FBI Cracks "Largest Phishing Case Ever"
nk497 writes "The FBI and Egyptian authorities have arrested 100 people in what they're calling 'the largest international phishing case ever conducted' as part of a wide-scale investigation called Operation Phish Phry. The criminals used phishing to get access to hundreds of bank accounts, stealing $1.5 million. 'This international phishing ring had a significant impact on two banks and caused huge headaches for hundreds, perhaps thousands of bank customers,' said Acting US Attorney George S. Cardona."
I guess when the big dog nearly falls for the scam himself, resources magically get devoted to the case.
I think it goes to show what being personally involved and affected can do to job performance at the FBI. The previous story talks about why the FBI head guy doesn't do online banking... he was almost fooled by this sort of scammer. Suddenly they apply the weight of their position against the problem and come up with results.
So when it comes to the many, many things that aren't being accomplished, I have to wonder if it's because they don't care.
Thereby teaching people it's okay to scam away as long as they just get a few million out of it. So when about a thousand different people do it independently, you're looking at total damages of 1.5 BILLION all of a sudden.
Sure, the effort cost a lot of money but imagine what would happen if people started to believe they can get away with this sort of thing.
This is a great point. Although educating online banking users might not be the answer. Why don't banks have a 2-phased authorization type system (i.e. What you have and What you know)? I would gladly pay $5-$20 to have a PRNG pass-key (What I have) used in conjunction with a PIN (What I know) and have a more secure online banking system.
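The "what you have plus what you know" scheme proposed above, as an added example that is not part of the original thread: it assumes the "PRNG pass-key" is an RFC 4226/6238 HOTP/TOTP token and pairs it with a PIN; the secret and PIN are constructed demo values.

```python
import hashlib
import hmac
import struct

# Constructed demo values (the RFC 4226 test secret), not real credentials.
SECRET = b"12345678901234567890"
PIN_HASH = hashlib.sha256(b"4242").digest()  # what you know, stored hashed


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of 30 s steps since the Unix epoch."""
    return hotp(secret, now // step, digits)


def verify_login(secret: bytes, pin_hash: bytes, submitted_pin: str,
                 submitted_code: str, now: int, window: int = 1) -> bool:
    """Both factors must pass. Comparisons are constant-time, and the token
    code is accepted only within +/- window steps of clock drift, so a
    code captured earlier (e.g. by a phishing page) expires quickly."""
    pin_ok = hmac.compare_digest(
        hashlib.sha256(submitted_pin.encode()).digest(), pin_hash)
    code_ok = any(
        hmac.compare_digest(totp(secret, now + k * 30), submitted_code)
        for k in range(-window, window + 1))
    return pin_ok and code_ok


if __name__ == "__main__":
    t = 1111111111
    print(verify_login(SECRET, PIN_HASH, "4242", totp(SECRET, t), t))  # True
```

A stolen PIN alone, or a stolen code outside its time window, is rejected; a real-time relay of both within the window still succeeds, which is why the phrase-and-picture check in the next post attacks a different part of the problem.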
INGDirect uses a fairly good system by having a personalized phrase & picture displayed every time you log in while you click on the number images to input your PIN to bypass keyloggers. It's still relying on Joe Schmoe to actually pay attention to the picture and phrase every time they visit the site. Thus, it's still susceptible to social engineering. The above mentioned 2-phased is a better solution IMO.
Your post advocates a
( ) technical ( ) legislative ( ) market-based (X) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
(X) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
(X) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
(X) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(X) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
(X) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
(X) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
You have a lot of time on your hands, don't you?
If you had read the article, you'd notice that the FBI have been working on this particular case since 2007. The story about Mueller nearly falling for a phishing scam is from 2009. I don't think the two events have anything to do with each other.
This is not a popular idea and most say it is a fail, but we need to start charging for each email sent, not much, but enough so that zombie box owners will wake up when their next monthly bill arrives. But the email charge must be ultimately paid by the ISPs who are the actual gateways onto the net. This way they too have an incentive to stop the flow of spam. And since the ISP must pay or be disconnected, third-world spam would dry up too. Use the money generated for backbone maintenance/improvement. Flame on.
Conservative, mod down for violating
Have you learned nothing at your work? The FBI was 'on the case' since 2007, probably outsourced the real work to some poor suckers in IT and just sat on their asses for two years. Until Mueller gave them an angry call why he was still being phished while they were 'fixing the problem'. From that moment they had to produce results fast to please the boss... they probably just arrested the first guys on the watch list compiled in 2007.
http://confirm.credentials.here.genuine.yourbank.fsdnp4895.imgonnagetyourmoney.com/bankbanksecurity.html [imgonnagetyourmoney.com]
Am I the only one that thinks it's sad that Slashdot's code for avoiding accidental goatse clicks is better than many mail clients' code for avoiding having someone steal all of your money?
I am TheRaven on Soylent News
Additional memo: hire idiots to be the head of major organizations. Then when they almost fall for stupid scams, things will actually get done to help prevent them in the future.
"But this one goes to 11!"
100 people stole $1.5 million over the course of two years. That's about $7500 per person per year. Phishing doesn't seem to be a very lucrative profession.