Slashdot Mirror

← Back to Stories (view on slashdot.org)

How the Phishing Biz Works

Posted by Zonk on from the sad-state-of-affairs dept.

Carl Bialik from the WSJ writes "Christopher Abad has spent much of the past six months 'stalking the phisher underground,' Lee Gomes writes in the Wall Street Journal. 'The typical phisher, he discovered, isn't a movie-style villain but a Romanian teenager, albeit one who belongs to a social and economic infrastructure that is both remarkably sophisticated and utterly ragtag. If, in the early days, phishing scams were one-person operations, they have since become so complicated that, just as with medicine or law, the labor has become specialized.' For instance, a phisher in Romania who successfully scores account information for someone in the U.S. may go on IRC to seek out a 'casher' to withdraw money from the target's account, and send a cut back to the phisher."

4 of 321 comments (clear)

  1. Almost as informative... by sandstorming · · Score: 5, Informative

    But not as prettyful as... This Technology

    --
    http://www.sandstorming.com
  2. Beats this article by far... by CABAN · · Score: 4, Informative

    You should know your enemy. http://honeynet.org/papers/phishing/

  3. Lots of easy ways to solve this... by hacker · · Score: 4, Informative

    There are some very simple ways to solve this, en-masse...

    1. Set up a milter that calls HTML::Strip to strip out all HTML from email. I don't want my webpages on port 25, just like I don't want my email on port 80. Users don't know or care anyway, set it up at the MTA side and they'll get clean emails.

    2. Use a real MUA, like pine, mutt or other that allows you to see the actual content of the message, not its abstracted "rendered" equivalent. I simply hit 'h' in pine, and can see the resulting link that the phisher is trying to send me to... if it doesn't match the anchor tag, it gets deleted (and forwarded to spam-$USER, see dspam below).

    3. Don't run Windows. Nothing need more be said here. When the same ActiveX control is used by Exchange to "render" email into your mailbox as MSIE to "render" maliscious HTML to your browser, you should be concerned.

    4. Install and configure dspam. Problem solved after only a few phish emails come through. Simply send them back to your internal spam-$USER address and you'll never see them again, including future ones that are similar. If you want to see them again, go into the web interface and send them to your mail, which will automagically re-score them lower so they get through. My users and I haven't seen a single spam get through to any of our mailboxes in MONTHS, not a single one. Beats the pants off of anything else out there that I've used.

    5. Education. Teach your users that they should never respond or click URLs in email, ever, period. Show them that PayPal and eBay and other companies never ask you to log back in to verify any personal information. Show them how these systems work, and reinforce it all the time by asking them questions about it. Drill it into them.

  4. How the WebLoyalty scam really works by Animats · · Score: 4, Informative
    Now, a patented phishing scam! The CEO of WebLoyalty, Vincent D'Agostino, has two patents on the technology, both titled "Method and system for cross-marketing products and services over a distributed communication network".

    Here's the WebLoyalty online demo.. This is triggered after checkout from some other store. All the customer provides is an E-mail address, or at least a click on the big red button below the E-mail address form. Their credit card information is taken automatically from the previous transaction.

    The key to WebLoyalty is that it's embedded in VirtualCart, a popular shopping cart program, and is on by default. It's quite possible for a merchant to be serving the WebLoyalty scam without even being aware of it. The merchant can't even turn it off directly. From the VirtualCart WebLoyalty FAQ:

    • Q. How can webloyalty.com afford to offer Special Rewards and not get paid?
    • A. webloyalty.com ultimately generates its revenue from the customer. Each customer who claims the Special Reward is offered the chance to join a discount shopping and protection service (Reservation Rewards), discount travel service (Travel Values Plus), shopping protection service (Buyer Assurance), or credit card and identity protection service (Wallet Shield). Although there is never an obligation for the customer to continue after the 30-day free trial, many customers choose to continue a service for its valuable benefits. This subset of consumers provides revenue to webloyalty.com.
    • Q. Why allow the customer the opportunity to transfer his information as opposed to re-entering it?
    • A. We believe the customer is always right. And after chatting with hundreds of customers, we heard one thing loud and clear... they want convenience. Most consumers believe allowing them to transfer their personal and financial information with their express permission is much more convenient than re-entering it. Just ask Amazon.com's customers!
    • Q. How do I opt-out of this program?
    • A. Send us an e-mail to support@vcart.com with your cart ID and we will be more than happy to review your account for removal from this program. virtualCART reserves the right to require all merchants to participate in the program.

    And there you have it, the world's most successful phishing scam, run by a Harvard MBA.

    If you need to sue those guys, look them up at the Secretary of State of Connecticut , web site, which has their real address and the names and addresses of the corporate officers. Their actual business name is "WebLoyalty.com, Inc."