Netcraft: 5,600 Phishing Sites Since December
miller60 writes "Netcraft has tracked and blocked 5,600 known phishing sites since the December launch of its anti-phishing toolbar, which it has now updated with a risk rating feature that warns users about new sites with phishy characteristics, based on trends observed in known phishing scams. It has also started a service that makes the full list available of phishing sites as a continuously updated feed for service providers and companies to use in mail servers and web proxies." One bad sign: the phishing attacks I see are getting (on average) more professional in their phrasing -- it used to be easy to toss out the trawlers based on their spelling alone.
One could say the same for the /. trolls.
Netcraft confirms... Sorry, I couldn't resist.
Funny thing, I submitted a phishing site to Netcraft and was notified that it was a new one to their database, and what do they do?
They ask me to reply to their email address with my full name, street address so that they can send me a "gift". I don't know what it is (haven't received it yet), but thought it ironic that they were soliciting information in a phishing-style.
I sent them the address so they can send me a gift (t-shirt? who knows) since I knew I had contacted THEM about the particular phishing URL, and the info they requested could be gleaned by someone who wanted to find out, but found it humorous nonetheless.
Anybody know what is this "reward" they mail you? I'm curious.
I only post comments when someone on the internet is wrong.
Is anybody proactively going after these sites with their "l33t sk1llz" when they run across them in their own mailbox?
--Justin Wondering
The phishing community will learn to read an write in a professional manner. When that day comes, the world will end
no wait.... only those gullables will find themselves in trouble.
Phishing is only a problem when you aren't paying attention.
--
The great crime in this phishing system is at the Patent and Trademark Office. We fund the office, subsidizing corporate IP owners by defending their IP. But when the PTO could enforce trademark IP to protect the consumer, they do little or nothing. How come Citigroup isn't spending billions to protect its trademark, which is used to con thousands of people a day into phishing scams?
--
make install -not war
I'm going to get paid $2 million to transfer $14,000,000 worth of money from the All-Super Bank of Nigeria to an undisclosed location? Sounds too good to be true! Oh, wait...
Is there any toolbar available for firefox? This would be a great thing to install on my relatives computers or anyone's computer for that matter.
Is that list being provided to law enforcement?
Why should people have to pay for this list, when it is submitted for free by netizens? Or is the "gift" supposed to be your payment?
The only problem that I see is that those people with the Netcraft toolbar are probably already in the low-risk category for this type of scam (although I guess the fact that they install toolbars at all makes it a slightly more at risk group) since they're reasonably aware of the problem. Still, Netcraft continues to impress me with excellent tools and insight on web traffic and security trends. A daily must-read for webmasters, far more so than Alexa.
=======
Science -- Sealed, Delivered.
One of the factors that goes into the risk rating is the age of the site. That's a good insight: phishers tend to create new sites often, as the old ones get closed down or are simply dropped.
But man, wouldn't it suck to open a new site only to have Netcraft scare off all your customers?
I wonder what "new" means. How long do phishing sites stay around? And how badly would this kill the buzz of the initial marketing effort?
Time isn't the only tool they have in the toolbar, so hopefully novelty as the only warning sign won't ring any alarm bells.
Eventually, phishers will work around this by creating sites and only activating the phishing attack after the requisite time period has elapsed. But that's work, which weeds out the laziest phishers. Watching the escalation of tactics is going to be fascinating.
From the contents of your post, you seem to be doing quite well, but ...
I can't figure out an effective way to do it in only three posts.
Yes, indeed, I think you haven't figured out one very important small detail...
What would you do?
Hmmm, ..., maybe log in?
Can anyone help me?
You're welcome!
Comment removed based on user account deletion
who said you can't make money from phishing !
I'm not admiring them. I'm not trying to understand them. I just look at it like "what an utter waste of a mind."
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
The historical phrase everyone's looking for is "Cold War".
it used to be easy to toss out the trawlers based on their spelling alone.
I've always detected the trawlers by the fact that they're asking me to give them information via email.
Pulp Audio Weekly - Geek News and Reviews
Let me get this straight - you've got a great account with lots of karma, and you'd love to transfer it to me, but you first need to get the password. This will take $400US to do that... But, out of the goodness of your heart, and because you found my name on a reputable list, you're willing to share this account with me if I can help with half the $400US fee.
Great!
No, wait, wrong post - my bad. My account's karma is having problems, and SlashDot can't confirm some of my details. So, quick, go log into http://slashdt.org/login and give all your personal information before all your past posts are DELETED!!
Thanks - I'll check up on that.
--LWM
We regret to inform you that our subscription database was lost in a major crash. In order to continue your advertising-free dupe ridden news service, we require you to verify your account details. Please have your credit card handy and head on over to Slashdot Subscription Verification to verify your account. Once again, we apologize for the mis-hap.
Sincerely, teh Taco.
The obvious response will be more laws. Laws that will take away the freedom of the non-criminal. The RIAA is forcing ISPs to hand over IPA's. Commercial websites track customers. How long until the web requires authentication just to do anything?
I hope the government really hurts the first people it catches. But until the laws change, I doubt it will be that bad. If you could rip off 1,000 people for $1,000,000, would you? What if it meant 5 years in prison, and you could hide the money so it was there when you were released?
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
Comment removed based on user account deletion
There's no point in this "encryption" since the toolbar client obviously knows how to "decrypt" it without a passphrase or anything. Probably just some lame encoding scheme like the script kiddies use to obscure their hidden password files.
Force the people who register URLs to have proof of who is buying the domain. Force them to have a credit card to buy, and force them to give a phone number and address that must be verified prior to making the URL go live. Banks do this, they check your social security number, they check your home address. Why can't we do that with URLs?
Then when a central government agency sees domain after domain from the same person going down, they can track him. If the person uses others to buy the domain, once the government tracks them all down and threatens them with jail time, chances are one of them will give away the guy.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
I actually looked into making a Firefox extension that worked with the Netcraft phishing list that you get from using their toolbar. I'm still just learning to code Firefox plugins, so I thought it would be a fun exercise. I put it aside for now since there is a big "DO NOT REVERSE ENGINEER OUR SOFTWARE" type notice in the install license, and I still have a long ways to go in learning to program Firefox extensions. I figured out how it works by reading the log file, is that reverse engineering these days?
Anyway, how the blocker works is pretty nifty, the toolbar creates an MD5 hash of each URL you visit, then compares it to a file that the toolbar auto-updates with the MD5 hashes of the bad URLs. To figure out where info is coming from, take a look at "blocked.log" in the Toolbar directory, you'll see the lines that update "blocklist.dat". The only problem I saw is that www.badsite.com/bleh.html might be in there, but www.badsite.com itself might not be, even if both are really the same page.
I still think the best anti-phishing software would be a program that just notices when you are doing something really boneheaded. It would do things like shout "Hey, that's your ebay username and password and this isn't ebay! Are you sure you want to do this?" and "This page isn't posting to an encrypted page and that is a credit card number! Are you sure about this?". Just my little idea, I'm sure there are plenty of problems with it.
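The hash-and-compare lookup described in the post above, as an added illustration (not Netcraft's code; the list format, entry names and hosts are constructed). It canonicalises each visited URL and checks the exact URL, each parent directory and finally the bare host against a set of MD5 keys, so a list entry covers everything beneath it; the case the post complains about (a page-level entry but a visit to the bare host) still misses, which is a list-curation problem rather than a lookup problem.

```python
import hashlib
from urllib.parse import urlsplit


def canonical(url):
    """Split a URL (or bare host/path entry) into (host, parts) with the host
    lower-cased, trailing dot removed and default ports dropped."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    port = parts.port
    default = (parts.scheme == "http" and port == 80) or \
              (parts.scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return host, parts


def entry_key(entry):
    """Key under which a blocklist entry is hashed: the host alone for
    host-level entries, host+path(+query) otherwise. Fragments never count."""
    host, parts = canonical(entry)
    if parts.path in ("", "/") and not parts.query:
        return host
    key = host + (parts.path or "/")
    return f"{key}?{parts.query}" if parts.query else key


def candidates(url):
    """Keys to look up for a visited URL, most specific first: the exact URL,
    the URL without its query, each parent directory, then the host."""
    host, parts = canonical(url)
    path = parts.path or "/"
    keys = []
    if parts.query:
        keys.append(f"{host}{path}?{parts.query}")
    keys.append(host + path)
    segs = path.split("/")
    for i in range(len(segs) - 1, 0, -1):      # /a/b/c -> /a/b/ -> /a/ -> /
        keys.append(host + "/".join(segs[:i]) + "/")
    keys.append(host)
    seen, out = set(), []
    for k in keys:                             # dedupe, keep order
        if k not in seen:
            seen.add(k)
            out.append(k)
    return out


def digest(key):
    # MD5 is only a compact lookup key here; it hides nothing from the client.
    return hashlib.md5(key.encode("utf-8")).hexdigest()


def build_blocklist(entries):
    """Mimic a blocklist.dat-style file: one hash per canonicalised entry."""
    return {digest(entry_key(e)) for e in entries}


def blocked(url, blocklist):
    """Return the matching key if any candidate of url is listed, else None."""
    for key in candidates(url):
        if digest(key) in blocklist:
            return key
    return None


# Constructed sample list: one page-level entry and one host-level entry.
SAMPLE_ENTRIES = ["www.badsite.com/bleh.html", "phish-host.example"]
BLOCKLIST = build_blocklist(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for u in ["http://www.badsite.com/bleh.html?session=1#top",
              "http://PHISH-HOST.example:80/login/index.php",
              "http://www.badsite.com/"]:
        print(u, "->", blocked(u, BLOCKLIST))
```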
There are many ways to get burned.
A friend of mine was asking about this Korean Tech company that was looking for a European sales rep. Wanted to know if I knew the company.
Had a look at the site, and it looked extremely legit. No phishing about it. However I didn't recognise the company and further checking realised it didn't exist (wasn't easy).
So, after some checking around, here is how the scam worked.
You would be employed as a sales rep that is required to move cash to the main company. You have to give them a whole load of details, and then they ask you to set up a bank account (with a certain bank). When sales are made you are supposed to send it via western union (minus the 10 percent cut).
However there were no sales, instead phished bank accounts would get emptied and transferred to the employees account. When the cops come looking the guy sending the cash gets nabbed and the thieves disappear.
To be honest I don't get caught out by the stupid phish attempts, but if it wasn't for the Western Union part of the job no alarm bells would have sounded in my head.
Netcraft has tracked and blocked 5,600 known phishing sites
Yes, but how many unknown phishing sites have they tracked and blocked?
"I'm not admiring them. I'm not trying to understand them. I just look at it like "what an utter waste of a mind.""
I get the same feeling everytime I read a copyright thread.
The biggest problem is the inability to email a person who cares at a lot of these places. In the past two weeks I've tried to find contacts for domains that were hosting ebay phishing pages. Emails to 'support', 'webmaster', internic domain contacts all go unanswered and the sites remain. I reported this one a week ago, it's still up: http://210.0.213.115/~homepage/Secure/eBay/cgi-bin/index.php
With a staggering 1 out of 14 websites in Syria categorized as a phishing site, I'd like to congratulate Syria for doing a staggeringly good job...
Eh, I can't even think of a joke. One out of every 14 sites? Jeez.
Perhaps it's time for a little liberation?
--
RumorsDaily
Comment removed based on user account deletion
"it used to be easy to toss out the trawlers based on their spelling alone."
while true, they all still contain some form of 'verification' and urgency to the request. If I see 'verify' or 'confirm' and I didn't recently sign up for a forum or ask for a password reset, I get rid of it
By reading this, you have given me brief control of your mind.
I've visited Phishing sites before, but I just don't get it. You'd have to be stoned or something to appreciate their music.
Why are they so hard to catch?
Comment removed based on user account deletion
She's friggin paranoid and doesn't give out ANY info unless you're standing right there in front of her and you'd better not be planning to go anywhere cause she'll take her info back before you do.
:-)
She uses FireFox and ThunderBird, (fuck IE and Outlook,) despite knowing barely enough to switch on the machine.
My wife... I think I'll keep her.
As for me... She's taught me well.
CNet's site has been mined for addresses, so I got that crap from them (maybe CNet is in worse financial shape than they're letting on), but it's done the phishers no good.
If I don't already know you, you're going to end up in my Mac's 'Junk Mail' folder.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
Known unknown or unknown unknown?
On the positive side of things, a lot of companies (ebay, paypal, citibank, amazon, etc, etc) are now publishing spf records to help detect forgeries.
"There are class action lawsuits to go after companies who behave this way. There is no recourse against an individual with no significant assets."
Doesn't stop the RIAA/MPAA from trying though.
warning you that they're having problems and would you please confirm your SSN and bank account number.
Bwahahaha.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
"Secondly, who the hell is subsidizing anything? The Patent Office takes in more in user fees than it spends - It's a yearly budget battle for them to keep more of what they bring in, not to get more money from congress. They've been totally user fee supported for at least 12 years now."
Explains the explosion in patents, and copyright, doesn't it?
it used to be easy to toss out the trawlers based on their spelling alone.
And it still is. I don't have an account with the First Whatever Bank, so it must be spam. I know that neither paypal or ebay will send me mail asking for my password. I know that my bank doesn't even know my e-mail address.
What is wrong with you people?
Assorted stuff I do sometimes: Lemuria.org
is not making the list publicly available? *shrug* I couldn't find it in any of those links.. lotta good this will do the community.
Comment removed based on user account deletion
I have an account with amazing karma,
no you don't. everyone has been capped at 50 for over 3 years now. a moron can hit the 50 cap within 3 weeks, but now since they removed the number you have no idea what you are at.
call me when you have a SlashId less than 5 digits.
otherwise you're just a poser wannabe with no clue.
i'm betting the latter.
oh and hi troll!
I got a newer one just a short while ago that said:
- Subject: *** Your eBay Bid was Cancelled ***
-
Dear eBay Community Member,
The bid that you entered for the item ( 5569407583 [original link removed] ) has been cancelled. You can view the reason provided for the cancellation by selecting the link bellow[sic].
http://cgi.ebay.com/ws/eBayISAPI.dll?Item=5569407583&BidCancelled=1 [original link removed]
Regards,
eBay
Now, if I had bid on anything at ebay within the last year, I might have panicked and started clicking on links without stopping to think about it. Fortunately, I knew I hadn't bid on anything, so I (as I've learned to do) hovered my cursor over the links and saw that they went to www.kminsectcontrol.com (insect control? interesting).
I just forwarded it to spoof@ebay.com which, sadly, I have in my address book because I have forwarded several suspicious emails to them. They always get back to me quickly and confirm that, yes, it was a spoof and to ignore it. Then they investigate the forwarded email and take any actions they can against whoever sent it.
And every ebayer should have this page bookmarked: http://pages.ebay.com/help/policies/id-account-th
I agree, the phishers are getting better. Phishers like these try to trigger a knee-jerk emotional response and I bet it works way too often.
Sig cancelled due to lack of interest
Comment removed based on user account deletion
Just curious, is there actually a karma level called "Amazing"?
since netcraft is whoring the community for their free data and then selling it to people. Can we make a nice firefox version that reports to FREE servers (ala freeDB style) that we can get going?
or did netcraft patent it?
I personally would trust an OPEN list that is under the eyes of many than a closed and encrypted secret list that can have sites or ip addresses secretly added to serve an agenda.
Forward the message (with all headers -- I do this by forwarding as attachment in Thunderbird) to spoof@ebay.com. An automated service checks whether the email came from ebay. They claim to report phished emails to the proper authorities -- it's in their best interest if they do, although I don't know for sure what they do with the email. Still, forwarding an email is pretty darn easy. What have you got to lose?
"The phishing community will learn to read AN write in a professional manner. When that day comes, the world will end
no wait.... only those gullables will find themselves in trouble. Phishing is only a problem when you're aren't paying attention."
Gullible is an adjective, not a noun. Writing is only a problem when you're not paying attention.
Yes, Gullible is an adjective, and gullables isn't a word. Also, "and" does generally take a 'd' at the end of it. Congratulations. You caught the irony. Sharp as a tack they say. Misusing words, dropping letters, etc tends to be a sign that a message could be phishing, especially if they are asking for your social security number.
--
proactive Main Entry: proactive
Pronunciation: (")prO-'ak-tiv
Function: adjective
The filesystem is the package manager
Wait, I thought the sole purpose of Netcraft was to confirm us all that BSD is dead? Has /. betrayed my trust?
I would recommend AmavisNew+ClamAV+SpamAssassin, it's a killer combo!
Most of the phishing is detected as a virus by ClamAV on my servers, and the few that escape it are stopped by SpamAssassin.
I administer a small server, with only a few hundred accounts. But it's still amazing how effectively it stops viruses/spam/phishing.
Funny thing is, we're behind a SymantecAV server... as required by the company "secure policy". But most of the new virii pass through it... and in the end AmavisNew and ClamAV are the real protectors of my network.
IMHO Symantec/Norton is good for nothing, but the managers refuse to replace it completely, and save a good few bucks. They just can't trust ClamAV to do the job, since it's OpenSource...
---- You know how some doctors have the Messiah complex - they need to save the world? You've got the "Rubik's" complex
However, I also think that if everyone were just a little more careful, the profitability would not be there.
It's the same principle as spamming. It costs next to nothing to send out the e-mail and you need only a small handful of people to fall for the scam in order to make the whole endeavour worthwhile.
Hell, it's even better than spamming; at least spammers have some sort of product to sell. Scammers don't have to provide anything. They just empty out your bank account for pure profit.
One bad sign: the phishing attacks I see are getting (on average) more professional in their phrasing -- it used to be easy to toss out the trawlers based on their spelling alone.
i'll be worried when i start seeing attacks imitating places that i actually have accounts at. other than paypal, i don't think a single one out of the thousands of phishing attacks i've received has tried to imitate a bank or institution that i actually do business with.
maybe it's just me, but i would think that when people see hundreds of emails coming from places they've never done business with in their life, they might be a little suspicious when they see one that's almost exactly the same except with their bank's logo on it, no matter how well written. or am i expecting too much of the average person?
If I don't put anything here, will anyone recognize me anymore?
For me, it's still easy. If it says it is from any sort of "phinancial institution", it's a phishing exercise. Email is one thing that I do NOT give to banks, credit card companies, or other companies that deal with my money. If a bank ever tells me that I authorized something to be transferred via electronic means, they damn well better be ready to provide restitution, because I do not and will not authorize any such transfer, except while standing in a bank officer's office with photo ID and a signature check.
The two exceptions to the "no email" rule are eBay and PayPal... but they each have an unpublished, only-for-them address, so anything claiming to be from them that doesn't come to their special address is automatically tagged & bagged.
I also monitor our mail servers, and 90% of the time, as the phishers try a new bank (Regions.com is currently the most popular), their first target are several spam traps we have. So, we can add them to our "soft bounce" list within minutes, and very little gets through.
However, I will say that I've stopped reporting such emails to banks, eBay and PayPal, since they rarely seem interested. Most of the reports are bounced by their systems as spam!
Anyone know a better place to report phishing scams other than to registrars? I have seen many that are coming from China, Japan, Chile, and various others. But since my emails are in English, they may not be understood. Is there a better/another place to report them to help them get shut down? Typically I get the IP and look up the information on http://www.dnsstuff.com/ and then report to their registrar. Any other tips? Thx! -Just doin my part to stop scammers and spam.
Netcraft confirms it!
Problem solved.
It is then IMPOSSIBLE to camouflage links to phish sites as legitimate links.
The next best thing would be to not click links in received HTML email--navigate directly to the site instead with a new browser window.
Often, the sites even have Jen-You-Whine graphics from the banks/institutions being scammed, because the real site owners don't even take the precaution of checking the browser referrer header. If you request (say) a Citibank.com graphic and the referring page isn't one that belongs to Citibank, then it should come up with a graphic that includes "NOT A LEGITIMATE CITIBANK SITE" across it. In many cases, the scammers creating the site would have the graphic cached, and never notice the difference themselves.
Sure, it's easy to fake a referrer, but why would an innocent user do so? They would simply be visiting the link in an email, not trying to hide their identity. The site itself couldn't cause your browser to send a fake referrer header, so it would at least make the scammers work harder.
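The referrer check proposed in the comment above, written out as an added example (not code from any bank or from the poster; the domain names and image file names are constructed placeholders). Two details matter in practice: the own-domain test must be an exact or subdomain match, since a substring test would accept a look-alike such as citibank.example.evil.example, and a request with no Referer at all is treated as unknown rather than hostile, because privacy tools and some mail clients strip the header from legitimate users (that choice is an assumption of this example).

```python
from urllib.parse import urlsplit

# Constructed placeholder for the institution's own domain(s); a real
# deployment lists every host that legitimately embeds the logo.
OWN_HOSTS = ("citibank.example",)

REAL_LOGO = "logo.png"
WARNING_LOGO = "not-a-legitimate-site.png"


def referer_host(referer):
    """Host named by a Referer header, or None if it is empty or not http(s)."""
    if not referer:
        return None
    parts = urlsplit(referer.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    host = (parts.hostname or "").lower().rstrip(".")
    return host or None


def is_own_host(host, own_hosts=OWN_HOSTS):
    """Exact or subdomain match only: 'citibank.example.evil.example' fails,
    which a naive 'citibank.example' in referer test would get wrong."""
    return any(host == own or host.endswith("." + own) for own in own_hosts)


def choose_logo(headers, own_hosts=OWN_HOSTS):
    """Pick the image to serve for a logo request from its request headers."""
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    if referer is None:
        # Assumption: a missing Referer is unknown, not hostile, so genuine
        # customers behind privacy tools are not shown the warning image.
        return REAL_LOGO
    host = referer_host(referer)
    if host is not None and is_own_host(host, own_hosts):
        return REAL_LOGO
    return WARNING_LOGO


if __name__ == "__main__":
    for h in [{"Referer": "https://www.citibank.example/login"},
              {"referer": "http://citibank.example.evil.example/login"},
              {"Referer": "http://phish.example/secure/citibank/"},
              {}]:
        print(h, "->", choose_logo(h))
```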
has to be these pricks
Never click a link in your email. Ever.
If you follow this simple procedure, you're not going to get scammed (unless you're also stupid enough to respond with your credit card details or something)
Places like paypal and such now don't even put clickable links in their emails because that's what scammers use. If they want you to visit a URL they'll either tell you to type it in or simply put it in as a non-clickable URL that you have to copy and paste in.
It's mildly inconvenient, but no matter how legitimate the email looks if you do not reply and do not click any links in it for any reason, you will not be scammed.
There are two classes of scam IPs, in my experience. Those in SE Asia (Korea, China, etc), and those that are compromised machines here in the U.S. In March I found one of the latter - a church organization in Virginia's webmail server had had an extra script inserted into it, hidden in the graphics directory. It was a hosted service, from a big-name ISP, according to ARIN's records. I reported it to their security people, with details of what directory the script was in, which customer's site had been compromised, etc.
Just over a month passed, and I got an angry email from NaviSite.com's security department, claiming the company I'd sent the message to (dellhost.com) "is not a navisite company nor is it one of our customers nor is the ip address ... assigned to, hosted by, routed by, or used in any way by NaviSite or any of the companies that we are affiliated with." They followed that with, "Misdirected spam complaints are not much better than actual spam."
Even though I'd not sent the complaint to NaviSite in the first place, I sent back, "Oh? You better tell ARIN (copy of ARIN record attached) and your own DNS servers (copy of reverse-DNS from their server, announcing that it was one of their customers) that it isn't your subnet, because they disagree with you!"
Let's see, I should get their "timely response" in about 20 more days...
About the most productive thing you can do with a scam mail like this is to find a convenient open proxy to hide behind, disable java and javascript in your browser so they can't use it to filter out bad entries, load the link, and start pumping fake information in. PINs with letters are great. If everyone did this, giving them 10 or 100 fake entries for every valid one, it would at least increase the chances of them getting caught, as they try to run scams with the bad info!