Slashdot Mirror


How the Phishing Biz Works

Carl Bialik from the WSJ writes "Christopher Abad has spent much of the past six months 'stalking the phisher underground,' Lee Gomes writes in the Wall Street Journal. 'The typical phisher, he discovered, isn't a movie-style villain but a Romanian teenager, albeit one who belongs to a social and economic infrastructure that is both remarkably sophisticated and utterly ragtag. If, in the early days, phishing scams were one-person operations, they have since become so complicated that, just as with medicine or law, the labor has become specialized.' For instance, a phisher in Romania who successfully scores account information for someone in the U.S. may go on IRC to seek out a 'casher' to withdraw money from the target's account, and send a cut back to the phisher."

11 of 321 comments

  1. Almost as informative... by sandstorming · · Score: 5, Informative

    But not as prettyful as... This Technology

  2. Just Received My First Phishing Email by ras_b · · Score: 3, Informative

    Maybe you guys are getting these all the time, but I don't email much and just received my first phishing email. I never read or open anything if it looks even remotely sketchy, but this one was pretty good. I believed it for a few seconds, until I logged in to PayPal through a separate browser and verified no changes had been made to my account. I then forwarded the email to spoof@paypal.com as PayPal requests. They wrote back to verify that the email was a scam. Another giveaway was that every link in the email, including the phony email address, had the following URL behind them (I never clicked it; don't know what's there): h t t p ://linux.fal.pt/fundicao/img/cmd/index.html

    Original message (I added spaces to URLs so they wouldn't be links):

    From : PayPal Inc.
    Sent : Tuesday, June 14, 2005 3:58 PM
    To : my_email@hotmail.com
    Subject : Unauthorized Access: (Routing Code: P101-K001-Q-P090)

    You have added funstuff12@aol.com as a new email address for your
    PayPal account.

    If you did not authorize this change or if you need assistance with
    your account, please contact PayPal customer service at:

    h ttps://www.paypal.com/cgi-bin/webscr?cmd=_login-ru n

    Thank you for using PayPal!
    The PayPal Team

    Please do not reply to this e-mail. Mail sent to this address cannot be
    answered. For assistance, log in to your PayPal account and choose the
    "Help" link in the header of any page.

    PROTECT YOUR PASSWORD

    NEVER give your password to anyone and ONLY log in at
    h ttps://www.paypal.com/.Protect yourself against fraudulent websites
    by opening a new web browser (e.g. Internet Explorer or Netscape) and typing
    in the PayPal URL every time you log in to your account.

    PayPal Email ID PP1507

    1. Re:Just Received My First Phishing Email by TheKidWho · · Score: 2, Informative

      hey if you get those emails, forward it back to spoof@paypal.com

    2. Re:Just Received My First Phishing Email by wrecked · · Score: 2, Informative

      Thanks for your post. I just tried it out; it's pretty clever. The IP address is 62.48.224.25 for that URL you posted (h t t p ://linux.fal.pt/fundicao/img/cmd/index.html -- spaces inserted intentionally). whois 62.48.224.25 shows:

      inetnum: 62.48.224.24 - 62.48.224.31
      netname: FAL-NET
      descr: FAL - FUNDICAO ALTO LIXA, SA
      descr: Alto da Lixa - Lixa
      country: PT
      admin-c: PT4010-RIPE
      tech-c: JMF13-RIPE
      status: ASSIGNED PA
      mnt-by: AS15525-MNT
      source: RIPE # Filtered

      role: PT PRIME IP-REG
      address: PT Prime - Solucoes Empresariais de Telecomunicacoes SA
      address: Servicos Internet Empresariais
      address: R. de Entrecampos, 28
      address: 1749-076 Lisboa
      address: Portugal
      phone: +351 215003000
      remarks: trouble: Abuse Reports - abuse@webside.pt
      admin-c: PG259-RIPE
      tech-c: JMF13-RIPE
      tech-c: PC2422-RIPE
      tech-c: LL1052-RIPE
      nic-hdl: PT4010-RIPE
      mnt-by: AS15525-MNT
      source: RIPE # Filtered
      abuse-mailbox: abuse@webside.pt

      person: Jose Manuel Fonte
      address: R. Tomas Ribeiro, 2 - Bloco A, Sala 2.18
      address: 1069-300 Lisboa - Portugal
      phone: +351 215001845
      fax-no: +351 215002175
      nic-hdl: JMF13-RIPE
      mnt-by: AS15525-MNT
      source: RIPE # Filtered

      % Information related to 'PT4010-RIPE'

      route: 62.48.128.0/17
      descr: PTPRIMENET
      descr: PT Prime - Network Service Provider
      origin: AS15525
      mnt-by: AS15525-MNT
      source: RIPE # Filtered

  3. Beats this article by far... by CABAN · · Score: 4, Informative

    You should know your enemy. http://honeynet.org/papers/phishing/

  4. Lots of easy ways to solve this... by hacker · · Score: 4, Informative

    There are some very simple ways to solve this, en masse...

    1. Set up a milter that calls HTML::Strip to strip out all HTML from email. I don't want my webpages on port 25, just like I don't want my email on port 80. Users don't know or care anyway, set it up at the MTA side and they'll get clean emails.

    2. Use a real MUA, like pine, mutt or other that allows you to see the actual content of the message, not its abstracted "rendered" equivalent. I simply hit 'h' in pine, and can see the resulting link that the phisher is trying to send me to... if it doesn't match the anchor tag, it gets deleted (and forwarded to spam-$USER, see dspam below).

    3. Don't run Windows. Nothing more need be said here. When the same ActiveX control is used by Exchange to "render" email into your mailbox as MSIE uses to "render" malicious HTML in your browser, you should be concerned.

    4. Install and configure dspam. Problem solved after only a few phish emails come through. Simply send them back to your internal spam-$USER address and you'll never see them again, including future ones that are similar. If you want to see them again, go into the web interface and send them to your mail, which will automagically re-score them lower so they get through. My users and I haven't seen a single spam get through to any of our mailboxes in MONTHS, not a single one. Beats the pants off of anything else out there that I've used.

    5. Education. Teach your users that they should never respond or click URLs in email, ever, period. Show them that PayPal and eBay and other companies never ask you to log back in to verify any personal information. Show them how these systems work, and reinforce it all the time by asking them questions about it. Drill it into them.
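The check in item 2 (the href behind a link does not match the URL shown in the anchor text) and the observation in the "Just Received My First Phishing Email" thread above (every link in the message pointed at the same unrelated host) can both be automated at the MTA or in a mail filter. The following is an added example, not code from the original post or from any of the tools it names (HTML::Strip, dspam); the sample message is constructed to mirror the PayPal email quoted in that thread, and the `linux.fal.pt` URL is the one the poster reported.

```python
"""Flag anchors in an HTML e-mail whose visible text claims one host but whose
href resolves to another, and list the distinct hosts a message links to.
Added example; SAMPLE_EMAIL is a constructed message, not a real capture."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None      # href of the anchor currently open, else None
        self._text = []        # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL; bare 'www.example.com' text is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _looks_like_url(text):
    # Anchor text such as "https://www.paypal.com/" or "www.paypal.com";
    # plain words like "Help" or "Click here" are not URL claims.
    return "." in text and " " not in text


def find_deceptive_links(html):
    """Return [(shown_text, real_href)] for anchors whose displayed URL and
    actual target point at different hosts."""
    parser = _AnchorCollector()
    parser.feed(html)
    deceptive = []
    for href, text in parser.anchors:
        if _looks_like_url(text) and host_of(text) != host_of(href):
            deceptive.append((text, href))
    return deceptive


def link_targets(html):
    """Sorted list of distinct hosts the message's links actually go to."""
    parser = _AnchorCollector()
    parser.feed(html)
    return sorted({host_of(href) for href, _ in parser.anchors if href})


def is_phish(html):
    """The poster's rule: one mismatched link is enough to drop the message."""
    return bool(find_deceptive_links(html))


# Constructed sample modelled on the quoted PayPal message: the visible links
# say paypal.com, the hrefs go to the host reported in the thread.
SAMPLE_EMAIL = """
<p>If you did not authorize this change, please contact PayPal customer service at:</p>
<a href="http://linux.fal.pt/fundicao/img/cmd/index.html">https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a>
<p>NEVER give your password to anyone and ONLY log in at
<a href="http://linux.fal.pt/fundicao/img/cmd/index.html">https://www.paypal.com/</a></p>
<p>For assistance, choose the <a href="https://www.paypal.com/help">Help</a> link.</p>
"""

if __name__ == "__main__":
    for shown, real in find_deceptive_links(SAMPLE_EMAIL):
        print(f"shown {shown!r} -> actually {real!r}")
    print("link hosts:", link_targets(SAMPLE_EMAIL))
    print("phish:", is_phish(SAMPLE_EMAIL))
```

Run against the sample, the two PayPal-looking links are reported with their real `linux.fal.pt` target and the message is classed as phish; the "Help" link, whose text makes no URL claim, is ignored. A text-only MUA like pine shows you the same href/text mismatch by hand, which is what item 2 above relies on.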

  5. watch out for pop-ups from shopping cart provider by h0mebrewer · · Score: 2, Informative

    This scam is huge. It got me. Not sure if you'd call it phishing, maybe just unscrupulous activity by the shopping cart provider, but this will rob you just by supplying an email address. http://adam.rosi-kessel.org/weblog/the_man/webloyalty_aka_wli_reservations_is_a_scam.html I purchased movie tickets from Fandango.com two years ago. Evidently a popup appeared after my transaction offering a discount for filling in a survey (must have been using the girlfriend's Windows box w/ IE). I gave my disposable email address and that became authorization to start charging me a monthly fee. I did not provide my credit card number, other than to Fandango to buy movie tickets. Fandango was nice enough to forward my credit card to this company Reservation Rewards aka Webloyalty. That's all it took. Read the link above. It's unbelievable that this kind of thing could happen, but these crooks are operating to this date. They have quite a few other names. I've called, complained, and in theory I'm getting completely refunded. When/if I do, I'm going to contest the last two monthly charges ($7 each) and see if I can make them eat a service charge. Just getting my money back wouldn't be enough because probably only a small percent catch what this company does, and those who do may not catch it quickly. If you're the type who doesn't scrutinize your debit card transaction statements, they might be robbing you. At $7 per month, this amount is small enough that it could fly below the radar. I wonder if http://www.webloyalty.com/ could withstand the slashdot effect? These people need it bad.

  6. So, put gpg on a calculator... by karlandtanya · · Score: 2, Informative
    Or carry around your secret key on a smartcard that has its own tiny processor, memory, and I/O and a zero-knowledge checking algorithm. Plenty of that going on already.

    BTW, you should also add a fingerprint or retina scan.


    authentication:
    Something you know: Your password
    Something you have: Your secret key
    Something you are: Your fingerprint/retinal blood vessel pattern.


    The technical aspects of security are not the problem. They've been solved many times in many ways long ago. The problem is getting people to follow good security practices.
    It's not going to happen to me.
    Even if it does, the consequences won't be that great.
    It's too much trouble to protect myself.


    Solve those problems and you'll have information security. Don't and you won't.

    --
    "Reality is that which, when you stop believing in it, it doesn't go away." - Philip K. Dick
  7. Re:I've always thought by UnknowingFool · · Score: 3, Informative
    When you get a phishing email, report it to some kind of website, once it gets verified as a phishing website, you can kind of just DDOS it.

    Unfortunately the problem with this approach is the collateral damage if the scam artists do not use their own machines to host the scam. The ISP or host company gets pummelled and if they didn't know anything about the scam, they're innocent bystanders.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  8. How the WebLoyalty scam really works by Animats · · Score: 4, Informative
    Now, a patented phishing scam! The CEO of WebLoyalty, Vincent D'Agostino, has two patents on the technology, both titled "Method and system for cross-marketing products and services over a distributed communication network".

    Here's the WebLoyalty online demo. This is triggered after checkout from some other store. All the customer provides is an E-mail address, or at least a click on the big red button below the E-mail address form. Their credit card information is taken automatically from the previous transaction.

    The key to WebLoyalty is that it's embedded in VirtualCart, a popular shopping cart program, and is on by default. It's quite possible for a merchant to be serving the WebLoyalty scam without even being aware of it. The merchant can't even turn it off directly. From the VirtualCart WebLoyalty FAQ:

    • Q. How can webloyalty.com afford to offer Special Rewards and not get paid?
    • A. webloyalty.com ultimately generates its revenue from the customer. Each customer who claims the Special Reward is offered the chance to join a discount shopping and protection service (Reservation Rewards), discount travel service (Travel Values Plus), shopping protection service (Buyer Assurance), or credit card and identity protection service (Wallet Shield). Although there is never an obligation for the customer to continue after the 30-day free trial, many customers choose to continue a service for its valuable benefits. This subset of consumers provides revenue to webloyalty.com.
    • Q. Why allow the customer the opportunity to transfer his information as opposed to re-entering it?
    • A. We believe the customer is always right. And after chatting with hundreds of customers, we heard one thing loud and clear... they want convenience. Most consumers believe allowing them to transfer their personal and financial information with their express permission is much more convenient than re-entering it. Just ask Amazon.com's customers!
    • Q. How do I opt-out of this program?
    • A. Send us an e-mail to support@vcart.com with your cart ID and we will be more than happy to review your account for removal from this program. virtualCART reserves the right to require all merchants to participate in the program.

    And there you have it, the world's most successful phishing scam, run by a Harvard MBA.

    If you need to sue those guys, look them up at the Secretary of State of Connecticut web site, which has their real address and the names and addresses of the corporate officers. Their actual business name is "WebLoyalty.com, Inc."

  9. Re:Huh? by popra · · Score: 1, Informative

    I have never understood how people who have never seen communism in action feel free to make these kinds of statements. Taking away freedom and destroying hope for a better tomorrow is not a flaw for you? I am sure you have never waited in line for 10 hours to get a piece of meat, right? Have you seen what towns designed by communist planners look like? Did you know that pollution magically fell after the collapse of communism? What about the fact that the average lifespan in countries like Hungary, Czech Republic and Poland increased by more than 5 years since 1989? None of these was because of corruption or greediness; they were due to some (often highly educated) nitwits in the government thinking that they make the right decisions.

    I did live in communism for several years (in Romania, HA!) and the grandfather of this post is right: the basic problem with communism was the way it was implemented (leaders were corrupt). All the other flaws derived from this... lack of freedoms, free speech, poor economic achievements, and so on. You weren't able to speak against the corruption because they were shielding the masses from what was really going on... they were protecting their asses.
    So I feel obligated to mod you down because... you are simply not right and you are spreading a wrong view over what exactly went on in the communist countries...

    hmmm, does this make me a little dictator? yonk!!!