Slashdot Mirror


Gone Phishing?

Zastrossi writes "According to the Anti-Phishing Working Group, phishing sites--the practice of making sites that look and act like popular sites such as banks in order to steal personal information from customers--rose from 543 sites in September to 1,142 sites in October. Gartner reports that phishing scams cost banks and credit-card companies $10.2 billion."

10 of 218 comments

  1. ING Direct's changing logon by LostCluster · · Score: 4, Informative

    ING Direct's logon page has an interesting feature where it asks for an extra piece of info beyond the username and PIN such as your account's ZIP code or a piece of your SSN on each logon, with the extra question changing every time.

    However, this security method has a fatal flaw... if an attacker knows the answer to any one of the questions, the attacker can just keep reloading until they get the question they want to come up and then answer it. Still, it's better than doing nothing at all.
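
The reload flaw described in this comment, as an added illustration that is not from the thread or from ING Direct: a challenge that is re-drawn on every page load beside one that is pinned to the login session and locked after a few wrong answers. The question set and answers are constructed for the demo.

```python
import random
import secrets

# Demo account's answers to the extra questions (constructed; not real data).
QUESTIONS = {"zip": "90210", "ssn_last4": "1234", "birth_year": "1970"}


class RotatingChallenge:
    """Models the flaw in the comment: every page load draws a fresh question."""

    def __init__(self, seed=1):
        self.rng = random.Random(seed)

    def question_for(self, session_id):
        return self.rng.choice(sorted(QUESTIONS))


class PinnedChallenge:
    """Hardened variant: the question is drawn once per login session and
    stays fixed across reloads until it is answered correctly, and repeated
    wrong answers lock the session so guessing cannot continue."""

    def __init__(self, max_failures=3):
        self.pinned = {}      # session_id -> question chosen for this attempt
        self.failures = {}    # session_id -> wrong answers so far
        self.max_failures = max_failures

    def question_for(self, session_id):
        if session_id not in self.pinned:
            self.pinned[session_id] = secrets.choice(sorted(QUESTIONS))
        return self.pinned[session_id]

    def verify(self, session_id, answer):
        question = self.question_for(session_id)
        if self.failures.get(session_id, 0) >= self.max_failures:
            return False  # locked; a new login attempt is required
        if secrets.compare_digest(answer, QUESTIONS[question]):
            self.pinned.pop(session_id)          # rotate only after success
            self.failures.pop(session_id, None)
            return True
        self.failures[session_id] = self.failures.get(session_id, 0) + 1
        return False


def reload_changes_question(challenge, session_id, loads=20):
    """True if simply reloading the page can surface a different question."""
    first = challenge.question_for(session_id)
    return any(challenge.question_for(session_id) != first for _ in range(loads))
```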

  2. This may continue by comwiz56 · · Score: 2, Informative

    This can only continue to rise. I'd imagine this is a good way to make money that won't be stopping soon. Consumer ignorance is high, and this is just another way of exploiting it. Make sure to educate your friends and families and check out the Anti-Phishing Working Group.

  3. Here's how I got my mom to verify by russler · · Score: 5, Informative

    1. Make certain the site name is not all numeric.

    2. Make certain it is spelled correctly.

    3. If they write to you unsolicited, just type the website in directly that you normally use for the service and you can be certain where you are going.

    I can think of more things to tell her, but the more I say the less I fear she will remember. So I boiled it down to the above list.

    So far so good....

    She is as clueless as anyone on the net, so I figure if it works for her that's a good litmus test....

    1. Re:Here's how I got my mom to verify by LostCluster · · Score: 4, Informative

      That list is a good start, but the latest variant involves a worm that hoses the hosts file and that means a properly spelled URL can still possibly lead to a phisher's site...

  4. one problem... by tsu+doh+nimh · · Score: 5, Informative

    is that banks themselves are guilty of perpetuating this stuff.

    Got an email from Network Solutions the other day, complete with HTML graphics, etc. It said, Dear Customer, we periodically ask our customers to update their whois information....click here to access your account information....

    Then it said failure to keep your account info up to date could result in the suspension of your domain. Turned out this was a legitimate email from NetSol, but it had all the signs of a phish - addressing me with no indication they knew who I was, a la "dear [fill in bank or company here] valued customer"; it urged me to click on a link - which by the way was a dotted IP address; and it threatened negative consequences unless I acted quickly.

    Same thing happened to me with Citibank. I am a citibank customer, and the other day I received an email urging me to transfer my balances from other cards, blah, blah. Anyhow, it had all the right logos, and urged me to click on a link. When I did (with some trepidation), I was brought to a site called "accountonline.com", which as it happens, is in fact owned by Citibank.com. Again, turns out this was a legit email from Citibank (or its marketing dept.)

    Yes, it is sad that we have gotten to the point where companies cannot use email as a legitimate means of marketing and communications with their customers (and prospective customers), but banks and other major companies need to heed their own advice, and as far as I'm concerned, as long as these companies keep doing that sort of thing, they have only themselves to blame when their customers expect this sort of communication.

    --
    ...because you never know who you're dealing with.

  5. Knowing is half the battle by ucsckevin · · Score: 3, Informative

    Phishing is a big problem for those who may be too old or too busy to remember what their bank's URL should be. With URL spoofing in IE, it's an even bigger problem.

    I think the most important thing is education. Anti-phishing technology will only be a stop gap measure. Phishing techniques will just become more advanced. I think an aggressive advertising campaign, including information when you sign up for a bank account, information when you log on to your account or receive your bill will also be helpful. The previous author mentioning the example of additional login info is correct; the phisher will just reload until the information requested is available to them.

  6. Re:Combat it or deny responsibility you mean... by arlandbayes · · Score: 2, Informative

    The current system is shitty, and it's being exploited like gangbusters.

    Right, in my country (Australia) the banks coerce us into using internet banking by charging us for the 'privilege' of speaking to a teller.

    If they can't make internet banking safe then there should not be a charge for doing banking with a teller.

  7. Paypal's fake email looked real by Sanat · · Score: 2, Informative

    I received a paypal phishing scheme email just yesterday. I have paypal but not on that email account. Here is what the url looked like:

    http://www.cisec.or.kr/~sr5141/paypal/update.htm ?= https://www.paypal.com/cgi-bin/us/eng/cmd=login&ac cess979879879879879@#$@*(*87987987234242@#$@$@$@$@ $@$9

    (Have a ball with the address if you want.)

    If I was using IE then it would have spoofed the url as well.

    I halfheartedly filled in some obscene words to send, however so much data was asked for in particular ways that I never could validate the screen for sending without carefully crafting a reply ( I was cutting and pasting) so I aborted instead.

    --
    And in the end, the love you take is equal to the love you make

  8. Re:10.2 Billion is a stunning number. by krbvroc1 · · Score: 4, Informative

    If anyone believes this, it justifies fairly extraordinary investment to combat it.

    It sure is a stunning number. However, the credit card industry is a huge rip off. They charge consumers interest rates in the 12 - 23% range. (This is during a time in history where interest rates are at historic lows). They charge the merchant fees from 1.5 - 7% on each transaction. The ever increasing fees are adding more profit. They are changing due dates to Sundays hoping to increase late fees. Telemarketing their customers. Trying to sell stuff when you call with the customer support lines.

    Last year the credit card industry profits were nearly $30 billion dollars. My guess is that they just write off the fraud and then pass those costs onto the consumer. The average credit card debt keeps increasing so it seems they can pass these costs along and the customer is so reliant on credit card debt for daily life that they don't fight it. What a sham, what a shame.

    I think this is an example of how poorly regulated capitalism doesn't work. Despite the appearance of hundreds of credit card competitors and so many cards to choose from, the industry is extremely anti-consumer. The Better Business Bureau reports that the credit card agencies are number one when it comes to consumer complaints.

  9. There are some easy improvements by ftzdomino · · Score: 2, Informative

    Most phishing sites link you into your bank's website at some point or include graphics directly from them. Banks should carefully monitor their image referrers and investigate when they all of the sudden have a high number from http://citibank.com@1.2.3.4/.

    Another thing to do is to hack the phishing sites. Phishers are typically terrible coders. This means that many standard web attacks can be used to divulge information about them. Even if the site is hosted in a remote nation, they typically forward information elsewhere. Typically they rely on javascript to check for valid input. Disabling javascript and adding some extra ' and " can sometimes give you a PHP error which will also dump the host name of their mysql server, sometimes it's hosted on a US site. Another simple attack is to save the form, edit the form target to be absolute, and then experiment with the hidden values in the data. Typically they do not check to make sure id fields are numeric before creating sql strings out of them. Adding a letter to a numeric id field or using -1 instead can sometimes cause a phishing site to dump useful debug information.

    Typically if one of these phishing emails slips by spamassassin I'll try to hack it and forward information to the banks and ISPs involved. I have yet to receive a response, so I assume they either don't care or are way ahead of me. I would think if they were ahead of me they would take less than 10 hours to shut the site down however.
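
The referrer-monitoring idea in comment 9 combined with the URL rules from comment 3, as an added example that is not from the thread: it scans access-log lines for image requests and flags referrers whose host is all numeric, puts the bank name in front of an "@" (as in http://citibank.com@1.2.3.4/), or wraps it inside another domain. The trusted host list and the log lines are constructed for the demo.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Hosts the bank serves its own pages from (assumption for this demo).
TRUSTED_HOSTS = {"citibank.com", "www.citibank.com"}
BRAND = "citibank"

# Combined-format access log lines, constructed for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Nov/2004:10:00:01 +0000] "GET /images/logo.gif HTTP/1.1" 200 1234 "https://www.citibank.com/login" "Mozilla/4.0"
10.0.0.6 - - [01/Nov/2004:10:00:02 +0000] "GET /images/logo.gif HTTP/1.1" 200 1234 "http://citibank.com@1.2.3.4/update.htm" "Mozilla/4.0"
10.0.0.7 - - [01/Nov/2004:10:00:03 +0000] "GET /images/logo.gif HTTP/1.1" 200 1234 "http://1.2.3.4/update.htm" "Mozilla/4.0"
10.0.0.8 - - [01/Nov/2004:10:00:04 +0000] "GET /images/logo.gif HTTP/1.1" 200 1234 "http://www.citibank.com.example.net/verify" "Mozilla/4.0"
10.0.0.9 - - [01/Nov/2004:10:00:05 +0000] "GET /images/logo.gif HTTP/1.1" 200 1234 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(r'"(?P<method>\w+) (?P<path>\S+) [^"]*" \d+ \d+ "(?P<referer>[^"]*)"')


def referrer_findings(url):
    """Reasons a referrer is suspicious for an image hotlinked from the bank.
    An empty list means the referrer is one of the bank's own hosts."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in TRUSTED_HOSTS:
        return []
    findings = []
    if parsed.username:  # "citibank.com@1.2.3.4": the brand is userinfo, not the host
        findings.append("brand-as-userinfo")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):  # comment 3's "all numeric" rule
        findings.append("numeric-host")
    if BRAND in host:  # brand name wrapped in somebody else's domain
        findings.append("brand-in-foreign-host")
    return findings or ["untrusted-host"]


def scan_image_referrers(log_text):
    """Map each suspicious referrer host to a Counter of findings for image hits."""
    report = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or not m.group("path").startswith("/images/"):
            continue
        ref = m.group("referer")
        if ref == "-":
            continue  # no Referer header sent; nothing to learn from this hit
        findings = referrer_findings(ref)
        if findings:
            report.setdefault(urlparse(ref).hostname or "?", Counter()).update(findings)
    return report
```

A sudden rise in hits for one untrusted host is the signal the comment describes; the per-host Counter makes that visible without storing anything beyond the referrer.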