Posted by
CmdrTaco
on from the stuff-to-think-about dept.
mleachpdx writes "This blog entry probes into the details of an online banking phishing scam and suggests some fraud deterrence and detection measures."
From the article: "The home page of the phishing site looked identical to the actual online banking site. I was impressed. Someone had spent a considerable amount of time mirroring the entire look and feel."
Or they just used the Spiderzilla extension for Firefox and downloaded the entire site. Wow, that scammer went to a lot of work. I have gotten these scams before though, and it is no laughing matter that they go to a lot of trouble to look legit. And I bet the estimate of 15% of people who fall for it listed in the article is actually a little low.
Solution: You authorise the bank first
by
Anonymous Coward
·
· Score: 5, Interesting
When you sign up, the bank asks you for your 'personalised code', and that will be displayed in every email you receive from the bank.
If you don't see that code in your email, or it's wrong, you know it's fraudulent.
Re:Solution: You authorise the bank first
by
BobTheLawyer
·
· Score: 4, Interesting
Do any real banks send e-mails to customers? As far as I know, no UK bank does.
Re:Solution: You authorise the bank first
by
legirons
·
· Score: 4, Insightful
"When you sign up, the bank asks you for your 'personalised code', and that will be displayed in every email you receive from the bank. If you don't see that code in your email, or it's wrong, you know it's fraudulent."
And this code would be sent through which secure email-delivery system exactly? Plaintext SMTP on the internet, like all the other emails from your bank?
Hell, banks don't even sign their emails. Many of them don't even know what PGP is. How many of us have had conversations with our banks along the lines of:
You: I just got an email purporting to be from you
Bank: Yes, that's right
You: So how do I know it's real without phoning you
Bank: Because it's got our name in the From field
You: Did you ever consider signing your emails
Bank: OUR INTERNET IS SECURE, WE USE HTTPS WEBSITE!!!
Customer details
by
metlin
·
· Score: 4, Interesting
Limit access to customer records. This is pretty much standard practice in the banking industry anyway, but I found it eerie that my phisher knew what institution I did banking with. How did they know this?
Well, I've received several of these mails, but I do not really think they go by any kinda cue -- I've received mails from various banks from around the US, so I think these guys randomly see where you are, make a wild guess at the likely bank and send you one.
For instance, several students at GTech (where I study) have their bank accounts in a certain bank (which we shall call W) -- and a lot of these scams are directed at GT students pretending to be from W.
However, that said -- I'd not be surprised if they actually did some dumpster diving and found out these kinda details. Spooky, man.
They don't know who you are
by
Space+cowboy
·
· Score: 4, Informative
I must have got a dozen or so of these in the last few days, my spam appears to go in phases... either I'm in dire need of sexually-enhancing drugs, about to die from malnutrition, or they're all just after my CC details...
It's just a blanket 'attack'. Email is cheap, and they're not trying to be smart because they don't need to be.
Simon
-- Physicists get Hadrons!
ways to prevent online fraud?
by
Anonymous Coward
·
· Score: 5, Insightful
why not give consumers one time access (through pads)? This is done in Japan and works well there. Maybe consumers here would lose their card? The card isn't electronic, it's just a card with PIN numbers that you scratch off each time you use the PIN number.
Banks should STRONGLY educate consumers to never expect emails from the bank that contain links.
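The scratch-card scheme described in the comment above, as an added example that is not part of the thread or of any bank's system: a card of indexed one-time codes, a bank that asks for a random unused index at each login, and a walk-through of what a phisher can do with a PIN and one code harvested by a fake page. The card size, code length and account model are assumptions made for the example.

```python
"""Indexed one-time-code ("scratch card") login, bank side, plus a phished-code replay.

Added illustration: card size, code length and the account model are assumptions.
"""
import hmac
import random
import secrets
from dataclasses import dataclass, field
from typing import Optional

CARD_SIZE = 50    # assumption: codes printed per card
CODE_DIGITS = 6   # assumption: digits per code


def issue_card(rng=None):
    """Bank side: print CARD_SIZE random codes, numbered 1..CARD_SIZE on the card."""
    rng = rng or secrets.SystemRandom()
    return [f"{rng.randrange(10 ** CODE_DIGITS):0{CODE_DIGITS}d}" for _ in range(CARD_SIZE)]


@dataclass
class ScratchCardAccount:
    pin: str
    card: list
    used: set = field(default_factory=set)
    challenge: Optional[int] = None   # index the bank is currently asking for, if any

    def next_challenge(self, rng=None):
        """Ask for a random unused index, so nobody can be asked for 'the next code' in advance."""
        rng = rng or secrets.SystemRandom()
        unused = [i for i in range(1, len(self.card) + 1) if i not in self.used]
        if not unused:
            raise RuntimeError("card exhausted: issue a new one")
        self.challenge = rng.choice(unused)
        return self.challenge

    def verify(self, pin, index, code):
        """One attempt per challenge; an accepted code is burnt immediately."""
        ok = (
            self.challenge is not None
            and index == self.challenge
            and index not in self.used
            and hmac.compare_digest(pin, self.pin)
            and hmac.compare_digest(code, self.card[index - 1])
        )
        self.challenge = None
        if ok:
            self.used.add(index)
        return ok


def phished_code_replay(seed=0):
    """A fake page harvested the PIN and code #7. What is that worth to the phisher later?"""
    rng = random.Random(seed)   # seeded only so the walk-through is reproducible
    acct = ScratchCardAccount(pin="4321", card=issue_card(rng))
    stolen_index, stolen_code = 7, acct.card[6]
    out = {}
    # The real bank asks for whatever unused index it likes; here it picks #8, not #7.
    acct.challenge = 8          # forced instead of next_challenge() to keep the demo deterministic
    out["phisher_wrong_index"] = acct.verify("4321", stolen_index, stolen_code)
    # The genuine customer is later asked for #7 and answers it ...
    acct.challenge = stolen_index
    out["customer_login"] = acct.verify("4321", stolen_index, stolen_code)
    # ... after which the harvested code is worthless even if #7 were asked for again.
    acct.challenge = stolen_index
    out["phisher_replay_after_use"] = acct.verify("4321", stolen_index, stolen_code)
    return out
```

The harvested code is only useful if the bank happens to ask for that exact index, and not at all once the customer has used it. That is why phishing pages aimed at such banks ask the victim for several codes at once, and why the bank must never accept a code for an index it did not itself ask for.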
How to annoy phishers
by
DrXym
·
· Score: 4, Interesting
Drown them in noise. Everytime you get one of these emails, visit the site and enter bogus information. That's what I do. It might not be enough to get the scumbags caught but it must certainly be an annoyance to them. And who knows, a few bogus logins might be enough to get alarm bells ringing at the bank.
I reckon banks could do something similar too. Create some honeypot accounts, and track how the criminals attempt to access it. I'm sure they could play a few tricks with a seemingly big fat balance that could make the criminals reveal their hand.
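The honeypot-account idea from the comment above, as an added example that is not part of the thread: the bank seeds a few "canary" logins that no real customer owns (for instance by typing them into a phishing page it has found), then watches its own authentication log for any use of them and pivots on the source address to find the real customers the same phisher has already logged in as. The log format, the canary names and the sample lines are all constructed for this example.

```python
"""Honeypot ("canary") bank logins: alert on any use, then pivot on the source address.

Added illustration. The log format, canary user names and sample lines are constructed;
a real deployment reads the bank's own authentication logs.
"""
import re
from collections import defaultdict

# Assumed format: "<timestamp> auth <ok|fail> user=<login> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Accounts that exist only to be typed into phishing pages; no real customer owns them.
CANARY_ACCOUNTS = {"jsmith77", "mlopez_savings"}

SAMPLE_LOG = """\
2004-11-03T09:12:01Z auth ok user=alice src=198.51.100.20
2004-11-03T09:14:45Z auth fail user=jsmith77 src=203.0.113.9
2004-11-03T09:14:52Z auth ok user=jsmith77 src=203.0.113.9
2004-11-03T09:15:30Z auth ok user=bob src=203.0.113.9
2004-11-03T09:16:02Z auth ok user=carol src=203.0.113.9
2004-11-03T10:01:10Z auth ok user=dave src=192.0.2.77
this line is not an auth record
"""


def parse_log(text):
    """Yield one dict per well-formed line; junk is skipped rather than crashing the pipeline."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def analyze(text, canaries=CANARY_ACCOUNTS):
    """Return every canary hit and, per source that touched a canary, the other accounts it used."""
    by_src = defaultdict(list)
    alerts = []
    for rec in parse_log(text):
        by_src[rec["src"]].append(rec)
        if rec["user"] in canaries:
            alerts.append({"ts": rec["ts"], "user": rec["user"], "src": rec["src"], "result": rec["result"]})
    suspect_srcs = {a["src"] for a in alerts}
    # Any other account successfully logged in from an address that also used a canary is
    # very likely a phished customer: same phisher, same session, same stolen credential list.
    pivot = {
        src: sorted({r["user"] for r in by_src[src] if r["user"] not in canaries and r["result"] == "ok"})
        for src in suspect_srcs
    }
    return {"alerts": alerts, "pivot": pivot}
```

A failed attempt on a canary is as interesting as a successful one: nobody legitimate knows the name exists. The pivot list is where the bank gets real value, because it names the customers whose accounts should be frozen and called before any money moves.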
check out antiphishing.org
by
enbody
·
· Score: 5, Informative
The worst ones are...
by
ScooterBill
·
· Score: 4, Insightful
The EBay request to verify account information. I've received this several times. Perhaps the financial institutions don't do much because a small country in Africa isn't going to let U.S. law enforcement take care of the problem. Too much corruption is usually the case.
The maxim I always use is: The company that holds your account never needs to ask you for your password since they already have it.
Something many probably don't know is that your local police dept. probably has a high tech crimes unit. They will investigate and prosecute illegal activites like snooping around your company network. They can be very helpful.
Enough already with this "a blog entry says" stuff. Can we please get some ACTUAL news on this site and not just someone's rantings on a BB? Is that too much to ask?
-- I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
Is it that simple?
by
Sarin
·
· Score: 4, Interesting
I still don't understand, do these banks just give their customers a login/password for their account?
The bank I use gave me a little authentication device which combined with my bank card, my personal code and a random code provided by the bank site can generate digital signatures. In order to login and in order to make all transactions final I must provide the right code. I've been using this system for about 10 years now, if those exploitable banks still use a normal password protection it's their fault they're exploited this way and there's no way customers should be responsible for it.
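The kind of scheme the comment above describes, as an added example that is not the commenter's bank's protocol or anyone's product: a customer-held token that derives its key from the card and the PIN, answers the bank's random challenge with a short numeric response, and for payments folds the payee and amount into that response. The key derivation, the 8-digit truncation and the message layout are assumptions made for the example; the walk-through shows why phished responses do not help the attacker.

```python
"""Challenge-response login and transaction signing with a customer-held token.

Added illustration of the kind of scheme the comment describes. The key derivation,
the 8-digit response and the message layout are assumptions, not any bank's protocol.
"""
import hashlib
import hmac
import random
import secrets


def token_key(card_secret, pin):
    """Token side: the signing key only exists when the card and the PIN are both present."""
    return hashlib.sha256(card_secret + pin.encode()).digest()


def respond(key, challenge, transaction=None):
    """Token side: 8-digit response over the bank's challenge and, for payments, the payment itself.

    Payee and amount go into the MAC, so a response for one payment cannot authorise another.
    """
    msg = challenge
    if transaction is not None:
        payee, amount_cents = transaction
        msg += b"|" + payee.encode() + b"|" + str(amount_cents).encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** 8:08d}"


class Bank:
    """Server side: same key, single-use random challenges, response verification."""

    def __init__(self, key, rng=None):
        self.key = key
        self.rng = rng or secrets.SystemRandom()
        self.outstanding = {}   # challenge -> transaction it was issued for (None for a login)

    def challenge(self, transaction=None):
        c = self.rng.getrandbits(64).to_bytes(8, "big")
        self.outstanding[c] = transaction
        return c

    def verify(self, challenge, response, transaction=None):
        if challenge not in self.outstanding:
            return False                                  # unknown, or already consumed
        issued_for = self.outstanding.pop(challenge)       # one attempt, success or not
        if issued_for != transaction:
            return False                                  # challenge was issued for something else
        return hmac.compare_digest(respond(self.key, challenge, transaction), response)


def phishing_walkthrough(seed=0):
    """What a phisher gets from captured responses when the token signs the transaction."""
    rng = random.Random(seed)   # seeded only so the walk-through is reproducible
    key = token_key(b"card-0001-secret", "2580")          # constructed card secret and PIN
    bank = Bank(key, rng)
    out = {}
    # 1. Login: the fake page relays the challenge and records the response.
    c1 = bank.challenge()
    r1 = respond(key, c1)
    out["login"] = bank.verify(c1, r1)
    out["login_replay"] = bank.verify(c1, r1)             # the challenge is single-use
    # 2. Real-time relay: the phisher submits a payment to his mule on the real site, gets
    #    challenge c2, and displays it on the fake page as if it belonged to the customer's
    #    own payment. The customer's token signs the payee the customer actually typed.
    pay = ("GB00-SHOP-1234", 5000)
    mule = ("GB00-MULE-9999", 5000)
    c2 = bank.challenge(mule)
    out["relayed_to_mule"] = bank.verify(c2, respond(key, c2, pay), mule)
    # 3. The customer's own payment, with its own challenge, goes through.
    c3 = bank.challenge(pay)
    out["genuine_payment"] = bank.verify(c3, respond(key, c3, pay), pay)
    # 4. PIN alone, without the card: the phisher cannot produce a valid response at all.
    c4 = bank.challenge(mule)
    out["pin_without_card"] = bank.verify(c4, respond(token_key(b"guess", "2580"), c4, mule), mule)
    return out
```

The relay in step 2 fails only because the payee and amount are inputs to the token. A device that signs just the bank's random code, with the transaction details living only in the browser, hands the phishing site an easy real-time relay: it forwards the challenge to the victim, and the victim's answer authorises whatever the phisher submitted. What the token signs has to be what the customer sees.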
I misread the subject line on this article, thought it read Fisting for Phishers. Now that is a punishment that would work pretty good, once word got out!
Glonoinha the MebiByte Slayer
The problem is much larger than just banks.
by
daperdan
·
· Score: 5, Interesting
I work for a company that attempts to protect its customers from this kind of fraud. We monitor domain registrations to locate potential phishing scams. It's interesting to see that it's not only banks that are hit with this kind of scam. These guys will set up an entire shopping cart taking credit cards that mimic an online store like Dell. It's a pretty interesting scam that only seems to be gaining popularity.
It's not a major concern in the 3rd world so these guys have no reason to stop. We've seen scams like this based out of Russia, Brazil, China, and several African countries. It will be interesting to see how this all pans out.
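The registration-monitoring the comment above describes, as an added example that is not the commenter's company's tooling: generate the typo, homoglyph and "brand-plus-keyword" variants of a protected name, then triage a feed of new registrations against them. The variant generators, the keyword list and the sample feed are constructed for this example; "dell" is used as the brand only because the comment names it.

```python
"""Lookalike-domain triage for a domain-registration feed.

Added illustration, not the commenter's company's tooling. The variant generators,
the keyword list and the sample registrations are constructed for the example.
"""

HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}
PHISH_WORDS = ("secure", "login", "verify", "update", "account", "online", "support")


def lookalikes(brand):
    """Single-edit typos and visually similar spellings of the brand label."""
    out = set()
    n = len(brand)
    for i in range(n - 1):                                   # adjacent transposition
        out.add(brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:])
    for i in range(n):                                       # repeated character
        out.add(brand[:i] + brand[i] + brand[i:])
    if n > 4:                                                # omission; too noisy for short names
        for i in range(n):
            out.add(brand[:i] + brand[i + 1:])
    for i, ch in enumerate(brand):                           # visually similar characters
        if ch in HOMOGLYPHS:
            out.add(brand[:i] + HOMOGLYPHS[ch] + brand[i + 1:])
    out.discard(brand)
    return out


def edit_distance(a, b):
    """Levenshtein distance, to catch typos the generators above do not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, brand, variants):
    """Reason string if the registrable label looks like an impersonation, else None.

    Assumes a one-label public suffix; "brand.co.uk" would need a public-suffix list.
    """
    label = domain.lower().split(".")[-2] if "." in domain else domain.lower()
    if label == brand:
        return None                                          # the brand's own registration
    parts = label.split("-")
    if brand in parts and any(p in PHISH_WORDS for p in parts):
        return "brand-plus-phishing-word"
    if label in variants or any(p in variants for p in parts):
        return "typo-or-homoglyph-variant"
    if edit_distance(label.replace("-", ""), brand) == 1:
        return "edit-distance-1"
    if brand in label:
        return "contains-brand"                              # weakest signal; needs a human look
    return None


def scan(registrations, brand):
    """Return (domain, reason) for every registration worth an analyst's attention."""
    brand = brand.lower()
    variants = lookalikes(brand)
    return [(d, classify(d, brand, variants)) for d in registrations if classify(d, brand, variants)]


# Constructed feed of "newly registered" names for the walk-through.
SAMPLE_FEED = [
    "dell.com", "de1l.com", "dell-secure-login.net", "dlel.com", "dekl.com",
    "dellcomputer-support.biz", "delloitte.com", "example.com", "dell.co.uk", "secure-dell.info",
]
```

The reason string is the triage order: "brand-plus-phishing-word" and homoglyph variants are almost never innocent and can go straight to a takedown request, while "contains-brand" needs a person to look (delloitte.com is flagged here for exactly that reason). The ccTLD case in the sample feed shows the limit of the naive label split; a real feed needs a public-suffix list.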
Why is it so hard to catch these criminals?
by
Anonymous Coward
·
· Score: 4, Interesting
In order for them to get their ill gotten gains, they have to eventually withdraw some money from somewhere. It seems it would be trivial for INTERPOL or some other agency to set up a bunch of bank accounts with a few thousand dollars/euros in them and then start responding to all the phishers. Then just follow the money to the crooks. What's the big deal? Is there just no will to do this or am I missing something?
I fell for a phishing scam once. I just hope when Mr Hitler tried to get a new password from tech support they didn't give one out.
-- I'm a consultant - I convert gibberish into cash-flow.
Gmail vs. Phishers
by
igrp
·
· Score: 4, Interesting
It's definitely becoming more of a "mainstream problem". After all, the whole identity theft problem is perfect Dateline/60 Minutes material.
Has anyone else noticed that the folks at Gmail have added a "report phishing" feature? When you view a message, click "More Options" and you'll see it.
Then again, maybe it's been there for some time and I just haven't noticed (it definitely wasn't there when I first got my Gmail account though and it doesn't appear to be listed as a new feature).
There's currently a problem with our server, you will have to login again to see the details.
(yes this is only a joke)
liqbase
The scammer went to a lot of work because the Return on Investment was so high. For a few hours of work, he probably made a substantial amount of cash.
On a related note:
The lad vampire needs your help
Irene KHAAAAAAN!