Slashdot Mirror


FBI Cracks "Largest Phishing Case Ever"

nk497 writes "The FBI and Egyptian authorities have arrested 100 people in what they're calling 'the largest international phishing case ever conducted' as part of a wide-scale investigation called Operation Phish Phry. The criminals used phishing to get access to hundreds of bank accounts, stealing $1.5 million. 'This international phishing ring had a significant impact on two banks and caused huge headaches for hundreds, perhaps thousands of bank customers,' said Acting US Attorney George S. Cardona."


  1. That was fast by Bob_Who · · Score: 5, Funny

    ....talk about damage control!

    1. Re:That was fast by erroneus · · Score: 2, Insightful

      I think it goes to show what being personally involved and affected can do to job performance at the FBI. The previous story talks about why the FBI head guy doesn't do online banking... he was almost fooled by this sort of scammer. Suddenly they apply the weight of their position against the problem and come up with results.

      So when it comes to the many, many things that aren't being accomplished, I have to wonder if it's because they don't care.

    2. Re:That was fast by A.+B3ttik · · Score: 5, Funny

      Let's set up our e-mail accounts to forward all Spam to the head of the FBI. If this story is any indication, it shouldn't take more than 45 minutes to get rid of the problem.

    3. Re:That was fast by Jurily · · Score: 5, Insightful

      Your post advocates a

      ( ) technical ( ) legislative ( ) market-based (X) vigilante

      approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

      ( ) Spammers can easily use it to harvest email addresses
      ( ) Mailing lists and other legitimate email uses would be affected
      ( ) No one will be able to find the guy or collect the money
      ( ) It is defenseless against brute force attacks
      ( ) It will stop spam for two weeks and then we'll be stuck with it
      ( ) Users of email will not put up with it
      ( ) Microsoft will not put up with it
      (X) The police will not put up with it
      ( ) Requires too much cooperation from spammers
      ( ) Requires immediate total cooperation from everybody at once
      ( ) Many email users cannot afford to lose business or alienate potential employers
      ( ) Spammers don't care about invalid addresses in their lists
      ( ) Anyone could anonymously destroy anyone else's career or business

      Specifically, your plan fails to account for

      ( ) Laws expressly prohibiting it
      ( ) Lack of centrally controlling authority for email
      ( ) Open relays in foreign countries
      ( ) Ease of searching tiny alphanumeric address space of all email addresses
      ( ) Asshats
      ( ) Jurisdictional problems
      ( ) Unpopularity of weird new taxes
      ( ) Public reluctance to accept weird new forms of money
      ( ) Huge existing software investment in SMTP
      ( ) Susceptibility of protocols other than SMTP to attack
      ( ) Willingness of users to install OS patches received by email
      (X) Armies of worm riddled broadband-connected Windows boxes
      ( ) Eternal arms race involved in all filtering approaches
      ( ) Extreme profitability of spam
      (X) Joe jobs and/or identity theft
      ( ) Technically illiterate politicians
      ( ) Extreme stupidity on the part of people who do business with spammers
      ( ) Dishonesty on the part of spammers themselves
      (X) Bandwidth costs that are unaffected by client filtering
      ( ) Outlook

      and the following philosophical objections may also apply:

      ( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
      ( ) Any scheme based on opt-out is unacceptable
      ( ) SMTP headers should not be the subject of legislation
      ( ) Blacklists suck
      ( ) Whitelists suck
      ( ) We should be able to talk about Viagra without being censored
      ( ) Countermeasures should not involve wire fraud or credit card fraud
      (X) Countermeasures should not involve sabotage of public networks
      ( ) Countermeasures must work if phased in gradually
      ( ) Sending email should be free
      ( ) Why should we have to trust you and your servers?
      ( ) Incompatibility with open source or open source licenses
      (X) Feel-good measures do nothing to solve the problem
      ( ) Temporary/one-time email addresses are cumbersome
      (X) I don't want the government reading my email
      ( ) Killing them that way is not slow and painful enough

      Furthermore, this is what I think about you:

      (X) Sorry dude, but I don't think it would work.
      ( ) This is a stupid idea, and you're a stupid person for suggesting it.
      ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

    4. Re:That was fast by Anonymous Coward · · Score: 2, Insightful

      You have a lot of time on your hands, don't you?

    5. Re:That was fast by justinlee37 · · Score: 5, Insightful

      If you had read the article, you'd notice that the FBI have been working on this particular case since 2007. The story about Mueller nearly falling for a phishing scam is from 2009. I don't think the two events have anything to do with each other.

    6. Re:That was fast by xonar · · Score: 4, Funny

      You must be new here

    7. Re:That was fast by Coren22 · · Score: 2, Informative

      You're joking right? I can't say I would call them exactly smooth, though they do get repaired on a regular basis.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    8. Re:That was fast by Antiocheian · · Score: 3, Informative

      But "here" was new as well (actually non-existing) when these forms first appeared on the Usenet.

      This particular form is quite right and not just funny.

      There are others, especially of flamebaiting nature, which are really creative.

  2. Hmmm. by Flowstone · · Score: 2, Funny

    Always been more of a sushi guy myself, guess I'll have to wait for operation bonzai.

  3. Is this related to the next story? by ubrgeek · · Score: 2, Interesting

    The one about "Why the FBI Director Doesn't Bank Online"?

    --
    Bark less. Wag more.
    1. Re:Is this related to the next story? by olsmeister · · Score: 3, Insightful

      I guess when the big dog nearly falls for the scam himself, resources magically get devoted to the case.

    2. Re:Is this related to the next story? by Mister+Whirly · · Score: 2, Insightful

      Additional memo: hire idiots to be the head of major organizations. Then when they almost fall for stupid scams, things will actually get done to help prevent them in the future.

      --
      "But this one goes to 11!"
  4. Quick! by bryanp · · Score: 3, Funny

    Someone tell the FBI director it's safe for him to log on again.

    --
    "An unarmed man can only flee from evil, and evil is not overcome by fleeing from it." Col. Jeff Cooper
    1. Re:Quick! by The+New+Andy · · Score: 3, Funny

      What's his email? I'll send him a link so he can reactivate his account and get going again.

    2. Re:Quick! by L4t3r4lu5 · · Score: 4, Funny

      Don't forget that he'll need to re-validate his security credentials at http://confirm.credentials.here.genuine.yourbank.fsdnp4895.imgonnagetyourmoney.com/bankbanksecurity.html

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    3. Re:Quick! by TheRaven64 · · Score: 5, Insightful

      http://confirm.credentials.here.genuine.yourbank.fsdnp4895.imgonnagetyourmoney.com/bankbanksecurity.html [imgonnagetyourmoney.com]

      Am I the only one that thinks it's sad that Slashdot's code for avoiding accidental goatse clicks is better than many mail clients' code for avoiding having someone steal all of your money?

      --
      I am TheRaven on Soylent News
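
The bracketed annotation discussed in the comment above, sketched as an added example (not Slashdot's code and not part of the thread): it reduces a link to its registrable domain, the only part of the host the link's owner has to control. The suffix set, the function names and the `yourbank.com` brand domain are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List (publicsuffix.org);
# a real mail client would load the full list instead of this constructed set.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "com.au"}

# The link quoted in the thread.
PAGE_URL = ("http://confirm.credentials.here.genuine.yourbank.fsdnp4895."
            "imgonnagetyourmoney.com/bankbanksecurity.html")

def registrable_domain(url):
    """Return public suffix plus one label, or None if the host is a bare suffix."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    # Scanning from the left finds the longest matching suffix first.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return host or None  # unknown suffix or IP literal: show the whole host

def annotate(url):
    """Render the link the way the thread shows it: URL plus [domain]."""
    return f"{url} [{registrable_domain(url)}]"

def brand_mismatch(url, brand_domain):
    """True when the brand name appears in the URL but the link lives elsewhere."""
    brand_label = brand_domain.split(".")[0]
    return brand_label in url.lower() and registrable_domain(url) != brand_domain

if __name__ == "__main__":
    samples = [
        PAGE_URL,
        "https://www.yourbank.com/login",                        # constructed
        "http://www.yourbank.com@imgonnagetyourmoney.com/login"  # constructed
    ]
    for url in samples:
        print(annotate(url), "MISMATCH" if brand_mismatch(url, "yourbank.com") else "ok")
```

The third sample puts the brand in the userinfo part of the URL; `urlsplit` still reports the real host, so the annotation and the mismatch check both catch it.
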
  5. Best use of money? by yamfry · · Score: 2, Interesting

    They spent 2+ years of US and Egyptian government resources to prosecute 100 people for tricking other people out of 1.5 million dollars. They will spend more resources on each of the 100 people's court cases. If their cases hold up in court they will spend more government resources to keep them in jail for up to 20 years each. They didn't state a dollar amount spent on this initiative in TFA, but wouldn't it be more efficient to use that money to educate online banking users on how to avoid phishing scams?

    1. Re:Best use of money? by Kokuyo · · Score: 3, Insightful

      Thereby teaching people it's okay to scam away as long as they just get a few million out of it. So when about a thousand different people do it independently, you're looking at total damages of 1.5 BILLION all of a sudden.

      Sure, the effort cost a lot of money but imagine what would happen if people started to believe they can get away with this sort of thing.

    2. Re:Best use of money? by thepooh81 · · Score: 2, Insightful

      This is a great point. Although educating online banking users might not be the answer. Why don't banks have a 2-phased authorization type system (i.e. What you have and What you know)? I would gladly pay $5-$20 to have a PRNG pass-key (What I have) used in conjunction with a PIN (What I know) and have a more secure online banking system.

      INGDirect uses a fairly good system by having a personalized phrase & picture displayed every time you log in while you click on the number images to input your PIN to bypass keyloggers. It's still relying on Joe Schmoe to actually pay attention to the picture and phrase every time they visit the site. Thus, it's still susceptible to social engineering. The above mentioned 2-phased is a better solution IMO.

    3. Re:Best use of money? by Hinhule · · Score: 2, Interesting

      My bank has had this for years.

      To log on you enter your SSN, you get a random number. You take your pass generator, enter the pin then the random number. You get a new number which you use as the password.
      Also, new recipients must be authenticated in the same way, which makes it much less likely a program running on your computer can add a transaction once you have logged on.
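
The challenge-response login described in the comment above, as an added example (not part of the thread and not any bank's actual algorithm): it shows both sides of the exchange and why a code issued for login does not authorize a new recipient. The HMAC construction, the PBKDF2 PIN binding, the context strings and all names and values are assumptions.

```python
import hashlib
import hmac
import secrets

def derive_key(device_secret: bytes, pin: str) -> bytes:
    # Assumed design: the PIN is mixed into the key, so a stolen generator
    # without the PIN produces codes the bank rejects.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_secret, 100_000)

def token_response(key: bytes, challenge: str, context: str) -> str:
    """Code the pass generator shows for a challenge typed in by the user."""
    mac = hmac.new(key, f"{context}|{challenge}".encode(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # HOTP-style truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**8:08d}"

class Bank:
    def __init__(self, key: bytes):
        self.key = key
        self.pending = {}                        # context -> outstanding challenge

    def issue_challenge(self, context: str) -> str:
        self.pending[context] = f"{secrets.randbelow(10**8):08d}"
        return self.pending[context]

    def verify(self, context: str, response: str) -> bool:
        challenge = self.pending.pop(context, None)   # each challenge is single use
        if challenge is None:
            return False
        expected = token_response(self.key, challenge, context)
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    secret = secrets.token_bytes(20)             # constructed device secret
    key = derive_key(secret, "4921")             # constructed PIN
    bank = Bank(key)
    login_code = token_response(key, bank.issue_challenge("login"), "login")
    results = {"login": bank.verify("login", login_code),
               "replayed_login": bank.verify("login", login_code)}
    # Adding a recipient gets its own challenge, bound to that account.
    payee = "payee:0000-CONSTRUCTED"
    bank.issue_challenge(payee)
    results["login_code_for_payee"] = bank.verify(payee, login_code)
    challenge = bank.issue_challenge(payee)
    wrong_pin_key = derive_key(secret, "0000")
    results["wrong_pin"] = bank.verify(payee, token_response(wrong_pin_key, challenge, payee))
    challenge = bank.issue_challenge(payee)
    results["payee"] = bank.verify(payee, token_response(key, challenge, payee))
    return results

if __name__ == "__main__":
    print(demo())
```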

    4. Re:Best use of money? by Bigbutt · · Score: 2, Interesting

      I'd expect higher level managerial types to be just as likely as the average Joe on the street really. There's nothing technically special about managers. Heck, my wife has been just as close to falling for a phishing scam. Maybe he has a Post-it note on his monitor too. The one that says "Don't click on links in e-mails!" :)

      [John]

      --
      Shit better not happen!
  6. Jurisdiction by TwistedGreen · · Score: 5, Funny

    Shouldn't this have been handled by the Department of Phisheries?

    1. Re:Jurisdiction by Bigbutt · · Score: 3, Informative

      I thought it was The Department of Phish and Game.

      [John]

      --
      Shit better not happen!
    2. Re:Jurisdiction by morgan_greywolf · · Score: 2, Funny

      There are so many Government agencies that regulate shit

      No, I think that would be your local government/water utility.

  7. Operation code name by Danathar · · Score: 2, Funny

    I think Fried Phish would have been better.

  8. Hope those 'BOA' Phishes I forwarded helped by david.emery · · Score: 2, Interesting

    I was pretty religious about forwarding all the phishing emails I got purporting to be from Bank of America to BOA's fraud line.

    Lately I'm getting swamped by IRS phishes "notice of underreported income" (perhaps 100 of them so far), that I've been sending to the phishing mailbox at irs.gov. Hopefully that'll help close that particular scheme.

    How about capital punishment for widespread internet fraud???

    1. Re:Hope those 'BOA' Phishes I forwarded helped by Java+Pimp · · Score: 2, Funny

      Lately I'm getting swamped by IRS phishes "notice of underreported income" (perhaps 100 of them so far), that I've been sending to the phishing mailbox at irs.gov.

      Wait... those aren't Phishes... I was doing the same thing for a while... then the IRS just started showing up at my house in person. They didn't buy it when I tried telling them I thought someone was trying to scam me... Bad times those were... Bad times...

      --
      Ascalante: Your bride is over 3,000 years old.
      Kull: She told me she was 19!
  9. Codename by MBGMorden · · Score: 4, Funny

    I swear I would have never believed that the FBI had it in them to pick a name as cool sounding as "Operation Phish Phry".

    --
    "People who think they know everything are very annoying to those of us who do."-Mark Twain
  10. Start charging by m0s3m8n · · Score: 2, Insightful

    This is not a popular idea and most say it is a fail, but we need to start charging for each email sent, not much, but enough so that zombie box owners will wake up when their next monthly bill arrives. But the email charge must be ultimately paid by the ISPs who are the actual gateways onto the net. This way they too have an incentive to stop the flow of spam. And since the ISP must pay or be disconnected, third-world spam would dry up too. Use the money generated for backbone maintenance/improvement. Flame on.

    --
    Conservative, mod down for violating /. political norms.
  11. Classic boss scenario by thijsh · · Score: 2, Insightful

    Have you learned nothing at your work? The FBI was 'on the case' since 2007, probably outsourced the real work to some poor suckers in IT and just sat on their asses for two years. Until Mueller gave them an angry call why he was still being phished while they were 'fixing the problem'. From that moment they had to produce results fast to please the boss... they probably just arrested the first guys on the watch list compiled in 2007.

  12. Problem with this business model is... by hesaigo999ca · · Score: 2, Interesting

    They let this go on, because they think the cost of ruining a few lives is ok, as long as in the end they make their bust and all is ok in coptown. Problem is, real-time transactions are happening while they study the case, and letting 1.5 million slip through in order to follow the trace back to the top. Like a guy holding a camera while someone is being mugged by a lynch mob and doing nothing, should there not also be consequences especially when FEDS (of all people) let something like this happen, when they have the power to stop it in its tracks... instead of letting it go on, and on, how long was this case going on for...?

    Hard decisions, but sometimes the ends do not justify the means.
    I had a ticket once for running through a stop sign, although it was covered almost 100% behind a tree, as I mentioned this to the cop, they told me to just say that in court as they knew many people would run through, instead of just telling the city to fix the problem....however I felt very frustrated, should there have been a kid playing nearby and I had not seen the sign, I would have maybe run him over by accident, then the cop would have been responsible for his life being lost, because instead of directing traffic (like when an intersection is burned out) they were using the hidden stop sign to generate revenue....very depressing!