Phishing In The Channel
Rick Zeman writes "A Washington Post story details the relationships between phishers, IRC, plug-and-play phishing toolkits, and phantom web sites. 'For the past few months we've started to see phishing attacks from subcontractors, people who buy and use ready-made phishing toolkits and e-mail lists,' Orad said. 'It's gotten to the point where you don't need to know anything about spamming or computer programming to pull this off.'"
Now we have phishkiddies
It's gotten to the point where you don't need to know anything about spamming or computer programming to pull this off.'
So phishing is just as easy as using Windows... Think about it.
Now people who know nothing about ripping people off can rip off people who know nothing about being ripped off.
There was a system crash this month. You may have noticed our system has been running slowly. If you are receiving this email, we have lost some of the information for your account. Please click on the following link and fill in all of your information to make sure your account does not get suspended. We appreciate your time, and sorry for the trouble. Click here to fill in your info! Your friends, at Ebay/PayPal.
So, this is nothing new and people are still naive. Hopefully, though, the more it hits people's back pocket, the more savvy they will get.
DAMN YOU OCTODOG! DAMN YOU TO HELL!
www.secure-ebay-transactions.ru is NOT ebay.
You have been warned.
Sincerely,
The Internet.
IRC is like a communication medium, it's irrelevant in this discussion. As irrelevant as telephones being 'used' by thieves to communicate. Holding IRC responsible is pointless.
While it has become easier for phishers (and now apparently nonphishers) to prey upon mom and pop internet surfer, it still comes down to personal security. Mom and pop internet surfer won't give their ATM pin or their credit card number to a guy on the street but for some reason, the authority of the Internet removes those safeguards.
Next time you see your parents or someone who is a likely phishing candidate, please, don't roll your eyes. Warn them and try to explain the difference.
-Teiresias
It amazes me that a few months after breaking up Phish is still as popular as ever. Damn you, hippies!
...small fry? Or Network Krillers?
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I have been wondering when I would start to see these alternate character set domain names that you can get now play a role in this. You know, like someone registers cnn.com, but the c is not the latin character set c but one from another character set. Or something that almost looks like a c.
Then, without even hacking DNS, you can simply make someone or a group of people think that they are on cnn.com when they are really not. This could be used for things like fake news reports, etc. that make people panic.
Has anyone seen anything like this yet?
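A defender-side check for the lookalike registration described in the post above, as an added example that is not part of the original thread: it decodes a domain's `xn--` labels, flags labels that mix scripts, and flags names that render like a protected one. The `LOOKALIKES` table is a small illustrative subset, the script detection from character names is an approximation, and the sample domains are constructed.

```python
import unicodedata

# Small illustrative subset of Cyrillic/Greek letters that render like Latin
# ones. This is an assumption for the example, not Unicode's confusables data.
LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u03bf": "o",
}
SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC",
           "CJK", "HIRAGANA", "KATAKANA", "HANGUL")

# Constructed sample: "cnn.com" with a Cyrillic ES in place of the Latin c.
SPOOF = "\u0441nn.com"


def to_unicode(domain):
    """Decode ASCII-compatible (xn--) labels back to the characters a user sees."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep it as received
        labels.append(label)
    return ".".join(labels)


def to_ace(domain):
    """Encode non-ASCII labels the way they appear in DNS (xn-- plus punycode)."""
    out = []
    for label in domain.lower().split("."):
        if not label.isascii():
            label = "xn--" + label.encode("punycode").decode("ascii")
        out.append(label)
    return ".".join(out)


def script_of(ch):
    """Approximate a character's script from its Unicode name."""
    if ch.isdigit() or ch == "-":
        return None  # digits and hyphen are shared by all scripts
    name = unicodedata.name(ch, "")
    for script in SCRIPTS:
        if name.startswith(script):
            return script
    return "OTHER"


def check_domain(domain, protected=("cnn.com",)):
    """Report mixed-script labels and names that render like a protected name."""
    name = to_unicode(domain)
    mixed = []
    for label in name.split("."):
        scripts = sorted({s for s in map(script_of, label) if s})
        if len(scripts) > 1:
            mixed.append((label, scripts))
    # Fold known lookalikes to Latin and compare against the protected list;
    # this also catches spoofs written entirely in one non-Latin script.
    skeleton = "".join(LOOKALIKES.get(ch, ch) for ch in name)
    imitates = skeleton if skeleton != name and skeleton in protected else None
    return {
        "unicode": name,
        "mixed_script_labels": mixed,
        "imitates": imitates,
        "suspicious": bool(mixed or imitates),
    }


if __name__ == "__main__":
    for candidate in ("cnn.com", SPOOF, to_ace(SPOOF)):
        print(ascii(candidate), check_domain(candidate))
```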
"I can't believe that people are allowed to do this kind of thing," she said. "Why can't [the authorities] do anything about this?"
The answer may be that the economics of online fraud -- which has such low start-up costs that luring only a few victims to divulge personal financial data can turn a huge profit for the perpetrator -- are so much in favor of the criminals that, at least for now, a continued increase in phishing activity is all but certain. "
Crime pays. News at 11. </cynicism>
"A witty saying proves nothing." ~Voltaire
"d'Oh!" ~Homer
boom boom
This, along with the fact that a lot of botnets are IRC controlled, is one of the reasons I declared IRC verboten on our LAN and am now using the bleeding-snort IRC rules. I know they won't catch all IRC traffic, but in my mind they are worth the extra cycles.
(S(SKK)(SKK))(S(SKK)(SKK))
Would someone mind explaining what a "phantom" web site is, as this term appears nowhere in TFA?
Also, why must people constantly refer to things as "plug-and-play" just because they work as soon as you run them? This is like calling a pair of eyeglasses plug-and-play because you don't need any special equipment to wear them...
I am scientifically inaccurate.
Many people complain about there not being enough cops on the street (unless they've just been pulled over), which I've been informed in my area, is due to most calls are domestic disputes. Police don't have the time to catch all the burglars and bicycle thieves because someone is slapping someone else around (IMHO the first offense should land people in a cooler for at least a month.)
Regarding the agencies which should be chasing spammers and scammers, that's probably the FBI, which is too busy being reorg'd and chasing terrorist threats.
A feeling of having made the same mistake before: Deja Foobar
I was under the impression you didn't even need to know how to turn on a PC to be a spammer. Slip the first guy a grand or two and promise him 5% of the profits, set up a bank account and you're done.
I mean you're already breaking the law with spam, why pass on a little fraud too?
I like muppets.
Hello!
Well, here in Mexico there are some phishing scams; the most recent is the clone of our "Wall Street" (Bolsa Mexicana de Valores), where they asked you to make a "link" with your bank and, of course, they will grab your personal info. All the banks sent emails and notices on their web pages, but for some reason people still fall for those scams; they can follow the instructions of the scam but can't follow the instructions from the bank.
I want my father and my sister, I FORCE them to use Firefox and Linux, just Windows/IE for pages where they can't navigate (there are some sites that can't even serve the page).
Anyway, the misinformation on securing the Internet is the problem; software won't do it, like Internet Security, it's so annoying that the average person just disables it.
On the other hand, the average user can make trouble for companies that try to do something like this. For example, TELMEX, our phone company (it's a monopoly) and ISP (they have more than 60% of all internet users), gives you information about danger on the web; they even give you an antivirus for free. But then average people install software (IE?) that dials out to long distance phones, and the average user goes to PROFECO (consumer protection) and sues TELMEX because they can't control that.
So, what can a big company do? I'm not saying that TELMEX is doing its best, but how can you force users not to do stupid things? You tell them "Don't install software from untrusted parties" and that's what they do and they sue?
What do we need so the people can listen? A government organization that handles this kind of security and passes laws to protect users and providers?
Average user won't listen, and in that way the phishing will be around the corner, just like viruses.
Got an email client which displays HTML email or launches a browser to handle it? I get many spoofs of paypal, ebay and various banks each day, HTML constructed to pull images from valid sources or a coopted server somewhere in the world, which look exactly like or reasonable enough to the untrained to fool you into entering account numbers, passwords, etc., which are actually intercepted and emailed to a box somewhere in the world. Phishers usually just hang around long enough to collect a few ID's and scram.
A feeling of having made the same mistake before: Deja Foobar
I wonder if I could phish for credit card details by sending out email advertising my ub3r l33t ph1$in kit.
Wonder if they'd fall for it, or if the average phisher is just as stupid as the phish.
Online carder sites and IRC channels also offer phishing tutorials and lists of so-called "cardable" Web sites that allow the buyer to bill items bought with stolen cards to one address and ship them to another.
Why are there not systems in place to nab these guys when they pick up their purchased goods?
Or, is it that we cannot identify the fraud before the goods are already picked up from some anonymous P.O. Box?
It's the battle of the minds, and everyone's unarmed.
You still need to know enough about money laundering and electronic transactions to not get caught!
-- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
You get the idea. Not to mention that nobody will shop at a site that requires a secureID card number to be entered.
$7.95/mo, 200 GB disk, 2TBxfer, MySQL, PHP, RoR.
[sorry, couldn't resist]
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Domain names must consist of only roman characters A-z, numbers 0-9 and hyphen -
Nothing else.
Right?
Here in Holland online banking is almost that.
My bank card has a smart card on it, which not only can I use for "instant" money purchases at vending machines and such, but also as a security feature for my online banking.
You get a little device the size of a small calculator that you put the card in, punch in your pin code, and then enter an 8 digit number from the online banking web page (that you get after you sign in with your bank card number). The little gadget then returns a response code that you use to log in to your online banking.
So for someone to use your online banking, they not only require your pin, but they also have to physically have your bank card.
...don't give them your credit card number.
You know, this could work. Scam the phisher-wannabes!
Then again, they might just try to use a stolen credit card number to pay for their brand new ready-made phishing kit...
Sig cancelled due to lack of interest
Aye you, always wit da matches... You F*$Q my wife? You F*$Q my wife?
Given that a secureID license costs a pretty penny and the tokens cost a decent quantity of coin each, could you see a bank forking over the motza required to get their customers one of these? They wouldn't like paying for it? OK, what about their customers shelling out for that? I can't see them being too keen on it either.
Then again, being a technologically unimpaired user, I'd consider taking the option if it was available and would happily take the cost to get one.
It's the uneducated users that are the biggest problem in all respects.
Life is like a box of chocolates, you never know when you're gonna get food poisoning.
Listen to this one then; you open a company called the Arse Tickler's Faggot Fan Club. You take an advert in the back page of some gay mag, advertising the latest in arse-intruding dildos, sell it a bit with, er... I dunno, "does what no other dildo can do until now", latest and greatest in sexual technology. Guaranteed results or money back, all that bollocks. These dills cost twenty-five each; a snip for all the pleasure they are going to give the recipients. They send a cheque to the company name, nothing offensive, er, Bobbie's Bits or something, for twenty-five. You put these in the bank for two weeks and let them clear. Now this is the clever bit. Then you send back the cheques for twenty-five pounds from the real company name, Arse Tickler's Faggot Fan Club, saying sorry, we couldn't get the supply from America, they have sold out. Now you see how many of the people cash those cheques; not a single soul, because who wants his bank manager to know he tickles arses when he is not paying in cheques!
Zagreus sits inside your head, Zagreus lives among the dead, Zagreus sees you in your bed and eats you in your sleep.
Of course online fraud doesn't end with merely collecting credit card numbers.
:)
Next, a network of illdoers must convert this stolen cash into something much less traceable. They enlist the help of folk running a variety of instant messaging programs.
Why, just this morning I received this gem on ICQ:
268-919-230 (9:13 AM)
Hi there! where you disappeared?!
268-919-230 (9:13 AM)
yes, I haven't been here for long, too - was busy working on Alfa Trans
268-919-230 (9:14 AM)
by the way, I'd recommend you to check it, too. You can find company url in my about info.
The URL in this guy's (bot's) info is http://www.alfa-trans.com which appears to be an elaborate money laundering and courier service masquerading as a legit business. They "hire" "managers" to distribute this stolen stuff around the globe and pay them a percentage of runs completed, or money transferred. Very crafty, and sometimes very appealing to the poor college student who has no balls to apply for a local McJob.
Of course the joke's on the hapless student when the guys in black suits come a'knockin'.
Greed will always prevail, and I feel that it will be impossible to educate everyone about this kind of stuff... after all, as long as one or two suckers buy into every mass mailing, spam will continue, because there's money to be made.
Does anyone know of any type of employment I could pursue involving tracking online fraud? It fascinates me immensely.
You forgot to mod "off-topic".
Really? How so?
Identity theft has as much to do with the **AA's as bank robbing has to do with child abduction.
I consider my personal information to be personal property. The thief is using something that is "mine" as "their own".
Why is it referred to as "theft" if the stolen "stuff" isn't "property"?
What a bizarre lunge for the bandwagon, points for effort I guess.
Not really.
This woman had something stolen that belonged to her. Now that information is being shared online without her being able to do much about it.
The RIAA and MPAA represents artists (I didn't say represents "well") who have personal information (songs, movies) that are being shared online without them being able to do much about it.
Although the information contained in the bits and bytes is different in content, it is still stolen information.
"Rocky Rococo, at your cervix!"
And yes, I know I was generalising, but then again this is just "experience" talking here.
Life is like a box of chocolates, you never know when you're gonna get food poisoning.
Just between you and me, I wouldn't be buying any phishing kits with my own credit card :-)
Even easier method:
Register an E-mail address with the credit card company. When an on-line purchase is made, a verification mail is sent to you. Click on the link in the mail and the purchase goes through, otherwise call customer relations...
They're not phishkiddies, they're phish-heads.
"Phish-heads
rolly polly phish-heads,
phish-heads, phish-heads,
eat 'em up yuummmmmmmmmmm
phish-heads in tha morning
phish-heads in the morning,
phish-heads in your soup! "
...as quoted from Lock, Stock and Two Smoking Barrels (1998).
Thank you for telling me. I don't usually click on links, but since you're from Ebay/PayPal, I trust you, and will send you the information you requested.
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
Though there doesn't seem to be a reason to add the "[example.com]" when someone links a URL with ""
This post written under Gentoo-linux with an SCO IP license.
You surely don't refer to THIS, do you?
it might actually be profitable to banks who insure their users against online fraud (like halifax in the uk)
The correct url is:
www.secure-ebay-transactions.ru.stupid
Marcus Sachs, a former cyber-security adviser to the White House who now directs the Bethesda, Md.-based SANS Internet Storm Center, said that if the information posted by the IRC channel operators is legitimate, then they are likely working with people on the inside at the major credit card issuers.
But Sachs said he suspects that by "verifying" credit card information posted by other chat room members, those running the IRC channels are more interested in scamming the phishers. "As evil as it all sounds, the people who know what they're doing in this area operate their phishing scams like a business," Sachs said. "They learn from their mistakes, they outsource, they consolidate, and they cut costs by automating things. But most of all, they profit by any means available."
...because you never know who you're dealing with.
At what point in the article was there the slightest allusion to her being an illegal filesharer?
None. But you can bet that there are people sitting in their homes, complaining about being a victim of phishing, with thousands of dollars in music they didn't pay for.
Same difference
Contradiction.
And this immediately caused you to believe she was a file sharer and was therefore ignorant and morally devoid to make the comment quoted in the article?
Nope. I thought it strange that someone who had grown up in a culture that praises theft of personal property would be shocked at being a victim of personal property theft.
Get it?
Interesting.
It sure is boodaman.
It sure is.
"Rocky Rococo, at your cervix!"
You are forgetting the cost of all the people that will lose the card. Also, the cost to pay the op for people having to call. The best thing, in my opinion, is better education. If a program was available/required, or they have an information sheet when you get your new ATM card, bank account, what not, it would help to curb the fraudulent activity. I know most people are just naive, but, if you had the choice, take this class to be trained to not give your money away, or we won't give you fraud protection, so on and so forth. I know putting the burden on the shoulders of the consumer is not what people want. However, I should not have to pay higher bank fees and what not for others' willing ignorance.
Yes, SecureID costs a fair amount now, but I suspect more people than you think would be willing to pay for it. (I would have no problem paying $50/yr to know someone can't steal my CC number or PIN.) Not to mention the price would decrease if millions of Americans had one as opposed to the somewhat limited usage right now. And considering how many millions of dollars banks and credit companies lose to such scams, they might be getting to the point where it is cheaper to issue SecureIDs (or something similar) than lose the money due to ID thefts.
When somebody posts pirated serial numbers or cracks for my software, I am annoyed. When somebody stole my wallet, I was extremely pissed off. Taking money from somebody's bank account isn't on the same level as downloading an MP3, and I say this as somebody who makes a living writing software.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
Hey there, I am interested in the site you have in your sig - could you email me at niloc132@spymac.com so i could ask you about it? thanks much!
I recently had some homeless fellow steal my trash before garbage day. Normally this wouldn't concern me, but one of the bags was full of credit card receipts that I was not able to shred because my shredder stopped working. Many merchants here in Canada still print the full credit card number on the receipt, so I thought it would be best if I canceled the card. I called up my bank manager and somehow we got to talking about phishing. She told me that there is an inverse correlation between the frequency of armed bank robberies and incidents of money stolen through successful phishing scams. I googled for some web site with this information, but could not find anything. Apparently bank robbers are starting to realize that it is easier to phish than to rob a bank. I think it is going to get much worse before it starts getting better.
That's the point at which it becomes clear that phishing (or anything else) isn't a computer problem, but a people problem, or a banking/business/whatever problem. Though computers might offer some tech solutions. But tech solutions dialectically bring their own new tech problems - which are usually really still people problems. That's why we have laws, police and courts. Engineers just work for them, on these problems. Those law nerds have to take the blame when the problems don't stop.
--
make install -not war
Taking money from somebody's bank account isn't on the same level as downloading an MP3, and I say this as somebody who makes a living writing software.
Yes, but you are not the artist who lost the sale of a song.
"Rocky Rococo, at your cervix!"
Jeez, read the rest of my message. I am the programmer who lost the sale of a program. If you don't consider that to be equivalent, then I don't know what else to tell you, but it sure seems the same to me.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
It's easy for consumers to buy. It's easy for a retailer to set up a recurring charge. The sales process involves only the retailer.
There are many other ways this could work. When you attempted to buy something online, your bank would contact you in some online way, showing you the transaction details and requiring you to confirm them. Preferably using a hardware authentication token. That would bring online credit card fraud to a dead stop.
It would put a bank/consumer interaction in every sale. No more "One Click" purchases. It would also kill "automatic renewal" of services. Retailers would hate it.
Technically, what's needed is a very user friendly token. Something like a keyless entry remote. But there's no easy way to interface such a thing to the existing installed base of computers.
One way MS could suddenly make explorer half decent is integrate some smartcard authentication system in which a user supplied smartcard is needed to log in to banks and optionally for card purchases.
If you live in a country with smartcard-on-visa (most of EU, I think), all you need is a card reader, which costs a few $ at most (it's just a variant of a serial port and a new connector). For the US, you can have USB keys which contain a smartcard.
The banks have to play in this; they need to give all their users the smartcards or USB equivalents, and encourage you to use it for login/purchase.
If MS won't do it for the masses, we could do it in Mozilla for the few, but it'll be harder to get the broad bank/vendor support we need.
While there's been plenty of talk about responsible protection of one's personal data (being careful about supplying information to an online site, for example), it sure seems like there are two areas of responsibility that are being overlooked.
First, it's about time for the financial services industry to step up and take responsibility for designing a payment infrastructure that can accommodate the current threat environment. A sixteen-digit reusable number isn't the answer, even when coupled with real-time billing address and CVV2 tests. Payments need to be authorized individually by the accountholders, and these authorizations need to be tied to a specific date, time, merchant, and amount (or in the case of recurring payments, a time span, number of payments, and maximum aggregate amount). In this scheme, leakage of an account number doesn't connote authorization for payment--and leakage of a payment authorization doesn't enable re-use by others.
It will be hugely difficult and very expensive to make this change, of course, as it involves replacing a great deal of infrastructure. But ultimately it will be required due to the simplicity of fraud using today's technology. It's gotten to the point where most of the difficulty and expense isn't the technology for payment authorization; it's instead the cost associated with the changeover itself and with retraining consumers and merchants.
So, from where I sit, it looks like the costs of fraud being absorbed by the financial services industry (and, of course, being passed on to consumers in the form of higher fees) aren't being offset by a decrease in the eventual cost of making the system secure. It's time for the financial services community to take responsibility, then: accept the fact that it will be difficult and expensive to make the change, but also accept its necessity and inevitability.
Second, it's time for the users of Internet connections to take responsibility for the devices they connect. While I'm sympathetic to the fact that grandma probably isn't a PC administrator, and isn't aware that her machine was 0wn3d two years ago and has been a spam zombie ever since, I don't think we as an Internet-age society should simply absolve users of any responsibility for the health of their machines. One reasonable parallel is a burglar alarm. In the locality where I live, you're allowed one or two false alarms per year, then you start racking up fines. This makes sense to me: it's not good to penalize the innocent and ignorant unwittingly, but those that continue to consume resources (in this case, police time) are given an economic incentive to improve their infrastructure. It would have to be done carefully, but treating long-term spam zombies as civil infractions might provide the incentives necessary for users (and, of course, the vendors that serve them) to improve their security profile. Just as with the institutional changes in the financial services arena discussed above, this would be really difficult to do, particularly given the borderless nature of the Internet. But I'm not sure that difficulty is a good enough reason to avoid requiring computer owners take reasonable responsibility for their use.
Thoughts and constructive criticism are welcome.
Phil
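A sketch of the per-payment authorization scheme proposed in the post above, as an added example that is not part of the original thread: the account holder signs the merchant, amount ceiling, time window and payment count, and the issuer refuses anything outside those limits. It assumes a secret key shared between the holder's card or token and the issuer (a public-key signature would serve equally); every name, merchant and value in it is hypothetical.

```python
import hashlib
import hmac
import json
import secrets

# Every field that limits the authorization is covered by the MAC.
FIELDS = ("id", "merchant", "max_payments", "max_total_cents",
          "not_before", "not_after")


def _mac(key, auth):
    """HMAC-SHA256 over a canonical encoding of the limiting fields."""
    body = json.dumps([auth.get(f) for f in FIELDS],
                      separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def authorize(key, merchant, max_total_cents, not_before, not_after,
              max_payments=1):
    """Account holder's side: approve one payment or a bounded series.

    Times are epoch seconds. With max_payments=1 the authorization is for
    exactly max_total_cents; otherwise max_total_cents is the aggregate cap.
    """
    auth = {
        "id": secrets.token_hex(8),  # unique id so the issuer can track use
        "merchant": merchant,
        "max_payments": max_payments,
        "max_total_cents": max_total_cents,
        "not_before": not_before,
        "not_after": not_after,
    }
    auth["mac"] = _mac(key, auth)
    return auth


class Issuer:
    """Issuer's side: verify the authorization and enforce its limits."""

    def __init__(self, key):
        self.key = key
        self.usage = {}  # authorization id -> (payments made, cents charged)

    def charge(self, auth, merchant, amount_cents, now):
        presented = str(auth.get("mac", "")).encode()
        if not hmac.compare_digest(_mac(self.key, auth).encode(), presented):
            return "rejected: bad signature"
        if merchant != auth["merchant"]:
            return "rejected: wrong merchant"
        if not auth["not_before"] <= now <= auth["not_after"]:
            return "rejected: outside time window"
        if amount_cents <= 0:
            return "rejected: invalid amount"
        if auth["max_payments"] == 1 and amount_cents != auth["max_total_cents"]:
            return "rejected: amount differs from authorization"
        count, total = self.usage.get(auth["id"], (0, 0))
        if count >= auth["max_payments"]:
            return "rejected: payment count exhausted"
        if total + amount_cents > auth["max_total_cents"]:
            return "rejected: aggregate limit exceeded"
        self.usage[auth["id"]] = (count + 1, total + amount_cents)
        return "approved"


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed key for the demonstration
    issuer = Issuer(key)
    one_off = authorize(key, "books.example", 2500, 1000, 1600)
    print(issuer.charge(one_off, "books.example", 2500, 1200))  # first use
    print(issuer.charge(one_off, "books.example", 2500, 1300))  # replay
    print(issuer.charge(one_off, "other.example", 2500, 1300))  # leaked copy
```

A leaked authorization is only usable by the named merchant, for the signed amount, inside the window, and only until its payment count is used up, which is the property the post asks for.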
Actually, this reminds me.... Not too long ago, I was on Undernet IRC chat and out of boredom, requested the complete list of active channels. A couple channels caught my attention as being places to actively trade (or buy/sell) credit card numbers. I forget the exact channel names right now, but I suppose they may change names every so often to avoid detection anyway? They were names something like #ccard though...
The slightly scary part is, they seemed to be populated with at least 50 or 60 users each. Even if these were mostly just "bots", it still surprised me that this activity could be carried on this blatantly in a public chat room. I guess the authorities are still focused too strictly on "the web" and haven't fully realized what goes on in other areas of the net.
Something where you hold the token up to a barcode on the screen is more like it. Users would understand that as "signing" something.
In most cases, the operator responds instantaneously with the requested data, notifying the poster whether the card is still active, its spending limit...
The author of the article doesn't seem to understand the concept of bots operating channels too well...
So for someone to use your online banking, they not only require your pin, but they also have to physically have your bank card.
See, this attitude is the opening for crime. That's the *goal* of the fancy secure-token card, but that's not necessarily the result.
To get at the money in your online banking account, a bad guy doesn't need the card. He merely needs to convince you to type the confirmation code into a web site under his control. As long as he's prompt, he can still seize control of your bank account and send your money off.
Using a secure token like this doesn't eliminate the opportunity for phishing scams to work; it just requires more cleverness in doing them. That's a step forward for sure, but just a step.
Phishing is so microsoft now...
"(fishing) (n.) The act of sending an e-mail [...]"
http://www.webopedia.com/TERM/p/phishing.html
Phishing was always social engineering rather than programming. It's more like phoning up and asking for the password while posing as someone you're not, than poking holes in the Operating System.
Environmentalism is the new Victorianism. Everyone ties on a green corset and pretends we're virtuous.
Anybody remember this (I doubt there are many AOL users here, but maybe)? It was a collection of utilities to mess with AOL like a tool to spam chat rooms, a way to fake like you are someone else in a chat room, and a phishing tool to send an IM to everyone in the chat room that said something along the lines of "I am an administrator. Please verify your password." You would be amazed at the number of people who would respond with a password. I now realize how much of an a**hole I was being by using clueless people's accounts, but back then it was just good fun... I think there's still newer versions of AOHell out there, but I got off AOL a long time ago so I don't know if it's really much of a problem anymore.
Just supply the Western Union wire transfer information
Transaction number 10 digit
Secret Question such as "What is my favorite book?"
Secret Question Answer such as "Gone with the Wind"
Hint, your money will match the book title.
The truth shall set you free!
My bank (coutts) uses securid for online banking. I just laugh every time I get a phish-mail!
If you don't consider that to be equivalent, then I don't know what else to tell you...
I understand your position, but not *everyone* feels the same about this particular issue as you do.
"Rocky Rococo, at your cervix!"
ya just gotta be careful - like everything in life
$7.95/mo hosting, 2.4GB disk, 120GB
I take it you are one of them. Can you explain to me the difference between pirating an MP3 and pirating a piece of software and how it applies to this discussion?
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
Can you explain to me the difference between pirating an MP3 and pirating a piece of software
...and how it applies to this discussion?
I believe there is no difference. That was the point of my post.
The woman's comment made me think about how ironic it is that someone would feel defenseless against the onslaught of groups who use the internet to steal personal information, while they are simultaneously using the internet to steal personal property.
Whether you agree with my thesis or not, I would think you would agree that the **AA probably had the same reaction as the one I quoted at the start of this thread. I was extending the argument to make the point that this woman is probably just becoming aware of the risks involved in using the internet. Many of her generation have taken an unrealistic attitude about how the personal property of the **AA and the artists they represent are treated, at least in the realm of file sharing.
I don't think this is an unfair characterization. The people who trade files illegally are also often the victims of phishing expeditions. I don't pity those people who download music and movies from P2P networks and then get burned by electronic thieves. Their willingness to share copyrighted material means that they are already willing to break the law to serve their own personal interests. This is equivalent to people who deal drugs who subsequently get shot by competing drug dealers. The drug dealer should expect that getting shot is an occupational hazard for the lifestyle they have chosen.
And I do draw a distinction between the type of song trading that may go on between close friends and the exchange of personal mix CDs. These activities, I believe, are already covered under fair use doctrines. These fair use principles are being undermined, however, by large-scale file trading operations that have nothing to do with friends and colleagues trading movies and music.
"Rocky Rococo, at your cervix!"
The RIAA _want_ you to have that data. They run adverts telling you to get that data. They pay to _give_ you that data by having it played on the radio.
Yes, they do. But they don't engage in these activities in order to give it all away for free. They expect to make money from the exchange.
The RIAA *does* indeed want you to have the data. They just want you to *pay* for the data.
The remaining portion of your argument is based on a faulty premise and is, therefore, irrelevant.
"Rocky Rococo, at your cervix!"
And so we come full circle. I think you may have misunderstood my point, which was thus:
I have been the victim of both actual theft (bicycle, wallet, etc.) and copyright infringement (pirated serial numbers, cracked applications). I personally consider the former to be much, much worse than the latter. I don't believe that copyright infringement is anywhere near as bad as actual theft, and the fact that the theft takes place over the internet doesn't change a thing. I don't think that people who infringe on copyright, not even the ones who copy the things I have created and earn money on, deserve to be phished any more than anybody else.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!