How the Phishing Biz Works
Carl Bialik from the WSJ writes "Christopher Abad has spent much of the past six months 'stalking the phisher underground,' Lee Gomes writes in the Wall Street Journal. 'The typical phisher, he discovered, isn't a movie-style villain but a Romanian teenager, albeit one who belongs to a social and economic infrastructure that is both remarkably sophisticated and utterly ragtag. If, in the early days, phishing scams were one-person operations, they have since become so complicated that, just as with medicine or law, the labor has become specialized.' For instance, a phisher in Romania who successfully scores account information for someone in the U.S. may go on IRC to seek out a 'casher' to withdraw money from the target's account, and send a cut back to the phisher."
Looks like I caught a big one! A 12-lb FP!
They have the public hook, line and sinker because the public is overly uneducated on secure computing practices.
If only Macroshaft or any of the other major companies spent some money in educating the public about simple security measures (`format c:`, Pull out network cable, etc.), then maybe these guys wouldn't have as many people in the sea to phish.
I think it involves 3. ??? somewhere
Will wash cars for karma
But not as prettyful as... This Technology
http://www.sandstorming.com
Remember that that cold soldering iron "Cold Heat" you see advertised on TV late night was invented by Romanian immigrants.
And yeah I use the product it beats the shit out of older soldering irons.
If the Harvard Business School types who descended like vultures on the former eastern bloc countries hadn't worked so hard to savagely gut the social protection systems that were in place, there would not be so many criminals in those countries nowadays...
To state the obvious I'd suggest substituting "suckers" for "Americans".
Not trying to be funny, but it's people's innocence/ignorance that causes these problems. You don't have to be American to be stupid (despite some people's feelings on the matter).
Take the phrase "it's on the internet, it MUST be true" for example.
Life is like a box of chocolates, you never know when you're gonna get food poisoning.
I think the whole thing smacks of a kind of strange Soviet irony that is somehow like Mother Russia's revenge on America. We destroyed their way of life and now they are stealing from our grandparents.
Karma has a strange way of working itself out. Phishing still needs to be stopped and I think the best way to try and stop it is to start building systems that don't add links to emails. Use copy/paste form validation instead. Designing smart systems sometimes means taking the convenience out of it, but no matter what you do, there will always be dumb people who are fooled.
The dangers of knowledge trigger emotional distress in human beings.
I always thought that only old people would fall for these phishing and scam emails. The problem is, here in Brazil it's not like Korea: it is not so common to see old people using computers, especially for online banking. Then one day I met this beautiful, smart and young lady who lost a big sum of money when she got phished. I was surprised to see a real person that got phished. I think she could get it back from her bank, though. It was probably a national phisher, I don't believe it was a teenager from Romania.
"'The typical phisher, he discovered, isn't a movie-style villain but a Romanian teenager"
A Romanian teenager is a typical movie style villain. Haven't they ever seen Blade?
This comment reminds me of the many Europeans that were scammed by being convinced that they needed to "exchange" their old faulty currency before the "end of the day" with Euros.
Sadly, trusting people are often preyed upon.
Maybe you guys are getting these all the time, but I don't email much and just received my first phishing email. I never read or open anything if it looks even remotely sketchy, but this one was pretty good. I believed it for a few seconds, until I logged in to PayPal through a separate browser and verified no changes had been made to my account. I then forwarded the email to spoof@paypal.com as PayPal requests. They wrote back to verify that the email was a scam. Another giveaway was that every link in the email, including the phony email address, had the following URL behind them (I never clicked it, don't know what's there): h t t p ://linux.fal.pt/fundicao/img/cmd/index.html
Original message (I added spaces to URLs so they wouldn't be links):
From : PayPal Inc.
Sent : Tuesday, June 14, 2005 3:58 PM
To : my_email@hotmail.com
Subject : Unauthorized Access: (Routing Code: P101-K001-Q-P090)
You have added funstuff12@aol.com as a new email address for your
PayPal account.
If you did not authorize this change or if you need assistance with
your account, please contact PayPal customer service at:
h ttps://www.paypal.com/cgi-bin/webscr?cmd=_login-r
Thank you for using PayPal!
The PayPal Team
Please do not reply to this e-mail. Mail sent to this address cannot be
answered. For assistance, log in to your PayPal account and choose the
"Help" link in the header of any page.
PROTECT YOUR PASSWORD
NEVER give your password to anyone and ONLY log in at
h ttps://www.paypal.com/. Protect yourself against fraudulent websites
by opening a new web browser (e.g. Internet Explorer or Netscape) and typing
in the PayPal URL every time you log in to your account.
PayPal Email ID PP1507
So those who don't know exactly how their highly-computerized car works should not operate one? Should everyone who doesn't have a medical degree and fully understand the human body avoid medical care? Should everyone who doesn't fully understand the intricacies of their local, regional and national economies not participate in them?
sooo you're only supposed to open emails from people you know now?
I wan' to see the IRC-network, where one can "post" things.....
You should know your enemy. http://honeynet.org/papers/phishing/
The point was that many of us get viruses in emails from random people who we have never heard of.
Go to the w3.org and put Slashdot.org through the validator.
A little note to all you Romanian phishers:
I'd shove my dick down your throats over our country's name! Kisses and punches
The Digital Couture Collection
Are you advocating ignorance?
Honestly give a deep look at what you're saying. You're saying people should buy 30,000$ cars without looking into them. They should spend 1000s of dollars on medical treatment without reviewing the facts....
What next, buy a $250K house without first stepping into it?
I think a little knowledge in the respective fields [even if just for the purchase] could be a very GOOD IDEA.
Besides, if you knew how your car works you'd probably get more out of it. For instance, what's the tire pressure of all four tires? What's your current highway mpg? What are your emissions ratings? Are there any dents or damages to the car? etc...
Why would knowing those things be a bad idea?
As for medicine, if you knew how nutrition works you'd probably live longer and better. You wouldn't be at the doctors as often, etc...
So what? Should we all eat bigmacs all day because "knowing things sucks".
As for economies, if you're investing money why not just give it to me. I'll handle it for you. Why bother doing research. Why bother supporting local economies over foreign ones [e.g. walmart], etc, etc, etc.
You're seriously sitting there and saying "knowing things is a bad idea"...
Tom
Someday, I'll have a real sig.
I would like to add, that in an increasingly complex world, it's becoming more and more difficult to be an informed consumer and citizen. The latter, I think, was the reason for AM radio's comeback. A lot of folks needed someone to boil the issues down to soundbites for quick consumption - like it or not.
As for me, I find that simplifying my life, as much as I can, is helping me to cope. It also helps me live below my means.
I don't get your post.
... that's another story.
What I said is people who CHOOSE to be ignorant deserve what they get.
If you get ramrodded on some obscure piece of information that a reasonable person who attempted to cover their bases misses
If you're just too lazy to take a semester of "outlook for dummies" at your local state college... then why bother using a computer at all?
By your logic, anyone should be able to hop into a plane and fly around. After all, forcing training and knowledge on people is the act of a zealot crazy person.
Hell why stop there, let's give children weapons unsupervised because safety regulations [and knowing of them] is for chumps!
A lot of people simply are wilfully ignorant about how the tools they take for granted actually work.
What the fuck do they spend their time doing? I mean I go out and have fun [and do road trips, etc] yet I still managed to figure out how computers work.
I guess you're right, I must be a geniOUS.
Tom
Someday, I'll have a real sig.
It's one thing to insist that people bend over backwards to work within the constraints of poorly designed systems, but I think it requires a leap in logic to insist that the fault is entirely upon the user for not interfacing properly with those poorly designed systems.
People have difficulty learning technology because there is a tiered system of knowledge in anything computer/IT based, and understanding the technology at one level does not necessarily inspire one to learn the technology at a deeper level.
To use your analogy, there are users that know how to start and drive the car, there are users that know how to drive and also that they should be changing the oil once in a while, and finally there are users that can drive/race/fix/build their cars. The vast majority of the population would fall between the first two drivers. All know how to operate the vehicle, most probably know that they should be thinking about their oil, but about ¼ of them forget to do it on a regular basis.
There is very little encouraging the average driver to learn anything more about their engine than how to start it. The same is true in computers.
As soon as someone knows how to start up their PC, log-on to the internet and install applications, there isn't much need to dive deeper in the technology. The difference between a PC and a car is that the auto industry is required to provide easy to use protection to a driver. There is nothing similar in the PC world to protect Joe Average from himself and from others.
In my mind, this would be akin to auto-manufacturers requiring that a driver turn on their airbag every time they wanted to use it. It's just stupid design.
What the computer industry needs to realize is that they've got two choices in this scenario. They can take it upon themselves to provide active and easy protection to the average user on their own terms, or they can wait for the Government to mandate a solution.
With the rash of consumer data theft recently, it's obvious that vast expanses of industry are not protecting data to a satisfactory level. It's only a matter of time before the government starts throwing its weight around.
:::: the insomniac's digest
As for economies, if you're investing money why not just give it to me. I'll handle it for you. Why bother doing research. Why bother supporting local economies over foreign ones [e.g. walmart], etc, etc, etc.
You're seriously sitting there and saying "knowing things is a bad idea"...
The parent's point was that you don't need to know the intricate working details of everything in order to be able to effectively use it. That's the whole point of technology, we put enough layers on top of all the nitty-gritty so that what was once a complex task becomes simple.
You don't need to know how an internal combustion engine works to effectively drive a car. Someone purposefully put a lot of effort into making a car simple to drive so that almost anyone could do it without needing to be a mechanical engineer.
So, what we really have here is the original poster went a little too far with his hyperbolic examples, and you went too far the other way with yours.
Yes, knowing a little bit about what you are buying before you buy it is important, but you don't need to review the schematics and understand everything that went in to building it in order to use it. Otherwise, why didn't you just make it yourself?
What?
I hope you check replies to your posts. Your journal is archived, which is teh ghey, cause I have all the GIS episodes, including the supplemental ones. I'm currently 7-zipping them, and I'll upload them to my website soon, please check back.
If you need to get in touch with me re: this, you can email spam(a)dunnclan*net
sig?
I've always thought that we could use some sort of slashdot effect to curb phishing. When you get a phishing email, report it to some kind of website, once it gets verified as a phishing website, you can kind of just DDOS it. Maybe we could all help out by installing a folding@home type client where phishing urls are DDOSed by a bunch of people. With 100,000 people on such a network, each person would only need to send out a few requests to each site to make it work. There would be problems with the network hacked for bad uses, but limiting the client to only listening to messages that are properly signed would be a good start.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
It didn't become financially unsustainable after the change, it was well before. In fact, it was a major part of the countries' failing economy, and this failing economy was the underlying cause of the collapse of the soviet systems.
Red Leader Standing By!
"The parent's point was that you don't need to know the intricate working details of everything in order to be able to effectively use it. That's the whole point of technology, we put enough layers on top of all the nitty-gritty so that what was once a complex task because simple."
... that's sad.
If you call knowing how to decode a URL "nitty-gritty"
"You don't need to know how an internal combustion engine works to effectively drive a car. Someone purposefully put a lot of effort into making a car simple to drive so that almost anyone could do it without needing to be a mechanical engineer."
That's a sales ploy. Having the average idiot drive a car is not a good thing. Look at all the morons on the road today. You think if they had some knowledge of how their cars worked and a working knowledge of the rules of the road w.r.t. safe driving that we'd see people doing 90mph on the Long Island expressway?
And I never said you have to look over the schematics.
But knowing how to use windows and email [e.g. why not to use HTML, how to decode a URL, etc] can let you make way better use of your tool. Let's not forget that computers are tools.
If you want something to make noise that is easy to use buy a furby.
Tom
Someday, I'll have a real sig.
This is a vast exaggeration. The image of an eastern europe, 'ragtag' social and economic infrastructure is, for example, in complete contrast to the well-dressed, hip, bling-bling superstars that make up my crew.
We call it Fly Phishing.
Canada has 40% unemployment?
Do a Google search you xenophobic fucking idiot.
http://www.statcan.ca/english/Subjects/Labour/LFS/lfs-en.htm
Wow it's 7% in Canada.
What's it in the USA?
http://www.bls.gov/
It's 5%.
Yeah, we're SOOO WORSE off here in Canada....
Tom
Someday, I'll have a real sig.
Ok, here you go:
http://elvis.netmar.com/~will/geeks.7z
I can't host that forever, I do have a limit on my bandwidth, but I'll leave it there for a week or two. It's going to take about 35 more minutes to finish uploading, but it should be done by 10:30 EST June 20.
~Will
sig?
Let's not be so quick to summarize people who fall for Phishing emails as idiots. These emails are designed to look like they are coming from the institution they claim to be, are often very sophisticated, and do not promise unreasonable riches in return.
What do you know I wrote a novel
Why is this modded insightful?
No one would require that people understand all the ins and outs of a car before using one. But a TINY bit of knowledge would go a long way. Many people don't know that they need to change the oil in their car, many people don't know where to put windshield washer fluid in their car. (A friend of mine is a mechanic and he does see this kind of thing.)
The problem is a lack of basic knowledge, a few simple tidbits would go a long way. For many people the inner workings of their car, or computer, may as well be magic.
Cool number, I guess that would make the US's unemployment rate about 38%.
Take note, take note, O world,
To be direct and honest is not safe.
If you look at a computer like any other tool, then you'd realize why people need to be trained to use them properly. You'd never see someone operating a chainsaw, an arc welder, or a jackhammer, in industry, without first taking the proper courses in safety and operation. A computer is many times more complicated than any of those tools. People need to understand how things work so that bad things don't happen to them.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
I received last week two phishing emails. I followed the hidden URL in the HTML, got an IP and later traced it. The server was located in India.
No, I'm not.
You're saying that it's the car owner's fault if they get tricked into a repair that wasn't necessary on their vehicle. I say if someone tricks them into buying new tires when the current ones are fine, the owner should have known better. But if a mechanic tells me that my timing chain is loose, should I know better? Should I know exactly how much slack there should be in a timing chain? For that matter, should I know the difference between every belt and chain under the hood? No, of course not! That's what we pay other people for. It's not realistic to expect anybody to know everything about every topic.
I'm all for doing some research before having major medical procedures done. If someone talks you into having your appendix removed for a second time, then shame on the patient. But can you honestly tell me that every patient should be able to read an x-ray and tell the difference between bronchitis and an allergy-related cough? Again, of course not. That's why we pay doctors. It's not realistic to expect everybody to know every possible medical fact and procedure.
I'm not sitting here saying knowing things is a bad idea, but I am advocating being reasonable and what level of knowledge should be expected out of the average person, especially in fields outside of their "main field." Can you honestly tell me you feel differently?
Actually the term IDIOT fits perfectly. Anyone who responds with vital information to an e-mail is in fact a class A idiot. Especially considering that MOST institutions state that they will NOT ask for that info through e-mail.
Also I have to say I doubt the notion that there are "phishers 'r us" websites/ lists/ organisations that can a). operate for any decent length of time before going down by infighting and b). stay out of the public eye for however many years now?
What I'd really like to see though, is an effort by governments to curb this kind of criminal behavior first, and then going after petty internet crime like music piracy et al. Hell, if they can bust a warez ring, a phishers ring with real, tangible damage to both banks and customers would be even easier. Especially if they (supposedly) already have leaks, like Mr. Incredible here who used his massive skills to write a vague article that really doesn't tell us much.
Will wank off Linus Torvalds for fame.
I think you need to back off the elite attitude a little bit.
As far as driving goes, most of the "morons" I see on the road are those that think they know everything and they don't. (i.e., I'm the best driver in the world and everyone else is a moron). Their ability to actually handle an automobile has little to do with knowing how the innards work.
The point in computers is that they are supposed to be easy to use. While you might find it exciting to look at a URL and understand that it isn't actually pointing where you think it is, a good majority of "average" users, probably don't even look at the address bar a good majority of the time (possibly because they are so often bombarded with "junk" looking URLs, i.e. look at the average slashdot URL when browsing comments).
People want to be able to sit at a computer and have it do what they want it to do without having to worry about those mundane details. This isn't a user issue, it's a design issue. It is easy to sit around and blame stupid users, but they're only stupid because the design hasn't conformed to their needs.
Think of it in terms of Operating Systems and security. The OS should come configured to be secure already. The average user isn't going to know or want to know how to make it secure, they expect to already be secure. Are they "stupid" for not wanting to do that? No, it is the manufacturer's responsibility to make sure that takes place, so that the user doesn't have to worry about it.
We can either try to educate the world, or we can design products that conform to the world's "stupidity". The latter will probably be more successful.
What?
There are some very simple ways to solve this, en-masse...
Set up a milter that calls HTML::Strip to strip out all HTML from email. I don't want my webpages on port 25, just like I don't want my email on port 80. Users don't know or care anyway, set it up at the MTA side and they'll get clean emails.
Use a real MUA, like pine, mutt or other that allows you to see the actual content of the message, not its abstracted "rendered" equivalent. I simply hit 'h' in pine, and can see the resulting link that the phisher is trying to send me to... if it doesn't match the anchor tag, it gets deleted (and forwarded to spam-$USER, see dspam below).
Don't run Windows. Nothing need more be said here. When the same ActiveX control is used by Exchange to "render" email into your mailbox as MSIE to "render" malicious HTML to your browser, you should be concerned.
Install and configure dspam. Problem solved after only a few phish emails come through. Simply send them back to your internal spam-$USER address and you'll never see them again, including future ones that are similar. If you want to see them again, go into the web interface and send them to your mail, which will automagically re-score them lower so they get through. My users and I haven't seen a single spam get through to any of our mailboxes in MONTHS, not a single one. Beats the pants off of anything else out there that I've used.
Education. Teach your users that they should never respond or click URLs in email, ever, period. Show them that PayPal and eBay and other companies never ask you to log back in to verify any personal information. Show them how these systems work, and reinforce it all the time by asking them questions about it. Drill it into them.
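The link check described in this comment (compare what the anchor shows with where it actually points), and the "same URL behind every link" giveaway from the PayPal lure quoted earlier in the thread, can be done mechanically. The following is an added example, not code from any poster; the sample message is constructed and `lure.example` is a placeholder host.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the lure quoted in the thread.
# lure.example is a placeholder, not the host from the original message.
SAMPLE = """\
From: "PayPal Inc." <service@paypal.com>
To: my_email@hotmail.com
Subject: Unauthorized Access
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>If you did not authorize this change, contact customer service at:
<a href="http://lure.example/img/cmd/index.html">https://www.paypal.com/cgi-bin/webscr</a></p>
<p>ONLY log in at <a href="https://www.paypal.com/">https://www.paypal.com/</a></p>
<p>Reply to <a href="http://lure.example/img/cmd/index.html">service@paypal.com</a></p>
<p>Questions? <a href="http://lure.example/img/cmd/index.html">click here</a></p>
</body></html>
"""

# A hostname-looking token inside visible link text (URL, bare host or e-mail).
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs and a plain-text rendering."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.anchors, self.text = [], []
        self._href, self._buf = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._buf = []

    def handle_data(self, data):
        (self._buf if self._href is not None else self.text).append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            label = " ".join("".join(self._buf).split())
            self.anchors.append((self._href, label))
            # Plain-text view keeps the real target next to the label.
            self.text.append(f"{label} <{self._href}>")
            self._href = None


def same_site(shown, actual):
    """True when one host equals the other or is a subdomain of it."""
    return (shown == actual or actual.endswith("." + shown)
            or shown.endswith("." + actual))


def audit_links(raw_message):
    """Return (mismatched links, plain-text rendering) for all HTML parts."""
    msg = message_from_string(raw_message, policy=default)
    findings, plain = [], []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        parser = AnchorCollector()
        parser.feed(part.get_content())
        parser.close()
        plain.append(" ".join("".join(parser.text).split()))
        for href, label in parser.anchors:
            target = urlsplit(href)
            if target.scheme not in ("http", "https"):
                continue  # mailto: and friends carry no web host to compare
            match = HOST_RE.search(label)
            shown = match.group(1).lower() if match else None
            actual = (target.hostname or "").lower()
            # Only labels that name a host can contradict the href.
            if shown and not same_site(shown, actual):
                findings.append({"label": label, "href": href,
                                 "shown": shown, "actual": actual})
    return findings, "\n".join(plain)


if __name__ == "__main__":
    hits, text = audit_links(SAMPLE)
    for hit in hits:
        print(f"MISMATCH: shows {hit['shown']} but points to {hit['actual']}")
    print(text)
```

A "click here" label names no host, so the mismatch test cannot flag it; the plain-text rendering, which prints the target beside the label, is what exposes that case.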
I'm guessing he pulled that number out of the orifice where he keeps his brain.
Must be dark and smelly in there
"I'm not a procrastinator, I'm temporally challenged"
"What I said is people who CHOOSE to be ignorant deserve what they get."
Then it's reassuring to know you'll get yours, unless you're honestly stating that you're fully aware and informed about every aspect of your life, including those aspects you're probably unaware of.
"If you're just too lazy to take a semester of "outlook for dummies" at your local state college... then why bother using a computer at all?"
Hahahahahahaha, that's funny. Really. Here's one for you: True or False, the PC Revolution would have happened if everyone had first been required to attend a semester course on PCs.
"By your logic, anyone should be able to hop into a plane and fly around. Afterall, forcing training and knowledge on people is the act of a zealot crazy person."
By your logic, everyone should be required to take a semester-long course before operating a PC. And only an IDIOT would compare operating a PC with operating a plane to make their point.
<snip a whole bunch of snide, logically fallacious garbage>
"I guess you're right, I must be a geniOUS."
No, but you are arrogant, aloof, spectacularly bad at creating metaphors and comparisons, and you misspelled retARD.
Chuck
A little bit of an addendum to this, in case it wasn't clear...
If you want to sell a product, you adapt to your target audience. If you make your product so that they have to expend too much effort versus the potential gain from using it, they're not going to use it.
It's Linux' fatal flaw at the moment (with the "target audience" variable being debatable).
What?
Whatever, you think learning is bad. I can't convince you otherwise.
Should people take computer courses? Hell yes. Welcome to 2005. If you're not retired and plan to work for a living chances are you're gonna touch a computer.
You'll then tell me that many jobs don't use computers [short order clerks, clowns, prostitutes, ...].
Well, they also don't use math.
Tom
Someday, I'll have a real sig.
The rule for determining whether you should use "someone and I" or "someone and me" is simple: rewrite the sentence with you on your own, and then use the same form. So you would say "Tom and I are going fishing" {I am going fishing}, but "Would you like to come fishing with Tom and me?" {Would you like to come fishing with me}.
s/clerks/cooks/
Stupid replying to zealots is taking up too much time...
Tom
Someday, I'll have a real sig.
One day late last year, Mr. Abad was on the Internet Relay Channel, or IRC, a global online chat system that is best known as the lair of various digital bad guys.
I know I'm just being a nazi, but please can we not start to think of IRC as a place only for the bad? Next thing and you'll have the RIAA and MPAA trying to outlaw IRC (with an argument in the same context as BitTorrent.. 'it can, therefore it is').
Hey Tom... I think I know you from somewhere....
To Joe Computer User, looking at a URL that says something other than http://www.google.com/ might be considered "nitty-gritty." Just like to a heart surgeon picking the right knife to make that first cut with might seem to make perfect sense, I wouldn't have a clue what to do.
What?
to strip out all HTML from email. I don't want my webpages on port 25,
And what is wrong with sending formatted text as email? Maybe all the HTML email you get is spam, but people actually use HTML email for real work (messages including tables, images, etc.). HTML email sure beats Microsoft Word attachments, which is what people would be using otherwise.
With a decent mail reader, this is not a problem either, since they disable remote images and render HTML in a way that prevents phishing attacks.
If we could replace most Word attachments with HTML mail messages, the world would be a lot better off.
I thought you knucks were a light hearted people, Santa is from Canada right? I forgot during Christmas season when all the elves are working you only have unemployment rate of 7% but during the offseason it's more like 40%.
Knowledge = Power
P= W/t
t=Money
Money = Work/Knowledge so the less you know the more you make
I don't believe the phrasing 'know exactly how [insert item] works' was ever used ... but I shouldn't have to read anything and understand before replying should I? (OK ... I'll stop being a troll/flamebait and answer the questions)
Should everyone who doesn't have a medical degree and fully understand the human body avoid medical care?
No ... but they should not blame the doctor when they don't make any effort whatsoever to educate themselves, when they don't read literature given them or follow instructions given to them by their doctor. Who's generally healthier ... those who take time to understand something about the (their) human body and to provide for it properly or those who don't?
Should everyone who doesn't fully understand the intricacies of their local, regional and national economies not participate in them?
No .. but when things do not go as they expected, then maybe they will pay more attention.
Sure ... many of us don't read the manual when picking up a new gadget, but if I don't ... I accept the consequences that come with that behavior. I agree that things should be generally easy/intuitive to use. I also understand that I am ultimately responsible for myself, my accounts, information and property. Things may happen, out of my control, but that doesn't mean I should just give up and blame someone else for not making it 'easy enough'. More and more, people are looking to blame someone else for what went wrong and seeking some sort of 'insurance' so that they don't have to 'worry' about it.
I'm not saying that those that get phished 'deserve it'. I'm saying those that educate themselves some, are less likely to get phished than others.
Que Deus te de em dobro o que me desejas
[May God give you double that which you wish for me]
Communism did not work. Period.
So I guess you prefer the Absolutist way?
Here's the apple: Communist Russia was one of the global super-powers. You are suggesting they got to that status by using a flawed system of government? It's views like yours that START COLD WARS.
The only flaw in Communism is that it can be corrupted and the greedy. But the same can be said about capitalism and democracy.
The dangers of knowledge trigger emotional distress in human beings.
Hi- Chris Abad hangs out as aempirei on #research on undernet.org check us out, help us figure some shit out.
I see plenty of comments qualifying people who fall for these scams as "stupid people", "being ignorant by choice" or worse. I think we should remember a few things here:
Recently, there's a new, similar scam going on where I live: it's kind of real-world fishing. People install small cameras on those ATMs, and they glue little pass-through card readers on top of the slot where you insert the card. If you use such an ATM to get money, they can read out your card data using the reader and get your pin code using the camera. These things are made in such a way that they "blend" into the ATM's interface and look like they were actually part of the ATM. Do you honestly believe that you would notice this? Do you even think of checking for something like this before getting money? Do you think that everyone should know how the different ATMs look so that they notice it when such a device is installed on them? No? Then why do you expect non-geeks to be able to discern a real mail from PayPal from a scam mail? Legitimate mails from many money-related web sites contain clickable links.
Even if you accept that it's the person's own fault if he gives his data to a scam artist, you should grok that you simply can't solve the problem by educating people. That's simply impossible. This is a problem that must be solved using technology. Banks should sign their mails, and mail apps should clearly notify you if a mail is not from where it purports to be. Maybe it shouldn't let the user click on links if the user doesn't have the public key for the mail. Maybe there are entirely different solutions for this problem. But one thing is clear: Educating people won't work, no matter whose fault it is.
Oh, you're mistaken. Our unemployment is higher because we actually KEEP TRACK of people not working. ;-)
Tom
[I'm just messing around here, no "wanna fight about it" please...]
Someday, I'll have a real sig.
There's a much easier method (which I haven't seen anyone discuss, and which I describe on http://poromenos.blogspot.com/2005/06/authentication.html). It involves PGP/GPG to authenticate a user without having them send their password over the wire. It more or less involves the user just signing a random number the site gives him and sending it back to the server. The server then knows beyond a doubt that the person is the one whose public key they have, and the phisher can't steal their password (the person would know they're not supposed to give the password to any sites or anyone except PGP/GPG). Even if they stole one hash, it's still useless.
Send email from the afterlife! Write your e-will at Dead Man's Switch.
I got a phishing attack today. They ask me to log in to https://www.paypal.com/ Note the extra s. Non-obviously, it's fake. How does this redirection work?
Phish email schemes would not succeed if braindead email programs reported the ACTUAL source of the email, instead of the meaningless From line in the body of the email. If you knew that the source of the email you received was dialup.158.97.202.fai.ro and not accounting.citibank.com, wouldn't you be a tad more suspicious? It's in the headers. SPF would work for well-known sites, although changing one character in a domain name can still get by that.
Intron: the portion of DNA which expresses nothing useful.
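The check the comment above asks mail programs to make, as an added example that is not code from the thread: it reads the host that the recipient's own mail server recorded in its Received line and compares it with the From domain. The two messages are constructed (they reuse the hostnames from the comment), and `mx.recipient.example`, the Postfix-style Received layout and every function name are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// Constructed sample. The top Received line was written by our own MX; the one
// below it arrived with the message and can claim anything.
const spoofed = `Received: from mail.citibank.com (dialup.158.97.202.fai.ro [192.0.2.45])
	by mx.recipient.example with ESMTP id 4F2A1; Tue, 28 Jun 2005 10:00:00 +0000
Received: from accounting.citibank.com (accounting.citibank.com [198.51.100.7])
	by mail.citibank.com with ESMTP; Tue, 28 Jun 2005 09:59:58 +0000
From: "Citibank Accounting" <alerts@accounting.citibank.com>
Subject: Verify your account

body
`

// Constructed sample: the connecting host belongs to the From organisation.
const genuine = `Received: from mail.citibank.com (mail.citibank.com [198.51.100.7])
	by mx.recipient.example with ESMTP id 4F2A2; Tue, 28 Jun 2005 10:05:00 +0000
From: "Citibank Accounting" <alerts@accounting.citibank.com>
Subject: Your statement

body
`

// Postfix-style trace line: from HELO (reverse-dns [ip]) by receiver ...
var receivedRe = regexp.MustCompile(`(?i)^from\s+(\S+)\s+\((\S+)\s+\[([^\]]+)\]\)\s+by\s+(\S+)`)

var ErrNoTrustedHop = errors.New("no Received header written by the trusted MX")

type Report struct {
	FromDomain string // what the mail client shows the user
	Helo       string // name the sender claimed; untrusted
	SeenHost   string // reverse DNS our MX recorded for the connection
	SeenIP     string // address our MX recorded for the connection
	Mismatch   bool   // SeenHost is outside FromDomain's organisation
}

// orgDomain approximates the registrable domain as the last two labels.
// Assumption: fine for these samples; real code needs the Public Suffix List.
func orgDomain(host string) string {
	l := strings.Split(strings.ToLower(host), ".")
	if len(l) > 2 {
		l = l[len(l)-2:]
	}
	return strings.Join(l, ".")
}

// Analyze walks the Received headers newest first and trusts only the one
// stamped by trustedMX. A mismatch is a signal to surface, not proof of fraud.
func Analyze(raw, trustedMX string) (Report, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return Report{}, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return Report{}, err
	}
	r := Report{FromDomain: strings.ToLower(from.Address[strings.LastIndex(from.Address, "@")+1:])}
	for _, h := range msg.Header["Received"] {
		m := receivedRe.FindStringSubmatch(h)
		if m != nil && strings.EqualFold(m[4], trustedMX) {
			r.Helo, r.SeenHost, r.SeenIP = m[1], strings.ToLower(m[2]), m[3]
			r.Mismatch = orgDomain(r.SeenHost) != orgDomain(r.FromDomain)
			return r, nil
		}
	}
	return r, ErrNoTrustedHop
}

func main() {
	for _, raw := range []string{spoofed, genuine} {
		r, err := Analyze(raw, "mx.recipient.example")
		fmt.Printf("From=%s seen=%s [%s] helo=%s mismatch=%v err=%v\n",
			r.FromDomain, r.SeenHost, r.SeenIP, r.Helo, r.Mismatch, err)
	}
}
```

As the comment notes, a sender using a one-character look-alike domain for both the connection and the From line passes this comparison, so it complements rather than replaces a look-alike check.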
This scam is huge. It got me. Not sure if you'd call it phishing, maybe just unscrupulous activity by the shopping cart provider, but this will rob you just by supplying an email address. http://adam.rosi-kessel.org/weblog/the_man/webloyalty_aka_wli_reservations_is_a_scam.html
I purchased movie tickets from Fandango.com two years ago. Evidently a popup appeared after my transaction offering a discount for filling in a survey (must have been using the girlfriend's Windows box w/ IE). I gave my disposable email address and that became authorization to start charging me a monthly fee. I did not provide my credit card number, other than to Fandango to buy movie tickets. Fandango was nice enough to forward my credit card to this company Reservation Rewards aka Webloyalty. That's all it took.
Read the link above. It's unbelievable that this kind of thing could happen, but these crooks are operating to this date. They have quite a few other names. I've called, complained, and in theory I'm getting completely refunded. When/if I do, I'm going to contest the last two monthly charges ($7 each) and see if I can make them eat a service charge. Just getting my money back wouldn't be enough because probably only a small percent catch what this company does, and those who do may not catch it quickly. If you're the type who doesn't scrutinize your debit card transaction statements, they might be robbing you. At $7 per month, this amount is small enough that it could fly below the radar.
I wonder if http://www.webloyalty.com/ could withstand the slashdot effect? These people need it bad.
I received a very clever phishing email the other day. It was good enough to make one want to click the link and make sure everything was OK. I receive lots of email from the "admins" of eBay concerned that someone is using my account nefariously. Those are always bogus, so not a problem. This one, however, had the following text (I saved it cause it was that good :):
"Dear eBay member, Yes, i can ship to your location, and i accept escrow for payment.
Thank you,cowboyup618"
Then, in a boxed message there was a button with the text "Please respond to the question on eBay by clicking the button below. You'll have the option to display your response directly on the listing."
If you notice, this simple message looks like it was from a seller and he had a bid from me. If I were an active bidder on eBay, I would be concerned that I had won a bid that I had forgotten about. It would be very easy for someone in this position to click on the button.
As phishing emails go, it was a pretty good try.
The NSA: The only part of the US government that actually listens.
"Hello, I am a Nigerian 'phishing' hacker who steals money. But I have no way to withdraw the money from the accounts I've collected. I will give you an account number containing $50,000 in exchange for $1000 pre-paid into my account. Once I verify the money is in my account, you will receive instructions for how to access the $50,000."
E pluribus unum
Sorry, replying to stupid people makes my brain hurt and do stupid things.
And I'm a Physicist, not a damned dirty Writer.
What if I told you that those semester-long courses wouldn't teach you jack shit? Or you would be left behind quicker than you raise your hand.
I don't quite think so ... to quote ... from the original reply ...
It's just like the occasional garage or two that will break or "fix" additional things to raise up the bill just because the average car user doesn't know **** about how a car works let alone the current state of their car.
Being ignorant by choice is not intelligent. Sure you can't learn everything there is but honestly how much training does it take to learn how to use a web browser effectively [e.g. learn how to properly login to a website and check a CA cert]....?
I don't see anything about it being the owner's fault
seem to want to flag me as advocating ignorance
I never said people shouldn't learn something. I'm simply saying that it's not reasonable to blame the average person for not knowing everything about topic X.
See .. that's the issue though ... everyone is worrying about 'blame' (or not worrying/acting on something at all), instead of their own accountability, actions and the final results. That's why we vote against candidates instead of for them. That's why folks don't actually take time to learn something and be responsible themselves. That's why people pay for rental car insurance even though their company credit card already covers that.
It's also about "I don't have time for that" syndrome. I had a faculty member tell me that the other day ... and "that" was going through a proper security measure to secure his data. Guess what ... if you admit you don't have time for it and you have been given the opportunity .. you still maybe don't 'deserve' to get phished or cracked ... but it's a lot likelier to happen. I think that's what the original post you were replying to meant.
We don't have time to learn about everything. But this is obviously a big enough issue in our society. If you choose to ignore it and not educate yourself ... well .. it was your choice.
Que Deus te de em dobro o que me desejas
[May God give you double that which you wish for me]
I don't think it is fair to just pick on the Romulans...wait a second...this isn't the STNG forum? What the hell are ROMANIANS anyway?
How the hell the parent got moderated as insightful I don't know...
So those who don't know exactly how their highly-computerized car works should not operate one?
I haven't noticed many cases of car computers steering you into the path of oncoming traffic automatically. However, to operate a motor-vehicle in most countries they do tend to require this thing called a "license," for which you must first prove that you have an adequate amount of knowledge and training/experience in the use of said motor vehicle. Gee, imagine that.
Should everyone who doesn't have a medical degree and fully understand the human body avoid medical care
Well, if the internet were a passive receiving medium you could compare there. However as the internet is a bidirectional medium this would be more like saying that anyone who can get a checkup should also be able to whip out a scalpel and give the guy next door his vasectomy. Hmmm... I think doctors generally need licenses and training too.
Should everyone who doesn't fully understand the intricacies of their local, regional and national economies not participate in them?
To some extent this might be true. You can buy milk at the nearby store, but this doesn't mean you'd be well off to start your own store. Generally even if you do local regulations will help restrict you from doing anything that hurts people other than yourself, not so online...
These are some other names Webloyalty operates under: Reservation Rewards, WalletShield, Travel Values Plus, and Buyer's Assurance. http://www.webloyalty.com/success_stories.asp These are some companies that they deal with: 1-800-flowers.com, americangreetings.com, classmates.com, coolsavings.com half.com (part of eBay), hotels.com, joann.com, kingsizedirect.com, lillianvernon.com, movietickets.com, myfamily.com, onetravel.com, orbitz.com, priceline.com, riverdeep.com, smartbargains.com, webstakes.com, Brylane Home, Chadwick's, Lane Bryant, MapBlast, MyLotto, MyPoints, SandBox, Time-Life, Walter Drake, ZDNet.
I hope no one has posted this yet, but The University of Phoenix Online now has a one year introductory course on phishing (along with 739 other degrees in great careers.) A Master's program will be introduced next year if there is enough interest!
I read the article with interest, hoping to find an account of how the Romanian teenagers organized themselves into a sophisticated network of phishers. Instead all I found was a reference about how the typical phisher is Romanian but without any explanation of how they arrived at this conclusion. So why Romanian? I guess it sounds exotic and that's enough to make it interesting. Another load of crap about chat rooms, following other articles with IRC==bad && foreigners==scary in the subject line. How about some info describing what level of sophistication can be achieved in a country where dial-up is the norm and moving out of the city means not having a landline at all, hence no Internet.
keyboard not found! press any key to continue...
No, no, and....no
There are limits. To drive a car, you need a license. To practice medicine, you need a license. To run a business, you need a license.
Same should be with a computer (IMHO).
hey tard, try that search again with quotes. slightly less than 24 million hits this time.
I had no idea whom I was messing with on the IRC !
The difference between truth and fiction is that fiction has to be plausible.
There is no such thing as "secure Internet."
Every phishing scam I've received has been either for a bank or service I've never used or sent to an account I've never used for the service in question. I rarely use eBay and when I do, I use an email address I reserve for that purpose only. I've never received a phishing email at that address, but I receive at least 10 a week at addresses I've never used at eBay. Same thing for PayPal. I've also received many for banks I've never heard of. At least they could try to target the scams a little better, like sending one for a service I actually use and to the email address I use for that service.
BTW, you should also add a fingerprint or retina scan.
authentication:
Something you know: Your password
Something you have: Your secret key
Something you are: Your fingerprint/retinal blood vessel pattern.
The technical aspects of security are not the problem. They've been solved many times in many ways long ago. The problem is getting people to follow good security practices.
It's not going to happen to me.
Even if it does, the consequences won't be that great.
It's too much trouble to protect myself.
Solve those problems and you'll have information security. Don't and you won't.
"Reality is that which, when you stop believing in it, it doesn't go away." - Philip K. Dick
4 of those are not really viable for any medium-large business.
None of them are simple for anyone other than a reasonably competent unix admin.
Point 5 is a good one. It will ultimately fail for the same reason phishing/scams work in the first place, human nature.
Please, for the good of Humanity, vote Obama.
All the phishing site would have to do is display a random number of the correct length of digits, then accept whatever number the person enters from their bank-issued "calculator." The form is served, and the user dutifully enters all their personal info.
Phishing sites don't have to break bank security, they just have to emulate it and get the user to submit data. They make their money from selling data, not from cracking accounts.
Besides, the phishers would have the initial number and the final hash--theoretically they could then deduce the algorithm for that person.
"No, people who shouldn't be allowed to use computers are the ones who can't read and or listen."
What about scams over the phone, or bogus door-to-door salesmen, or panhandlers with sob stories? The only difference is that phishing is automated so as to hit up millions of potential victims with very little effort.
No amount of education will reach everyone. Can we teach 90% of the population to not respond to these things? Probably. 99%? - I doubt it. 99.99%? Not a chance in hell.
I really think that turning off clickable links in email by default would do more to protect the gullible than anything else. Make the user go through a screen saying "Do not turn this on unless you want to become a victim of identity theft".
So those who don't know exactly how their highly-computerized car works should not operate one?
I don't know if you've noticed, but approximately everyone is a terrible driver. The world would be a better place if people understood at least a little about how their cars work.
Should everyone who doesn't have a medical degree and fully understand the human body avoid medical care?
You should know enough to not go to some quack. If Dr. Stupid tells you that he's going to remove your liver-bone and you just nod your head in agreement, then you are the victim of your own ignorance.
Should everyone who doesn't fully understand the intricacies of their local, regional and national economies not participate in them?
Maybe people should understand a little more than they do? Then, perhaps, the businesses of spammers wouldn't be sustained by people who actually buy their products.
Any other dumb questions?
Phishing is a job? Wow, finally a new sort of tech job and it is immediately shipped overseas.... can't even buy a break these days.
True. But one reason I don't drive is because I haven't yet gotten round to learning how to fix a car. I only use a computer because at least I know how to fix it when it gets borken (let's say, by reinstalling). OTOH when our cellphone breaks, I know the only fix is to buy a new one.
I'm a sci-fi vegan: I don't want the aliens to think we have as much right to live as the fried chickens we eat.
You're equating knowing how to drive well with knowing how your car works, and you have the nerve to call my questions dumb?
Although I doubt they would be able to deduce the algorithm, they would be able to perform a Man-in-the-middle attack and get the user to decrypt the bank's generated number and send it back to them, effectively logging them on.
Send email from the afterlife! Write your e-will at Dead Man's Switch.
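The sign-a-random-number login proposed earlier in the thread, together with the relay objection in the comment above, as an added example that is not code from any poster. Ed25519 from Go's standard library stands in for PGP/GPG signing, and the origin binding, the two-minute lifetime and all names (`bank.example`, `bank-login.example`, `alice`) are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

const DefaultTTL = 2 * time.Minute // assumed challenge lifetime

var (
	ErrUnknownUser  = errors.New("unknown user")
	ErrNoChallenge  = errors.New("no outstanding challenge")
	ErrExpired      = errors.New("challenge expired")
	ErrBadSignature = errors.New("signature does not verify")
)

type issued struct {
	nonce   []byte
	expires time.Time
}

// Server holds public keys only, so it has no password to leak or to phish.
type Server struct {
	origin  string // the site's own name; "bank.example" below is constructed
	ttl     time.Duration
	keys    map[string]ed25519.PublicKey
	pending map[string]issued // one outstanding challenge per user
}

func NewServer(origin string, ttl time.Duration) *Server {
	return &Server{origin: origin, ttl: ttl,
		keys: map[string]ed25519.PublicKey{}, pending: map[string]issued{}}
}

// NewKeyPair stands in for the user's PGP/GPG key pair.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// Issue hands out a fresh 32-byte random challenge, replacing any older one.
func (s *Server) Issue(user string) ([]byte, error) {
	if _, ok := s.keys[user]; !ok {
		return nil, ErrUnknownUser
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = issued{nonce: nonce, expires: time.Now().Add(s.ttl)}
	return nonce, nil
}

// signedBytes binds the nonce to a purpose label and to one origin.
func signedBytes(origin string, nonce []byte) []byte {
	return append([]byte("login-v1\x00"+origin+"\x00"), nonce...)
}

// Respond is the client side. connectedOrigin must come from the client
// software's own view of the connection, never from text the page displays.
func Respond(priv ed25519.PrivateKey, connectedOrigin string, nonce []byte) []byte {
	return ed25519.Sign(priv, signedBytes(connectedOrigin, nonce))
}

// Verify consumes the challenge first, so every challenge is single use.
func (s *Server) Verify(user string, sig []byte) error {
	c, ok := s.pending[user]
	if !ok {
		return ErrNoChallenge
	}
	delete(s.pending, user)
	if !time.Now().Before(c.expires) {
		return ErrExpired
	}
	if !ed25519.Verify(s.keys[user], signedBytes(s.origin, c.nonce), sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	srv := NewServer("bank.example", DefaultTTL)
	pub, priv := NewKeyPair()
	srv.Enroll("alice", pub)
	n, _ := srv.Issue("alice")
	sig := Respond(priv, "bank.example", n)
	fmt.Println("direct login:", srv.Verify("alice", sig))
	fmt.Println("same signature again:", srv.Verify("alice", sig))
	// A look-alike site relays a real challenge; the client signs for the origin it is on.
	n, _ = srv.Issue("alice")
	fmt.Println("relayed:", srv.Verify("alice", Respond(priv, "bank-login.example", n)))
}
```

If the client signed the bare nonce instead of `signedBytes`, the relayed response in the last step would verify, which is the man-in-the-middle case the comment describes.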
Your money is fine until the banks and credit card companies give it to someone they are not supposed to. Security is the vendor's responsibility.
They could provide you with endless measures to secure their systems. But because they are big and powerful, they have convinced the people that they are the ones that have to "monitor their credit". That's ridiculous!
When was the last time your bank or credit card company offered you special security features? Like the ability to restrict your account from access from WesternUnion. I never use that, so I would like to blacklist that from accessing my account. Some chance of that!
Or they could create a callback system that would ring your phone when a charge came through. Automated, it would say press one to approve and two to cancel. Three would say, this is a trusted vendor and you don't need to call me back for purchases made here.
Anyone wanna try to make their bank do that? Of course not. They don't have to do anything...Where else are you going to keep your money?
But that's distorting the argument a little bit. Having a working knowledge of something is not the same as being an expert in it.
No, you shouldn't be expected to know the slack of your timing chain, but you should know how to operate your wipers, turn signal, proper pressure of your tires, what the warning lights mean, road signs, etc.
Similarly, using a computer does not mean you need to know how to program a database, or set up an authentication relay to a secondary domain. But you should know the peripheral functions of the tools you use everyday. And you should be familiar with the safeguards that ARE in place to protect you, imperfect as they may be. I don't think there is a way to prevent scamming other than educating the user (security holes are another matter entirely).
Slashdot: News for nerds. Stuff tha-- MICRO$OFT IS THE DEVIL!!1
You're equating knowing how to drive well with knowing how your car works, and you have the nerve to call my questions dumb?
Precisely correct. I don't think I've ever known a very good driver who didn't also have a pretty good idea of how a car works. I realize that's only anecdotal evidence -- I also present some questions that, if people were able to answer, would lead to a better driving experience:
Why is it bad to 'ride' the brakes when descending a hill?
While slowing down (when approaching a stop light, etc.), is more fuel saved by shifting to neutral or leaving the car in gear?
How does ABS work?
What are the problems caused by under- or over-inflated tires?
There are a lot of reasons to know more about your car.
http://gallery.dmuz.angrypacket.com/albums/deathguild/sIMG_6010.sized.jpg
It succeeds because the players act as a distributed network.
No. It succeeds because it brilliantly taps into a huge fear people now have (rightly) that their service will be withdrawn for some arbitrary reason/incident and that they are utterly powerless unless they immediately comply with whatever the company's procedure for dealing with that reason/incident is.
And I have to say people like eBay and especially PayPal, must take their share of the responsibility for this climate which they and others have deliberately created. Totally unaccountable, totally not giving one shit how they treat customers and how they handle complaints and hiding behind a wall of silence and mystery and inaccessibility.
They are really the ones to blame for phishing. As are various online banks, the 'War against Terror' and any other sort of similar bullshit.
Yes it's a real nasty shame that some innocent people are getting scammed out of their money, but if this was actually hurting ebay/paypal/online banks etc I very much doubt ANYBODY would have one drop of sympathy for them. Indeed, they deserve everything they get.
Here's the WebLoyalty online demo.. This is triggered after checkout from some other store. All the customer provides is an E-mail address, or at least a click on the big red button below the E-mail address form. Their credit card information is taken automatically from the previous transaction.
The key to WebLoyalty is that it's embedded in VirtualCart, a popular shopping cart program, and is on by default. It's quite possible for a merchant to be serving the WebLoyalty scam without even being aware of it. The merchant can't even turn it off directly. From the VirtualCart WebLoyalty FAQ:
And there you have it, the world's most successful phishing scam, run by a Harvard MBA.
If you need to sue those guys, look them up at the Secretary of State of Connecticut web site, which has their real address and the names and addresses of the corporate officers. Their actual business name is "WebLoyalty.com, Inc."
Nodding like an idiot while your doctor or auto-mechanic baffles with his trades' jargon is one extreme. Garnering the knowledge of their trades is another.
A wise man questions what he does not understand and keeps his bullshit detector turned on...
Hell, my 70+ YO mom knows how to look at email headers and recognize bent URLs. It's not rocket science. I mean, if a chicken can learn to play the piano, why can't an old geezer remember to look at an email header?
Yes, there are plenty of reasons to know more about how your car works. And exactly how does knowing the answer to any of the above questions keep you driving at or lower than the speed limit, maintaining a proper following distance, obeying all traffic signals, merging correctly in construction zones, and not driving on the sidewalk? I think you're confusing being an efficient driver with being a good one. Both are important, but one does not have the slightest thing to do with the other.
No, not at all. Step right in, drive with your parking brake on, don't ever change oil, etc. If the car fails, it's not your fault.
Should everyone who doesn't have a medical degree and fully understand the human body avoid medical care?
No, of course not! Go on, smoke your favorite cigarettes, eat whatever you like, drink as much as you want. If you get sick, it's not your fault.
Should everyone who doesn't fully understand the intricacies of their local, regional and national economies not participate in them?
Absolutely not! Vote for any candidate that appeals to you based on his looks or on the amount of advertisement he puts on TV without trying to understand his message. If the government fucks up it's not your fault.
See, it's your responsibility to learn at least the basics of how things work before you try to use them. After all, it's your own survival at stake.
It is 40% as all Americans presume that other countries must use their children and slave labor to make ever more exorbitant products to consume. If you are not forcing people to stand for 8 hours without a bathroom break you can't be our top trade partners.
An Education is the Font of All Liberty
I'd be quite surprised if the large banks in conjunction with large ISPs (and other owners of very big dynamically assigned IP address blocks) aren't doing this already. If nothing else, the phishers might start preferentially ignoring submissions from those IP blocks because of the likelihood they contained poisoned data which would light up law enforcement alarms if ever used.
No, but, just as in your examples, they should get professional advice and training before operating one. A computer is not a toaster; it is unreasonable to expect they should be as simple to operate as an appliance.
Eastern countries did not choose communism. They did: http://en.wikipedia.org/wiki/Yalta_Conference
For people actually interested on what or who is Romania: http://en.wikipedia.org/wiki/Romania
I come from Romania, I was a teenager and I never phished.
Did I mention that I don't like general statements and that I am a bit nationalist?
Anyone ever talked to the guy? Completely arrogant wanker. The last time I spoke with him, he was really excited to be able to get 0day 'sploits from IRC. I guess that was, perhaps, the genesis for this project.
Yay. He managed to infiltrate some script kiddies. Neat.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
And exactly how does knowing the answer to any of the above questions keep you driving at or lower than the speed limit, maintaining a proper following distance, obeying all traffic signals, merging correctly in construction zones, and not driving on the sidewalk? I think you're confusing being an efficient driver with being a good one.
You've just selected aspects of driving that don't show any overlap between "being a good driver" and "being an efficient driver". There are, however, lots of aspects that do show this overlap. For example, you shouldn't brake hard at the last second when coming up to an intersection. Doing so will (a) make people waiting at the intersection nervous because it's hard to determine your intentions, and (b) wear your brakes much faster.
There are other examples, too. People in areas with frequent flooding often stall or hydrolock their engines because they don't understand how intake and combustion work (so they'll try to ford a washed-out road or something; no pun intended.)
About adhering to the speed limit: I think you'll agree that staying around the speed limit is something a 'good' driver does, but it's also something an efficient driver does. Speed limits are typically close to the point where the efficiency of a car's engine and the aerodynamics of a car's body come into balance and the best fuel mileage is attained.
As for maintaining the proper following distance, I think it's pretty clear that people wouldn't gas-brake-gas-brake-gas-brake 15 feet behind the car in front of them if they knew that the material their pads and rotors are made from will last only a fraction as long as if they followed at a distance where they didn't need to use them.
The basic functioning of cars is really pretty simple. It's not a lot to ask to throw a few technical how-it-works questions on the written portion of the driver's exam.
Would be so much more effective if they made a concerted effort. I receive 2 or 3 emails a day from people claiming to be ebay's account verification department or similar. Problem is they're all so different in appearance, from address, language and everything else - It's just laughable. Or maybe that's just me.
DDoS, post it no /. problem solved, no need to install anything either.
Anyone who sends money to a stranger because of an e-mail deserves to be bankrupt. In fact, hopefully their newfound poverty will render them unable to find a suitable mate, thus preventing the spread of the (apparently) dominant RETARD gene.
There is no excuse for being phished, EVER, no matter how legitimate the e-mail looks. I don't know a single person in my personal or professional life that has been successfully phished. If you have ever been phished, perhaps you are not qualified to use the internet, computers, or sharp objects. Please unplug your CPU and throw it out the nearest window, or if you like, box it up and send it to your good friend Professor Habjeet of the Nigerian Mineral Protection Society. It'll look great in the living room of the Spanish hacienda he built with the remains of your 401k.
No, they wouldn't; the hash value (and results typed in by the user) would time out and be useless very quickly. Plus (as others have said) you would need to use it again to transfer money to people not on your "approved payee" list (or to add people to that list).
You missed the 3. ?????? step.
Banks and credit card companies could do a much more effective job of faking the data - they can set up their own bogus accounts that are flagged as fraudulent, so when the phisher tries to spend the credit card at a store they get busted, or when they try to use a fake ATM card they get photographed and located (and the card gets eaten if it's the kind of machine that you put your card into.) At minimum, the phisher's transactions get rejected.
EBay and PayPal could do some of the same thing, though they don't have a mechanism to do more than trace the IP and mailing addresses of the perp. The IP address isn't very reliable, since it could easily be a zombie (though at least it can cut down on the less intelligent eBay phishers and help locate and blacklist some zombies.) Mailing address requires a bit more work for eBay to fake, and it's likely to be some maildrop somewhere, but they could do it.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I'll be damned. After complaining to Webloyalty last week, I actually got a complete refund this morning ($175). I guess if you complain a little, they reimburse the last month, but if you're a real pain in the ass, they actually do the right thing and reimburse all charges--probably to keep that squeaky-clean image with BBB. I still think they need to be punished, but I'm not sure how...
The thing that gives most of these fishing emails away are the egregious spelling errors. I mean, I know the Citibank call center is run by sub-literate Indians these days but I at least expect their emails to be in English.
The BBC Money Program went on the trail of phishers and botnetters last week. Only they seemed to be in Russia. One guy phoned up the institution he was attacking taunting them about how he was out of reach in Russia.
Next thing he knew Scotland Yard and Russian Spetsnaz troops were kicking his front door in, lobbing in a few stun grenades and restraining Ivan by standing on his throat. They didn't give details of how they tracked him down.
Hey anal twat, people use different phrasing, so just typing in the plain sentence without quotes (and avoiding boolianising like hell) does a reasonable job.
besides how often do you look past page ten anyhow?
Life is like a box of chocolates, you never know when you're gonna get food poisoning.
Webloyalty sent me an example survey/charge authorization as a Word document. I'd like to post it, or paste the text here, but haven't yet been able to copy the text. I may resort to manually transcribing it as a separate post. This particular example seems to make it pretty clear that your credit card information will be exchanged for your e-mail address and that opting out before 30 days will prevent the charges. So I guess if you pretend this is a brick-and-mortar store, it's like a store allowing parking lot vendors soliciting your e-mail address and presenting you with fine print saying that your e-mail address will be exchanged for your credit card number from the store you just walked out of.
I really don't see this as a service or convenience for the victim/customer. In general, when providing your email address (your junk email address at that), you don't expect that action to result in charges, just more spam for breast enlargement/penis enhancement/etc. To continue my analogy, it's like a business' land owner requiring them to allow parking lot salespeople hiding behind fine print to access their customer information. Not all web merchants (the brick and mortar store, in this example) are even aware of the agreement and are not aware that their customers' credit card information is being accessed like that. Apparently some are and share in the recurring revenue.
To summarize, giving out your spam e-mail address after an online purchase is like giving your phone number to that ugly chick at the bar just to get her off your ass. Except that she doesn't have a cute friend (and she has herpes). They both have your phone number.
On second thought, this is Slashdot...we don't have social lives and meet actual chicks.
Here is the letter I just received:
We are sorry if you experienced concern about the Reservation Rewards membership offer as we strive to make our offer clear and informational to consumers. I have attached a copy of the offer page to demonstrate that we provided full disclosure of the offer details.
If you review the attached screenshot of the offer, you will see that we allow the consumer to make educated choices regarding the products and services they purchase. For this reason, we put the most significant details of our offer in a prominent location - immediately next to the acceptance button (so that a consumer will have those details in front of him or her before joining the service).
Moreover, we go an extra step and also require consumers to provide us their email address twice, to make them pause and take the time to read and understand our offer. To accept the Reservation Rewards trial membership registration we require a consumer to enter their email address into two required fields on the trial membership application page and then click the "Yes" button (see attached Exhibit One - this is the form of the page responded to). Immediately above the boxes where a consumer would enter their email address is the statement:
"By entering my email address and clicking YES, I have read and agree to the Offer Details and authorize Fandango to securely transfer my name, zip code and credit card information to Reservation Rewards for benefit processing."
The offer for a $10.00 Cash Back Award and a Reservation Rewards trial membership is meant as a bonus to Fandango's valued customers. Even if a consumer accepts the trial membership and then cancels the membership, the $10.00 Cash Back Award is still redeemable.
When a misunderstanding such as this one occurs, we are willing to cancel the membership and provide a refund to the consumer as we have done for you. As you requested, your Reservation Rewards membership is cancelled and we have issued twenty-five refunds of $7.00 each for the membership fees incurred. These refunds should appear as credits in your account.
I hope this letter answers your questions about the Reservation Rewards offer and also assures you that there was no unauthorized billing to
In any case: shoot for simple outcomes. 'Funny' mods should cancel down mods. -25 on a single post is so obviously unfair that it really shouldn't happen.
Wikileaks, no DNS