Slashdot Mirror
Fishing for Phishers
mleachpdx writes "This blog entry probes into the details of an online banking phishing scam and suggests some fraud deterrence and detection measures."
← Back to Stories (view on slashdot.org)
← Back to Stories (view on slashdot.org)
Full article mirror here: .org article
mirror.slashdot
Theres currently a problem with our server, you will have to login again to see the details.
(yes this is only a joke)
liqbase
From the article: "The home page of the phishing site looked identical to the actual online banking site. I was impressed. Someone had spent a considerable amount of time mirroring the entire look and feel."
Or they just used the Spiderzilla extension for FireFox and downloaded the entire site. Wow, that scammer went to a lot of work. I have gotten these scams before though, and it is no laughing matter that they go to a lot of trouble to look legit. And I bet the estimate of 15% of people who fall for it listed in the article is actually a little low.
When you sign up, the bank asks you for your 'personalised code', and that will be displayed in every email you recieve from the bank.
If you dont see that code in your email, or it's wrong, you know its fraudulent.
The FA didn't give any reason for why he thought the phish was targeted at him. Without an explanation, I'm sceptical that it was targeted in any way. I get phishing mails all the time - most commonly aimed at Citibank or Paypal, neither of which I do business with. I don't know why the phisher would bother to target them. Seems like more effort than it is worth.
Limit access to customer records. This is pretty much standard practice in the banking industry anyway, but I found it eerie that my phisher knew what institution I did banking with. How did they know this?
Well, I've received several of these mails, but I do not really think they go by any kinda cue -- I've received mails from various banks from around the US, so I think these guys randomly see where you are, make a wild guess at the likely bank and send you one.
For instance, several students at GTech (where I study) have their bank accounts in a certain bank (which we shall call W) -- and a lot of these scams are directed at GT students pretending to be from W.
However, that said -- I'd not be surprised if they acually did some dumpster diving and found out these kinda details. Spooky, man.
I must have got a dozen or so of these in the last few days, my spam appears to go in phases... either I'm in dire need of sexually-enhancing drugs, about to die from malnutrition, or they're all just after my CC details...
It's just a blanket 'attack'. Email is cheap, and they're not trying to be smart because they don't need to be.
Simon
Physicists get Hadrons!
why not give consumers one time access (through pads)?
This is done in Japan and works well there. Maybe consumers here would lose their card? The card isnt electronic its just card with pin numbers that you scratch off each time you use the PIN number.
Banks should STRONGLY educate consumers to never expect emails from the bank that contain links.
I reckon banks could do something similar too. Create some honeypot accounts, and track how the criminals attempt to access it. I'm sure they could play a few tricks with a seemingly big fat balance that could make the criminals reveal their hand.
Check out antiphising.org
The EBay request to verify account information. I've received this several times. Perhaps the financial institutions don't do much because a small country in Africa isn't going to let U.S. law enforcement take care of the problem. Too much corruption is usually the case.
The maxim I always use is: The company that holds your account never needs to ask you for your password since they already have it.
Something many probably don't know is that your local police dept. probably has a high tech crimes unit. They will investigate and prosecute illegal activites like snooping around your company network. They can be very helpful.
Enough already with this "a blog entry says" stuff. Can we please get some ACTUAL news on this site and not just someone's rantings on a BB? Is that too much to ask?
I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
Probably that message is sent from hacked/owned/not patched windows machines that send the entered info to the real criminal. I suppose that for really knowimg who is him that "infected" machines should be hacked back or that the provider of that internet connection contacts/gives the address of the owner, and check the programs there.
I still don't understand, do these banks just give their customers a login/password for their account?
The bank I use gave me a little authentication device which combined with my bank card, my personal code and a random code provided by the bank site can generate digital signatures. In order to login and in order to make all transactions final I must provide the right code.
I've been using this system for about 10 years now, if those exploitable banks still use a normal password protection it's their fault they're exoploited this way and there's no way customers should be responsible for it.
The scammer went to alot of work because the Return on Investment was so high. For a few hours of work, he probably a substantial amount of cash.
I have used the same bank for over 15 years for my personal checking account.
I have not gotten one email from that bank (either legitimate email or a phishing scam with that bank's name or fake url.
That bank does have my email address.
I have gotten phising scams that have ebay in them (I do have an ebay account). I have also gotten phising scams with the names of other banks in my area.
I think they go by geographical data for banks. For ebay, it's no problem. They can scan ebay's pages and get seller's ebay account names with no problem.
Cleara
I misread the subject line on this article, thought it read Fisting for Phishers.
Now that is a punishment that would work pretty good, once word got out!
Glonoinha the MebiByte Slayer
I work for a company that attempts to protect its customers from this kind of fraud. We monitor domain registrations to locate potential phishing scams. It's interesting to see that it's not only banks that are hit with this kind of scam. These guys will set up an entire shopping cart taking credit cards that mimick an online store like Dell. It's a pretty interesting scam that only seems to be gaining popularity.
It's not a major concern in the 3rd world so these guys have no reason to stop. We've seen scams like this based out of Russia, Brazil, China, and several African countries. It will be interesting to see how this all pans out.
In order for them to get their ill gotten gains, they have to eventually withdraw some money from somewhere. It seems it would be trivial for INTERPOL or some other agency to set up a bunch of bank accounts with a few thousand dollars/euros in them and then start responding to all the phishers. Then just follow the money to the crooks. What's the big deal? Is there just no will to do this or am I missing something?
Cheers,
I fell for a phishing scam once. I just hope when Mr Hitler tried to get a new password from tech support they didn't give one out.
I'm a consultant - I convert gibberish into cash-flow.
Has anyone else noticed that the folks at Gmail have added a "report phishing" feature? When you view a message, click "More Options" and you'll see it.
Then again, maybe it's been there for some time and I just haven't noticed (it definitely wasn't there when I first got my Gmail account though and it doesn't appear to be listed as a new feature).
On a related note:
The lad vampire needs your help
Irene KHAAAAAAN!
In every case getting cash out of my account involves paying a bill (to an authorized agent like VISA), or emailing money or transferring money to a 3rd party acct. All of these leave a trail that banks can recognize and plug.
I once changed my buying habits with my VISA card and had to confirm my identity before the transaction could be authorized. Since fradulent VISA transactions cost VISA, it appears that when it affects the bottom line, banks can and do put checks in to stop fraud, but there is no incentive for banks to stop fraudulent bahviour on behalf of their customers. (Of course we are no longer the banks customers, shareholders are the real customers)
Pressure needs to be applied to the banking industry to minimize the average person's exposure to fraud! It is easy to do, for example I should be able to lock transactions from my online banking account to a specific set of recipients and require a face-face visit with a banking representative to change this... Would-be fraudsters that obtained access to my account might be able to overpay my utility bill but that would be about it.
Just like spam, can we @ /. take any countermeasures? I'm not up on this stuff, so if I make a few silly suggestions, please give me a break.
Pick a phisher /spammer and: /. them
Send a reply with the name of a pop tune or movie in the title.
Send a reply with a big attachment
Send a reply with a virus attached
If it's possible, think of all of on one day, sending an email with "White Houses" on the title, and a 4 Mb attachment to a spammer / phisher. A toasted server, maybe?
Republican leadership = Idiocracy
The only actions allowed are transferring money from one account to another
Like from your account to mine...
"Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco
Nonsense. Before there were computers there were credit card companies and banks. If they called you up asking you to verify information they're supposed to have you'd be an idiot to give them that info.
There is little new under the sun. Just because we give it an incredibly lame 1337 name; "PHishing" doesn't mean it's not a hundred year old con game.
Which bank does not allow you to make payments to other people? What is the point of online banking if you can only shuffle money between your own accounts.
Of the four banks with which I have bank accounts, all allow me to make payments to anyone else whose account details I know. I can also make SWIFT (i.e. international) transfers to any account worldwide, by providing branch SWIFT code and account number.
"Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco
This is not true:
>a Gartner analysis is quoted as saying "What's
>really scary about it [phishing] is right now there
> are no back-end fraud detection solutions for it."
Corillian Corporation provides an effective back end solution that is capable of detecting phishing sites as they are being built:
Corillian Fraud Detection System
1) Generate fake credit card numbers that pass as "valid"
Easy: Business::CreditCard - Validate/generate credit card checksums/names.