Slashdot Mirror
How the Phishing Biz Works
Carl Bialik from the WSJ writes "Christopher Abad has spent much of the past six months 'stalking the phisher underground,' Lee Gomes writes in the Wall Street Journal. 'The typical phisher, he discovered, isn't a movie-style villain but a Romanian teenager, albeit one who belongs to a social and economic infrastructure that is both remarkably sophisticated and utterly ragtag. If, in the early days, phishing scams were one-person operations, they have since become so complicated that, just as with medicine or law, the labor has become specialized.' For instance, a phisher in Romania who successfully scores account information for someone in the U.S. may go on IRC to seek out a 'casher' to withdraw money from the target's account, and send a cut back to the phisher."
But not as prettyful as... This Technology
http://www.sandstorming.com
Remember that that cold soldering iron "Cold Heat" you see advertised on TV late night was invented by Romanian immigrants.
Yeah, and before you diss Americans, that "Pocket Fisherman" you see advertised on TV late night was invented by Americans...
What's your damage, Heather?
I always thought that only old people would fall for these phishing and scam emails. The problem is, here in Brazil it's not like Korea: it is not so common to see old people using computers, specially for online banking. Then one day I met this beautiful, smart and young lady who lost a big sum of money when she got phished. I was surprised to see a real person that got phished. I think she could get it back from her bank, though. It was probably a national phisher, I don't believe it was a teenager from Romania.
"'The typical phisher, he discovered, isn't a movie-style villain but a Romanian teenager"
A Romanian teenager is a typical movie style villain. Haven't they ever seen Blade?
The transition to a more free economy in these countries was anything but graceful. But most of the social protection systems were not savagely gutted, as you put it. Often they were left in place but became financially unmaintainable, or they failed to deal with rampant inflation. Pensioners in Russia still get their state pension; the only problem is that it isn't worth anything these days.
In these countries, a lot of shady property deals went down, people got screwed over, there was profiteering, extortion, and theft on a grand scale, but many of these crimes of greed were perpetrated by people who were already criminals, or former socialist potentates (or both). 'Harvard Business school types' had very little to do with it.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
Uh, yeah, because under Ceausescu all these Romanian computer owners (with their free communications with the rest of the world) used their luxurious lifestyles for the betterment of the less fortunate...
What I'm listening to now on Pandora...
You should know your enemy. http://honeynet.org/papers/phishing/
no, the problem is that when you put a person at a computer their intelligence drops 10 fold. they just seem to lose all common sense when a computer is involved.
for example, if a random stranger walked up to you on the street and said that they were a representative from your bank and said that they must verify your account information otherwise they will have to close down your account, you would tell them to fuck off, walk away, and maybe even call the police on them. now, that same person gets an email stating the same thing that the stranger on the street said, and suddenly they worry that "OMG i need to give this strange person all my data or they might close down my account."
they just need to learn to delete and ignore their email, similar to how they would have walked away from the stranger on the street.
It didn't became financially unsustainable after the change, it was it well before. In fact, it was a major part of the countries failing economy, and this failing economy was the underlaying cause of the collapse of the soviet systems.
Red Leader Standing By!
This is a vast exaggeration. The image of an eastern europe, 'ragtag' social and economic infrastructure is, for example, in complete contrast to the well-dressed, hip, bling-bling superstars that make up my crew.
We call it Fly Phishing.
If the bank sends you a letter asking for personal account information, most people would follow up (especially if it contained bank logos and stuff).
And cluless people tend to associate email with letters. So its not unexpected that an email complete with official looking bank logos and graphics (and wording specifically designed to trick unsuspecting people into believing its genuine) would trick people into falling for it.
Here is a scheme that (if implemented) would almost completly stamp out phishing (for the bank that has implemented it anyway):
Each account that is enabled for online banking has a unique number generated for it, stored in the bank secure online banking database alongside the username and password. (call it S)
The customer is given a little device that would probobly look like a little calculator. This device contains an embedded copy of the number generated in step 1 along with simple logic to implement a hash algorthim and a keypad.
When you access the internet banking site, the bank displays the login and password prompt plus a randomly generated number and a box to put the output hash into.
The number is stored by the bank systems in a way that directly links it to the IP address of the machine logging in and also so that it is no longer valid after a very short period of time (e.g. 20 minutes or something). Refershing the login page would get a new different number.
You would input the number from the login page into your "calculator" thing which would combine it with the secret number inside the "calculator".
Then you input your username, password and the resulting hash into the login screen.
Assuming the hash generated by the "calculator" and by the bank (using the stored copy of the secret number) match, you would be allowed into the banking system.
The hash algorthim (call it F) would be chosen so that there is no number X such that F(S,X) = S for any significant number of values for S
If the "calculator" is stolen or lost or whatever, you could request a new one (with the old secret number being removed from the bank database for good)
Even if the fake login page talked to the banks servers and retrieved a real "challenge code" (to enter into the "calculator") it wouldnt defeat the system since it (and the resulting hash) would expire long before the phisher would actually be able to make use of it.
Another option would be one-time-use values that you get from your bank and use once to access online banking. Although this option would be less safe because of this:
Philsher makes fake login page
Bank customer goes into fake login page and types in username, password and one of their one-time-use values.
Bank customer gets message back saying "system is down". Now phisher has one of the one-time-use values (error message can be written so as to convince bank customer that the one-time-use value he just used is now "used up") and can grab contents of bank account.
Myself, if my bank (The National Australia Bank) implemented the "calculator" idea, I would accept it (even if it did mean more bank fees to pay for the "calculator" device)
We destroyed their way of life
How so? Their way of life didn't work and the system imploded on itself. Granted we did all we could to speed the process, but we weren't the cause.
Do you even know anything about perl? -- AC Replying to Tom Christiansen post.
There are some very simple ways to solve this, en-masse...
Set up a milter that calls HTML::Strip to strip out all HTML from email. I don't want my webpages on port 25, just like I don't want my email on port 80. Users don't know or care anyway, set it up at the MTA side and they'll get clean emails.
Use a real MUA, like pine, mutt or other that allows you to see the actual content of the message, not its abstracted "rendered" equivalent. I simply hit 'h' in pine, and can see the resulting link that the phisher is trying to send me to... if it doesn't match the anchor tag, it gets deleted (and forwarded to spam-$USER, see dspam below).
Don't run Windows. Nothing need more be said here. When the same ActiveX control is used by Exchange to "render" email into your mailbox as MSIE to "render" maliscious HTML to your browser, you should be concerned.
Install and configure dspam. Problem solved after only a few phish emails come through. Simply send them back to your internal spam-$USER address and you'll never see them again, including future ones that are similar. If you want to see them again, go into the web interface and send them to your mail, which will automagically re-score them lower so they get through. My users and I haven't seen a single spam get through to any of our mailboxes in MONTHS, not a single one. Beats the pants off of anything else out there that I've used.
Education. Teach your users that they should never respond or click URLs in email, ever, period. Show them that PayPal and eBay and other companies never ask you to log back in to verify any personal information. Show them how these systems work, and reinforce it all the time by asking them questions about it. Drill it into them.
I see plenty of comments qualifying people who fall for these scams as "stupid people", "being ignorant by choice" or worse. I think we should remember a few things here:
Recently, there's a new, similar scam going on where I live: it's kind of real-world fishing. People install small cameras on those ATMs, and they glue little pass-through card readers on top of the slot where you insert the card. If you use such an ATM to get money, they can read out your card data using the reader and get your pin code using the camera. These things are made in such a way that they "blend" into the ATMs interface and look like they were actually part of the ATM. Do you honestly believe that you would notice this? Do you even think of checking for something like this before getting money? Do you think that everyone should know how the different ATMs look so that they notice it when such a device is installed on them? No? Then why do you expect non-geeks to be able to discern a real mail from Pay Pal from a scam mail? Legitimate mails from many money-related web sites contain clickable links.
Even if you accept that it's the person's own fault if he gives his data to a scam artist, you should grok that you simply can't solve the problem by educating people. That's simply impossible. This is a problem that must be solved using technology. Banks should sign their mails, and mail apps should clearly notify you if a mail is not from where it purports to be. Maybe it shouldn't let the user click on links if the user doesn't have the public key for the mail. Maybe there are entirely different solutions for this problem. But one thing is clear: Educating people won't work, no matter whose fault it is.
I received a very clever phishing email the other day. It was good enough to make one want to click the link and make sure everything was OK. I receive lots of email from the "admins" of eBay concerned that someone is using my account nefariously. Those are always bogus, so not a problem. This one, however, had the following text (I saved it cause it was that good :):
"Dear eBay member, Yes, i can ship to your location, and i accept escrow for payment.
Thank you,cowboyup618"
Then, in a boxed message there was a button with the text "Please respond to the question on eBay by clicking the button below. You'll have the option to display your response directly on the listing."
If you notice, this simple message looks like it was from a seller and he had a bid from me. If I were an active bidder on eBay, I would be concerned that I had won a bid that I had forgotten about. It would be very easy for someone in this position to click on the button.
As phishing emails go, it was a pretty good try.
The NSA: The only part of the US government that actually listens.
"Hello, I am a Nigerian 'phishing' hacker who steals money. But I have no way to withdraw the money from the accounts I've collected. I will give you an account number containing $50,000 in exchange for $1000 pre-paid into my account. Once I verify the money is in my account, you will receive instructions for how to access the $50,000."
E pluribus unum
Here's the WebLoyalty online demo.. This is triggered after checkout from some other store. All the customer provides is an E-mail address, or at least a click on the big red button below the E-mail address form. Their credit card information is taken automatically from the previous transaction.
The key to WebLoyalty is that it's embedded in VirtualCart, a popular shopping cart program, and is on by default. It's quite possible for a merchant to be serving the WebLoyalty scam without even being aware of it. The merchant can't even turn it off directly. From the VirtualCart WebLoyalty FAQ:
And there you have it, the world's most successful phishing scam, run by a Harvard MBA.
If you need to sue those guys, look them up at the Secretary of State of Connecticut , web site, which has their real address and the names and addresses of the corporate officers. Their actual business name is "WebLoyalty.com, Inc."