Slashdot Mirror


FBI Cracks "Largest Phishing Case Ever"

nk497 writes "The FBI and Egyptian authorities have arrested 100 people in what they're calling 'the largest international phishing case ever conducted' as part of a wide-scale investigation called Operation Phish Phry. The criminals used phishing to get access to hundreds of bank accounts, stealing $1.5 million. 'This international phishing ring had a significant impact on two banks and caused huge headaches for hundreds, perhaps thousands of bank customers,' said Acting US Attorney George S. Cardona."

132 comments

  1. That was fast by Bob_Who · · Score: 5, Funny

    ....talk about damage control!

    1. Re:That was fast by erroneus · · Score: 2, Insightful

      I think it goes to show what being personally involved and affected can do to job performance at the FBI. The previous story talks about why the FBI head guy doesn't do online banking... he was almost fooled by this sort of scammer. Suddenly they apply the weight of their position against the problem and come up with results.

      So when it comes to the many, many things that aren't being accomplished, I have to wonder if it's because they don't care.

    2. Re:That was fast by A.+B3ttik · · Score: 5, Funny

      Let's set up our e-mail accounts to forward all Spam to the head of the FBI. If this story is any indication, it shouldn't take more than 45 minutes to get rid of the problem.

    3. Re:That was fast by Jurily · · Score: 5, Insightful

      Your post advocates a

      ( ) technical ( ) legislative ( ) market-based (X) vigilante

      approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

      ( ) Spammers can easily use it to harvest email addresses
      ( ) Mailing lists and other legitimate email uses would be affected
      ( ) No one will be able to find the guy or collect the money
      ( ) It is defenseless against brute force attacks
      ( ) It will stop spam for two weeks and then we'll be stuck with it
      ( ) Users of email will not put up with it
      ( ) Microsoft will not put up with it
      (X) The police will not put up with it
      ( ) Requires too much cooperation from spammers
      ( ) Requires immediate total cooperation from everybody at once
      ( ) Many email users cannot afford to lose business or alienate potential employers
      ( ) Spammers don't care about invalid addresses in their lists
      ( ) Anyone could anonymously destroy anyone else's career or business

      Specifically, your plan fails to account for

      ( ) Laws expressly prohibiting it
      ( ) Lack of centrally controlling authority for email
      ( ) Open relays in foreign countries
      ( ) Ease of searching tiny alphanumeric address space of all email addresses
      ( ) Asshats
      ( ) Jurisdictional problems
      ( ) Unpopularity of weird new taxes
      ( ) Public reluctance to accept weird new forms of money
      ( ) Huge existing software investment in SMTP
      ( ) Susceptibility of protocols other than SMTP to attack
      ( ) Willingness of users to install OS patches received by email
      (X) Armies of worm riddled broadband-connected Windows boxes
      ( ) Eternal arms race involved in all filtering approaches
      ( ) Extreme profitability of spam
      (X) Joe jobs and/or identity theft
      ( ) Technically illiterate politicians
      ( ) Extreme stupidity on the part of people who do business with spammers
      ( ) Dishonesty on the part of spammers themselves
      (X) Bandwidth costs that are unaffected by client filtering
      ( ) Outlook

      and the following philosophical objections may also apply:

      ( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
      ( ) Any scheme based on opt-out is unacceptable
      ( ) SMTP headers should not be the subject of legislation
      ( ) Blacklists suck
      ( ) Whitelists suck
      ( ) We should be able to talk about Viagra without being censored
      ( ) Countermeasures should not involve wire fraud or credit card fraud
      (X) Countermeasures should not involve sabotage of public networks
      ( ) Countermeasures must work if phased in gradually
      ( ) Sending email should be free
      ( ) Why should we have to trust you and your servers?
      ( ) Incompatibility with open source or open source licenses
      (X) Feel-good measures do nothing to solve the problem
      ( ) Temporary/one-time email addresses are cumbersome
      (X) I don't want the government reading my email
      ( ) Killing them that way is not slow and painful enough

      Furthermore, this is what I think about you:

      (X) Sorry dude, but I don't think it would work.
      ( ) This is a stupid idea, and you're a stupid person for suggesting it.
      ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

    4. Re:That was fast by Anonymous Coward · · Score: 2, Insightful

      You have a lot of time on your hands, don't you?

    5. Re:That was fast by justinlee37 · · Score: 5, Insightful

      If you had read the article, you'd notice that the FBI have been working on this particular case since 2007. The story about Mueller nearly falling for a phishing scam is from 2009. I don't think the two events have anything to do with each other.

    6. Re:That was fast by xonar · · Score: 4, Funny

      You must be new here

    7. Re:That was fast by commodore64_love · · Score: 0

      >>>I think it goes to show what being personally involved and affected can do to job performance at the [government]

      You think it's coincidence that the roads leading into and out of D.C. are the smoothest in the whole nation? People in power fix what affects them directly, give a passing notice when constituents complain, and ignore all else. (Which is a good argument for why power & politicians should be concentrated *at home*, rather than 2000 miles away in some central capital.)

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    8. Re:That was fast by Coren22 · · Score: 2, Informative

      You're joking right? I can't say I would call them exactly smooth, though they do get repaired on a regular basis.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    9. Re:That was fast by Antiocheian · · Score: 3, Informative

      But "here" was new as well (actually non existing) when these forms first appeared on the Usenet.

      This particular form is quite right and not just funny.

      There are others, especially of flamebaiting nature, which are really creative.

    10. Re:That was fast by xonar · · Score: 1

      Indubitably

    11. Re:That was fast by Anonymous Coward · · Score: 0

      Haha, that's been copied to different topics for ages; he didn't just write it up himself. Besides, this is /.; none of us really work, we just edit wikis and rate boobs while our pet monkeys move papers from the in to the out box for us.

    12. Re:That was fast by Anonymous Coward · · Score: 0

      Doesn't take much time to copy and paste...

    13. Re:That was fast by justthinkit · · Score: 1

      The counterpoint to this is that "the cobbler's children have no shoes". In this case, the Washington big boys could care less about local roads while they are trying to bring back billion contracts to their home states.

      --
      I come here for the love
    14. Re:That was fast by commodore64_love · · Score: 1

      Perhaps it's because you've never driven anywhere else? DC's I-95, I-295, I-66, and I-270 are like glass compared to the terrible pothole-ridden interstates leading into or out-of Philadelphia, New York, Boston, Chicago, Seattle.

      And the absolute worst interstate I've ever driven was I-40 through Oklahoma City which feels like your car's going to shake to pieces. The highways/interstates leaving D.C. truly are the best in the whole nation, because that's the center of power and Congressmen would not stand for poor quality roads ruining their cars' suspensions.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    15. Re:That was fast by Anonymous Coward · · Score: 0

      You have obviously never actually driven around the DC area before. The roads are not that smooth. And why would a politician from out of state care about the roads in DC? They are all too busy trying to get pork barrel projects approved for their home states. They don't give a rat's ass about DC or its roads.

    16. Re:That was fast by ais523 · · Score: 1

      ( ) Asshats

      There must be something wrong with you: I've never seen one of these forms before where "Asshats" wasn't ticked.

      --
      (1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
    17. Re:That was fast by Anonymous Coward · · Score: 0

      Mmmmm, I smell delicious CopyPasta!

    18. Re:That was fast by Crazy+Taco · · Score: 1

      Is there a known online repository of other forms similar to this somewhere?

      --
      Beware of bugs in the above code; I have only proved it correct, not tried it.
    19. Re:That was fast by Em+Emalb · · Score: 1

      You're wrong on this one.

      I can easily think of 3 states off the top of my head with better roads: California, Colorado, and Texas.

      DC highways are not bad, but if you haven't been here in a few years, you might wanna go take a run around the 495 loop and tell me how smooth those highways are.

      (Never mind the constant lane closures for "construction".)

      --
      Sent from your iPad.
    20. Re:That was fast by Anonymous Coward · · Score: 0

      usenet

    21. Re:That was fast by Anonymous Coward · · Score: 1, Insightful

      If you had read the article, you'd notice that the FBI have been working on this particular case since 2007. The story about Mueller nearly falling for a phishing scam is from 2009. I don't think the two events have anything to do with each other.

      100 people stole $1.5 million over the course of two years. That's about $7500 per person per year. Phishing doesn't seem to be a very lucrative profession.

    22. Re:That was fast by interkin3tic · · Score: 1

      Dear sir or madam,

      Your post

      (x)woosh'd
      (x)intentionally woosh'd
      ( )runs linux
      (x)was copy pasted with a few X filled in
      (x)was funny
      ( )???
      ( )profit

    23. Re:That was fast by Coren22 · · Score: 1

      I would mainly point out where all those cities you mentioned are...they are north of here, therefore they get more snow. I have driven from MD to Mass, and can say the roads are all about equal, I should actually be driving that trip next week, so I will reassess the roads on this trip. I would however say that the roads to the south of DC should be in much better repair as there is no seasonal frost destroying them, but as I drive and enjoy half the roads mentioned on a daily basis, I will agree that they are repaired rather quickly when damaged.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    24. Re:That was fast by commodore64_love · · Score: 1

      >>>I think it goes to show what being personally involved and affected can do to job performance at the [government]

      Fixed.

      You think it's coincidence that the roads leading into and out of D.C. are the smoothest in the whole nation? People in power fix what affects them directly, give a passing notice when constituents complain, and ignore all else. (Which is a good argument for why power & politicians should be concentrated *at home*, rather than 2000 miles away in some central capital.)

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
  2. Hmmm. by Flowstone · · Score: 2, Funny

    Always been more of a sushi guy myself, guess I'll have to wait for operation bonzai.

  3. Is this related to the next story? by ubrgeek · · Score: 2, Interesting

    The one about "Why the FBI Director Doesn't Bank Online"?

    --
    Bark less. Wag more.
    1. Re:Is this related to the next story? by olsmeister · · Score: 3, Insightful

      I guess when the big dog nearly falls for the scam himself, resources magically get devoted to the case.

    2. Re:Is this related to the next story? by jacktherobot · · Score: 1

      The moral of the story is that we can eliminate all spam and phishing by signing Robert Mueller up on every spam list we can find.

    3. Re:Is this related to the next story? by confuto · · Score: 1

      Memo to self: Don't Mess With The FBI

    4. Re:Is this related to the next story? by Mister+Whirly · · Score: 2, Insightful

      Additional memo: hire idiots to be the head of major organizations. Then when they almost fall for stupid scams, things will actually get done to help prevent them in the future.

      --
      "But this one goes to 11!"
  4. If only Robert Mueller got more spam... by Golbez81 · · Score: 1

    Seriously.... the FBI would obviously be much more productive

  5. Quick! by bryanp · · Score: 3, Funny

    Someone tell the FBI director it's safe for him to log on again.

    --
    "An unarmed man can only flee from evil, and evil is not overcome by fleeing from it." Col. Jeff Cooper
    1. Re:Quick! by The+New+Andy · · Score: 3, Funny

      What's his email? I'll send him a link so he can reactivate his account and get going again.

    2. Re:Quick! by L4t3r4lu5 · · Score: 4, Funny

      Don't forget that he'll need to re-validate his security credentials at http://confirm.credentials.here.genuine.yourbank.fsdnp4895.imgonnagetyourmoney.com/bankbanksecurity.html

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    3. Re:Quick! by Anonymous Coward · · Score: 0

      robert.mueller@ic.fbi.gov

    4. Re:Quick! by TheRaven64 · · Score: 5, Insightful

      http://confirm.credentials.here.genuine.yourbank.fsdnp4895.imgonnagetyourmoney.com/bankbanksecurity.html [imgonnagetyourmoney.com]

      Am I the only one that thinks it's sad that Slashdot's code for avoiding accidental goatse clicks is better than many mail clients' code for avoiding having someone steal all of your money?

      --
      I am TheRaven on Soylent News
    5. Re:Quick! by elrous0 · · Score: 0, Flamebait

      It's probably best that he stay off the internet. Of course, it's probably also best that he not be the head of the FBI either.

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
    6. Re:Quick! by aztracker1 · · Score: 1

      Honestly, I don't know why mail readers don't simply disable, or not link to urls with more than 3 dots in the hostname portion, or are an IP address. I mean, is there *REALLY* a need to have more than four points in a domain for an emailed URL... sub.section.your.domain is enough... if there's more, you can always copy/paste, but this might get people to think twice, not to mention catch the people who paste URLs into their google/yahoo/bing search page instead of the URL input.

      --
      Michael J. Ryan - tracker1.info
    7. Re:Quick! by ais523 · · Score: 1

      The homepage of the place I currently work has four dots: "www.department.organisation.secondleveldomain.country". Of course, pretty much everyone here will know that it's hugely crazy that the site doesn't work without the www, but there's often legitimate need for URLs like those. (You probably forgot that country codes are used in many non-American domains...)

      --
      (1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
    8. Re:Quick! by troll8901 · · Score: 1

      How about this?

        http ://www.yourbank.com@mydomain.com/bankbanksecurity.html ?

      Does it pass the "more than 3 dots" test?

    9. Re:Quick! by BJ_Covert_Action · · Score: 1

      Am I the only one that thinks it's sad that Slashdot's code for avoiding accidental goatse clicks is better than many mail clients' code for avoiding having someone steal all of your money?

      Obviously you've never clicked on a goatse link at work or while your girlfriend was looking over your shoulder. It may be painful, but you can recover from online identity theft. In the long run, however, no amount of psychotherapy and pills will eliminate that terrible image from being permanently scalded into your brain cavities. Nor will it restore your job or help you ever live down the fact that you once got dumped for, "being into extreme male anal fetishes." =P

    10. Re:Quick! by b4dc0d3r · · Score: 1

      Just wondering what slashdot does without the extra space:
      http://mydomain.com/bankbanksecurity.html

      Looks like it detected and trimmed it, which is why you had to put a space in there. So the answer is yes, goatse turned out to be helpful, giving us the tools we need to prevent phishing attempts.

    11. Re:Quick! by Anonymous Coward · · Score: 0

      That's why browsers have not allowed that URL format for years now.

    12. Re:Quick! by Ibiwan · · Score: 1

      Did you really have to say brain "cavities"??

      --
      -- //no comment
    13. Re:Quick! by Lord_of_the_nerf · · Score: 1

      I would, but he's hiding in a Y2K bunker.

    14. Re:Quick! by troll8901 · · Score: 1

      Once again, I'm embarrassed beyond words. Thanks for your update.

    15. Re:Quick! by aztracker1 · · Score: 1

      then users could cut/paste direct links, or you could use a shortening tool like tr.im or bit.ly ... which for a bank/paypal scam would be obvious.

      --
      Michael J. Ryan - tracker1.info
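The link checks debated in this sub-thread (the bracketed real-domain hint Slashdot appends, the "more than 3 dots" rule, IP-address hosts and the user@host form), as an added example that is not code from any poster or from Slashdot. The function names and the two-label domain cut are assumptions; a real client would use the Public Suffix List, and the IP sample is constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Sample links: the first three are quoted in the comments above,
# the last one is constructed (documentation address range).
SAMPLES = [
    "http://confirm.credentials.here.genuine.yourbank.fsdnp4895."
    "imgonnagetyourmoney.com/bankbanksecurity.html",
    "http://www.yourbank.com@mydomain.com/bankbanksecurity.html",
    "http://www.department.organisation.secondleveldomain.country/",
    "http://192.0.2.10/login",
]


def display_domain(host):
    """Last two labels of the host, like the bracketed hint after a link.

    Assumption: cutting at two labels is a simplification. Hosts under
    multi-label suffixes need the Public Suffix List to be cut correctly.
    """
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    """True when the host part is an IPv4 or IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_link(url, max_dots=3):
    """Return (host, display hint, warnings) for a URL found in a message.

    warnings may contain:
      "userinfo"  - text before an "@" that is not part of the host
      "ip-host"   - the host is a bare IP address
      "many-dots" - more dots in the host than max_dots
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.username is not None:
        # Everything before "@" is credentials, however much it looks
        # like a bank's host name.
        warnings.append("userinfo")
    if is_ip_literal(host):
        warnings.append("ip-host")
        hint = host
    else:
        hint = display_domain(host)
        if host.count(".") > max_dots:
            warnings.append("many-dots")
    return host, hint, warnings


if __name__ == "__main__":
    for sample in SAMPLES:
        host, hint, warnings = analyse_link(sample)
        print(f"{sample}\n    [{hint}] warnings={warnings}")
```

The dot count flags the legitimate five-label host and misses the user@host link, which only the userinfo check and the displayed host catch.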
  6. Best use of money? by yamfry · · Score: 2, Interesting

    They spent 2+ years of US and Egyptian government resources to prosecute 100 people for tricking other people out of 1.5 million dollars. They will spend more resources on each of the 100 people's court cases. If their cases hold up in court they will spend more government resources to keep them in jail for up to 20 years each. They didn't state a dollar amount spent on this initiative in TFA, but wouldn't it be more efficient to use that money to educate online banking users on how to avoid phishing scams?

    1. Re:Best use of money? by Kokuyo · · Score: 3, Insightful

      Thereby teaching people it's okay to scam away as long as they just get a few million out of it. So when about a thousand different people do it independently, you're looking at total damages of 1.5 BILLION all of a sudden.

      Sure, the effort cost a lot of money but imagine what would happen if people started to believe they can get away with this sort of thing.

    2. Re:Best use of money? by Krneki · · Score: 1

      but wouldn't it be more efficient to use that money to educate online banking users on how to avoid phishing scams?

      If the FBI director (almost) falls for it, what are the chances Joe will spot the difference?

      The techniques used get better and better and you really must know what you are doing and be focused to avoid the scam. But maybe a better technique would be to give banks a rating, so we know which one has the highest amount of successful online scams.

      --
      Love many, trust a few, do harm to none.
    3. Re:Best use of money? by thepooh81 · · Score: 2, Insightful

      This is a great point. Although educating online banking users might not be the answer. Why don't banks have a 2-phased authorization type system (i.e. What you have and What you know)? I would gladly pay $5-$20 to have a PRNG pass-key (What I have) used in conjunction with a PIN (What I know) and have a more secure online banking system.

      INGDirect uses a fairly good system by having a personalized phrase & picture displayed every time you log in while you click on the number images to input your PIN to bypass keyloggers. It's still relying on Joe Schmoe to actually pay attention to the picture and phrase every time they visit the site. Thus, it's still susceptible to social engineering. The above mentioned 2-phased is a better solution IMO.

    4. Re:Best use of money? by Hinhule · · Score: 2, Interesting

      My bank has had this for years.

      To log on you enter your SSN, you get a random number. You take your pass generator, enter the pin then the random number. You get a new number which you use as the password.
      Also, new recipients must be authenticated in the same way, which makes it much less likely a program running on your computer can add a transaction once you have logged on.
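The challenge-response login and recipient confirmation described in the comment above, as an added example that is not the bank's or any poster's code. The HMAC-SHA256 construction, the 8-digit truncation, the class names and the account strings are all assumptions chosen for illustration; the key and PIN are constructed sample values.

```python
import hashlib
import hmac
import secrets


class Token:
    """Hand-held pass generator: holds a device key, unlocked by a PIN."""

    def __init__(self, device_key, pin):
        self._key, self._pin = device_key, pin

    def respond(self, pin, challenge, recipient=""):
        """Number shown after typing PIN, challenge and (optionally) the
        recipient account. Returns None when the PIN is wrong."""
        if not hmac.compare_digest(pin, self._pin):
            return None
        return _code(self._key, challenge, recipient)


def _code(key, challenge, recipient):
    # Assumed construction: HMAC over challenge and recipient, cut to 8 digits.
    msg = f"{challenge}|{recipient}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class Bank:
    """Server side: issues random challenges and checks the typed response."""

    def __init__(self, device_key):
        self._key = device_key
        self._open = set()  # challenges issued and not yet used

    def issue_challenge(self):
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._open.add(challenge)
        return challenge

    def verify(self, challenge, response, recipient=""):
        """recipient is the account named in the request the bank received."""
        if challenge not in self._open:
            return False  # unknown or already used: a replayed response fails
        self._open.discard(challenge)
        if response is None:
            return False
        expected = _code(self._key, challenge, recipient)
        return hmac.compare_digest(expected, response)


def demo():
    """Run the three cases and return their outcomes."""
    key = b"constructed-demo-key"          # constructed sample value
    bank, token = Bank(key), Token(key, "4321")

    c1 = bank.issue_challenge()
    r1 = token.respond("4321", c1)
    login_ok = bank.verify(c1, r1)
    replay_ok = bank.verify(c1, r1)        # same numbers typed again

    # The user confirms ACCT-111 on the token; the request that reaches
    # the bank names a different account, so the codes do not match.
    c2 = bank.issue_challenge()
    r2 = token.respond("4321", c2, "ACCT-111")
    altered_ok = bank.verify(c2, r2, "ACCT-999")

    c3 = bank.issue_challenge()
    r3 = token.respond("4321", c3, "ACCT-111")
    matching_ok = bank.verify(c3, r3, "ACCT-111")
    return login_ok, replay_ok, altered_ok, matching_ok


if __name__ == "__main__":
    print(demo())
```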

    5. Re:Best use of money? by Bigbutt · · Score: 2, Interesting

      I'd expect higher level managerial types to be just as likely as the average Joe on the street really. There's nothing technically special about managers. Heck, my wife has been just as close to falling for a phishing scam. Maybe he has a postit note on his monitor too. The one that says "Don't click on links in e-mails!" :)

      [John]

      --
      Shit better not happen!
    6. Re:Best use of money? by L4t3r4lu5 · · Score: 1

      The old boss of GCHQ was Director of Personnel and Director of Finance before taking over the top job for the Home Office. Consider; He only has to be a good manager / director, not a good intelligence expert.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    7. Re:Best use of money? by morgan_greywolf · · Score: 1

      If the FBI director (almost) falls for it, what are the chances Joe will spot the difference?

      You're right. Joe Sixpack is much smarter than the director of the FBI.

    8. Re:Best use of money? by craagz · · Score: 1

      Maybe because the managerial types are from another generation. Not used to the varied ways of the tubes.

    9. Re:Best use of money? by Pentium100 · · Score: 1

      Both of my banks have this, however, the basic service is a card with 20-30 passwords on it.
      To log in, you need to type your user number, regular password and one password from the card. 3 failed attempts and your access is blocked (you need to go to the bank to reactivate it).
      If you want to transfer money to some account that does not belong to you, you also need to enter one password from the card.

      For some money you can get a password generator which you use instead of the card.

    10. Re:Best use of money? by Bigbutt · · Score: 1

      Well, perhaps the higher level ones like Mueller. He's likely 15 years or so older than me.

      [John]

      --
      Shit better not happen!
    11. Re:Best use of money? by Anonymous Coward · · Score: 0

      Schneier:

      I've met users, and they're not fluent in security. They might be fluent in spreadsheets, eBay, or sending jokes over e-mail, but they're not technologists, let alone security people. Of course, they're making all sorts of security mistakes. I too have tried educating users, and I agree that it's largely futile.

      http://www.schneier.com/blog/archives/2006/08/educating_users.html

    12. Re:Best use of money? by pgmrdlm · · Score: 0

      What's wrong? Lose a source of income??

      --
      Anonymous comments are as pathetic as the anonymous "sources" that contaminate gutless journalism from the New York Time
    13. Re:Best use of money? by shentino · · Score: 1

      You forgot to take into account the number of thefts that WON'T happen because of one of the following:

      1) assholes who are sent to jail and knocked out of the fraud business by virtue of being behind bars
      2) would-be assholes who get spooked out of the fraud business by virtue of being scared of going to jail

    14. Re:Best use of money? by Anonymous Coward · · Score: 0

      You're pretty smug for someone who just had their password stolen by me.

    15. Re:Best use of money? by adavies42 · · Score: 1

      My World of Warcraft account is now more secure, courtesy of the iPhone authenticator, than my real bank account. This is pathetic.

      --
      Media that can be recorded and distributed can be recorded and distributed.
      -kfg
    16. Re:Best use of money? by Anonymous Coward · · Score: 0

      Expect has nothing to do with it.

      We're not talking about "higher level managerial types", you schmuck.

      We're talking about the director of the goddamn FBI.

      Does your family ever tell you that you're impossible to communicate with? They should.

    17. Re:Best use of money? by yamfry · · Score: 1

      Well, that depends on what we would like the purpose of punishment to be. If we want to put these people in jail to get revenge on them for stealing money then cost is not an issue. If we want to decrease the money lost in phishing, then we can focus efforts on making it more risky for people to steal or teach people and banks how to prevent theft.
      If we want to make it more risky, here's some calculations based on a minimum of research [emphasis on minimum]: Total annual amount lost in phishing in the US is $3.2 billion, if you'll believe some estimates (and I don't). So here's a back-of-envelope calculation with some assumptions:
      1. The US government is always this efficient in arresting phishers.
      2. All phishing groups are equally as effective (these weren't the dumbest phishers).
      3. Phishing groups are socialist (i.e. all members receive an equal share of what is stolen).

      100 people stole $1.5 million. Let's assume they managed to do this over a 1-year period so each has a salary of $15k. If the entire market of phishing theft is $3.2B and everyone steals the same amount, then there are about 2.1 million phishers in any given year. If they are caught at a rate of 100/2 years or 50/year, then you have a probability of being caught of about 0.00238% each year. Personally, I am highly risk-averse, so I wouldn't participate in this even if I knew the right people and knew the odds were this low -- discounting the moral argument, of course. Given a large enough population, I think that even if you doubled the risk of being caught there would be no short supply of phishers.
      If we take a lower damage estimate of $60M, then there are 4000 phishers with a 1.25% chance of getting caught every year. More risky, but I don't think we're taking a huge chunk out of the number of people who would be willing to get into this line of "work".
      It is distasteful for me as well to let people steal with impunity, but I'd prefer that we use the resources to efficiently stop theft, not on making it look like we're doing something to stop theft. I got all of my data from TFA and Wikipedia, so feel free to call BS if you know more (not-an-expert disclaimer).

    18. Re:Best use of money? by Dahan · · Score: 1

      This is a great point. Although educating online banking users might not be the answer. Why don't banks have a 2-phased authorization type system (i.e. What you have and What you know)? I would gladly pay $5-$20 to have a PRNG pass-key (What I have) used in conjunction with a PIN (What I know) and have a more secure online banking system.

      Bank of America offers that. You can either have them send an SMS to your phone with a number that you have to enter on the website; or you can buy a hardware token for $20.

    19. Re:Best use of money? by Blink+Tag · · Score: 1

      Your analysis assumes a) those prosecuted would have stopped on their own (you underestimate their lifetime earning potential), b) the amount reported reflects the actual amount stolen, c) the actions of these governments will have no deterrence effect, and d) this money wasn't used to fund other illegal activities. Even if you still believe the amount lost is lower than what was spent on enforcement, it's clear some judgements were made regarding the value of perceived justice|security|.*.

    20. Re:Best use of money? by teh+moges · · Score: 1

      Don't forget the "it'll never happen to me" attitude that allows people to ignore the risks and do phishing anyway.
      There will never be a short supply of people desperate enough to become phishers, just like house robberies are still an issue (despite, I am assuming, higher arrest rates).

    21. Re:Best use of money? by metaforest · · Score: 1

      The more interesting thing is that from my read of the indictment they had all of their communications tapped.
      It's clear they got pwnd. Good work FBI!!!

  7. You know why this was? by Pvt_Ryan · · Score: 1

    The FBI director actually fell for a previous phishing scam and this was REVENGE!!!

  8. Good job, guys! by NoYob · · Score: 1

    Way to reel 'em in!

    --
    It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
  9. Jurisdiction by TwistedGreen · · Score: 5, Funny

    Shouldn't this have been handled by the Department of Phisheries?

    1. Re:Jurisdiction by NoYob · · Score: 1

      I think it'd be the NOAA

      Sorry, didn't mean to be a pedant, but I was curious exactly who regulates the fisheries.

      There are so many Government agencies that regulate shit, it's hard to keep track and it does occasionally come in handy - like when a bank screws you, the folks that they are afraid of is the Office of the Comptroller of the Currency. occ.treas.gov

      --
      It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
    2. Re:Jurisdiction by Bigbutt · · Score: 3, Informative

      I thought it was The Department of Phish and Game.

      [John]

      --
      Shit better not happen!
    3. Re:Jurisdiction by Kohenkatz · · Score: 1

      Well, now that these scammers are "Phried Phish", it should be the FDA.

    4. Re:Jurisdiction by morgan_greywolf · · Score: 2, Funny

      There are so many Government agencies that regulate shit

      No, I think that would be your local government/water utility.

    5. Re:Jurisdiction by CarpetShark · · Score: 1

      Shouldn't this have been handled by the Department of Phisheries?

      Rather than the current Department of Philistines?

    6. Re:Jurisdiction by PPH · · Score: 1

      Sorry, didn't mean to be a pedant, but I was curious exactly who regulates the fisheries.

      The Ministry of Agriculture.

      --
      Have gnu, will travel.
  10. Operation code name by Danathar · · Score: 2, Funny

    I think Fried Phish would of been better.

    1. Re:Operation code name by Anonymous Coward · · Score: 0

      Dude, it is the FBI, they have to be all formal and stuff... so add Operation before it and we're green to go.

    2. Re:Operation code name by nacturation · · Score: 1

      I think "would've" would have been better.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  11. I finally know how we can win the "war on terror"! by elrous0 · · Score: 1

    We just wait for the Al Qaeda to attack the FBI director and the FBI will finally start to bring them down the next day.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  12. Largest phishing case ever? by Magrovsky · · Score: 1

    There was a guy arrested in Brazil a couple of years ago that scammed over 10 million dollars.

  13. Oh yeah .... by NoYob · · Score: 1

    I see, you are correct. They have a bunch of stuff for the regulation of fishing: both sport and commercial.

    They spelled phish wrong - they spelled it with an 'F' - that's government for you!

    --
    It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
  14. New Mail by Anonymous Coward · · Score: 0

    CONFIDENTIAL:
    Dear Sir,

    Good day and compliments. This letter will definitely come to you as a huge surprise, but I implore you to take the time to go through it carefully as the decision you make will go off a long way to determine the future and continued existence of the entire members of my family. Please allow me to introduce myself. My name is Dr. (Mrs.) Alexandria Massri, the wife of the head of state and commander in chief of the armed forces of Egypt who arrested by FBI on the 8th of October 2009.

    My ordeal started immediately after my husband's arrest on the morning of 8th October 2009. FBI is determined to portray all the good work of my husband in a bad light and have gone as far as confiscating all my late husband's assets, properties, freezing our accounts both within and outside Egypt.

    My husband has $1.5 Million USD ($1,500,000.00) specially preserved and well packed in trunk boxes of which only my husband and I knew about. It is packed in such a way to forestall just anybody having access to it. It is this sum that I seek your assistance to get out of Egypt as soon as possible before FBI finds out about it and confiscate it just like they have done to all our assets.

    I implore you to please give consideration to my predicament and help a woman in need.

    May Allah show you mercy as you do so.

    Your faithfully, Dr (Mrs.) Alexandria Massri.

  15. Hope those 'BOA' Phishes I forwarded helped by david.emery · · Score: 2, Interesting

    I was pretty religious about forwarding all the phishing emails I got purporting to be from Bank of America to BOA's fraud line.

    Lately I'm getting swamped by IRS phishes "notice of underreported income" (perhaps 100 of them so far), that I've been sending to the phishing mailbox at irs.gov. Hopefully that'll help close that particular scheme.

    How about capital punishment for widespread internet fraud???

    1. Re:Hope those 'BOA' Phishes I forwarded helped by Java+Pimp · · Score: 2, Funny

      Lately I'm getting swamped by IRS phishes "notice of underreported income" (perhaps 100 of them so far), that I've been sending to the phishing mailbox at irs.gov.

      Wait... those aren't Phishes... I was doing the same thing for a while... then the IRS just started showing up at my house in person. They didn't buy it when I tried telling them I thought someone was trying to scam me... Bad times those were... Bad times...

      --
      Ascalante: Your bride is over 3,000 years old.
      Kull: She told me she was 19!
    2. Re:Hope those 'BOA' Phishes I forwarded helped by Gilmoure · · Score: 1

      Yeah, I keep getting some kind of phishing email saying it's from Southwest Airlines and that the TSA wants me to 'update' my info.

      Yeah, I'll get right on that one.

      --
      I drank what? -- Socrates
    3. Re:Hope those 'BOA' Phishes I forwarded helped by PPH · · Score: 1

      Wait... those aren't Phishes... I was doing the same thing for a while... then the IRS just started showing up at my house in person.

      Get a PO Box dude! The IRS has no idea where I am.

      It also helps to have a residence with an "undeliverable" address.

      --
      Have gnu, will travel.
  16. Codename by MBGMorden · · Score: 4, Funny

    I swear I would have never believed that the FBI had it in them to pick a name as cool sounding as "Operation Phish Phry".

    --
    "People who think they know everything are very annoying to those of us who do."-Mark Twain
    1. Re:Codename by Random2 · · Score: 1

      Well, they did have two years to come up with the name.

      --
      "Our goal each year should be to increase the number of goals we set for ourselves!"
    2. Re:Codename by Anonymous Coward · · Score: 0

      I like FBI operations naming, from Wikipedia

      Operation Buccaneer

      "law enforcement agents in six countries targeted 62 people suspected of software piracy, with leads in twenty other countries."

      Operation D-Elite:
      "Operation by agents of the FBI and U.S. Bureau of Immigration and Customs Enforcement against leading members of EliteTorrents"

      And the famous Operation Sundevil

  17. Only $1.5 million? by Anonymous Coward · · Score: 0

    Only $1.5 million? Sounds like a small time ring to me. If I were inclined to do so, I could pull that off in two weeks with an organized ring of Cracker Barrel waitresses.

  18. Start charging by m0s3m8n · · Score: 2, Insightful

    This is not a popular idea and most say it is a fail, but we need to start charging for each email sent, not much, but enough so that zombie box owners will wake up when their next monthly bill arrives. But the email charge must be ultimately paid by the ISPs who are the actual gateways onto the net. This way they too have an incentive to stop the flow of spam. And since the ISP must pay or be disconnected, third-world spam would dry up too. Use the money generated for backbone maintenance/improvement. Flame on.

    --
    Conservative, mod down for violating /. political norms.
    1. Re:Start charging by Anonymous Coward · · Score: 0

      but we need to start charging for each email sent

      Between 'people' and 'spammers', that would only solve the problem in that no person could afford to send email, and all spammers can. So yes, removing everyone BUT the spammers from using email would kinda sorta solve the problem, but no more than just everyone shutting down every mail server on the same day.

      But the email charge must be ultimately paid by the ISPs who are the actual gateways onto the net.

      So two ISPs are sharing data between each other (email) and no one else is involved. Who exactly is to charge this fee? Why should the ISPs bother paying?

      It is also unmaintainable, as other ISPs will simply advertise their main advantage of "No per charge email!" and get a flock of new customers from the ISPs that do.

      If you understood the basis of how email and packet switched networking worked, you would realize there is no possible way to do what you suggest short of fully killing email off, and even then, it only takes two people to ignore your rules and run their own mail servers to freely email each other. One day, one of those two will send an email to the other which the other did not want, and you are back to the same spamming problem as now.

    2. Re:Start charging by Anonymous Coward · · Score: 0

      You don't need to actually charge money to make this useful, you can charge CPU cycles. If you charged each email some number of available CPU, and approx 10 seconds of real time to be sent, then mass mailing spambots would cease to be useful as their CPUs become full and the time it took to mass spam millions of messages would exceed allowable time.

      It obviously would not put an end to such things but it would significantly curtail.
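
The "charge CPU cycles" idea in the comment above is a proof-of-work stamp, in the spirit of Hashcash. The sketch below is an added example, not part of the thread: the stamp layout, the function names and the sample addresses are made up for illustration, and SHA-256 is an assumption. It shows the sender's expensive search, the receiver's one-hash check, and the checks that stop one stamp from paying for many messages.

```python
import hashlib
import time
from itertools import count


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the front of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def stamp_bits(stamp: str) -> int:
    """Work actually present in a stamp: leading zero bits of its SHA-256."""
    return leading_zero_bits(hashlib.sha256(stamp.encode()).digest())


def mint(recipient: str, date: str, bits: int) -> str:
    """Sender side: search nonces until the hash has `bits` leading zero bits.

    Expected cost is about 2**bits hashes. The layout
    version:bits:date:recipient:nonce is a simplification for this example.
    """
    prefix = f"1:{bits}:{date}:{recipient}:"
    for nonce in count():
        stamp = f"{prefix}{nonce:x}"
        if stamp_bits(stamp) >= bits:
            return stamp


def verify(stamp: str, recipient: str, today: str, min_bits: int, seen: set):
    """Receiver side: one hash plus bookkeeping. Returns (accepted, reason)."""
    parts = stamp.split(":")  # assumes the recipient address has no ':'
    if len(parts) != 5 or parts[0] != "1" or not parts[1].isdigit():
        return (False, "malformed stamp")
    claimed, date, rcpt = int(parts[1]), parts[2], parts[3]
    if claimed < min_bits:
        return (False, "too little work claimed")
    if rcpt != recipient:
        # Binding the stamp to one recipient forces fresh work per address.
        return (False, "stamp minted for another recipient")
    if date != today:
        return (False, "stale date")
    if stamp_bits(stamp) < claimed:
        return (False, "work not done")
    if stamp in seen:
        # Without this, one stamp could be attached to unlimited copies.
        return (False, "replayed stamp")
    seen.add(stamp)
    return (True, "ok")


if __name__ == "__main__":
    # Constructed sample values.
    seen_stamps = set()
    start = time.perf_counter()
    s = mint("alice@example.com", "091008", 16)
    print(f"minted {s} in {time.perf_counter() - start:.3f}s")
    print(verify(s, "alice@example.com", "091008", 16, seen_stamps))
    print(verify(s, "alice@example.com", "091008", 16, seen_stamps))
    print(verify(s, "bob@example.com", "091008", 16, set()))
```

Raising `bits` by one doubles the sender's expected work while verification stays a single hash.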

    3. Re:Start charging by Anonymous Coward · · Score: 1, Insightful

      Your post advocates a

      ( ) technical ( ) legislative (x) market-based ( ) vigilante

      approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

      ( ) Spammers can easily use it to harvest email addresses
      (x) Mailing lists and other legitimate email uses would be affected
      ( ) No one will be able to find the guy or collect the money
      ( ) It is defenseless against brute force attacks
      ( ) It will stop spam for two weeks and then we'll be stuck with it
      (x) Users of email will not put up with it
      ( ) Microsoft will not put up with it
      ( ) The police will not put up with it
      (x) Requires too much cooperation from spammers
      (x) Requires immediate total cooperation from everybody at once
      ( ) Many email users cannot afford to lose business or alienate potential employers
      ( ) Spammers don't care about invalid addresses in their lists
      ( ) Anyone could anonymously destroy anyone else's career or business

      Specifically, your plan fails to account for

      ( ) Laws expressly prohibiting it
      (x) Lack of centrally controlling authority for email
      ( ) Open relays in foreign countries
      ( ) Ease of searching tiny alphanumeric address space of all email addresses
      ( ) Asshats
      (x) Jurisdictional problems
      (x) Unpopularity of weird new taxes
      ( ) Public reluctance to accept weird new forms of money
      ( ) Huge existing software investment in SMTP
      ( ) Susceptibility of protocols other than SMTP to attack
      ( ) Willingness of users to install OS patches received by email
      (x) Armies of worm riddled broadband-connected Windows boxes
      ( ) Eternal arms race involved in all filtering approaches
      (x) Extreme profitability of spam
      ( ) Joe jobs and/or identity theft
      ( ) Technically illiterate politicians
      ( ) Extreme stupidity on the part of people who do business with spammers
      ( ) Dishonesty on the part of spammers themselves
      ( ) Bandwidth costs that are unaffected by client filtering
      ( ) Outlook

      and the following philosophical objections may also apply:

      (x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
      ( ) Any scheme based on opt-out is unacceptable
      ( ) SMTP headers should not be the subject of legislation
      ( ) Blacklists suck
      ( ) Whitelists suck
      ( ) We should be able to talk about Viagra without being censored
      ( ) Countermeasures should not involve wire fraud or credit card fraud
      ( ) Countermeasures should not involve sabotage of public networks
      ( ) Countermeasures must work if phased in gradually
      ( ) Sending email should be free
      ( ) Why should we have to trust you and your servers?
      ( ) Incompatibility with open source or open source licenses
      ( ) Feel-good measures do nothing to solve the problem
      ( ) Temporary/one-time email addresses are cumbersome
      ( ) I don't want the government reading my email
      ( ) Killing them that way is not slow and painful enough

      Furthermore, this is what I think about you:

      ( ) Sorry dude, but I don't think it would work.
      ( ) This is a stupid idea, and you're a stupid person for suggesting it.
      ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

    4. Re:Start charging by Anonymous Coward · · Score: 0

      Wouldn't it be better to force the digital signing of emails in order to ensure that the sender is indeed the person it claims to be?
      After all, websites use certificates (although the current implementation is flawed).

      If we're really progressive, we could also force the encryption of the email, which would also ensure the confidentiality of our conversations (better safe than sorry?).

    5. Re:Start charging by Anonymous Coward · · Score: 0

      Your post advocates a

      ( ) technical (X) legislative (X) market-based ( ) vigilante

      approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

      ( ) Spammers can easily use it to harvest email addresses
      (X) Mailing lists and other legitimate email uses would be affected
      (X) No one will be able to find the guy or collect the money
      ( ) It is defenseless against brute force attacks
      ( ) It will stop spam for two weeks and then we'll be stuck with it
      (X) Users of email will not put up with it
      (X) Microsoft will not put up with it
      ( ) The police will not put up with it
      ( ) Requires too much cooperation from spammers
      (X) Requires immediate total cooperation from everybody at once
      ( ) Many email users cannot afford to lose business or alienate potential employers
      ( ) Spammers don't care about invalid addresses in their lists
      ( ) Anyone could anonymously destroy anyone else's career or business

      Specifically, your plan fails to account for

      ( ) Laws expressly prohibiting it
      (X) Lack of centrally controlling authority for email
      (X) Open relays in foreign countries
      ( ) Ease of searching tiny alphanumeric address space of all email addresses
      ( ) Asshats
      ( ) Jurisdictional problems
      (X) Unpopularity of weird new taxes
      ( ) Public reluctance to accept weird new forms of money
      (X) Huge existing software investment in SMTP
      ( ) Susceptibility of protocols other than SMTP to attack
      ( ) Willingness of users to install OS patches received by email
      (X) Armies of worm riddled broadband-connected Windows boxes
      ( ) Eternal arms race involved in all filtering approaches
      ( ) Extreme profitability of spam
      (X) Joe jobs and/or identity theft
      ( ) Technically illiterate politicians
      ( ) Extreme stupidity on the part of people who do business with spammers
      ( ) Dishonesty on the part of spammers themselves
      ( ) Bandwidth costs that are unaffected by client filtering
      ( ) Outlook

      and the following philosophical objections may also apply:

      (X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
      ( ) Any scheme based on opt-out is unacceptable
      ( ) SMTP headers should not be the subject of legislation
      ( ) Blacklists suck
      ( ) Whitelists suck
      ( ) We should be able to talk about Viagra without being censored
      ( ) Countermeasures should not involve wire fraud or credit card fraud
      (X) Countermeasures should not involve sabotage of public networks
      (X) Countermeasures must work if phased in gradually
      (X) Sending email should be free
      ( ) Why should we have to trust you and your servers?
      ( ) Incompatibility with open source or open source licenses
      ( ) Feel-good measures do nothing to solve the problem
      ( ) Temporary/one-time email addresses are cumbersome
      ( ) I don't want the government reading my email
      ( ) Killing them that way is not slow and painful enough

      Furthermore, this is what I think about you:

      ( ) Sorry dude, but I don't think it would work.
      (X) This is a stupid idea, and you're a stupid person for suggesting it.
      ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

    6. Re:Start charging by spidkit · · Score: 1

      We already get a bill for internet services. It's not complicated to send each email account holder the total quantity of emails sent as part of their monthly bill. Surely that approach should twig a compromised machine owner to action if their box sent 1000's of emails.

    7. Re:Start charging by aztracker1 · · Score: 1

      I still say require the sender's email domain to match credentials in DNS.. hard SPF rules basically... then combined with black/white-lists it could get better... if MS, Yahoo, Google, and a few of the larger ISPs would get together and require strong SPF records, rejecting mails without them it would get implemented fairly quickly. Of course none of them can make money off of everyone else using this concept so they'll never do it...

      --
      Michael J. Ryan - tracker1.info
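
The "hard SPF" policy proposed in the comment above, as an added example that is not part of the thread: a small offline SPF evaluator next to two receiver policies, the strict one the comment asks for (reject anything that is not a pass, including domains with no record) and a lenient one that rejects only an explicit fail. The domains, addresses and TXT records are constructed, the function names are made up, and only the `ip4`, `ip6` and `all` mechanisms are evaluated; anything else is reported as "unsupported", which is a result of this example and not of SPF itself.

```python
import ipaddress

# SPF qualifier -> result, as defined for the mechanisms of an SPF record.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT records standing in for DNS lookups.
DNS_TXT = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",  # hard fail
    "shop.example": "v=spf1 ip4:198.51.100.10 ~all",                   # soft fail
    "legacy.example": None,                                            # no record
}


def check_spf(domain: str, client_ip: str, txt=DNS_TXT) -> str:
    """Evaluate the sending IP against the domain's SPF record.

    Returns none, pass, fail, softfail, neutral, permerror, or the
    example-only value 'unsupported' for mechanisms that need live DNS
    (include, a, mx, ...), which a real evaluator would resolve.
    """
    record = txt.get(domain)
    if not record:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            wanted = 4 if name == "ip4" else 6
            if net.version != wanted:
                return "permerror"
            if ip.version == wanted and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "unsupported"
    return "neutral"  # no mechanism matched and the record has no 'all'


def receiver_decision(result: str, policy: str) -> str:
    """Map an SPF result to accept/reject under one of two policies."""
    if policy == "strict":      # the comment's proposal
        return "accept" if result == "pass" else "reject"
    if policy == "lenient":     # reject only what the domain disowns outright
        return "reject" if result == "fail" else "accept"
    raise ValueError(f"unknown policy: {policy}")


def decide(domain: str, client_ip: str, policy: str) -> str:
    return receiver_decision(check_spf(domain, client_ip), policy)


if __name__ == "__main__":
    samples = [  # constructed (envelope sender domain, connecting IP)
        ("bank.example", "192.0.2.25"),
        ("bank.example", "203.0.113.9"),
        ("shop.example", "203.0.113.9"),
        ("legacy.example", "203.0.113.9"),
    ]
    for domain, ip in samples:
        result = check_spf(domain, ip)
        print(f"{domain:15} {ip:13} spf={result:9}"
              f" strict={receiver_decision(result, 'strict')}"
              f" lenient={receiver_decision(result, 'lenient')}")
```

SPF is evaluated against the envelope sender (MAIL FROM) domain, not the From: header a mail client displays, so a pass says nothing about the address the recipient actually sees.
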
    8. Re:Start charging by Luthe_Faydwire · · Score: 1

      Very small amounts of the spam are sent through the ISP mail gateway. To get a mildly accurate number the ISP would need to deep packet inspect all traffic to the standard mail gateway ports. While this is possible there is very little immediate benefit to the ISP. As the infrastructure cost is immediate most ISPs only deploy a trial to benchmark the system before abandoning the project.

      I am also fairly sure that most people only glance at their bills for the amount due.

    9. Re:Start charging by Anonymous Coward · · Score: 0

      Sorry, but I have to comment arrogantly to your post enumerating the different flaws of your reasoning; interpret this as an attempt to make you rethink this.

      [...] enough so that zombie box owners will wake up when their next monthly bill arrives. But the email charge must be ultimately paid by the ISPs who are the actual gateways onto the net.

      This contradicts itself. Either the client pays, or the ISP pays.

      But the email charge must be ultimately paid by the ISPs who are the actual gateways onto the net

      This way ISPs will have also an extra reason to undermine net neutrality (the how is left as a trivial exercise to the reader).

      And since the ISP must pay or be disconnected, third-world spam would dry up too.

      Yes, let's get the United States (which is ATM the authority over ICANN) to collect taxes from the poorest countries and limit their freedom of expression; I'm sure that would help with your popularity, and respected everywhere.

      Use the money generated for backbone maintenance/improvement.

      You've screwed it a lot, so I guess a bit of state intervention is just mildly annoying at this point. But I guess it is futile to collect taxes from ISPs, when you're going to pay them later.

    10. Re:Start charging by cdrguru · · Score: 1

      So let's see what happens if your neighbor gets a bill in the mail indicating that they used 34 thousand quadriloons. There are only two possible responses:

      1. Wow. That's nice.
      2. Frantically calls ISP believing they only used 22 thousand.

      End result? Nothing happens. We are talking about something that makes as much sense to your neighbor as "34 thousand quadriloons". The truth is that these people are incapable of "administering" their computer system and what we have are general-purpose computer systems that require trained people to do the administration. These computer systems were sold to people with the understanding that no such training or administration was required. The end result is they are trying to use them as an appliance when they are not appliances.

      Do you require any training to use a TV? How about a VCR? How about a toaster? No? Good - these are appliances. With a computer system the difference is that if you add the "wrong" software to it the computer can be used to damage everyone else on the planet. I assure you that this has nothing to do with the operating system, security or anything else. If Joe User can add software to the computer without requiring the advice and authorization from a knowledgeable administrator, you have a disaster in the making.

    11. Re:Start charging by thisisaccount2 · · Score: 1

      Your post advocates a

      ( ) technical (*) legislative ( ) market-based ( ) vigilante

      approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

      ( ) Spammers can easily use it to harvest email addresses
      (*) Mailing lists and other legitimate email uses would be affected
      ( ) No one will be able to find the guy or collect the money
      ( ) It is defenseless against brute force attacks
      (*) It will stop spam for two weeks and then we'll be stuck with it
      (*) Users of email will not put up with it
      (*) Microsoft will not put up with it
      (*) The police will not put up with it
      ( ) Requires too much cooperation from spammers
      (*) Requires immediate total cooperation from everybody at once
      ( ) Many email users cannot afford to lose business or alienate potential employers
      ( ) Spammers don't care about invalid addresses in their lists
      ( ) Anyone could anonymously destroy anyone else's career or business

      Specifically, your plan fails to account for

      ( ) Laws expressly prohibiting it
      (*) Lack of centrally controlling authority for email
      ( ) Open relays in foreign countries
      ( ) Ease of searching tiny alphanumeric address space of all email addresses
      (*) Asshats
      (*) Jurisdictional problems
      (*) Unpopularity of weird new taxes
      ( ) Public reluctance to accept weird new forms of money
      ( ) Huge existing software investment in SMTP
      ( ) Susceptibility of protocols other than SMTP to attack
      ( ) Willingness of users to install OS patches received by email
      (*) Armies of worm riddled broadband-connected Windows boxes
      ( ) Eternal arms race involved in all filtering approaches
      (*) Extreme profitability of spam
      ( ) Joe jobs and/or identity theft
      ( ) Technically illiterate politicians
      ( ) Extreme stupidity on the part of people who do business with spammers
      ( ) Dishonesty on the part of spammers themselves
      ( ) Bandwidth costs that are unaffected by client filtering
      ( ) Outlook

      and the following philosophical objections may also apply:

      (*) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
      ( ) Any scheme based on opt-out is unacceptable
      ( ) SMTP headers should not be the subject of legislation
      ( ) Blacklists suck
      ( ) Whitelists suck
      ( ) We should be able to talk about Viagra without being censored
      ( ) Countermeasures should not involve wire fraud or credit card fraud
      ( ) Countermeasures should not involve sabotage of public networks
      ( ) Countermeasures must work if phased in gradually
      (***) Sending email should be free
      ( ) Why should we have to trust you and your servers?
      ( ) Incompatibility with open source or open source licenses
      ( ) Feel-good measures do nothing to solve the problem
      ( ) Temporary/one-time email addresses are cumbersome
      ( ) I don't want the government reading my email
      ( ) Killing them that way is not slow and painful enough

      Furthermore, this is what I think about you:

      ( ) Sorry dude, but I don't think it would work.
      (*) This is a stupid idea, and you're a stupid person for suggesting it.
      ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

  19. Yeah, right by Anonymous Coward · · Score: 0

    Sure it was the "largest phishing case ever". Just how long was it again? Some phish story.

  20. Classic boss scenario by thijsh · · Score: 2, Insightful

    Have you learned nothing at your work? The FBI was 'on the case' since 2007, probably outsourced the real work to some poor suckers in IT and just sat on their asses for two years. Until Mueller gave them an angry call why he was still being phished while they were 'fixing the problem'. From that moment they had to produce results fast to please the boss... they probably just arrested the first guys on the watch list compiled in 2007.

    1. Re:Classic boss scenario by MarkvW · · Score: 1

      Wow! Great post! When are you starting your next conspiracy story?

    2. Re:Classic boss scenario by BrokenHalo · · Score: 1

      they probably just arrested the first guys on the watch list compiled in 2007.

      In which case, I hope for the sakes of the ~100 people they've nailed so far that they managed to skim more than $1.5M between them. If they're all involved in the same scam, that's only $150K each, which is pretty much peanuts nowadays.

      If I were likely to do the same time in PITA jail for stealing $100 as I would for $100*10^6, I'd make damn sure I did the latter.

    3. Re:Classic boss scenario by MoriaOrc · · Score: 1

      It's even worse for them than you thought: 1.5m / 100 = 15k, not 150k.

    4. Re:Classic boss scenario by rohan972 · · Score: 1

      Wow! Great post! When are you starting your next conspiracy story?

      Congratulations. I'm glad someone called him out on this. Government workers being slow to finish a job unless the pressure is put on them? How do people come up with these ridiculous conspiracy theories?

  21. Wouldn't it be nice... by Zantac69 · · Score: 1

    ...if the offenders are stuffed and mounted. Maybe they can be implanted with cheesy electronics and form a choir of Billy Bass!

    --
    1331461 is only semiprime *sigh* Alas - I am just short of 1337.
  22. Poor Phish (the band) by Anonymous Coward · · Score: 0

    Poor Phish (the band)
    Their name is forever ruined.

    1. Re:Poor Phish (the band) by lectos · · Score: 1

      I think they did that for themselves by attempting to play music.

  23. Re:Osama Bin Laden captured! by Starayo · · Score: 0, Offtopic

    Found hiding in the closet after director came home early?



    ...New headline. Bin Laden comes out of the closet! Hee hee.

    --
    Ezekiel 23:20
  24. What actually happened by gaspyy · · Score: 1

    Contrary to popular opinion on Slashdot, I believe the Mueller story was a classic bait to raise interest and to be followed by this real story.

    Think about it - mainstream media ignores tech stories or buries them somewhere no one reads them. Meanwhile, stories about people affected by a problem are always given prominence.

    Let me put it this way:
    1. Put out a sensationalistic story about how no one (not even the head of FBI) is safe from phishing - raise fear, uncertainty and doubt.
    2. Get the real story out about FBI catching phishers. The media will link the two, where otherwise the real story would have gone unnoticed.
    3. Profit! (Bonuses, awards, whatever)

  25. Problem with this business model is... by hesaigo999ca · · Score: 2, Interesting

    They let this go on, because they think the cost of ruining a few lives is ok, as long as in the end they make their bust and all is ok in coptown. Problem is, real time transactions are happening while they study the case, and letting 1.5 million slip through in order to follow the trace back to the top. Like a guy holding a camera while someone is being mugged by a lynch mob and doing nothing, should there not also be consequences especially when FEDS (of all people) let something like this happen, when they have the power to stop it in its tracks....instead of letting it go on, and on, how long was this case going on for...?

    Hard decisions, but sometimes the ends do not justify the means.
    I had a ticket once for running through a stop sign, although it was covered almost 100% behind a tree, as I mentioned this to the cop, they told me to just say that in court as they knew many people would run through, instead of just telling the city to fix the problem....however I felt very frustrated, should there have been a kid playing nearby and I had not seen the sign, I would have maybe run him over by accident, then the cop would have been responsible for his life being lost, because instead of directing traffic (like when an intersection is burned out) they were using the hidden stop sign to generate revenue....very depressing!

    1. Re:Problem with this business model is... by gujo-odori · · Score: 1

      Yeah, I got a ticket like that once, too. Wasn't in Glendora, CA, was it? :p

      I'm in the vendor side of anti-phishing, and I've got to challenge the idea that the FBI had the power to stop those events in their tracks. Sure, they could have busted a small number of low-level criminals early in the investigation, but that wouldn't have stopped anything. The higher-level criminals would have continued as usual, made more wary by the bust of a few small fish. To fully investigate and to build a case that will win in court and send the perps to prison takes time. That's unfortunate, but it does take time, and it's the only way to get that particular gang off the street for a while. The FBI made the right call.

      A few asides to that:

      -In most cases, banks cover phishing losses. If they'd stop doing that.

      -Phishing is generally so obvious that my brother's best friend - who is blind - could figure out it's phish with his cane. A certain amount of responsibility for getting phished has to be assigned to the victim. It's like walking through a bad part of town at night with a wallet stuffed full of cash sticking out of your back pocket. Sure, the criminal is still the criminal and belongs in jail, but anyone who walks around like that is giving the criminal every possible opportunity. AKA setting himself up to become a crime victim through stupid action.

      -The other day, we noticed a large spike in certain kinds of phishing (all of which was caught by our filters, fortunately). Then today this news breaks. It's almost as if the phishers sensed a crackdown was imminent and wanted to make one last big push before they went underground. It's a possible coincidence of course, but it's hard to believe in coincidences in this business.

      -I applaud this arrest, but I don't expect it to make even a blip in the level of phishing. If hits on our anti-phishing rules go down at all, I'll be genuinely surprised. The only events that seem to have major impact on spam levels are cable cuts to China or Africa :p

    2. Re:Problem with this business model is... by JSBiff · · Score: 1

      "They let this go on, because they think the cost of ruining a few lives is ok, as long as in the end they make their bust and all is ok in coptown."

      How are they *supposed* to stop it if they don't know everyone involved? Busting one punk out of a group of 100+ conspirators won't even put a dent in the fraud. The only *way* to stop the fraud is for them to take the time to trace out the whole network.

      "when they have the power to stop it in its tracks."

      That's a bold statement. How do they stop it in its tracks if they don't fully understand who all is involved in the fraud and how it's being committed? If you mean shutting down an individual phishing website, if you haven't caught the criminals behind them, you're just playing whack-a-mole: another 5 phishing sites will be created on another 5 hosts within minutes of you shutting down the old one. That's not to say they shouldn't shut down the phishing sites as they are found - I'm pretty sure they *do*, but shutting down any given phishing site doesn't qualify as 'stopping it in its tracks'.

      Plus, it may be possible to recover some (most?) of those stolen funds, if they haven't been converted yet (i.e. spent on goods and services, or converted to other valuables like cash, bonds, metals, oil, gemstones, etc). In the case of conversion to other valuables, they still might be able to recover the cash, bonds, gems, etc, and convert most of the money back to cash and return it to the banks.

      In any case, I disagree with your general premise - you can't jump the gun on the investigation and expect to actually result in *fewer* people screwed for less money. Also, once you start taking any action, the birds are gonna take flight, you know? So, you have to wait till you are ready to throw the net over the whole flock.

    3. Re:Problem with this business model is... by hesaigo999ca · · Score: 1

      Probably, but at least offer to help rebuild the damages caused by your lack of action.
      I know a few people who got stung by identity theft and still have problems today because of it, and yet, you would think with the power that the FBI has, they could write up a sort of side note on that person's record that would help rectify any problems associated with this type of activity, on that person's account.

      Of course not, that would mean they accept responsibility for their actions...which they never do, citing that it's a necessary evil to do the work they do. I don't buy it though, there is a better way, just not one which is cost efficient for THEM, this is the easier and cheaper way, make someone else suffer to be able to trace the money back up the line.

  26. 4 sale: the ultimate credit card collection by Skapare · · Score: 1

    The ultimate credit collection is now for sale. For 10 million dollars ($10,000,000.00), plus $500,000 copying and media fees, you can be the exclusive buyer of this collection. That's right. This is the ULTIMATE credit card number collection. There is no collection any larger. Only ONE copy will be sold to the lucky buyer. This is actually a lower cost than any other offer by any other credit card list provider. This is an amazing 10 million (10,000,000) card numbers per penny ... a total of ten quadrillion credit card numbers. And it can all be exclusively yours if you send the payment within 24 hours.

    --
    now we need to go OSS in diesel cars
  27. Old School Rap, Vol 5 by LoudMusic · · Score: 1

    Are you down with the O.P.P.?

    O is for Operation, P is for Phish don't you know,
    The last P, well that's not so simple bro ...

    --
    No sig for you. YOU GET NO SIG!
  28. even just a fraction of a penny would work by circletimessquare · · Score: 1

    then take all that cash, and invest it in third world communication infrastructure. that should shut the critics up

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  29. Operation Phish Phry???!!! by smilnrt · · Score: 1

    My goodness that is about as dumb as an undercover officer wearing one of those tee-shirts that says "Police" on it! I mean, if I were into malicious computer activity, (disclaimer: I am not involved in malicious computer activity, nor do I condone or recommend it, and know of no one who is, nor have I ever knowingly engaged in it) I sure as heck would not name my activity after what I am doing. Let's call it the "Biggest Worm Ever", think we'll get caught???!!! Dumb, just palin (not a typo) dumb!

  30. They can't? by cmseagle · · Score: 1

    It took 2 years to build a case against 100 of these people, and I'd be incredibly surprised if 100 people even amount to 1% of all phishers. I'd say that the other 99% have pretty much gotten away with it.

  31. It's like by youdpreferanastronau · · Score: 1

    almost getting into a car accident and saying "I'll never drive again"...

  32. Some kinds of phishing down a bit by Animats · · Score: 1

    This may be having an effect. I'm seeing a small decline in major domains being exploited by phishing scams. That monitors phishing attacks which use major domains to give themselves convincing-looking URLs.

    In the year and a half we've been monitoring this, the number of sites being exploited has dropped from 174 to today's value of 37. We nag sites that have problems to tighten up their security. It's working. Ebay used to have a security hole which allowed creating URLs under "ebay.com" that redirected elsewhere. That's been fixed. The "short URL" companies are now much more aggressive in detecting phishing and kicking off those URLs. Bugs at Yahoo and Microsoft Live have been fixed. Geocities had problems, but they're shutting down at the end of the month.

    Now if Google would just kick off this phony Habbo login page implemented using Google Spreadsheets, all the biggest names would be OK. If anyone from Google is reading this, please pass that along to someone with a clue. (Yes, it's been reported via the usual "Google abuse" mechanism.)
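An added example, not part of the thread or any commenter's code: one way a defender could flag the pattern comment 32 describes, a URL under a trusted major domain that redirects elsewhere. The allow-list, the two-label domain heuristic, the function names and the sample URLs are all assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed allow-list of major domains whose URLs users tend to trust.
TRUSTED = {"ebay.com"}

def base_domain(host):
    """Naive registrable domain: the last two labels. This is an assumption;
    a production check would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def embedded_hosts(url):
    """Return (param, host) pairs for query values that are themselves URLs."""
    found = []
    # parse_qsl percent-decodes each value once, so http%3A%2F%2F... is seen.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        value = value.strip()
        if value.startswith("//"):          # scheme-relative target
            value = "http:" + value
        try:
            parts = urlsplit(value)
        except ValueError:                  # malformed value, not a usable URL
            continue
        if parts.scheme in ("http", "https") and parts.hostname:
            found.append((name, parts.hostname))
    return found

def offsite_redirects(url):
    """Flag parameters on a trusted-domain URL that point at another domain."""
    host = urlsplit(url).hostname or ""
    if base_domain(host) not in TRUSTED:
        return []                           # not borrowing a trusted name
    return [(n, h) for n, h in embedded_hosts(url)
            if base_domain(h) != base_domain(host)]

# Constructed sample URLs (paths and parameter names are made up).
SAMPLES = [
    "https://www.ebay.com/r?loc=http%3A%2F%2Flogin.phish.test%2Fsignin",
    "https://www.ebay.com/r?to=%2F%2Fevil.test%2Fa",
    "https://www.ebay.com/item?next=https%3A%2F%2Fpages.ebay.com%2Fhelp",
    "https://other.test/?u=http://x.test/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", offsite_redirects(sample))
```

A hit only means the link carries an off-site target in a parameter; whether the trusted site actually follows it still has to be confirmed against that site.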

  33. Yeah but ... by PPH · · Score: 1

    ... you should have seen the size of the one that got away!

    --
    Have gnu, will travel.
  34. $1.5 million by Anonymous Coward · · Score: 0

    $1.5 million dollars was the largest phishing scam ever? These guys should find a more lucrative scam. Credit/debit card fraud usually nets more than that.