Phishing In The Channel
Rick Zeman writes "A Washington Post story details the relationships between phishers, IRC, plug-and-play phishing toolkits, and phantom web sites. 'For the past few months we've started to see phishing attacks from subcontractors, people who buy and use ready-made phishing toolkits and e-mail lists,' Orad said. 'It's gotten to the point where you don't need to know anything about spamming or computer programming to pull this off.'"
Now we have phishkiddies
It's gotten to the point where you don't need to know anything about spamming or computer programming to pull this off.'
So phishing is just as easy as using Windows... Think about it.
Now people who know nothing about ripping people off can rip off people who know nothing about being ripped off.
There was a system crash this month. You may have noticed our system has been running slowly. If you are receiving this email, we have lost some of the information for your account. Please click on the following link and fill in all of your information to make sure your account does not get suspended. We appreciate your time, and sorry for the trouble. Click here to fill in your info! Your friends, at Ebay/PayPal.
So, this is nothing new and people are still naive. Hopefully, though, the more it hits people's back pocket, the more savvy they will get.
DAMN YOU OCTODOG! DAMN YOU TO HELL!
www.secure-ebay-transactions.ru is NOT ebay.
You have been warned.
Sincerely,
The Internet.
IRC is like a communication medium; it's irrelevant in this discussion. As irrelevant as telephones being 'used' by thieves to communicate. Holding IRC responsible is pointless.
While it has become easier for phishers (and now apparently nonphishers) to prey upon mom and pop internet surfer, it still comes down to personal security. Mom and pop internet surfer won't give their ATM pin or their credit card number to a guy on the street but for some reason, the authority of the Internet removes those safeguards.
Next time you see your parents or someone who is a likely phishing candidate, please, don't roll your eyes. Warn them and try to explain the difference.
-Teiresias
1. Give customers a secureID card
2. Have a phone number customers call to retrieve a pin. Have the website require the PIN to be entered before using the site.
Surely one or both of these ideas would cost less in the long run than thousands of dollars of fraudulent charges.
It amazes me that a few months after breaking up Phish is still as popular as ever. Damn you, hippies!
...small fry? Or Network Krillers?
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
...don't give them your credit card number.
I have been wondering when I would start to see these alternate character set domain names that you can get now play a role in this. You know, like someone registers cnn.com, but the c is not the latin character set c but one from another character set. Or something that almost looks like a c.
Then, without even hacking DNS, you can simply make someone or a group of people think that they are on cnn.com when they are really not. This could be used for things like fake news reports, etc. that make people panic.
Has anyone seen anything like this yet?
"I can't believe that people are allowed to do this kind of thing," she said. "Why can't [the authorities] do anything about this?"
The answer may be that the economics of online fraud -- which has such low start-up costs that luring only a few victims to divulge personal financial data can turn a huge profit for the perpetrator -- are so much in favor of the criminals that, at least for now, a continued increase in phishing activity is all but certain. "
Crime pays. News at 11. </cynicism>
"A witty saying proves nothing." ~Voltaire
"d'Oh!" ~Homer
Thanks, The Internet!
boom boom
This, along with the fact that a lot of botnets are IRC controlled, is one of the reasons I declared IRC verbotten on our LAN and am now using the bleeding-snort IRC rules. I know they won't catch all IRC traffic, but in my mind they are worth the extra cycles.
(S(SKK)(SKK))(S(SKK)(SKK))
Now we have phishkiddies
I prefer "Phish-sticks". No, wait...
I prefer to listen to Cheap Trick.
I want to drag this out as long as possible. Bring me my protractor.
Would someone mind explaining what a "phantom" web site is, as this term appears nowhere in TFA?
Also, why must people constantly refer to things as "plug-and-play" just because they work as soon as you run them? This is like calling a pair of eyeglasses plug-and-play because you don't need any special equipment to wear them...
I am scientifically inaccurate.
Many people complain about there not being enough cops on the street (unless they've just been pulled over), which, I've been informed, in my area is due to most calls being domestic disputes. Police don't have the time to catch all the burglars and bicycle thieves because someone is slapping someone else around (IMHO the first offense should land people in a cooler for at least a month.)
Regarding the agencies which should be chasing spammers and scammers, that's probably the FBI, which is too busy being reorg'd and chasing terrorist threats.
A feeling of having made the same mistake before: Deja Foobar
I was under the impression you didn't even need to know how to turn on a PC to be a spammer. Slip the first guy a grand or two and promise him 5% of the profits, set up a bank account and you're done.
I mean you're already breaking the law with spam, why pass on a little fraud too?
I like muppets.
"I can't believe that people are allowed to do this kind of thing," she said. "Why can't [the authorities] do anything about this?"
"Welcome to the world of information theft, ma'am". She should look carefully at her hard drive and take note of how many mp3 and mpeg files she has as she complains about theft. Perhaps she will take stock of any cavalier attitude she may have had regarding the protection of "online" property.
I don't support the abusive tactics that the RIAA and the MPAA use to secure information about thieves, but their initial reaction to file sharing was probably the same as this woman's.
"Rocky Rococo, at your cervix!"
Hello!
Well, here in Mexico there are some phishing scams; the most recent is a clone of our "Wall Street" (Bolsa Mexicana de Valores) where they asked you to make a "link" with your bank and, of course, they would grab your personal info. All the banks sent email and notices on their web pages, but for some reason people still fall for these scams; they can follow the instructions of the scam but can't follow the instructions from the bank.
I want my father and my sister safe, so I FORCE them to use Firefox and Linux, with Windows/IE only for pages where they can't navigate otherwise (there are some sites that can't even serve the page).
Anyway, the misinformation on securing the Internet is the problem; software won't do it. Take Internet Security: it's so annoying that the average person just disables it.
On the other hand, the average user can make trouble for companies that try to do something like this. For example, TELMEX, our phone company (it's a monopoly) and ISP (they have more than 60% of all internet users), gives you information about dangers on the web; they even give you an antivirus for free. But then average people install software (IE?) that dials out to long distance numbers, and the average user goes to PROFECO (consumer protection) and sues TELMEX because they can't control that.
So, what can a big company do? I'm not saying that TELMEX is doing its best, but how can you force users not to do stupid things? You tell them "Don't install software from untrusted parties", and that's exactly what they do, and then they sue?
What do we need so that people will listen? A government organization that handles this kind of security and passes laws to protect users and providers?
Average users won't listen, and so phishing will always be around the corner, just like viruses.
Got an email client which displays HTML email or launches a browser to handle it? I get many spoofs of paypal, ebay and various banks each day: HTML constructed to pull images from valid sources or a co-opted server somewhere in the world, which look exactly like the real thing, or close enough to the untrained eye, to fool you into entering account numbers, passwords, etc., which are actually intercepted and emailed to a box somewhere in the world. Phishers usually just hang around long enough to collect a few IDs and scram.
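The tell-tale signs the comment above describes (real images pulled from the brand's own site, a form or link that quietly goes somewhere else) can be checked mechanically before a mail is trusted. The following is an added example, not code from the article or from any commenter: it parses an HTML mail with the standard library and reports anchors whose visible text names a different host than the href, forms that post off the brand's domain, and the "genuine logo, foreign form" combination. The sample mail, the brand domain `bank.example` and the address 203.0.113.7 are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample: a mail that claims to be from bank.example, pulls the real
# logo from the bank's site, but posts the form and the login link to an IP the
# bank does not own (203.0.113.7 is a documentation address, not a real host).
SAMPLE_MAIL = """
<html><body>
<img src="https://www.bank.example/images/logo.gif">
<p>There was a system crash this month and we lost some of your account information.
Please confirm your details so your account is not suspended.</p>
<form action="http://203.0.113.7/cgi-bin/collect.php" method="post">
  Card number <input name="card"> PIN <input name="pin"> <input type="submit">
</form>
<a href="http://203.0.113.7/login">https://www.bank.example/login</a>
<a href="https://www.bank.example/help">Help</a>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect anchors (href plus visible text), form actions and image sources."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self.images = [], [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "form" and a.get("action"):
            self.forms.append(a["action"])
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def same_org(host, brand_domain):
    """True if host is the brand's domain or a subdomain of it."""
    return host == brand_domain or host.endswith("." + brand_domain)

# Something that looks like a URL or bare domain in the visible link text.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)

def audit_html_mail(html, brand_domain):
    """Return (kind, visible_text, target) findings for a mail claiming to be from brand_domain."""
    p = LinkCollector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        m = DOMAIN_RE.search(text)
        if m and m.group(1).lower() != host_of(href):
            # The text shows one host while the link really goes to another.
            findings.append(("link-text-mismatch", text, href))
        elif not same_org(host_of(href), brand_domain):
            findings.append(("offsite-link", text, href))
    for action in p.forms:
        if not same_org(host_of(action), brand_domain):
            # Whatever is typed into the form leaves the brand's domain.
            findings.append(("offsite-form", "", action))
    if p.images and p.forms and all(same_org(host_of(s), brand_domain) for s in p.images) \
            and any(not same_org(host_of(f), brand_domain) for f in p.forms):
        # Genuine branding borrowed from the real site, credentials sent elsewhere.
        findings.append(("brand-images-offsite-form", "", ",".join(p.forms)))
    return findings

if __name__ == "__main__":
    for kind, text, target in audit_html_mail(SAMPLE_MAIL, "bank.example"):
        print(f"{kind:28} {text!r:40} -> {target}")
```

The check is deliberately conservative: a link whose text is a plain word ("Help") pointing at the brand's own domain raises nothing, so the findings list is empty for an honest mail and non-empty for the constructed spoof.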
A feeling of having made the same mistake before: Deja Foobar
I wonder if i could phish for credit card details by sending out email advertising my ub3r l33t ph1$in kit.
Wonder if they'd fall for it, or if the average phisher is just as stupid as the phish.
Online carder sites and IRC channels also offer phishing tutorials and lists of so-called "cardable" Web sites that allow the buyer to bill items bought with stolen cards to one address and ship them to another.
Why are there not systems in place to nab these guys when they pick up their purchased goods?
Or, is it that we cannot identify the fraud before the goods are already picked up from some anonymous P.O. Box?
It's the battle of the minds, and everyone's unarmed.
This isn't new at all.
There have been phishing kits available since 1996 at least.
You still need to know enough about money laundering and electronic transactions to not get caught!
-- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
[sorry, couldn't resist]
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Domain names must consist of only roman characters A-z, numbers 0-9 and hyphen -
Nothing else.
Right?
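The question in the comment above ("Domain names must consist of only roman characters ... Right?") and the earlier one about a cnn.com whose "c" comes from another character set are the same issue: internationalized domain names are carried on the wire as ASCII punycode labels (`xn--...`), so a look-alike name is perfectly registrable. The block below is an added example, not code from the article or any commenter; it shows the three checks a mail filter or browser would apply: convert the name to its wire form, look for labels from more than one script, and map a small, constructed table of Cyrillic/Greek look-alikes onto Latin to see whether the name "skeletons" to a known brand. The table is only a fragment of the real Unicode confusables data, and `cnn.com` is used simply because the thread mentions it.

```python
import unicodedata

# Constructed, deliberately small confusables map (Cyrillic/Greek letters that
# render like Latin ones); the real Unicode confusables table is much larger.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
}

def script_of(ch):
    """Rough script classification taken from the first word of the Unicode name."""
    if ch in "-.0123456789":
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def to_ascii(domain):
    """Return the wire form (punycode labels) that the resolver actually sees."""
    return domain.encode("idna").decode("ascii")

def skeleton(domain):
    """Map visually confusable characters onto their Latin look-alikes."""
    nfkc = unicodedata.normalize("NFKC", domain)
    return "".join(CONFUSABLES.get(ch, ch) for ch in nfkc)

def analyze_domain(domain, expected=None):
    """Return findings about a (possibly internationalized) domain name.

    expected: the brand domain the user believes they are visiting (optional)."""
    ascii_form = to_ascii(domain)
    scripts = {script_of(ch) for ch in domain} - {"COMMON"}
    findings = {
        "input": domain,
        "ascii_form": ascii_form,
        "is_idn": any(label.startswith("xn--") for label in ascii_form.split(".")),
        "mixed_script": len(scripts) > 1,
        "skeleton": skeleton(domain),
        "looks_like_expected": False,
    }
    if expected is not None:
        # Same skeleton but a different wire form is the homograph case.
        findings["looks_like_expected"] = (
            skeleton(domain) == skeleton(expected)
            and ascii_form != to_ascii(expected)
        )
    return findings

if __name__ == "__main__":
    for name in ["cnn.com", "\u0441nn.com"]:          # second one: Cyrillic es + "nn"
        r = analyze_domain(name, expected="cnn.com")
        print(f"{name!r:14} wire={r['ascii_form']:18} idn={r['is_idn']} "
              f"mixed={r['mixed_script']} homograph={r['looks_like_expected']}")
```

Note that a name written entirely in one non-Latin script is not "mixed", so the skeleton comparison against the brand the user expects is the check that actually catches a whole-word look-alike.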
Listen to this one then; you open a company called the Arse Tickler's Faggot Fan Club. You take an advert in the back page of some gay mag, advertising the latest in arse-intruding dildos, sell it a bit with, er... I dunno, "does what no other dildo can do until now", latest and greatest in sexual technology. Guaranteed results or money back, all that bollocks. These dills cost twenty-five each; a snip for all the pleasure they are going to give the recipients. They send a cheque to the company name, nothing offensive, er, Bobbie's Bits or something, for twenty-five. You put these in the bank for two weeks and let them clear. Now this is the clever bit. Then you send back the cheques for twenty-five pounds from the real company name, Arse Tickler's Faggot Fan Club, saying sorry, we couldn't get the supply from America, they have sold out. Now you see how many of the people cash those cheques; not a single soul, because who wants his bank manager to know he tickles arses when he is not paying in cheques!
Zagreus sits inside your head, Zagreus lives among the dead, Zagreus sees you in your bed and eats you in your sleep.
Of course online fraud doesn't end with merely collecting credit card numbers.
: : :
:)
Next, a network of ill-doers must convert this stolen cash into something much less traceable. They enlist the help of folk running a variety of instant messaging programs.
Why, just this morning I received this gem on ICQ:
268-919-230 (9:13 AM)
Hi there! where you disappeared?!
268-919-230 (9:13 AM)
yes, I haven't been here for long, too - was busy working on Alfa Trans
268-919-230 (9:14 AM)
by the way, I'd recommend you to check it, too. You can find company url in my about info.
The URL in this guy's (bot's) info is http://www.alfa-trans.com which appears to be an elaborate money laundering and courier service masquerading as a legit business. They "hire" "managers" to distribute this stolen stuff around the globe and pay them a percentage of runs completed, or money transferred. Very crafty, and sometimes very appealing to the poor college student who has no balls to apply for a local McJob.
Of course the joke's on the hapless student when the guys in black suits come a'knockin'.
Greed will always prevail, and I feel that it will be impossible to educate everyone about this kind of stuff... after all, as long as one or two suckers buy into every mass mailing, spam will continue, because there's money to be made.
Does anyone know of any type of employment I could pursue involving tracking online fraud? It fascinates me immensely.
What kind of news is this?? It doesn't take any computer skill to type an e-mail that asks for a username/password combination. It takes very little skill to use IE (assuming Windoze script kiddies here) to download an entire webpage, then upload it to a server or use DynDNS to use the one at home. I guess it might take 10 minutes of learning PHP/MySQL to learn how to get POST information, maybe another 10 minutes to learn how to randomly generate characters and use the Mail() function. Let's say another 20 minutes (doubtful) to learn how to set up Apache, then 5 minutes to do it. For fun, let's add in a fudge factor of 15 minutes for other small installs. So one hour of work = zero to phishing. I suppose if someone was totally clueless they might need a toolkit to do this, but my guess is any binary toolkit has a backdoor in it and a user really would have to be dumb to use it. Just my $0.02
Just about any financial transaction -- Internet or meatspace -- involves entities beyond just one county or city. However, the local police have jurisdiction in just one county/city, and will only reluctantly take a police report so you can have it on record and will just about never investigate.
If you're lucky to have all entities (buyer, seller, intermediaries, banks, lease servicer, escrow service, etc.) reside in one U.S. state, you might be able to get the state police involved if the dollar amount is, say, $2000. Otherwise, if entities are spread across multiple states, it becomes the jurisdiction of the FBI, which will not get involved unless it's tens of thousands of dollars, as they are "busy catching terrorists."
9/11 and the Internet together have made what was already a problem -- the FBI being ostensibly responsible for tracking but never actually going after small financial crimes -- into a free-for-all for common thieves. The message to thieves is: come and get it, because you won't get prosecuted even if the victim knows who you are.
The large entities -- national banks and credit card companies -- don't care. It's just a line item for them as the cost of doing business. However, individual victims bear the burden of general fear of the next attack plus the extra paperwork (it's estimated that an identity theft incurs a burden of 160 hours of paperwork upon the victim).
A society with no prosecution for theft is a society on the brink of anarchy.
They're not phishkiddies, they're phish-heads.
"Phish-heads
rolly polly phish-heads,
phish-heads, phish-heads,
eat 'em up yuummmmmmmmmmm
phish-heads in tha morning
phish-heads in the morning,
phish-heads in your soup! "
...as quoted from Lock, Stock and Two Smoking Barrels (1998).
Thank you for telling me. I don't usually click on links, but since you're from Ebay/PayPal, I trust you, and will send you the information you requested.
Though there doesn't seem to be a reason to add the "[example.com]" when someone links a URL with ""
This post written under Gentoo-linux with an SCO IP license.
You surely don't refer to THIS, do you?
The correct url is:
www.secure-ebay-transactions.ru.stupid
Marcus Sachs, a former cyber-security adviser to the White House who now directs the Bethesda, Md.-based SANS Internet Storm Center, said that if the information posted by the IRC channel operators is legitimate, then they are likely working with people on the inside at the major credit card issuers.
But Sachs said he suspects that by "verifying" credit card information posted by other chat room members, those running the IRC channels are more interested in scamming the phishers. "As evil as it all sounds, the people who know what they're doing in this area operate their phishing scams like a business," Sachs said. "They learn from their mistakes, they outsource, they consolidate, and they cut costs by automating things. But most of all, they profit by any means available."
...because you never know who you're dealing with.
419.fcd@usss.treas.gov and UCE@FTC.GOV are two good e-mail addresses to use. Also explain how you think the scammer got your personal information, i.e. which company you signed up that ended up selling your info. Also, give the full source message of the e-mail.
Hey there, I am interested in the site you have in your sig - could you email me at niloc132@spymac.com so i could ask you about it? thanks much!
I recently had some homeless fellow steal my trash before garbage day. Normally this wouldn't concern me, but one of the bags was full of credit card receipts that I was not able to shred because my shredder stopped working. Many merchants here in Canada still print the full credit card number on the receipt, so I thought it would be best if I canceled the card. I called up my bank manager and somehow we got to talking about phishing. She told me that there is an inverse correlation between the frequency of armed bank robberies and incidents of money stolen through successful phishing scams. I googled for some web site with this information, but could not find anything. Apparently bank robbers are starting to realize that it is easier to phish than to rob a bank. I think it is going to get much worse before it starts getting better.
That's the point at which it becomes clear that phishing (or anything else) isn't a computer problem, but a people problem, or a banking/business/whatever problem. Though computers might offer some tech solutions. But tech solutions dialectically bring their own new tech problems - which are usually really still people problems. That's why we have laws, police and courts. Engineers just work for them, on these problems. Those law nerds have to take the blame when the problems don't stop.
--
make install -not war
It's easy for consumers to buy. It's easy for a retailer to set up a recurring charge. The sales process involves only the retailer.
There are many other ways this could work. When you attempted to buy something online, your bank would contact you in some online way, showing you the transaction details and requiring you to confirm them. Preferably using a hardware authentication token. That would bring online credit card fraud to a dead stop.
It would put a bank/consumer interaction in every sale. No more "One Click" purchases. It would also kill "automatic renewal" of services. Retailers would hate it.
Technically, what's needed is a very user friendly token. Something like a keyless entry remote. But there's no easy way to interface such a thing to the existing installed base of computers.
One way MS could suddenly make explorer half decent is to integrate some smartcard authentication system in which a user supplied smartcard is needed to log in to banks and optionally for card purchases.
If you live in a country with smartcard-on-visa (most of EU, I think), all you need is a card reader, which costs a few $ at most (it's just a variant of a serial port and a new connector). For the US, you can have USB keys which contain a smartcard.
The banks have to play in this; they need to give all their users the smartcards or USB equivalents, and encourage you to use it for login/purchase.
If MS won't do it for the masses, we could do it in mozilla for the few, but it'll be harder to get the broad bank/vendor support we need.
[no text I say]
http://shit.slashdot.org/article.pl?sid=05/01/18/1832240
While there's been plenty of talk about responsible protection of one's personal data (being careful about supplying information to an online site, for example), it sure seems like there are two areas of responsibility that are being overlooked.
First, it's about time for the financial services industry to step up and take responsibility for designing a payment infrastructure that can accommodate the current threat environment. A sixteen-digit reusable number isn't the answer, even when coupled with real-time billing address and CVV2 tests. Payments need to be authorized individually by the accountholders, and these authorizations need to be tied to a specific date, time, merchant, and amount (or in the case of recurring payments, a time span, number of payments, and maximum aggregate amount). In this scheme, leakage of an account number doesn't connote authorization for payment--and leakage of a payment authorization doesn't enable re-use by others.
It will be hugely difficult and very expensive to make this change, of course, as it involves replacing a great deal of infrastructure. But ultimately it will be required due to the simplicity of fraud using today's technology. It's gotten to the point where most of the difficulty and expense isn't the technology for payment authorization; it's instead the cost associated with the changeover itself and with retraining consumers and merchants.
So, from where I sit, it looks like the costs of fraud being absorbed by the financial services industry (and, of course, being passed on to consumers in the form of higher fees) aren't being offset by a decrease in the eventual cost of making the system secure. It's time for the financial services community to take responsibility, then: accept the fact that it will be difficult and expensive to make the change, but also accept its necessity and inevitability.
Second, it's time for the users of Internet connections to take responsibility for the devices they connect. While I'm sympathetic to the fact that grandma probably isn't a PC administrator, and isn't aware that her machine was 0wn3d two years ago and has been a spam zombie ever since, I don't think we as an Internet-age society should simply absolve users of any responsibility for the health of their machines. One reasonable parallel is a burglar alarm. In the locality where I live, you're allowed one or two false alarms per year, then you start racking up fines. This makes sense to me: it's not good to penalize the innocent and ignorant unwittingly, but those that continue to consume resources (in this case, police time) are given an economic incentive to improve their infrastructure. It would have to be done carefully, but treating long-term spam zombies as civil infractions might provide the incentives necessary for users (and, of course, the vendors that serve them) to improve their security profile. Just as with the institutional changes in the financial services arena discussed above, this would be really difficult to do, particularly given the borderless nature of the Internet. But I'm not sure that difficulty is a good enough reason to avoid requiring computer owners to take reasonable responsibility for their use.
Thoughts and constructive criticism are welcome.
Phil
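Phil's first point, and the earlier comment about the bank confirming each online purchase with a hardware token, describe the same design: an authorization that is bound to one merchant, one amount and one time window, so that a leaked account number authorizes nothing and a captured authorization cannot be replayed. The block below is an added example and not code from the article, from Phil, or from any real card network; it models the idea with an HMAC computed by the accountholder's token over (account, merchant, amount, time, nonce) and an issuer that checks the binding, the time window and single use. The account number, merchant names and 300-second window are constructed values.

```python
import hashlib
import hmac
import json
import secrets
import time

class Issuer:
    """Constructed model of a card issuer that honours only per-transaction
    authorizations bound to merchant, amount and time (not any real scheme)."""

    WINDOW_SECONDS = 300          # assumption: an authorization is valid for five minutes

    def __init__(self):
        self.keys = {}            # account number -> per-account secret key (lives in the token)
        self.seen = set()         # nonces already spent, for replay protection

    def enrol(self, account):
        self.keys[account] = secrets.token_bytes(32)
        return self.keys[account]

    @staticmethod
    def _message(account, merchant, amount_cents, issued_at, nonce):
        # Canonical encoding of everything the authorization is bound to.
        return json.dumps([account, merchant, amount_cents, issued_at, nonce],
                          separators=(",", ":")).encode()

    def authorize(self, account, merchant, amount_cents, issued_at, nonce, tag, now=None):
        now = time.time() if now is None else now
        key = self.keys.get(account)
        if key is None:
            return "unknown account"
        expected = hmac.new(key, self._message(account, merchant, amount_cents, issued_at, nonce),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "bad authorization"     # forged, or merchant/amount/time altered
        if not (issued_at <= now <= issued_at + self.WINDOW_SECONDS):
            return "expired"
        if nonce in self.seen:
            return "replayed"
        self.seen.add(nonce)
        return "approved"

class Token:
    """The accountholder's device: it signs one specific payment and nothing else."""

    def __init__(self, account, key):
        self.account, self.key = account, key

    def sign(self, merchant, amount_cents, now=None):
        issued_at = int(time.time() if now is None else now)
        nonce = secrets.token_hex(16)
        tag = hmac.new(self.key, Issuer._message(self.account, merchant, amount_cents, issued_at, nonce),
                       hashlib.sha256).digest()
        return dict(account=self.account, merchant=merchant, amount_cents=amount_cents,
                    issued_at=issued_at, nonce=nonce, tag=tag)

def demo():
    """Walk through the cases the comment cares about; returns the issuer's verdicts."""
    account = "4111-0000-0000-0000"                      # constructed, not a real card
    issuer = Issuer()
    token = Token(account, issuer.enrol(account))
    results = {}

    auth = token.sign("shop.example", 2500, now=1000)    # $25.00 at one merchant
    results["genuine"] = issuer.authorize(**auth, now=1010)
    results["replay"] = issuer.authorize(**auth, now=1020)   # same authorization presented twice

    # Someone who captured the authorization changes merchant and amount.
    stolen = dict(auth, merchant="thief.example", amount_cents=99900, nonce=secrets.token_hex(16))
    results["tampered"] = issuer.authorize(**stolen, now=1030)

    # Knowing only the account number (no token key) yields no usable authorization.
    forged = dict(account=account, merchant="shop.example", amount_cents=100,
                  issued_at=1000, nonce="0" * 32, tag=b"\0" * 32)
    results["number_only"] = issuer.authorize(**forged, now=1040)

    late = token.sign("shop.example", 2500, now=1000)
    results["expired"] = issuer.authorize(**late, now=5000)  # presented long after the window
    return results

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:12} -> {verdict}")
```

The recurring-payment variant Phil mentions (a span, a count and a maximum aggregate) fits the same shape: the token signs the mandate's limits instead of a single amount, and the issuer keeps a running count and total per nonce rather than a spent/unspent bit.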
Actually, this reminds me.... Not too long ago, I was on Undernet IRC chat and out of boredom, requested the complete list of active channels. A couple channels caught my attention as being places to actively trade (or buy/sell) credit card numbers. I forget the exact channel names right now, but I suppose they may change names every so often to avoid detection anyway? They were named something like #ccard though...
The slightly scary part is, they seemed to be populated with at least 50 or 60 users each. Even if these were mostly just "bots", it still surprised me that this activity could be carried on this blatantly in a public chat room. I guess the authorities are still focused too strictly on "the web" and haven't fully realized what goes on in other areas of the net.
In most cases, the operator responds instantaneously with the requested data, notifying the poster whether the card is still active, its spending limit...
The author of the article doesn't seem to understand the concept of bots operating channels too well...
Do you know how SecurID works? Same here, only you don't need to type the code. Just push the button on your token.
Phishing is so microsoft now...
"(fishing) (n.) The act of sending an e-mail [...]"
http://www.webopedia.com/TERM/p/phishing.html
Phishing was always social engineering rather than programming. It's more like phoning up and asking for the password while posing as someone you're not, than poking holes in the Operating System.
Environmentalism is the new Victorianism. Everyone ties on a green corset and pretends we're virtuous.
Anybody remember this (I doubt there are many AOL users here, but maybe). It was a collection of utilities to mess with AOL like a tool to spam chat rooms, a way to fake like you are someone else in a chat room, and a phishing tool to send an IM to everyone in the chat room that said something along the lines of "I am an administrator. Please verify your password." You would be amazed at the number of people who would respond with a password. I now realize how much of an a**hole I was being by using clueless people's accounts, but back then it was just good fun...I think there are still newer versions of AOHell out there, but I got off AOL a long time ago so I don't know if it's really much of a problem anymore.
ya just gotta be careful - like everything in life