Anti-Phishing Tools

mikeage writes "PCWorld has an article about an anti-phishing tool available that tries to detect fake websites." This is about Web Caller-ID already in use by eBay's custom user toolbar. The article also talks a bit about the incredible increase in phishing scams.

Phishing is a big problem for hosting companies

[gtrubetskoy]

Phishers need a place to host their fake sites, and hosting companies like ours are prime targets for phishers to set up their "collection points", and we see a lot of those.

My theory is that unlike the script-kiddies of the old days, 99% of all phishing is work of organized crime. I believe that they recruit users at ISP's in places where internet (or any for that matter) law is not enforced (like Kosovo), they provide people simple step-by-step instructions on what to do, give them lists of fake card numbers and pay them based on the number of accounts hacked (e.g. $1 for every 50 good passwords). The actual cleaning out of the accounts probably happens elsewhere and at a much higher level because you need a much more elaborate system for it (off-shore bank accounts, etc). At least if I was doing it, this is how I would set it up. The users appear to be not very smart - we often see weird typos, names spelled in all caps and other dead giveaways - why would ANNE FISHER from Ohio signup for a year of virtual hosting and register a domain XABCDFERNG.COM for 10 years?

We see that they are getting more elaborate in their attempts to sign up for an account. They try to use proxies or zombies now (because most same companies will flat out refuse any attempts to sign up from Indonesia, Romania, etc.).

A funny side note - we got a copy of a credit card statement from one of the unfortunate cardmembers whose card's been stolen as part of the "chargeback" report, and among various hosting accounts they signed up for, there was an $20 contribution to moveon.org - go figure!

Right now the best way to fight off phishers is to attempt to speak to the customer in person, it has worked 100% for us so far. But since this phishing thing is probably big money for some mafia boss, I think the motivation is there for them to get more technologically advanced, and I wouldn't be surprised if we start seeing fake VoIP phone numbers provided where the criminals would answer the phone in English and pretend to be cardmembers.

Another very unfortunate side-ffect of this is that it's the merchants who east the cost of it. For every instance of fraud, we get the funds withheld and transferred back to the cardmember (don't be fooled by those reports of "poor" cc companies bearing the cost of fraud!) AND we get slapped with an $25-$50 penalty by the CC processing company AND our rates go up. So it's almost in their interest that cards get stolen, it simply means more revenue for them. Now our services are "virtual", but for those who actually ship something physical (like a shirt), they get to eat the cost of that as well.

Re:phishing automated reply

[The+Ultimate+Fartkno]

It's for mortgage spammers and not phishers, but I'm a fan of the Unsolicited Commando project. It's a little Java app that spends its day filling out mortgage applications on spamvertised sites with completely believable - but totally bogus - personal data. The source is available so perhaps a clever person could randomly generate credit card numbers and adapt the program to attack phish sites.

Firefox/IE

[mrseigen]

I've noticed that neither Firefox nor new versions of IE let you do the www.cnn.com@http://myattackersite.com phishing vulnerability; Firefox warns you (as long as myattackersite.com doesn't request authentication), IE just doesn't let you do it as far as I've seen (but this is hearsay; I haven't used IE in years).

Re:Email Phishing

[aussersterne]

Citibank can't do anything about it anyway; they're not law enforcement, and even if they were, what exactly do you see law enforcement doing about SPAM or phish emails? Nada.

I used to work at eBay and the phishing problem was terrible (though I didn't deal with it directly, that wasn't my department). When users would find out, they'd demand to know why eBay didn't do something about it. The people who worked on that floor would stand around in the smoking shed and bitch, "What do they want us to do, buy some guns and go to Romania and raid the guy's house wearing little eBay uniforms?"

What banks *should* do!

[callipygian-showsyst]

What banks (and eBay) should do is NEVER, EVER send an email to customers. Period.

And on their websites they should say on top: "REMEMBER: WE *NEVER* SEND YOU EMAIL ABOUT ANYTHING."

If you want to know something, you just visit eBay or your bank account.