How the Phishing Biz Works
Carl Bialik from the WSJ writes "Christopher Abad has spent much of the past six months 'stalking the phisher underground,' Lee Gomes writes in the Wall Street Journal. 'The typical phisher, he discovered, isn't a movie-style villain but a Romanian teenager, albeit one who belongs to a social and economic infrastructure that is both remarkably sophisticated and utterly ragtag. If, in the early days, phishing scams were one-person operations, they have since become so complicated that, just as with medicine or law, the labor has become specialized.' For instance, a phisher in Romania who successfully scores account information for someone in the U.S. may go on IRC to seek out a 'casher' to withdraw money from the target's account, and send a cut back to the phisher."
They have the public hook, line and sinker because the public is overly uneducated on secure computing practices.
If only Macroshaft or any of the other major companies spent some money in educating the public about simple security measures (`format c:`, Pull out network cable, etc.), then maybe these guys wouldn't have as many people in the sea to phish.
If the Harvard Business School types who descended like vultures on the former eastern bloc countries hadn't worked so hard to savagely gut the social protection systems that were in place, there would not be so many criminals in those countries nowadays...
To state the obvious I'd suggest substituting "suckers" for "Americans".
Not trying to be funny, but it's people's innocence/ignorance that causes these problems. You don't have to be American to be stupid (despite some people's feelings on the matter).
Take the phrase "it's on the internet, it MUST be true" for example.
Life is like a box of chocolates, you never know when you're gonna get food poisoning.
So those who don't know exactly how their highly-computerized car works should not operate one? Should everyone who doesn't have a medical degree and fully understand the human body avoid medical care? Should everyone who doesn't fully understand the intricacies of their local, regional and national economies not participate in them?
"What?" shriek the Slashbots, "If hot Brazilian chicks can't view the message HTML, traceroute the links and the redirects and WHOIS the resulting information, they shouldn't be allowed to use computers!" Perhaps, and perhaps me neither, but it doesn't surprise me that people get burned.
What I'm listening to now on Pandora...
I actually get them quite a bit, but unlike you, I actually follow the links and fill in bogus information...usually supplemented with a lot of profanity.
I figure someone, somewhere, must read the info, and at the very least, they get an earful (or an eyeful).
It's one thing to insist that people bend over backwards to work within the constraints of poorly designed systems, but I think it requires a leap in logic to insist that the fault is entirely upon the user for not interfacing properly with those poorly designed systems.
People have difficulty learning technology because there is a tiered system of knowledge in anything computer/IT based, and understanding the technology at one level does not necessarily inspire one to learn the technology at a deeper level.
To use your analogy, there are users that know how to start and drive the car, there are users that know how to drive and also that they should be changing the oil once in a while, and finally there are users that can drive/race/fix/build their cars. The vast majority of the population would fall between the first two drivers. All know how to operate the vehicle, most probably know that they should be thinking about their oil, but about ¼ of them forget to do it on a regular basis.
There is very little encouraging the average driver to learn anything more about their engine than how to start it. The same is true in computers.
As soon as someone knows how to start up their PC, log-on to the internet and install applications, there isn't much need to dive deeper in the technology. The difference between a PC and a car is that the auto industry is required to provide easy to use protection to a driver. There is nothing similar in the PC world to protect Joe Average from himself and from others.
In my mind, this would be akin to auto-manufacturers requiring that a driver turn on their airbag every time they wanted to use it. It's just stupid design.
What the computer industry needs to realize is that they've got two choices in this scenario. They can take it upon themselves to provide active and easy protection to the average user on their own terms, or they can wait for the Government to mandate a solution.
With the rash of consumer data theft recently, it's obvious that vast expanses of industry are not protecting data to a satisfactory level. It's only a matter of time before the government starts throwing its weight around.
:::: the insomniac's digest
I've witnessed an otherwise normal 18-year-old man give out his credit card details over the phone and then proceed to exclaim with joy to all in the room that he had just won a free scholarship.
Another classic that hits my old neighborhood in St. Louis every now and then. They put a letter on the doors of every house in the neighborhood proclaiming that their house represents a normal suburban dwelling and some movie producer in Hollywood would like to do a test shoot to determine if they could use it for a movie. Just send $40 to this address, so we can set up the appointment. I know of one neighbor who fell for it, and another neighbor who only barely prevented his wife from falling for it.
One that hit my college recently. Someone had a list of names and addresses of college students. Home addresses, that is. So they sent a phone bill for about a hundred bucks to several hundred parents. The parents, being used to getting bills from the college, often just paid the bill out of habit, afraid that if they don't pay promptly, it will cause problems.
There is no shortage of suckers in America.
It didn't become financially unsustainable after the change, it was well before. In fact, it was a major part of the country's failing economy, and this failing economy was the underlying cause of the collapse of the Soviet systems.
Red Leader Standing By!
Cool number, I guess that would make the US's unemployment rate about 38%.
Take note, take note, O world,
To be direct and honest is not safe.
We destroyed their way of life
How so? Their way of life didn't work and the system imploded on itself. Granted we did all we could to speed the process, but we weren't the cause.
Do you even know anything about perl? -- AC Replying to Tom Christiansen post.
No, I'm not.
You're saying that it's the car owner's fault if they get tricked into a repair that wasn't necessary on their vehicle. I say if someone tricks them into buying new tires when the current ones are fine, the owner should have known better. But if a mechanic tells me that my timing chain is loose, should I know better? Should I know exactly how much slack there should be in a timing chain? For that matter, should I know the difference between every belt and chain under the hood? No, of course not! That's what we pay other people for. It's not realistic to expect anybody to know everything about every topic.
I'm all for doing some research before having major medical procedures done. If someone talks you into having your appendix removed for a second time, then shame on the patient. But can you honestly tell me that every patient should be able to read an x-ray and tell the difference between bronchitis and an allergy-related cough? Again, of course not. That's why we pay doctors. It's not realistic to expect everybody to know every possible medical fact and procedure.
I'm not sitting here saying knowing things is a bad idea, but I am advocating being reasonable and what level of knowledge should be expected out of the average person, especially in fields outside of their "main field." Can you honestly tell me you feel differently?
Also I have to say I doubt the notion that there are "phishers 'r us" websites/lists/organisations that can a) operate for any decent length of time before going down by infighting and b) stay out of the public eye for however many years now?
What I'd really like to see though, is an effort by governments to curb this kind of criminal behavior first, and then going after petty internet crime like music piracy et al. Hell, if they can bust a warez ring, a phishers' ring with real, tangible damage to both banks and customers would be even easier. Especially if they (supposedly) already have leaks, like Mr. Incredible here who used his massive skills to write a vague article that really doesn't tell us much.
Will wank off Linus Torvalds for fame.
Lycos, the popular (sort of) internet portal, once tried this, launching a screensaver that would, when activated, essentially DDoS spamming/phishing sites and other such nasties. It got pulled pretty quickly because of, amongst other things, fear that the network could get hacked (or the phishers pointing their DNS records back to Lycos, essentially reflecting the DDoS back onto them) and doubts over the legality of such an attack, especially with someone with as deep pockets as Lycos to sue if it all came out on top - it was a hacker's and a lawyer's wet dream and it was duly pulled.
Remember, a DDoS is a DDoS is a DDoS, no matter how unsavoury the target. (Though if you're feeling mischievous, you could try the LadVampire site, which pretty much does the same thing, only it's on the web rather than on your computer.)
Dealing with lawyers would be a lot less tedious if they all looked like Casey Novak.
I think you need to back off the elite attitude a little bit.
As far as driving goes, most of the "morons" I see on the road are those that think they know everything and they don't. (i.e., I'm the best driver in the world and everyone else is a moron). Their ability to actually handle an automobile has little to do with knowing how the innards work.
The point in computers is that they are supposed to be easy to use. While you might find it exciting to look at a URL and understand that it isn't actually pointing where you think it is, a good majority of "average" users probably don't even look at the address bar a good majority of the time (possibly because they are so often bombarded with "junk" looking URLs, i.e. look at the average slashdot URL when browsing comments).
People want to be able to sit at a computer and have it do what they want it to do without having to worry about those mundane details. This isn't a user issue, it's a design issue. It is easy to sit around and blame stupid users, but they're only stupid because the design hasn't conformed to their needs.
Think of it in terms of Operating Systems and security. The OS should come configured to be secure already. The average user isn't going to know or want to know how to make it secure, they expect to already be secure. Are they "stupid" for not wanting to do that? No, it is the manufacturer's responsibility to make sure that takes place, so that the user doesn't have to worry about it.
We can either try to educate the world, or we can design products that conform to the world's "stupidity". The latter will probably be more successful.
What?
We're hardly an empire (don't own any land that wants to be separate).
Stop thinking it's cool to trash America. Pick through the FUD, and you'll see blame lies on both sides of the line in almost any problem.
How is that "interesting" and not "-1 clueless?"
Communism did not work. Period. That's why it failed. It was our "way of life" because the alternative way of life was taken away. It was destroyed because it failed miserably. Actually, it destroyed itself. Yes, the US probably helped (though proving it is hard), but the core reason why communism failed were its own inadequacies: if you destroy economic incentives, you are going downhill and there is no way around it. It does not necessarily mean the collapse of the system - you can vegetate for years on the subsistence level (Cuba) or below it (North Korea). If you really helped us destroying our old way of life - big thank you, I am deeply grateful that you did so.
I don't believe the phrasing 'know exactly how [insert item] works' was ever used ... but I shouldn't have to read anything and understand before replying should I? (OK ... I'll stop being a troll/flamebait and answer the questions)
Should everyone who doesn't have a medical degree and fully understand the human body avoid medical care?
No ... but they should not blame the doctor when they don't make any effort whatsoever to educate themselves, when they don't read literature given them or follow instructions given to them by their doctor. Who's generally healthier ... those who take time to understand something about the (their) human body and to provide for it properly or those who don't?
Should everyone who doesn't fully understand the intricacies of their local, regional and national economies not participate in them?
No ... but when things do not go as they expected, then maybe they will pay more attention.
Sure ... many of us don't read the manual when picking up a new gadget, but if I don't ... I accept the consequences that come with that behavior. I agree that things should be generally easy/intuitive to use. I also understand that I am ultimately responsible for myself, my accounts, information and property. Things may happen, out of my control, but that doesn't mean I should just give up and blame someone else for not making it 'easy enough'. More and more, people are looking to blame someone else for what went wrong and seeking some sort of 'insurance' so that they don't have to 'worry' about it.
I'm not saying that those that get phished 'deserve it'. I'm saying those that educate themselves some are less likely to get phished than others.
Que Deus te de em dobro o que me desejas
[May God give you double that which you wish for me]
I don't get HTML email, actually, because it's automatically stripped at the MTA, same for all of my users, and I've never heard a single complaint yet.
I was being simplistic when I suggested using HTML::Strip. The full milter uses a lot of other modules, including ::Strip, HTML::TableExtractor, and others... to make sure that the actual content of the email isn't lost, even if fonts and colors and images are.
But like I said... webpages go on port 80, email on port 25. Period.
Actually, I should reconfigure all outgoing HTML email to be sent as DocBook XML instead. What? You can't render DocBook XML? Oh, you should upgrade your mail client then. Maybe I'll use PostScript for HTML-based email instead, and blame those Outlook users who can't read standards-compliant attachment types.
See the problem here? I don't like email senders dictating what tools I use on my end to read their email. I shouldn't have to turn my mail client into a browser to read email, just like they shouldn't have to load OpenJade/DSSL or Ghostview to read my emails.
I see plenty of comments qualifying people who fall for these scams as "stupid people", "being ignorant by choice" or worse. I think we should remember a few things here:
Recently, there's a new, similar scam going on where I live: it's kind of real-world fishing. People install small cameras on those ATMs, and they glue little pass-through card readers on top of the slot where you insert the card. If you use such an ATM to get money, they can read out your card data using the reader and get your PIN code using the camera. These things are made in such a way that they "blend" into the ATM's interface and look like they were actually part of the ATM. Do you honestly believe that you would notice this? Do you even think of checking for something like this before getting money? Do you think that everyone should know how the different ATMs look so that they notice it when such a device is installed on them? No? Then why do you expect non-geeks to be able to discern a real mail from PayPal from a scam mail? Legitimate mails from many money-related web sites contain clickable links.
Even if you accept that it's the person's own fault if he gives his data to a scam artist, you should grok that you simply can't solve the problem by educating people. That's simply impossible. This is a problem that must be solved using technology. Banks should sign their mails, and mail apps should clearly notify you if a mail is not from where it purports to be. Maybe it shouldn't let the user click on links if the user doesn't have the public key for the mail. Maybe there are entirely different solutions for this problem. But one thing is clear: Educating people won't work, no matter whose fault it is.
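As an added example (not code from the thread or from any poster), here is the kind of client-side check this comment argues for, stopping short of full signature verification: the mail client parses the message itself, pulls every link out of the HTML body, and warns when a link's real destination host does not match either the host shown in the link text or the From: domain. Everything uses the Python standard library; the message, addresses and `.test` domains are constructed for the demonstration, and `link_warnings` and `_same_site` are names chosen here, not any mail client's API.

```python
"""Client-side link/sender consistency check for an HTML mail (added example)."""

import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collect (visible_text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host(value):
    """Lowercased hostname of a URL or bare domain string, or None if absent."""
    if "://" not in value:
        value = "http://" + value
    host = urlsplit(value).hostname
    return host.lower() if host else None


def _same_site(a, b):
    """True when one host equals, or is a subdomain of, the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def link_warnings(raw_message):
    """Return human-readable warnings for a raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    from_addr = msg["from"].addresses[0].addr_spec if msg["from"] else ""
    sender_host = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else None
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = _AnchorCollector()
    parser.feed(body.get_content())
    warnings = []
    for text, href in parser.links:
        target = _host(href)
        if target is None:
            continue
        # Only treat the link text as a claimed destination if it looks like one.
        shown = _host(text) if "." in text and " " not in text else None
        if shown and not _same_site(shown, target):
            warnings.append(f"link text {text!r} actually points to {target}")
        if sender_host and not _same_site(sender_host, target):
            warnings.append(f"link to {target} in a mail claiming to be from {sender_host}")
    return warnings


# Constructed sample: a bank-branded mail whose first link leads elsewhere.
SAMPLE_MESSAGE = b"""From: "Support" <support@examplebank.test>
To: customer@mail.test
Subject: Verify your account
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please visit <a href="http://examplebank.test.login-verify.test/x">
www.examplebank.test/login</a> to verify.</p>
<p>Or see <a href="https://www.examplebank.test/help">our help page</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for line in link_warnings(SAMPLE_MESSAGE):
        print("WARNING:", line)
```

The second link passes because `www.examplebank.test` is a subdomain of the sender's domain; the first is flagged twice, once for the mismatch between displayed and real host and once because the destination is outside the From: domain. A real client would combine this with a verified signature or DKIM result so that the From: domain itself can be trusted.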
Oh, you're mistaken. Our unemployment is higher because we actually KEEP TRACK of people not working. ;-)
Tom
[I'm just messing around here, no "wanna fight about it" please...]
Someday, I'll have a real sig.
Yes, and I do believe that you can become an absolute power with a flawed economic system and a flawed system of government. The problem is you cannot stay an absolute power. Here is how it worked: heavy industry was the way to go in the 20s and 30s. Let's invest all we have in coal, steel and whatever else we can think of. That does work, the system is not efficient but we put so many resources into it that it's going to show results. The problem is though that the world changes, technology changes and without capitalist incentives you will not be able to make the right decisions. It's actually quite simple: in capitalism everyone has an influence on where the system is going through their pockets. In communism, it is only the "elite" that does and the elite does not have full information and will not be able to make all the right decisions.
The only flaw in Communism is that it can be corrupted and the greedy. But the same can be said about capitalism and democracy.
I have never understood how people who have never seen communism in action feel free to make these kinds of statements. Taking away freedom and destroying hope for a better tomorrow is not a flaw for you? I am sure you have never waited in line for 10 hours to get a piece of meat, right? Have you seen what towns designed by communist planners look like? Did you know that pollution magically fell after the collapse of communism? What about the fact that the average lifespan in countries like Hungary, Czech Republic and Poland increased by more than 5 years since 1989? None of these were because of corruption or greediness, they were due to some (often highly educated) nitwits in the government thinking that they make the right decisions.
Yeah, because commuting to an office 2 hours each way and sitting in a cubicle isn't soul destroying at all.
What does your commute have to do with capitalism?
Capitalism is almost as much a lie as communism. The people at the top completely get to screw over the ordinary worker.
In capitalism, there is no such thing as "the ordinary worker." If you're fed up with doing menial, unsatisfying work, then start your own business or find a job elsewhere that you like better. That's capitalism.
It may not look entirely bad in the US, but have you seen capitalism in action in places where people (including kids) work half the day (12hrs+) in appalling conditions for pittance?
Yes. And have YOU seen the other 3rd world countries where there is no capitalist enterprise, and people slave away and don't even make a pittance? Without capitalism, what would those people be doing? Most likely their leaders are corrupt, which is why their countries are destitute. Don't blame how fucked up some countries are on capitalism.
They're coming to places like the UK and Ireland (full work permitted by new EU members there) where for now they can get better paying jobs, but it's a system in decline. Wages will have to continue to decline in the West too - and wages will only go up slowly and to a lower plateau elsewhere.
Uhhh, what exactly are you basing these highly insightful claims on? Capitalism is not a zero-sum game. Capitalism is like a pie. You can always make a bigger pie and feed more people from that pie. Making a bigger pie doesn't mean someone else has to make a smaller pie.
Ultimately, capitalism and the Western system will fall too. It is a lie (look at the US deficit - an entire economy running on a gaping overdraft).
Again, you are blaming capitalism for something it had nothing to do with. Our fucked up deficit is based on the stupidity of our elected officials, who spend more money on bullshit than they take in. They use the money to buy votes through pork-barrel spending.
It will just take longer - and may be propped up for more than a century through the continued exploitation of the rest of the world.
Yes, the terrible exploitation performed by America.
Do you really want me to list all the billions in AID we give the rest of the world? It's convenient to leave that part out when you want to pillory the US, isn't it?
Ironically, the word ironically is often used incorrectly.
You say there is no shortage of suckers in America like there aren't just as many per capita in every other country.
I don't understand why people think people in other countries are somehow fundamentally different.
People are people. Stupid, brilliant, funny, boring, fat, scrawny, beautiful, ugly etc, nationality doesn't enter into it.
Go pick up A Perfect Circle's eMOTIVe and become a dreamer.
Question everything
I've always thought that we could use some sort of slashdot effect to curb phishing.
Just fill in bogus info. Given the small rate of return they work with it wouldn't take much before they had more fake replies than real ones. Once the majority of the info they got didn't work, the time needed to sort through it all might put a few out of business.
The problem with trying to DoS the phishers with bad information (other than *any* contact with compromised servers being risky) is that the "signal-to-noise" ratio seen by the phisher is still pretty damn good.
The reason being that "signal" = "people falling for a con" is much larger than "noise" = "wise people, who have enough spare time to be actively hostile to complete strangers." In the same way that "stupid" is much more common than "clever."