Gone Phishing?
Zastrossi writes "According to the Anti-Phishing Working Group, phishing sites--the practice of making sites that look and act like popular sites such as banks in order to steal personal information from customers--rose from 543 sites in September to 1,142 sites in October. Gartner reports that phishing scams cost banks and credit-card companies $10.2 billion."
ING Direct's logon page has an interesting feature where it asks for an extra piece of info beyond the username and PIN such as your account's ZIP code or a piece of your SSN on each logon, with the extra question changing every time.
However, this security method has a fatal flaw... if an attacker knows the answer to any one of the questions, the attacker can just keep reloading until they get the question they want to come up and then answer it. Still, it's better than doing nothing at all.
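The reload flaw described above, as an added example that is not from the original post: a random-per-page-load question next to a keyed-hash version that only advances after a completed login attempt, with a small helper that measures how many reloads the trick needs (assumed question list, usernames and secret are constructed).

```python
import hashlib
import hmac
import random

# Constructed example: the kinds of "extra question" the comment describes.
CHALLENGES = ("home ZIP code", "last 4 digits of SSN", "first 3 digits of SSN")


def naive_pick(username: str, attempt: int, secret: bytes) -> str:
    """Flawed scheme: a fresh random question on every page load, so someone
    who knows one answer just reloads until that question appears."""
    return random.choice(CHALLENGES)


def sticky_pick(username: str, attempt: int, secret: bytes) -> str:
    """Hardened scheme: the question is derived from a keyed hash of the
    username and a server-side counter that only advances after a completed
    login attempt. Reloading repeats the same question, yet the question
    still changes from one login to the next, as the comment says ING does."""
    msg = f"{username}:{attempt}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return CHALLENGES[int.from_bytes(digest[:4], "big") % len(CHALLENGES)]


def reloads_until(picker, username, wanted, secret, attempt=0, max_reloads=500):
    """Measure the weakness: number of page reloads (no login completed, so
    the attempt counter never moves) before the wanted question is shown.
    None means reloading does not change the question at all."""
    for n in range(1, max_reloads + 1):
        if picker(username, attempt, secret) == wanted:
            return n
    return None


if __name__ == "__main__":
    secret = b"constructed-server-secret"
    q = sticky_pick("alice", 0, secret)
    other = next(c for c in CHALLENGES if c != q)
    print("naive scheme, reloads until", repr(other), ":",
          reloads_until(naive_pick, "alice", other, secret))
    print("sticky scheme, reloads until", repr(other), ":",
          reloads_until(sticky_pick, "alice", other, secret))
```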
This can only continue to rise. I'd imagine this is a good way to make money that won't be stopping soon. Consumer ignorance is high, and this is just another way of exploiting it. Make sure to educate your friends and families and check out the Anti-Phishing Working Group.
People should watch out for sites that seem at all phishy. I hope the govt. phish out who these bastards are so they can't phish anymore.
:(
this is one phucked up crime
If anyone believes this, it justifies fairly extraordinary investment to combat it. When you are talking billions then enormous infrastructure projects are possible. For instance, imagine the kind of systematic surveillance activity that could be mounted on the internet with a multi-billion dollar budget.
Tired of Political Trolls? Opt Out!
1. Make certain the site name is not all numeric.
2. Make certain it is spelled correctly.
3. If they write to you unsolicited, just type the website in directly that you normally use for the service and you can be certain where you are going.
I can think of more things to tell her, but the more I say the less I fear she will remember. So I boiled it down to the above list.
So far so good....
She is as clueless as anyone on the net, so I figure if it works for her that's a good litmus test....
is that banks themselves are guilty of perpetuating this stuff.
Got an email from Network Solutions the other day, complete with HTML graphics, etc. It said, Dear Customer, we periodically ask our customers to update their whois information....click here to access your account information....
Then it said failure to keep your account info up to date could result in the suspension of your domain. Turned out this was a legitimate email from NetSol, but it had all the signs of a phish - addressing me with no indication they knew who I was, a la "dear [fill in bank or company here] valued customer"; it urged me to click on a link - which by the way was a dotted IP address; and it threatened negative consequences unless I acted quickly.
Same thing happened to me with Citibank. I am a citibank customer, and the other day I received an email urging me to transfer my balances from other cards, blah, blah. Anyhow, it had all the right logos, and urged me to click on a link. When I did (with some trepidation), I was brought to a site called "accountonline.com", which as it happens, is in fact owned by Citibank.com. Again, turns out this was a legit email from Citibank (or its marketing dept.)
Yes, it is sad that we have gotten to the point where companies cannot use email as a legitimate means of marketing and communications with their customers (and prospective customers), but banks and other major companies need to heed their own advice, and as far as I'm concerned, as long as these companies keep doing that sort of thing, they have only themselves to blame when their customers expect this sort of communication.
...because you never know who you're dealing with.
Phishing is a big problem for those who may be too old or too busy to remember what their bank's URL should be. With URL spoofing in IE, it's an even bigger problem.
I think the most important thing is education. Anti-phishing technology will only be a stop gap measure. Phishing techniques will just become more advanced. I think an aggressive advertising campaign, including information when you sign up for a bank account, information when you log on to your account or receive your bill will also be helpful. The previous author mentioning the example of additional login info is correct, the phisher will just reload until the information requested is available to them.
Banks, Ebay, PayPal, and all the other popular phish targets should have rewards programs for customers who aren't gullible and don't fall for scams. And maybe a "congratulations on not being an ignorant gullible fool" reward would motivate more customers to actually care. Most folks don't, they assume the government will protect them. I think we should stop foiling natural selection and let it do its job.
we will end no whine before its time
Hmmm ... the number of "sites" found doubled just when Google doubled its index size...
Tangentially related. I just had an interesting conversation with CDW. I ordered some toner from them for my laser printer. Set up an account and gave my credit card number through the website. Very typical online experience. We've all done it hundreds of times.
A day later I get a call from them asking for the security code on the back of my credit card as well as the phone number for my credit card. Odd, I thought. I've been ordering online for years with this credit card and never been asked after the fact for that info. Additionally the card was a Discover card and there is only one number for that which I'm quite sure CDW knows.
While I doubt there was anything malicious going on I had them cancel the transaction. They explained that it was for extra security but they could have easily asked for that information in the online transaction. I have no way of knowing if this rep was acting on her own so I don't see any added security for me. My only criticism of CDW is that I don't think this was a very professional way to handle this transaction.
I don't really think there was anything malicious going on but it's a good idea to be very careful when something is out of the ordinary, even a little bit.
I read recently that phishing scams have reached such a ridiculous level that UK banks are seriously considering making the victims 100 percent responsible for them.
Whereas at the moment a phishing victim can reasonably expect their bank to give back any money that's lost from their account(s) as a result of being scammed, in future the same victim could well be told that they're responsible so they're liable.
Personally, whilst I would prefer that banks do the right thing, I find it hard to argue with a policy that says that they won't refund money where people have been stupid enough to be conned into giving away their banking details by obvious scams.
I don't want Alzheimer's disease victims to suddenly find their accounts empty but when the average man on the street is practically giving away his financial details when he should be keeping them secure, well, what do you expect banks to do? Give away money which they then end up recouping by charging everyone more for their services?
Sometimes, the only way you can educate people into doing the right thing is to not protect them when they do the wrong thing. In that respect, we're talking about the same sort of lesson people who don't have any backup procedures learn the first time they irretrievably lose all their data.
Tough love is sometimes the best love.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
My bank doesn't have my email address. Give them a throwaway email address when registering online, then delete the address. All the mail to that account would bounce, and the bank has other (non phishable) ways to contact me if needed.
I can't click a false hyperlink in a printed letter.
Click here for a free picture of an iPod!
Did the industry really lose 10.2 billion dollars to scammers or did this number come from the same process the RIAA and the BSA used to estimate loss to piracy?
Personally, I think something is seriously wrong if phishing alone managed to net scammers $10.2 billion. Maybe if it was world wide consumer finance fraud combined it would be more believable.
Sometimes I wish I was a plumber, then I'd know how to deal with other people's shit.
Give a man a fish; and you have fed him for today.
Teach a man to phish; and you have fed him for a lifetime.
[x] auto-moderate all posts by this user as insightful
Gartner reports that phishing scams cost banks and credit-card companies $10.2 billion.
In related news, some anonymous guy using randomly generated numbers, estimates that tech employees who visit
This problem would go away quickly if people signed their E-mail.
I used to do that but I stopped because it was too hard to wipe the magic marker off my monitor.
When I was a kid, we had to get bits of metal embedded in us the old fashioned way - war, industrial accidents and drunken fishing!
This issue is a bit more complicated than you think.
The problem seems to be people who don't know the difference. A phishing scam won't really fool anyone who is aware of them. Sure, everyone here knows about dummy e-mail accounts and is well aware what a phish looks like. The problem, as with many scams, is not those who are aware of them but those who are not.
Given that, why don't banks and the like give a simple online tutorial before allowing a user to set up any type of Net account that implies moving real money? I would think a 5-minute (at most) presentation followed by a short quiz would be sufficient.
If everyone involved in online financial transactions is thus educated about phishing, it would become quite a bit harder for the scammers to find unknowing victims.
To fight the war on terror, stop being afraid.
Wasn't there an IE exploit where you could make one URL show up like another URL in the address bar?
Don't get me wrong, I believe this to be a serious issue. BUT, every time there is a problem like this, the price tag to those unfortunate scammed or wormed or virii'd is an amount of money that seems a little ridiculous. Seriously, 10.2 billion? 10.2 billion what?
I received a paypal phishing scheme email just yesterday. I have paypal but not on that email account. Here is what the url looked like:
http://www.cisec.or.kr/~sr5141/paypal/update.htm?=https://www.paypal.com/cgi-bin/us/eng/cmd=login&access979879879879879@#$@*(*87987987234242@#$@$@$@$@$@$9
(Have a ball with the address if you want.)
If I was using IE then it would have spoofed the url as well.
I halfheartedly filled in some obscene words to send, however so much data was asked for in particular ways that I never could validate the screen for sending without carefully crafting a reply ( I was cutting and pasting) so I aborted instead.
And in the end, the love you take is equal to the love you make
I wonder if it is possible to automatically spider for suspicious sites with images and logos from financial institutions that don't belong there? They could be shut down almost before the scam gets started.
My rights don't need management.
Damn,
Even with an equal share for each site...that is almost 9 million dollars per site. If I got in last year, I would have been almost 20 million richer.
Ah, if only I knew and got into phishing last year.
So you set up a bunch of systems that capture tons of spam emails. Catch-alls on various domain names, publish the domain names in public along with email addresses (websites, newsgroups, etc).
After your stupid phishing scams hit, eBay, Suntrust, Citibank, Paypal and BOA start hitting them with a few marked accounts. These marked accounts are set up with the purpose of dropping the information to the phishing scam people.
From that point, the phishing scammers will try to use this information for their benefit. At that point, it should be easier to build a path back to them.
That would require effort, it's easier for the banks to tack another dollar onto ATM fees and write off the losses. Has anyone checked to see if banks are actually writing off these losses and reporting them to shareholders?
Just like spam emails, the money goes somewhere. Just follow the money.
Southeastern Virginia REPRESENT!
I received a very well done paypal phish recently. It was sent to my paypal email address (different from my ebay address and never used for anything else).
There was a link that claimed to go to:
https://scgi.ebay.com/saw-cgi/eBayISAPI.dll?RegisterEnterInfo
But mousing over revealed that it actually went to:
http://signin.ebay.com-ogi-bin.tk/_eBaydll.php
Note the com-ogi-bin.tk rather than com/cgi-bin
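The "claimed link vs. real link" check from this post, as an added example that is not part of the original post: it compares the host a mail shows with the host its href actually points to, using a crude last-two-labels rule (a real implementation would use the Public Suffix List). The legitimate eBay URL used for contrast is constructed.

```python
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' rule; real code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_mismatch(shown_url: str, real_url: str):
    """Compare the URL a mail displays (link text or status-bar claim) with
    the href it really carries. Returns a reason when they disagree, else None."""
    shown, real = urlparse(shown_url), urlparse(real_url)
    # .hostname strips any user:pass@ prefix and the port, so a URL such as
    # http://bank.example@1.2.3.4/ is compared as 1.2.3.4, not bank.example
    shown_host, real_host = shown.hostname or "", real.hostname or ""
    if not shown_host or not real_host:
        return "could not parse a host from one of the URLs"
    if registrable_domain(shown_host) != registrable_domain(real_host):
        return f"text claims {shown_host} but link goes to {real_host}"
    if shown.scheme == "https" and real.scheme != "https":
        return f"text claims https but link uses {real.scheme or 'no scheme'}"
    return None


# The pair quoted in the post above, plus a constructed legitimate pair for contrast.
EBAY_PHISH = ("https://scgi.ebay.com/saw-cgi/eBayISAPI.dll?RegisterEnterInfo",
              "http://signin.ebay.com-ogi-bin.tk/_eBaydll.php")
EBAY_OK = ("https://signin.ebay.com/ws/eBayISAPI.dll",
           "https://signin.ebay.com/ws/eBayISAPI.dll")

if __name__ == "__main__":
    for shown, real in (EBAY_PHISH, EBAY_OK):
        print(real, "->", link_mismatch(shown, real) or "consistent")
```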
Most phishing sites link you into your bank's website at some point or include graphics directly from them. Banks should carefully monitor their image referrers and investigate when they all of the sudden have a high number from http://citibank.com@1.2.3.4/.
Another thing to do is to hack the phishing sites. Phishers are typically terrible coders. This means that many standard web attacks can be used to divulge information about them. Even if the site is hosted in a remote nation, they typically forward information elsewhere. Typically they rely on javascript to check for valid input. Disabling javascript and adding some extra ' and " can sometimes give you a PHP error which will also dump the host name of their mysql server, sometimes it's hosted on a US site. Another simple attack is to save the form, edit the form target to be absolute, and then experiment with the hidden values in the data. Typically they do not check to make sure id fields are numeric before creating sql strings out of them. Adding a letter to a numeric id field or using -1 instead can sometimes cause a phishing site to dump useful debug information.
Typically if one of these phishing emails slips by spamassassin I'll try to hack it and forward information to the banks and ISPs involved. I have yet to receive a response, so I assume they either don't care or are way ahead of me. I would think if they were ahead of me they would take less than 10 hours to shut the site down however.
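The image-referrer monitoring suggested at the start of this post, as an added example that is not the poster's code: it scans web server log lines in the Apache "combined" format and counts logo requests whose referrer is not one of the bank's own pages, so a burst from one unknown host stands out. The domain, IPs and log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed: our own site; hotlinks of our graphics from anywhere else are worth a look.
OWN_DOMAIN = "citibank.com"

# Apache/nginx "combined" format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} \S+ "(?P<ref>[^"]*)" "[^"]*"$')


def foreign_referrers(log_lines, own_domain=OWN_DOMAIN):
    """Count, per referring host, the requests whose referrer is not one of our
    own pages. Many hits from a single unknown host is the signal the comment
    describes: a phishing page hotlinking our logos and images."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref in ("", "-"):
            continue  # direct request, or a browser that sends no referrer
        host = urlparse(ref).hostname or ""
        # .hostname discards a user@ prefix, so http://citibank.com@1.2.3.4/ is attributed to 1.2.3.4
        if host == own_domain or host.endswith("." + own_domain):
            continue
        counts[host] += 1
    return counts


# Constructed sample: two hits from our own login page, two from a lookalike page
# on 1.2.3.4 using the user@host trick quoted in the comment, one direct request.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Nov/2004:10:01:22 -0500] "GET /images/logo.gif HTTP/1.1" 200 4312 "https://www.citibank.com/login" "Mozilla/4.0"',
    '10.0.0.6 - - [07/Nov/2004:10:01:25 -0500] "GET /images/logo.gif HTTP/1.1" 200 4312 "https://www.citibank.com/login" "Mozilla/4.0"',
    '10.0.0.7 - - [07/Nov/2004:10:02:01 -0500] "GET /images/logo.gif HTTP/1.1" 200 4312 "http://citibank.com@1.2.3.4/login.php" "Mozilla/4.0"',
    '10.0.0.8 - - [07/Nov/2004:10:02:09 -0500] "GET /images/logo.gif HTTP/1.1" 200 4312 "http://citibank.com@1.2.3.4/login.php" "Mozilla/4.0"',
    '10.0.0.9 - - [07/Nov/2004:10:02:40 -0500] "GET /images/logo.gif HTTP/1.1" 200 4312 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for host, n in foreign_referrers(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {host}")
```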
I personally have a bet that, if Firefox gets popular, hackers will start using its open source nature to phish Firefox itself.
I.e., they'll hand out fake Firefox download links in e-mails or HOST file hack mozilla.org. Then, when you download, you get Firefox - plus add-on code that sniffs your keystrokes or credit card numbers.
Mind you, this has been my big problem with using Firefox from the beginning: the distribution might contain that kind of thing anyway. At least MS, with their existing millions, are unlikely to be interested in my card number.
I too have been getting quite a few more of these lately, but there is a pretty easy way to combat them:
If you receive an email about company bla bla bla, needing bla bla bla, open your browser and :::type::: the known, valid address in and see if they mention it. If you're still curious...call.
It's really that simple folks.
-Chris
--an unbreakable toy is useful for breaking other toys--