Slashdot Mirror


Phishing In The Channel

Rick Zeman writes "A Washington Post story details the relationships between phishers, IRC, plug-and-play phishing toolkits, and phantom web sites. 'For the past few months we've started to see phishing attacks from subcontractors, people who buy and use ready-made phishing toolkits and e-mail lists,' Orad said. 'It's gotten to the point where you don't need to know anything about spamming or computer programming to pull this off.'"

16 of 199 comments

  1. Great by Anonymous Coward · · Score: 5, Funny

    Now we have phishkiddies

    1. Re:Great by Rie Beam · · Score: 3, Funny

      Pguppies sounds more appropriate if you ask me.

    2. Re:Great by Have Blue · · Score: 4, Funny

      That just sounds like people who hit Page Up way too much.

  2. So what you are saying is: by Neil Blender · · Score: 5, Funny

    Now people who know nothing about ripping people off can rip off people who know nothing about being ripped off.

  3. Dear Ebay/PayPal user by x.Draino.x · · Score: 4, Funny

    There was a system crash this month. You may have noticed our system has been running slowly. If you are receiving this email, we have lost some of the information for your account. Please click on the following link and fill in all of your information to make sure your account does not get suspended. We appreciate your time, and sorry for the trouble. Click here to fill in your info! Your friends, at Ebay/PayPal.

    1. Re:Dear Ebay/PayPal user by lordkuri · · Score: 4, Funny

      xxx.edu

      pr0n college??? such a thing exists??? DAMMIT!

  4. Dear world, by Anonymous Coward · · Score: 3, Funny


    www.secure-ebay-transactions.ru is NOT ebay.

    You have been warned.

    Sincerely,
    The Internet.

  5. IRC? by Anonymous Coward · · Score: 4, Insightful

    IRC is like a communication medium, it's irrelevant in this discussion. As irrelevant as telephones being 'used' by thieves to communicate. Holding IRC responsible is pointless.

  6. Prevention starts at home by teiresias · · Score: 5, Informative

    While it has become easier for phishers (and now apparently nonphishers) to prey upon mom and pop internet surfer, it still comes down to personal security. Mom and pop internet surfer won't give their ATM pin or their credit card number to a guy on the street but for some reason, the authority of the Internet removes those safeguards.

    Next time you see your parents or someone who is a likely phishing candidate, please, don't roll your eyes. Warn them and try to explain the difference.

    --
    -Teiresias

    1. Re:Prevention starts at home by Billly Gates · · Score: 5, Informative

      Phishing works in numerous ways like creating fake websites like www.payypal.com which is a close replica of paypal to trick mom and pop.

      Also many malware type apps which install themselves through javascript exploits may install a keyboard logger, or even change the address bar when a user types "www.amazon.com". IE will display the correct URL but will go to a hacked copy of the site while the user is unaware.

      Also most stolen credit cards are from legitimate businesses which their minimum wage employees steal and post to the net for profit. I used to work at Staples and a former supervisor was caught doing this with over 50 credit card holders.

      Last, it's not the user who compromises but rather the merchant who compromises. IIS is the default most popular web software for corporate America and ecommerce sites. A hacker who can infiltrate a database with thousands of email addresses and credit numbers has a potential gold mine.

      It's more complex than just protecting yourself.

      The internet today is getting worse and worse and is turning into the wild west. It's a dangerous place where new PCs can get infected within 3 to 4 minutes, billions of spams go out each day, to phishing.

      I was reading an older story here about the google archive of usenet including the first spam and how everyone was so shocked the internet could turn into a profit making scheme. Boy, the old internet users had no idea what was coming.

  7. Has anyone seen alternate character domains? by suso · · Score: 5, Insightful

    I have been wondering when I would start to see these alternate character set domain names that you can get now play a role in this. You know, like someone registers cnn.com, but the c is not the latin character set c but one from another character set. Or something that almost looks like a c.

    Then, without even hacking DNS, you can simply make someone or a group of people think that they are on cnn.com when they are really not. This could be used for things like fake news reports, etc. that make people panic.

    Has anyone seen anything like this yet?

    1. Re:Has anyone seen alternate character domains? by Richard W.M. Jones · · Score: 4, Insightful

      Browsers could be modified to highlight characters outside the usual 7 bit ASCII range. For example, those characters could be displayed in red, or in reverse video.

      In fact, this would make sense right now. A heuristic could be used to highlight the '1' in paypa1.com.

      Rich.
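
The highlighting idea from the two comments above, as an added example that is not part of the original thread: it brackets every hostname character outside 7-bit ASCII, and brackets digits or look-alike letters only when substituting them yields a watched name. The `WATCHED` list, the small `CONFUSABLE` map and the function name are assumptions made for illustration, and the input is assumed to be the Unicode form a browser would display.

```javascript
// Added example: mark the hostname characters a browser could highlight.
// CONFUSABLE is a small constructed subset, not the full Unicode confusables table.
const CONFUSABLE = new Map([
  ['1', 'l'], ['0', 'o'],                       // ASCII digits that resemble letters
  ['\u0441', 'c'], ['\u0430', 'a'], ['\u0435', 'e'],
  ['\u043e', 'o'], ['\u0440', 'p'],             // Cyrillic letters that resemble Latin ones
]);

// Hypothetical watch list: labels of names worth protecting.
const WATCHED = ['paypal', 'cnn', 'ebay', 'amazon'];

function formatCodePoint(ch) {
  return 'U+' + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0');
}

function inspectHostname(host, watched = WATCHED) {
  const findings = [];
  const marked = host.toLowerCase().split('.').map((label) => {
    const chars = Array.from(label);            // iterate by code point, not UTF-16 unit
    // Fold look-alikes to the letter they imitate and see whether the
    // result is a watched name that the label itself is not.
    const folded = chars.map((ch) => CONFUSABLE.get(ch) || ch).join('');
    const imitates = folded !== label && watched.includes(folded) ? folded : null;

    return chars.map((ch) => {
      const nonAscii = ch.codePointAt(0) > 0x7f;
      const lookalike = imitates !== null && CONFUSABLE.has(ch);
      if (nonAscii) {
        // Rule 1: anything outside 7-bit ASCII is always highlighted.
        findings.push({ char: ch, codePoint: formatCodePoint(ch), reason: 'non-ascii' });
      } else if (lookalike) {
        // Rule 2: an ASCII digit is highlighted only when it completes a watched name,
        // so ordinary labels such as "web1" are left alone.
        findings.push({ char: ch, codePoint: formatCodePoint(ch),
                        reason: 'resembles "' + CONFUSABLE.get(ch) + '" in ' + imitates });
      }
      return nonAscii || lookalike ? '[' + ch + ']' : ch;
    }).join('');
  }).join('.');

  return { marked, findings, suspicious: findings.length > 0 };
}

// Constructed samples: a digit substitution, a Cyrillic "c", and a clean name.
for (const h of ['paypa1.com', '\u0441nn.com', 'www.paypal.com']) {
  console.log(h, '->', inspectHostname(h).marked);
}
```

A hostname stored in `xn--` (Punycode) form is pure ASCII and would need decoding to its display form before this check sees the look-alike characters.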

  8. Familiar? by nicklott · · Score: 3, Funny

    'It's gotten to the point where you don't need to know anything about spamming or computer programming to pull this off.'

    Hey sounds like IT management to me!

    boom boom

  9. Slow Law Enforcement by ackthpt · · Score: 3, Insightful

    This underscores the problem with these schemes, laws don't mean a thing if there's no enforcement. Most of the spam I see phishing should be able to be tracked down quickly enough to catch perps, but either law enforcement is bogged down with other things or it's just not really much of a priority.

    Many people complain about there not being enough cops on the street (unless they've just been pulled over), which I've been informed in my area, is due to most calls are domestic disputes. Police don't have the time to catch all the burglars and bicycle thieves because someone is slapping someone else around (IMHO the first offense should land people in a cooler for at least a month.)

    Regarding the agencies which should be chasing spammers and scammers, that's probably the FBI, which is too busy being reorg'd and chasing terrorist threats.

    --

    A feeling of having made the same mistake before: Deja Foobar

  10. Re:Let's implement some ideas by sedna · · Score: 3, Insightful

    Even easier method:

    Register an E-mail address with the credit card company. When an on-line purchase is made, a verification mail is sent to you. Click on the link in the mail and the purchase goes through, otherwise call customer relations...

  11. Re:Classic Phishing Scam by lysander · · Score: 3, Informative

    you'll look like less of a punk if you cite your references.

    --
    GET YOUR WEAPONS READY! --DR.LIGHT