Slashdot Mirror


How the Phishing Biz Works

Carl Bialik from the WSJ writes "Christopher Abad has spent much of the past six months 'stalking the phisher underground,' Lee Gomes writes in the Wall Street Journal. 'The typical phisher, he discovered, isn't a movie-style villain but a Romanian teenager, albeit one who belongs to a social and economic infrastructure that is both remarkably sophisticated and utterly ragtag. If, in the early days, phishing scams were one-person operations, they have since become so complicated that, just as with medicine or law, the labor has become specialized.' For instance, a phisher in Romania who successfully scores account information for someone in the U.S. may go on IRC to seek out a 'casher' to withdraw money from the target's account, and send a cut back to the phisher."

64 of 321 comments

  1. Phishing for an FP by Anonymous Coward · · Score: 3, Funny

    Looks like I caught a big one! A 12-lb FP!

  2. how the phising biz work? by dances+with+elks · · Score: 3, Funny

    I think it involves 3. ??? somewhere

    --
    Will wash cars for karma
  3. Almost as informative... by sandstorming · · Score: 5, Informative

    But not as prettyful as... This Technology

  4. Feh... by Pig+Hogger · · Score: 2, Insightful

    If the Harvard Business School types who descended like vultures on the former eastern bloc countries hadn't worked so hard to savagely gut the social protection systems that were in place, there would not be so many criminals in those countries nowadays...

    1. Re:Feh... by JaredOfEuropa · · Score: 4, Interesting

      The transition to a more free economy in these countries was anything but graceful. But most of the social protection systems were not savagely gutted, as you put it. Often they were left in place but became financially unmaintainable, or they failed to deal with rampant inflation. Pensioners in Russia still get their state pension; the only problem is that it isn't worth anything these days.

      In these countries, a lot of shady property deals went down, people got screwed over, there was profiteering, extortion, and theft on a grand scale, but many of these crimes of greed were perpetrated by people who were already criminals, or former socialist potentates (or both). 'Harvard Business school types' had very little to do with it.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    2. Re:Feh... by Otter · · Score: 4, Insightful
      If the Harvard Business School types who descended like vultures on the former eastern bloc countries hadn't worked so hard to savagely gut the social protection systems that were in place, there would not be so many criminals in those countries nowadays...

      Uh, yeah, because under Ceausescu all these Romanian computer owners (with their free communications with the rest of the world) used their luxurious lifestyles for the betterment of the less fortunate...

  5. Re:Before you dis romanians by Brento · · Score: 4, Funny

    Remember that that cold soldering iron "Cold Heat" you see advertised on TV late night was invented by Romanian immigrants.

    Yeah, and before you diss Americans, that "Pocket Fisherman" you see advertised on TV late night was invented by Americans...

    --
    What's your damage, Heather?
  6. Re:Americans by msim · · Score: 2, Insightful

    To state the obvious, I'd suggest substituting "suckers" for "Americans".

    Not trying to be funny, but it's people's innocence/ignorance that causes these problems. You don't have to be American to be stupid (despite some people's feelings on the matter).

    Take the phrase "it's on the internet, it MUST be true" for example.

    --

    Life is like a box of chocolates, you never know when you're gonna get food poisoning.
  7. A real person phished by tacensi · · Score: 4, Interesting

    I always thought that only old people would fall for these phishing and scam emails. The problem is, here in Brazil it's not like Korea: it is not so common to see old people using computers, especially for online banking. Then one day I met this beautiful, smart and young lady who lost a big sum of money when she got phished. I was surprised to see a real person that got phished. I think she could get it back from her bank, though. It was probably a national phisher, I don't believe it was a teenager from Romania.

    1. Re:A real person phished by Otter · · Score: 5, Insightful
      I understand the "How could anyone be stupid enough to fall for this?" response to Nigerian email scams. But phishing? Maybe you don't get the good ones, but it's next to impossible for even a relatively sophisticated user to distinguish them from authentic emails. I deal with phishing by deleting everything purporting to be from EBay or PayPal -- I sure as hell wouldn't trust my ability to safely follow links from any of them.

      "What?" shriek the Slashbots, "If hot Brazilian chicks can't view the message HTML, traceroute the links and the redirects and WHOIS the resulting information, they shouldn't be allowed to use computers!" Perhaps, and perhaps me neither, but it doesn't surprise me that people get burned.

    2. Re:A real person phished by toad3k · · Score: 2, Insightful

      I've witnessed an otherwise normal 18 year old man give out his credit card details over the phone and then proceed to exclaim with joy to all in the room that he had just won a free scholarship.

      Another classic that hits my old neighborhood in St. Louis every now and then. They put a letter on the doors of every house in the neighborhood proclaiming that their house represents a normal suburban dwelling and some movie producer in Hollywood would like to do a test shoot to determine if they could use it for a movie. Just send $40 to this address, so we can set up the appointment. I know of 1 neighbor who fell for it, and another neighbor who only barely prevented his wife from falling for it.

      One that hit my college recently. Someone had a list of names and addresses of college students. Home addresses that is. So they sent a phone bill for about a hundred bucks to several hundred parents. The parents, being used to getting bills from the college, often just paid the bill out of habit, afraid that if they don't pay promptly, it will cause problems.

      There is no shortage of suckers in America.

    3. Re:A real person phished by clausiam · · Score: 2, Interesting
      How about this one then: I use online banking to pay most of my bills. My bank sends me reminders by email when I have a new bill. Those emails include a link to a logon page. Since these are "expected" emails it would be very easy to use in a phishing scheme. Of course, they are targeted to one particular bank and they also include the name of the Payee so that does make it a bit harder to fake, but I'm sure a Phisher could get a lot of hits by using "Bank of America" or "Wachovia" and common payee names like "Bellsouth", "Sprint" etc.

      Since I'm a bit paranoid I never follow the links from those emails, but just open a browser and manually navigate to the login page. But I would imagine that most people using this service don't do this.

      I wonder when we'll start seeing this kind of more targeted phishing scam.

    4. Re:A real person phished by cmstremi · · Score: 3, Funny

      Uh - what? Sorry - You lost me at "hot Brazilian chicks"...

    5. Re:A real person phished by itchy92 · · Score: 2, Funny

      The most effective phishing attempt on me was carried out IRL.

      My friends and I drove from Tallahassee to Atlanta for a concert, and as we got into downtown that night, I stopped for gas at a Chevron. This guy in a blue and white (Chevron's colors) jacket-thing walks up and asks what I need.

      Me: "Just ten bucks in gas."
      Guy: "Alright."
      [Guy is just standing there staring at me]
      Me: "... Do I just pay you?"
      Guy: "Yeah."
      Me: "... Oh, okay."

      I hand the guy ten bucks, and he walks off into the night, and I'm standing there feeling like a COMPLETE dumbass. Needless to say, it wasn't one of my proudest moments. But I was a stupid 17-year-old kid, so...

      The funniest (I guess) part was that a cop SAW THE WHOLE THING, comes by and I tell him what just happened. He shakes his head and says, "Don't come around here no more." Nice, officer, way to make me feel safe in your city.

      --
      Slashdot: News for nerds. Stuff tha-- MICRO$OFT IS THE DEVIL!!1
    6. Re:A real person phished by Thaelon · · Score: 2, Insightful

      You say there is no shortage of suckers in America like there aren't just as many per capita in every other country.

      I don't understand why people think people in other countries are somehow fundamentally different.

      People are people. Stupid, brilliant, funny, boring, fat, scrawny, beautiful, ugly etc, nationality doesn't enter into it.

      Go pick up A Perfect Circle's eMOTIVe and become a dreamer.

      --

      Question everything

  8. Movie style villain by usernumber31337 · · Score: 5, Funny

    "'The typical phisher, he discovered, isn't a movie-style villain but a Romanian teenager"

    A Romanian teenager is a typical movie style villain. Haven't they ever seen Blade?

  9. Just Received My First Phishing Email by ras_b · · Score: 3, Informative

    Maybe you guys are getting these all the time, but I don't email much and just received my first phishing email. I never read or open anything if it looks even remotely sketchy, but this one was pretty good. I believed it for a few seconds, until I logged in to PayPal through a separate browser and verified no changes had been made to my account. I then forwarded the email to spoof@paypal.com as PayPal requests. They wrote back to verify that the email was a scam. Another giveaway was that every link in the email, including the phony email address, had the following URL behind them (I never clicked it; don't know what's there): h t t p ://linux.fal.pt/fundicao/img/cmd/index.html

    Original message (I added spaces to URLs so they wouldn't be links):

    From : PayPal Inc.
    Sent : Tuesday, June 14, 2005 3:58 PM
    To : my_email@hotmail.com
    Subject : Unauthorized Access: (Routing Code: P101-K001-Q-P090)

    You have added funstuff12@aol.com as a new email address for your
    PayPal account.

    If you did not authorize this change or if you need assistance with
    your account, please contact PayPal customer service at:

    h ttps://www.paypal.com/cgi-bin/webscr?cmd=_login-ru n

    Thank you for using PayPal!
    The PayPal Team

    Please do not reply to this e-mail. Mail sent to this address cannot be
    answered. For assistance, log in to your PayPal account and choose the
    "Help" link in the header of any page.

    PROTECT YOUR PASSWORD

    NEVER give your password to anyone and ONLY log in at
    h ttps://www.paypal.com/.Protect yourself against fraudulent websites
    by opening a new web browser (e.g. Internet Explorer or Netscape) and typing
    in the PayPal URL every time you log in to your account.

    PayPal Email ID PP1507

    1. Re:Just Received My First Phishing Email by TheKidWho · · Score: 2, Informative

      Hey, if you get those emails, forward them back to spoof@paypal.com

    2. Re:Just Received My First Phishing Email by benwb · · Score: 2, Interesting

      It's fairly clever. The phish links to a mock-up of a PayPal "This page has moved" screen. Clicking the moved link launches a new browser window without an address bar, but with one simulated using HTML. To a naive user it would appear that you were logging in to the secure PayPal site.

    3. Re:Just Received My First Phishing Email by dleewo · · Score: 2, Insightful

      I actually get them quite a bit, but unlike you, I actually follow the links and fill in bogus information...usually supplemented with a lot of profanity.

      I figure someone, somewhere, must read the info, and at the very least, they get an earful (or an eyeful)

    4. Re:Just Received My First Phishing Email by wrecked · · Score: 2, Informative

      Thanks for your post. I just tried it out; it's pretty clever. The IP address is 62.48.224.25 for that URL you posted (h t t p ://linux.fal.pt/fundicao/img/cmd/index.html -- spaces inserted intentionally). whois 62.48.224.25 shows: inetnum: 62.48.224.24 - 62.48.224.31

    5. Re:Just Received My First Phishing Email by sickofthisshit · · Score: 2, Insightful

      The problem with trying to DoS the phishers with bad information (other than *any* contact with compromised servers being risky) is that the "signal-to-noise" ratio seen by the phisher is still pretty damn good.

      The reason is that "signal" = "people falling for a con" is much larger than "noise" = "wise people, who have enough spare time to be actively hostile to complete strangers." In the same way that "stupid" is much more common than "clever."

  10. Re:How it works by Kithraya · · Score: 3, Insightful

    So those who don't know exactly how their highly-computerized car works should not operate one? Should everyone who doesn't have a medical degree and fully understand the human body avoid medical care? Should everyone who doesn't fully understand the intricacies of their local, regional and national economies not participate in them?

  11. Beats this article by far... by CABAN · · Score: 4, Informative

    You should know your enemy. http://honeynet.org/papers/phishing/

  12. Re:They have the public.. by leonardluen · · Score: 5, Insightful

    No, the problem is that when you put a person at a computer their intelligence drops tenfold. They just seem to lose all common sense when a computer is involved.

    For example, if a random stranger walked up to you on the street and said that they were a representative from your bank and said that they must verify your account information otherwise they will have to close down your account, you would tell them to fuck off, walk away, and maybe even call the police on them. Now, that same person gets an email stating the same thing that the stranger on the street said, and suddenly they worry that "OMG I need to give this strange person all my data or they might close down my account."

    They just need to learn to delete and ignore their email, similar to how they would have walked away from the stranger on the street.

  13. The responsibility is with the industry... by J+Barnes · · Score: 2, Insightful

    It's one thing to insist that people bend over backwards to work within the constraints of poorly designed systems, but I think it requires a leap in logic to insist that the fault is entirely upon the user for not interfacing properly with those poorly designed systems.

    People have difficulty learning technology because there is a tiered system of knowledge in anything computer/IT based, and understanding the technology at one level does not necessarily inspire one to learn the technology at a deeper level.

    To use your analogy, there are users that know how to start and drive the car, there are users that know how to drive and also that they should be changing the oil once in a while, and finally there are users that can drive/race/fix/build their cars. The vast majority of the population would fall between the first two drivers. All know how to operate the vehicle, most probably know that they should be thinking about their oil, but about ¼ of them forget to do it on a regular basis.

    There is very little encouraging the average driver to learn anything more about their engine than how to start it. The same is true in computers.

    As soon as someone knows how to start up their PC, log-on to the internet and install applications, there isn't much need to dive deeper in the technology. The difference between a PC and a car is that the auto industry is required to provide easy to use protection to a driver. There is nothing similar in the PC world to protect Joe Average from himself and from others.

    In my mind, this would be akin to auto-manufacturers requiring that a driver turn on their airbag every time they wanted to use it. It's just stupid design.

    What the computer industry needs to realize is that they've got two choices in this scenario. They can take it upon themselves to provide active and easy protection to the average user on their own terms, or they can wait for the Government to mandate a solution.

    With the rash of consumer data theft recently, it's obvious that vast expanses of industry are not protecting data to a satisfactory level. It's only a matter of time before the government starts throwing its weight around.

    1. Re:The responsibility is with the industry... by J+Barnes · · Score: 2, Insightful

      Okay, I agree with that completely. You certainly can never program user stupidity completely out of the system, however I don't feel that we're at a point where they're doing as much as we should be in general.

      That being said, even when there's what I believe to be a satisfactory level of protection for the average user, there will still be plenty of people doing stupid things to expose themselves to risk. That can't be corrected entirely.

      There's no one there forcing you to keep your seatbelt on, I just would like to see the equivalent of a seatbelt supplied as standard equipment.

  14. I've always thought by CastrTroy · · Score: 3, Interesting

    I've always thought that we could use some sort of slashdot effect to curb phishing. When you get a phishing email, report it to some kind of website, once it gets verified as a phishing website, you can kind of just DDOS it. Maybe we could all help out by installing a folding@home type client where phishing urls are DDOSed by a bunch of people. With 100,000 people on such a network, each person would only need to send out a few requests to each site to make it work. There would be problems with the network hacked for bad uses, but limiting the client to only listening to messages that are properly signed would be a good start.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    1. Re:I've always thought by One+Childish+N00b · · Score: 2, Insightful

      Lycos, the popular (sort of) internet portal, once tried this, launching a screensaver that would, when activated, essentially DDoS spamming/phishing sites and other such nasties. It got pulled pretty quickly because of, amongst other things, fear that the network could get hacked (or the phishers pointing their DNS records back to Lycos, essentially reflecting the DDoS back onto them) and doubts over the legality of such an attack, especially with someone with as deep pockets as Lycos to sue if it all came out on top - it was a hacker's and a lawyer's wet dream and it was duly pulled.

      Remember, a DDoS is a DDoS is a DDoS, no matter how unsavoury the target. (Though if you're feeling mischievous, you could try the LadVampire site, which pretty much does the same thing, only it's on the web rather than on your computer.)

      --
      Dealing with lawyers would be a lot less tedious if they all looked like Casey Novak.
    2. Re:I've always thought by UnknowingFool · · Score: 3, Informative
      When you get a phishing email, report it to some kind of website, once it gets verified as a phishing website, you can kind of just DDOS it.

      Unfortunately the problem with this approach is the collateral damage if the scam artists do not use their own machines to host the scam. The ISP or host company gets pummelled and if they didn't know anything about the scam, they're innocent bystanders.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    3. Re:I've always thought by Hyperspac · · Score: 2, Insightful

      I've always thought that we could use some sort of slashdot effect to curb phishing.

      Just fill in bogus info. Given the small rate of return they work with it wouldn't take much before they had more fake replies than real ones. Once the majority of the info they got didn't work, the time needed to sort through it all might put a few out of business.

  15. social protection systems by szo · · Score: 4, Insightful

    It didn't become financially unsustainable after the change, it was well before. In fact, it was a major part of the country's failing economy, and this failing economy was the underlying cause of the collapse of the soviet systems.

    --
    Red Leader Standing By!
  16. Re:They have the public.. by CastrTroy · · Score: 2, Insightful

    Yeah, phishing scams sound surprisingly like wallet inspectors, only on the internet.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  17. Stereotype by williamhooligan · · Score: 5, Funny
    "The typical phisher, he discovered, isn't a movie-style villain but a Romanian teenager, albeit one who belongs to a social and economic infrastructure that is both remarkably sophisticated and utterly ragtag."

    This is a vast exaggeration. The image of an eastern European 'ragtag' social and economic infrastructure is, for example, in complete contrast to the well-dressed, hip, bling-bling superstars that make up my crew.

    We call it Fly Phishing.

  18. Re:They have the public.. by jonwil · · Score: 4, Interesting

    If the bank sends you a letter asking for personal account information, most people would follow up (especially if it contained bank logos and stuff).

    And clueless people tend to associate email with letters. So it's not unexpected that an email complete with official-looking bank logos and graphics (and wording specifically designed to trick unsuspecting people into believing it's genuine) would trick people into falling for it.

    Here is a scheme that (if implemented) would almost completely stamp out phishing (for the bank that has implemented it anyway):

    Each account that is enabled for online banking has a unique number generated for it, stored in the bank secure online banking database alongside the username and password. (call it S)

    The customer is given a little device that would probably look like a little calculator. This device contains an embedded copy of the number generated in step 1 along with simple logic to implement a hash algorithm and a keypad.

    When you access the internet banking site, the bank displays the login and password prompt plus a randomly generated number and a box to put the output hash into.

    The number is stored by the bank systems in a way that directly links it to the IP address of the machine logging in and also so that it is no longer valid after a very short period of time (e.g. 20 minutes or something). Refreshing the login page would get a new different number.

    You would input the number from the login page into your "calculator" thing which would combine it with the secret number inside the "calculator".

    Then you input your username, password and the resulting hash into the login screen.

    Assuming the hash generated by the "calculator" and by the bank (using the stored copy of the secret number) match, you would be allowed into the banking system.

    The hash algorithm (call it F) would be chosen so that there is no number X such that F(S,X) = S for any significant number of values for S

    If the "calculator" is stolen or lost or whatever, you could request a new one (with the old secret number being removed from the bank database for good)

    Even if the fake login page talked to the bank's servers and retrieved a real "challenge code" (to enter into the "calculator") it wouldn't defeat the system since it (and the resulting hash) would expire long before the phisher would actually be able to make use of it.

    Another option would be one-time-use values that you get from your bank and use once to access online banking. Although this option would be less safe because of this:
    Phisher makes fake login page
    Bank customer goes into fake login page and types in username, password and one of their one-time-use values.
    Bank customer gets message back saying "system is down". Now phisher has one of the one-time-use values (error message can be written so as to convince bank customer that the one-time-use value he just used is now "used up") and can grab contents of bank account.

    Myself, if my bank (The National Australia Bank) implemented the "calculator" idea, I would accept it (even if it did mean more bank fees to pay for the "calculator" device)
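    The "calculator" scheme from the comment above, worked through as an added Python example (it is not the poster's code or any bank's). It assumes F(S, X) is HMAC-SHA256 keyed with the per-account secret S, that a challenge is recorded against the IP it was issued to, is single-use and is valid for 20 minutes, and that passwords are stored as salted scrypt hashes; every account, secret and address in the demo is constructed.

```python
import hashlib
import hmac
import os
import secrets
import time

CHALLENGE_TTL = 20 * 60  # seconds: the "20 minutes or something" from the comment


def device_response(secret: bytes, challenge: str) -> str:
    """The customer's 'calculator': F(S, X) = HMAC-SHA256(S, X), shown as 8 hex digits."""
    return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()[:8]


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


class Bank:
    """Server side: accounts with their secret S, plus the outstanding challenges."""

    def __init__(self):
        self.accounts = {}    # username -> {"salt", "pw", "secret"}
        self.challenges = {}  # challenge -> (client_ip, issued_at)

    def enrol(self, username: str, password: str) -> bytes:
        """Create the account and its secret S; the same S is burned into the device."""
        salt = os.urandom(16)
        secret = secrets.token_bytes(32)
        self.accounts[username] = {"salt": salt, "pw": _pw_hash(password, salt), "secret": secret}
        return secret

    def replace_device(self, username: str) -> bytes:
        """Lost or stolen device: the old S is removed for good and a new one issued."""
        secret = secrets.token_bytes(32)
        self.accounts[username]["secret"] = secret
        return secret

    def issue_challenge(self, client_ip: str, now=None) -> str:
        """The random number on the login page, recorded against the requesting IP and time."""
        challenge = f"{secrets.randbelow(10**8):08d}"  # 8 digits: easy to key into the device
        self.challenges[challenge] = (client_ip, time.time() if now is None else now)
        return challenge

    def login(self, username, password, challenge, response, client_ip, now=None):
        now = time.time() if now is None else now
        issued = self.challenges.pop(challenge, None)  # single use, whether or not login succeeds
        if issued is None:
            return False, "unknown or already used challenge"
        ip, issued_at = issued
        if ip != client_ip:
            return False, "challenge was issued to a different client"
        if now - issued_at > CHALLENGE_TTL:
            return False, "challenge expired"
        acct = self.accounts.get(username)
        if acct is None:
            return False, "bad credentials"
        pw_ok = hmac.compare_digest(_pw_hash(password, acct["salt"]), acct["pw"])
        resp_ok = hmac.compare_digest(device_response(acct["secret"], challenge), response)
        if not (pw_ok and resp_ok):  # one message for both, so nothing leaks about which failed
            return False, "bad credentials"
        return True, "ok"


def demo() -> dict:
    """Constructed scenario: an honest login, a replay of the captured pair, a stale challenge,
    and a login after the device was replaced. Times are fixed so the result is deterministic."""
    bank = Bank()
    s_alice = bank.enrol("alice", "correct horse")  # copy of S inside Alice's device
    t0 = 1_000_000.0
    c1 = bank.issue_challenge("198.51.100.7", now=t0)
    r1 = device_response(s_alice, c1)
    honest = bank.login("alice", "correct horse", c1, r1, "198.51.100.7", now=t0 + 60)
    # The same (c1, r1) captured in transit and submitted again: the challenge is already spent.
    replay = bank.login("alice", "correct horse", c1, r1, "198.51.100.7", now=t0 + 120)
    # A challenge obtained at t0 but only presented 25 minutes later: outside the 20-minute window.
    c2 = bank.issue_challenge("203.0.113.9", now=t0)
    r2 = device_response(s_alice, c2)
    stale = bank.login("alice", "correct horse", c2, r2, "203.0.113.9", now=t0 + 25 * 60)
    # After the device is replaced, a response computed with the old S no longer verifies.
    bank.replace_device("alice")
    c3 = bank.issue_challenge("198.51.100.7", now=t0)
    r3 = device_response(s_alice, c3)
    old_device = bank.login("alice", "correct horse", c3, r3, "198.51.100.7", now=t0 + 30)
    return {"honest": honest, "replay": replay, "stale": stale, "old_device": old_device}
```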

  19. Re:IRC Cashiers Karma by emmons · · Score: 5, Insightful

    We destroyed their way of life

    How so? Their way of life didn't work and the system imploded on itself. Granted we did all we could to speed the process, but we weren't the cause.

    --
    Do you even know anything about perl? -- AC Replying to Tom Christiansen post.
  20. Re:How it works by Kithraya · · Score: 2, Insightful
    You're seriously sitting there and saying "knowing things is a bad idea"...


    No, I'm not.

    You're saying that it's the car owner's fault if they get tricked into a repair that wasn't necessary on their vehicle. I say if someone tricks them into buying new tires when the current ones are fine, the owner should have known better. But if a mechanic tells me that my timing chain is loose, should I know better? Should I know exactly how much slack there should be in a timing chain? For that matter, should I know the difference between every belt and chain under the hood? No, of course not! That's what we pay other people for. It's not realistic to expect anybody to know everything about every topic.

    I'm all for doing some research before having major medical procedures done. If someone talks you into having your appendix removed for a second time, then shame on the patient. But can you honestly tell me that every patient should be able to read an x-ray and tell the difference between bronchitis and an allergy-related cough? Again, of course not. That's why we pay doctors. It's not realistic to expect everybody to know every possible medical fact and procedure.

    I'm not sitting here saying knowing things is a bad idea, but I am advocating being reasonable and what level of knowledge should be expected out of the average person, especially in fields outside of their "main field." Can you honestly tell me you feel differently?

  21. Read tfa, feeling hollow by Willeh · · Score: 2, Insightful
    As per the article, all this is is just plain old playing it by the numbers. Send out 1000k+ emails, some of them are bound to be hits, then profit from there. This article really doesn't prove much beyond what was already pretty much known.

    Also I have to say I doubt the notion that there are "phishers 'r us" websites/ lists/ organisations that can a). operate for any decent length of time before going down by infighting and b). stay out of the public eye for however many years now?

    What I'd really like to see though, is an effort by governments to curb this kind of criminal behavior first, and then going after petty internet crime like music piracy et al. Hell, if they can bust a warez ring, a phishers' ring with real, tangible damage to both banks and customers would be even easier. Especially if they (supposedly) already have leaks, like Mr. Incredible here who used his massive skills to write a vague article that really doesn't tell us much.

    --
    Will wank off Linus Torvalds for fame.
  22. Re:How it works by Peyna · · Score: 2, Insightful

    I think you need to back off the elite attitude a little bit.

    As far as driving goes, most of the "morons" I see on the road are those that think they know everything and they don't. (i.e., I'm the best driver in the world and everyone else is a moron). Their ability to actually handle an automobile has little to do with knowing how the innards work.

    The point in computers is that they are supposed to be easy to use. While you might find it exciting to look at a URL and understand that it isn't actually pointing where you think it is, a good majority of "average" users, probably don't even look at the address bar a good majority of the time (possibly because they are so often bombarded with "junk" looking URLs, i.e. look at the average slashdot URL when browsing comments).

    People want to be able to sit at a computer and have it do what they want it to do without having to worry about those mundane details. This isn't a user issue, it's a design issue. It is easy to sit around and blame stupid users, but they're only stupid because the design hasn't conformed to their needs.

    Think of it in terms of Operating Systems and security. The OS should come configured to be secure already. The average user isn't going to know or want to know how to make it secure, they expect to already be secure. Are they "stupid" for not wanting to do that? No, it is the manufacturer's responsibility to make sure that takes place, so that the user doesn't have to worry about it.

    We can either try to educate the world, or we can design products that conform to the world's "stupidity". The latter will probably be more successful.

    --
    What?
  23. Lots of easy ways to solve this... by hacker · · Score: 4, Informative

    There are some very simple ways to solve this, en masse...

    1. Set up a milter that calls HTML::Strip to strip out all HTML from email. I don't want my webpages on port 25, just like I don't want my email on port 80. Users don't know or care anyway, set it up at the MTA side and they'll get clean emails.

    2. Use a real MUA, like pine, mutt or other that allows you to see the actual content of the message, not its abstracted "rendered" equivalent. I simply hit 'h' in pine, and can see the resulting link that the phisher is trying to send me to... if it doesn't match the anchor tag, it gets deleted (and forwarded to spam-$USER, see dspam below).

    3. Don't run Windows. Nothing more need be said here. When the same ActiveX control is used by Exchange to "render" email into your mailbox as MSIE to "render" malicious HTML to your browser, you should be concerned.

    4. Install and configure dspam. Problem solved after only a few phish emails come through. Simply send them back to your internal spam-$USER address and you'll never see them again, including future ones that are similar. If you want to see them again, go into the web interface and send them to your mail, which will automagically re-score them lower so they get through. My users and I haven't seen a single spam get through to any of our mailboxes in MONTHS, not a single one. Beats the pants off of anything else out there that I've used.

    5. Education. Teach your users that they should never respond or click URLs in email, ever, period. Show them that PayPal and eBay and other companies never ask you to log back in to verify any personal information. Show them how these systems work, and reinforce it all the time by asking them questions about it. Drill it into them.
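
    One way to automate the check in step 2 above (does the real link target match the site the anchor text claims?) over the HTML part of a message. This is an added example, not code from the comment, pine or dspam; the sample message and every hostname and IP address in it are constructed for the demonstration.

```python
"""Audit anchors in an HTML mail body: does the link target match the host the
visible text claims? Added example (not from the comment, pine or dspam); the
sample message and every hostname/IP in it are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: two of the four links are the kind of thing step 2 above
# catches when you look at the real href instead of the rendered text.
SAMPLE_HTML = """
<html><body>
<p>Dear customer, please <a href="http://203.0.113.7/pp/login">log in at
https://www.paypal.com/</a> to verify your account.</p>
<p>Your receipt is at <a href="https://www.paypal.com/receipt/1234">
https://www.paypal.com/receipt/1234</a>.</p>
<p>Account help: <a href="https://paypal.com.example.net/">www.paypal.com</a></p>
<p><a href="https://www.example.com/help">Help center</a></p>
</body></html>
"""

# A hostname or URL mentioned in the visible anchor text, e.g. "www.paypal.com".
_URLISH = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so text broken across lines compares cleanly.
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def same_site(claimed, actual):
    """True if the claimed host is the actual host or a parent/child of it
    (www.paypal.com vs paypal.com), but not when it is merely a prefix of a
    longer name (paypal.com.example.net is NOT paypal.com)."""
    return claimed == actual or actual.endswith("." + claimed) or claimed.endswith("." + actual)


def audit_anchor(href, text):
    """Return a list of reasons this link is suspicious; empty means no finding."""
    reasons = []
    link = urlparse(href.strip())
    host = (link.hostname or "").lower()
    if link.username is not None:
        reasons.append("credentials before the host in the link")
    if _IPV4.fullmatch(host):
        reasons.append("link goes to a bare IP address")
    match = _URLISH.search(text)
    if match and host:
        claimed = match.group(1).lower()
        if not same_site(claimed, host):
            reasons.append(f"text names {claimed} but link goes to {host}")
    return reasons


def audit_html(html):
    """Return [(href, text, reasons), ...] for every anchor in the HTML part."""
    collector = AnchorCollector()
    collector.feed(html)
    collector.close()
    return [(href, text, audit_anchor(href, text)) for href, text in collector.anchors]


def flagged_links(html):
    """Just the hrefs that earned at least one reason."""
    return [href for href, _, reasons in audit_html(html) if reasons]


if __name__ == "__main__":
    for href, text, reasons in audit_html(SAMPLE_HTML):
        verdict = "; ".join(reasons) if reasons else "ok"
        print(f"{text!r} -> {href}\n    {verdict}")
```

    Hooked into a milter, the same function can quarantine or tag a message on any non-empty result instead of printing it.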

  24. Re:IRC Cashiers Karma by wwwojtek · · Score: 3, Insightful
    We destroyed their way of life and now they are stealing from our grandparents

    How is that "interesting" and not "-1 clueless?"

    Communism did not work. Period. That's why it failed. It was our "way of life" because the alternative way of life was taken away. It was destroyed because it failed miserably. Actually, it destroyed itself. Yes, the US probably helped (though proving it is hard), but the core reason why communism failed was its own inadequacies: if you destroy economic incentives, you are going downhill and there is no way around it. It does not necessarily mean the collapse of the system - you can vegetate for years at the subsistence level (Cuba) or below it (North Korea). If you really helped us in destroying our old way of life - big thank you, I am deeply grateful that you did so.

  25. Re:How it works by galego · · Score: 2, Insightful

    I don't believe the phrasing 'know exactly how [insert item] works' was ever used ... but I shouldn't have to read anything and understand before replying, should I? (OK ... I'll stop being a troll/flamebait and answer the questions)

    Should everyone who doesn't have a medical degree and fully understand the human body avoid medical care?

    No ... but they should not blame the doctor when they don't make any effort whatsoever to educate themselves, when they don't read literature given to them or follow instructions given to them by their doctor. Who's generally healthier ... those who take time to understand something about the (their) human body and to provide for it properly, or those who don't?

    Should everyone who doesn't fully understand the intricacies of their local, regional and national economies not participate in them?

    No ... but when things do not go as they expected, then maybe they will pay more attention.

    Sure ... many of us don't read the manual when picking up a new gadget, but if I don't ... I accept the consequences that come with that behavior. I agree that things should be generally easy/intuitive to use. I also understand that I am ultimately responsible for myself, my accounts, information and property. Things may happen, out of my control, but that doesn't mean I should just give up and blame someone else for not making it 'easy enough'. More and more, people are looking to blame someone else for what went wrong and seeking some sort of 'insurance' so that they don't have to 'worry' about it.

    I'm not saying that those that get phished 'deserve it'. I'm saying those that educate themselves some, are less likely to get phished than others.

    --

    Que Deus te de em dobro o que me desejas

    [May God give you double that which you wish for me]

  26. Huh? by mfh · · Score: 2, Interesting

    Communism did not work. Period.

    So I guess you prefer the Absolutist way?

    Here's the apple: Communist Russia was one of the global super-powers. You are suggesting they got to that status by using a flawed system of government? It's views like yours that START COLD WARS.

    The only flaw in Communism is that it can be corrupted by the greedy. But the same can be said about capitalism and democracy.

    --
    The dangers of knowledge trigger emotional distress in human beings.
    1. Re:Huh? by wwwojtek · · Score: 3, Insightful
      Don't put words in my mouth. Believing that something is unambiguously wrong does not necessarily mean that I believe there is an absolute truth (whether I do believe it or not is off topic).

      Yes, and I do believe that you can become an absolute power with a flawed economic system and a flawed system of government. The problem is you cannot stay an absolute power. Here is how it worked: heavy industry was the way to go in the 20s and 30s. Let's invest all we have in coal, steel and whatever else we can think of. That does work; the system is not efficient, but we put so many resources into it that it's going to show results. The problem, though, is that the world changes, technology changes, and without capitalist incentives you will not be able to make the right decisions. It's actually quite simple: in capitalism everyone has an influence on where the system is going, through their pockets. In communism, it is only the "elite" that does, and the elite does not have full information and will not be able to make all the right decisions.

      The only flaw in Communism is that it can be corrupted by the greedy. But the same can be said about capitalism and democracy.

      I have never understood how people who have never seen communism in action feel free to make these kinds of statements. Taking away freedom and destroying hope for a better tomorrow is not a flaw for you? I am sure you have never waited in line for 10 hours to get a piece of meat, right? Have you seen what towns designed by communist planners look like? Did you know that pollution magically fell after the collapse of communism? What about the fact that the average lifespan in countries like Hungary, the Czech Republic and Poland increased by more than 5 years since 1989? None of these was because of corruption or greediness; they were due to some (often highly educated) nitwits in the government thinking that they were making the right decisions.

    2. Re:Huh? by That's+Unpossible! · · Score: 2, Insightful

      Yeah, because commuting to an office 2 hours each way and sitting in a cubicle isn't soul destroying at all.

      What does your commute have to do with capitalism?

      Capitalism is almost as much a lie as communism. The people at the top completely get to screw over the ordinary worker.

      In capitalism, there is no such thing as "the ordinary worker." If you're fed up with doing menial, unsatisfying work, then start your own business or find a job elsewhere that you like better. That's capitalism.

      It may not look entirely bad in the US, but have you seen capitalism in action in places where people (including kids) work half the day (12hrs+) in appalling conditions for a pittance?

      Yes. And have YOU seen the other 3rd world countries where there is no capitalist enterprise, and people slave away and don't even make a pittance? Without capitalism, what would those people be doing? Most likely their leaders are corrupt, which is why their countries are destitute. Don't blame how fucked up some countries are on capitalism.

      They're coming to places like the UK and Ireland (full work permitted by new EU members there) where for now they can get better paying jobs, but it's a system in decline. Wages will have to continue to decline in the West too - and wages will only go up slowly and to a lower plateau elsewhere.

      Uhhh, what exactly are you basing these highly insightful claims on? Capitalism is not a zero-sum game. Capitalism is like a pie. You can always make a bigger pie and feed more people from that pie. Making a bigger pie doesn't mean someone else has to make a smaller pie.

      Ultimately, capitalism and the Western system will fall too. It is a lie (look at the US deficit - an entire economy running on a gaping overdraft).

      Again, you are blaming capitalism for something it had nothing to do with. Our fucked up deficit is based on the stupidity of our elected officials, who spend more money on bullshit than they take in. They use the money to buy votes through pork-barrel spending.

      It will just take longer - and may be propped up for more than a century through the continued exploitation of the rest of the world.

      Yes, the terrible exploitation performed by America.

      Do you really want me to list all the billions in AID we give the rest of the world? It's convenient to leave that part out when you want to pillory the US, isn't it?

      --
      Ironically, the word ironically is often used incorrectly.
    3. Re:Huh? by 99BottlesOfBeerInMyF · · Score: 2, Interesting

      Taking away freedom and destroying hope for a better tomorrow is not a flaw for you? I am sure you have never waited in line for 10 hours to get a piece of meat, right?

      Hold on there. I agree with your post for the most part, but correlation is not causation. Communism is not a form of government, only an economic model. It has been unfortunately paired with corrupt democracies and oligarchies in recent history. In truth neither capitalism nor communism is a workable system. Pretty much every government on earth is implementing some mix of capitalism and socialism. There are plenty of examples of corrupt democracies with horrible, degrading living conditions. The long and short of it is, communism seems to fail more often as economies get larger, and capitalism fails more often as economies get smaller. The competitive and innovative advantages of capitalism are useless when applied to very small economies and result in an overabundance of duplicated effort. The collaborative and gestalt advantages of communism become too easily hijacked as economies become large and unwieldy, making profiteering and misinformation too easy.

      People are greedy, corrupt, power hungry, stupid, lazy, and downright evil. They are also kind, generous, brilliant, helpful, hard working, determined, and caring. Building a system that capitalizes upon the latter qualities while still buffering against and accounting for the former is not easy. In truth, I think probably a series of communist cells not more than a few hundred thousand people all competing with each other, trading with one another, with free movement between them and with a consistent, democratic government would make for a good utopian experiment.

      Eventually the system will probably find a balance, or we will all die in a cataclysmic event. Time will tell.

  27. Re:HTML Email is good by hacker · · Score: 2, Insightful
    And what is wrong with sending formatted text as email? Maybe all the HTML email you get is spam, but people actually use HTML email for real work (messages including tables, images, etc.). HTML email sure beats Microsoft Word attachments, which is what people would be using otherwise.

    I don't get HTML email, actually, because it's automatically stripped at the MTA, same for all of my users, and I've never heard a single complaint yet.

    I was being simplistic when I suggested using HTML::Strip. The full milter uses a lot of other modules, including ::Strip, HTML::TableExtractor, and others... to make sure that the actual content of the email isn't lost, even if fonts and colors and images are.

    But like I said... webpages go on port 80, email on port 25. Period.

    Actually, I should reconfigure all outgoing HTML email to be sent as DocBook XML instead. What? You can't render DocBook XML? Oh, you should upgrade your mail client then. Maybe I'll use PostScript for HTML-based email instead, and blame those Outlook users who can't read standards-compliant attachment types.

    See the problem here? I don't like email senders dictating what tools I use on my end to read their email. I shouldn't have to turn my mail client into a browser to read email, just like they shouldn't have to load OpenJade/DSSSL or Ghostview to read my emails.

  28. Stupid people, or stupid software? by LKM · · Score: 4, Insightful

    I see plenty of comments qualifying people who fall for these scams as "stupid people", "being ignorant by choice" or worse. I think we should remember a few things here:

    • We all have knowledge about computers that is far above average. What might be obvious to us may not be obvious to others at all.
    • Computers are a tool. Many of us may play with computers as an end in itself, but others use computers as a means to an end. To them, an E-Mail is very similar to a letter or a phone call. They don't know how to look at the source of the mail, and they don't know how to figure out whether a mail is legitimate or not - and frankly, I don't think they should have to.
    • These scams are really well done. My mail app doesn't display HTML, but if you actually open the HTML part of those mails in your browser, it looks totally legit. It's easy to see how people fall for these.

    Recently, there's a new, similar scam going on where I live: it's kind of real-world fishing. People install small cameras on ATMs, and they glue little pass-through card readers on top of the slot where you insert the card. If you use such an ATM to get money, they can read out your card data using the reader and get your PIN code using the camera. These things are made in such a way that they "blend" into the ATM's interface and look like they were actually part of the ATM. Do you honestly believe that you would notice this? Do you even think of checking for something like this before getting money? Do you think that everyone should know how the different ATMs look so that they notice it when such a device is installed on them? No? Then why do you expect non-geeks to be able to discern a real mail from PayPal from a scam mail? Legitimate mails from many money-related web sites contain clickable links.

    Even if you accept that it's the person's own fault if he gives his data to a scam artist, you should grok that you simply can't solve the problem by educating people. That's simply impossible. This is a problem that must be solved using technology. Banks should sign their mails, and mail apps should clearly notify you if a mail is not from where it purports to be. Maybe it shouldn't let the user click on links if the user doesn't have the public key for the mail. Maybe there are entirely different solutions for this problem. But one thing is clear: Educating people won't work, no matter whose fault it is.

  29. Re:socialism by tomstdenis · · Score: 2, Insightful

    Oh, you're mistaken. Our unemployment is higher because we actually KEEP TRACK of people not working. ;-)

    Tom

    [I'm just messing around here, no "wanna fight about it" please...]

    --
    Someday, I'll have a real sig.
  30. Advantages of a Distributed Crime Network by borkus · · Score: 3, Insightful
    One thing that the article points out is that phishing isn't just about gullibility. It succeeds because the players act as a distributed network. Because perpetrators are so unlikely to get caught, it's hard to deter people from doing it.
    • Each part of the network is separate. The guy who gets the information on an account, versus the guy who breaks into it, versus the guy who receives the money. Knowing who is using the account doesn't help you catch the guy who sent the original phishing e-mail. The fact that the network is international makes coordination by law enforcement even harder.
    • Roles are interchangeable. From the article, it appears that phishers don't have to use the same cashers all of the time. You can't take out one piece of the network and cripple it. Phishers just move onto another casher.
    • Communication is largely anonymous. In old fashioned criminal networks, you had to be face to face at some point - to exchange money for narcotics, stolen property or bootleg liquor. In these new networks, no-one knows the actual person they're dealing with. If you do apprehend one member of the network, that member has very little information useful in arresting others.
  31. why https in paypal phishing attacks? by amiable1 · · Score: 3, Funny

    I got a phishing attack today. They ask me to log in to https://www.paypal.com/ Note the extra s. Non-obviously, it's fake. How does this redirection work?

    1. Re:why https in paypal phishing attacks? by Phroggy · · Score: 2, Funny

      Are you sure it wasn't something like...

      https://www.paypal.com/

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  32. watch out for pop-ups from shopping cart provider by h0mebrewer · · Score: 2, Informative

    This scam is huge. It got me. Not sure if you'd call it phishing, maybe just unscrupulous activity by the shopping cart provider, but this will rob you just by supplying an email address. http://adam.rosi-kessel.org/weblog/the_man/webloyalty_aka_wli_reservations_is_a_scam.html I purchased movie tickets from Fandango.com two years ago. Evidently a popup appeared after my transaction offering a discount for filling in a survey (must have been using the girlfriend's Windows box w/ IE). I gave my disposable email address and that became authorization to start charging me a monthly fee. I did not provide my credit card number, other than to Fandango to buy movie tickets. Fandango was nice enough to forward my credit card to this company Reservation Rewards aka Webloyalty. That's all it took. Read the link above. It's unbelievable that this kind of thing could happen, but these crooks are operating to this date. They have quite a few other names. I've called, complained, and in theory I'm getting completely refunded. When/if I do, I'm going to contest the last two monthly charges ($7 each) and see if I can make them eat a service charge. Just getting my money back wouldn't be enough, because probably only a small percent catch what this company does, and those who do may not catch it quickly. If you're the type who doesn't scrutinize your debit card transaction statements, they might be robbing you. At $7 per month, this amount is small enough that it could fly below the radar. I wonder if http://www.webloyalty.com/ could withstand the slashdot effect? These people need it bad.

  33. Phishing in general... by It+doesn't+come+easy · · Score: 4, Interesting

    I received a very clever phishing email the other day. It was good enough to make one want to click the link and make sure everything was OK. I receive lots of email from the "admins" of eBay concerned that someone is using my account nefariously. Those are always bogus, so not a problem. This one, however, had the following text (I saved it cause it was that good :):

    "Dear eBay member, Yes, i can ship to your location, and i accept escrow for payment.
    Thank you,cowboyup618"

    Then, in a boxed message there was a button with the text "Please respond to the question on eBay by clicking the button below. You'll have the option to display your response directly on the listing."

    If you notice, this simple message looks like it was from a seller and he had a bid from me. If I were an active bidder on eBay, I would be concerned that I had won a bid that I had forgotten about. It would be very easy for someone in this position to click on the button.

    As phishing emails go, it was a pretty good try.

    --
    The NSA: The only part of the US government that actually listens.
  34. meta-phishing by samkass · · Score: 5, Funny

    "Hello, I am a Nigerian 'phishing' hacker who steals money. But I have no way to withdraw the money from the accounts I've collected. I will give you an account number containing $50,000 in exchange for $1000 pre-paid into my account. Once I verify the money is in my account, you will receive instructions for how to access the $50,000."

    --
    E pluribus unum
  35. Klingons also phish.... by Toadius · · Score: 2, Funny

    I don't think it is fair to just pick on the Romulans...wait a second...this isn't the STNG forum? What the hell are ROMANIANS anyway?

  36. Re:They have the public.. by Blue+Stone · · Score: 2, Interesting
    "for example, if a random stranger walked up to you on the street and said that they were a representative from your bank and said that they must verify your account information otherwise they will have to close down your account, you would tell them to fuck off, walk away, and maybe even call the police on them."

    Interestingly, Derren Brown, a fellow specialising in psychological manipulation and stuff like that, did a stunt in a seaside resort (the clip isn't to be found at the link I gave unfortunately) where he 'simply' went up to people, asked them for directions to somewhere, and then asked them for their wallet/purse.

    He was successful about 60% of the time (IIRC) and walked off with the person's cash. The victims all then stood about a little while later, wondering if something wasn't amiss, and then, realised something and chased Derren down (who had only sauntered a little distance down the road) to ask him if they hadn't given him their cash.

    One poor chap was given his wallet back, and then Derren took it away from him again, there and then!

    Don't be too sure that the internet is to blame. People have been conned in the real world since time began.

    --
    Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
  37. UOPO has this class! by SmithB1 · · Score: 3, Funny

    I hope no one has posted this yet, but The University of Phoenix Online now has a one year introductory course on phishing (along with 739 other degrees in great careers.) A Master's program will be introduced next year if there is enough interest!

  38. Why Romanian teenagers? by swatthatfly · · Score: 3, Interesting

    I read the article with interest, hoping to find an account of how the Romanian teenagers organized themselves into a sophisticated network of phishers. Instead all I found was a reference to how the typical phisher is Romanian, but without any explanation of how they arrived at this conclusion. So why Romanian? I guess it sounds exotic and that's enough to make it interesting. Another load of crap about chat rooms, following other articles with IRC==bad && foreigners==scary in the subject line. How about some info describing what level of sophistication can be achieved in a country where dial-up is the norm and moving out of the city means not having a landline at all, hence no Internet?

    --
    keyboard not found! press any key to continue...
  39. In Soviet Russia... by ArsenneLupin · · Score: 2, Insightful
    ... and this failing economy was the underlying cause of the collapse of the soviet systems.

    ... and the soviet system was the underlying cause of the failing economy!

  40. So, put gpg on a calculator... by karlandtanya · · Score: 2, Informative
    Or carry around your secret key on a smartcard that has its own tiny processor, memory, and I/O and a zero-knowledge checking algorithm. Plenty of that going on already.

    BTW, you should also add a fingerprint or retina scan.


    Authentication:
    • Something you know: Your password
    • Something you have: Your secret key
    • Something you are: Your fingerprint/retinal blood vessel pattern.

    The technical aspects of security are not the problem. They've been solved many times in many ways long ago. The problem is getting people to follow good security practices:
    • It's not going to happen to me.
    • Even if it does, the consequences won't be that great.
    • It's too much trouble to protect myself.

    Solve those problems and you'll have information security. Don't and you won't.

    --
    "Reality is that which, when you stop believing in it, it doesn't go away." - Philip K. Dick
  41. Outsourcing by Tipa · · Score: 3, Funny

    Phishing is a job? Wow, finally a new sort of tech job and it is immediately shipped overseas.... can't even buy a break these days.

  42. How the WebLoyalty scam really works by Animats · · Score: 4, Informative
    Now, a patented phishing scam! The CEO of WebLoyalty, Vincent D'Agostino, has two patents on the technology, both titled "Method and system for cross-marketing products and services over a distributed communication network".

    Here's the WebLoyalty online demo. This is triggered after checkout from some other store. All the customer provides is an E-mail address, or at least a click on the big red button below the E-mail address form. Their credit card information is taken automatically from the previous transaction.

    The key to WebLoyalty is that it's embedded in VirtualCart, a popular shopping cart program, and is on by default. It's quite possible for a merchant to be serving the WebLoyalty scam without even being aware of it. The merchant can't even turn it off directly. From the VirtualCart WebLoyalty FAQ:

    • Q. How can webloyalty.com afford to offer Special Rewards and not get paid?
    • A. webloyalty.com ultimately generates its revenue from the customer. Each customer who claims the Special Reward is offered the chance to join a discount shopping and protection service (Reservation Rewards), discount travel service (Travel Values Plus), shopping protection service (Buyer Assurance), or credit card and identity protection service (Wallet Shield). Although there is never an obligation for the customer to continue after the 30-day free trial, many customers choose to continue a service for its valuable benefits. This subset of consumers provides revenue to webloyalty.com.
    • Q. Why allow the customer the opportunity to transfer his information as opposed to re-entering it?
    • A. We believe the customer is always right. And after chatting with hundreds of customers, we heard one thing loud and clear... they want convenience. Most consumers believe allowing them to transfer their personal and financial information with their express permission is much more convenient than re-entering it. Just ask Amazon.com's customers!
    • Q. How do I opt-out of this program?
    • A. Send us an e-mail to support@vcart.com with your cart ID and we will be more than happy to review your account for removal from this program. virtualCART reserves the right to require all merchants to participate in the program.

    And there you have it, the world's most successful phishing scam, run by a Harvard MBA.

    If you need to sue those guys, look them up at the Secretary of State of Connecticut web site, which has their real address and the names and addresses of the corporate officers. Their actual business name is "WebLoyalty.com, Inc."

  43. Re:They have the public.. by motivator_bob · · Score: 2, Interesting

    they just need to learn to delete and ignore their email, similar to how they would have walked away from the stranger on the street.

    The main identifying feature that people use when someone comes up to them on the street is how they appear. How they come across to the person being targeted, which may be heavily based on first impressions.
    If this looks legit, (just like an email might look legit) then the target may well think, "well, he looks like the right person", and hand over what is being asked for.

    Then again, if the guy is standing there in the fake plastic glasses, big nose and moustache and the person still hands over the info, well, people still need to take responsibility for their actions.

    Common sense isn't.