

    It's for mortgage spammers and not phishers, but I'm a fan of the Unsolicited Commando project. It's a little Java app that spends its day filling out mortgage applications on spamvertised sites with completely believable - but totally bogus - personal data. The source is available so perhaps a clever person could randomly generate credit card numbers and adapt the program to attack phish sites.

  4. Firefox/IE by mrseigen · · Score: 4, Interesting

    I've noticed that neither Firefox nor new versions of IE let you do the www.cnn.com@http://myattackersite.com phishing vulnerability; Firefox warns you (as long as myattackersite.com doesn't request authentication), IE just doesn't let you do it as far as I've seen (but this is hearsay; I haven't used IE in years).

  5. Re:Email Phishing by aussersterne · · Score: 5, Interesting

    Citibank can't do anything about it anyway; they're not law enforcement, and even if they were, what exactly do you see law enforcement doing about SPAM or phish emails? Nada.

    I used to work at eBay and the phishing problem was terrible (though I didn't deal with it directly, that wasn't my department). When users would find out, they'd demand to know why eBay didn't do something about it. The people who worked on that floor would stand around in the smoking shed and bitch, "What do they want us to do, buy some guns and go to Romania and raid the guy's house wearing little eBay uniforms?"

    --
    STOP . AMERICA . NOW
  6. What banks *should* do! by callipygian-showsyst · · Score: 4, Interesting

    What banks (and eBay) should do is NEVER, EVER send an email to customers. Period.

    And on their websites they should say on top: "REMEMBER: WE *NEVER* SEND YOU EMAIL ABOUT ANYTHING."

    If you want to know something, you just visit eBay or your bank account.

  7. Simple idea. by JessLeah · · Score: 3, Interesting

    When you get an email, at the top, 'caller ID' shows up (e.g. "This email was sent from: SOMEWHERE IN CHINA", vs. "This email was sent from: CITIBANK'S servers")

    When you mouseover a link, a LARGE JavaScript thingy pops up saying "This link is to: SOMEWHERE IN NIGERIA" or "This link is to: CITIBANK'S site"
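
The link "caller ID" idea in comment 7, combined with the `www.cnn.com@...` userinfo trick from comment 4, as an added example that is not part of the original thread: it parses each link in an HTML mail body and reports the host the browser would actually contact. The names `linkCallerId`, `hostFromText` and `SAMPLE_MAIL` are assumptions made for this sketch, and the sample mail is constructed.

```javascript
// Added example: report the real destination host of each link in an HTML mail body.
// SAMPLE_MAIL is constructed for this example; the IP is from a documentation range.
const SAMPLE_MAIL = `
<p>Dear customer, <a href="http://www.cnn.com@myattackersite.com/login">confirm your account</a>.</p>
<p>Or visit <a href="http://192.0.2.7/signin">https://www.citibank.com/</a> directly.</p>
<p>News: <a href="https://www.cnn.com/world">www.cnn.com</a></p>`;

// Pull a hostname out of visible link text, if the text looks like a URL or a bare host.
function hostFromText(text) {
  const t = text.trim();
  if (!/^(https?:\/\/)?[a-z0-9.-]+\.[a-z]{2,}(\/\S*)?$/i.test(t)) return null;
  try {
    return new URL(/^https?:\/\//i.test(t) ? t : "http://" + t).hostname;
  } catch {
    return null;
  }
}

function linkCallerId(html) {
  const results = [];
  const anchor = /<a\s[^>]*href\s*=\s*"([^"]*)"[^>]*>([\s\S]*?)<\/a>/gi;
  for (const [, href, inner] of html.matchAll(anchor)) {
    const text = inner.replace(/<[^>]*>/g, "").trim();
    const warnings = [];
    let url;
    try {
      url = new URL(href);
    } catch {
      results.push({ text, host: null, warnings: ["unparseable href"] });
      continue;
    }
    // Everything before '@' in the authority is userinfo, not the host.
    if (url.username || url.password) warnings.push("userinfo before @: " + url.username);
    // A bare IPv4 address instead of a name is a common sign of a throwaway host.
    if (/^\d{1,3}(\.\d{1,3}){3}$/.test(url.hostname)) warnings.push("raw IP address host");
    // Visible text that names one host while the href points at another.
    const shown = hostFromText(text);
    if (shown && shown.toLowerCase() !== url.hostname) warnings.push("text shows " + shown);
    results.push({ text, host: url.hostname, warnings });
  }
  return results;
}

for (const r of linkCallerId(SAMPLE_MAIL)) {
  console.log(`This link is to: ${r.host}`, r.warnings.length ? r.warnings : "ok");
}
```

The regex-based anchor extraction is enough for the constructed sample; a mail client would run the same checks over its parsed DOM instead.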

  8. phishing by ajs318 · · Score: 3, Interesting

    Most of the scam e-mails don't render properly in KMail -- which is what I mostly use -- anyway. But if they did, I'd probably go ahead and fill in a whole bunch of bogus details anyway. Can't be too hard to write a script that does an HTTP GET on the site URL, then submits random data. Preferably plausible data ..... maybe we could borrow the spammers' trick of picking words that seem to go together? And, of course, credit card numbers that pass The Test ..... not difficult, you just generate a 15 digit random string, and calculate the check digit.

    IMHO the only thing missing from KMail is the ability to turn on and off HTML rendering and image loading on a folder-by-folder basis (so I can view known "ham" e-mail in the format it was sent; but my brain already renders HTML so well that <em>this looks a bit slanty</em>).

    --
    Je fume. Tu fumes. Nous fûmes!