Slashdot Mirror

← Back to Stories (view on slashdot.org)

Phishing Steals Spotlight at MIT Conference

Posted by ryuzaki0 on from the beware-of-pork dept.

Bob Brown writes "Companies are coping with spam, but phishing is another matter altogether, according to researchers at the annual MIT Spam Conference this week. From the article: "The response rate for phishing e-mails is much higher than for spam, says Paul Judge, CTO of messaging security maker CipherTrust. So while spammers have to send more and more unsolicited e-mail these days, as anti-spam filters get better at identifying and blocking spam, phishing attacks are well enough disguised that a higher percentage get through such filters, and more recipients click on them, he says."

74 comments

  1. Two words by Slash+Veteran · · Score: 0, Troll
    So what.

    If you're stupid enough to fall for these scams, tough shit.

    Unlike viruses which waste bandwidth, further spam via spam zombies, and endangers the internet due to their destructive nature, phishing is one thing I really could give two rats' asses about.

    Next you're going to want me to get all up in arms about Nigerian 419 emails. Fuck it, I've got important things to worry about.

    1. Re:Two words by Anonymous Coward · · Score: 1, Funny

      Yeah, tell me that when your mother's Chase Manhatten retirement account is wiped out because somebody managed to steal her password. Tough shit, deal with it.

    2. Re:Two words by Anonymous Coward · · Score: 2, Insightful

      If you need cash in an unfamiliar city, how can you make the difference between a real ATM machine and a machine which just stores your PIN and eats your card? You can't. You rely on people to quickly identify scams like this and have the local police take the scam machine down.

      Phishing fighting is the Internet equivalent of this.

    3. Re:Two words by Anonymous Coward · · Score: 0

      Maybe in your socialist paradise. In real world it's every man for himself. That's why capitalism works.

    4. Re:Two words by hazah · · Score: 1

      Socialist = government

      Capitalist = economy

      Further more, where, on this planet, have you found a purly Capitalist society?

  2. Uh, duh? by Siberwulf · · Score: 4, Insightful

    The response rate for phishing e-mails is much higher than for spam, says Paul Judge, CTO of messaging security maker CipherTrust.

    Gee, I wonder why...

    Which would you click on? (Under the assumption you're a BoA customer)

    Cl1ck H33RE F0R S|0ft V1A_GR_A!!!!!

    or

    Click here to update your account information.

    Its a matter of logic. You can expect people to fall for things that look legitimate, not the things that just look utterly retarded, like most spam these days.

    1. Re:Uh, duh? by Anonymous Coward · · Score: 0

      It is sad that people actually falls for both.

    2. Re:Uh, duh? by RajivSLK · · Score: 2, Interesting

      The purpose of a well crafted spam email is to market something or convey a message. Our filters are getting pretty good at indentifying this kind of thing. But the whole point of a phising email is to look as much as possible like a legitimate peice of mail. That's the scam and it's fooling the filters too.

    3. Re:Uh, duh? by BACPro · · Score: 3, Insightful

      Other than the obvious differences pointed out by the PP, I always click the phishing emails and seed them with false data.

      The value of the database must go down where there is invalid info in it...

    4. Re:Uh, duh? by arrrrg · · Score: 1

      People must click on the "Cl1ck H33RE F0R S|0ft V1A_GR_A!!!!!" bullshit or the spamming fuckers would stop sending me this shit 10 times an hour. In general I think eugenics is a bad idea ... but really ... I think each and every person who orders from a spam like that should receive a bomb in the mail instead of penis pills. This solution would go a long way towards solving not only spam, but many of the other problems faced by our country today.

    5. Re:Uh, duh? by Siberwulf · · Score: 1

      Agree with you, sadly.

      Forgot the comedian who said it, but let Darwin work. Take the caps off the bleach bottles.

    6. Re:Uh, duh? by emurphy42 · · Score: 1
      People must click on the "Cl1ck H33RE F0R S|0ft V1A_GR_A!!!!!" bullshit or the spamming fuckers would stop sending me this shit 10 times an hour.
      Alternate theory: the spammers just think they're gonna make money ; the real money is made by the folks selling mass-mailers and address lists to to the spammers.
    7. Re:Uh, duh? by njchick · · Score: 1

      If you want to play games with the phishers, you can as well seed their database with the real data and sue the suckers if they try to use it.

    8. Re:Uh, duh? by nevernamed · · Score: 0

      Yeah, it's sad, but a lot of people are stupid. People will enter their eBay passwords anywhere where there is an eBay logo. As one technique becomes inaffective, the spammers think of new ones. It's really a loosing battle that we are all trying to fight.

    9. Re:Uh, duh? by arrrrg · · Score: 1

      I think you may have missed my point. You (I'll give you the benefit of the doubt) and I are NOT really fighting the battle ... we are simply caught in the crossfire. If we could get rid of either of the fighting parties (spammers and stupid people), the problem would by and large sort itself out. Now, which group would be easier to eliminate .....

    10. Re:Uh, duh? by nevernamed · · Score: 0

      lol. Right. Well, I certainly understand what you are trying to say. I think that both spammers and stupid people are both going to be forever part of life. However, seeing as spammers are aleady intelligent people, it is merely a matter of effectively educating those who the tech savvy would consider stupid. How's that for an effective course of action?

    11. Re:Uh, duh? by Thing+1 · · Score: 1

      Congratulations, your leader has instilled in you a fervent sense of others-destruction. Double-plus good.

      --
      I feel fantastic, and I'm still alive.
    12. Re:Uh, duh? by Anonymous Coward · · Score: 0

      one technique becomes inaffective

      "ineffective".

      a loosing battle

      "losing".

  3. Geez. Will it never end? by BigZaphod · · Score: 4, Funny

    First phishing steals identities and now its stealing spotlights, too? And not just any spotlights, either - but MIT spotlights! This has got to stop...

    --
    Hexy - a strategy game for iPhone/iPod Touch
  4. Phishers are a buncha rats ... by Hulkster · · Score: 1

    I rank 'em right up there with the spyware guys - send all the rats to this site

  5. Log-in to Slashdot to Post by slashbob22 · · Score: 1

    Username: [-----------]
    Password: [-----------]

    [Submit]

    --
    Proof by very large bribes. QED.
    1. Re:Log-in to Slashdot to Post by fortinbras47 · · Score: 1

      I guess that's another way to get an account with good karma!

  6. Help stop them, by reporting them by WyrdOne · · Score: 5, Informative

    http://reportphish.org/

    Also, those of you who use GMail, there is a "Report Phishing" option under "More Options"

    1. Re:Help stop them, by reporting them by The+Outbreak+Monkey · · Score: 4, Interesting

      Alternatively you can help stop them by flooding them with usless information by using this site: http://www.phishfighting.com/. Check it out. It is bad ass.

    2. Re:Help stop them, by reporting them by Anonymous Coward · · Score: 0

      does the gmail link interface with reportphish? or are they doing they're own thing?

    3. Re:Help stop them, by reporting them by BadlandZ · · Score: 1

      "GMail, there is a "Report Phishing" option under "More Options" I must be blind, I don't see it. Has anyone actually shown reporting these to be of benifit to anyone? Have people been arrested for fraud recently? Does Interpol deal with it?

    4. Re:Help stop them, by reporting them by IceFoot · · Score: 1

      My GMail doesn't even have "More Options". It has "More Actions" but the actions don't include report phishing.

      What WERE you thinking?
      --
      Mission drift is a hazard in all pursuits.

  7. Phishing emails look legit by Nightspirit · · Score: 2, Interesting

    I keep getting chase banking emails, even though I don't have an account with chase.

    The emails say something to the effect of "bla bla, because of recent security issues, you have to reset your password or your account will be closed within 24 hours."

    The thing is, these emails I've been getting lately look professional and legit. If I was a grandma or ininformed parent I would have clicked on them and likely have my credit account wiped. The email address states "blabla@chase.com" and even the spoofing address looks legit.

    Don't know what we can do about it other than educate people to call their banks and confirm, log onto the banks real address, and not click on any address in an email.

    1. Re:Phishing emails look legit by Anonymous Coward · · Score: 1, Insightful

      If a real bank sent me an e-mail stating that my account would be closed in 24 hours I would have them on the phone in no time and closing all accounts and move to another bank.

      I know people do not think but does it really take that much?

    2. Re:Phishing emails look legit by klenwell · · Score: 1

      I've been getting these Chase emails, too, and my Visa account recently was switched to Chase! I suspected a phisher, so I went to the site and entered some choice obscenities for the user name and password. The login page still sent me to the next page as if I had been logged in.

      So for a certain subset of phishing sites, one check might be to enter incorrect login info and see if it admits you. This should identify sites that are illegit. However, if the site doesn't log you in -- don't then assume that this makes it legit.

      --
      Innovation makes enemies of all those who prospered under the old regime... -- Machiavelli
    3. Re:Phishing emails look legit by iabervon · · Score: 1

      Actually, what could be done is to tell people to view the certificate for the site, and verify that the SHA1 fingerprint matches what's printed on the back of their card. Of course, there's no way to get Chase's certificate without using your password, so it's presently hopeless.

      With browser support, you would identify the certificate when you originally set up your account, and you'd mark the certificate in your browser as belonging to your bank, and no other site could make the greeting look like your bank, because your browser wouldn't recognize the certificate (and it would therefore pop up message saying "This is an ecommerce site that you don't have an existing relationship with", instead of "This is your bank").

    4. Re:Phishing emails look legit by Thing+1 · · Score: 1
      I always right-click and "View Source". Generally, the legitimate-looking email addresses and links turn out to actually be a URL with numbers, i.e., .

      --
      I feel fantastic, and I'm still alive.
  8. Temporary e-mail by Dekortage · · Score: 4, Informative

    From the article: Among these were a proposal to improve Bayesian filter accuracy, a system for generating temporary e-mail addresses so that a person's preferred address doesn't have to be given out, spam filters based on adaptive neural networks, a new message-verification platform. (emphasis added)

    This is called "keyed e-mail". I have used a keyed email system from Zoemail in the past and it works very, very well for this purpose. There is some extra time required for managing the keys, but the idea works great for me. (and no I do not work for them... I just think the technology works.)

    --
    $nice = $webHosting + $domainNames + $sslCerts
    1. Re:Temporary e-mail by Dekortage · · Score: 1

      Oh... if you want to test out how a spammer might e-mail me, go ahead and e-mail me.

      --
      $nice = $webHosting + $domainNames + $sslCerts
    2. Re:Temporary e-mail by Anonymous Coward · · Score: 0

      https://sneakemail.com/ will also allows you to create "throwaway" email addresses.
      They have a free service, and a very inexpensive pay service (like $2/mo or something).

    3. Re:Temporary e-mail by Xshare · · Score: 1

      Now to DIY, this *is* Slashdot after all, get yourself a domain and some hosting (if you already have one, you're ahead of the curve). Then, create a catch-all that will forward anything@yourdomain.com to yourrealaddress@yourdomain.com . When you sign up for a new message board, mbname@yourdomain.com . For some mailing list, listname@yourdomain.com. Now, when you start getting spam to an email address, you'll see that it is to a certain address. If it's to listname, you know that mailing list has either sold your address or gotten it stolen, and you go into your hosting account create an alias for listname@yourdomain.com routing to :NULL:, or whatever your hosting provider suggests as a blackhole. Hope that helps!

  9. Charity Confusion? by ztransform · · Score: 1

    I guess one thing phishing sites get is accurate information. After all, if you're computer-savvy you might not enter information into the site. But if you're not, you're likely to enter correct information.

    Perhaps someone can create a charity web site, where you submit the URL of a phishing site, and then it goes and submits millions of randomly generated username/password combinations to the phishing site?

    Would be relatively simple to create, just web-scrape for the words /user(name)?/ and /pass(word)?/ and submit values accordingly.

    At least then the phishers won't altogether have a super simple ride.

    Perhaps a bunch of volunteers could run such a website for counter-attacking phishers.. at least until the feds shut each phisher down.

    1. Re:Charity Confusion? by The+Outbreak+Monkey · · Score: 1

      You mean like this one?

      http://www.phishfighting.com/

    2. Re:Charity Confusion? by cpeikert · · Score: 1

      Ask and ye shall receive:

      phishfighting.com

  10. Best Cure for Phishing by Anonymous Coward · · Score: 2, Insightful

    The cure for phishing is very simple - Don't use an email client that supports HTML in email. Read all emails as text only.

    This has the following advantages:

    1) There's no clicking on links - if you want to go to a referenced website, you have to think a little.
    2) Links to phishes are very obvious when you see the whole URL.
    3) Most Phishes sent as multipart alternative don't even have a
    phish attempt in the text-only part.

    In addition, because you're not loading any images referenced in HTML, the whole WebBug thing doesn't work.

    HTML in email was a terrible idea. It's time to stop.

  11. Phishing is no joke... by random_amber · · Score: 3, Insightful

    Especially if they catch you off guard. I consider myself as savvy as most on /. but even I've done double-takes on some of the better phishing schemes...esp when they catch me at a particularly hectic moment AND the email comes from some place I had been dealing with that very day.

    I've never fallen for one obviously, but just the fact I have to stop and check things out for Kosherability shows how insidious phishing has become. There is just no way someone like my wife who is just savvy enough to browse the web and read email could spot the difference (which is why i severely restrict her browsing/email habits, but not every newbie is so lucky to have the surf-nazi on their back!)

    There is a LOT of potential here for the unscrupulous. I don't even think phishing has even remotely reached its peak yet.

    Random_Amber

    1. Re:Phishing is no joke... by Thing+1 · · Score: 1
      Actually, a simple addition to the Bayesian filtering should defeat many, many phishing attempts.

      As I said in another post to this story, I generally right-click and "View Source" when I'm unsure. The presence of the numbers in the URLs, like "http://10.30.1.42/chase_login.html", give it away to me.

      So, the easy answer is that any time an email arrives which is in HTML format and has at least one link whose URL is numeric, then it should be flagged with "[PHISH]" (or "[SPAM - phishing attempt]", or something the user specifies).

      Another method would be to look for links whose displayed text looks like a URL, and the actual URL is different. This might get some false positives, but that's why I would look for a link that looks like a URL, not just "click here".

      --
      I feel fantastic, and I'm still alive.
  12. Web page of the conference by migarg · · Score: 1

    Web page of the conference

  13. Why not cryptographically authenticate e-mail? by fortinbras47 · · Score: 4, Informative
    The technology is there (PGP etc.. etc...) but as far as I can tell, hardly anyone besides comp security lists use it.

    If you visit a website and initiate an SSL session, the public-private key cryptography (along with the public root certificates imbedded in your browser) will verify that the website you're visiting is really who they say they are. (Or at least that Verisign thinks they are legit.)

    I don't see why companies don't make a similar effort to cryptographically authenticate their e-mail. People use PGP for security advisories etc......, but I don't understand why all e-mail coming from my bank, coming from Paypal etc... shouldn't be signed.

    If there was a portion of your e-mail window at the bottom right hand of your screen that said stuff like:
    "This is an authentic e-mail from BankOfBlanBlah signed on 3/31/06 at 3:52PM" or "This is an unsigned e-mail. It is possible that this e-mail is fraudulent." or "This e-mail has an incorrect signature. It is highly possible that its contents are fraudulent."

    My rough guess that e-mail authentication isn't done because (1) programmers are lazy and sending plain text is easier to program and (2) The way you do e-mail auth in e-mail clients is all different and a huge mess from a usability standpoint.

    It might put at least a dent in some of this phishing stuff if people expected all e-mail from e-bay, paypal, their bank, amazon etc... to be signed.

    1. Re:Why not cryptographically authenticate e-mail? by jonniesmokes · · Score: 2, Interesting

      Obviously, this is where email as a whole is headed. In fact all IP services should eventually be encrypted. The government won't like it because it'll be harder to eavesdrop, but its the only solution to the problem.

      I'm surprised that Microsoft didn't lead the pack with a feature in MS Outlook, and work directly with all the certificate issuers or even directly with the financial companies. But maybe they were under pressure from Washington, DC not to implement encrypted email. If they had done it, it'd be a pretty compelling feature. Redmond, are you listening? Google, are you working on this? Yahoo, want to steal my heart?

      The weak point is the mail client. Hotmail, gmail, and yahoo could be changed fairly simply, but getting everyone to configure their Thunderbird, Outlook and others would be a bit of work. In order to avoid spoofed financial identities, the best would be for all clients of financial institutions to have a financial public key they only give out to banks and such. That way even if you get an email from Ch4s3 B4nK, with a valid looking certificate, you aren't fooled into thinking you have done business with them. Because only the real Chase Bank would have your financial public key. There are still exploits and there will always be, but what we have right now is completely unprotected.

      Having a high fidelity database of public keys from your financial institutions would also accomplish the above, but its hard not to be fooled from a look-alike bank. I want to avoid relying too much on any certificate company's honesty. A semi-private financial public key would accomplish a lot - sort of like giving out a unique email to your bank so that they know to send you email only at that address - but its better when you can keep it secret.

    2. Re:Why not cryptographically authenticate e-mail? by Wesley+Felter · · Score: 1

      Most email clients support S/MIME, but there are several problems here. There are too many CAs, and it's too easy for bad guys to get a bogus (but mostly real-looking) cert. It's also somewhat difficult to make the signature chrome unspoofable.

    3. Re:Why not cryptographically authenticate e-mail? by vinn01 · · Score: 1

      You expect "normal" people to read a window at the bottom right hand of the screen?

      It would have to be 30 point font for most people. People don't even read pop-up messages, centered on the screen, that have to be closed by user action.

      Besides, the phishers would just add to their e-mail: ""This is not an unsigned e-mail. This e-mail is not fraudulent." "This e-mail has a correct signature. It is impossible that its contents are fraudulent."

      Which do you think users would read?

    4. Re:Why not cryptographically authenticate e-mail? by JesseMcDonald · · Score: 2, Insightful
      In order to avoid spoofed financial identities, the best would be for all clients of financial institutions to have a financial public key they only give out to banks and such. That way even if you get an email from Ch4s3 B4nK, with a valid looking certificate, you aren't fooled into thinking you have done business with them. Because only the real Chase Bank would have your financial public key.

      I think you're missing the point of having a public encryption key: it's supposed to be, you know, public. In other words, you assume that everyone has access to it. Treating it as a private key defeats the whole point of public-key encryption. Your system would require every user to have a separate public key for every financial institution, unless you're willing to risk allowing all of them to be compromised by a single security breach. In other words, N users and M banks would require N * M secret keys. Ordinary public-key systems, however, would only require one public/private key pair for each individual (N + M key pairs).

      What you need here is a local database of trusted public keys, one of which would be the one for Chase Bank (added from their (SSL) web site when you set up the account, for example). When you get an e-mail from "Ch4s3 B4nK", it will have a perfectly valid public key, but that key will not be trusted for authentication purposes because it isn't in the database (it will only ensure that the message was not altered during transit). This is exactly the way that GPG's "web of trust" system works, and it wouldn't be all that difficult (technically speaking) to make SSL certificates work the same way. All it needs is better integration with the various e-mail clients and web browsers.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
    5. Re:Why not cryptographically authenticate e-mail? by cotu · · Score: 1

      what a great idea! try http://www.dkim.org/ for more information
      on the best bet for getting a deployable protocol out there for
      authenticating email. It's currently going through IETF standarization,
      but the -allman-01 draft is stable and has multiple interoperable implementations
      including a sourceforge sendmail milter.

    6. Re:Why not cryptographically authenticate e-mail? by Jim+Fenton · · Score: 2, Interesting

      The biggest problem with the classic signature systems (e.g., PGP, S/MIME) is that they don't have quite the right key management model. Anyone can create a PGP key with any mail address they want, and sign messages. Similarly, anyone can get a certificate for an email address they have (perhaps an employer), but when they leave the company, does the certificate get revoked? No; the employer may not even know of its existence.

      Signature schemes designed for this purpose, like DKIM, are actually a signature from the domain owner, not the author. While the domain owner may delegate a signing key to an individual in certain cases, they retain the ability to revoke the key at any time.

    7. Re:Why not cryptographically authenticate e-mail? by grahammm · · Score: 1

      And it does not help that many financial institutions use third parties for mailshots. Even having the institutions always send email from their own domains and using SPF and DKIM would help. I know that not many mail (receiver) programs check these but if the financial institutions started using them for outgoing mail then I am sure that this would accelerate the implementation in user mailers.

    8. Re:Why not cryptographically authenticate e-mail? by grahammm · · Score: 2, Interesting

      Yet the banks and other institutions could send their key signature/digest, by snail mail, as part of the account opening process. Or even have it either on display or available on CD from the branches. That way the user could be confident of the key used to sign the email.

    9. Re:Why not cryptographically authenticate e-mail? by jonniesmokes · · Score: 1

      The hard part becomes the local database of keys/CERTS. You say you should trust some SSL website to add the key - something a spoofed email or malicious link might accomplish easily. I say, have a 'public' key thats meant for just the bank. In this case, your're right its not really all that public. However, its still serves a functional purpose of encrypting and validating the email. I'm dubious of systems that rely on CERT authorities or webs of trust (not that I don't think they're useful). I like systems that just rely on a person giving the bank a unique key to talk back with. If you get a bogus email using said unique key, you also know who's been compromised. Having N*M keys doesn't seem like such a difficult problem to overcome if it really gives you better security (each user only has M keys, not N*M). Financial institutions routinely ask me for my social security number to make sure that its me over the phone. I feel I should be able to ask them for a number when they talk to me to make sure they are who they say they are. Using a single financial key or multiple is simply a matter of preference on how secure you want to be.

      The hard part always comes back to a local database. In your system, there's a local database of trusted banks; and in my system there's a local database of unique keys that you sent out to your trusted banks (M banks, so M local pieces of data at most). Whenever you have this kind of local storage there are problems for software clients - ie. how do I validate my mail from both work and home? Do I have to carry a flash card with the CERTS/keys?

      Regardless of the best solution, wouldn't it be great if we could move forward on this issue somehow. We're still using circa 1982 email technology. What's stopping adoption of newer validation technologies?

    10. Re:Why not cryptographically authenticate e-mail? by JesseMcDonald · · Score: 1

      There's just as much trouble ensuring that you gave your "secure" public key to the right recipient at there is ensuring that you've just added the correct public key to the local database. With the public-key system you can at least check that the key they gave you matches the one in someone else's database; you can't do that with a random key you just generated. Furthermore, the truly paranoid can get the bank's public key from the bank in person; there's no need to rely on the security of their web site. The remote-access issues are the same for either system, and can be solved by using a secure (signed) communications channel to transfer the public keys from home to work or visa-versa. If the keys are actually secret (your system) you'd need to encrypt the channel as well, of course. It is assumed that you trust the system you're using the keys on, whether that system is at home or at work.

      I agree that we need to move forward. The thing is, there isn't really an incentive for the average person to change yet. Most consumers see identity theft as a rare inconvenience, not a present danger. The tools needed to end ID theft have existed since the beginning, but banks shield their customers from the effects of identity theft, while simultaneously pushing most of the costs back onto the retailers by refusing to honor the fraudulent payments. As a result there is little incentive amongst either consumers or banks to fix the system.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
  14. Fear is more effective the greed by imkonen · · Score: 3, Interesting

    I've gotten a few phishing emails, and man...when they guess a bank/credit card I actually use, my heart just jumps. I mean...I'm aware of phishing, and I know how to safely confirm whether the email is legit or not if I can't tell by looking at it, but there's always that second or two of real panic when I read the part about "problem with my account" and worry that it could be real. Spam I can safely ignore: even if some spam offers are legitamately good deals, they're still mostly just trying to sell me things I don't need to buy. I can safely ignore a regular spam and not worry I'm going to regret it later. But I can't do that if the message says my bank account has a problem. I have to deal with it right then and there...even if dealing with it just means proving to myself the email is bogus. So putting myself in the shoes of a less internet savy type who may not have heard of "phishing", I'm not the least bit surprised phishing emails get more hits.

    1. Re:Fear is more effective the greed by arminw · · Score: 1

      .......But I can't do that if the message says my bank account has a problem.......

      I'd lay the blame with the banks and other financial institutions for sending out e-mail with links embedded. My banks do not send out e-mails, but send a message when I log in to my accounts. An e-mail from a bank could also be a plain text message with NO links that instructs the customer to log in to their account if there REALLY is a problem. Asking a customer to type a link into the browser or using the bank's bookmark is a small price to pay for safety from phishers. If ALL banks would abide by this simple rule, these crooks would be thwarted. Maybe there should be a law that prohibits businesses from e-mailing log-in links to their customers, although the banks should not need to be forced by such a law. A short text link that the user actually has to TYPE into the browser should be OK.

      --
      All theory is gray
  15. Worst part about phishing... by Mr.+Underbridge · · Score: 1
    ...is my idiot coworkers who get a phishing email and are barely savvy enough to recognize it for what it is. These people seem to think 1) these emails make the rounds like viruses, and 2) no one else will figure it out. So when one of these idiots gets a phish, I get an email like

    DON'T CLICK ON BANK OF AMERICA EMAIL! ITS A SCAM!!!!

    because the moron sent their warning out to the entire company. It's like an idiot test.

    1. Re:Worst part about phishing... by T-Ranger · · Score: 1

      I guess people like that are the reason why I will never be the CTO of a large corporation. Within 5 minutes of some asshat sending out a message like that, I would be at their desk, with security: "You have to leave the building now. You no longer work here. No, it would seem that it is impossible for me to explain it to you".

  16. We simply aren't doing enough to stop phishing by StevenMaurer · · Score: 4, Insightful
    Sure, phishers are more clever than spammers. There's more money involved, so it attracts organized crime. Still, there are some pretty basic things both Mozilla Thunderbird and MS could do to combat the problem:
    1. Bring up a warning dialog whenever you click on an email link whose body goes to a different domain than the text.
    2. Make that warning dialog in large RED LETTERS talking about the likelihood that it is a SCAM - if the referenced text is formatted like a hyperlink and points to a different address
    3. Hardcode in the top 100 sites subject to phishing, with a comparative of the hypertext links to known addresses. References to the site name in the text will cause the email client to check all embedded hyperlinks against their official published versions
    4. Set up a cooperative site for email clients that have direct internet access to automatically check against w/o hardcoding.

    Phishing is easier than spam to combat because it is constrained by the requirement to look authentic. And that can be used to virtually eliminate it.
  17. Companies could do more to prevent phishing by lorcha · · Score: 5, Insightful
    You have to admit that the companies themselves are making it as difficult as possible to spot phishing. For instance, look at the Citibank valid list of URLs:

    1. web.da-us.citibank.com
    2. www.citi.com
    3. www.citibank.com
    4. www.myciti.com
    5. www.citibankonline.com
    6. www.citibank.com/us/cards
    7. www.accountonline.com
    8. www.citicards.com
    9. www.thankyouredemptions.com
    10. www.studentloan.com
    11. studentloan.citibank.com
    12. citibusinessonline.di-us.citibank.com
    13. citibusinessonline.com
    14. citibusiness.com
    15. www.citimortgage.com
    16. www2.citimortgage.com
    17. www.smithbarney.com
    18. www.benefitaccess.com

    Well, excuse me if I can't keep all your fscking domains straight, Citibank! How am I supposed to spot a phishing attack when you have 18 URLs on your list of valid ones? I think you could do a lot to help folks spot phishing emails if you would restrict yourself to your citibank.com domain. Then folks could remember, "You want citibank? Go to citibank.com."

    --
    "Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
    1. Re:Companies could do more to prevent phishing by Beryllium+Sphere(tm) · · Score: 1

      And not including citibank-visa.com, citibank-security.com, citisecurity.com, all of which a scammer could get an SSL certificate for.

    2. Re:Companies could do more to prevent phishing by AME · · Score: 1
      To be fair, five of the eighteen domains that you listed are, in fact, citibank.com:

      1. web.da-us.citibank.com
      2. www.citibank.com
      3. www.citibank.com/us/cards
      4. studentloan.citibank.com
      5. citibusinessonline.di-us.citibank.com

      While it may be true that CitiBank has too many domains, you don't help your own argument much by exagerating your evidence.

      --
      "I have a good idea why it's hard to verify programs. They're usually wrong." --Manuel Blum, FOCS 94
  18. SmokedSalmon by SashaM · · Score: 1

    Again, I shall plug my own anti-phishing Firefox extension: http://www.maryanovsky.com/sasha/smokedsalmon/.

    It currently does the following:

    • The host's originating country is displayed as a flag in the address bar.
    • The hostname is displayed clearly in a monospaced font.
    • On known phishing websites show, the hostname is blinking red.
    • On known good websites (paypal.com etc.), the hostname is green.
    • Users can report phishing.

    It's not particularly useful at the moment though, because the database is empty :-)

  19. Newsflash: people are stupid by mabu · · Score: 2, Interesting

    The phishing scam works because people are stupid. There is no amount of technology you can employ to save an idiot from himself. This is the sad reality.

    The best way to deal with this is to promote a healthy dose of cynacism amongst the populace.

    Well, another way is to force ISPs to filter port 25 traffic on broadband and eliminate the value of zombie PCs being part of the scam network.

    1. Re:Newsflash: people are stupid by peektwice · · Score: 1

      Let the problem take care of itself. Screw protecting stupid people from themselves. If some freaking soccer mom clicks a link that tells her to put in the number for her already maxxed out credit card, no angel is gonna lose her wings.
      But I wholeheartedly agree with your assessment of human intelligence. People are stupid. Like sheep. Dumber than a box of hammers.

      --
      Other than this text, there is no discernible information contained in this sig.
  20. Publish Phisherman's web site name and email adrs by MrLinuxHead · · Score: 1

    I just got the third in a week. First two were from the same Phisherman posing as an eBay buyer (precisionlaptops4u).
    Got another yesterday posing as a paypal email.
    To try to expose these clowns, I do a reverse DNS lookup, a WHOIS lookup, and Google on key words, and publish the results on my Blog. http://mrlinuxhead.blogspot.com/
    The IP address, port scans, who the domain owner is, the street address, email address and phone numbers, whatever I can find out about them I publish for the local authorities to deal with.
    Even if the web server administrator is blameless, they will get enough attention to take action. One common infection I have notice across all of the servers is a W32.MyDoom infection. Anyone else see that?

    --
    I may be bad with names, but I'll never forget your IP address
  21. Banks/EBay/Paypal not even using SPF/DKIM by billstewart · · Score: 1
    Sure, phishers can try sending mail from mycitibank.com and c1t1bank.com, and occasional suckers will fall for it, and the general public doesn't understand digital signatures well enough for those to help. But most of the major phishing targets, such as banks, eBay, Paypal, eGold, etc. aren't even doing simple passive stuff like advertising SPF for their domains so your spam filter can at least discard the emails claiming to be from citibank.com at random zombie IP addresses.

    Aside from the email-protection activities, what the banks, paypal, etc. also ought to be doing are active poisoning attacks on phishers - when somebody gets an obvious phish from examplebank.phishersite.com and forwards, Examplebank ought to click on the links in the mail, put in a fake credit card number, and then nail anybody who tries to use the card. Once phishers start getting 99% of their phished credit card numbers being invalid and 1% leading to successful prosecutions, there'll be a lot less phishing. It won't kill it all, but if you get rid of the low-hanging fruit, you can at least cut back on a lot of the spam and discourage the dumber half of the phishing business.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  22. My first phishing experience... by antdude · · Score: 2, Interesting

    It was related to my Yahoo! account. It was like 3:30 AM in the morning and I was half asleep. A friend of mine IM'ed me to check out his Web site. It took me to some Yahoo! looking site. Stupid me wasn't paying attention to the URL and stuff. It required me to log in like Yahoo! always does. So I did and it didn't work. I tried again. Then, I got disconnected from Yahoo! Messenger. I couldn't log back in. At first, I thought it was just a mainteance time.

    In the day time, I tried to connect, but failed. Then, it hit me. I got TRICKED! Damn social engineering. I also found out my other friends got the same IMs from my friend and me. Damn phishers.

    So pay attention even if you're super tired. They're getting you at your weakness! Good thing this account was only for IM and Launch.com.

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  23. Worse when the Login ID is Your SSN - Thanks Army! by schwit1 · · Score: 1
    The Army's civilian job site REQUIRES you provide your SSN and REQUIRES it as the login ID.

    https://cpolst.belvoir.army.mil/public/resumebuild er/builder/Logon

  24. usability: must work like ssh by r00t · · Score: 1

    When I ssh to an unknown host, I get a minor warning. (could be a typo) When I ssh to a supposedly known host and get a crypto response that doesn't match up with the past, I get a major warning. I don't have to screw around with keys. The server admin doesn't have to screw around with a certificate authority.

    Porting this to the email protocols...

    When somebody emails me, the headers should include both a signature and their public key. At first it means nothing. If they email me again with the same public key and a good signature, I see a green check mark next to the email. If I get an email claiming to be from them but with a wrong or missing signature, then I get a warning that there might be a forgery or that they just got a different account. Once I verify the truth (make them pass a Turing test), I'll know what to do.

    The bigger problem is that infected Windows boxes are untrustworthy. They'll sign phishing spams! This is where lots of neat security ideas break down. Spam is coming from your friends and family members. Spam comes from your boss. Spam comes from your customers and suppliers. Spam can be signed as well as any other email coming from those systems.

  25. Why not just arrest people? by Anonymous Coward · · Score: 0

    Phishing is fraud, the consequences of it are severely negative for individuals victimized and for the web of trust on which society depends, and the penalty for it should be about 1000 years in jail.

    Why is this not a high priority of the FBI, Interpol, etc.? Does anyone really believe they couldn't catch some of these bastards if some resources weren't applied to the task?