Slashdot Mirror


Honeynet Revealing Actual Phishing Techniques

edsonie writes "CircleID is reporting on the recent Honeynet Project, 'Know your Enemy: Phishing', aimed at discovering practical information on the practice of phishing. The study reports on a number of real world examples of phishing attacks and the typical activities performed by attackers during the full lifecycle of such incidents. The research also suggests that phishing attacks "are becoming more widespread and well organized". Also with regards to the speed of such attacks, "phishing attacks can occur very rapidly, with only limited elapsed time between the initial system intrusion and a phishing web site going online with supporting spam messages to advertise the web site, and that this speed can make such attacks hard to track and prevent." Check out the full report here presenting actual techniques and tools used by phishers."

155 comments

  1. Now the Honeynet by Psionicist · · Score: 3, Funny

    Now the honeynet will reveal how an actual DDoS attack works.

    Anyone have a mirror?

    1. Re:Now the Honeynet by Anonymous Coward · · Score: 1, Informative

      Well check here instead to see how they do.

  2. Phishing! by Anonymous Coward · · Score: 3, Funny

    I move that all 13 year old Hackers now be referred to as 'Tom Sawyers' and that at any time there is a severe lack of 'Tom Sawyers' it is to be referred to as 'playing hookey'.

    1. Re:Phishing! by Ralin_JM · · Score: 5, Funny

      And when a "Tom Sawyer" steals your identity, he "gets high on you".

    2. Re:Phishing! by lbmouse · · Score: 1

      I move that all 13 year old Hackers be strung up by their genitals.

    3. Re:Phishing! by DrinkingIllini · · Score: 1, Offtopic

      Mod parent up quick, I actually laughed out loud. Rush rules!

  3. Netcraft: Trust is dead. by Anonymous Coward · · Score: 0

    "The research also suggests that phishing attacks "are becoming more widespread and well organized". Also with regards to the speed of such attacks, "phishing attacks can occur very rapidly, with only limited elapsed time between the initial system intrusion and a phishing web site going online with supporting spam messages to advertise the web site, and that this speed can make such attacks hard to track and prevent." "

    Anyone for a good round of "Back in the good old days"?

  4. Actual techniques by Anonymous Coward · · Score: 4, Insightful

    I've discovered that these Phishers ask questions and stupid people give them answers.

    Let's not make it into brain surgery. Do we need honeynets to tell us there are stupid people out there? And there always will be stupid people out there.

    1. Re:Actual techniques by NanoGator · · Score: 3, Informative

      "Do we need honeynets to tell us there are stupid people out there?"

      Good god. You use a computer a lot, and that makes a lot of people stupid BUT you? Question: Did you believe in Santa Claus growing up? Would you appreciate me calling you stupid about it?

      Yeesh. Anyway, to answer your question: If Honeynets are revealing specific ways of screwing people, then specific warnings can be given out to help minimize the risk. You've never noticed how Paypal tries to very clearly explain to people not to click on paypal links in their email?

      --
      "Derp de derp."
    2. Re:Actual techniques by snorklewacker · · Score: 2

      Good for you, you identified that there are stupid people in the world. Boy what an insightful analysis. The paper happens to do a wee bit more than say "we got some phishing messages, so heads up folks, phishing exists", it also offers some pretty good overview analysis (though short on raw source data) into the network structure of phishers.

      Your non-solution leaves a whole lot to be desired if you're a bank. Do you suggest banks administer an I.Q. test before they allow people to open accounts? Do you suggest that banks just accept that phishers are out there somewhere and can't ever be tracked or caught or that their techniques can't be countered? I don't know what you suggest, because you don't want to "make it into brain surgery" by actually looking into the problem in any depth other than a dismissive "people are stupid".

      Part of security is protecting institutions against their own stupid users. Get used to it.

      --
      I am no longer wasting my time with slashdot
    3. Re:Actual techniques by Anonymous Coward · · Score: 0
      I've discovered that these Phishers ask questions and stupid people give them answers.

      Oh how I long for the -1 Idiot moderation. And while we're at it, give me a meta-mod option Unfair, N/A, Fair, and Idiot for when you could understand why the moderator modded it as such, but he was an idiot for doing so, thus you should not give him points again.

      Oh well, a fool and his dreams...

    4. Re:Actual techniques by jonadab · · Score: 2, Insightful

      > Good god. You use a computer a lot, and that makes a lot of people stupid
      > BUT you?

      Susceptibility to phishing has virtually NOTHING to do with how much you do or do not use a computer. It is a function of your general level of naivete. Giving out your bank password in response to an email request is fundamentally no different from giving out your credit card number to a sleazy telemarketer who says he's from the local police charity. In both cases, somebody contacts you and claims to represent a certain organization, and you just believe he is whoever he represents himself as, without wondering whether someone could be faking those credentials. No amount of computer-technical knowledge will prevent you from making that mistake, and no amount of *ignorance* of technical computer and network details will *prevent* you from seeing through the ruse.

      Granted, technical knowledge helps you to see the *details* of the ruse, e.g., to expose it; an end user is unlikely to be able to analyze email headers and do whois lookups and whatnot to track down the sender's real identity, for instance. But that won't stop a sensibly sceptical end user from saying to himself, "Hey, how do I know this message is really from Citibank and that what it says is true? Maybe I'll call the bank and check..." A network admin won't have to call the bank, obviously, because he can analyze the headers and stuff, but he'll only do that under the same circumstances that an end user would call the bank, i.e., if he doesn't immediately believe that the message must certainly be reliable just because he received it.

      > Question: Did you believe in Santa Claus growing up?

      No. My parents taught me discernment, not lies.

      What the honeynets are doing is good, and it's worth doing, and they should keep on doing it, but it is nevertheless true that a large amount of gullibility is required to fall for a phishing scheme of any kind. Basically you have to be the kind of person who just assumes any random person you've never met before is probably telling you the truth whenever he's talking, unless you have a specific reason to believe otherwise. That's fundamentally dumb, because if you live in a world populated by human beings, at least 50% of what people tell you is wrong. If you don't put at least some thought into evaluating the probable veracity of each and every thing that you hear or read, you're stupid.

      --
      Cut that out, or I will ship you to Norilsk in a box.
  5. Internet Darwinism by Nytewynd · · Score: 5, Interesting

    Anyone that falls for a phishing scam is too dumb to have their money anyway.

    At work, the security guys put together a phishing test. It looked exactly like our normal web page, they made it sound official by calling it some kind of Task Force, and then they emailed everyone a link to the password checker. It supposedly tested your password for security difficulty. You enter your ID and password and it would email you back the results.

    I sent the link to the security guys and got an "Attaboy". About half of the people ended up on the list of idiots that handed out their secure passwords over the internet.

    What goes through someone's head to enter passwords, bank account info, or personal identity information over the Internet? Don't people consider that the companies supposedly asking for this stuff should already have it? Your bank is never going to ask you for your account number over email. They already have it!

    --
    /. ++
    1. Re:Internet Darwinism by Anonymous Coward · · Score: 1, Funny

      Phishers rely on the fact that on the Internet(tm), you're a retard until proven innocent.

      So few are acquitted.

    2. Re:Internet Darwinism by nickptar · · Score: 1

      How do you know those were the actual passwords? (All right, probably most were, but that is a severe problem with this kind of study.)

      You know the survey where people were offered a pen or something in exchange for their password? I would have gone "Sure... my password is 'gull1ble'". Free pen, no security risk.

    3. Re:Internet Darwinism by Anonymous Coward · · Score: 0
      What goes through people's heads? The desire to help that poor Nigerian widow with $50million.

      Seriously, though, I wonder why all the phishing attacks use the same old stories (ebay account, nigerian money) when there are so many other hotbuttons out there.

      Why no "i need your bank account to help in the war against obscene pornography" or "need your password to upload starwars to your computers"

    4. Re:Internet Darwinism by Taladar · · Score: 1

      Perhaps the 'security guys' at work have access to the password hashes?

    5. Re:Internet Darwinism by Anonymous Coward · · Score: 3, Interesting

      > Anyone that falls for a phishing scam is too dumb to have their money anyway.

      http://survey.mailfrontier.com/survey/quiztest.html

      (use IE, not the Fox)

      Did you get 100% correct on the first try (I didn't, I only got 9 out of 10)? Educating the internet population to be aware of the varied and increasingly sophisticated scamming variants is a hopeless proposition in my opinion.

    6. Re:Internet Darwinism by 99BottlesOfBeerInMyF · · Score: 4, Insightful

      Your bank is never going to ask you for your account number over email. They already have it!

      Part of the reason this social engineering is successful is that companies, banks, large organizations are so lousy at keeping accurate records. Have you never had a bank screw up your name, or your balance, or some other company you do business with charge you for something you never ordered or fail to charge you for something you have ordered? I've had all these things happen, and it makes it completely unsurprising that a bank would lose your information or even have a policy of verifying your account password via e-mail. It is ridiculous and insecure and generally a really stupid idea, which is why it seems plausible that some lumbering bureaucracy would do it. Obviously, I would never give out sensitive information via e-mail, but I would actually not be surprised if some company requested it via that method. Just because it looks like phishing, does not mean it is, it could just be someone being really dumb. There is plenty of blame to go around here.

    7. Re:Internet Darwinism by NetSettler · · Score: 4, Insightful

      Anyone that falls for a phishing scam is too dumb to have their money anyway.

      I would venture a guess that among the vulnerable are the parents and/or grandparents of most of the people who read Slashdot. You don't see an ethical obligation on the part of the technically savvy to care about and protect the technically unsavvy? Shame on you.

      Software can be anything we make it be. The technologists who have shaped the world have made many choices and will continue to make choices about what our programs will and won't do, how information will be presented, etc. They make those choices on behalf of the public, and they cannot simply shirk responsibility in this way.

      Almost all technological problems of this kind reduce to our desire to get as far as possible as fast as possible, and damn any ill side-effects. If browsers required you to know and approve each site before you connected to it, this wouldn't happen. "But that would slow us all down," I can hear you say. The world needs this now, now, now. Indeed, we get benefits by not holding back. But we get ill effects, too, and we can't just poo poo those as not our responsibility. They follow directly from the design decisions we make on behalf of our parents and friends, people who often don't know we're making them nor the consequences of their having been made.

      If we spent half as much time, energy, and intellect solving social problems as we do solving technical ones, I suspect the world would be happier.

      --

      Kent M Pitman
      Philosopher, Technologist, Writer

    8. Re:Internet Darwinism by elronxenu · · Score: 1
      Your bank is never going to ask you for your account number over email. They already have it!
      Maybe so, but they definitely ask you for your account number and password when you login to their website.

      Phishers set up a fake website to look like the bank and then all they have to do is lure the suckers to the fake website. And users have been conditioned to type their usernames and passwords into the fake website because they have been conditioned to type the same information into the real website.

      What the banks should be doing is providing users with certificates (auto download to the browser) which proves the user's identity, without requiring the user to send their password to the bank. If every user authenticated using a certificate, a phisher would get nowhere, because (a) the browser won't send the certificate to the phisher, and (b) even if the browser did send the certificate, it's not usable by the phisher to authenticate to the real bank website.

    9. Re:Internet Darwinism by Anonymous Coward · · Score: 1

      100%- Simply treat them ALL as phishes. There is NO legit reason why my bank (or whatever) would be emailing me, asking me to click a link in the email.

      Besides, I don't have an account with any of those companies, so I know they are all false. ;-)


    10. Re:Internet Darwinism by Anonymous Coward · · Score: 0

      But they have to ask YOU for it, so they can know who YOU are.

      "Hi, I'd like to deposit $1000 to my account."
      "Can I have your account number, please?"
      "NO! You Already have it! ANd don't ask for my name either- you have that, too!!"


    11. Re:Internet Darwinism by Nytewynd · · Score: 1

      I would venture a guess that among the vulnerable are the parents and/or grandparents of most of the people who read Slashdot. You don't see an ethical obligation on the part of the technically savvy to care about and protect the technically unsavvy? Shame on you.

      You are absolutely correct. That is why I have attempted to teach my parents about the dangers of phishing, malware, and viruses. It still doesn't stop my father from installing Gator 3 times a day, but at least I am trying.

      Like I said in a previous post, this isn't a technical problem. It is a philosophical problem, using a technical vehicle. Teaching people not to disclose personal information at all is the answer. We'll never build technology that always protects people from themselves without making it overly intrusive.

      --
      /. ++
    12. Re:Internet Darwinism by fermion · · Score: 1
      First, not everyone knows the underlying structure of the internet, what the protocols are, and what the risks are. A good analogy is a car. Most do not know how complex a car is, and how easy it would be to die at high speeds. Most are not able to understand the physics of tire against road, and how fragile and small that contact patch is. Those who do buy cars that are stable and tires that are over-engineered for the application. Those that do understand would like to say that those who have accidents or die in SUVs do so due to their own stupidity, but that would be simplistic.

      Also, it took some time for the so-called experts to get a line on the issue. I remember in the early days of online banking writing an email to a bank. The bank was sending out emails to customers with links to the bank site, using a third-party address, and other bad security protocols. I informed them of this, and was told there was no risk. That issue has been largely solved, but today we have passwords in secure frames of unsecured pages. It builds a bad habit of entering important passwords on unsecured pages.

      Security is complex, and the issue is that the people who should know what they are doing don't, and they put everyone else at risk.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    13. Re:Internet Darwinism by spinfire · · Score: 1

      I did get 100% on the first try.

      Also, worked fine in Firefox for me.

    14. Re:Internet Darwinism by Tony+Hoyle · · Score: 1

      That site shows you gifs of actual emails and expects you to tell the difference visually?

      I looked at the first one and realized it's sophisticated enough to need to look at the source first.. Outlook is easily spoofable with links so there isn't enough information to make a determination. Plus we have no idea whether the recipient is *really* a member of the bank anyway.

      Pretty useless test.
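
The two posts above touch the same point from opposite ends: jonadab notes that an admin can analyse the message itself rather than calling the bank, and Tony Hoyle notes that the rendered text of a link tells you nothing about where it goes. What follows is an added example, not the Honeynet Project's code and not anything a poster here wrote: a small Python script that parses an HTML mail, extracts every anchor, and flags the tricks a screenshot hides (link text that is itself a URL for a different host, a `user@host` prefix that puts the bank's name before the real host, and any target outside the sender's domain). The sample message and all of its host names are constructed for the example.

```python
"""Flag deceptive links in an HTML e-mail, the check a human eye cannot do
from a rendered screenshot.

Added example, not from the Honeynet paper or from any poster in this thread.
The message below is constructed; every host name in it is a placeholder.
"""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a "verify your account" lure with three links.
SAMPLE_EMAIL = b"""\
From: "Citibank Online" <alerts@citibank.example>
To: customer@example.net
Subject: Please verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer, please verify your details at
<a href="http://citibank.example.login-verify.test/update">
https://www.citibank.example/signon</a>.</p>
<p>Or use our secure portal:
<a href="http://www.citibank.example@203.0.113.7/signon">secure portal</a></p>
<p>Help: <a href="https://www.citibank.example/help">www.citibank.example/help</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host a browser would actually connect to for this URL or bare 'www.x' text."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def looks_like_url(text):
    return text.lower().startswith(("http://", "https://", "www."))


def same_site(host, domain):
    return host == domain or host.endswith("." + domain)


def analyze(raw_bytes):
    """Return [(href, real target host, [reasons])] for every link in the mail."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    body = msg.get_body(preferencelist=("html",)).get_content()
    collector = _LinkCollector()
    collector.feed(body)
    sender_domain = email.utils.parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()

    findings = []
    for href, text in collector.links:
        reasons = []
        if "@" in urlsplit(href).netloc:
            # user:pass@host form: everything before '@' is decoration, not the host
            reasons.append("userinfo-before-host")
        target = host_of(href)
        if looks_like_url(text) and host_of(text) != target:
            reasons.append("display-text-host-differs")
        if not same_site(target, sender_domain):
            reasons.append("target-not-under-sender-domain")
        findings.append((href, target, reasons))
    return findings


if __name__ == "__main__":
    for href, target, reasons in analyze(SAMPLE_EMAIL):
        print(f"{target:40} {'OK' if not reasons else ', '.join(reasons)}  <- {href}")
```

The sender-domain check is deliberately naive (the From header is trivially forged, as the thread already notes), so it catches only sloppy lures; the other two checks hold regardless of who the mail claims to be from.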

    15. Re:Internet Darwinism by Skim123 · · Score: 1

      I would contend that years of mandatory public schooling has "trained" most folks to be ideal worker bees: do what you're told without thought or question. Is it any surprise that this mentality has boiled over into not just face-to-face instructions, but also instructions over email?

      --

      I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.

    16. Re:Internet Darwinism by mcmonkey · · Score: 2, Insightful
      100%- Simply treat them ALL as phishes. There is NO legit reason why my bank (or whatever) would be emailing me, asking me to click a link in the email.

      Besides, I don't have an account with any of those companies, so I know they are all false. ;-)

      100% correct. Even for companies I do have an account with, no reason there would ever be a link in an email I need to click. I do have one credit card set up to send me an email when the monthly statement is ready, but when I view that statement, I'll sure use my bookmark, not a link in the email.

      Of course most phishing attempts are from companies I have no association with, so that's easy to catch. And 100% of phishing emails I get are filtered by SpamBayes.

    17. Re:Internet Darwinism by jawtheshark · · Score: 1
      ..., banks, ... are so lousy at keeping accurate records.

      In the 20 years I have had bank accounts, they screwed up exactly *once*. A few €'s on an interest calculation. I wrote a letter and got my money back. My account number, my address, my name, my birthdate were always correct. Actually, banks (at least the serious ones) are absolutely paranoid about knowing as much as they can about you. They datamine that stuff and profile you. If you didn't know that, you are being naive. To a bank, knowing the customer is one of the most important things.

      Oh, don't think that I only saw banks on the outside. I actually worked for over six years in the financial world. Your data, meaning at least your name and your account number, are stored on one of those famous big irons and they have numerous backups.
      What can be lost, and is lost quite frequently due to some fuckups in the data-processing chain, is *transactions*. (Be it Buy/Sell or normal bank transfers.) While very bad for the image of the bank (and they usually try to recover such fuckups as much as they can), it doesn't lose *customer data*. Sure, a transaction may be two days late (which can be very sucky for many clients), but it's only the transaction.

      The closest thing to "losing" customer data that I saw was when a small bank (<100 employees) had to check all its visa files: the question was "is a photocopy of ID present in the file?". Not that they "lost" this data, they just didn't have this information in the computer and the legislation changed requiring an ID. Nothing was lost, but non-complying people had to be contacted. This was done by writing them a letter signed by the guy responsible for that department.

      Also: I don't know if you realise, but banks with ebanking functionality (about all of them these days, and as I see many support Firefox and alternate browsers... at least my banks do) usually want to have an email functionality within. That is: the system has integrated webmail. Sure, you can't contact hotchicka@yahoo.com with that "email" (which goes over their secure link), but you can contact customer service over it. If they needed to contact *you* they would use that... and even then, they really prefer writing you a good old dead-tree letter over bits'n'bytes because, frankly, if you use your ebanking once or twice a month you're going to get your messages late.

      Oh, and a small anecdote: I went to the bank last week in order to get papers to open a joint account with my future wife. The guy started asking his standard question: "Why do you want to open a joint account?", but cut in the middle and remarked: "Ah, yes, you're getting married!". I was baffled that he knew. How could he know?
      Very easy: a few weeks before I was there in order to get some foreign currency, they asked me why I needed (a quite rare) currency. Somehow I told them it was for my honeymoon and that was promptly marked in their system. While it may seem scary, banks (and other large companies) do this all the time.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    18. Re:Internet Darwinism by jawtheshark · · Score: 1
      Maybe so, but they definitely ask you for your account number and password when you login to their website.

      They *do*???? (I'm talking Banks, not PayPal) The ones I've seen are:

      • Certificate installed in your browser + 4 digits of a 16 digit codecard + your password
      • No certificate, but you get to enter your customer code (which is *NOT* your account, it's just an ID), plus your password, plus 3 digits of a 16 digit codecard. (This is less secure than point one, but more "customer friendly" since it doesn't require installing a certificate)
      • Customer code + one of those devices that gives you a code. I don't know how these work, but I sure can't predict what the thingy is going to give me as a number (it's a similar system to what car-keys send to the car in order to open it. The modern systems don't use a fixed code)
      There may be many more, but all three seem reasonable to me. All three do not identify the customer directly, because there is no account number. Besides, I'm a client: I have more than one account. What account would I need to type in, in order to log in on their system? My first account? One of the first things you learn at banks is that there is a 1:N relationship between customer and accounts.
      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
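
The post above lists a printed code card and a code-generating device as bank log-in factors and explains why the poster cannot predict the device's next number. The block below is an added example, not code from any bank and not written by anyone in this thread: the bank-side verifiers for both factors in Python. The device is modelled as RFC 4226 HOTP (an HMAC-SHA1 counter-based code, which is one common way such tokens work; the exact scheme the poster's bank uses is not stated on the page), using the test key and vectors printed in that RFC. The 16-position code card and the way it is challenged are constructed for the example. The thing to notice is that a phished answer is worthless afterwards: a used HOTP code (and every earlier one) is dead once accepted, and a captured card code only answers the position it was captured for.

```python
"""Two of the log-in factors listed above, as server-side verifiers.

Added example, not code from any bank or from anyone in this thread. The
code card and the token secret are constructed; the token algorithm is
RFC 4226 HOTP, whose published test vectors the checks below use.
"""
import hashlib
import hmac
import secrets
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Bank side of the 'device that gives you a code' factor (counter based)."""

    def __init__(self, key: bytes, look_ahead: int = 5):
        self.key = key
        self.counter = 0              # next counter value the bank expects
        self.look_ahead = look_ahead  # tolerate a few presses that never reached us

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.key, c), code):
                self.counter = c + 1  # this code and all earlier ones are now dead
                return True
        return False


def make_code_card(positions: int = 16, width: int = 4):
    """Issue a card of `positions` random codes, as printed and posted to the customer."""
    return [f"{secrets.randbelow(10 ** width):0{width}d}" for _ in range(positions)]


class CodeCardVerifier:
    """Bank side of the code-card factor: ask for one position, check the answer."""

    def __init__(self, card):
        self.card = list(card)

    def challenge(self) -> int:
        return secrets.randbelow(len(self.card))  # 0-based position asked for

    def verify(self, position: int, answer: str) -> bool:
        return hmac.compare_digest(self.card[position], answer)


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 4226 test key
    bank = TokenVerifier(key)
    first = hotp(key, 0)
    print("fresh code accepted:", bank.verify(first))
    print("same code replayed: ", bank.verify(first))

    card = make_code_card()
    cc = CodeCardVerifier(card)
    pos = cc.challenge()
    print("right position:", cc.verify(pos, card[pos]))
    print("captured code, different position:", cc.verify((pos + 1) % len(card), card[pos]))
```

A phishing site that proxies the bank's challenge in real time can still relay a single login, which is why the poster's first option (a browser certificate the phisher never receives) is stronger than either of these alone; what the card and token do stop is the offline reuse of anything captured.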
    19. Re:Internet Darwinism by edx0r · · Score: 2, Informative

      "I looked at the first one and realized it's sophisticated enough to need to look at the source first."

      Exactly the point of the test, I should think. Given that the average user isn't likely to look at source, or perhaps may not even know how to look at source, asking to judge what is a phish and what isn't purely by visual inspection helps to highlight why it is these things so often work against the unsophisticated computer user.

    20. Re:Internet Darwinism by 99BottlesOfBeerInMyF · · Score: 1

      They datamine that stuff and profile you. If you didn't know that, you are being naive. To a bank, knowing the customer is one of the most important things.

      Just because they collect a lot of data on their own or buy it from outside sources does not mean it is accurate.

      Sure, a transaction may be two days late (which can be very sucky for many clients), but it's only the transaction.

      I've found two different banks each to have an incorrect balance for my account because once they charged me $400 in ATM fees when I did not have an ATM card at all (they said it was a "computer glitch") and once they completely lost a check I deposited (which they did not find a month after deposit until I quoted them the transaction number). I also had an ATM card PIN number disappear completely from the system making the card unusable until I could get a new one. My girlfriend has had yet another bank screw up her balance twice (once in each direction) by seemingly random amounts of money. This is Not accurate record keeping.

      Also: I don't know if you realise, but banks with ebanking functionality (about all of them these days, and as I see many support Firefox and alternate browsers... at least my banks do) usually want to have an email functionality within.

      Interesting you should mention that. I've been looking to open a new money market account. There are five banks within a few blocks of my house and I figured one of them would have decent online banking. Three of them will not even load the online banking in anything but IE, one you cannot even send them e-mail to ask a question in anything but IE (no e-mail address listed just broken javascript links), none of them offer rotating passwords or PIN numbers, and none of them offer one-time passwords for online transactions. I'd say the state of technological security for online banks in the U.S. is piss poor. You mention euros in your comment and I've heard that European banks have better security track records and have required audits in some countries. (Wasn't there just a Register article about how some security companies point out the same errors twice a year to the same banks because although audits are required by law, fixing the problems isn't.)

      I'm completely unconvinced the average bank is not going to do something completely stupid like send e-mail asking me for information or providing (possibly spoofed) links to their website and ask me to provide them with some information. One of the reasons I'd prefer a bank close to home is so I can walk down and take care of these things in person. So sorry, you haven't really bolstered my opinion of banks accuracy and competence, nor that of other large businesses.

    21. Re:Internet Darwinism by skubeedooo · · Score: 1
      ...and I suppose anyone who can't defend themselves deserves to get mugged? And anyone who hasn't done a law degree deserves to be sued? And anyone who can't grow their own food deserves to starve?

      Can you not see how repulsive your statement is? Before making such broad allegations, try putting yourself in the shoes of someone who doesn't waste away their whole life reading slashdot, and doesn't have an in-depth knowledge of the internet. Maybe they're too busy growing your food to know that the locked padlock symbol at the bottom of the browser doesn't necessarily mean that they are where they want to be. Or perhaps they're too busy investigating the spate of burglaries in your neighbourhood to find out that clicking on the link to Citibank, enclosed within an email from Citibank, will actually take them to a scammer.

      Please, can you show a little more respect for the other people you share the world with. They are not as stupid as you think.

    22. Re:Internet Darwinism by budgenator · · Score: 1

      At work, the security guys put together a phishing test. It looked exactly like our normal web page, they made is sound official by calling it some kind of Task Force, and then they emailed everyone a link to the password checker. It supposedly tested your password for security difficulty. You enter your ID and password and it would email you back the results.
      It occurred to me that the phishers need some kind of transaction processing, which should deposit any money into their account; and transaction processing involves a fee, such as 30 cents per transaction + 1.5% being fairly typical (or at least a bandwidth fee at the hosting provider). So if they are asking for user IDs, passwords and credit card numbers and such, why not just write a fairly simple perl script and send them a few million? Might save the FBI some investigating; they'd just have to follow the smoking router to the source.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    23. Re:Internet Darwinism by Nytewynd · · Score: 1

      ...and I suppose anyone who can't defend themselves deserves to get mugged? And anyone who hasn't done a law degree deserves to be sued? And anyone who can't grow their own food deserves to starve?...

      ...Please, can you show a little more respect for the other people you share the world with. They are not as stupid as you think.
      Those are silly analogies, and I don't see how they even remotely apply to my argument that teaching someone to secure their identity is the best approach.

      I believe by definition that anyone who is caught in a phishing scam is exactly as "stupid" as I think. That's why we need to teach them about how to avoid them.

      --
      /. ++
    24. Re:Internet Darwinism by skubeedooo · · Score: 1
      I wasn't saying anything about the merits of educating people. In fact, if you have a look at your original post, neither were you.

      I was trying to illustrate the fact that our society relies upon having a large diversification of skills. This allows us to achieve much more collectively, although it also means that we have to accept that other people will not have as much knowledge as we do in our area of expertise. We do expect that everyone has a basic level of competence at general tasks, but like it or not knowing exactly how emails can be counterfeited, knowing that the 'secure' symbol in a browser refers only to the protocol, that a certificate can be self-signed, that an accented character in the domain name can send you to a malicious site etc etc constitute more than just a basic level of competence.

      The very fact that half of your company fall into your category of "stupid" ought to make you wonder whether that is the best descriptor to use. No wonder (in my experience) everybody hates the guy in IT.

      Finally, if your original post was about the importance of educating people, it seems odd that you titled it "Internet Darwinism".
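
The post above lists things a non-specialist cannot be expected to know, among them that an accented character in a domain name can send you to a different site. As an added example that is not part of this thread, the Python below does the check a browser or mail filter can do for the user: fold accents and common Cyrillic look-alikes out of a host name, compare the result against a short list of protected brand names, and report labels that mix scripts. The host names and the brand list are constructed, and the confusable table is a small hand-picked subset of the Unicode confusables data, not the full list.

```python
"""Spot host names built from accented or look-alike letters, the trick
where "an accented character in the domain name" sends you elsewhere.

Added example, not from this thread. The host names are constructed and
the confusable table is a small hand-picked subset, not the full Unicode list.
"""
import unicodedata

# Cyrillic letters that render like Latin ones in most fonts (subset, assumed).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0455": "s", "\u0458": "j",
}

# Brands a client might want to defend; illustrative list.
PROTECTED = {"citibank.com", "paypal.com", "ebay.com"}


def script_of(ch):
    """Script name from the Unicode character name ('LATIN', 'CYRILLIC', ...)."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def skeleton(host):
    """Fold accents and known look-alikes away so look-alike names collide."""
    out = []
    for ch in unicodedata.normalize("NFKD", host.lower()):
        if unicodedata.combining(ch):
            continue  # drop the acute in 'í', the cedilla in 'ç', etc.
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def analyze_host(host):
    host = unicodedata.normalize("NFC", host.strip().lower())
    mixed = []
    for label in host.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            mixed.append(label)  # Latin and Cyrillic in one label is a classic tell
    try:
        punycode = host.encode("idna").decode("ascii")  # what DNS actually resolves
    except UnicodeError:
        punycode = None
    skel = skeleton(host)
    return {
        "host": host,
        "punycode": punycode,
        "non_ascii": any(ord(c) > 127 for c in host),
        "mixed_script_labels": mixed,
        "skeleton": skel,
        "lookalike_of": skel if skel in PROTECTED and skel != host else None,
    }


if __name__ == "__main__":
    for h in ("citibank.com", "c\u00edtibank.com", "p\u0430ypal.com", "www.ebay.com"):
        print(analyze_host(h))
```

The punycode form is the one worth showing users or logging, since "xn--" at the front of a label is visible even when the rendered glyphs are indistinguishable from the real name.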

    25. Re:Internet Darwinism by snorklewacker · · Score: 2, Insightful

      > 100%- Simply treat them ALL as phishes.

      This is what the banks refer to as "brand damage". My bank would love to sell me a money market account and actually link to their own promotion. Maybe not right to my account page, but what stops a phisher from copying entire site structures?

      I realize that you're one of the superior enlightened few that cannot be marketed to, but banks do have products to promote to the rest of the unwashed masses.

      --
      I am no longer wasting my time with slashdot
    26. Re:Internet Darwinism by Anonymous Coward · · Score: 0

      > In the 20 years I have had bank accounts, they screwed up exactly *once*. A few €'s on an interest calculation.

      It took one character in the email, one that's fairly hard for me to type on this keyboard, to give away why that is the case.

      European banking regulations are strict. Here in the US, they used to be, but ever more competitive myopic greed has gotten the banks to destroy regulations in a very clever scheme: first, by preventing new regulation from being passed, and while the old regs become antiquated, blame the suffocating obsolete regulations for all their problems. This is hardly unique to banks, mind you, but it does have particular consequences for the customers.

    27. Re:Internet Darwinism by snorklewacker · · Score: 2, Informative

      > Interesting you should mention that. I've been looking to open a new money market account. There are five banks within a few blocks of my house and I figured one of them would have decent online banking. Three of them will not even load the online banking in anything but IE

      Then switch banks. Wamu, Wells, and Citi all have zero problems with firefox. Call the bank and tell them why. Don't come off like some smug platform evangelist, just say "your internet banking doesn't work with my computer and theirs does". Let them wonder why.

      --
      I am no longer wasting my time with slashdot
    28. Re:Internet Darwinism by Anonymous Coward · · Score: 0

      > So if they are asking for user id's passwords and credit card numbers and such; why not just write a fairly simple perl script and send them a few million?

      Most spammers have scripts that reject multiple submissions from the same IP. You would have to make it a distributed effort.

    29. Re:Internet Darwinism by 99BottlesOfBeerInMyF · · Score: 1

      > Then switch banks. Wamu, Wells, and Citi all have zero problems with firefox. Call the bank and tell them why.

      As I mentioned, two of the banks do work with Firefox (and Safari, my preferred browser) but none of them offer decent online security options such as are commonly offered in many parts of Europe. As for contacting them, I e-mailed two of the banks' feedback e-mail addresses and politely mentioned why I was going with a competitor. One did not even have an e-mail or working link, just broken "contact us" javascripts. I gave up on them because this is not something I want to waste my time on. If you know a good bank, preferably one with physical locations I can get to, that has rotating PIN numbers or one-time passwords for online transactions, I'd love to hear about them. I did not, however, mention the banking problems to complain that I can't find a good bank, merely to point out that many banks are very incompetent, especially technologically.

    30. Re:Internet Darwinism by Anonymous Coward · · Score: 0

      I've found two different banks each to have an incorrect balance for my account ... and once they completely lost a check I deposited...

      My mother made a deposit at an ATM of 2 checks - a tax refund and a paycheck. They credited her, then deducted the amount of one of the checks. She called to find out why, and the bank said she only deposited one check. They sent her a photocopy of the check, and it was the paycheck. The top 1/4 inch of the tax check was clearly visible over the top of the paycheck.

      Turns out the automated machinery that opens, separates, photographs, scans, and OCRs the checks didn't separate the checks. And unfortunately the checks are destroyed after being processed. No human oversight. So she had to have the tax check re-issued.

    31. Re:Internet Darwinism by coopex · · Score: 0

      It's a pretty worthless test, it doesn't allow you to actually follow the link to see if it's from the company, the 100% secure way to deal with Chase/Paypal/Ebay/etc...

      --
      The road to hell is paved with good intentions.
    32. Re:Internet Darwinism by deinol · · Score: 1

      > banks do have products to promote to the rest of the unwashed masses.

      So what? Why do I have to waste my bandwidth and storage space downloading it? Just because it was a legitimate e-mail doesn't mean it is a legitimate way to let me know about their product. I don't care if it is spam or a phish, I don't want to read it, and will delete it on sight. Unless I specifically requested information from a company, I don't feel any loss.

      [/rant]

      --
      Got Apathy?
    33. Re:Internet Darwinism by jawtheshark · · Score: 1
      Thanks for the informative post about the state of US banking. I assumed it, but wasn't 100% sure and didn't want to fall back to needless ameribashing.

      I don't know if the friendly AC is still reading, but the Euro symbol is not a problem for your US Keyboard: I can't type it directly either on slashdot. Just use html entities. &euro; will do. Alternatively, should you need it in a normal document, choose US International Keyboard layout and type: Alt-5 ( US International English Layout )

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    34. Re:Internet Darwinism by jafiwam · · Score: 1

      Very, very few online banking providers (most banks don't run or write their own online banking backend) have the security that you are looking for.

      You might try one of the internet only banks for that type of stuff.

      It just hasn't gotten a foothold in the USA like in Europe.

    35. Re:Internet Darwinism by juicyfruit · · Score: 0

      I type in my account number and password at my bank's website (over the internet!) all the time.

      Calling someone stupid for doing it yet again isn't quite fair.

    36. Re:Internet Darwinism by snorklewacker · · Score: 1

      Can you really not comprehend the notion that banks have customers, that they send marketing email to these existing customers, AND that these customers sometimes get phished?

      Your opinions on marketing are irrelevant to the concept of brand damage.

      --
      I am no longer wasting my time with slashdot
    37. Re:Internet Darwinism by NetSettler · · Score: 1

      > We'll never build technology that always protects people from themselves without making it overly intrusive.

      Always? No. But sometimes? Often? I wouldn't be so defeatist on those options. If you meant literally what you said, then I'd say you're speaking way too narrowly. If you just mean "sometimes" or "often", and were exaggerating, then I'd say your statement is somewhere between defeatist and outright untrue.

      People don't consider food, condoms, kitchen knives, air travel, or dentistry "safe" because it's not possible for there to be materials or process errors. They are willing to call these things safe because a reasonable standard of care is applied to the associated tasks. I don't know that I see those same levels of care applied to programming, incidentally... although the level of care that goes into the corresponding legal disclaimer is often quite competent.

      --

      Kent M Pitman
      Philosopher, Technologist, Writer

    38. Re:Internet Darwinism by elronxenu · · Score: 1
      They *do*???? (I'm talking Banks, not PayPal)

      Whether it's an account number or a customer code is irrelevant; the ones I have experience with authenticate the user completely from details which the user types in at the keyboard. No certificates used.

      This makes it vulnerable to phishing attacks because the phisher needs only to fool the user into believing that they are using the legitimate website. The phisher does not need the account number, they need only enough information to login to the user's banking site.

      On the other hand, if the banks used a certificate, then the user would authenticate themselves to their own browser only. There's nothing for a phisher to take advantage of.

    39. Re:Internet Darwinism by jawtheshark · · Score: 1

      I think that's the whole point of asking N digits from M digits (where N < M). The banking system never asks more than N digits. When suddenly M digits are needed, the customer should be wary.
      (Note: I use "digits" quite liberally. Usually it's alphanumeric.)

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    40. Re:Internet Darwinism by Anonymous Coward · · Score: 0

      > Also, worked fine in Firefox for me.

      The issue is not whether it works or not in FF. With IE, it is much easier to spoof URL information in the status bar, for example. That's why the OP said to use IE for the test.

    41. Re:Internet Darwinism by elronxenu · · Score: 1
      Your banking experiences are obviously a bit different from mine. I have used 3 internet banking systems here in AU and they all require only a username/password or similar to login. Only one asks for an extra "internet verifier". None of them ask for "N of M" digits of any identifier - in other words, the input necessary to successfully authenticate is the same every time. None of them use a client certificate. Perhaps you can see why I place so much blame on the banks.

      The scheme you referred to about the bank asking for "N of M" digits is fundamentally a challenge-response mechanism and it doesn't improve security for two reasons.

      Assume that the bank is asking for 4 consecutive digits out of 16. There are only 13 combinations of those - 16 if the digits can wrap around. Not having seen any of these systems I don't know if the bank is likely to ask for non-consecutive digits; offhand I think it might be considered too confusing for old people to use.

      First is the easy one - if a scammer captures everything you type, then tries to login to your online banking later, the scammer has a 1-in-13 or 1-in-16 chance of success. I would not be happy to know that only a 1-in-16 chance stood between a scammer and my money.

      If the digits required are non-consecutive, then the odds of the bank asking for digits which the scammer has reduce considerably to 1-in-43680. But the scammer can improve their information gathering by getting the sucker to try to login a few times.

      However the second reason that this does not improve security, and the really important one at that, is that there is no defense against a man-in-the-middle attack.

      The scammer could connect to your online banking website at the same time the sucker is at the scammer's website, relaying the bank's HTML output to the sucker while relaying the sucker's input to the bank. As soon as the sucker has authenticated, the scammer can "disconnect" the sucker from the bank website, and continue with the established session.

      This is the same technique that scammers use to get around captchas, those silly graphics which some websites use to deter robots. The technique goes like this: the scammer sets up a pr0n website, and anybody who wants to view the website must answer a captcha. But the captchas which are displayed for the pr0n website are obtained in realtime from a legitimate website which the scammer wants to access. The pr0n-viewing user sees the captcha, enters a code, the pr0n website has no idea whether the code is correct but it submits that input to the legitimate website and usually obtains access into the legitimate website.

      Getting back to the online banking, the fatal flaw here is that the user can authenticate using only information that the user can type in. The only way to prevent man-in-the-middle attacks is to use a client certificate; this will ensure that the online bank is talking directly to the user's browser.

    42. Re:Internet Darwinism by jawtheshark · · Score: 1
      > If the digits required are non-consecutive, then the odds of the bank asking for digits which the scammer has reduce considerably to 1-in-43680. But the scammer can improve their information gathering by getting the sucker to try to login a few times.

      Sorry that I wasn't precise enough. Yes, the digits are indeed non-consecutive. I thought that was obvious.

      The thing is: customers know that after three consecutive unsuccessful logins, they need to unlock their account by calling the helpline. A website that would allow you to try 4 times (the minimum required to get all digits) would immediately feel fishy. After all, they should have read the general conditions of their bank, and I can assure you that such a thing is explicitly stated in there. Yeah, I read mine... Go figure.

      To your keylogging remark: sorry, but once a computer is compromised that way, there is no way to have any secure transaction at all. Heck, for what it's worth, even with a certificate, the attacker could just extract it from the browser and send it to some email address for later usage. You cannot expect banks to make sure that the customer's machine is clean. I have my own certificate on 4 different machines, because I exported them myself. It's no problem at all, but a normal user wouldn't be able to do it. Again I refer to the general conditions: it's the responsibility of the client to keep his machine clean.

      I worked at a bank for their webbanking (mainly server side), and I know of an instance where a client complained that he couldn't get our webbanking working. After much analysing of our code, we couldn't find a solution. The bank was friendly enough to send a technician to that client (I must assume it was a big client) and guess what the problem was. The guy had a keylogger, and that broke our site. Glad to know that some keyloggers are buggy. After cleaning, our site worked just fine.

      Your man in the middle attack: It's been a while since I've read into this security aspect, but don't you need a compromised machine in order to do a man in the middle attack? (See general conditions again...) Or a compromised DNS? I should pick up Tanenbaum's "Computer Networks" again, because IIRC the man in the middle attack is explained there. Can this even work with https? How is the scammer going to simulate the bank without the certificate of the bank? Self-signed is pretty unlikely.

      From experience I know that clients are very paranoid. I remember a bug where we generated html in a popup (a calendar, I think) on the fly. In production this ended up in showing the client that there were "both secure and nonsecure items" displayed on the page. The hotline went red when that happened. (Escaped our quality testing... bad marks for us)

      Banks can do a lot to protect you. Not everything, since they are not able to control the machine of the client. A certificate on the client's machine is nice, but it locks you to one browser (well, not really, since you can export as I did, but this is beyond the reach of a normal user). So doing my ebanking while on vacation is absolutely impossible. Yes, it's safer and I'm glad that my main bank account uses this system, but it is damned user-unfriendly. I told this to the bank where I worked; the client-side certificate was turned down because of this. So was my suggestion of asking the password of the user on each transaction (as my main bank does). It's a tradeoff... I agree.

      It's not perfect, but it is as always a trade-off between security and user-friendliness. I'm not saying the solutions are perfect. Of course, you can always tell me what the perfect solution is... a solution where I can do ebanking from everywhere, even from a kiosk, and having near-zero risk.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
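Posts 41 and 42 above argue about the same numbers: how much a single keylogged login of an "N of M digits" challenge gives a replaying attacker, and how many observed logins it takes to learn the whole secret before a lockout policy bites. The following is an added worked example, not code from either poster or from any bank; it models the scheme abstractly (a secret of M symbols, the site asks for N positions drawn uniformly at random) with M=16 and N=4 as in the thread. It computes both C(16,4) = 1820 unordered position sets and the 16P4 = 43680 ordered sequences, since the replay odds depend on the unordered count (once the attacker has seen four positions and their values, the order in which a later form lists them does not matter), and it estimates by simulation how many random challenges reveal every position.

```python
"""Resistance of an "N of M digits" login challenge to a replayed keylog.

Added illustration for the discussion above. The scheme is modelled
abstractly: a secret of `m` symbols, each login asks for `n` positions.
Nothing here talks to any bank; all parameters are constructed.
"""
import math
import random


def consecutive_windows(m: int, n: int, wrap: bool = False) -> int:
    """Distinct runs of n consecutive positions out of m.

    For m=16, n=4 this is 13, or 16 if the run may wrap from the last
    position back to the first.
    """
    return m if wrap else m - n + 1


def position_sets(m: int, n: int) -> int:
    """Distinct unordered sets of n positions the site can ask for (C(m, n))."""
    return math.comb(m, n)


def ordered_position_sequences(m: int, n: int) -> int:
    """Ordered sequences of n positions (mPn; 43680 for m=16, n=4).

    Counting sequences overstates the attacker's difficulty: the form's
    ordering of already-captured positions is irrelevant to a replay.
    """
    return math.perm(m, n)


def replay_success_probability(m: int, n: int, consecutive: bool,
                               wrap: bool = False) -> float:
    """P(the next challenge asks exactly the positions captured in one login)."""
    if consecutive:
        return 1 / consecutive_windows(m, n, wrap)
    return 1 / position_sets(m, n)


def success_within_attempts(p: float, attempts: int) -> float:
    """P(at least one hit over `attempts` fresh challenges).

    With a lockout after three failures, `attempts=3` is what an attacker
    holding one captured answer gets before the account is frozen.
    """
    return 1 - (1 - p) ** attempts


def minimum_logins_to_learn_all(m: int, n: int) -> int:
    """Fewest observed logins that could possibly reveal every position."""
    return math.ceil(m / n)


def positions_learned(m: int, n: int, observed_logins: int, seed: int = 0) -> int:
    """Distinct positions revealed by `observed_logins` random challenges."""
    rng = random.Random(seed)
    learned: set[int] = set()
    for _ in range(observed_logins):
        learned.update(rng.sample(range(m), n))
    return len(learned)


def mean_logins_to_learn_all(m: int, n: int, trials: int = 2000,
                             seed: int = 0) -> float:
    """Monte Carlo estimate of the observed logins needed to learn all m positions.

    Random challenges overlap, so the realistic figure is well above the
    ceil(m / n) minimum: an attacker rarely gets the whole secret in four tries.
    """
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        learned: set[int] = set()
        count = 0
        while len(learned) < m:
            learned.update(rng.sample(range(m), n))
            count += 1
        total += count
    return total / trials


if __name__ == "__main__":
    M, N = 16, 4
    cases = {
        "consecutive run": replay_success_probability(M, N, True),
        "consecutive, wrapping": replay_success_probability(M, N, True, wrap=True),
        "arbitrary positions": replay_success_probability(M, N, False),
    }
    for label, p in cases.items():
        print(f"{label:22s} one-shot replay 1-in-{round(1 / p)}, "
              f"within 3 tries {success_within_attempts(p, 3):.3f}")
    print("ordered sequences:", ordered_position_sequences(M, N))
    print("minimum logins to learn all:", minimum_logins_to_learn_all(M, N))
    print("mean random logins to learn all:", round(mean_logins_to_learn_all(M, N), 1))
```

The take-away for a defender is that the scheme's strength against a single captured login is set by the challenge space (13 or 16 windows versus 1820 sets), while its strength against repeated capture is set by the lockout and by how slowly random challenges cover the secret; neither number says anything about the relay attack discussed in post 41, which the challenge space cannot address at all.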
  6. This is all very well and good, by DoraLives · · Score: 2, Insightful
    but it's like pushing down the bubble in a waterbed. We have a slithering, morphing target, and, now that I think about it, the target isn't the target.

    End users are the target and there's no way in hell ANYbody will ever change that little term in the equation.

    --
    Is it fascism yet?
  7. The best defense... by LegendOfLink · · Score: 4, Insightful

    ...is still the education of users. I can't tell you how many e-mails get stuck in our company spam filters that mimic phony PayPal accounts. You get that one user who thinks the message is real, and there goes your identity.

    1. Re:The best defense... by jacksonj04 · · Score: 0, Offtopic

      Argh, it's "spam" not "SPAM". SPAM is a foodstuff, spam is the email variety.

      --
      How many people can read hex if only you and dead people can read hex?
    2. Re:The best defense... by tehshen · · Score: 4, Interesting
      One of the things e-mail clients could use from Gmail is how it handles said PayPal phishes. It lets through the message, but puts up a big red box saying:

      > Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information.

      Which doesn't get in the way, and is startling enough to not be ignored. It makes most users think "Is this a real e-mail?", and if it's on some company network, they could ask for help and be told not to reply, then slowly learn not to by themselves.
      --
      Guy asked me for a quarter for a cup of coffee. So I bit him.
    3. Re:The best defense... by jlapier · · Score: 2, Insightful

      > the education of users

      I used to think this way too, but after 8 years in IT, I'd rather rely on technology than users (technology isn't much to rely on, but at least it can be reasoned with).

    4. Re:The best defense... by mu22le · · Score: 1

      Gmail's filter does not always work. It could still be a fake, even if no warning comes up.
      Beware of false sense of security.

    5. Re:The best defense... by ankhank · · Score: 1

      Nice .sig
      ----------
      Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information.

  8. gotta be safe, No phishing here by Anonymous Coward · · Score: 0

    gotta get a http://shinyfeet.com/ account, their technology detects phishing sites and removes the threat and flags the email.

  9. Internet Darwinism-Password passed away. by Anonymous Coward · · Score: 0

    "You bank is never going to ask you for your account number over email. They already have it!"

    A couple BSOD's should take care of that problem.

  10. I'm sure Winnie the Pooh will.... by i_want_you_to_throw_ · · Score: 1

    appreciate any techniques you may want to offer on how to phish out honey. Damn bear always getting his head stuck.....

  11. Mirrors by Anonymous Coward · · Score: 5, Informative
    1. Re:Mirrors by c0ldfusi0n · · Score: 0

      Canada - http://honeynet.ihackedthisbox.com/

      Am i the only one who sees some kind of irony in there?

      --
      A computer makes it possible to do, in half an hour, tasks which were completely unnecessary to do before.
    2. Re:Mirrors by Anonymous Coward · · Score: 0

      Is there a -1 Overkill mod?

  12. Re:Was I the only one... ? by AtariDatacenter · · Score: 5, Funny

    The write-up certainly seems more threatening in the alternative context...

    Also with regards to the speed of such attacks, "fisting attacks can occur very rapidly, with only limited elapsed time between the initial intrusion and a fisting..."

    Ouch!

  13. This is getting really frustrating by AT-SkyWalker · · Score: 4, Interesting
    I've noticed that the number of messages I'm getting from Paypal and EBay are increasing dramatically.

    The problem is that they are pretty organized; you get one, then a follow up, then a final warning and so on. I can imagine that a majority of Mom and Pop type users finally succumb to these sorts of attacks since they seem to be pretty coherent!

    1. Re:This is getting really frustrating by LordSnooty · · Score: 1

      > Mom and Pop type of users finally succumb to theses sort of attacks since they seem to be pretty well coherent !

      All the phishers have to do is buy a dictionary, and start spelling their mails right, and I believe they'll hook a lot more victims.

  14. Bad definition. by Chmarr · · Score: 4, Insightful
    From the article:

    > The term phishing ("password harvesting fishing")...

    "Password harvested fishing"??? What a crock! The 'ph' is just a 'cooler' version of an 'f'. Like 'phreaking' or 'phat'.

    Someone clearly tried to figure out where the term came from, and completely missed the obvious :)
    1. Re:Bad definition. by i.r.id10t · · Score: 1

      Pretty sure phat is "pretty hot and tempting"...

      --
      Don't blame me, I voted for Kodos
    2. Re:Bad definition. by VE3MTM · · Score: 1

      Wrong again. It came from Brian Phish, a con man who stole credit card numbers in the 1980s. Or at least, that's the most likely theory.

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 Whoops, silly middle mouse button...
    3. Re:Bad definition. by mrmagos · · Score: 1

      According to this wikipedia article, it may come from that, or it may not.
      It seems unclear if Brian Phish even existed.
      Though the backronym from TFA is supported as well.

      --
      Never start vast projects with half-vast ideas.
    4. Re:Bad definition. by Anonymous Coward · · Score: 0

      And how do you think, this guy got his name?

    5. Re:Bad definition. by burns210 · · Score: 1

      But wikipedia is a joke of a reference. Anyone can edit the article prior to linking to it and change the intent or wording to fit their argument.

    6. Re:Bad definition. by greed · · Score: 1
      And the 'ph' in phreaking has nothing to do with the phone? I don't think we had cool letters when phreaking first got started.

      Not to deny the probability that "password harvesting fishing" is a backformation.

    7. Re:Bad definition. by Chmarr · · Score: 1

      Agreed that 'phreaking' was likely from 'phone phreaking'. I wasn't exactly very exploratory with my complaint :)

      But... 'password harvest fishing' is totally bogus.

    8. Re:Bad definition. by snorklewacker · · Score: 1

      There was a fellow named Gully McLaren who was so credulous that his name became synonymous with his tendency to believe anything. That's where the word "gullible" comes from.

      --
      I am no longer wasting my time with slashdot
    9. Re:Bad definition. by Ibiwan · · Score: 1

      Really!??

      --
      -- //no comment
    10. Re:Bad definition. by coopex · · Score: 0

      Oh c'mon, you just think we're gullible enough to believe anything.

      --
      The road to hell is paved with good intentions.
  15. mod parent up by Anonymous Coward · · Score: 1

    I don't understand the -1 Flamebait mod. He said what the guy at +5 said, only he didn't wrap it in bullshit to make you feel good inside. The fact is that the parent is absolutely right.

  16. not a dupe by Anonymous Coward · · Score: 1, Informative

    It's not a dupe, you dupe. Your 'original' is actually a different paper altogether.

  17. They're getting MUCH better at it by DG · · Score: 5, Insightful

    That might have been true once upon a time, but the phishers are getting VERY good at hiding their phish.

    I've seen a PayPal phish that was very sophisticated, doing things like putting bogus info into the URL bar, duplicating the layout of PayPal's site EXACTLY... it turned out to be very difficult to spot the smoking gun - I had to go look at the raw HTML to find it.

    Had I not been as paranoid as I am, it could have easily suckered me.

    Read the article, and follow some of the links to the actual attacks. It's amazing how good they are. (It's equally amazing that a web browser would do anything on link mouseover EXCEPT show the real target of a link!)

    Yes, there are plenty of stupid people - some people actually buy products from spam, or send money to Nigeria, etc etc. But the quality of the phishers is getting so good that it is hard to tell (in some cases) what is valid or what is not.

    DG

    --
    Want to learn about race cars? Read my Book
    1. Re:They're getting MUCH better at it by Anonymous Coward · · Score: 0
      > but the phishers are getting VERY good at hiding their phish.

      Mod Parent up. Plenty of women lately have been hiding their fish between their legs and also managed to take my money while they are up to their nefarious deceptive plans.

    2. Re:They're getting MUCH better at it by tomhudson · · Score: 1
      > It's equally amazing that a web browser would do anything on link mouseover EXCEPT show the real target of a link!)

      it's a javascript one-liner ... or for those too lazy/dumb/whatever, just a url that goes to a referrer to bounce the click elsewhere (like a lot of goatse.cx links were using google's "I feel lucky")
    3. Re:They're getting MUCH better at it by Al+Dimond · · Score: 1

      > (It's equally amazing that a web browser would do anything on link mouseover EXCEPT show the real target of a link!)

      Absolutely! It amazes me that web browsers are so willingly stupid. That's why I use something like Links or Lynx for certain browsing tasks. Unfortunately, even Links has javascript these days... so I'm probably just relying on security by obscurity to some degree.

    4. Re:They're getting MUCH better at it by DrEldarion · · Score: 4, Insightful

      That's the thing, though. It doesn't matter HOW official it looks, people should ALWAYS distrust anyone asking for sensitive information like that. The majority of people are FAR too trusting.

      The advice I always give people is if it looks like it could be real, call the company and check. Not one has been real so far.

    5. Re:They're getting MUCH better at it by Anonymous Coward · · Score: 1, Funny

      > Yes, there are plenty of stupid people - some people actually buy products from spam, or send money to Nigeria, etc etc. But the quality of the phishers is getting so good that it is hard to tell (in some cases) what is valid or what is not.

      Maybe you should just admit that you are almost too stupid to be on the Internet?

    6. Re:They're getting MUCH better at it by CrashPoint · · Score: 2, Interesting
      In my experience, the best quick-and-easy way to spot a PayPal phish is to check the salutation at the beginning of the email. If it addresses you as "Dear Valued PayPal Customer" or some such, it's definitely a phish. PayPal always addresses you by name in their emails.

      This, I have found, is not only an easy way for us geeks to spot phishers, but a way we can easily explain to non-geeks how to spot them.

    7. Re:They're getting MUCH better at it by Anonymous Coward · · Score: 0

      Dude, look at his Slashdot UID number

      I think he *invented* the Internet!

    8. Re:They're getting MUCH better at it by mangu · · Score: 1
      > the quality of the phishers is getting so good that it is hard to tell (in some cases) what is valid or what is not.

      I generally use the street metaphor. Do not give any information over the internet that you wouldn't give to a stranger who approaches you on the street.

      There will always be phishers who will be able to get at least some victims. Just as there are people who commit fraud without using the internet. Some are very good at what they do, like Victor Lustig, who sold the Eiffel tower in 1925 -- twice. One of Lustig's scams, the horse betting office, inspired the 1973 movie "The Sting".

      I believe that it's not the quality of the phishers that makes them dangerous. What makes the internet so particularly attractive for con artists is the fact that it works so well as a search engine for victims. Traditionally, the con artist's biggest job was looking for a victim; today they send an email to thousands of people and the gullible ones come forward voluntarily.

    9. Re:They're getting MUCH better at it by daviddennis · · Score: 1

      Don't rely on this.

      I get spam emails addressed to "David Dennis" all the time.

      It would not be difficult for someone to emulate real PayPal emails much better than is currently being done, and as the law of diminishing returns impacts this kind of attack, I'm sure it will happen.

      It used to be that you could reliably identify these attacks just because of their abysmal English, but that's become less true in the past few months.

      What's foolproof is this: Anything asking for you to type in your ID and password is bogus, unless you go directly to that site to type it in, or unless it's the end of an eBay auction and you're being asked for payment that you already know you owe.

      D

    10. Re:They're getting MUCH better at it by Anonymous Coward · · Score: 0
      > ...or unless it's the end of an eBay auction and you're being asked for payment that you already know you owe.

      It might be possible for those who don't play nice to first parse eBay and vacuum up winning bidders' relevant info.

      So long and thanks for all the phish. -g

  18. It can be quite difficult to resist by what+about · · Score: 4, Interesting

    I got an email stating that an order had been placed with my name and it was being delivered. Now, I have two choices:

    Do nothing and maybe allow some delivery of goods that I do not want (I am in the UK, not the US) and then have to return them or anyway cancel the payment (can be difficult if made by debit card), even if the crook got the numbers from looking at you at the supermarket.

    Have a look and see what it is about.

    The e-commerce site was a trojan installer; it didn't work since I use Opera and have ActiveX disabled. (Quite interesting, all the techniques they used.)

    The point is that sometimes it is quite difficult to know if something is legitimate or not, and to me the only solution is to have less whizbang applications and more reliable ones.

    No activex, plain HTML browsing.

    Banks should NOT use funny addresses for part of their pages, just one clear address.

    No magic jumping between applications, no magic installing, make it painful to install something taken from the network !

    1. Re:It can be quite difficult to resist by Slashcrap · · Score: 2, Interesting

      > I got an email stating that an order had been placed with my name and it was being delivered. Now, I have two choices:

      Sorry, I fail to see why this is a problem. I mean you knew you didn't order it, right?

      So fucking what if something turns up at your door? I'd be like "Great! Free stuff!".

      Do you think that someone would steal your card details and then use them to order something for you? It doesn't seem likely to me.

      Why couldn't you just check with your bank or credit card provider? I would expect them to be able to tell me if someone had ordered something with my card. I'd hardly waste time reverse engineering the website.

    2. Re:It can be quite difficult to resist by rkhalloran · · Score: 1

      I wouldn't have bothered checking the bogus e-commerce site; I'd have checked with my bank for any fraudulent charges, put them in dispute and have them issue me a fresh card # if so, and if anything actually *did* show up at my door, keep it.

      And in Thunderbird, the fake addresses on the phishing attempts that get through the spam filters show up when I hover over them. Then I nuke 'em. You're using the wrong mailer...

    3. Re:It can be quite difficult to resist by budgenator · · Score: 1

      I know if someone sends you something you didn't order in the US, it's a gift, but it's not safe to assume the gift rule in other countries. By sending you something they are possibly making it appear that it was a legit order when that is not the case. If the clowns on the infomercials can make money by sending trash, refunding the purchase price and keeping the "Shipping and Handling Fee" and then abandoning the goods on site, then selling stuff with stolen CC details should make money too.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    4. Re:It can be quite difficult to resist by fermion · · Score: 1

      One of the biggest security threats is the proliferation of HTML email. All the free mail services want it so they can track email and advertising. However, if we treat email like the untrusted media it is, and turn off HTML, 99% of the threat is destroyed. Half the time the message is so hidden in tags that the message is not even legible. No legitimate firm would do that.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  19. Hmm, can't be bothered to read TFA fully but... by Anonymous Coward · · Score: 0, Troll

    this whole honeynet project seems really spooky to me and actually quite intrusive.

    There seems to be an awful lot of people now jumping on the security bandwagon and offering security services, security auditing, anti virus, anti spyware etc etc etc. I know honeynet have been around for a while and claim to be a non-profit org, but who actually nominated them to bait these people into acts of cyber crime ?

    Baiting in law enforcement circles is an incredibly controversial subject, especially where things like potential sex offenders are concerned.

    I'm not really sure I like the idea of honeypots to attract, spy on, record and potentially convict people.

    The best way forward with all of these security matters IS education, not a pre-emptive style thought police roaming the net.

    Personally I put honeynet's morals on about the same level as phishers.

    1. Re:Hmm, can't be bothered to read TFA fully but... by xnderxnder · · Score: 2, Insightful

      Huh?

      Maybe you should read TFA, especially if you're comparing them with a bunch of criminals..

      What I've read of the Honeynet projects, they set up a network of easy marks and record and examine what traffic they receive. In the case of spammers/phishers, they blast their crap across the net already - it's not like the Honeynet is their only target or its existence is influencing when a phish-run is made.

      It's not entrapment. It's research.

      --
      hooked up funny
    2. Re:Hmm, can't be bothered to read TFA fully but... by Anonymous Coward · · Score: 0

      How about a televised execution of a few caught "phishers"?

  20. Re:Mirrors - New Zealand? by CHESTER+COPPERPOT · · Score: 0

    New Zealand doesn't have a mirror cause they are after a different kettle of fush - namely, phushers. Which is kinda like phishers but related to the orcs of mordor.

  21. Speed? by csk_1975 · · Score: 1

    this speed can make such attacks hard to track and prevent

    Speed? Speed doesn't seem to be a requirement for a successful phish. I've given up complaining to ISPs who are hosting phishing sites because there seems to be no action taken against them. Sure if the site is on a compromised server in Korea or Vietnam I don't expect much, but when it's a mainstream US ISP it's a bit disheartening to get either an auto-responder or no response and then see that the site is still up weeks after bothering to tell them.

    1. Re:Speed? by sharp-bang · · Score: 3, Insightful

      Try complaining to the bank or other business being targeted, and identify the ISP in your complaint.

      As papers like this one reveal the methods of phishers, it's going to be much more difficult for ISPs to claim ignorance of the problem, because knowledge of tools and methods contribute to standards of due care from which liability arises. The threat of legal action might improve the overall response.

      --
      #!
    2. Re:Speed? by csk_1975 · · Score: 1

      Try complaining to the bank or other business being targeted, and identify the ISP in your complaint.

      I do/did. For example here is a link to a submit form that is used in a paypal phish to collect credit card and account details. It then redirects to the real paypal logon using the phished credentials. I advised Yahoo (the ISP) and Paypal a month ago and the site is still up.

  22. Strange Phenomenon by Nytewynd · · Score: 5, Insightful
    One thing I don't understand about phishing is why it works so well. I imagine it is probably just the volume of the attacks, so they are more likely to catch an idiot than in the past.

    Consider:
    1. Most people wouldn't give out a credit card number randomly over the phone
    2. Most people wouldn't return junk mail that asked for a social security number
    3. Most people wouldn't walk up to a complete stranger on the street and hand them their ATM card and PIN

    I think computers mystify older people to the point where they lose their mind. I see it in general. My friend's father-in-law had a "computer question" for me about ebay. He wanted me to tell him how to determine the price he should sell something for. I tried to explain to him that his question had nothing to do with ebay itself, but he was so caught up in the process of selling on ebay, he was totally confused.

    Maybe phishing works so well because some people are so confused by computers in general, they simply assume that their bank would ask them for this information over email (from an account named bank_stealer@hotmail.com).

    Dealing with this kind of leads to the appropriate saying:

    You can give a man a fish and feed him for a day, or teach him to fish and feed him for the rest of his life.

    You can't get rid of phishing by blocking sites. You have to do it by educating people not to enter their info.
    --
    /. ++
    1. Re:Strange Phenomenon by Anonymous Coward · · Score: 0

      Older people, often on heavy and varied medication, and perhaps with their own mental faculties and memory deteriorating, are especially vulnerable to this sort of thing, hence they are conned out of millions every year by dodgy companies claiming they have won a million pounds/dollars/euros and if they can just send 50 pounds/dollars/euros to collect their prize.

      It's really really nasty and a big problem in the UK where many elderly people really genuinely believe they are winning all this stuff and are sending sometimes dozens of cheques a week to claim their prize.

    2. Re:Strange Phenomenon by Al+Dimond · · Score: 1

      Most people don't respond to phishing e-mails, it's just really easy to send a lot of them for cheap. I don't know whether there's a higher success ratio for phishing e-mails than for analog-type scams; however, I do know that I've read of studies where people claimed to be doing a study on passwords and security and gathered many peoples' passwords in person off the street.

    3. Re:Strange Phenomenon by sharp-bang · · Score: 2, Informative

      According to this Gartner study (warning: PDF), the success rates for phishing are between 3-6%, similar to those for spam. It's a volume business.

      --
      #!
    4. Re:Strange Phenomenon by Anonymous Coward · · Score: 1, Insightful
      There is one major difference - the economics of spam, specifically how cheap and anonymously junk mail can be sent out.

      You are right, phishing is not a problem over the telephone, but supposed a crook had these abilities:

      1. The ability to send out hundreds of thousands of phone calls daily
      2. Each of these thousands of calls would be made by someone that sounds somewhat professional, specifically as professional as phishing web sites look
      3. Pretty much absolute anonymity (in other words, they could not be traced to their mother's basement)
      If crooks had the above abilities, phishing would be just as prevalent on telephone as it is by spam.
    5. Re:Strange Phenomenon by Have+Blue · · Score: 3, Insightful
      It's not that simple. Consider the following situations:
      1. You receive a phone call. The caller ID says it is from a firm you do business with frequently. The caller informs you that there is a problem with the credit information for your most recent order, and that you must provide it again. Maybe you really do have a most recent order with that company, and it's plausible that human error somewhere in the process resulted in your CC info getting damaged (the order was placed over the phone, or in person). Maybe this is for a pretty important item that you can't spend extra days waiting for if there really is a problem with your order.
      2. You receive a letter on what appears to be official government letterhead, with a return address that could plausibly be a government office in the state capitol. The letter informs you that you are in danger of noncompliance with obscure regulations, and includes a form to fill out so that the agency will, for a small fee, send you materials you need to remain in the clear and avoid harsh penalties.
      3. You are standing in line at a bank waiting to see a clerk. A person approaches you wearing the uniform of a bank employee and carrying papers that look like bank documents and offers to help you. He leads you to an empty desk and walks you through the task you would like to have performed, and tells you the process will be completed in a day or two. You leave without noting his name.
      All of these situations could easily occur in real life and all of them could easily be scams. Unless you are automatically paranoid at all times or willing to go out of your way to spend time on verification, chances are you'd fall for at least one of them. We got one of the second type at work the other day- it was very convincing, and in all honesty if it was my responsibility to handle it I would have been taken in.
    6. Re:Strange Phenomenon by dioscaido · · Score: 2, Insightful

      1. Most people wouldn't give out a credit card number randomly over the phone

      I'm going to have to disagree with you on this one. I think a phone call would have even more weight than an official looking e-mail, and naive people would happily supply their account information. Especially if you work off of the phone book, you could call and say "mr. So and So, we show we have an account with you, at XXX address. As the first step in our verification, please verify your account number. (proceeds to ask for the number)"

    7. Re:Strange Phenomenon by Scorchio · · Score: 1

      It's true that most phishing attempts appear obvious to the not-so-untrained eye, following the familiar pattern of "There's a problem with your account; please log in here to verify your details".

      However, I receive the occasional promotional email from my bank, and have previously used the links provided to log in, purely because getting the email reminded me about a bill I need to pay, or that I need to check if a payment has been received or something. It was only afterwards I realised what I'd done, and then made damned sure the email and links I'd used were genuine. They were, but it could so easily have not been.

      My point is that not all phishing emails will come from "chase_bank_182736abc@hotmail.com" and specifically ask you to log in to verify details. Just because you can spot an obvious attempt doesn't mean you'll notice a well disguised one. The safest approach is to never use any links provided in emails, no matter how convenient they are. With that in mind, I'm surprised banks still send out genuine emails containing log-in links.

    8. Re:Strange Phenomenon by chuck · · Score: 1

      You can give a man a fish and feed him for a day

      Or you can teach him to phish, and he should be set for life.
    9. Re:Strange Phenomenon by snorklewacker · · Score: 2, Informative

      > 1. Most people wouldn't give out a credit card number randomly over the phone

      You'd be very surprised. Phishing is a variation of a scam that has been around as long as the telephone. Ever heard of the "bank examiner scam"? Hell, some brave souls were probably even doing it door to door before then, though it's easier to do charity scams that way.

      --
      I am no longer wasting my time with slashdot
    10. Re:Strange Phenomenon by Anonymous Coward · · Score: 0

      Most people wouldn't give out a credit card number randomly over the phone

      mmm, I think I disagree with this. Most people will give out credit card information over the phone, or over the internet, if they think it is related to any purchase, or any of a variety of other activities which require such information.

      Thats the reason the "social engineering" scams work. People are used to giving out such information.

      Maybe it is time that we oppose all those businesses which require credit card numbers or SSNs for identification purposes.

      Thomas
    11. Re:Strange Phenomenon by Anonymous Coward · · Score: 0

      "Unless you are automatically paranoid at all times"

      looks like I'm safe

    12. Re:Strange Phenomenon by Cro+Magnon · · Score: 1

      3. Most people wouldn't walk up to a complete stranger on the street and hand them their ATM card and PIN

      Well, normally I wouldn't, but he seemed like a nice man, and he promised he'd return my card after he was finished with it.
      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  23. Researchers by Lord_Dweomer · · Score: 1
    In other words...

    HoneyNet Developers: "Holy shit, it actually WORKED! Quick, submit a story to Slashdot!"

    --
    Buy Steampunk Clothing Online!
  24. New Phishing Technique ... by tomhudson · · Score: 2, Insightful
    After reading TFA, it strikes me that the easiest way to get personal details is to set up a honeypot, allow it to be "compromised" by phishers, and log all the data their victims post to your honeypot (before modifying it so that the phishers don't get valid data).

    This way, the phishers are doing all the hard work (mass email spam, etc), and getting none of the benefit.

    The article even goes on to tell you what tools to use ... so expect this to be the next level of phishing scam.

    I'm almost tempted ... must resist the dark side ... do you think we can get the phishers to offer up free pr0n? [tt]

    1. Re:New Phishing Technique ... by budgenator · · Score: 1

      Well partner today's your lucky day, all of the free p()rn you can stand, from all of the best sites like goatse.cx, tubgirls and even lemonparty is yours for absolutely free! All we need is a valid credit card number, expiration date purely for age verification and your valid E-mail address!

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
  25. Easier way by int999 · · Score: 3, Insightful

    What prevents someone from simply setting up an online store site, complete with pictures of items and everything, and with rockbottom prices? Run it for a week, collect credit card numbers from orders, then close shop. If you do it right, it can be untraceable.

    1. Re:Easier way by jeffmeden · · Score: 1

      That's preposterous. The only thing you could usefully do is try to skim money off each card one at a time, in an inconspicuous way. It's not hard to trace credit card activity though, and you will get caught before long.

    2. Re:Easier way by Anonymous Coward · · Score: 0

      Actually, this happens all the time, along with variants (like eBay fraudsters). In the US, such activities are against "mail fraud" laws and are usually taken relatively seriously by local law enforcement. The problem is most often finding the offender's location so as to notify said law enforcement.

  26. Real phishers getting a bad rap... by astroman74 · · Score: 1

    All these stories that have recently surfaced have caused grief to the innocent, the original phishers or phishheads as most are referred to. My boss, who knows I used to go to phish shows, just asked me about all the phishing stories in the news. Was kinda funny explaining to him that a phish-head http://phish.net/ or http://phish.com/ has nothing to do with these stories.

  27. weird coincidence by CoffeeJedi · · Score: 1, Interesting

    i got my first phish email this morning trying to get my paypal info; the link went to an ip address in Korea

    within minutes, i browsed to slashdot and saw this was the current top story

    creeeeepy

    --
    May you be touched by His Noodly Appendage. RAmen.
    1. Re:weird coincidence by Anonymous Coward · · Score: 0

      I *know* dude!

      Similar thing happened to me. I used google on, like, saturday or something and then I go look at slashdot today, and there's this story about google a couple hours ago.

      SPOO0OKY!!!!!1!

  28. gmail definitely agrees that... by museumpeace · · Score: 1

    "phishing attacks "are becoming more widespread and well organized"...
    No s**t! The Gmail "more options" pull down originally had a "report phishing" option...I just noticed yesterday [while noting 12 notices from paypal and ebay accounts I do not have] that they changed the option to read "report NOT phishing" after you have marked one email as a phishing attempt. It looks as if the majority of spam I get is now phishing spam. If you do use the "report" options make sure you are sending the right message because Google may have changed it in reaction to your input.

    --
    SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
  29. Don't deal with eBay, PayPal, or WAMU by Animats · · Score: 1

    There are so many scams associated with eBay, PayPal, and Washington Mutual that it's not worth dealing with any of them. Until those big companies figure out a way to stop this stuff, take your business elsewhere. That will create political pressure to fix the problem. Let their lobbyists on K street work the problem.

    1. Re:Don't deal with eBay, PayPal, or WAMU by budgenator · · Score: 1

      scams associated with eBay, PayPal, during the last/current recession, eBay was reported to account for 25% of the retail activity (not online retail but retail period) in the US which means a lot of eBay and PayPal accounts to be hit by random emails

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    2. Re:Don't deal with eBay, PayPal, or WAMU by rtechie · · Score: 1

      Actually, this is very good advice. Just like popular operating systems (i.e. Windows) are more likely to be the target of viruses, these popular services are more likely to be associated with fraud. I avoid PayPal and WAMU for exactly this reason.

  30. Is E-mail Dead Yet? by D_Lehman(at)ISPAN.or · · Score: 0

    The question at this point should be whether or not e-mail is long past its due. Spam, virii, and scams are the super-majority of inboxes now. We keep fighting the problem, but for what? I don't know about many of you, but 99% of the e-mail I do want to read is from an automated sender telling me my finances or system status or such.

    These could easily be handled more securely by SSL encrypted RSS feeds. The other 1% are people who I already know how to contact outside of e-mail.

    I think most (probably not all, you always find some) realize that gopher has long since retired. Maybe it's e-mail's time to retire and move from the old dot-com "push content" pipe dream that was only realized as a reality for e-mail, and move to a pull content method (read: unspammable without consent) like personal RSS feeds and GPG/PGP encrypted messages. In that model, you would simply subscribe to all your friends' feeds, and when your system detected a message encrypted to you, it would display it. Or, for automated services, a bank could use SSL RSS feeds to notify customers of immediate issues with their accounts. Certainly this is infinitely more secure than plaintext e-mail that could be a phisher or read by anyone along the line.

    --
    Cleaning the net one sed at a time! s/sex/sermons/; s/hot/holy/; s/goats/thebible/; www.holysermonswiththebible.com
  31. Re:I'm sure Winnie the Pooh will....Poor Bear... by davidsyes · · Score: 1

    In Soviet Russia, HONEY nets YOU!

    --
    Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
  32. If only banks weren't part of the problem.. by slashkitty · · Score: 1
    Banks have been very slow at educating their users. They still have a number of problems with their email and website policies. For example:
    • Chase.com lets you log in from an insecure webpage (the homepage) with a fake "security lock" image to make you think it's safe. This site is vulnerable to man in the middle attacks and does not educate users to only log in from a site that says https://chase.com/
    • Some banks / credit cards use generic domains for logging on. Citibank uses a domain called "accountonline.com" to log in their users. Use one domain please.
    • Promotional emails use 3rd party to track clicks. Bankone uses a domain called bfi0.com redirected to https://online.firstusa.com/bank/ to track clicks from email. I honestly couldn't tell if that was real or fake. It asks for SS & card number, a sure sign of phishing. It looks faker than most phishing emails I get. I honestly thought it was fake till I researched the site.
    --
    -- these are only opinions and they might not be mine.
    1. Re:If only banks weren't part of the problem.. by ArtStone · · Score: 1

      An even more basic security issue.

      In order to successfully login, you need two pieces of information - the userid and the security credential (password or PIN).... If you make either part "easy", you've compromised the value of the other part.

      Many banks have set up their web sites to use either the social security number or the ATM/Debit card number as the userid. Sure, it made for fewer problems getting their customers onto the web site, but it greatly simplifies the task of breaking in.

      Another issue that people without a security mindset don't understand or appreciate is to not use the same password on two different authentication schemes. If you use the same password for everything, and one of the passwords is compromised (maybe not even something you did), then all of your other accounts are now at risk. Stop the damage at the first point and prevent it from cascading. Having someone's Social Security number is a useful step for way too many future problems.

      --
      Final 2006 "Proof of Global Warming" US Hurricane Count -> 0
  33. Simple Question maybe by Stan92057 · · Score: 1

    How hard would it be for hosting companies to scan their web sites for false bank names or ebay names, or for ISPs to scan for them and block them?

    --
    Jack of all trades, master of none
    1. Re:Simple Question maybe by Anonymous Coward · · Score: 0

      Netcraft already does this. There may be others. Domain registrars are ideally positioned to nip this in the bud. The problem is that there are lots of phishing methods that don't rely on the domain name to spoof users.

  34. fatigue... by YesIAmAScript · · Score: 1

    It works today, because you haven't seen it much before. IE's box "are you sure you want to install/download this?" used to work before, when it was new. But it becomes part of the process after a while. You click yes automatically. It's just fatigue. You can't remain vigilant all the time.

    --
    http://lkml.org/lkml/2005/8/20/95
  35. It would have been funnier... by Anonymous Coward · · Score: 0

    It would have been funnier if you replaced "Damn bear" with "Silly old bear".

  36. Rent a botnet here! by Animats · · Score: 3, Interesting
    You, too, can run a phishing scam. You'll need a botnet, bulk-friendly hosting, and bulletproof credit card processing. And you can get them all here.

    Yes, "Specialham", the spammer hangout, is back! "SpecialHam is the premier online destination for email marketing professionals." With great new topics like "What are the most anonymous ways to transfer money".

    That site seems to be aimed at low end and clueless spammers.

    Further up the food chain, we have Black Box Hosting. "Fully featured bullet proof dedicated server. Allows direct mailing and website hosting. All our plans allow Adult, Gambling and Pharmacy Content." They also offer "Mailing Servers". You have to supply your own list of proxies, and your own bulk mailing program. They recommend DarkMailer.

    So you go on Specialham and rent some open proxies. Then order a mailing server and a web server from Black Box Hosting. Run your scam. Launder the money through an offshore credit card processor. Profit!

    What we really need in honeynets is for about 10% of these support operations to be sting operations run by law enforcement. That would make phishing and spamming a much higher risk operation.

  37. I think you are missing the point... by Anonymous Coward · · Score: 0

    phishers aren't just sending the emails to customers, but anybody in their email lists. The companies that they impersonate are simply chosen because they are popular. How in the world would not doing business with PayPal help to fix the problem? Will that make them less popular? And in turn make somebody else more popular? And then they will become the new target? The problem doesn't belong to the affected companies alone, it is something that affects the whole internet.

    A possible solution (not well thought out, just off-the-cuff) would be to have a distributed database of phishing URLs that gets updated via a button press in the most popular email clients (web-based and desktop). Then on the server level, emails are checked for a match and flagged as such or deleted. Now, I know that this would add a load to servers and networks, etc. But something needs to be done to stop it.

  38. Gmail deserves a hand by Anonymous Coward · · Score: 0

    I noticed today that Gmail has now started blocking the phishing emails that it already detected (putting them in the Spam folder). When you open one in the spam folder and open up more options, there is the option to report it as NOT PHISHING.

  39. Paypal Scams by zippthorne · · Score: 1

    Scams involving paypal are easy to spot. They're using paypal. If the CC's don't trust someone enough to give them a point-o'-sale, why do you?

    Paypal's customer list is exactly a list of people foolish enough to fall for the convenience argument. (And yes I was that foolish. I was too lazy to have myself removed. Fortunately I never actually linked it to any

    --
    Can you be Even More Awesome?!
  40. Start using LYNX or quit clicking email links. by iamcf13 · · Score: 1

    If you are HTML savvy, just compare the href URL with the displayed url, if they don't match, you are likely being phished. End of story.
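A defender-side check that mechanizes the href-versus-displayed-URL comparison above, and also flags the third-party tracking and plain-http login links slashkitty complains about in comment 32. This is added example code, not from the original thread or the Honeynet report; the sample HTML, the domains bank-example.com and tracker-example.net, and the crude last-two-labels "registered domain" rule (no public-suffix list offline) are all assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML mail body mixing genuine and suspicious links.
# Hosts are placeholders, not real sites.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="http://203.0.113.7/secure/login">verify your account</a>.</p>
<p>Or visit <a href="https://bank-example.com.evil-tracker.example/x">https://bank-example.com/login</a></p>
<p>Genuine notice: <a href="https://online.bank-example.com/bank/">https://online.bank-example.com/bank/</a></p>
<p>Click tracker: <a href="https://click.tracker-example.net/r?u=123">Log in to online banking</a></p>
"""

# Domains the bank actually owns (assumption for this example).
EXPECTED_DOMAINS = {"bank-example.com"}

_URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like_url(text):
    """True when the visible anchor text itself reads as a URL or bare host."""
    return bool(_URL_LIKE.match(text.strip()))


def host_of(url_or_text):
    """Host part of a URL; bare 'www.host.tld/...' text is treated as a URL too."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    try:
        return urlparse(s).hostname or ""
    except ValueError:
        return ""


def registered_domain(host):
    """Crude approximation: last two labels (assumption; a real tool uses a public-suffix list)."""
    host = host.lower().rstrip(".")
    if re.fullmatch(r"[\d.]+", host):  # raw IPv4 literal: keep whole
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze_links(html, expected_domains):
    """Return one finding per suspicious link, in document order.

    Reasons recorded:
      "mismatch"    visible text is a URL whose registered domain differs from the href's
      "third-party" href's registered domain is not one the bank owns
      "insecure"    href is not https
    """
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        shown_host = host_of(text) if looks_like_url(text) else ""
        reasons = []
        if shown_host and registered_domain(shown_host) != registered_domain(href_host):
            reasons.append("mismatch")
        if registered_domain(href_host) not in expected_domains:
            reasons.append("third-party")
        if urlparse(href if "://" in href else "http://" + href).scheme != "https":
            reasons.append("insecure")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_links(SAMPLE_EMAIL, EXPECTED_DOMAINS):
        print(f"{', '.join(f['reasons']):22} {f['href']}  (shown as: {f['text']!r})")
```

The genuine online.bank-example.com link produces no finding; the other three are flagged, the second one precisely because the displayed URL and the real href disagree.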

  41. Testing by Anonymous Coward · · Score: 0

    txjejacl I think. Might be txjejad though. Is that a d or "cl"? Looks more like the latter, but the ugly font could mean it could be anything.

    Ok, didn't work. Let's try it with a "d". That might make sense.