Fishing for Phishers
mleachpdx writes "This blog entry probes into the details of an online banking phishing scam and suggests some fraud deterrence and detection measures."
Or.... (Score:5, Informative)
Or they just used the Spiderzilla extension for Firefox and downloaded the entire site. Wow, that scammer went to a lot of work. I have gotten these scams before though, and it is no laughing matter that they go to a lot of trouble to look legit. And I bet the estimate of 15% of people who fall for it listed in the article is actually a little low.
They don't know who you are (Score:5, Informative)
It's just a blanket 'attack'. Email is cheap, and they're not trying to be smart because they don't need to be.
Simon
check out antiphishing.org (Score:5, Informative)
ROI (Score:5, Informative)
Re:How to annoy phishers (Score:3, Informative)
Looks like it's already in action
http://www.antiphishing.org/ [antiphishing.org]
I Have Not Seen My Bank's Name in Phishing Scams (Score:3, Informative)
I have not gotten one email from that bank (either a legitimate email or a phishing scam with that bank's name or a fake URL).
That bank does have my email address.
I have gotten phishing scams that have eBay in them (I do have an eBay account). I have also gotten phishing scams with the names of other banks in my area.
I think they go by geographical data for banks. For eBay, it's no problem. They can scan eBay's pages and get sellers' eBay account names with no problem.
Re:The worst ones are... (Score:4, Informative)
I would add: Often the employees of the company don't have access to the password because it is encrypted on their end. But the institution can change or reset your password without knowing the old password. This is usually preceded by a manual check performed by customer service over the phone to ensure you are really you. They might also ask you to come into the bank and provide ID.
Re:Transfers are between your own accounts. (Score:4, Informative)
Of the four banks with which I have bank accounts, all allow me to make payments to anyone else whose account details I know. I can also make SWIFT [swift.com] (i.e. international) transfers to any account worldwide, by providing branch SWIFT code and account number.
Re:How to annoy phishers (Score:4, Informative)
1) Generate fake credit card numbers that pass as "valid"
They're probably doing something trivial with Luhn numbers. [webopedia.com] Trivial to implement, trivial to spoof. Generating apparently valid but fraudulent card numbers is known as carding. [creditcardco.co.uk]
2) Do this, and be certain that no-one actually owns that particular number, and if so, still not get into trouble?
Trouble with whom? The scammers? If you aren't using the number to commit fraud, I wouldn't worry. We want to get the phishers in trouble!
Re:fake credit card numbers (Score:3, Informative)
Easy: Business::CreditCard - Validate/generate credit card checksums/names [cpan.org].
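The Luhn check mentioned two comments up (and the "validate" half of Business::CreditCard) is shown here from the receiving side, as an added example that is not code from the thread or from that module. It illustrates why "passes as valid" means only that the mod-10 checksum holds: a checksum catches typos, not forged numbers, and it does not even catch every transposition. All sample numbers are constructed for illustration.

```python
# Added example (not from the thread): a Luhn (mod 10) checksum validator of
# the kind Business::CreditCard implements, used here to triage submitted
# numbers. Sample numbers below are constructed and are not real accounts.

def luhn_valid(number: str) -> bool:
    """Return True if the digit string satisfies the Luhn checksum.

    Spaces and dashes are ignored as separators; any other non-digit
    character, or an empty string, makes the input invalid.
    """
    digits = [c for c in number if c not in " -"]
    if not digits or not all(c.isdigit() for c in digits):
        return False
    total = 0
    # Walk from the rightmost digit: every second digit is doubled, and a
    # two-digit product is folded back to one digit by subtracting 9.
    for i, c in enumerate(reversed(digits)):
        d = int(c)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Constructed samples: a well-known Luhn-valid test number, the same number
# with one digit changed (caught), and a pair differing only by an adjacent
# "09" <-> "90" swap, which Luhn cannot distinguish (both pass).
VALID_SAMPLE = "4111 1111 1111 1111"
TYPO_SAMPLE = "4111 1111 1111 1112"
TRANSPOSED_PAIR = ("4111111111110915", "4111111111119015")


def luhn_report(numbers):
    """Map each submitted string to its Luhn result, e.g. to flag junk input."""
    return {n: luhn_valid(n) for n in numbers}


if __name__ == "__main__":
    samples = [VALID_SAMPLE, TYPO_SAMPLE, *TRANSPOSED_PAIR]
    for n, ok in luhn_report(samples).items():
        print(f"{n}: {'passes' if ok else 'fails'} Luhn")
```

A number that passes this check still needs to be matched against an actual account before it proves anything; Luhn alone is a typo filter, which is exactly why fake numbers that satisfy it are trivial to produce.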
Re:Why is it so hard to catch these criminals? (Score:2, Informative)
Re:How to annoy phishers (Score:3, Informative)
A lot of times, you can send a URL-encoded request (GET request) to fill in bogus data from the address line. I've happily sent random values to these seedy servers with a small bash script using lynx.
I suggested that one or more popular websites add a new 'banner ad' whose image location is a properly formed URL to submit a random value to a known phishing server. As people come by the site, a new request is sent to the phishing server on their behalf and floods the phishing server with bogus data coming from many locations. Of course, you may get a red X in the banner image, but who cares. Maybe make it a user-optional response. The banner ad could read "Fight Internet Scams, Click here to vote."
Until such a time, I usually have fun overloading the form fields with typographic or unprintable characters well over the string length coded in the form. Hopefully, I cause havoc with their databases when I do that.