
Fishing for Phishers (152 comments)

mleachpdx writes "This blog entry probes into the details of an online banking phishing scam and suggests some fraud deterrence and detection measures."
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward on Sunday November 07, 2004 @11:37AM (#10746453)
    When you sign up, the bank asks you for your 'personalised code', and that will be displayed in every email you receive from the bank.

    If you don't see that code in your email, or it's wrong, you know it's fraudulent.
  • by clodney ( 778910 ) on Sunday November 07, 2004 @11:38AM (#10746455)
    The FA didn't give any reason for why he thought the phish was targeted at him. Without an explanation, I'm sceptical that it was targeted in any way. I get phishing mails all the time - most commonly aimed at Citibank or Paypal, neither of which I do business with. I don't know why the phisher would bother to target them. Seems like more effort than it is worth.
  • Customer details (Score:5, Interesting)

    by metlin ( 258108 ) * on Sunday November 07, 2004 @11:38AM (#10746456) Journal
    Limit access to customer records. This is pretty much standard practice in the banking industry anyway, but I found it eerie that my phisher knew what institution I did banking with. How did they know this?

    Well, I've received several of these mails, but I do not really think they go by any kinda cue -- I've received mails from various banks from around the US, so I think these guys randomly see where you are, make a wild guess at the likely bank and send you one.

    For instance, several students at GTech (where I study) have their bank accounts in a certain bank (which we shall call W) -- and a lot of these scams are directed at GT students pretending to be from W.

    However, that said -- I'd not be surprised if they actually did some dumpster diving and found out these kinda details. Spooky, man.
  • by DrXym ( 126579 ) on Sunday November 07, 2004 @11:41AM (#10746462)
    Drown them in noise. Every time you get one of these emails, visit the site and enter bogus information. That's what I do. It might not be enough to get the scumbags caught but it must certainly be an annoyance to them. And who knows, a few bogus logins might be enough to get alarm bells ringing at the bank.

    I reckon banks could do something similar too. Create some honeypot accounts, and track how the criminals attempt to access it. I'm sure they could play a few tricks with a seemingly big fat balance that could make the criminals reveal their hand.

  • Receiving too (Score:4, Interesting)

    by gmuslera ( 3436 ) on Sunday November 07, 2004 @11:44AM (#10746477) Homepage Journal
    In a mailing list I administer, and at my own personal address (time to test the new "report phishing" Gmail feature), I received today what could be the same message, but the IP it pointed to resolved as ipvpn101156.netvigator.com (doesn't look like it is in Zimbabwe) port 38, which looked like a Windows 2000/XP machine with too many open ports.

    Probably that message is sent from hacked/owned/unpatched Windows machines that send the entered info to the real criminal. I suppose that to really know who he is, those "infected" machines would have to be hacked back, or the provider of that internet connection would have to contact/give the address of the owner, and check the programs there.

  • Is it that simple? (Score:5, Interesting)

    by Sarin ( 112173 ) on Sunday November 07, 2004 @11:45AM (#10746480) Homepage Journal
    I still don't understand, do these banks just give their customers a login/password for their account?

    The bank I use gave me a little authentication device which combined with my bank card, my personal code and a random code provided by the bank site can generate digital signatures. In order to login and in order to make all transactions final I must provide the right code.
    I've been using this system for about 10 years now. If those exploitable banks still use normal password protection, it's their fault they're exploited this way and there's no way customers should be responsible for it.
  • by LiquidCoooled ( 634315 ) on Sunday November 07, 2004 @11:48AM (#10746494) Homepage Journal
    I posted a comment a few days ago regarding how my bank secures online access.

    The gist of it is a longer code that I arrange with them in person, and when I go online with them, they ask for random portions of that code.

    I would have to be scammed multiple times before anyone had access to my banking.

    The comment is here: http://slashdot.org/comments.pl?sid=128336&cid=10716472 [slashdot.org]
  • by LiquidCoooled ( 634315 ) on Sunday November 07, 2004 @11:52AM (#10746509) Homepage Journal
    Username "PHISHINGSCAM"
    Password "QUICKGETEM"
    Name "CALL SECURITY"
    DOB "01/01/1337"

    This would be cool to try.
    But tbh, I reckon they would just take the list and try those that look legit.

    What we could do is simply forward any phishing scam mails to a central phishing clearing house.
    The banks could fund a small team to handle collective online fraud.
  • by daperdan ( 446613 ) * on Sunday November 07, 2004 @11:57AM (#10746527)
    I work for a company that attempts to protect its customers from this kind of fraud. We monitor domain registrations to locate potential phishing scams. It's interesting to see that it's not only banks that are hit with this kind of scam. These guys will set up an entire shopping cart taking credit cards that mimics an online store like Dell. It's a pretty interesting scam that only seems to be gaining popularity.

    It's not a major concern in the 3rd world so these guys have no reason to stop. We've seen scams like this based out of Russia, Brazil, China, and several African countries. It will be interesting to see how this all pans out.
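
Added example, not part of the comment above and not the poster's or their company's code: one way a registration-monitoring check could flag look-alike names. The watch-list uses the brands named in this thread; the allow-list, folding table, length threshold and the sample feed (reserved .example names) are assumptions constructed for illustration.

```python
# Watch-list: brands named in this thread. The rest is assumed for illustration.
BRANDS = ["paypal", "citibank", "dell"]
OFFICIAL = {"paypal.com", "citibank.com", "dell.com"}  # assumed allow-list
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})  # digit look-alikes

# Constructed feed of newly registered names (reserved .example TLD).
FEED = ["paypa1-security.example", "citibannk.example", "accountpaypal.example",
        "dell-outlet.example", "modelling.example", "paypal.com"]


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, official=OFFICIAL):
    """Return (brand, reason) if the name imitates a watched brand, else None."""
    domain = domain.lower().rstrip(".")
    if domain in official:
        return None
    for label in domain.split(".")[:-1]:  # every label except the TLD
        tokens = [t.translate(FOLD) for t in label.split("-") if t]
        joined = "".join(tokens)
        for brand in BRANDS:
            if brand in tokens:
                return brand, "brand as a hyphen-separated token"
            # Short brands ("dell") match too many ordinary words, so the
            # fuzzier rules apply only to brands of six letters or more.
            if len(brand) < 6:
                continue
            if brand in joined:
                return brand, "brand embedded in the label"
            if any(edit_distance(t, brand) == 1 for t in tokens):
                return brand, "one edit away from the brand"
    return None


def scan(feed):
    """Map each suspicious name in the feed to its (brand, reason)."""
    return {d: hit for d in feed if (hit := classify(d)) is not None}
```
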
  • by Anonymous Coward on Sunday November 07, 2004 @11:58AM (#10746533)
    In order for them to get their ill gotten gains, they have to eventually withdraw some money from somewhere. It seems it would be trivial for INTERPOL or some other agency to set up a bunch of bank accounts with a few thousand dollars/euros in them and then start responding to all the phishers. Then just follow the money to the crooks. What's the big deal? Is there just no will to do this or am I missing something?

    Cheers,
  • by DrXym ( 126579 ) on Sunday November 07, 2004 @12:02PM (#10746545)
    In other words, make them look legit. Enter a well-formed but bogus account / credit number, valid sort codes, expiry dates, names, PINs, memorable dates etc. If you have an account with the target bank you could even ensure you enter an account number of the correct length and with the same first four digits as your own.

    The only way they have to separate the wheat from the chaff is to actually try them. If they're really stupid, they (or their underlings) may actually get caught when they attempt to withdraw cash or buy something. Now that would be funny.

  • Gmail vs. Phishers (Score:5, Interesting)

    by igrp ( 732252 ) on Sunday November 07, 2004 @12:08PM (#10746558)
    It's definitely becoming more of a "mainstream problem". After all, the whole identity theft problem is perfect Dateline/60 Minutes material.

    Has anyone else noticed that the folks at Gmail have added a "report phishing" feature? When you view a message, click "More Options" and you'll see it.

    Then again, maybe it's been there for some time and I just haven't noticed (it definitely wasn't there when I first got my Gmail account though and it doesn't appear to be listed as a new feature).

  • Slashdot this (Score:5, Interesting)

    by GQuon ( 643387 ) on Sunday November 07, 2004 @12:09PM (#10746568) Journal
    On a related note:
    The lad vampire [aa419.org] needs your help
  • by BobTheLawyer ( 692026 ) on Sunday November 07, 2004 @12:11PM (#10746572)
    Do any real banks send e-mails to customers? As far as I know, no UK bank does.
  • by Sepodati ( 746220 ) on Sunday November 07, 2004 @12:17PM (#10746592) Homepage
    Drown them in noise. Every time you get one of these emails, visit the site and enter bogus information.
    I've always wanted to find a way to automate that. Have a site where you could submit a phishing site, have it analyzed and then feed it a bunch of noise.

    If it's all done from the same computer, smart people could weed out the noise by IP address, so you'd have to account for that somehow, too.

    Once you make enough noise in the system, scams like this do not remain economical, I would think.

    ---John Holmes...
  • by fbjon ( 692006 ) on Sunday November 07, 2004 @03:04PM (#10747680) Homepage Journal
    Good point, but suppose this happens:

    Your DNS, or the DNS for your area, is hijacked, and everybody who uses that DNS is called up and told to log on to their bank in order to do something important?

    Second solution is:
    One-time passwords. I have a long list of login passwords and confirmation passwords, and a numerical customer ID known only to me. When they start running low, I can easily get a new one (mailed to me). So what if I happen to log in to some fake site? The worst that can happen is that I waste some time and a little bandwidth, since they can't do anything with only one part out of three (the ID), and anything I do with the fake stuff won't happen anyway. Besides, I'd be mighty suspicious if the balance of the account(s) isn't correct, since that is what I see the moment I log in.
  • by gl4ss ( 559668 ) on Sunday November 07, 2004 @03:42PM (#10747914) Homepage Journal
    the way it's been done here for almost a decade is this.. you have a login and a password (which happen to be numbers) which you use to 'get in'.

    then to do any transactions, to open any accounts, to apply for a loan or just about anything other than just checking how much cash you have, the system asks for a number from a list of one-time passcodes they've sent to you through regular mail (basically "enter the number pair for the number 4323 on your number card").

    the card with the one-time-use passcodes is a plastic credit card shaped one, too. easy to have in the wallet, but totally useless without the other codes needed to get into the site.

  • by fbjon ( 692006 ) on Sunday November 07, 2004 @04:02PM (#10748033) Homepage Journal
    Sure, I'd say that's good enough, but someone could still check your account balance whenever he wants. (I'm assuming the login thing never changes) In my case, you need the one-time pass even before that, and the paper they come on can be folded and put in the wallet too :). After doing your business, you confirm with a pass from a second list, that you can store separately if you want.. you could for example do all money transfers from one location, and then confirm everything from another computer/city/country entirely. I don't know if knowing the balance is a significant risk of anything though..
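
Added example, not from any poster or bank: server-side handling of the numbered one-time code card described in the comments above (fbjon's one-time password lists and gl4ss's "enter the number pair for the number 4323" card). The class name, code lengths and the three-failure lockout are assumptions.

```python
import hashlib
import hmac
import secrets


class OneTimeCodeCard:
    """Server-side state for one customer's mailed card of single-use codes."""
    MAX_FAILURES = 3  # assumed lockout threshold

    def __init__(self, size=20):
        self._key = secrets.token_bytes(32)  # per-card MAC key, never leaves the server
        self._digests = {}    # challenge number -> MAC of its code
        self._pending = None  # challenge currently awaiting an answer
        self._failures = 0
        self.printed = {}     # plaintext for the mailed card; kept here only for the demo
        while len(self.printed) < size:
            challenge = f"{secrets.randbelow(10000):04d}"
            code = f"{secrets.randbelow(1000000):06d}"
            self.printed[challenge] = code
            self._digests[challenge] = self._mac(challenge, code)

    def _mac(self, challenge, code):
        msg = f"{challenge}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def remaining(self):
        return len(self._digests)

    def next_challenge(self):
        # Hold the same challenge until it is answered correctly, so reloading
        # cannot be used to obtain a challenge whose code was already phished.
        if self._pending is None and self._digests:
            self._pending = secrets.choice(sorted(self._digests))
        return self._pending

    def verify(self, challenge, code):
        if self._failures >= self.MAX_FAILURES:
            return False  # locked until reset out of band
        expected = self._digests.get(challenge)
        ok = (expected is not None and challenge == self._pending
              and hmac.compare_digest(expected, self._mac(challenge, code)))
        if not ok:
            self._failures += 1
            return False
        del self._digests[challenge]  # burn the code: each one works once
        self._pending = None
        self._failures = 0
        return True
```

A code captured by a fake site is only useful for the one challenge it answers, and only until the real customer or the lockout uses it up.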
