"Phishing" Attacks to Increase
neutron_p writes "The number of people who succumb to identity thieves' "phishing" e-mails could go way up if immediate action isn't taken to preempt the next generation of attacks, according to an Indiana University School of Informatics researcher. "Phishing" e-mails appear to be sent by legitimate businesses, but are actually created and distributed by villains who are after your personal information. They describe some thieves' tricks. One kind of context-aware attack tricks eBay bidders into giving out identifying information by leading bidders to believe they've won an auction. In another kind of context-aware attack, a potential victim might receive a message from a known person -- for example, a friend or loved one - asking him or her to go to a Web site to update banking information."
But off-topic, did anyone else notice the "Further Reading" section below the article?
- The Elements of Style, Fourth Edition by Roger Angell
- The Art of Innovation : Lessons in Creativity from IDEO, America's Leading Design Firm by Tom Peters
- Reporting Technical Information by Thomas E. Pearsall
- Optical Illusions : Lucent and the Crash of Telecom by Lisa Endlich
- National Electrical Code 2002 Handbook
The dead tree compilation of HOWTO: PHISH (except for maybe the last one). Ha!
Wasn't there a recent article about Google doing something about this here: http://it.slashdot.org/article.pl?sid=04/10/18/0236201&tid=111&tid=217&tid=95&tid=1
As I understand it, Yahoo's signing technology, which hopefully will become a standard, will help stop such attacks. Google signing on to it helps push it quite a bit.
"goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
Because hackers cannot break secure servers, they are resorting to tricking clueless users into revealing important information.
Keep up the good work, admins.
Number of Idiots On the Internet To Increase...
Was the addition of yellow highlighting for secure sites, and the domain in the status bar. It really makes picking up when you're on a secure site easier. In the past you had to really look for that little lock icon or whatever.
Phishing is just conmen moving to the internet. They use similar tricks in the real world, just on a smaller audience. Here in the DC area there are several police imposters running around, some of them tricking people into withdrawing all the money from their bank (it's counterfeit!!!) and others actually using flashing lights to pull over people on the road.
Give anyone who falls for one a Darwin award.
[ Monday is a terrible way to spend one seventh of your life. ]
Social engineering will always work, and will always be very easy, because users are stupid.
Phishing is just technology-enabled social engineering.
- Adam L. Beberg - The Cosm Project - http://www.mithral.com/
Until the majority of the people out there have the critical thinking skills to deal with this sort of thing the problems will continue. The same people who are stupid enough to give out their info to someone who e-mails them are the ones buying shit from SPAM e-mails.
Humor from a Genetically Molested Mind
Can someone tell me what Phishing is? From what I gather it's tricking people into giving them details, but I'm usually wrong on these sort of things.
In related news, Google has recently updated Gmail with an automatic detection of phishing attempts / spoofed emails; suspicious emails will be displayed with a warning:
"Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information. Learn more"
Like spam detection, it's not perfect, of course, but I think it's a very good idea.
quidquid latine dictum sit altum videtur.
The author of the article is just jealous because I'm going to get millions from Nigeria, and he isn't!
For example
1.) fleetbank send out some email advertisment
2.) hackers now have a model email to modify
3.) hackers can just redirect some links and resend it to different users.
So to fix this, real companies need to STOP sending out spam.
for example, a friend or loved one - asking him or her to go to a Web site to update banking information
OK, hands up, whose mother has a habit of wanting one to provide bank account info via some web site? I can see the duplicitous falling for the fake 'from your bank' emails, but from friends and loved ones???
And some people want democracy to be MORE direct???
This is one from a friend I only know online, so take its truthfulness with a grain of salt. Out of a mix of curiosity and a bet/dare with a co-worker, he engineered to insert a small harmless fake phish into email, one distributed to members of staff around the organisation, which provides financial support for other government departments. It was a completely stupid one, with the email simply asking staff members to go to a site and re-confirm their credit information, and the site took down names/addresses/SS/credit card numbers etc. Out of more than a hundred employees, *ONE* person came to him as support to check what the email might be, and fifteen filled out their complete credit information.
That was around 10% of people, adults who should know better, who simply gave up their personal information to nobody they knew, just because they were asked. My friend lost his bet, he thought it would be closer to 30%, but still... send out hundreds of thousands of phish scams and you're guaranteed a good haul.
How are we supposed to tell the difference between a legitimate email from a company and a phishing attempt when places like CapitalOne use skeezy companies like bfi0.com for sending email to their customers? A link that says "Click here to access your statement" that actually goes to http://capitalone.bfi0.com/T8RT044ABB6D98DEB357FB2EDD4A80 makes me feel safe inside.
I KNOW they are all bogus and just ignore them, but I'm worried that friends or family will fall to them. I have a number of elderly family members that surf and no matter how hard you try to explain things to them, they just don't get it.
Some of these things look very legit to the untrained eye and some of them are pretty frightening, such as warnings that your account has been abused and that you need to log in to update your security profile or some such nonsense.
I finally got it through to my elderly aunt to CALL ME FIRST before clicking on anything that comes in email telling her to click or log in or whatever. She still wants to click everything that comes in, I guess she's just goofy in the head.
Sad thing is, there are so many people out there that don't have someone they can call about this stuff and don't know what to do when they get one of these things.
I've tracked a LOT of these ebay scams to Korea.
Dubya was right, North Korea is a threat.
Last time I checked, I've never seen a phishing attack from Iraq.. We should have attacked North Korea instead. Hell, let's just nuke them and stop this nonsense...
One easy way to address this situation would be to have a plugin or feature for most e-mail clients that would prominently display the general source of the message (i.e. "China, Brazil, DSL user in Texas, etc.) as a prominent part of the normally-viewable message headers.
It is well known that most spam and phishing e-mails are coming from one of two sets of IP space: China and Korea and related "rogue IP space", and DSL-based zombie proxies. It would not be difficult to use a database or design an algorithm which could 'flag' e-mail messages as suspicious based on the comparison between the from header information and the SMTP relay.
Users who then received messages could get a color-coded warning when they view the message, i.e.:
"WARNING: This e-mail claims to be from the domain ebay.com but it originated from a system suspected of being located in China - use caution"
Very simple, elegant and helpful solution. Which probably means it would never be adopted.
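Here is what the check proposed in the post above can look like in practice. This is an added example, not code from the poster or from any mail client; the netblocks, labels and the "known relay" table are constructed stand-ins for the origin database the post imagines (RFC 5737 documentation ranges), and the sample messages are constructed. The one design point the post leaves implicit is which Received: header to trust: only the line written by your own border MTA, since every earlier hop is under the sender's control.

```python
import email
import email.utils
import ipaddress
import re

# Constructed stand-in for the origin/reputation database the post proposes.
# Netblocks are documentation ranges (RFC 5737); labels are illustrative only.
NETWORK_LABELS = [
    (ipaddress.ip_network("203.0.113.0/24"), "China (suspected rogue IP space)"),
    (ipaddress.ip_network("198.51.100.0/24"), "DSL user in Texas"),
    (ipaddress.ip_network("192.0.2.0/24"), "ebay.com outbound relays"),
]

# Constructed allow-list: netblocks a sender domain is known to relay through.
EXPECTED_RELAYS = {
    "ebay.com": [ipaddress.ip_network("192.0.2.0/24")],
}

# IPv4 literal in square brackets, as MTAs write it in "Received: from ... [ip]".
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sender_domain(msg):
    """Domain part of the From: address (the claim being checked)."""
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def connecting_ip(msg):
    """IP of the host that handed the message to our own border MTA.

    Received: headers are prepended hop by hop, so the first one was written
    by the last hop. Assumption: that hop is our own MTA, so the peer IP it
    recorded is trustworthy. Earlier Received: lines can be forged by the
    sender, so they are deliberately ignored.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = BRACKETED_IP.search(received[0])
    return ipaddress.ip_address(m.group(1)) if m else None


def origin_label(ip):
    for net, label in NETWORK_LABELS:
        if ip in net:
            return label
    return "unknown location"


def assess(raw_message):
    """Return (verdict, text); verdict is 'ok', 'warning' or 'unknown'."""
    msg = email.message_from_string(raw_message)
    domain = sender_domain(msg)
    ip = connecting_ip(msg)
    if ip is None or not domain:
        return "unknown", "could not determine sender domain or relay IP"
    if any(ip in net for net in EXPECTED_RELAYS.get(domain, [])):
        return "ok", f"from {domain} via a known relay ({ip})"
    return "warning", (
        f"WARNING: This e-mail claims to be from the domain {domain} but it "
        f"originated from a system suspected of being located in "
        f"{origin_label(ip)} ({ip}) - use caution"
    )


# Constructed sample messages: one via the (assumed) eBay relay, one spoofed.
# The spoofed one carries a forged second Received: line that looks legitimate.
LEGIT = """Received: from mail.ebay.com (mail.ebay.com [192.0.2.10]) by mx.example.net
From: eBay <service@ebay.com>
Subject: Your item sold

Thanks for listing.
"""

SPOOFED = """Received: from ebay.com (unknown [203.0.113.77]) by mx.example.net
Received: from mail.ebay.com (mail.ebay.com [192.0.2.10]) by ebay.com
From: eBay Security <service@ebay.com>
Subject: Account suspended

Click here to verify your account.
"""

if __name__ == "__main__":
    for raw in (LEGIT, SPOOFED):
        print(assess(raw))
```

A real deployment would replace the two tables with a geolocation feed and the sender's published relay list, but the logic stays the same: compare the From: domain's claim with where the connection actually came from, and only from a header you wrote yourself.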
fixed link
here
oh, and btw, how the hell is my post offtopic???
"goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
Yeah, that's a likely scenario. Your dad or mom writing you all concerned that your bank information needs updating. Has anyone, anywhere, ever had that happen in real life? OK, never mind, I'm sure it has happened to someone, and for sure that person is reading this comment and will respond all indignantly. But you get the point. I cannot believe this approach would be accepted. This is not a typical, 'Hey, check this out' type of email from a relative. It's just a little too strange to work.
Now I have been phished, usually by Citibank-looking emails asking me to click here and update my information. The fact that I don't have a Citibank account was my first clue. The fact that I read /. and know about phishing was my second clue. The fact that I know banks don't operate that way was my third clue. But they are professional-looking emails, until you look closely and find all the typos. But pretending the email comes from Mom?? The first thing I would do is call her up and ask what's going on. And then she could say, "You called, it worked!"
Oh wait, this is a phishing expedition, not from bad guys, but from parents who want more phone calls from their children!
You can read more about efforts to combat phishing here. Lots of purty charts and plenty of specific examples.
#!
I was pleasantly surprised at a commercial I recently heard on the radio while driving. It was a public service announcement laying down the basics of phishing (they even said "spelled with a 'ph'") and what kinds of warning signs to look for. I hope to see more announcements of this type, as computers begin to affect almost 100% of the people in our society.
...I thought Microsoft was responsible for this. I mean, we blame "M$" when people don't run antivirus software and open infected e-mails. How about some consistency, friend?
"Ask not what your country can do for you." --John F. Kennedy
Dastardly villains.
I bet the axis of evil is involved...
or was that the Russians.
stuff
With implementation of DomainKeys by Gmail (and hopefully others to follow), it might not stop but at least reduce the number of cases. GMail and DomainKeys article
http://www.up0.com/
I use phishing techniques to get 419 scammers to give me their email password so I can shut them down. I usually direct them to a URL promising to contain a scanned image of my passport or whatever. The link usually goes to a log in screen for their particular email provider. This works great. I know they'll just get another email address, but this is a small thing I can do to disrupt them a little.
Now that we're in the PTO War that will last the rest of our lives, is Congress cracking down on the phishers who depend on trademark violation to bait their hooks as hard as the RIAA is persecuting perceived violators of their copyrights?
--
make install -not war
The same folks will fall for Pharting schemes.
"It has come to our attention that your Scents information may have been compromised. In order to prevent you becoming victim to an incorrect Rose scent on a virtual bouquet, or an invalid Roast Turkey smell this Christmas you should log in and sniff at our server to verify your sniffers.
Thank you!"
Ewwww!
Busy aligning my non-linear thoughts.
An interesting thing about these scams is how game theory applies to them. If they don't send out any emails, of course they don't make any money. If they send out only a thousand or so per day, they'll probably succeed one or two people, and make a decent amount of money. Additionally, they'll remain more anonymous and reduce the risk of word spreading about this scam. If EVERY scammer sends out millions of these emails, people will catch on quickly and profits will plummet. That's what they did now. Everyone jumped on the bandwagon and the scam bubble burst.
I believe that the success of these scams will decline over time. Just like with the 409 scams, there will be a larger number of people who fall for it at the beginning, but then numbers will drop. Will it always be profitable for them? Most likely, yes, unless email verification becomes much more standard. Will they go away? No. Will they eventually find some new scheme that is even more clever? Without a doubt.
I dunno what my point is. Someone agree with me.
The couple of beers I had before checking my email on one Saturday night might have affected my judgement a bit, but I got this email from what appeared to be etrade a while ago, they said that there had been an attempt to access my account and that I needed to take action to change my password and verify the account.
What tipped me off was that the URL went to an IP address instead of etrade.com and that they asked too many questions on the page that came up. But the site looked exactly like etrade.com and if they had just asked fewer questions instead of everything then I might have hit submit before I realized what was going on.
Needless to say I now have a no beer and online banking rule, but I wonder how many people are targeted on Weekend nights figuring they might have had a few to drink and might be more susceptible to trickery. Is the company's domain name in the URL the only realistic way to verify that they are who they say they are?
I got a phishing e-mail (should it be called 'bate'?) a week or so ago, but there were two key things that let me know it was a scam (aside from general common sense):
1) I don't have an account at the bank listed (Citibank, in this case.)
2) The e-mail itself was a giant GIF. (It did have the 'fail-to-get-around-spamblocker' words in text at the bottom, though.)
Instead of getting rid of phishing scams, we should get rid of low-common sense/stupid people on the net. Then we wouldn't have this problem. Or many others.
A leader is only a leader when he has followers.
People don't use the word 'villain' enough. I think it has something to do with the fact that having a villain requires having some sort of superhero.
Whenever I get a phishing email I click the link so that I get the real url (the emails usually use Javascript to make it look like you're going to a legitimate website). I try to load the base url to see if it's actually some person's website who's been hacked, and doesn't know that he's hosting phishing pages. But usually, it's someone who's probably hosting a site on a residential connection. A traceroute should tell you where. Then, I blast that site with as much traffic as I can. Because they're often on low bandwidth connections, I can often take them out myself. The apachebench tool is handy for this.
These people are often located in countries where the law enforcement of these crimes may be lax or non-existent. Therefore, I believe that vigilante justice, along with consumer education, are some of the few things we can do to prevent people from getting ripped off.
Sad to say, but there are simply too many people out there that believe everything they read on the internet. Once the older generation passes on, I suspect this problem will go away, but until then scams like this and the old telephone ones will be a ripe place for ripoffs.
Never give personal information to anyone requesting it online.
free ipod and free gmail!
Americans lose $500 mln yearly to phishing.
That's a large enough amount for personal scale, especially if you've lost the savings that have been put up against a new house or new car.
But on the large scale, banks won't care, the loss is $3-4 a person, you lose more per year on some dubious surcharges.
A while back there was a /. post and/or article that had a "phishing or real" test. There were several test emails, some of which were legit, some were phishing.
Does anyone know where that test is? I'd like to forward it to some friends/family.
-S
--- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
....me to update my Citibank account... ..umm..
I'm going to tell him to go to hell.
"a potential victim might receive a message from a known person -- for example, a friend or loved one - asking him or her to go to a Web site to update banking information"
There's a problem when legit businesses sell your personal information (full name for example) to those 419/Nigerian scammers. And yes, it does happen. Of course, not sure if they can be called "legit" anymore.
It's so easy to blame the problem on being stupid. But people that grew up with only the 'real world' don't really have any reference to understand this by. I mean, I'd be dumb to fall for a trick where a dumpster across the street from me claims to be my bank. But you don't have to settle for that online, copies are easy. If a building across the street from me became a perfect copy of the bank I went to, I'd be like "hey, new branch, convenient"
-You're wasting your time. Alfador only likes me.
I sent e-mail to spoof@ebay.com and abuse@aitcom.net about a spam of an ebay fraud site last week. The site (at this writing) is still up. That doesn't help, but like spam in general, if everyone wouldn't fall for these they'd pretty much go away.
Credit card companies, banks, paypal, and any site that deals with financial transactions that could be compromised by phishing scams need to establish a 1-point policy for client email: never link back to the site from the email. If every company did this, and users were instructed to always type the url in the browser to access their account, and made it clear that the company would never send an email with links to the site or account, eventually people would be able to tell the phishing from the real. I know it's not a perfect solution, but the convenience of "click here to access your account" emails is what fuels the phishing scams.
OTOH, I have yet to personally get a phishing scam (and I get them every day) that purported to be from a company I actually do business with, with the exception of paypal. And all my credit cards are from big, national companies.
"I forgot my mantra."
This problem is directly caused by the use of insecure human-readable names, and the use of IP addresses as identifiers. Both things don't work on the Internet. You need names that can be mathematically verified to be owned by the party you're communicating with. Names should be public keys.
Need a Python, C++, Unix, Linux develop
Please go to reputablenews.com@makemerichbiatch.somewhere.net/legitsignup.php?id=sucker
-- if you supply your credit card number, we'll give you a free credit report instantly!
My firewall was subjected to the now-often seen ssh attacks.. but this one was different, there were thousands of attempts.
When I pasted the originating IP address into Firefox, a web-based interface for sending phishing emails was shown, complete with default 'paypal' text filled in.
When I followed the link in the 'paypal' email (another IP address) I discovered that not only did the site contain a 'paypal' site, but also an 'ebay' and 'Wells Fargo' site too.
I took a mirror of the offending pages, and I'm about to do a write-up... but I thought I'd post a quick precis of what I found, considering the relevance of the story.
I'm just afraid of when the next worm/exploit hits: phishers(ms) could change the hosts file on a pc to point to a server in singapore. I mean, then what do you tell friends and family? Go and check c:\windows||winnt\system32\drivers\etc\hosts every time they need to check their bank account.
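The hosts-file check the post above says nobody can reasonably ask relatives to do by hand is a few lines of code. This is an added example, not from the poster; the watch list, the sample hosts file and the malicious entry in it are constructed, and the same parser works for the Windows path quoted above and for /etc/hosts. It flags any entry at all for a watched domain, since a legitimate hosts file has no reason to override DNS for a bank.

```python
import ipaddress

# Constructed watch list: sites the user signs in to. Subdomains are covered.
WATCHED_DOMAINS = {"paypal.com", "ebay.com", "wellsfargo.com"}

# Constructed hosts file contents in the format Windows and Unix both use:
# "<ip> <hostname> [alias ...]", with '#' starting a comment.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.example.test   # constructed, harmless
203.0.113.9     www.paypal.com paypal.com   # constructed malicious entry
"""


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping in a hosts file."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue   # malformed line, not a mapping
        for name in fields[1:]:
            yield lineno, ip, name.lower()


def hijacked_entries(text, watched=WATCHED_DOMAINS):
    """Return every mapping that pins a watched domain, or a subdomain of
    one, to an address. Such an entry silently bypasses DNS for that site,
    so even a loopback mapping deserves a look."""
    hits = []
    for lineno, ip, name in parse_hosts(text):
        if name in watched or any(name.endswith("." + w) for w in watched):
            hits.append((lineno, str(ip), name))
    return hits


def read_hosts_file(path):
    """Convenience wrapper for a real file; assumes it is readable as text."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return hijacked_entries(fh.read())


if __name__ == "__main__":
    for lineno, ip, name in hijacked_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
```

Running it on the constructed sample reports line 5 twice, once for www.paypal.com and once for paypal.com; on a clean machine it reports nothing.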
Offtopic but just had to share:
http://www.thewvsr.com/thewvsrcam.htm
I've actually received one of these emails. It looked legit.
Really legit.
In fact, the only clue that it wasn't an official notice was the email came from ebay.(official sounding name).com
That and they asked for my l/p, which I know not to give over email.
Honestly, I can say that this goes beyond normal user stupidity. People are being scammed, and these are expert scams. Yeah, people need to apply more critical thinking skills to these things, but I think you are not giving the creators of these emails enough credit.
I mean, they look _really_ official.
no
On that note, most people attempting to guess my system's root password over SSH seem to be using computers in Korea as well. :)
The World Wide Web is dying. Soon, we shall have only the Internet.
I get email all the time in my inbox with things like "undeliverable: subject: Get a free loan". I tried a different email account and within 24 hours I began to receive more undeliverable spam messages.
My parents also use Verizon and have the same problem.
My guess is a spammer cracked their email server and he just phishes real email addresses to hide his identity.
Nice.
What's scary is Verizon won't even acknowledge the problem and it's been going on for months. I eventually left them. My guess is they are afraid of being sued.
http://saveie6.com/
go nuts
Where did this term Phishing come from?
Whenever I see it I think of the Band Phish who are now retired as a band. And weren't at all about attacks or fraud. Heck they probably hold a trademark on Phish, and should sue everyone for using it in this manner. This is a lot different than the spam and hormel thing. Spam ala hormel was bad ala mail spam. Phish ala the band isn't nearly as relatable to this "phishing" stuff.
Phishing will go away when identity theft goes away. What's the easiest way to get information? Ask.
What I say does not represent the views of my employers, my friends, my cats, or myself.
Phishing schemes and scams are based upon taking advantage of people's ignorance.
Proper education is key to solving this problem. All the technology in the world isn't going to prevent someone from passing their info to some criminal.
Think about this: this scam could have been conducted for a regular brick and mortar bank by having a scam artist walk door to door asking people to update on a paper form their account information. Of course no one will do this because we all know better than to just give our information to a stranger knocking on our door.
The same applies to email. Once people realize this is not an acceptable method to update or pass information, then these scams fall out of favour.
Education of the internet is a must for everyone that uses it. Sort of like financial management education when you get your first credit card, the same should be applied to those getting internet access.
Live forever, or die trying.
So far I've read multiple 'stupid user' accounts. It amazes me that so many people are so arrogant because they see this type of stuff day in and day out that they'd expect every person out there to think of people this evil to come up to them with this type of attack.
People genuinely trust folks, that's why they call it social engineering. You can walk just about anywhere with a clipboard and a pen and get access to just about anything in a standard business environment.
Working for a vendor I've had many 'seasoned sysadmins' rattle off a password to me like it was nothing. Granted I've never once used them outside the context that they were given but the fact that some of them would affect the bottom line of the company with a few simple commands would not be the best thing.
Do I call those admins stupid? No, not really. Guess that is where I differ. I don't find the BOFH and similar things funny either though.
As a rock-and-roll Physicist once said, No matter where you go, there you are.
I suggest a new sign-up form:
Name:_____
Email:____
Other stuff:
__________
Repeat the following three times:
"We will not ask for your passwords via email."
__________
__________
__________
"We will not ask for your credit card number via email."
__________
__________
__________
The World Wide Web is dying. Soon, we shall have only the Internet.
short for password harvesting fishing
Last week I got an email from a friend of mine warning me about a new nasty virus and that I shouldn't open up an email with such and such title. Obviously right away I know this is a hoax. I get pissed off at her and send a reply message to her bitching her out about contributing to the congestion of the internet by sending that junk through. I get a response from her. "If you tried to email me back from the last email it did not come through because of spam blocker (inbound virus hoaxes)." I guess it's all about education. As much as I hate to say it, people should be required to take a class on using the internet properly. Hey, I've managed to teach her to use BCC when she decides to send a message to her entire address book. Got to start somewhere.
Gmail now will mark suspicious email with a banner that says something to the effect of "This email does not appear to be from who it claims. Learn More...", with a link to information about phishing scams.
Well, if you think you are, then why not see if you're prone to phishing scams, or if it's a legitimate e-mail offer! Take the Mail Phishing Test
;)
Enjoy!
So security types...
Who among your vendors do you expect to stop the phishing attacks?
It seems to me that the most likely candidate is SPAM filtering, since this is the first line of defense, stop the email before it gets to the user.
Content filtering could help but given the fact that these are list driven products, the list will probably be late in delivery (nightly updates,) and will ultimately be a list of dead links (here today gone tomorrow.)
Of course there is the best defense, educated users. But, good luck finding an accountant that reads emails about security threats. Or even worse, an account executive that doesn't click on every link in every email received.
Those who can do... Those who can't get a certification from Cisco or Microsoft.
What does a phisher do with Ebay info? Create a lot of auctions in your name using your good feedback? Seems like if I have good feedback, I'm using my Ebay account a lot, and I'd notice if someone starts messing with it.
Does anyone else think that the only real problem here is HTML email? It's good for nothing, wastes resources, and enables pretty much every kind of annoying spam, hidden redirect, tracking bug--it just keeps coming. Why do we have to build all these widgets to help users see that URLs aren't what they say they are, and such? Do we really want to wait for the spammers to start building javascript messages that alter the url after/when clicking, or whatever next becomes really annoying to people?
Isn't this enough of a problem yet to get the asinine companies that forced HTML down our throats (I'm looking at you AOL, MS, etc) to reconsider? Make the common clients block/ignore the HTML by default and *never* send HTML messages, instead of the current tactic of trying to trick or force users to send as HTML (maybe with an additional text version, if we're lucky), to just drown out the people asking for plain text.
Maybe I'm just bitter. It's always so difficult to watch stupid obvious mistakes blossom so thoroughly predictably. At least I can filter most all the spam by dumping HTML messages.
I wonder if anyone has thought about using a similar method to audit their own user base for inexperienced users who might fall for E-mail scams. I.e. send a message from a bogus domain registered to "CompanyX Email Audits" requesting private data. Anyone who responds gets their account suspended until properly re-verified and a followup E-mail about how to avoid phishing attacks.
It might upset a few customers, but my guess is those customers might be a security liability that the company could live without...
but that's the point, the problem is that people think something is official just because it looks like it.
You do the intelligent (or lazy) thing: Go to their site and log in normally. If they want your attention, it'll prompt you. That's what I do if I get one that is legit. I just go log in as normal. If it's really legit, the site will then prompt me for what it wants. If not, no problem.
Somewhere, I have a bug in a perl script I wrote that "hijacks" emails containing files with certain extensions so that I can make sure they aren't viruses. The bug...which I'm considering a good bug...is somehow "hijacking" about 40 to 50 phishing emails a day...all claiming to come from Citibank, SunTrust, Smith Barney, etc.
From all the ones I have seen, the email body is HTML used to show an attached image. There are <A> tags around the image that generally point to a webserver running on port 38. They are ALL port 38. As an example, the one I'm looking at right now points to http://%32%30%37%2e%32%33%36%2e%31%35%39%2e%31%30%30:38/%63%69%74/%69%6E%64%65%78%2E%68%74%6D ... which translates to http://207.236.159.100:38/cit/index.htm.
;-)
These emails are annoying, but at least I'm managing to block these from getting to users who probably don't understand. I'm sure I'm missing others though.
I'm writing the bug off as a feature though.
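The three tells the post above describes (an image wrapped in an <A> tag, a percent-encoded URL, and an IP literal on an odd port) can be checked mechanically. This is an added example in Python rather than the poster's perl script, which is not on the page; the sample HTML body is constructed, though the encoded URL in it is the one quoted in the post. Percent-decoding is repeated until the string stops changing so that a doubly encoded link is caught too.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed HTML body modelled on the post: one image wrapped in an <a>
# whose href is percent-encoded (the URL quoted in the post), plus an
# ordinary link for contrast.
SAMPLE_BODY = """<html><body>
<a href="http://%32%30%37%2e%32%33%36%2e%31%35%39%2e%31%30%30:38/%63%69%74/%69%6E%64%65%78%2E%68%74%6D">
<img src="cid:statement.gif"></a>
<p><a href="https://www.example-bank.test/contact">Contact us</a></p>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect every href on an <a> tag; entity decoding is done by the parser."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.hrefs


def decode_link(href):
    """Percent-decode until stable, so double encoding does not hide the host."""
    prev, cur = None, href
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur


def classify(href):
    """Return (decoded_url, reasons); an empty reasons list means nothing odd."""
    decoded = decode_link(href)
    parts = urlsplit(decoded)
    reasons = []
    if decoded != href:
        reasons.append("percent-encoded host or path")
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        reasons.append("IP literal instead of a domain name")
    except ValueError:
        pass
    if parts.port not in (None, 80, 443):
        reasons.append(f"non-standard port {parts.port}")
    return decoded, reasons


def suspicious_links(html):
    """Decoded URLs from the body that trip at least one check, with reasons."""
    return [
        (decoded, reasons)
        for decoded, reasons in (classify(h) for h in extract_links(html))
        if reasons
    ]


if __name__ == "__main__":
    for url, reasons in suspicious_links(SAMPLE_BODY):
        print(url, "->", "; ".join(reasons))
```

On the constructed body this reports only the first link, decoded to http://207.236.159.100:38/cit/index.htm with all three reasons; the plain contact link passes. A mail filter would run this over the HTML part of each message and quarantine or tag messages with hits.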
I very recently complained to Schwab IT about their online statement delivery. It comes in an email, contains an html doc that contains a java app that directly asks for my account and password info. I wrote them a letter saying how bad an idea that was, and that it encourages less sophisticated users to trust the sender too much.
:)
...blah blah...
...blah...
Their response indicated they didn't even understand what I was talking about. Should I have called it "Phishing"? I doubt it would have helped. How can a customer educate these people, and why should I have to? (Maybe someone in their IT dept reads slashdot
Here is my letter:
To Director of Technology,
I am disappointed in the security offered by the transaction statement I receive each month. I am required to save an html file, which when opened presents me with an account/pin dialog.
- I have no way of knowing where that information is going to be sent.
- I cannot verify the originator of *any* email. How can I be sure that *this* email is definitely from schwab.com? (one b or two?) If the email is spoofed, the contents of the html document are suspect, putting my password etc at risk.
- Since this arrived by email, I did not initiate the connection. It is generally a bad practice to give out personal information when one did not initiate the transaction (even in a phone call).
- The process required by your system encourages less sophisticated users to develop poor security habits, such as responding to emails (of unknowable origins) with personal information.
- I would feel *much* more secure if I initiated an https connection to a web address that *I* know is legitimate. It is significantly less likely an https connection mechanism would be exploited than a simple email message.
Until something changes about this process, I have no alternative but to consider these emails SPAM, and am in fact getting no benefit out of receiving them.
And their response...
I appreciate your concerns regarding your request of electronic statements. In regards to your concerns, PostX technology sends an "HTML envelope" that contains the encrypted payload. This "HTML envelope" opens to present the user with a prompt for the user's password. Once the password is entered the local javascript or java applet accepts the user password and decrypts the payload.
Documents sent through the PostX platform are encrypted with highly secure, industry standard algorithms. Symmetric encryption defaults to ARC4 but AES encryption algorithm is available as well. End to end encryption between users or firms assures the highest levels of confidentiality for critical, sensitive or personal data on public networks. The password is hashed with 160 bit encryption (SHA1) with a large random number. This hash is then used along with the chosen encryption algorithm to encrypt the payload. The encryption is very secure. The most venerable part of the process is the password itself.
If you still have further concerns regarding the security of the contents that you have chosen to have delivered via email, then you may want to elect to cancel this request. You may do so by following these simple steps:
Sincerely,
"A fool and his money are soon parted."
Crushing my karma one post at a time.
Perhaps the best way to handle these is to get even.
Write a script which will go to the site and fill in bogus name/account/credit card info. Let's slashdot the phishers!
"-1 Troll" is apparently the same as "-1 I disagree with you."
Usually, the successful phisher will create only one or two auctions offering something pricy (cars, boats, expensive electronic gear...) with a solicitation to "Contact seller for payment information." Photographs and text are typically lifted from previous successful auctions of the same item. When you contact the seller, he spins an elaborate story about being based in the UK but temporarily visiting some Eastern European hellhole (and therefore unreachable by any means other than email). He then requests a Western Union transfer to sell the item immediately at a "bargain" price.
If you express skepticism, he offers to send the item first and provide you with a tracking number.
This just happened to an acquaintance in Hong Kong. He paid $6,000 for a high-end Agilent signal generator that was listed on eBay by an account with lots of positive feedback... and received a package containing three pieces of wood.
The two defenses against these scams are (1) escrow services -- legitimate ones like escrow.com, not bogus ones set up by the scammer; and (2) looking at the seller's last few auctions. If they sold Beanie Babies last week, they are probably not really selling microwave spectrum analyzers today.
Dahlmann tightly grips the knife, which he may have no idea how to use, and steps out into the plain.
> I've actually received one of these emails. It looked legit.
> Really legit.
But it can't look legit. It's impossible to look legit. eBay state they will never ask for your details like this.
How then can a phishing email look 'legit'?
It's like getting an email from your dead grandmother. You *KNOW* beforehand that she's not going to be sending you email, so how could an email purporting to be from her look 'legit'?
> I mean, they look _really_ official
It sounds like you want to be scammed.
RST
Is there a way to find out how many fraud claims a CC company has processed, in raw numbers and as a percentage of recently active cards?
What about the merchants? How carefully do they screen their merchants for cluefulness about validating signatures and matching a photo ID for a purchase?
How much does it tell us about the CC company with the fewest? Better anti-fraud detection or a more clueful customer base.
If these metrics are not available, they should be.
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
I've been worried about my dad and this for a while...he's very trusting and has been an "easy sell" for years (to the point where I have to go with him to electronics stores, etc., lest he walk out with a ton of stuff he doesn't need but was sold to him by the "nice salesperson").
So it was to my relief that he says he never opens his email account (AOL) because it's just full of spam. I checked and sure enough he had about 200 unread messages, all but one of which were straight spam. The other was a 419 scam, which I deleted just in case...
It is interesting how personal information became a form of capital in the modern age, and people want to have it.
In the past, when we were paying with actual money in person and banks were not widespread, someone who knew our personal info could not hurt us much.
When banks were invented and remote transfer of money became a reality, and especially after the introduction of credit cards, a person knowing your signature and personal details can destroy you.
And now some people are trying to create a personal criminal empire by collecting information and especially personal information.
In that sense personal info has value and people want to have it, so it's a form of capital.
Perhaps this (the malicious collection of information) is the negative side of the transformation of the economy into a knowledge/information-driven model.
It is certain that a solution must be found, otherwise people who have access to vast amounts of personal info and also have malicious intentions might endanger the modern economy.
Technological solutions can help, but I think the answer should be a cultural solution and especially education. i.e. netsurfers should be trained to not give away any personal information to anyone if they don't think about it very carefully. Giving away personal info in today's Internet is very much like giving away your money.
To be fair, slashdot has an established history of posting physorg.com articles so perhaps this really wasn't a "let's post on slashdot and earn a lunch!". But it probably was. Shenanigans.
Speak truth to power.
but that's the point, the problem is that people think something is official just because it looks like it.
Hey, uh can you help me out? I drove my family to the city from new jersey and blew out my tires, then we ran out of gas and I lost my wallet. Could you spare $20.00 so I can get my family back home to new jersey. I will send the money back to you if you give me your address.
How many times have you heard a similar spiel? People fall for this kind of bullshit all the time. A scam is a scam, whether perpetrated online or offline. One time I saw one of those elaborate story telling scammers, then saw him the next week. He started in on me again, and I mentioned how bad his luck must be to have it happen twice in one week. He looked surprised, so I repeated his whole story back to him pretty much verbatim. He didn't wait for me to finish before striding off to find another victim.
My other favorite con is the one my sister's ex-boyfriend fell for hook, line and sinker. These suburban rocker types drive around and tell of how they bought some KICK ASS speakers and when they went around to the loading dock, they were accidentally given two pairs. Of course they cost about $800 new (yeah right). Anyway, they rope you in with this story and you end up forking over $250 (or however much they can clean you out of) for some ultra crappy speakers that belong in the city dump. Apparently this scam even made it on to "The OC". I googled speaker scam and came up with 'the white van speaker scam'.. check out this url to see how many pigeons they got:
http://forum.ecoustics.com/bbs/messages/1/3
music lover since 1969
the url of the latest phishing scam i got and the site is still up
http://83.148.74.76/www.paypal.com/us/cgi-bin/
We need to get this link passed on to more people. Mod it up if you can. I took it and scored 100%, as I am sure most /. folks would. I then passed it on to my father and mother-in-law. Both semi-technical folks and both very intelligent. They both scored 3/10. Scared them enough to take the emails like that they get much more seriously. We need to pass this along to the folks "under our wings" and show them how strong this threat is.
GREAT LINK.
Knightfall
The lesson to learn is that when an account is online, you have to KEEP YOUR OWN LINKS. That way, (1) if you don't have an account with an institution, ignore the mail, or (2) if you do, use the front door you've used before.
This guideline is all anybody needs to protect themselves from these scams.
Identity theft is only a problem because we attach so much weight and importance to our individual histories. If we would stop screwing people over for life after things like bankruptcy, or when they fall ill, there wouldn't be a need to get other people's "clean" identities.
As someone who can't even get health insurance because of some mysterious "red flag" in my past, I can see why someone could get desperate enough to try to become someone else! I can't even imagine a scenario where I couldn't open a checking account because I made a few mistakes as a young adult.
Identity theft won't stop until this "you are your credit score" mentality goes away!
I agree, the one I got from "citi-bank" looked ALMOST EXACTLY like citi-bank's REAL site, but I knew immediately it was bogus when it "needed me to update my account info" due to the fact that I have NEVER owned a credit card, but I could see where people who use their bank online could be caught if they were not paying close attention. On the other hand, I "won" 8 separate lotteries in the UK this morning! LOL
Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
Why don't banks just set up 'monitored' accounts, put a little bit of money in them, and then follow the trail? :)
The phisher thinks they've caught someone out, logs in and transfers money away (I'm guessing to a relay account unless they're REAL stupid), which relays on and on until it eventually gets somewhere the phisher can do something with it.
The money (or goods they might buy with it online) has got to go somewhere, right?
I tell people who ask me how to tell the real sites from the fakes sites to put in "dickfer" for the user name and "topeewith" for the password. If it logs in, they know it's fake and are free to fill in a proper name and address that the spammer may freely use.
LOAD "SIG",8,1
LOADING...
READY.
RUN
I just got scammed out of a thousand dollars by a crook who used a stolen "verified" Paypal account to pay me. When I saw the payment to be legit I let the guy pick up the merchandise from my house.
A few hours later the item was charged back by Paypal saying it was unauthorized.
I have a question for you guys. What are my chances of finding Paypal liable for the loss if I can't find this crook?
Here's my take:
One is that Paypal sees themselves as an escrow service. If such is the case they have the right to intervene and take back funds from transactions that are deemed illegitimate. However if so, then they also have an obligation to ensure that account charges are in fact legit. The only reason I accepted the payment was that it was from a "verified paypal user". Therefore Paypal is liable.
The other argument would be that Paypal isn't an escrow service, but only a payment transfer service. If this is the case, once the money is in my account it belongs to me (like a cash exchange). They have no right to take it out of my account and put it back.
eTrade SUCKS
"It's impossible to look legit. eBay state they will never ask for your details like this."
And eBay is the only phishing target?
I once almost called my bank to tell them that their email had all the elements of a phishing scheme, and they might want to revise it to be less phishy. Then I figured out how they obfuscated the URL (which finally killed Outlook Express for me; Thunderbird shows the URL correctly), so I just called the bank and told them that it looked like someone was phishing (and confirmed that there were no problems with the account).
Now, I was never in danger of actually putting my password in on the site (I never even clicked on the link), but I did seriously think my bank had sent the email. Most people are less paranoid than me.
... so can we actually type out "legitimate" instead of using "legit?" I mean, I realize we all miss the days of "I checked it out and its legit, Microsoft will send you a zillion dollars if you forward this email to 10 people..."
If we don't use the word legit, it will serve as a spam flag.
Trying to use sarcasm in text-based forums does not work.
I see a lot of people blaming stupid people for this. And stupidity, naivete, etc. are definitely part of it.
But the fact is, some of the phishing emails look really good. I got one last week that was identical to a legit Citibank email, except that it went to http://citibankgroup.biz instead of https://citibank.com. Given all the weird URLs and bulk mailing companies banks use (and the fact that a lot of normal users view URLs as voodoo), it's not surprising to me at all that people fall for this stuff.
In the end, this is just a special case of spam. Verifying the sender using SPF or any of the other systems being adopted right now, will solve this problem. And disabling HTML email (among the worst design decisions ever made, IMHO), would also help a lot.
-Esme
http://shit.slashdot.org/article.pl?sid=04/10/18/1717210
One answer to phishing scams would be to retaliate with that other scourge... spam. Spam their databases! If everyone who got the phishing scam replied with junk information, the phisher's database would go from 100% signal to something significantly less. I'm not sure how expensive it is, timewise, for phishers to pursue junk information, or whether they could filter out the junk by cross-checking the supplied data automatically. I bet, currently, they just assume all of the data they get is correct. If we could sink that assumption, and make them work harder for their ill-gotten gains, it may slow them down while more conventional means are used to prosecute them. You probably shouldn't submit more than once to any given phisher's site, since they could easily capture your IP and filter out multiple submissions.
SPF would help users identify phishing. (See http://spf.pobox.com.)
I've written an extension for Mozilla Thunderbird that checks the From: address in emails against SPF records:
http://taubz.for.net/code/spf
If people use the extension and if domains start publishing SPF records, we might find ourselves with a solution.
warning :
"hi everybody, i'm looking at gay porno!"
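The post above describes checking the From: address against the domain's SPF record. As an added example (not the Thunderbird extension's code), here is a minimal SPF evaluator in Python that walks a record's ip4/ip6/include/all terms for the connecting IP and turns the result into a label a mail client could display. DNS is replaced by a constructed in-memory record table, so the domains and addresses are made up; the a/mx/ptr/exists mechanisms, which need live lookups, are reported as unresolved.

```python
import ipaddress
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups: domain -> SPF record (not real data).
RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 include:mailer.example -all",
    "mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def from_domain(from_header):
    """Domain of the From: address, e.g. 'Bank <alerts@Bank.example>' -> 'bank.example'."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def check_spf(sender_ip, domain, records=RECORDS, depth=0):
    """Evaluate domain's SPF record for the connecting IP; returns an SPF result string."""
    record = records.get(domain.lower())
    if record is None or depth > 10:          # no record, or include chain too deep
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                        # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":                      # catch-all, normally the last term
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":                # recurse; only a "pass" inside counts
            if check_spf(sender_ip, arg, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:                                  # a, mx, ptr, exists need live DNS
            return "temperror"
    return "neutral"                           # fell off the end without "all"


def classify(from_header, sender_ip, records=RECORDS):
    """Label a mail client could show next to the message, based on the SPF result."""
    result = check_spf(sender_ip, from_domain(from_header), records)
    return {"pass": "sender verified",
            "fail": "sender forged",
            "softfail": "sender suspicious"}.get(result, "sender unverified")
```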
We need an open source, community based, distributed solution to this problem.
Here is what I suggest:
1. Open source software is created for windows and linux (at least) that redirects browsers to an informational page (possibly at localhost) when they click on a link in a phishing email.
2. Phishing links are submitted by the community, and reviewed by peers. Links that are confirmed as phishing links are added to a list of known bad URL's.
3. The client software lives in the system tray (on windows) and updates itself with a new list of known bad URL's at least daily, at most hourly.
Using this solution, you could install this software on grandma's computer once and feel relatively confident that she won't fall prey to a phishing scam.
At the very least it is a far better solution than what is available now: nothing.
Lose Weight and Feel Great with Isagenix
I'm going to state the obvious because I'm bored at work.... As the "People in the Know", it is our responsibility to inform our grandmothers, friends, co-workers, etc. of all the pitfalls of the online world. For each person close to us that we can warn, that's one more person who will learn the "easy" way. The rest will have to learn the "hard" way by getting burned. Eventually everyone will learn. Unfortunately, there will always be new and more creative scams. "Fool me once - shame on you! Fool me twice - shame on me!"
Algorithms don't keep time as well, but at least they're spelt correctly.
</pedant>
Pretend that something especially witty is here. Thanks.
Need I say more?
If every email you received from your bank had a big happy green bar at the top saying "this email appears to be valid", and one day you received one without it, you might be suspicious. Even if it merely reduces the occurrence of such fraud, it's an improvement.
One nice thing about this is that it benefits the bank to use the system, even if only a few customers use it, it benefits the customer to use it, even if others don't, and it doesn't break the use of customers who can't read signed mail. (Unless your mailreader is rather screwed up. Maybe it could be a settable option.)
...I just hope the font people have set in the status bar is legible enough to catch the trickier ones. Look at these three characters: "I" "l" "1". In some fonts they are identical (uppercase i, lowercase L and the number one).
Paypal was one of the earliest business victims of phishing scams, which were successful because of the unfortunate last character in the name. The scammers registered paypai.com (shown in the url as paypaI.com) and paypa1.com (number one at the end) and set up convincing, secure sites to scam people.
I applaud the Mozilla people for giving users the tools to help spot scams, but people still have to use their heads.
- I posted an item for sale
- I realized I owed eBay about $40 in back listing fees
It was just before I was going to get into bed, and I skimmed over the message as I usually do before deleting it. My usual thinking: "Sure", I thought, "I'll get back to it tomorrow and pay them." This time around, I clicked the link and got the "standard" eBay login screen. Being tired and lazy, at this point I didn't even glance at the URL. I entered my login and password for eBay, and as it was redirecting I glanced at the address bar, and in horror I saw "cgi2.eb4y.com" or something munged like that.
In a panic, I immediately changed my eBay password, and all is once again well on my happy little computing planet. That being said, had I not caught that and gone straight to bed, who knows what I would've woken up to. The moral of the story is that you really have to be on your toes. The circumstances surrounding this dodged-bullet really were a perfect setup for me: owed eBay money, just posted a new item for sale that day, fatigue...
Common sense is the key!
"This is your poor slacker Son. I'm broke again, and in jail again. Please send money to ....."
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
He was right!
zosxavius photography
E-mail scam plays on US elections
By Alfred Hermida
Published: 2004/10/05 08:50:43 GMT
BBC News Online technology editor
http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/3714944.stm
People are being warned about a scam e-mail which uses the US presidential poll to con them out of their money.
A junk e-mail invites people to dial a premium rate number to express their support for President George W Bush or rival John Kerry.
E-mail filtering firm BlackSpider estimates that almost a quarter of a million are being sent out every day.
In the past, net fraudsters have tried to use the 9/11 attacks and the tragedy in Beslan to get money.
900 number
At first glance, the presidential election message appears to be legitimate, saying it was sent from a Lycos.com address.
But BlackSpider Technologies said it had traced some of the e-mails to a server in the Czech Republic.
The mail reads: "Fellow Citizen: The extremely jubilant crowds in Baghdad appeared to vindicate President George Bush's belief that the military action in Iraq was the right move.
"But many questions still remain over the lack of hard evidence of Saddam's weapons of mass destruction. With these tough times before us, let us know."
It goes on to ask readers if they support President Bush, prompting them to call a 900 premium rate number.
It says votes will be sent to the Bush and Kerry campaigns.
In an effort to convince people it is a genuine message, the e-mail says who commissioned the poll.
The mail adds that the calls will cost $1.99, saying this is "a little price to pay for a better democracy".
"This is a relatively new scam," said BlackSpider CEO, John Cheney.
"The question is, are they breaking the law? In the UK they are, in the US they are not."
Sending unsolicited messages to personal e-mail is barred in the UK. But in the US, people have to opt out of receiving these sorts of messages.
Hotbed of scams
BlackSpider estimates that 240,000 of the presidential scam e-mails are being sent out worldwide a day.
The lack of any spelling mistakes and its resemblance to a genuine message means that it could slip through the spam filtering of home users.
This latest scam reflects how the nature of spam is changing.
In the past, spam was dominated by pornography. These days spam is a hotbed of financial scams, as well as a black market for fake pharmaceuticals and software.
E-mail scams known as phishing have tried to trick customers into giving away confidential bank details.
Other scams known as 419 try to part people from their cash by telling them they are in line for millions from a deposed African leader.
The US presidential mail is just the latest trick used by spammers to part the unwary from their money.
"No doubt we will be seeing some messages like this in the next general election in the UK," said Mr Cheney.
Very good. You have correctly identified the method crooks used before phishing technology was possible.
Copyrights, Patents, Trademarks: temporary loans from the Public Domain, not real property ("intellectual" or otherwise)
There are no quick ways to explain to an 'average joe' how to check an email for legitimacy. The only hard and fast rule should be:
Do not EVER enter personal financial or identification information on a website you reach by using a 'link' in an email.
Instead open a new instance/tab/window of your webbrowser (It also helps to avoid using the browser most well known for its vulnerabilities, cough), and hand enter the original known address for the site belonging to the organization that you believe is contacting you. If you don't *KNOW* the correct address, call them and *ASK*. If they need information from you, they will confirm the requirement there.
If you are not 100% certain of both the legitimacy of the request and your ability to tell, *CALL* the organization (IGNORE any suggestions given in the email not to call) and *ask* them if it is legitimate. (*NOT* using a phone number given in the email; use one you obtained when you established the relationship with the organization, or one you looked up yourself from a phonebook or directory assistance line.)
Obviously, if you don't *HAVE* an existing online relationship with the bank/company/etc that the email comes from, then assume it *IS* a fraud.
As others have so astutely mentioned here, there's no way we're going to be able to prevent a dumbass from shooting himself/herself in the foot. There have been scams since the dawn of time; no reason why they're going to be solved simply because of the computer age.
Phishing is just hacking a human's computer; wait, so is advertising, so is ... Some humans are easier to hack than others.
I was checking email last night before bed and got a paypal email that said my account was being suspended and asked me to reactivate.
Remembering paypal was having problems lately and also being sleepy, I clicked on that link without hesitation, only to find out that it's a link to some other site and apparently it has been taken down.
Then I REALIZED this is yet another phishing scam. Luckily the site was not available. I am telling this story to show that even a computer geek like me could be tricked. So be aware..
The thing that always tipped me off was that I don't have an ebay account...
... haven't I seen this article posted on slashdot before?
... you get attacked through their lyrics! Yeah, the band sucked anyway, but I think the non-techies might get a slightly distorted perception of this article.
In the good old Netscape 3.x days, there was a very visible colored bar separating the navigation buttons and menus from the webpage if you were on a secure server. Of course, https sites weren't nearly as common back then, so it really stood out when you were on one.
I have a great (and true) anecdote about a Professor who inadvertently splashed pr0n up on a 4m x 4m screen before an audience of MBA students, managers and Execs, but I don't have good anecdotes for the spyware and phishing parts of the series.
Have you (or do you know anyone who has) been caught out by (i) a keylogger or similar spyware or (ii) a phishing attack, either of which caused some quantifiable loss (ie: $$$ got pinched from their online bank account, identity re-used somewhere else, etc, etc)?
All I need is a short email description so that I'm quoting a valid/verifiable source instead of making things up.
I'd appreciate an email from an actual victim please, I'm happy to cite your name or be anonymous as required. Thanks.
about:me I'm a geek who works at a university, becoming increasingly frustrated at the last year or so's worth of worms, phishing and general microsoft-induced hell, and I've had some degree of success at getting myself published on a range of geek topics. By no means a journalist or anything like that though!
I find your ideas intriguing and I wish to subscribe to your newsletter.
I've had one purportedly from a major bank with which I do have accounts, and it had precisely the same graphics as the bank's site. It urged me to go to that site, and gave a link whose text said "majorbank.com"...of course, the URL it actually linked to was something else.
rj
Any large company that permanently stores your credit card information, especially banks, DON'T send out spam for exactly that reason. When was the last time you got an e-mail from your bank to tell you now is the perfect time to get a home equity loan?
Unless of course by "spam" you mean those solicited e-mails from my bank's tech support. That's where these heinous fiends are getting their templates from! Really they might as well. It's just as easy to rip your template from solicited mail as from "real spam."
The problem is, losing a vital piece of information like an account or credit card number sounds like one of those rare situations in which you might expect your bank to contact you directly. It seems more urgent and is more effective in spurring a rush response if you have very little online contact with your bank - i.e. they are not sending you spam.
It doesn't take an original document for something to look official. Have you ever gotten a CitieBanq e-mail? Neither the spam nor their mockup page looks anything like the real CitiBank page. The idea is to make your phishhook look official. You don't need to clone an original e-mail to do that - just cook up something that looks vaguely authoritative. Somehow, I doubt that phishers wait around for some other company to just hand them a template. They just cook up their own e-mail. If it's the only e-mail victims ever get from the bank, which is likely, what other sources will they have to contradict it?
A strain of paranoid prevention can be worse than the disease, whate'er the intention.
For Schwab.
:)
Schwab knows for sure the information typed into their neato appi was not altered in transit.
Too bad the users of the appi lose security (they don't know who the info is going to).
They probably even realize this now, after it's too late, but have spent X million dollars on the system and all have their jobs on the line if it were found that a bad decision was made.
So what does a Schwab CEO type do?
What all the other CEO types are doing these days... play stupid and pass the blame.
And as for the company that sold the system to Schwab...
That's just plain greed. There is no way they couldn't have realized the flaw. And there is no way Schwab would have bought the system had they known of it.
Back to my bridge I go...
To make laws that man cannot, and will not obey, serves to bring all law into contempt. --E.C. Stanton
Hey, uh can you help me out? I drove my family to the city from new jersey and blew out my tires, then we ran out of gas and I lost my wallet. Could you spare $20.00 so I can get my family back home to new jersey. I will send the money back to you if you give me your address.
Where is your car? Where are the 'blown' tires? Where is the gas gauge in the car, and is it really pointing to 'E'? Would it be acceptable if I paid for a tank of gas instead of handing you the money?
It's trivial to protect yourself from scams like this. The fact that many people don't show just how dumb they really are.
The same company (PostX) that provided this solution also has a completely on-line solution that users would access just like webmail; however it's not as convenient. The customer (Schwab) chose to use the off-line method because they thought it would be more acceptable to customers.
All you two-bit Slashdot pundits act like the IT industry and decision makers are idiots and somehow a bunch of shiftless websurfers are somehow more qualified to run multi-billion dollar companies.
It probably never occurred to you that the people in charge made well-informed decisions that 95% of their customers love. It's the totally anal-retentive less than 5% of people who have issues with it.
If you guys got your way, you would have a system so completely over-engineered that no one could manage to use it. Just the attitude of everyone ridiculing phishing victims for being victimised, that's ridiculous. The target user audience is not technically adept and you need to take that into account when you design a system.
If good security was all you needed, every e-mail sent today would use S/MIME encryption and signing, but guess what, your encryption actually has to be USABLE and manageable. I've seen a few posts in this thread along the lines of "use PGP: problem solved". Sure, that solves the identity problem but who's going to teach millions of luddites how to use it? Are Slashdot readers going to start hosting free community seminars on how to install and use PGP? I'll believe that when I see it.
In the mean time, the push delivery systems are a good compromise.
Someone is WRONG on the Internet!
aww gross
sicko
I mean, they look _really_ official......
No matter how official it looks, just feed them garbage.
All theory is gray
It's especially annoying that E-Gold doesn't use them, because they're phished almost as heavily as Citibank, in spite of being much much smaller.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Ideally you want to give them credit card numbers that aren't real but pass a basic validity checksum, just in case the phishers are bright enough to check. Obviously enough, credit card companies don't have a service to auto-generate those for you, but I'm told there are crime tools out there that will (used to be popular for getting free-trial AOL-coaster accounts, because they wouldn't validate the credit card until you'd used your free month and it was time to start charging you.) But generating a large number of invalid transactions (e.g. the card number doesn't match the expiration date, and neither one matches the name) ought to be a red flag when the phisher tries to use it. The problem is how to avoid real people's credit card numbers (you're highly likely to not get a matching name or ZIP code, but if a matching date is enough, you'll hit lots of those at random.)
Bill Stewart
Yeah, I like Phish the band too. But Phone Phreaks were one of the ancestors of hackers and crackers, and the PH in Phishing probably came from there.
Bill Stewart
There are URL spam-block lists now, and SpamAssassin 3.0 seems to be able to use them as well as using SPF rules. Time to get them widely updated with phisher-spam addresses.
Bill Stewart
Hotmail (and possibly other web-based services, I don't know) makes the problem far worse: every web link from an email being read in Hotmail goes through a Hotmail server, with the actual address garbled at the end (with % codes in place of actual /:. etc.) Often it's extremely difficult to tell where the link actually leads to.
What's the one thing that all the phishes have in common?
They rely on the graphics from the original site - those that do not change. If you inspect the code of these emails, most of the links are to the legitimate site, pointing to graphics that the targeted company uses themselves.
As long as the company doesn't change the graphics, the phishes are relatively immortal.
What would happen if the images were renamed, say, weekly? Well, the phishes could break because the links would point to defunct image names.
But instead of merely breaking them, how about putting them to work? Turning the email themselves into warnings?
Rename the old graphics with new graphic names AND put new graphics in their place that work together to create stark, colorful warnings that tell people, without a doubt, that "this email is bogus - forward it to spoof@.com and delete it quickly!".
There are technical issues to work out - like how a weekly name change can eventually make for a lot of old graphics sitting around. Obviously, legitimate emails would 'expire' after a week, too - and unless there was some means for them to be aware of the name changes, the emails would start looking like phishes.
But the idea is that phishing wouldn't be able to use the company images as bait.
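One way to implement the weekly rename idea, as an added example that is not the poster's code: image names are derived from a per-site secret and the week number (the secret, the base names and the grace window are assumptions for the example), so a request for last week's name is recognised and answered with the warning graphic instead of the real one.

```python
import hashlib
import hmac
from datetime import date

# Assumed: a per-site secret, so next week's names cannot be predicted from
# this week's. Constructed value for the example.
ROTATION_SECRET = b"constructed-demo-secret"

def week_index(iso_day: str) -> int:
    """Rotation period: days since the proleptic Gregorian epoch, divided by 7."""
    return date.fromisoformat(iso_day).toordinal() // 7

def image_name(base: str, week: int) -> str:
    """Unguessable file name for `base` (e.g. 'logo') during a given week."""
    tag = hmac.new(ROTATION_SECRET, f"{base}:{week}".encode(), hashlib.sha256)
    return f"{base}-{tag.hexdigest()[:12]}.png"

def resolve_image(requested: str, today_iso: str, bases=("logo", "header"),
                  grace_weeks=0, lookback_weeks=52):
    """Decide what the web server sends for a requested image name:
      ('current', base)   valid this week (or within the grace window)
      ('warning', base)   a name from an earlier week: serve the
                          'this email is bogus' graphic in its place
      ('not_found', None) never a valid name"""
    week = week_index(today_iso)
    for base in bases:
        for age in range(0, lookback_weeks + 1):
            if requested == image_name(base, week - age):
                return ("current", base) if age <= grace_weeks else ("warning", base)
    return ("not_found", None)

if __name__ == "__main__":
    this_week = image_name("logo", week_index("2004-11-01"))
    print(this_week, resolve_image(this_week, "2004-11-01"))
    print(this_week, resolve_image(this_week, "2004-11-15"))
```

`grace_weeks` is the knob for the expiry problem raised above: legitimate mail keeps working for that many extra weeks at the cost of the old phishes working too.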
Years ago, when I was on AOL, I almost fell for this scam (password phish)--it was so convincing! At the time, I was brand-new to the internet and was a total neophyte.
At the end before I left AOL, I was just using them as an ISP, nothing more, nothing less. By then, their 'proprietary content' meant nothing to me.
Nowadays, I'm getting authentic-looking phishes from 'banks' via Outlook I don't do business with. LOSERS!!! (>_<);;;
I would filter out the phishes with my POP3 email checker automatically but I can't as I get other important email at this address as well and can't risk deleting any of it.... =/
Looks like when the domain's machine name listed link text and the underlying href are 'the same' you may still get scammed.
Looks like the best way to avoid any problems is to open a brand new browser window and go to the email senders website that way--it is much safer.
The Feds won't like it, but this is approaching the last straw! Encrypted email in the RSA style should put a stop to this nonsense. How could a phisher impersonate a big bank via RSA encrypted email unless they got ahold of the bank's secret key? But then again, browsing the site manually as explained above will solve the problem of going to a phish site unless the bank's webserver itself got 0wned or compromised by a 'dirty' employee....
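The two link problems raised in this thread, the Hotmail-style redirector that hides the real destination behind %-encoding and the link whose visible text names the bank while the href goes elsewhere, can both be checked mechanically. This is an added example, not code from any poster: it unwraps redirectors, compares the host shown in the link text with the host the href actually resolves to, and flags disagreements; the sample mail body and domains are constructed, and the "last two labels" notion of a registrable domain is a simplification.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl, unquote

HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)  # host-like token in link text

class LinkCollector(HTMLParser):
    # Collect (href, visible text) for every <a> in an HTML mail body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def unwrap_redirect(url):
    """Webmail-style redirector: a %-encoded query value that is itself an
    http(s) URL is the real destination."""
    for _, value in parse_qsl(urlsplit(url).query):
        if unquote(value).lower().startswith(("http://", "https://")):
            return unquote(value)
    return url

def registrable(host):
    # Crude: last two labels (assumption; real code would use the public suffix list).
    return ".".join(host.lower().split(".")[-2:])

def mismatched_links(html):
    """Links whose visible text names one site while the href lands on another."""
    p = LinkCollector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        target = urlsplit(unwrap_redirect(href)).hostname or ""
        shown = HOST_RE.search(text)
        if shown and registrable(shown.group(0)) != registrable(target):
            findings.append((text, target))
    return findings

# Constructed sample mail body: one honest link, then three of the tricks discussed.
SAMPLE_MAIL = (
    '<a href="http://www.example-bank.com/help">contact support</a> '
    '<a href="http://www.example-bank.com.verify.example.net/login">www.example-bank.com</a> '
    '<a href="http://webmail.example.org/redir?u=http%3A%2F%2Fevil.example.net%2Fbank">www.example-bank.com/login</a> '
    '<a href="http://www.example-bank.com@evil.example.net/">http://www.example-bank.com</a>'
)
```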
Remember that the Phishing spam arrives in email - so rather than building the checker into browsers for people who've already clicked on it, you can solve the problem by junking the email before it's read, and reduce the spam problem as well as the phishing risks. I suppose that implementing it in the browser could help people whose email programs use their browsers to fetch URLs, but remember that most of the target population uses IE, not Firefox.
Bill Stewart
For purely domain-based blocking, you can implement it as a host file on your PC (like some adblockers), or somebody could easily implement a DNS server that points known evil domains to 127.0.0.100 or fraudtracker.example-bank.com or whatever. A big ISP could implement it centrally for all their users, but it could be handled just as well as a distributed service. To the extent that you can identify evil sites by IP address range, you could even use IP routing to block them, though that's mainly useful for a small number of targets or for whole countries like Korea or ISPs like China Netcom, if you want to (e.g.) block all IP traffic from there including stuff you initiated on purpose. (If you're running BGP as a routing protocol, you could even get a BGP feed of evil IP addresses.) This sort of thing is more useful for individual businesses than for ISPs, because a given ISP might have _some_ customers who want to see web sites in Korea or China even if most of them don't.
That'll cut back on phishing from misspellled.exammmple-bankk.com, but won't help if the phisher's web page is at http://big-free-hosting-company.example.net/users/31337ph1sher/example-bank.html. To handle that, you need a URL-based checker, though it could be implemented as a web proxy if somebody wanted it centralized.
Bill Stewart
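The difference between the domain-based block (hosts file or sinkhole DNS) and the URL-based check in the two posts above, as an added example that is not the poster's code: the blocklists are constructed from the hosts and path used in the comment, and the 127.0.0.100 sinkhole address is the one suggested there.

```python
from urllib.parse import urlsplit

# Constructed blocklists built from the comment's own examples.
BLOCKED_DOMAINS = {"misspellled.exammmple-bankk.com"}
BLOCKED_URL_PREFIXES = {
    "http://big-free-hosting-company.example.net/users/31337ph1sher/",
}
SINKHOLE = "127.0.0.100"  # where the comment suggests pointing evil names

def domain_blocked(host: str) -> bool:
    """What a hosts file or sinkhole DNS can decide: the host itself or any
    parent domain is on the list."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))

def url_blocked(url: str) -> str:
    """What only a URL-aware checker (proxy or browser extension) can decide.
    Returns 'domain', 'url' or 'allow'."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if domain_blocked(host):
        return "domain"
    normalized = f"{parts.scheme.lower()}://{host}{parts.path or '/'}"
    if any(normalized.startswith(p) for p in BLOCKED_URL_PREFIXES):
        return "url"
    return "allow"

def hosts_file_lines(domains=BLOCKED_DOMAINS, sink=SINKHOLE):
    """Hosts-file lines that sinkhole the listed domains on a single PC."""
    return [f"{sink} {d}" for d in sorted(domains)]

if __name__ == "__main__":
    print("\n".join(hosts_file_lines()))
    for u in ("http://www.misspellled.exammmple-bankk.com/login",
              "http://big-free-hosting-company.example.net/users/31337ph1sher/example-bank.html",
              "http://big-free-hosting-company.example.net/users/someone-else/"):
        print(url_blocked(u), u)
```

The second URL is the case the comment makes: its host is a legitimate free-hosting provider, so the hosts file passes it and only the path prefix catches it.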
Personally, I see the fact that it would be built into Firefox as one of the major selling points of Firefox.
It's just one more very compelling reason in a long list of reasons to help our friends and family switch to Firefox.
Eventually, people are going to get sick of being screwed by Microsoft's lack of security. It might as well be sooner than later.
But thanks for the heads up on URIBL, I'll look into it.
Perhaps I should just put my coding where my mouth is and write an extension to Firefox that does this...
This idea, which occurred to me the other day in a different context, is so simple I am sure it has been discussed before (just not around me) but just in case, why wouldn't this work? You get a spam or a phish. You launch a reply that sends thousands of apparently correct (but phony) replies back (automated completion of forms may be needed here) from anonymous sources. The spammer has to find the real response in the counter spam. If only a few percent of each spam mailing got a countermeasure like this, their needles would get buried in haystacks.