A Tour of the Google Blacklist

WienerPizza writes "Michael Sutton takes us on a tour of the Google blacklist, a list of suspected phishing sites. He finds that eBay, PayPal and Bank of America combined account for 63% of the active phishing sites. Amusingly, he also reveals that Yahoo! has a nasty habit of hosting phishing sites that harvest — you guessed it — Yahoo! credentials!"

But it's not a problem

[syousef]

Try telling Ebay or Paypal that there's a problem. All they do is flood you with propaganda about how they're keeping you safe.

After a bad experience I closed my Paypal account and only use Ebay for small purchases.

Re:But it's not a problem

[AoT]

PayPal is annoying.I can't start a new account with them because I never verified my old account which was connected to a bank account I no longer have. Not that I really want to, I wouldn't trust those guys any further than I could throw them.

Re:But it's not a problem

[Jonnty]

Or define the type of scam you're trying to report. (Scroll down, it's in black, indented courier.)

Re:But it's not a problem

[mhokie]

Grace: Well, with your bad knee Ed, you shouldn't throw anybody... Its true.

Question do Sys Admins

[pembo13]

Do any of you guys actively block IPs and IP blocks of phishing sites? And also those "fake domains" which just have search results? If so, how is that working out?

Re:Question do Sys Admins

[pestilence669]

OpenDNS will do phishing detection for you. Not only that, it'll correct common typos and speedup name resolution on your entire network. Oh yeah, it's also free, but it won't block those annoying fake search pages.

http://opendns.com/

Re:Question do Sys Admins

[GigsVT]

Yeah, because DNS is something that you should obviously trust a single company about!

Who need that old DNS system with the robust infrastructure, when we can have ads pushed on us for every domain we mistype and alongside our search results!

Someone call Verisign and tell them to fire sitefinder back up, these guys need some competition!

Re:Question do Sys Admins

[mr_Spook]

Sadly, OpenDNS will give you its own fake/crappy search page when you type something wrong. That alone was cause enough for me to stop using it.

Re:Question do Sys Admins

[speculatrix]

opendns is a copycat of the verisign adware dns trick... it's hoping to achieve success by relying on the many ISPs who are clueless when it comes to running effective dns resolvers.

Re:Question do Sys Admins

[Arimus]

You turn it off if you have a static ip address...

So...

[NightWulf]

That guy on eBay who told me to use my Bank of America account to send money to Paypal all through his link may not have been legit?

Re:So...

[The+Zon]

You know that guy too? Don't worry, I'm pretty sure he's legit. I just used his service to order some chemicals to clean the dye off of a suitcase full of money I'm splitting with an exiled doctor from Nigeria. Can you believe it? This doctor contacted me right out of the blue, and all I needed was a U.S. bank account and a sympathetic heart. And, except for the chemicals, this is all at no cost to me! I can't believe such a great proposition initially got filtered to my spam folder!

This one made me cry a little inside

[Rude+Turnip]

Here is one of the last entries on the Google blacklist:

+http://zeta-os.com/astats/bankofamerica/......... ..

For those not in the know, Zeta-os.com is/was the successor developer to YellowTab, which was developing a new operating system based on the old BeOS code. Now, zeta-os.com (or at least a part of it) has been reduced to a phishing site. *sigh*

Re:This one made me cry a little inside

[jasonwc]

I just loaded http://zeta-os.com/astats/bankofamerica/ on Firefox 2.0.0.1 using Firefox's built-in phishing detector using Google to provide the blacklist ["Check by asking Google about each site I visit" option]. It loaded the site just fine, without any warning.

Re:This one made me cry a little inside

[Rude+Turnip]

That's because I truncated the full URL. You have to follow the link in the article to get the whole thing.

Oh, and thanks for modding my little emotional episode as funny, you bastards.

Re:This one made me cry a little inside

[AndrewNeo]

I once got mail pointing to a phishing page on a school's website. Never know where those things are going to pop up..

Google's not keeping up

[Jonnty]

Judging by the huge proportion of the blacklisted sites that are offline (and the tiny fraction that are actually phishing sites) it seems Google isn't taking this seriously enough. There is much, much more than 341 phishing sites in the world. This list should be being updated daily, they should start a way for suggesting sites or, if it exists, make it more visible.

For the only external blacklisting organisation on Firefox, and as the provider for possibly the most widely used toolbar ever, they're not taking this seriously enough. But would any security company come in with a better free blacklist?

Re:Google's not keeping up

[GigsVT]

They don't have to do this at all.

Any way to suggest sites would be gamed and abused. There are thousands of people in the "search engine optimization" "industry" that are total sleeze.

Re:Google's not keeping up

[Ravadill]

In the comments section it's mentioned that the Encoded/Hashed blacklist is larger and more frequently updated than the plain text one.
I assume to prevent phishers using a live plain text list to know when they have been found.

Re:Google's not keeping up

[Tim+C]

That's simple to abuse. If there really is a human sat there reviewing submitted URLs, then you just DoS it, by flooding it with far more submissions than it's possible to review.

If it's an automatic, "X hits and you're blacklisted" type system, then zombie PC networks will be submitting URLs and getting legitimate sites blacklisted - sure, you probably won't be able to do that to a large, well known site, but there are millions of sites that would be vulnerable.

It's a nice idea, but I personally think that a world in which such a system would actually be practicable wouldn't need it in the first place. In ours, I just don't see it working; too easy to abuse, and too many people with an interest in abusing it (before we even get to the bored ne'er-do-wells)

Re:Google's not keeping up

[simstick]

I use the phishtank plugin for firefox. And when I have a minute I jump on and rate some submitted phishes. One thing I disagree on is if a site is offline already people vote it as a not phish. I say if they are trying they need to be rated bad to build a history.

Here is a site that has a lot of IPs

[VGfort]

Banned IP Address - a lot of them are spammers or fake bots that will look around your website and fill your forms in the attempt to spam you or your forums/blog or whatever else you might have

Pollute the phishing sites

[thewils]

Go there and put in false information. Make it harder for them to get valid data.

Re:Pollute the phishing sites

[speculatrix]

mod parent up!

I do this when I have time... ensure you use what look like valid entries for bank a/c and pin values.

I also enter things like "f**k you spammer" into the name fields, so that when they go through to test the captured data, they get to see my opinion of them (yeah, relatively useless I know, but I get tiny twinge of pleasure at the thought)

Re:Pollute the phishing sites

[mindriot]

Well, I wouldn't write "f**k you spammer" or anything like that, it makes your entries distinguishable. If you want to ensure having a correct credit card number (except for the CVV code, bug the phisher couldn't verify those directly anyway), you could use something like this quick dirty hack I wrote up a few months ago to spam a phishing site using simple wget queries. To read up on the format of valid credit card numbers, see for instance this article on the anatomy of credit card numbers. The following code worked for me to create numbers that were accepted by a phishing site I spammed:

my $cc = substr("000000" . int(rand(1000000)), -6); # Any format

# Add 9 digits for the account number
$cc .= int(rand(900000000))+100000000;

# Check digit: Luhn Code
my $checknum = 0;
for (my $j = 0; $j < length($cc); $j++) {
my $val = substr($cc, $j, 1);
if ($j % 2 == 0) {
# These will be doubled
my $v = 2*$val;
$v -= 9 if ($v > 9);
$checknum += $v;
} else {
# These will just be added normally
$checknum += $val;
}
}
# The last digit should add up to a multiple of 10
$cc .= ($checknum%10 != 0)?(10-($checknum%10)):'0';

# Output an expiration date (arbitrary, 2007..2015)
my $month = int(rand(12))+1;
my $year = qw(2007 2008 2009 2010 2011 2012 2013 2014 2015)[int(rand(9))];

# Random CVV2 code
my $cvv = substr("000" . int(rand(1000)), -3);

Check out the whitelist

[tecker]

Either Google is really paranoid or they have yet to find a site to put on the whitelist that was linked to.

See for yourself what I mean Nothing there.

What?

[8ball629]

I tried signing into one of the listed Geocities site and nothing happened... what gives?

You mean to tell me this is not a legit Yahoo Photos gateway?!

Good help for fishing actually ...

[perenaurel]

from: a post on full-disclosure:

I just played around a bit with those lists and as it seems,
Google did a splendid job, even capturing some people's login data.
Like here:
http://sb.google.com/safebrowsing/update?version=g oog-black-url:1:7753

Regards,
J.M.
Professional Lurker

Google have fixed this link now but that was funny, most of the logins/passwords were for gmail accounts...

Good Experience with Paypal

[drewzhrodague]

Am I the only one that has had a good experience with Paypal? I mean, yah normal banks can handle a deposited check, but they also charge a monthly fee. Paypal OTOH cuts me a check for *interest*, and that is ontop of the 1.5% cash back they offer. I can sell junk on EBay, and take my PayPal card right to the liquor store. That's the best banking scenario I can imagine!

Re:Good Experience with Paypal

[HistoricPrizm]

Dun Malg said:

Most banks require a minimum balance before they waive the monthly service fee. In my experience, it's just a matter of finding the right bank that has a relationship with someone you also have a relationship with. I get offers for free checking (no minimum balance requirements) through my alumni associations (undergrad and graduate), my wife's employer, my employer, even through the fact that my father-in-law is retired military. Dun Malg also said:

This is one of the many ways they soak the poor. I don't really think that is a fair portrayal of the situation. Banks charge fees for accounts that don't keep high balances because they don't make money on them. Banks are not charitable organizations, they are in business to make money.

Re:Good Experience with Paypal

[scottv67]

Most banks require a minimum balance before they waive the monthly service fee.
In my experience, it's just a matter of finding the right bank that has a relationship with someone you also have a relationship with. I get offers for free checking (no minimum balance requirements) through my alumni associations (undergrad and graduate), my wife's employer, my employer, even through the fact that my father-in-law is retired military. Dun Malg also said:

This is one of the many ways they soak the poor.
I don't really think that is a fair portrayal of the situation. Banks charge fees for accounts that don't keep high balances because they don't make money on them. Banks are not charitable organizations, they are in business to make money.

Excellent advice on how to locate the "free checking" offers. I have a couple of additional tips:
1) Direct deposit. If your paycheck goes directly to your financial institution, you may be eligible for free checking.
2) Skip the "bank" and check-out a local credit union. As the parent poster said about banks, "they are in business to make money". While banks treat their customers like cattle that can be slowly tapped for blood, credit unions treat their customers like...people. I haven't had an account at a "bank" for fifteen years. I am a very happy credit union member.

Re:Good Experience with Paypal

[DerekLyons]

Am I the only one that has had a good experience with Paypal?

No, you aren't. Like any service - from Slashdot to your local quick-e-mart, Paypal has unsatisfied users. Those unsatisfied with Paypal however are *extremely* vocal.

(a) Known for years and (b) not just Yahoo

[Arrogant-Bastard]

A. This problem has been discussed in depth on various
anti-spam mailng lists and newsgroups for many years.
This long-standing problem has been steadfastly ignored
by Yahoo, who went so far as to dismiss the key people
on their own abuse staff when they tried to address it.

As a consequence, it's now a better-than-even bet
that any site hosted by Yahoo belongs to a spammer,
phisher, spyware injector, child pornographer, scammer
or other lowlife. My own meager list of Yahoo-hosted
dropboxes for such stands at 26,831 this morning and
those are just the ones that brought themselves to
my attention, i.e. I'm passively noting them and not
actively searching them out.

As a result, Yahoo is one of the biggest spam-sending
and spam-supporting operations on the entire Internet.
(Oh, and Geocities is now completely infested. Rejecting
all inbound mail [except anti-spam discussions] that contains
a Geocities URL is a surprising effective tactic.)

B. They're not alone. For instance, MSN BCentral should
be renamed MSN SpamCentral -- it's just as bad. And Hotmail
cheerfully hosts spammer dropboxes by the tens of thousands.

There are others, but what makes these two particularly
annoying is that they make a public show of being anti-spam
by promoting snake-oil like SenderID and DomainKeys, both
of which are worthless. (If it isn't obvious why, then think
about the hundreds of millions of zombies -- hijacked Windows
systems -- out there and consider that their new masters
have possession of all email credentials belonging to their
former owners -- from POP passwords to PGP keys. It is not
possible to solve the forgery problem -- for any useful
definition of "solve" -- without solving this problem first.
Good luck. This same thing applies to SPF and variants, by
the way, all of which are complete failures.)

Another thing that distinguishes them is the absolutely
irresponsible, totally clueless way in which abuse reports
are handled. Most seem to disappear into black holes. The
majority of the rest are returned with semi-literate denials
that the abuse has any connection with their operation -- even
when their own IP address are clearly the source. If you'd
like to browse a huge number of examples of this, go to
Usenet's news.admin.net-abuse.email and search for
"Yahoo clueless" or "Hotmail clueless". Make coffee first.

The bottom line is that both of these services are huge abuse
magnets and have been for years, so I find it curious that
yet another report of the same old thing is deemed noteworthy.

www.microsoft.com, www.msn.com ...

[peter303]

Hmm, looks suspicious to me.

yahoo phishing site

[TheCybernator]

i went to mail.yahoo.com and they asked my name and password. i am smart and i fooled them by giving my gmail password.

Linking to original site

[aegl]

"The pages are generally exact replicas of the original web page and generally pull graphics (*.jpg, *.gif, etc.) from the legitimate web site."

The owners of the original sites should regularly rename the real image files, and replace the old files with images that would help inform the potential victim that they were on a scam site.

Next step is that the phishers no longer link to the image files, but copy them instead ... but this gives the real site owner another legal tool (copyright infringement) to shut down the phishing site plus a clear legal path to extract money from the phisher.