Slashdot Mirror
How the Phishing Biz Works
Carl Bialik from the WSJ writes "Christopher Abad has spent much of the past six months 'stalking the phisher underground,' Lee Gomes writes in the Wall Street Journal. 'The typical phisher, he discovered, isn't a movie-style villain but a Romanian teenager, albeit one who belongs to a social and economic infrastructure that is both remarkably sophisticated and utterly ragtag. If, in the early days, phishing scams were one-person operations, they have since become so complicated that, just as with medicine or law, the labor has become specialized.' For instance, a phisher in Romania who successfully scores account information for someone in the U.S. may go on IRC to seek out a 'casher' to withdraw money from the target's account, and send a cut back to the phisher."
Looks like I caught a big one! A 12-lb FP!
They have the public hook, line and sinker because the public is overly uneducated on secure computing practices.
If only Macroshaft or any of the other major companies spent some money in educating the public about simple security measures (`format c:`, Pull out network cable, etc.), then maybe these guys wouldn't have as many people in the sea to phish.
When targeting Americans, they find it easy to catch without much bait-->after all, we are talking about people who regularly open emails from people they have never heard of.
Go to the w3.org and put Slashdot.org through the validator.
I think it involves 3. ??? somewhere
Will wash cars for karma
But not as prettyful as... This Technology
http://www.sandstorming.com
..but please login to check your account eBay
Remember that that cold soldering iron "Cold Heat" you see advertised on TV late night was invented by Romanian immigrants.
And yeah i use the product it beats the shit out of older soldering irons.
If the Harvard Business School types who descended like vultures on the former eastern bloc countries haven't worked so hard to savagely gut the social protection systems that were in place, there would not be so many criminals in those countries nowadays...
is mired in a8 Survive at all a BSD bOx (a PIII If *BSD is to
I think the whole thing smacks of a kind of strange Soviet irony that is somehow like Mother Russia's revenge on America. We destroyed their way of life and now they are stealing from our grandparents.
Karma has a strange way of working itself out. Phishing still needs to be stopped and I think the best way to try and stop it is to start building systems that don't add links to emails. Use copy/paste form validation instead. Designing smart systems sometimes means taking the convenience out of it, but no matter what you do, there will always be dumb people who are fooled.
The dangers of knowledge trigger emotional distress in human beings.
I always thought that only old people would fall for these phishing and scam emails. The problem is, here in Brazil it's not like Korea: it is not so common to see old people using computers, specially for online banking. Then one day I met this beautiful, smart and young lady who lost a big sum of money when she got phished. I was surprised to see a real person that got phished. I think she could get it back from her bank, though. It was probably a national phisher, I don't believe it was a teenager from Romania.
"'The typical phisher, he discovered, isn't a movie-style villain but a Romanian teenager"
A Romanian teenager is a typical movie style villain. Haven't they ever seen Blade?
Stupid people give their account information to losers who can't find jobs [whether through their fault or not].
... and phishing works because?
Basically it boils down to people jump on the technology bandwagon but then refuse to actually learn anything about it. Then they get taken advantage of because they are STUPID.
It's funny when people say "but tom, forcing people to learn how computers work before using them is stupid".
It's just like the occasional garage or two that will break or "fix" additional things to raise up the bill just because the average car user doesn't know shit about how a car works let alone the current state of their car.
Being ignorant by choice is not intelligent. Sure you can't learn everything there is but honestly how much training does it take to learn how to use a web browser effectively [e.g. learn how to properly login to a website and check a CA cert]....?
Tom
Someday, I'll have a real sig.
Maybe you guys are getting these all the time, but i don't email much and just received my first phishing email. I never read or open anything if it looks even remotely sketchy, but this one was pretty good. i believed it for a few seconds, until i logged in to paypal through a separate browser and verified no changes had been made to my account. I then forwarded the email to spoof@paypal.com as paypal requests. they wrote back to verify that the email was a scam. Another giveaway was that every link in the email, including the phony email address, had the following url behind them (i never clicked it- don't know whats there): h t t p ://linux.fal.pt/fundicao/img/cmd/index.html
u n
original message (i added spaces to urls so they wouldn't be links):
From : PayPal Inc.
Sent : Tuesday, June 14, 2005 3:58 PM
To : my_email@hotmail.com
Subject : Unauthorized Access: (Routing Code: P101-K001-Q-P090)
You have added funstuff12@aol.com as a new email address for your
PayPal account.
If you did not authorize this change or if you need assistance with
your account, please contact PayPal customer service at:
h ttps://www.paypal.com/cgi-bin/webscr?cmd=_login-r
Thank you for using PayPal!
The PayPal Team
Please do not reply to this e-mail. Mail sent to this address cannot be
answered. For assistance, log in to your PayPal account and choose the
"Help" link in the header of any page.
PROTECT YOUR PASSWORD
NEVER give your password to anyone and ONLY log in at
h ttps://www.paypal.com/.Protect yourself against fraudulent websites
by opening a new web browser (e.g. Internet Explorer or Netscape) and typing
in the PayPal URL every time you log in to your account.
PayPal Email ID PP1507
I wan' to see the IRC-network, wehre one can "post" things.....
You should know your enemy. http://honeynet.org/papers/phishing/
A little note to all you Romanian phishers:
Bagamiasi pula in gaturile voastre pentru denumirea tarii noastre! pupici si pumni
The Digital Couture Collection
1. Send emails to idiots.
2. Wait for their response and info.
3. Profit!!
Best part is, they'll be afraid to open their emails in the future, hence stopping the spread of virii. Social darwinism wins again!
Give a man a fish and he'll eat for a day. Teach him to fish and he'll wipe out the species.
It's one thing to insist that people bend over backwards to work within the constraints of poorly designed systems, but I think it requires a leap in logic to insist that the fault is entirely upon the user for not interfacing properly with those poorly designed systems.
People have difficulty learning technology because there is a tiered system of knowledge in anything computer/IT based, and understanding the technology at one level does not necessarily inspire one to learn the technology at a deeper level.
To use your analogy, there are users that know how to start and drive the car, there are users that know how to drive and also that they should be changing the oil once in a while, and finally there are users that can drive/race/fix/build their cars. The vast majority of the population would fall between the first two drivers. All know how to operate the vehicle, most probably know that they should be thinking about their oil, but about ¼ of them forget to do it on a regular basis.
There is very little encouraging the average driver to learn anything more about their engine then how to start it. The same is true in computers.
As soon as someone knows how to start up their PC, log-on to the internet and install applications, there isn't much need to dive deeper in the technology. The difference between a PC and a car is that the auto industry is required to provide easy to use protection to a driver. There is nothing similar in the PC world to protect Joe Average from himself and from others.
In my mind, this would be akin to auto-manufacturers requiring that a driver turn on their airbag every time they wanted to use it. It's just stupid design.
What the computer industry needs to realize is that they've got two choices in this scenario. They can take it upon themselves to provide active and easy protection to the average user on their own terms, or they can wait for the Government to mandate a solution.
With the rash of consumer data theft recently, it's obvious that vast expanses of industry are not protecting data to a satisfactory level. It's only a matter of time before the government starts throwing its weight around.
:::: the insomniac's digest
Please name one country with socialism that is doing well. Canada with all their Universial healthcare and other nonsense has 40% unemployment. I hear North Korea is doing well everyone has jobs some are just in camps. Phishers like all humans are greedy I'm glad their not looking for handouts like you knucks.
Knowledge = Power
P= W/t
t=Money
Money = Work/Knowledge so the less you know the more you make
I've always thought that we could use some sort of slashdot effect to curb phishing. When you get a phishing email, report it to some kind of website, once it gets verified as a phishing website, you can kind of just DDOS it. Maybe we could all help out by installing a folding@home type client where phishing urls are DDOSed by a bunch of people. With 100,000 people on such a network, each person would only need a to send out a few requests to each site to make it work. There would be problems with the network hacked for bad uses, but limiting the client to only listening to messages that are properly signed would be a good start.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
It didn't became financially unsustainable after the change, it was it well before. In fact, it was a major part of the countries failing economy, and this failing economy was the underlaying cause of the collapse of the soviet systems.
Red Leader Standing By!
This is a vast exaggeration. The image of an eastern europe, 'ragtag' social and economic infrastructure is, for example, in complete contrast to the well-dressed, hip, bling-bling superstars that make up my crew.
We call it Fly Phishing.
fluffy, stupid, sympering, cooing, ahhing.
The white middle class intellectual elite sipping coffee at a overpriced boudoir for gay and lesbian professionals whilst they nibble like a mouse on a nut cutlet, thinking about the enlightening wonders they are going to write in their blog that their only 2 friends in the world pretend they read.
Shall I reflect on another day in my cubicle ?
Or shall I dig up some freakshow 'souly' thing about what those in exotic places do for kicks ?
oooooooooooo...decisions..decisions...
I received last week two phising emails. I followed the hidden URL in the HTML, got an IP and later trace it. The server was located in India.
Also i have to say i doubt the notion that there are "phishers 'r us" websites/ lists/ organisattions that can a). operate for any decent lengh of time before going down by infighting and b). stay out of the public eye for however many years now?
What i'd really like to see though, is an effort by governments to curb this kind of criminal behavior first, and then going after petty internet crime like music piracy et al. Hell, if they can bust a warez ring, a phishers ring with real, tangible damage to both banks and customers would be even easier. Especially if they (supposedly) already have leaks, like Mr. Incredible here who used his massive skills to write a vague article that really doesn't tell us much.
Will wank off Linus Torvalds for fame.
Nothing new ... these people have been scam artists for centuries. Truly scum of earth.
There are some very simple ways to solve this, en-masse...
Set up a milter that calls HTML::Strip to strip out all HTML from email. I don't want my webpages on port 25, just like I don't want my email on port 80. Users don't know or care anyway, set it up at the MTA side and they'll get clean emails.
Use a real MUA, like pine, mutt or other that allows you to see the actual content of the message, not its abstracted "rendered" equivalent. I simply hit 'h' in pine, and can see the resulting link that the phisher is trying to send me to... if it doesn't match the anchor tag, it gets deleted (and forwarded to spam-$USER, see dspam below).
Don't run Windows. Nothing need more be said here. When the same ActiveX control is used by Exchange to "render" email into your mailbox as MSIE to "render" maliscious HTML to your browser, you should be concerned.
Install and configure dspam. Problem solved after only a few phish emails come through. Simply send them back to your internal spam-$USER address and you'll never see them again, including future ones that are similar. If you want to see them again, go into the web interface and send them to your mail, which will automagically re-score them lower so they get through. My users and I haven't seen a single spam get through to any of our mailboxes in MONTHS, not a single one. Beats the pants off of anything else out there that I've used.
Education. Teach your users that they should never respond or click URLs in email, ever, period. Show them that PayPal and eBay and other companies never ask you to log back in to verify any personal information. Show them how these systems work, and reinforce it all the time by asking them questions about it. Drill it into them.
One day late last year, Mr. Abad was on the Internet Relay Channel, or IRC, a global online chat system that is best known as the lair of various digital bad guys.
I know i'm just being a nazi, but please can we not start to think of IRC as a place only for the bad? Next thing and you'll have the RIAA and MPAA trying to outlaw IRC (with an argument in the same context as BitTorrent.. 'it can, therefore it is').
Comment removed based on user account deletion
to strip out all HTML from email. I don't want my webpages on port 25,
And what is wrong with sending formatted text as email? Maybe all the HTML email you get is spam, but people actually use HTML email for real work (messages including tables, images, etc.). HTML email sure beats Microsoft Word attachments, which is what people would be using otherwise.
With a decent mail reader, this is not a problem either, since they disable remote images and render HTML in a way that prevents phishing attacks.
If we could replace most Word attachments with HTML mail messages, the world would be a lot better off.
Communism did not work. Period.
So I guess you prefer the Absolutist way?
Here's the apple: Communist Russia was one of the global super-powers. You are suggesting they got to that status by using a flawed system of government? It's views like yours that START COLD WARS.
The only flaw in Communism is that it can be corrupted and the greedy. But the same can be said about capitalism and democracy.
The dangers of knowledge trigger emotional distress in human beings.
Hi- chris abad hangs out as aempirei on #research on undernet.org check us out, help us figure some shit out.
I see plenty of comments qualifying people who fall for these scams as "stupid people", "being ignorant by choice" or worse. I think we should remember a few things here:
Recently, there's a new, similar scam going on where I live: it's kind of real-world fishing. People install small cameras on those ATMs, and they glue little pass-through card readers on top of the slot where you insert the card. If you use such an ATM to get money, they can read out your card data using the reader and get your pin code using the camera. These things are made in such a way that they "blend" into the ATMs interface and look like they were actually part of the ATM. Do you honestly believe that you would notice this? Do you even think of checking for something like this before getting money? Do you think that everyone should know how the different ATMs look so that they notice it when such a device is installed on them? No? Then why do you expect non-geeks to be able to discern a real mail from Pay Pal from a scam mail? Legitimate mails from many money-related web sites contain clickable links.
Even if you accept that it's the person's own fault if he gives his data to a scam artist, you should grok that you simply can't solve the problem by educating people. That's simply impossible. This is a problem that must be solved using technology. Banks should sign their mails, and mail apps should clearly notify you if a mail is not from where it purports to be. Maybe it shouldn't let the user click on links if the user doesn't have the public key for the mail. Maybe there are entirely different solutions for this problem. But one thing is clear: Educating people won't work, no matter whose fault it is.
There's a much easier method (which I haven't seen anyone discuss, and which I describe on http://poromenos.blogspot.com/2005/06/authenticati on.html. It involves PGP/GPG to authenticate a user without having them send their password over the wire. It more or less involves the user just signing a random number the site gives him and sending it back to the server. The server then knows beyond a doubt that the person is the one whose public key they have, and the phisher can't steal their password (the person would know they're not supposed to give the password to any sites or anyone except PGP/GPG). Even if they stole one hash, it's still useless.
Send email from the afterlife! Write your e-will at Dead Man's Switch.
I got a phishing attack today. They ask me to log in to https://www.paypal.com/ Note the extra s. Non-obviously, it's fake. How does this redirection work?
Phish email schemes would not succeed if braindead email programs reported the ACTUAL source of the email, instead of the meaningless From line in the body of the email. If you knew that the source of the email you received was dialup.158.97.202.fai.ro and not accounting.citibank.com, wouldn't you be a tad more suspicious? Its in the headers. SPF would work for well-known sites, although changing one character in a domain name can still get by that.
Intron: the portion of DNA which expresses nothing useful.
This scam is huge. It got me. Not sure if you'd call it phishing, maybe just unscrupulous activity by the shopping cart provider, but this will rob you just by supplying an email address. http://adam.rosi-kessel.org/weblog/the_man/webloya lty_aka_wli_reservations_is_a_scam.html
I purchased movie tickets from Fandango.com two years ago. Evidently a popup appeared after my transaction offering a discount for filling in a survey (must have been using the girlfriend's Windows box w/ IE). I gave my disposable email address and that became authorization to start charging me a monthly fee. I did not provide my credit card number, other than to Fandango to buy movie tickets. Fandango was nice enough to forward my credit card to this company Reservation Rewards aka Webloyalty. That's all it took.
Read the link above. It's unbelievable that this kind of thing could happen, but these crooks are operating to this date. They have quite a few other names. I've called, complained, and in theory I'm getting completely refunded. When/if I do, I'm going to contest the last two monthly charges ($7 each) and see if I can make them eat a service charge. Just getting my money back wouldn't be enough because probably only a small percent catch what this company does, and those who do may not catch it quickly. If you're the type who doesn't scrutinize your debit card transaction statements, they might be robbing you. At $7 per month, this amount is small enough that it could fly below the radar.
I wonder if http://www.webloyalty.com/ could withstand the slashdot effect? These people need it bad.
I received a very clever phishing email the other day. It was good enough to make one want to click the link and make sure everything was OK. I receive lots of email from the "admins" of eBay concerned that someone is using my account nefariously. Those are always bogus, so not a problem. This one, however, had the following text (I saved it cause it was that good :):
"Dear eBay member, Yes, i can ship to your location, and i accept escrow for payment.
Thank you,cowboyup618"
Then, in a boxed message there was a button with the text "Please respond to the question on eBay by clicking the button below. You'll have the option to display your response directly on the listing."
If you notice, this simple message looks like it was from a seller and he had a bid from me. If I were an active bidder on eBay, I would be concerned that I had won a bid that I had forgotten about. It would be very easy for someone in this position to click on the button.
As phishing emails go, it was a pretty good try.
The NSA: The only part of the US government that actually listens.
"Hello, I am a Nigerian 'phishing' hacker who steals money. But I have no way to withdraw the money from the accounts I've collected. I will give you an account number containing $50,000 in exchange for $1000 pre-paid into my account. Once I verify the money is in my account, you will receive instructions for how to access the $50,000."
E pluribus unum
I don't think it is fair to just pick on the Romulans...wait a second...this isn't the STNG forum? What the hell are ROMANIANS anyway?
How the hell the parent got moderated as insiteful I don't know...
So those who don't know exactly how their highly-computerized car works should not operate one?
I haven't noticed many cases of car computers steering you into the path of oncoming traffic automatically. However, to operate a motor-vehicle in most countries they do tend to require this thing called a "license," for which you must first prove that you have an adequate amount of knowledge and training/experience in the use of said motor vehicle. Gee, imagine that.
Should everyone who doesn't have a medical degree and fully understand the human body avoid medical care
Well, if the internet were a passive receiving medium you could compare there. However as the internet is a bidirectional medium this would be more like saying that anyone who can get a checkup should also be able to whip out a scalpel and give the guy next door his vasectomy. Hmmm... I think doctors generally need licenses and training too.
Should everyone who doesn't fully understand the intricacies of their local, regional and national economies not participate in them?
To some extent this might be true. You can buy milk at the nearby store, but this doesn't mean you'd be well off to start your own store. Generally even if you do local regulations will help restrict you from doing anything that hurts people other than yourself, not so online...
Comment removed based on user account deletion
These are some other names Webloyalty operates under: Reservation Rewards, WalletShield, Travel Values Plus, and Buyer's Assurance. http://www.webloyalty.com/success_stories.asp These are some companies that they deal with: 1-800-flowers.com, americangreetings.com, classmates.com, coolsavings.com half.com (part of eBay), hotels.com, joann.com, kingsizedirect.com, lillianvernon.com, movietickets.com, myfamily.com, onetravel.com, orbitz.com, priceline.com, riverdeep.com, smartbargains.com, webstakes.com, Brylane Home, Chadwick's, Lane Bryant, MapBlast, MyLotto, MyPoints, SandBox, Time-Life, Walter Drake, ZDNet.
I hope no one has posted this yet, but The University of Phoenix Online now has a one year introductory course on phishing (along with 739 other degrees in great careers.) A Master's program will be introduced next year if there is enough interest!
I read the article with interest, hoping to find an account of how the Romanian teenagers organized themselves into a sofisticated network of phishers. Instead all I found was a reference about how the typical phisher is Romanian but without any explanation of how they arrived at this conclussion. So why Romanian? I guess it sounds exotic and that's enough to make it interesting. Another load of crap about chat rooms, following other articles with IRC==bad && foreigners==scary in the subject line. How about some info describing what level of sofistication can be achieved in a country where dial-up is the norm and moving out of the city means not having a landline at all, hence no Internet.
keyboard not found! press any key to continue...
I had no idea whom I was messing with on the IRC !
The difference between truth and fiction is that fiction has to be plausible.
There is no such thing as "secure Internet."
Every phishing scam I've received has been either for a bank or service I've never used or sent to an account I've never used for the service in question. I rarely use eBay and when I do, I use an email address I reserve for that purpose only. I've never received a phishing email at that address, but I receive at least 10 a week at addresses I've never used at eBay. Same thing for PayPal. I've also received many for banks I've never heard of. At least they could try to target the scams a little better, like sending one for a service I actually use and to the email address I use for that service.
BTW, you should also add a fingerprint or retina scan.
authentication:
Something you know: Your password
Something you have: Your secret key
Something you are: Your fingerprint/retinal blood vessel pattern.
The technical aspects of security are not the problem. They've been solved many times in many ways long ago. The problem is getting people to follow good security practices.
It's not going to happen to me.
Even if it does, the consequences won't be that great.
It's too much trouble to protect myself.
Solve those problems and you'll have information security. Don't and you won't.
"Reality is that which, when you stop believing in it, it doesn't go away." - Philip K. Dick
4 of those are not really viable for any medium-large business.
None of them are simple for anyone other than a reasonably competant unix admin.
Point 5 is a good one. It will ultimately fail for the same reason phishing/scams work in the first place, human nature.
Comment removed based on user account deletion
-notext-
Please, for the good of Humanity, vote Obama.
All the phishing site would have to do is display a random number of the correct length of digits, then accept whatever number the person enters from their bank-issued "calculator." The form is served, and the user dutifully enters all their personal info.
Phishing sites don't have to break bank security, they just have to emulate it and get the user to submit data. They make their money from selling data, not from cracking accounts.
Besides, the phishers would have the initial number and the final hash--theoretically they could then deduce the algorithm for that person.
"No, people who shouldn't be allowed to use computers are the ones who can't read and or listen."
What about scams over the phone, or bogus door-to-door salesmen, or panhandlers with sob stories? The only difference is that phishing is automated so as to hit up millions of potential victims with very little effort.
No amount of education will reach everyone. Can we teach 90% of the population to not respond to these things? Probably. 99%? - I doubt it. 99.99%? Not a chance in hell.
I really think that turning off clickable links in email by default would do more to protect the gullible than anything else. Make the user go through a screen saying "Do not turn this on unless you want to become a victim of identity theft".
Phishing is a job? Wow, finally a new sort of tech job and it is immediately shipped oversees.... can't even buy a break these days.
True. But one reason I don't drive is because I haven't yet gotten round to learning how to fix a car. I only use a computer because at least I know how to fix it when it gets borken (let's say, by reinstalling). OTOH when our cellphone breaks, I know the only fix is to buy a new one.
I'm a sci-fi vegan: I don't want the aliens to think we have as much right to live as the fried chickens we eat.
Although I doubt they would be able to deduce the algorithm, they would be able to perform a Man-in-the-middle attack and get the user to decrypt the bank's generated number and send it back to them, effectively logging them on.
Send email from the afterlife! Write your e-will at Dead Man's Switch.
Your money is fine until the banks and credit card companies give it to someone they are not supposed to. Security is the vendors responsibility.
They could provide you with endless measures to secure their systems. But because they are big and powerfull, they have convinced the people that they are the ones that have to "monitor their credit". Thats ridiculous!
When was the last time your bank or credit card company offered you special security features? Like the ability to restrict your account from access from WesternUnion. I never use that, so I would like to blacklist that from accessing my account. Some chance of that!
Or they could create a callback system that would ring your phone when a charge came through. Automated, it would say press one to approve and two to cancel. Three would say, this is a trusted vendor and you dont need to call me back for purchases made here.
Anyone wanna try to make their bank do that? Of course not. They dont have to do anything...Where else are you going to keep your money?
http://gallery.dmuz.angrypacket.com/albums/deathgu ild/sIMG_6010.sized.jpg
It suceeds because the players act as a distributed network.
No. It succeeds because it brilliantly taps into a huge fear people now have (rightly) that their service will be withdrawn for some arbitrary reason/incident and that they are utterly powerless unless they immediately comply with whatever the company's procedure for dealing with that reason/incident is.
And I have to say people like eBay and especially PayPal, must take their share of the responsibilty for this climate which they and others have deliberately created. Totally unaccountable, totally not giving one shit how they treat customers and how they handle complaints and hiding behind a wall of silence and mystery and inaccessabilty.
They are really the ones to blame for phishing. As are various online banks, the 'War against Terror' and any other sort of similar bullshit.
Yes it's a real nasty shame that some innocent people are getting scamed out of their money, but if this was actually hurting ebay/paypal/online banks etc I very much doubt ANYBODY would have one drop of sympathy for them. Indeed, they deserve everything they get.
Here's the WebLoyalty online demo.. This is triggered after checkout from some other store. All the customer provides is an E-mail address, or at least a click on the big red button below the E-mail address form. Their credit card information is taken automatically from the previous transaction.
The key to WebLoyalty is that it's embedded in VirtualCart, a popular shopping cart program, and is on by default. It's quite possible for a merchant to be serving the WebLoyalty scam without even being aware of it. The merchant can't even turn it off directly. From the VirtualCart WebLoyalty FAQ:
And there you have it, the world's most successful phishing scam, run by a Harvard MBA.
If you need to sue those guys, look them up at the Secretary of State of Connecticut , web site, which has their real address and the names and addresses of the corporate officers. Their actual business name is "WebLoyalty.com, Inc."
No, not at all. Step right in, drive with your parking brake on, don't ever change oil, etc. If the car fails, it's not your fault.
Should everyone who doesn't have a medical degree and fully understand the human body avoid medical care?
No, of course not! Go on, smoke your favorite cigarettes, eat whatever you like, drink as much as you want. If you get sick, it's not your fault.
Should everyone who doesn't fully understand the intricacies of their local, regional and national economies not participate in them?
Absolutely not! Vote for any candidate that appeals to you based on his looks or on the amount of advertisement he puts on TV without trying to understand his message. If the government fucks up it's not your fault.
See, it's your responsibility to learn at least the basics of how things work before you try to use them. After all, it's your own survival at stake.
I'd be quite surprised if the large banks in conjunction with large ISP's (and other owners of very big dynamically assigned IP address blocks) aren't doing this already. If nothing else, the phishers might start preferentially ignoring submissions from those IP blocks because of the likelyhood they contained poisoned data which would lite up a law enforcement alarms if ever used.
Comment removed based on user account deletion
Eastern countries did not choose comunism. They did: http://en.wikipedia.org/wiki/Yalta_Conference
For people actually interested on what or who is Romania: http://en.wikipedia.org/wiki/Romania
I come from Romania, I was a teenager and I never phished.
Did I mention that I don't like general statesment and that I am a bit nationalist?
Anyone ever talked to the guy? Completely arrogant wanker. The last time I spoke with him, he was really excited to be able to get 0day 'sploits from IRC. I guess that was, perhaps, the genesis for this project.
Yay. He managed to infiltrate some script kiddies. Neat.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Would be so much more effective if they made a concerted effort. I receive 2 or 3 emails a day from people claiming to be ebay's account verification department or similar. Problem is they're all so different in appearance, from address, language and everything else - It's just laughable. Or maybe that's just me.
DDoS, post it no /. problem solved, no need to install anything either.
Anyone who sends money to a stranger because of an e-mail deserves to be bankrupt. In fact, hopefully their newfound poverty will render them unable to find a suitable mate, thus preventing the spread of the (apparently) dominant RETARD gene.
There is no excuse for being phished, EVER,no matter how legitimate the e-mail looks. I don't know a single person in my personal or professional life that has been successfully phished. If you have ever been phished, perhaps you are not qualified to use the internet, computers, or sharp objects. Please unplug your CPU and throw it out the nearest window, or if you like, box it up and send it to your good friend Professor Habjeet of the Nigerian Mineral Protection Society. It'll look great in the living room of the Spanish hacienda he built with the remains of your 401k.
no they wouldnt, the hash value (and results typed in by the user) would time out and be useless very quickly. Plus (as others have said) you would need to use it again to transfer money to people not on your "approved payee" list (or to add people to that list)
Banks and credit card companies could do a much more effective job of faking the data - they can set up their own bogus accounts that are flagged as fraudulent, so when the phisher tries to spend the credit card at a store they get busted, or when they try to use a fake ATM card they get photographed and located (and the card gets eaten if it's the kind of machine that you put your card into.) At minimum, the phisher's transactions get rejected.
EBay and PayPal could do some of the same thing, though they don't have a mechanism to do more than trace the IP and mailing addresses of the perp. The IP address isn't very reliable, since it could easily be a zombie (though at least it can cut down on the less intelligent eBay phishers and help locate and blacklist some zombies.) Mailing address requires a bit more work for eBay to fake, and it's likely to be some maildrop somewhere, but they could do it.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I'll be damned. After complaining to Webloyalty last week, I actually got a complete refund this morning ($175). I guess if you complain a little, they reimburse the last month, but if you're a real pain in the ass, they actually do the right thing and reimburse all charges--probably to keep that squeaky-clean image with BBB. I still think they need to be punished, but I'm not sure how...
The thing that gives most of these fishing emails away are the egregious spelling errors. I mean, I know the Citibank call center is run by sub-literate Indians these days but I at least expect their emails to be in English.
The BBC Money Program went on the trail of phishers and botnetters last week. Only they seemed to be in Russia. One guy phoned up the institution he was attacking taunting them about how he was out of reach in Russia.
Next thing he knew Scotland Yard and Russian Spetznatz troups were kicking his front door in, lobbing in a few stun grenades and restraining Ivan by standing on his throat. They didn't give details of how they tracked him down.
Webloyalty sent me an example survey/charge authorization as a Word document. I'd like to post it, or paste the text here, but haven't yet been able to copy the text. I may resort to manually transcribing it as a separate post. This particular example seems to make it pretty clear that your credit card information will be exchanged for your e-mail address and that opting out before 30 days will prevent the charges. So I guess if you pretend this is a brick-and-mortar store, it's like a store allowing parking lot vendors soliciting your e-mail address and presenting you with fine print saying that your e-mail address will be exhanged for your credit card number from the store you just walked out of. ............
I really don't see this as a service or convenience for the victim/customer. In general, when providing your email address (your junk email address at that), you don't expect that action to result in charges, just more spam for breast enlargement/penis enhancement/etc. To continue my analogy, it's like a business' land owner requiring them to allow parking lot salespeople hiding behind fine print to access their customer information. Not all web merchants (the brick and mortar store, in this example) are even aware of the agreement and are not aware that their customers' credit card information is being accessed like that. Apparently some are and share in the recurring revenue. ..................
To summarize, giving out your spam e-mail address after an online purchase is like giving your phone number to that ugly chick at the bar just to get her off your ass. Except that she doesn't have a cute friend (and she has herpes). They both have your phone number.
On second thought, this is Slashdot...we don't have social lives and meet actual chicks.
Here is the letter I just received:
We are sorry if you experienced concern about the Reservation Rewards membership offer as we strive to make our offer clear and informational to consumers. I have attached a copy of the offer page to demonstrate that we provided full disclosure of the offer details.
If you review the attached screenshot of the offer, you will see that we allow the consumer to make educated choices regarding the products and services they purchase. For this reason, we put the most significant details of our offer in a prominent location - immediately next to the acceptance button (so that a consumer will have those details in front of him or her before joining the service).
Moreover, we go an extra step and also require consumers to provide us their email address twice, to make them pause and take the time to read and understand our offer. To accept the Reservation Rewards trial membership registration we require a consumer to enter their email address into two required fields on the trial membership application page and then click the "Yes" button (see attached Exhibit One - this is the form of the page responded to). Immediately above the boxes where a consumer would enter their email address is the statement:
"By entering my email address and clicking YES, I have read and agree to the Offer Details and authorize Fandango to securely transfer my name, zip code and credit card information to Reservation Rewards for benefit processing."
The offer for a $10.00 Cash Back Award and a Reservation Rewards trial membership is meant as a bonus to Fandango's valued customers. Even if a consumer accepts the trial membership and then cancels the membership, the $10.00 Cash Back Award is still redeemable.
When a misunderstanding such as this one occurs, we willing to cancel the membership and provide a refund to the consumer as we have done for you. As you requested, your Reservation Rewards membership is cancelled and we have issued twenty-five refunds of $7.00 each for the membership fees incurred. These refunds should appear as credits in your account.
I hope this letter answers your questions about the Reservation Rewards offer and also assures you that there was no unauthorized billing to
Here is a Priceless photograph of the article writer Chris Abad.
http://inkee.org/lol/abadachbar.jpg/
Yes the guy with the funny hat is really him.
In any case: shoot for simple outcomes. 'Funny' mods should cancel down mods. -25 on a single post is so obviously unfair that it really shouldn't happen.
Wikileaks, no DNS