Slashdot Mirror
Fishing for Phishers
mleachpdx writes "This blog entry probes into the details of an online banking phishing scam and suggests some fraud deterrence and detection measures."
← Back to Stories (view on slashdot.org)
← Back to Stories (view on slashdot.org)
Full article mirror here: .org article
mirror.slashdot
Theres currently a problem with our server, you will have to login again to see the details.
(yes this is only a joke)
liqbase
From the article: "The home page of the phishing site looked identical to the actual online banking site. I was impressed. Someone had spent a considerable amount of time mirroring the entire look and feel."
Or they just used the Spiderzilla extension for FireFox and downloaded the entire site. Wow, that scammer went to a lot of work. I have gotten these scams before though, and it is no laughing matter that they go to a lot of trouble to look legit. And I bet the estimate of 15% of people who fall for it listed in the article is actually a little low.
When you sign up, the bank asks you for your 'personalised code', and that will be displayed in every email you recieve from the bank.
If you dont see that code in your email, or it's wrong, you know its fraudulent.
The FA didn't give any reason for why he thought the phish was targeted at him. Without an explanation, I'm sceptical that it was targeted in any way. I get phishing mails all the time - most commonly aimed at Citibank or Paypal, neither of which I do business with. I don't know why the phisher would bother to target them. Seems like more effort than it is worth.
Limit access to customer records. This is pretty much standard practice in the banking industry anyway, but I found it eerie that my phisher knew what institution I did banking with. How did they know this?
Well, I've received several of these mails, but I do not really think they go by any kinda cue -- I've received mails from various banks from around the US, so I think these guys randomly see where you are, make a wild guess at the likely bank and send you one.
For instance, several students at GTech (where I study) have their bank accounts in a certain bank (which we shall call W) -- and a lot of these scams are directed at GT students pretending to be from W.
However, that said -- I'd not be surprised if they acually did some dumpster diving and found out these kinda details. Spooky, man.
I must have got a dozen or so of these in the last few days, my spam appears to go in phases... either I'm in dire need of sexually-enhancing drugs, about to die from malnutrition, or they're all just after my CC details...
It's just a blanket 'attack'. Email is cheap, and they're not trying to be smart because they don't need to be.
Simon
Physicists get Hadrons!
why not give consumers one time access (through pads)?
This is done in Japan and works well there. Maybe consumers here would lose their card? The card isnt electronic its just card with pin numbers that you scratch off each time you use the PIN number.
Banks should STRONGLY educate consumers to never expect emails from the bank that contain links.
I reckon banks could do something similar too. Create some honeypot accounts, and track how the criminals attempt to access it. I'm sure they could play a few tricks with a seemingly big fat balance that could make the criminals reveal their hand.
Check out antiphising.org
The EBay request to verify account information. I've received this several times. Perhaps the financial institutions don't do much because a small country in Africa isn't going to let U.S. law enforcement take care of the problem. Too much corruption is usually the case.
The maxim I always use is: The company that holds your account never needs to ask you for your password since they already have it.
Something many probably don't know is that your local police dept. probably has a high tech crimes unit. They will investigate and prosecute illegal activites like snooping around your company network. They can be very helpful.
Enough already with this "a blog entry says" stuff. Can we please get some ACTUAL news on this site and not just someone's rantings on a BB? Is that too much to ask?
I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
I agree with you here.
Its just aiming at the big players to maximise your audience.
Currently, more people will fall for something like a Citibank scam than a LocalYokelTownBank scam.
Yes, there will be gullible people in both groups, but a lot more with the larger bank.
Hook, line, sinker.
liqbase
Probably that message is sent from hacked/owned/not patched windows machines that send the entered info to the real criminal. I suppose that for really knowimg who is him that "infected" machines should be hacked back or that the provider of that internet connection contacts/gives the address of the owner, and check the programs there.
Could be, yea, that he just feels "special" 'cause these cunning Zimbabweans just happened to guess his bank.
Which could also mean that they are netting fewer people than he thinks...except that there are really not that many small banks anymore.
With only a group of maybe five or six major banks in the US, I am sure it isn't too hard to snag some morons every now and again.
sig not found
I still don't understand, do these banks just give their customers a login/password for their account?
The bank I use gave me a little authentication device which combined with my bank card, my personal code and a random code provided by the bank site can generate digital signatures. In order to login and in order to make all transactions final I must provide the right code.
I've been using this system for about 10 years now, if those exploitable banks still use a normal password protection it's their fault they're exoploited this way and there's no way customers should be responsible for it.
Phishing schemes and junk mail go hand in hand. China is the king in terms of generating the most junk mail targetting North American Internet users.
The only way to stop the problem is the encourage American vigilantes to enter China and to go on a hunting expedition -- if you get my drift.
P.S.
The vigilantes could also kill a couple of Chinese thugs in Tibet. The Tibetans would certainly appreciate the help.
The scammer went to alot of work because the Return on Investment was so high. For a few hours of work, he probably a substantial amount of cash.
I have used the same bank for over 15 years for my personal checking account.
I have not gotten one email from that bank (either legitimate email or a phishing scam with that bank's name or fake url.
That bank does have my email address.
I have gotten phising scams that have ebay in them (I do have an ebay account). I have also gotten phising scams with the names of other banks in my area.
I think they go by geographical data for banks. For ebay, it's no problem. They can scan ebay's pages and get seller's ebay account names with no problem.
Cleara
The only way to stop the problem is the encourage American vigilantes to enter China and to go on a hunting expedition -- if you get my drift.
P.S.
The vigilantes could also kill a couple of Chinese thugs in Tibet. The Tibetans would certainly appreciate the help.
I misread the subject line on this article, thought it read Fisting for Phishers.
Now that is a punishment that would work pretty good, once word got out!
Glonoinha the MebiByte Slayer
I work for a company that attempts to protect its customers from this kind of fraud. We monitor domain registrations to locate potential phishing scams. It's interesting to see that it's not only banks that are hit with this kind of scam. These guys will set up an entire shopping cart taking credit cards that mimick an online store like Dell. It's a pretty interesting scam that only seems to be gaining popularity.
It's not a major concern in the 3rd world so these guys have no reason to stop. We've seen scams like this based out of Russia, Brazil, China, and several African countries. It will be interesting to see how this all pans out.
In order for them to get their ill gotten gains, they have to eventually withdraw some money from somewhere. It seems it would be trivial for INTERPOL or some other agency to set up a bunch of bank accounts with a few thousand dollars/euros in them and then start responding to all the phishers. Then just follow the money to the crooks. What's the big deal? Is there just no will to do this or am I missing something?
Cheers,
I fell for a phishing scam once. I just hope when Mr Hitler tried to get a new password from tech support they didn't give one out.
I'm a consultant - I convert gibberish into cash-flow.
Amen Brother Ben. Stupid fuckers, all of em.
Has anyone else noticed that the folks at Gmail have added a "report phishing" feature? When you view a message, click "More Options" and you'll see it.
Then again, maybe it's been there for some time and I just haven't noticed (it definitely wasn't there when I first got my Gmail account though and it doesn't appear to be listed as a new feature).
On a related note:
The lad vampire needs your help
Irene KHAAAAAAN!
They could use the techniques suggested here but that's too much like real work. Or they could just stick it to their customers and make them prove it was fraud and even then just screw the customers over. As long as the banks aren't out any money, they have no incentive to do anything.
Honestly how stupid are you people to fall for any of this. Absolutely do not respond to any request from anyone to provide any information for any reason whatsoever. Not even from someone who purports to be from the government. If anyone needs to get in touch with me that badly they can send a letter registered mail or have their attorney contact me.
Artists against 419 is also interesting. They are working against the phising sceems of 419 scammers.
If you've got bandwith to spare, be sure to check out The Lad Vampire
Please modify the news post and add one of those links. They could use the help of a lot of slashdotters, I think.
Irene KHAAAAAAN!
In every case getting cash out of my account involves paying a bill (to an authorized agent like VISA), or emailing money or transferring money to a 3rd party acct. All of these leave a trail that banks can recognize and plug.
I once changed my buying habits with my VISA card and had to confirm my identity before the transaction could be authorized. Since fradulent VISA transactions cost VISA, it appears that when it affects the bottom line, banks can and do put checks in to stop fraud, but there is no incentive for banks to stop fraudulent bahviour on behalf of their customers. (Of course we are no longer the banks customers, shareholders are the real customers)
Pressure needs to be applied to the banking industry to minimize the average person's exposure to fraud! It is easy to do, for example I should be able to lock transactions from my online banking account to a specific set of recipients and require a face-face visit with a banking representative to change this... Would-be fraudsters that obtained access to my account might be able to overpay my utility bill but that would be about it.
Just like spam, can we @ /. take any countermeasures? I'm not up on this stuff, so if I make a few silly suggestions, please give me a break.
Pick a phisher /spammer and: /. them
Send a reply with the name of a pop tune or movie in the title.
Send a reply with a big attachment
Send a reply with a virus attached
If it's possible, think of all of on one day, sending an email with "White Houses" on the title, and a 4 Mb attachment to a spammer / phisher. A toasted server, maybe?
Republican leadership = Idiocracy
How is it possible to make money, knowing the login name and password for a bank's customer? The only actions allowed are transferring money from one account to another, ordering new checks, and finding the check amounts and account balance.
Funny you mention that because just the other day I got a scam email posing as Citibank. About 30 seconds later, I got one from some local bank in North Carolina. I guess they are trying to cover all the bases.
I'm not drunk, I just have a speech impediment. And a stomach virus. And an inner ear infection.
You can ONLY transfer money from one of your own accounts to another of yours.
It's amazing what people will do for you for some cash.
My friend's paypal account was ripped off. A 3rd party bought a camera and shipped it to Russia, because the auction's shipping was only avalible in the US and the Russian wanted the deal. The Russian supplied my friend's paypal and a $20.
The camera is safe in Russia while the idiot who bought it had a chat with the police.
~~~
Click here, you know you wanna!
I am the recent victim of a scam.
OK, not a victim. Let me restate: I am the recent victimizer of a scammer looking for a victim.
And I have a new $3000 to prove it. Sent to me directly from an "honest businessman" from Nigeria. Really. It was FedEx'd from Nigeria. From a guy named Walter Nabanu.
OK, I don't have a new $3000. But I have a check that says it is worth $3000. But I'm not going to cash it.
How much does it cost to Fedex an envelope from Nigeria to the US?
At least FedEx made out on this deal.
What would be the best way to protect yourself against this? Is it possible to set up caching DNS to pool from multiple independent sources and either alert on conflict or resolve by majority rule?
This is not true:
>a Gartner analysis is quoted as saying "What's
>really scary about it [phishing] is right now there
> are no back-end fraud detection solutions for it."
Corillian Corporation provides an effective back end solution that is capable of detecting phishing sites as they are being built:
Corillian Fraud Detection System
I only ignore them if I don't have enough time to fill out one of their forms with some incredibly bogus and insulting information.
http://www.rootstrikers.org/
I have about a hundred email aliases that I use on a regular basis (for spam control - so I can see if any of my vendors divulge my address).
I have made numerous postings to Usenet and public email lists with some of those addresses.
I have a few email addresses in mailto: links on web pages.
I have about five times as many credit cards and bank accounts as the average person.
Some of my email aliases are six years old -- I don't think that any of my email addresses from > six years ago still forward to me.
I never get any of these phishing emails. I can't remember the last time I received an email virus/trojan/worm. I get a fair bit of spam, but it's manageable.
Am I living in a different universe from the technology journalists?
There's almost zero chance the phishers knew the author had an account at his bank. They use spamming techniques and count on getting lucky.
Some financial institutions already do this but it is very expensive. Despite the dire headlines, current levels of fraud are not high enough to justify the cost in many (or most) cases. This is also why financial institutions in North America do not use two-factor authentication such as token cards. I've seen some clever ideas for cheap two-factor auth. that might work out.
I think it would be more effective if consumers put pressure on browser and email client software suppliers to fix the security holes in their applications.
I find it very doubtful that phishers would ever have an account at the instituion whose clients they are attempting to defraud. First, there is no need to get access to authenticated pages to create a "highly sophisticated phishing site". Second, the act of opening an account requires providing proof of identity and would create evidence that could lead to finding the real identity of the phisher.
This is bang on. Not following up on the author's email is a pretty big mistake.
Based on this experience, I now honestly believe that 5-15% of all recipients of this email could easily have fallen prey to the scam. I documented all the information collected and emailed the scam hotline of my bank .
Yeah, it happened to me many times.. The first time (way back in 2003), I too documented everything, even went so far to do a reverse IP, full e-mail headers, checking the geographical location of the IP address (turns out to be Korea, land of mass broadband penetration) and even incl. a snapshot of the display output. What do I get in return?
The bank e-mailed me back advising not to click nor believe the mail that I got originally. Hello?? I've done half of the work for you trying to assist in catching these bast**ds, and I know that it's a clear blatant fraud case.. What do you take me for? Sometimes I don't believe the kind of idiots they employ.. Can't they understand english? And these guys are supposed to be the country's largest commercial bank!!
From that moment on, I'm not gonna do their work for them, I find it easier to press the delete key/include in my shit list/configure my spamfilter.. Well, at least not for these idiots anyway..
Peace of mind
PS - I noticed that since most of the scams (at least on my side) originates from Korea, I wonder whether it is the work of North Korean agents trying to scam money in order to generate cash in order to funnel it back to ol' Kim?? Nah... I've been watching too many kung-fu movies..
Will sys-admin for food
clamav will find and bust a lot of the phising e-mail as viruses. - works great.
draz
http://shit.slashdot.org/article.pl?sid=04/11/07/1 519251
Every time I get a phishing scam, I contact the affected bank's security department providing them all of the information that I've developed. In many cases this is made extra difficult because the only method they provide of contacting is a web-form. With these, I have to cut and paste the headder info and so on. It really sucks.
Usually, no matter what the method of contact, all I get is an email reply with boilerplate info telling me how to protect myself against these scams. This is utterly stupid, I've already taken action that shows them I am aware of what is happening!
After a week or two I always follow up. On the few occasions where I recieve a human reply from this follow up, I am told they can't provide me with information on an on-going investigation. I know BS when I see it and these replys are BS.
I'm trying to do the banks a favor yet apparently they view this as more hassle then help. Apparently they don't do anything unless someone actually loses something (and maybe not even then, I wouldn't know - I've never fallen victim).
I'd suggest that the banks rotate their images in a public folder changing the real image with ones that say You are visiting a scam site if you are seeing this image. That would slow the phishers down or make them do some real work at least.
I'd say that I see at least 3 financial institution phishing scams each week. I have never had a single scam in the name of my bank. Over all, I think I have seen phishing for information for about 10-15 banks. Seems likely to me that the blogger simply got unlucky with having his own bank targeted (or maybe the phisher just got lucky).
1) Generate fake credit card numbers that pass as "valid"
Easy: Business::CreditCard - Validate/generate credit card checksums/names.
I think there is a simple solution to this. If you are fishing for phisherman and as soon as you find one, fire off a script that will insert bogus (but legit looking) information. Say they had a DB with 90% of the entries were valid info from their victims, you could poison their database down to 20% correct quite easily, and they will either have to scrap the whole thing or risk getting nailed by International authorities for fraud when they try to use the false info, repeatedly (which they will of course, criminals are hardly the smartest people out there).
A lowly consumer may not have much clout in getting this scum off the bottom of their shoe, but the banking industry itself has a helluva lot more leverage.
Pardon me for saying this... Because it is absolute flamebait, but... Tracing a lot of these e-mails show that they are hosted on Russian websites... Between the Possibility of Sobig coming from a Russian company... The fact Coolwebsearch is from a Russian company... And these phishing e-mails... Why DON'T we delink them?
Despite what's written in the First Amendment, you still say this country was founded on "Christan morals", which supposedly includes denigrating people who don't fall within your narrow little worldview, and making them INFERIOR from a LEGAL perspective?
Whatever happened to "love the sinner, hate the sin"? By putting such things as anti-gay-marriage rhetoric into public policy, you are FORCING YOUR RELIGIOUS BELIEFS ON EVERYONE. You are doing the exact OPPOSITE of what God teaches, by taking away the free will that He gave us. If a person doesn't have FREE WILL to choose or not choose to believe in God (and that also includes morals that boil down to a solely religious belief, with no legitimate secular reasoning behind them), then any choice that person makes is worthless.
I'm a Christian, and I support legal rights for gay couples, that are equal to the legal rights of a straight couple. Whether you actually call it 'marriage' or not, I could give a fuck less. We have no right to prevent someone else from doing something just because "God said it was wrong". Make that decision for yourself, not someone else, dickhead.
You are right. It is possible to ask the bank to turn off bill pay, but it is normally on.
And if the code is used once then it can be compromised because you have to view it.
Someone could have a camera pointed at your monitor and they would then know your Seeecrreet code.
On line banking is not and never has been safe.
It is dangerous. But so are a lot of other things too.
I don't think the risks are worth it for on line banking.
A particularly funny statement given that the founding fathers of the U.S. were, for the most part, not Christians as we currently think of Christians.
and if you don't know I won't tell you
It's a slim chance, but if enough people get irritated enough from having to re-send enough email, then perhaps we can still get rid of this idiotic idea.
_O_
.|< The named which can be named is not the true named
it's a matter of scale. The hundreds of people who don't respond are made up by the few who do. In a couple of days, a decent site can collect 4 or 500 sets of information.
Those of you who wonder "what the hell can someone do with my online banking information" are not thinking creatively enough. The scammer doesn't care about being able to login to your online account (although that is a tasty extra). What he cares about is the other information you provide which enables him to call your credit card company up, change the address and phone number associated with your card, and either order a new card to the new address, or simply use your number to order products. This is the time tested method, and it continues to work well while banks continue to allow this level of access to accounts with only a mother's maiden name and social security number. The phisher collects more than enough information to do this.
The thing is, these people don't "drain your bank accounts." That process is impossible for all but the most stupid banks (such as citi, which allows online wire transfers). Instead, they use your account as you would, to make purchases of goods for resale.
It's all pretty simple if you think about it a little bit. Or know those who do it themselves...
But that's not what I really want to tell you. There are ways to (at least partially) "authorise" your bank (or anyone else) to send you mail). I gave my bank a SneakEmail address that forwards the bank's mail to me, so any email from my bank has to come through this address, that is not published. The probability that a phisher can randomly produce it is very low. The only thing you need is an unpublished address that's very unlikely to be forged, and you can then have a reasonable level of sender authentication.
Now if this is not enough, consider VarA ("Verified And Recipient Authorized"). The details are not really important. The idea is that existing sender identification schemes can be used with unique recipient addresses: so say your bank published an SPF record (not that I endorse SPF as an anti-spam technique...). Then you can give the bank a unique email address, and then whenever email is received for that recipient address your server makes an SPF query on the bank's doamin name: the receiving address triggers a check that the email came from the allowed sender's domain. To be able to do that you'd need server software that does it, but then it's all doable on the recipient's side, no need for sender's cooperation. The sender just sends email to the address the intended recipient provided. No interoprerability issues. Anyone who wants to implement it on their servers can do it now, and there's no need for unifirmity: in fact, diversity in the way it is implemented is an advantage, as a uniform implementation is a bigger target for those who would want to circumvent it.
One critical thing to do about Phishing is to get Banks, E-Bay, e-gold, etc. to publish SPF codes for their email servers. That would permit any ISP or end user whose spam filters support SPF to discard most of the Phishing mail unseen, rather than depend on the user to notice that it's fake. Digitally signing email is also important, but at the moment SPF is more useful for most people, since Joe Gullible isn't going to validate signatures anyway.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
1) Configure all e-commerce sites you do business with to send you ONLY PLAINTEXT EMAIL--NO HTML!
2) Filter out ALL HTML email sent to your e-commerce contact point email address. I use my own program to do this automatically for me.
Without the cover of HTML, phishers CANNOT use it to fascilitate their desception.
I used to enter bogus info at the phish sites but I gave up as they seemed to be keeping records and I cannot use a particulare (presumably) 'bogus' credit card number against them. Now I just delete all HTML email (phishing included) that is sent to my e-commerce contact email address.
Some banks get fancy and use SecureID or similar access tokens, but most US banks seem to only use login and password, and it's not uncommon for the password to be your ATM PIN.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I'm pretty sure 9111 1111 1111 1111 works as well
$ perl -MBusiness::CreditCard -e 'print cardtype("9111 1111 1111 1111"), "\n"'
Unknown
$ perl -MBusiness::CreditCard -e 'print validate("9111 1111 1111 1111"), "\n"'
0
There are more efficient ways to implement this - a script that keeps doing "wget options > /dev/null" could suck down as much bandwidth without wasting CPU and memory on having your browser render it, but this one's really a no-brainer to use. One of my computers gets a bit clunky running this (the 2.4GHz running XP has more trouble than the 1.1GHz running Win2K.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Turns out the 419ers have a fair amount of practice gang-banging on their own.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks