Posted by CmdrTaco on from the stuff-to-think-about dept.
mleachpdx writes "This blog entry probes into the details of an online banking phishing scam and suggests some fraud deterrence and detection measures."
From the article: "The home page of the phishing site looked identical to the actual online banking site. I was impressed. Someone had spent a considerable amount of time mirroring the entire look and feel."
Or they just used the Spiderzilla extension for FireFox and downloaded the entire site. Wow, that scammer went to a lot of work. I have gotten these scams before though, and it is no laughing matter that they go to a lot of trouble to look legit. And I bet the estimate of 15% of people who fall for it listed in the article is actually a little low.
They don't know who you are (Score: 4, Informative) by Space cowboy
I must have got a dozen or so of these in the last few days, my spam appears to go in phases... either I'm in dire need of sexually-enhancing drugs, about to die from malnutrition, or they're all just after my CC details...
It's just a blanket 'attack'. Email is cheap, and they're not trying to be smart because they don't need to be.
Simon
-- Physicists get Hadrons!
check out antiphishing.org (Score: 5, Informative) by enbody
I Have Not Seen My Bank's Name in Phishing Scams (Score: 2, Informative) by mrs clear plastic
I have used the same bank for over 15 years for my personal checking account.
I have not gotten one email from that bank (either legitimate email or a phishing scam with that bank's name or fake URL).
That bank does have my email address.
I have gotten phishing scams that have ebay in them (I do have an ebay account). I have also gotten phishing scams with the names of other banks in my area.
I think they go by geographical data for banks. For ebay, it's no problem. They can scan ebay's pages and get seller's ebay account names with no problem.
The maxim I always use is: The company that holds your account never needs to ask you for your password since they already have it.
I would add: Often the employees of the company don't have access to the password because it is encrypted on their end. But the institution can change or reset your password without knowing the old password. This is usually preceded by a manual check performed by customer service over the phone to ensure you are really you. They might also ask you to come into the bank and provide ID.
Re:Transfers are between your own accounts. (Score: 3, Informative) by stoborrobots
Which bank does not allow you to make payments to other people? What is the point of online banking if you can only shuffle money between your own accounts?
Of the four banks with which I have bank accounts, all allow me to make payments to anyone else whose account details I know. I can also make SWIFT (i.e. international) transfers to any account worldwide, by providing branch SWIFT code and account number.
Re:How to annoy phishers (Score: 3, Informative) by throughthewire
But the credit card number I made up was detected as non-existent - or at least the fake website said so.
Now, is there any way to:
1) Generate fake credit card numbers that pass as "valid"
They're probably doing something trivial with Luhn numbers. Trivial to implement, trivial to spoof. Generating apparently valid but fraudulent card numbers is known as carding.
2) Do this, and be certain that no-one actually owns that particular number, and if so, still not get into trouble?
Trouble with whom? The scammers? If you aren't using the number to commit fraud, I wouldn't worry. We want to get the phishers in trouble!
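The Luhn check mentioned above, as an added example that is not from any post on this page: it is a plain mod-10 checksum designed to catch typing errors, so a phishing form's "invalid card" reply can only mean the checksum failed, not that any account was looked up.

```python
def luhn_valid(number: str) -> bool:
    """Return True when the digit string passes the Luhn mod-10 checksum.

    The check only detects transcription errors (a single wrong digit, or
    most adjacent-digit transpositions).  It proves nothing about whether
    an account exists, which is all a phishing site can base its "invalid
    card" response on when it has no link to a real issuer.
    """
    # Tolerate the spaces and hyphens people type into card fields.
    digits = number.replace(" ", "").replace("-", "")
    if not digits.isdigit():
        return False
    total = 0
    # Walk from the rightmost (check) digit; every second digit is doubled.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9  # same as summing the two digits of the product
        total += d
    return total % 10 == 0


if __name__ == "__main__":
    # Constructed samples: a well-known test PAN, the same PAN with a
    # single-digit typo, the Wikipedia Luhn example, and that example
    # with its last two digits transposed.
    for s in ["4111 1111 1111 1111", "4111 1111 1111 1112",
              "79927398713", "79927398731", "not-a-card"]:
        print(f"{s!r}: {'checksum ok' if luhn_valid(s) else 'rejected'}")
```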
Anti-phishing solution (Score: 2, Informative) by overThruster
This is not true:
> a Gartner analysis is quoted as saying "What's really scary about it [phishing] is right now there are no back-end fraud detection solutions for it."
Corillian Corporation provides an effective back end solution that is capable of detecting phishing sites as they are being built: Corillian Fraud Detection System
Re:Why is it so hard to catch these criminals? (Score: 2, Informative) by Daedala
The money doesn't go to the criminals; it goes to a mule who thinks he's processing charity donations. Then it goes to another mule who thinks she's reselling computers. Then someone uses the cash to buy a plasma tv and send it to some other country. Then the recipient sells the plasma tv and wires the money to someone else.....
The basic problem is money laundering, and we still don't have a good handle on that.
-- What I say does not represent the views of my employers, my friends, my cats, or myself.
Re:How to annoy phishers (Score: 2, Informative) by SomeoneGotMyNick
Slashdot moderators rejected an article I sent in over a month ago about this very concept.
A lot of times, you can send a URL encoded request (GET Request) to fill in bogus data from the address line. I've happily sent random values to these seedy servers with a small bash script using lynx.
I suggested that one or more popular websites add a new 'banner ad' whose image location is a properly formed URL to submit a random value to a known phishing server. As people come by the site, a new request is sent to the phishing server on their behalf and floods the phishing server with bogus data coming from many locations. Of course, you may get a red X in the banner image, but who cares. Maybe have it a user optional response. The banner ad could read "Fight Internet Scams, Click here to vote."
Until such a time, I usually have fun overloading the form fields with typographic or unprintable characters well over the string length coded in the form. Hopefully, I cause havoc with their databases when I do that.
The scammer went to a lot of work because the Return on Investment was so high. For a few hours of work, he probably a substantial amount of cash.
Just below this comment a poster has given a link to a phishing central source :)
Looks like it's already in action
http://www.antiphishing.org/
liqbase
1) Generate fake credit card numbers that pass as "valid"
Easy: Business::CreditCard - Validate/generate credit card checksums/names.