Slashdot Mirror
Phishing In The Channel
Rick Zeman writes "A Washington Post story details the relationships between phishers, IRC, plug-and-play phishing toolkits, and phantom web sites. 'For the past few months we've started to see phishing attacks from subcontractors, people who buy and use ready-made phishing toolkits and e-mail lists,' Orad said. 'It's gotten to the point where you don't need to know anything about spamming or computer programming to pull this off.'"
Now we have phishkiddies
It's gotten to the point where you don't need to know anything about spamming or computer programming to pull this off.'
So phishing is just as easy as using Windows... Think about it.
Now people who know nothing about ripping people off can rip off people who know nothing about being ripped off.
There was a system crash this month. You may have noticed our system has been running slowly. If you are receiving this email, we have lost some of the information for your account. Please click on the following link and fill in all of your information to make sure your account does not get suspended. We appreciate your time, and sorry for the trouble. Click here to fill in your info! Your friends, at Ebay/PayPal.
So, this is nothing new and people are still naive. Hopefully, though, the more it hits peoples back-pocket then more savvy they will get.
DAMN YOU OCTODOG! DAMN YOU TO HELL!
www.secure-ebay-transactions.ru is NOT ebay.
You have been warned.
Sincerely,
The Internet.
IRC is like a communication medium, its irrelevant in this discussion. As irrelevant as telephones being 'used' by thiefs to communicate. Holding IRC responsible is pointless.
While it has become easier for phishers (and now apparently nonphishers) to prey upon mom and pop internet surfer, it still comes down to personal security. Mom and pop internet surfer won't give their ATM pin or their credit card number to a guy on the street but for some reason, the authority of the Internet removes those safeguards.
Next time you see your parents or someone who is a likely phishing canidate, please, don't roll your eyes. Warn them and try to explain the difference.
-Teiresias
It amazes me that a few months after breaking up Phish is still as popular as ever. Damn you, hippies!
...small fry? Or Network Krillers?
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I have been wondering when I would start to see these alternate character set domain names that you can get now play a role in this. You know, like someone registers cnn.com, but the c is not the latin character set c but one from another character set. Or something that almost looks like a c.
Then, without even hacking DNS, you can simply make someone or a group of people think that they are on cnn.com when they are really not. This could be used for things like fake news reports, etc. that make people panic.
Has anyone seen anything like this yet?
"I can't believe that people are allowed to do this kind of thing," she said. "Why can't [the authorities] do anything about this?"
The answer may be that the economics of online fraud -- which has such low start-up costs that luring only a few victims to divulge personal financial data can turn a huge profit for the perpetrator -- are so much in favor of the criminals that, at least for now, a continued increase in phishing activity is all but certain. "
Crime pays. News at 11. </cynicism>
"A witty saying proves nothing." ~Voltaire
"d'Oh!" ~Homer
boom boom
Dont forget to block port 80 too, a lot of scary stuff goes on there...
Many people complain about there not being enough cops on the street (unless they've just been pulled over), which I've been informed in my area, is due to most calls are domestic disputes. Police don't have the time to catch all the burglars and bicycle thieves because someone is slapping someone else around (IMHO the first offense should land people in a cooler for at least a month.)
Regarding the agencies which should be chasing spammers and scammers, that's probably the FBI, which is too busy being reorg'd and chasing terrorist threats.
A feeling of having made the same mistake before: Deja Foobar
Got an email client which displays HTML email or launches a browser to handle it? I get many spoofs of paypal, ebay and various banks each day, HTML constructed to pull images from valid sources or a coopted server somewhere in the world, which look exactly like or reasonable enough to the untrained to fool you into entering account numbers, passwords, etc., which are actually intercepted and emailed to a box somewhere in the world. Phishers usually just hang around long enough to collect a few ID's and scram.
A feeling of having made the same mistake before: Deja Foobar
You get the idea. Not to mention that nobody will shop at a site that requires a secureID card number to be entered.
$7.95/mo, 200 GB disk, 2TBxfer, MySQL, PHP, RoR.
Here in Holland online banking is almost that.
My bank card has a smart card on it, which not only can I use for "instant" money purchases at vending machines and such, but also as a security feature for my online banking.
You get a little device the size of a small calculator that you put the card in, punch in your pin code, and then enter an 8 didget number from the online banking web page (that you get after you sign in with your bank card number). The little gadjet then returns a response code that you use to log in to your online banking.
So for someone to use your online banking, they not only require your pin, but they also have to phyically have your bank card.
Of course online fraud doesn't end with merely collecting credit card numbers.
: : :
:)
Next, a network of illdoers must convert this stolen cash into something much less traceable. They enlist the help of folk running a variety of instant messenging programs.
Why, just this morning I received this gem on ICQ:
268-919-230 (9:13 AM)
Hi there! where you disappeared?!
268-919-230 (9:13 AM)
yes, I haven't been here for long, too - was busy working on Alfa Trans
268-919-230 (9:14 AM)
by the way, I'd recommend you to check it, too. You can find company url in my about info.
The URL in this guy's (bot's) info is http://www.alfa-trans.com which appears to be an elaborate money laundering and courier service masquerading as a legit business. They "hire" "managers" to distribute this stolen stuff around the globe and pay them a percentage of runs completed, or money transferred. Very crafty, and sometimes very appealing to the poor college student who has no balls to apply for a local McJob.
Of course the joke's on the hapless student when the guys in black suits come a'knockin'.
Greed will always prevail, and I feel that it will be impossible to educate everyone about this kind of stuff... after all, as long as one or two suckers buy into every mass mailing, spam will continue, because there's money to be made.
Does anyone know of any type of employment I could pursue involving tracking online fraud? It fascinates me immensely.
[an error occured while processing this directive]
Even easier method:
Register an E-mail address with the credit card company. When an on-line purchase is made, a verifiaction mail is sent to you. Click on the link in the mail and the purchase goes through, othervise call customer relations...
you'll look like less of a punk if you cite your references.
GET YOUR WEAPONS READY! --DR.LIGHT
Marcus Sachs, a former cyber-security adviser to the White House who now directs the Bethesda, Md.-based SANS Internet Storm Center, said that if the information posted by the IRC channel operators is legitimate, then they are likely working with people on the inside at the major credit card issuers.
But Sachs said he suspects that by "verifying" credit card information posted by other chat room members, those running the IRC channels are more interested in scamming the phishers. "As evil as it all sounds, the people who know what they're doing in this area operate their phishing scams like a business," Sachs said. "They learn from their mistakes, they outsource, they consolidate, and they cut costs by automating things. But most of all, they profit by any means available."
...because you never know who you're dealing with.
Yes, SecureID costs a fair amount now, but I suspect more people then you think would be willing to pay for it. (I would have no problem paying $50/yr to know someone can't steal my CC number or PIN.) Not to mention the price would decrease if millions of Americans had one as opposed to the somewhat limited usage right now. And considering how many millions of dollars banks and credit companies lose to such scams, they might be getting to the point where it is cheaper to issue ScecureIDs (or something similar) then lose the money due to ID thefts.
I recently had some homeless fellow steal my trash before garbage day. Normally this wouldn't concern me, but one of bags was full of credit card receipts that I was not able to shred because my shredder stopped working. Many merchants here in Canada still print the full credit card number of the receipt, so I thought it would be best if I canceled the card. I called up my bank manager and somehow we got to talking about phishing. She told me that there is an inverse correlation between the frequency of armed bank robberies and incidents of money stolen through successful phishing scams. I googled for some web site with this information, but could not anything. Apparently bank robbers are starting to realize that it is easier to phish than to rob a bank. I think it is going to get much worse before it starts getting better.