A Tour of the Google Blacklist

WienerPizza writes "Michael Sutton takes us on a tour of the Google blacklist, a list of suspected phishing sites. He finds that eBay, PayPal and Bank of America combined account for 63% of the active phishing sites. Amusingly, he also reveals that Yahoo! has a nasty habit of hosting phishing sites that harvest — you guessed it — Yahoo! credentials!"

But it's not a problem

Try telling Ebay or Paypal that there's a problem. All they do is flood you with propaganda about how they're keeping you safe.

After a bad experience I closed my Paypal account and only use Ebay for small purchases.

Re:But it's not a problem

PayPal is annoying.I can't start a new account with them because I never verified my old account which was connected to a bank account I no longer have. Not that I really want to, I wouldn't trust those guys any further than I could throw them.

Re:But it's not a problem

Or define [zug.com] the type of scam you're trying to report. (Scroll down, it's in black, indented courier.)

Good Experience with Paypal

Am I the only one that has had a good experience with Paypal? I mean, yah normal banks can handle a deposited check, but they also charge a monthly fee. Paypal OTOH cuts me a check for *interest*, and that is ontop of the 1.5% cash back they offer. I can sell junk on EBay, and take my PayPal card right to the liquor store. That's the best banking scenario I can imagine!

Re:Good Experience with Paypal

Most banks require a minimum balance before they waive the monthly service fee.
In my experience, it's just a matter of finding the right bank that has a relationship with someone you also have a relationship with. I get offers for free checking (no minimum balance requirements) through my alumni associations (undergrad and graduate), my wife's employer, my employer, even through the fact that my father-in-law is retired military. Dun Malg also said:

This is one of the many ways they soak the poor.
I don't really think that is a fair portrayal of the situation. Banks charge fees for accounts that don't keep high balances because they don't make money on them. Banks are not charitable organizations, they are in business to make money.

Excellent advice on how to locate the "free checking" offers. I have a couple of additional tips:
1) Direct deposit. If your paycheck goes directly to your financial institution, you may be eligible for free checking.
2) Skip the "bank" and check-out a local credit union. As the parent poster said about banks, "they are in business to make money". While banks treat their customers like cattle that can be slowly tapped for blood [wonderclub.com], credit unions treat their customers like...people. I haven't had an account at a "bank" for fifteen years. I am a very happy credit union member.

Question do Sys Admins

Do any of you guys actively block IPs and IP blocks of phishing sites? And also those "fake domains" which just have search results? If so, how is that working out?

Re:Question do Sys Admins

OpenDNS will do phishing detection for you. Not only that, it'll correct common typos and speedup name resolution on your entire network. Oh yeah, it's also free, but it won't block those annoying fake search pages.

http://opendns.com/ [opendns.com]

Re:Question do Sys Admins

Yeah, because DNS is something that you should obviously trust a single company about!

Who need that old DNS system with the robust infrastructure, when we can have ads pushed on us for every domain we mistype and alongside our search results!

Someone call Verisign and tell them to fire sitefinder back up, these guys need some competition!

Re:Question do Sys Admins

opendns is a copycat of the verisign adware dns trick... it's hoping to achieve success by relying on the many ISPs who are clueless when it comes to running effective dns resolvers.

So...

That guy on eBay who told me to use my Bank of America account to send money to Paypal all through his link may not have been legit?

Re:So...

You know that guy too? Don't worry, I'm pretty sure he's legit. I just used his service to order some chemicals to clean the dye off of a suitcase full of money I'm splitting with an exiled doctor from Nigeria. Can you believe it? This doctor contacted me right out of the blue, and all I needed was a U.S. bank account and a sympathetic heart. And, except for the chemicals, this is all at no cost to me! I can't believe such a great proposition initially got filtered to my spam folder!

The list still isnt big enough

I still get phishing emails and see sites every week. It will be a glorious day when phishing sites and emails can be shutdown within seconds of being setup. This has the downside, that if google can do it with phishing. What if the government forces them to do it with something like pr0n? or build a p2p blacklist?

This one made me cry a little inside

Here is one of the last entries on the Google blacklist:

+http://zeta-os.com/astats/bankofamerica/......... ..

For those not in the know, Zeta-os.com is/was the successor developer to YellowTab, which was developing a new operating system based on the old BeOS code. Now, zeta-os.com (or at least a part of it) has been reduced to a phishing site. *sigh*

Re:This one made me cry a little inside

I just loaded http://zeta-os.com/astats/bankofamerica/ [zeta-os.com] on Firefox 2.0.0.1 using Firefox's built-in phishing detector using Google to provide the blacklist ["Check by asking Google about each site I visit" option]. It loaded the site just fine, without any warning.

Re:This one made me cry a little inside

That's because I truncated the full URL. You have to follow the link in the article to get the whole thing.

Oh, and thanks for modding my little emotional episode as funny, you bastards.

Someone should start an "anti-spam"...

...that blasts people with security information/education.

Google's not keeping up

Judging by the huge proportion of the blacklisted sites that are offline (and the tiny fraction that are actually phishing sites) it seems Google isn't taking this seriously enough. There is much, much more than 341 phishing sites in the world. This list should be being updated daily, they should start a way for suggesting sites or, if it exists, make it more visible.

For the only external blacklisting organisation on Firefox, and as the provider for possibly the most widely used toolbar ever, they're not taking this seriously enough. But would any security company come in with a better free blacklist?

Re:Google's not keeping up

They don't have to do this at all.

Any way to suggest sites would be gamed and abused. There are thousands of people in the "search engine optimization" "industry" that are total sleeze.

Here is a site that has a lot of IPs

Banned IP Address [glodev.com] - a lot of them are spammers or fake bots that will look around your website and fill your forms in the attempt to spam you or your forums/blog or whatever else you might have

Pollute the phishing sites

Go there and put in false information. Make it harder for them to get valid data.

Re:Pollute the phishing sites

mod parent up!

I do this when I have time... ensure you use what look like valid entries for bank a/c and pin values.

I also enter things like "f**k you spammer" into the name fields, so that when they go through to test the captured data, they get to see my opinion of them (yeah, relatively useless I know, but I get tiny twinge of pleasure at the thought)

Re:Pollute the phishing sites

Well, I wouldn't write "f**k you spammer" or anything like that, it makes your entries distinguishable. If you want to ensure having a correct credit card number (except for the CVV code, bug the phisher couldn't verify those directly anyway), you could use something like this quick dirty hack I wrote up a few months ago to spam a phishing site using simple wget queries. To read up on the format of valid credit card numbers, see for instance this article on the anatomy of credit card numbers [merriampark.com]. The following code worked for me to create numbers that were accepted by a phishing site I spammed:

my $cc = substr("000000" . int(rand(1000000)), -6); # Any format

# Add 9 digits for the account number
$cc .= int(rand(900000000))+100000000;

# Check digit: Luhn Code
my $checknum = 0;
for (my $j = 0; $j < length($cc); $j++) {
my $val = substr($cc, $j, 1);
if ($j % 2 == 0) {
# These will be doubled
my $v = 2*$val;
$v -= 9 if ($v > 9);
$checknum += $v;
} else {
# These will just be added normally
$checknum += $val;
}
}
# The last digit should add up to a multiple of 10
$cc .= ($checknum%10 != 0)?(10-($checknum%10)):'0';

# Output an expiration date (arbitrary, 2007..2015)
my $month = int(rand(12))+1;
my $year = qw(2007 2008 2009 2010 2011 2012 2013 2014 2015)[int(rand(9))];

# Random CVV2 code
my $cvv = substr("000" . int(rand(1000)), -3);

Check out the whitelist

Either Google is really paranoid or they have yet to find a site to put on the whitelist that was linked to.

See for yourself what I mean [google.com] Nothing there.

What?

I tried signing into one of the listed Geocities site and nothing happened... what gives?

You mean to tell me this [geocities.com] is not a legit Yahoo Photos gateway?!

Interesting example for URL redirection

URL Redirection

Another surprising finding was that few of the phishing scams utilized open URL redirectors. This is a known technique whereby phishers identify redirection functionality at a popular website (e.g. Google) and use that functionality to redirect the victim to the targeted phishing site in order to minimize suspicion. Combing through the blacklist did however reveal the following redirection attack using Google AdWords: http://www.google.com/pagead/iclk?sa=l&ai=x&adurl= http://www.spidynamics.com [google.com]

SPI Dynamics is a web application security software development company - not a phisher at all. Perhaps that example was used by them as a proof-of-concept and Google wasn't a big fan of that vulnerability being known?

Good help for fishing actually ...

from: a post on full-disclosure [derkeiler.com]:

I just played around a bit with those lists and as it seems,
Google did a splendid job, even capturing some people's login data.
Like here:
http://sb.google.com/safebrowsing/update?version=g oog-black-url:1:7753 [google.com]

Regards,
J.M.
Professional Lurker

Google have fixed this link now but that was funny, most of the logins/passwords were for gmail accounts...

Biased

This blurb is horribly biased, using ! and "amusingly" and "you guessed it". Google don't own any properties like Geocities, and don't have that problem. Yahoo! have several people weeding out scam stuff all day long.

Google blacklist

At least Google made efforts to weed out these sites. http://www.ituloyangsulong.org/ [ituloyangsulong.org]

BOA came in right now!

Date: Fri, 05 Jan 2007 12:44:23 +0000
From: Bank of America
Subject: Secure SSL server update

[-- text/html is unsupported (use 'v' to view this part) --]

(a) Known for years and (b) not just Yahoo

A. This problem has been discussed in depth on various
anti-spam mailng lists and newsgroups for many years.
This long-standing problem has been steadfastly ignored
by Yahoo, who went so far as to dismiss the key people
on their own abuse staff when they tried to address it.

As a consequence, it's now a better-than-even bet
that any site hosted by Yahoo belongs to a spammer,
phisher, spyware injector, child pornographer, scammer
or other lowlife. My own meager list of Yahoo-hosted
dropboxes for such stands at 26,831 this morning and
those are just the ones that brought themselves to
my attention, i.e. I'm passively noting them and not
actively searching them out.

As a result, Yahoo is one of the biggest spam-sending
and spam-supporting operations on the entire Internet.
(Oh, and Geocities is now completely infested. Rejecting
all inbound mail [except anti-spam discussions] that contains
a Geocities URL is a surprising effective tactic.)

B. They're not alone. For instance, MSN BCentral should
be renamed MSN SpamCentral -- it's just as bad. And Hotmail
cheerfully hosts spammer dropboxes by the tens of thousands.

There are others, but what makes these two particularly
annoying is that they make a public show of being anti-spam
by promoting snake-oil like SenderID and DomainKeys, both
of which are worthless. (If it isn't obvious why, then think
about the hundreds of millions of zombies -- hijacked Windows
systems -- out there and consider that their new masters
have possession of all email credentials belonging to their
former owners -- from POP passwords to PGP keys. It is not
possible to solve the forgery problem -- for any useful
definition of "solve" -- without solving this problem first.
Good luck. This same thing applies to SPF and variants, by
the way, all of which are complete failures.)

Another thing that distinguishes them is the absolutely
irresponsible, totally clueless way in which abuse reports
are handled. Most seem to disappear into black holes. The
majority of the rest are returned with semi-literate denials
that the abuse has any connection with their operation -- even
when their own IP address are clearly the source. If you'd
like to browse a huge number of examples of this, go to
Usenet's news.admin.net-abuse.email and search for
"Yahoo clueless" or "Hotmail clueless". Make coffee first.

The bottom line is that both of these services are huge abuse
magnets and have been for years, so I find it curious that
yet another report of the same old thing is deemed noteworthy.

ReGoogle ReSearch

How does Google monitor these sites for content updates to update the Google index? Does Google offer the public (or private subscribers) a way to register a website or URL to be polled ongoing? Notification that it's changed? Web services offering "uptime" monitors seem to do this, as does apparently Google News. Can mere mortals access the feature?

www.microsoft.com, www.msn.com ...

Hmm, looks suspicious to me.

yahoo phishing site

i went to mail.yahoo.com and they asked my name and password. i am smart and i fooled them by giving my gmail password.

Linking to original site

"The pages are generally exact replicas of the original web page and generally pull graphics (*.jpg, *.gif, etc.) from the legitimate web site."

The owners of the original sites should regularly rename the real image files, and replace the old files with images that would help inform the potential victim that they were on a scam site.

Next step is that the phishers no longer link to the image files, but copy them instead ... but this gives the real site owner another legal tool (copyright infringement) to shut down the phishing site plus a clear legal path to extract money from the phisher.

Mod Papa Funny

It made my ass laugh at 6am.