"Phishing" Attacks to Increase 358
neutron_p writes "The number of people who succumb to identity thieves' "phishing" e-mails could go way up if immediate action isn't taken to preempt the next generation of attacks, according to an Indiana University School of Informatics researcher. "Phishing" e-mails appear to be sent by legitimate businesses, but are actually created and distributed by villains who are after your personal information. They describe some thieves' tricks. One kind of context-aware attack tricks eBay bidders into giving out identifying information by leading bidders to believe they've won an auction. In another kind of context-aware attack, a potential victim might receive a message from a known person -- for example, a friend or loved one - asking him or her to go to a Web site to update banking information."
Moving right along (Score:5, Interesting)
But off-topic, did anyone else notice the "Further Reading" section below the article?
- The Elements of Style, Fourth Edition by Roger Angell
- The Art of Innovation : Lessons in Creativity from IDEO, America's Leading Design Firm by by Tom Peters
- Reporting Technical Information by Thomas E. Pearsall
- Optical Illusions : Lucent and the Crash of Telecom by Lisa Endlich
- National Electrical Code 2002 Handbook
The dead tree compilation of HOWTO: PHISH (except for maybe the last one). Ha!Re:Moving right along (Score:3, Insightful)
No, it's all about a new class of "context aware" attacks which the author believes will have a much higher rate of success than the current ones (50% versus an estimated 3% now). You can disagree with the author's conclusions, but the article is at least talking about something I hadn't heard of before.
first post? (Score:3, Informative)
fixed link (Score:2, Informative)
here [slashdot.org]
oh, and btw, how the hell is my post offtopic???
In Other News... (Score:5, Funny)
One nice new thing in Firefox (Score:5, Insightful)
Phishing is just conmen moving to the internet. They use similar tricks in the real world, just on a smaller audience. Here in the DC area there are several police imposters running around, some of them tricking people into withdrawing all the money from their bank (it's counterfeit!!!) and others actually using flashing lights to pull over people on the road.
Re:One nice new thing in Firefox (Score:5, Insightful)
I'm sorry, but just because the site uses SSL doesn't mean they are who you think they are.
Re:One nice new thing in Firefox (Score:5, Funny)
Re:One nice new thing in Firefox (Score:3, Informative)
Re:One nice new thing in Firefox (Score:5, Insightful)
There was a Phishing test posted here on Slashdot a while back. One of the trickiest examples used a hostname/username/password in the URL. The regular user wouldn't know what that was - essentially, you're passing a username to the server along the lines of "www.hotmail.com" but the actual domain (which follows that username) is "www.youhavebeenowned.com"
As another poster pointed out - citybank.com, citi-bank.com, citibanque.com, citibank.phishing.com, etc. are enough to trick a lot of people.
Re:One nice new thing in Firefox (Score:3, Informative)
Yep. story (IT subdomain removed to preserve eyes) [slashdot.org]
test [n15th.com]
Enjoy.
Re:One nice new thing in Firefox (Score:5, Insightful)
It's hard enough telling grandma that www.examplebank.com is different from www.example-bank.com for phishing scams. It's only harder when the banks themselves are spreading confusion.
Re:One nice new thing in Firefox (Score:5, Insightful)
Re:One nice new thing in Firefox (Score:5, Insightful)
Its still easy to misread "www.capital-one.com" as the place where you do banking.
Re:One nice new thing in Firefox (Score:3, Insightful)
Would it?
Just use a stolen credit card or a credit card with fake id and a fake address. All it needs it to be up for a few weeks. Done.
That is useful for sure, HOWEVER... (Score:4, Informative)
Paypal was one of the earliest business victims of phishing scams, which were successful becasue of the unfortunate last character in the name. The scammers registered paypai.com (shown in the url as paypaI.com) and paypa1.com (number one at the end) and set up convincing, secure sites to scam people.
I applaud the Mozilla people for giving users the tools to help spot scams, but people still have to use their heads.
Re:One nice new thing in Firefox (Score:3, Insightful)
Re:One nice new thing in Firefox (Score:5, Insightful)
I disagree. We aren't dealing with fools here, we discussing people who have been ripped off.
Crime victims are not fools because they have been defrauded by technologically-advanced shitpeople.
If there are any 'fools' here it is us. For assuming that we could unleash cool advanced new technology like internet commerce onto the general public without our having built-in safeguards against the criminal element who would use this new technology to prey on people. People who trusted us and our technology.
We should be the ones who take responsibility to ensure that the criminals who use our technology to steal and defraud are punished. We can't rely on the established law-enforcement authorities since they are far too busy dealing with all the 12-year-old file-sharers, pot smokers, and grandmas trying to board airplanes with plastic forks.
We created the technology that created the problem. We can't deal with the problem by just calling people 'fools' as a result of their using the technology that we told them would improve their lives.
Just once I'd like the see the sun come up in the West over the Golden Gate Bridge. Just once I'd like to read mature and ethical comments from Slashdot posters.
Quick & Dirty Hack ... (Score:5, Funny)
Give anyone who falls for one a Darwin award.
Humans... (Score:5, Insightful)
Phishing is just technology-enabled social engineering.
Re:Humans... (Score:4, Interesting)
I set up a website testing app full of profanity and point it at the "webform" these losers try and scam people with and fill their database.
I let it run until it start's erroring out because it has been taken down.
Re:Humans... (Score:3, Insightful)
Better yet, program it to fill in plausable data and let the bastards spend all their time trying to use bogus user info.
Or perhaps the solution is to send out a bunch of phishing emails and point them to a website that educates users: "You just gave your banking info to an unknown party. Had this been a real scam, you would be broke now."
Re:Humans... (Score:5, Interesting)
I mean, there will be scam artists as long as people are uninformed enough to fall for a scam. Doesn't every single site that you give sensitive information to WARN you that they will never ask you for that information?
I remember the first time I ever logged in to AOL, someone named "SS Rupert" IM-ed me telling me that my credit card number was lost in the last transmission and I needed to re-send it. This is immediately after the old AOL screen that says "We will never ask you for your password or credit card information". I laughed at his IM and asked him how many people fell for that? He told me that he just hung around the "newbie chat" or wherever it was that AOL dumped new users at the time and that he gets about 10 to 15 PER CENT of people to send him one or the other without even questioning him.
I almost completely agree that if you're dumb enough to fall for the scam, you deserve it.
Re:Humans... (Score:5, Insightful)
Most slashdot readers are smart enough to avoid this type of scam, so it's easy to say "these scams don't affect me." Them problem is, they do. Increased success of scams leads to increased fees and holdbacks for credit card transactions, increased retail prices, increased costs for investigations, increased costs for prevention and decreased productivity. These are all small hidden costs but they add up. Maximizing prevetion has real economic benefits for everyone. Sympathizing with the criminals only hurts lawful consumers.
Re:Humans... (Score:3, Interesting)
Give Master Card or VISA a completed investigation with the suspect's names, a written confession, an itemized list of goods purchased with stolen credit cards, videotapes of the suspects and THEY STILL WON'T PROSECUTE. They don't give a flying fuck because they can write it off and then pass the screwing on to you the customer. My department almost re-wrote their evidence rules because they were almost categorized as "victimless crimes" (the cc compan
Re:Humans... (Score:5, Insightful)
That's unenforceable because it's impossible to prove that any particular illegal use of my credit card number was the (direct or indirect) result of my giving the number to the wrong person. Besides, that liability clause is a selling point for credit cards. No one would choose a card that held them liable for unauthorized charges.
Re:Humans... (Score:3, Interesting)
Bottom-line, if it were all under your control, then you might reasonably want to assume responsability for it. But this is not the case - and all you need is for one of the points of failure to give in. Are you willing to risk it?
Re:Humans... (Score:4, Insightful)
Internet is in more than one way a mirror of real life society. As long as there are people naive enough to disclose personal information, or lend money to people who'll never give it back, there will be people who do these kind of scams. The internet is not the place crooks are born, real life is. People seem to forget about that and mention internet as the source of all evil.
I don't really share that opinion. Yes, people are too trusting far too often, but that doesn't mean that they earn getting ripped off.
The thing is that while now we may say "Oh, it's just some idiot who gave out his VISA number to a lot of scammers", who knows maybe we'll be the fools of the generation of scammers to come. I'd rather not have someone say "People who are too dumb deserve to scammed" then.
Re:Humans... (Score:5, Insightful)
I almost completely agree that if you're not strong enough to defend yourself, you deserved to get your ass kicked by that big linebacker guy.
We have this thing called a 'society' around us -- it works best if we HELP LOOK OUT FOR THOSE PEOPLE WHO HAVE TROUBLE LOOKING OUT FOR THEMSELVES.
--Jeremy
Re:Humans... (Score:5, Interesting)
My parents call me if they get something like this. My sister calls me. Now, the calls have been getting fewer and fewer since I've been subtly educating them on how to recognize such things. Plus, I've always told them, even if it's me asking you for information in an e-mail, call the person who sent it first. Call Earthlink. Call your bank. Call me if it looks like it came from me. Remember that all of these people should already know the information they are supposedly requesting.
As an aside, kudos to National City Mortgage. Someone published a phishing e-mail, and I got it. First time I looked at it, I said, yeah, phishing. When I looked at it again half an hour later, the banner, which was linked in the e-mail to NCM's website, had "DO NOT REPLY TO THIS E-MAIL! IT IS A SCAM ATEMPTING TO GAIN ACCOUNT NUMBER AND PASSWORD!" overlayed on it. Pretty slick way for NCM to get the word out to everyone who got the e-mail, and not startle people who didn't. Of course, the phishers had to be morons to do something like that.
Re:Humans... (Score:3, Insightful)
Re:Humans... (Score:3, Insightful)
Stupidity isn't the reason why social engineering succeeds, but rather it is rooted in the trust that we all must show towards each other in our daily life: you trust other drivers on the road, the train operator, the cook at the restaurant, and construction workers who built the house you live in, not to be targeting you. Social engineering abuses this trust.
Most computer users have an appallingly crippled understanding of the technology they use to surf the web, write letters, and balance their checkboo
USERS are the problem (Score:5, Insightful)
Re: I would agree with you... but.. (Score:5, Informative)
Really legit.
In fact, the only clue that it wasnt an official notice was the email came from ebay.(official sounding name).com
That and they asked for my l/p, which I know not to give over email.
Honestly, I can say that this goes beyond normal user stupidity. People are being scammed, and these are expert scams. Yeah, people need to apply more critical thinking skills to these things, but I think you are not giving the creators of these emails enough credit.
I mean, they look _really_ official.
So what? (Score:3, Informative)
Re: I would agree with you... but.. (Score:3, Insightful)
Write a script which will go to the size and fill in bogus name/account/credit card info. Let's slashdot the phishers!
In related news... (Score:5, Informative)
"Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information. Learn more"
Like spam detection, it's not perfect, of course, but I think it's a very good idea.
Re:In related news... (Score:3, Interesting)
Re:In related news... (Score:3, Informative)
Jealous (Score:5, Funny)
All starts with real SPAM (Score:5, Insightful)
1.) fleetbank send out some email advertisment
2.) hackers now have a model email to modify
3.) hackers can just redirect some links and resend it to different users.
So to fix this, real companies need to STOP sending out spam.
Well, thats not gonna happen, but... (Score:5, Insightful)
OTOH, I have yet to personally get a phising scam (and I get them every day) that purported to be from a company I actually do business with, with the exception of paypal. And all my credit cards are from big, national companies.
Loved ones wanting bank info? (Score:5, Insightful)
OK, hands up, whose mother has a habit of wanting one to provide bank account info via some web site? I can see the duplicitous falling for the fake 'from your bank' emails, but from friends and loved ones???
And some people want democracy to be MORE direct???
Re:Loved ones wanting bank info? (Score:5, Funny)
Dear son,
Pleaze go to the link below to update yoor bank account infromation. I am not feeeling well these days and I want to make shure that you get yoor inheretence munny as quickly as possible. Thanks!
Love,
Mom
Could be real... might not be (Score:5, Interesting)
That was around 10% of people, adults who should know better, who simply gave up their personal information to nobody they knew, just because they were asked. My friend lost his bet, he thought it would be closer to 30%, but still... send out hundreds of thousands of phish scams and you're guaranteed a good haul.
Somebody teach the legit companies... (Score:5, Insightful)
Re:Somebody teach the legit companies... (Score:5, Insightful)
The thing that scares me is that it could so easily be a more subtle phishing email. It doesn't follow the more obvious method of asking for people to login to verify their details. If it was a scam, this could easily fool even those of us who should know better - those of us who have just crawled out of bed and remembered the phone bill still needs paying. Clicking the link and logging in is so easy, and exactly what a phisher is waiting for.
Re:Somebody teach the legit companies... (Score:4, Insightful)
I realize your question was rhetorical-- there's no way to tell the difference between these "legitimate" off-domain links and phishing attacks based solely on the contents of the message.
What you can do is to call the help number for the company (CapitalOne in the above example) and explain that you received a "suspicious" E-mail and want to verify that it's legitimate. If they get and pay for enough of these calls (sadly, this is unlikely) they might think twice about outsourcing their hosting to another domain.
I get countless dozens of these every week (Score:2, Insightful)
Some of these things look very legit to the untrained eye and some of them are pretty frightening, such as warnings that your account has been abused and that you need to log in to update your security profile or some such nonsense.
I finally got it through to my elderly
Korea (Score:2)
Re:I get countless dozens of these every week (Score:5, Insightful)
It's not North Korea, it's South Korea. The place is full of ridiculously fat broadband connections, and the ISPs don't seem too bothered about what goes on on the networks. Since Koreans aren't any brighter than the rest of us, an awful lot of those broadband connections go to Windows machines which have been 0wnz0red since about 30 seconds after they were first switched on.
And that's before we even consider the mail servers installed in every school in the country, which are wide-open mail relays out of the box. Aaarrrggghhh!
South Korea would be paradise to be in - fat connection and nobody giving a filesystem check what you're doing with it - but the consequences for the rest of the world are becoming a nightmare.
easy algorhythms for thwarting scams (Score:5, Interesting)
It is well known that most spam and phishing e-mails are coming from one of two sets of IP space: China and Korea and related "rogue IP space", and DSL-based zombie proxies. It would not be difficult to use a database or design an algorhythm which could 'flag' e-mail messages as suspicious based on the comparison between the from header information and the SMTP relay.
Users who then received messages could get a color-coded warning when they view the message, i.e.:
"WARNING: This e-mail claims to be from the domain ebay.com but it originated from a system suspected of being located in China - use caution"
Very simple, elegant and helpful solution. Which probably means it would never be adopted.
Re:easy algorhythms for thwarting scams (Score:3, Insightful)
Re:easy algorhythms for thwarting scams (Score:3, Informative)
Re:easy algorhythms for thwarting scams (Score:3, Interesting)
in mail.app i see the email address: eBay@reply3.ebay.com
but when i go and view the raw source i actually it was delivered by:
Received: from mail.wooms.net (unknown [212.124.39.178])
a simple whois wooms.net tells me:
Peter Brueggemann guardian@globe.de
Wooms e.V.
Hammer Strasse 37
Muenster, NRW 48153
DE
+49 2512034762
somehow i doubt that's ebay.
Gmail has started to do something similar (Score:4, Informative)
"Mom" as a phisher (Score:5, Insightful)
Yeah, that's a likely scenario. Your dad or mom writing you all concerned that your bank information needs updating. Has anyone, anywhere, ever had that happen in real life? OK, never mind, I'm sure it has happened to someone, and for sure that person is reading this comment and will respond all indignantly. But you get the point. I cannot believe this approach would be accepted. This is not a typical, 'Hey, check this out' type of email from a relative. It's just a little too strange to work.
Now I have been phished, usually by Citibank-looking emails asking me to click here and update my information. The fact that I don't have a Citibank account was my first clue. The fact that I read /. and know about phishing was my second clue. The fact that I know banks don't operate that way was my third clue. But they are professionally looking emails, until you look closely and find all the typos. But pretending the email comes from Mom?? The first thing I would do is call her up and ask what's going on. And then she could say, "You called, it worked!"
Oh wait, this is a phishing expedition, not from bad guys, but from parents who want more phone calls from their children!
Anti-Phishing Working Group (Score:3, Informative)
Public Awareness == Good (Score:5, Interesting)
419 scams (Score:5, Interesting)
Re:419 scams (Score:2)
Re:419 scams (Score:2)
Re:419 scams (Score:3, Interesting)
Check out http://www.419eater.com/ [419eater.com] for other people's reverse scam and phishing successes.
Re:419 scams (Score:3, Interesting)
Re:419 scams (Score:2)
I gather you have read Sun Tzu then?
Perhaps there should be SF project on doing this...I'd join.
Phish your own users (Score:3, Interesting)
I wonder if anyone has thought about using a similar method to audit their own user base for inexperienced users who might fall for E-mail scams. I.e. send a message from a bogus domain registerred to "CompanyX Email Audits" requesting private data. Anyone who responds gets their account suspended until properly re-verified and a followup E-mail about how to avoid phishing attacks. :)
It might upset a
always a bigger phish (Score:3, Insightful)
Once Virtual Scent Sensing is widely available... (Score:5, Funny)
"It has come to our attention that your Scents information may have been compromised. In order to prevent you becoming victim to an incorrect Rose scent on a virtual bouquet, or an invalid Roast Turkey smell this Christmas you should log in and sniff at our server to verify your sniffers. [pharts.com]
Thank you!"
Ewwww!
Econ class paid off after all... (Score:4, Insightful)
I believe that the success of these scams will decline over time. Just like with the 409 scams, there will a larger number of people who fall for it at the beginning, but then numbers will drop. Will it always be profittable for them? Most likely, yes, unless email verification becomes much more standard. Will they go away? No. Will they eventually find some new scheme that is even more clever? Without a doubt.
I dunno what my point is. Someone agree with me.
Got one of these a week ago... (Score:4, Informative)
1) I don't have an account at the bank listed (Citibank, in this case.)
2) The e-mail itself was a giant GIF. (It did have the 'fail-to-get-around-spamblocker' words in text at the bottom, though.)
Instead of getting rid of phishing scams, we should get rid of low-common sense/stupid people on the net. Then we wouldn't have this problem. Or many others.
A leader is only a leader when he has followers.
Good use of vocabulary (Score:2, Funny)
Counterattacks (Score:2, Interesting)
Whenever I get a phishing email I click the link so that I get the real url (the emails usually use Javascript to make it look like you're going to a legitimate website). I try to load the base url to see if it's actually some person's website who's been hacked, and doesn't know that he's hosting phishing pages. But usually, it's someone who's probably hosting a site on a residential connection. A traceroute should tell you where. Then, I blast that site with as much traffic as I can. Because they're often
Scams happen.. (Score:2)
Never give personal information to anyone requesting in online.
PdcsvdCVCD*(B))
Re:Scams happen.. (Score:3, Interesting)
It's not just the older ones, not all the time. Take a third year university student I know who came in all excited that he got an email from this guy in africa who needed to transport $20million out of the country...
Size of the problem (Score:4, Informative)
That's large enough amount for personal scale, especially if you've lost the savings that have been put up against a new house or new car.
But on the large scale, banks won't care, the loss is $3-4 a person, you lose more per year on some dubious surcharges.
its easy to call people stupid (Score:4, Insightful)
This problem is directly caused by (Score:3, Interesting)
This problem is directly caused by the use of insecure human-readable names, and the use of IP addresses as identifiers. Both things don't work on the Internet. You need names that can be mathematically verified to be owned by the party you're communicating with. Names should be public keys [cakem.net].
Multiple Phishing websites (Score:2, Interesting)
When I pasted the originating IP address into Firefox, a web-based interface for sending phishing emails was shown, complete with defalt 'paypal' text filled in.
When I followed the link in the 'paypal' email (another IP address) i discovered that not only did the site contain a 'paypal' site, but also an 'ebay' and 'Wells Fargo' site too.
I took a mirror of the offending pages, a
Happening already from Hacked Verizon servers (Score:2, Flamebait)
My parents also use Verizon and have the same problem.
My guess is a spammer cracked their email server and he just phises real email addresses to hide his identity.
Nice.
Whats scary is Verizon wont even acknowledge the problem and its been going on for months. I eventually left them. My guess is they are
Where did this name come from? (Score:2, Insightful)
Whenever I see it I think of the Band Phish who are now retired as a band. And weren't at all about attacks or fraud. Heck they probably hold a trademark on Phish, and should sue everyone for using it in this manner. This is a lot differnt then the spam and hormel thing. Spam ala hormel was bad ala mail spam. Phish ala the band isn't nearly as relatable to this "phishing" stuff.
The Arrogance of the Comments is Astounding. (Score:5, Insightful)
People genuinely trust folks, that's why they call it social engineering. You can walk just about anywhere with a clipboard and a pen and get access to just about anything in a standard business environment.
Working for a vendor I've had many 'seasoned sysadmins' rattle off a password to me like it was nothing. Granted I've never once used them outside the context that they were given but the fact that some of them would affect the bottom line of the company with a few simple commands would not be the best thing.
Do I call those admins stupid? no, not really. Guess that is where I differ. I don't find the BOFH and similar things funny either though.
Re:The Arrogance of the Comments is Astounding. (Score:3, Insightful)
Poor planning on the SysAdmins part -- they should have set up an 'expires really soon' guest account with sudo
Handing out root access is an invitation to disaster. Or maybe people want to test that
Re:The Arrogance of the Comments is Astounding. (Score:4, Interesting)
Doesn't help. I've done that. The contractor needs adminnistrative access to the doman because the person that set up the web app was a moron and you couldn't do what you needed to without domain admin rights. So, he is on a 2 month contract. I set it to expire in 3 months. 3 months later, I get a call that the contractor can't get in. I ask when he will be done, another month. I set it to 3 months again. The next time (yes, the 2 month contractor was there over 12 months), I'm told to set it to never expire. I let them know that is a violation of security policy and I won't do it. A few minutes later, my boss orders me to do it.
So, proper security policy was circumvented because schedules were not being met and someone was too impatient to wait a few minutes every 3 months (or warn me in advance they will be staying longer). I don't see how giving an time-unlimited password with full domain admin access to a non-employee was any fault of the sysadmin.
This your smart enough? (Score:3, Informative)
Enjoy!
Free us from HTML messages (Score:3, Insightful)
Does anyone else think that the only real problem here is HTML email? It's good for nothing, wastes resources, and enables pretty much every kind of annoying spam, hidden redirect, tracking bug--it just keeps coming. Why do we have to build all these widgets to help users see that URLs aren't what they say they are, and such? Do we really want to wait for the spammers to start building javascript messages that alter the url after/when clicking, or whatever next becomes really annoying to people?
Isn't this enough of a problem yet to get the asinine companies that forced HTML down our throats (I'm looking at you AOL, MS, etc) to reconsider? Make the common clients block/ignore the HTML by default and *never* send HTML messages, instead of the current tactic of trying to trick or force users to send as HTML (maybe with an additional text version, if we're lucky), to just drown out the people asking for plain text.
Maybe I'm just bitter. It's always so difficult to watch stupid obvious mistakes blossom so thoroughly predictably. At least I can filter most all the spam by dumping HTML messages.
Schwab contributes to Phishing (Score:5, Interesting)
Their response indicated they didn't even understand what I was talking about. Should I have called it "Phishing"? I doubt it would have helped. How can a customer educate these people, and why should I have to? (Maybe someone in their IT dept reads slashdot
Here is my letter:
To Director of Technology,
I am disappointed in the security offered by the transaction statement I receive each month. I am required to save an html file, which when opened presents me with an account/pin dialog.
- I have no way of knowing where that information is going to be sent.
- I cannot verify the originator of *any* email. How can I be sure that *this* email is definitely from schwab.com? (one b or two?) If the email is spoofed, the contents of the html document are suspect, putting my password etc at risk.
- Since this arrived by email, I did not initiate the connection. It is generally a bad practice to give out personal information when one did not initiate the transaction (even in a phone call).
- The process required by your system encourages less sophisticated users to develop poor security habits, such as responding to emails (of unknowable origins) with personal information.
- I would feel *much* more secure if I initiated an https connection to a web address that *I* know is legitimate. It is significantly less likely an https connection mechanism would be exploited than a simple email message.
Until something changes about this process, I have no alternative but to consider these emails SPAM, and am in fact getting no benefit out of receiving them.
And their response...
I appreciate your concerns regarding your request of electronic statements. In regards to your concerns, PostX technology sends an "HTML envelope" that contains the encrypted payload. This "HTML envelope" opens to present the user with a prompt for the users password. Once the password is entered the local javascript or java applet accepts the user password and decrypts
the payload.
Documents sent through the PostX platform are encrypted with highly secure, industry standard algorithms. Symmetric encryption defaults to ARC4 but AES encryption algorithm is available as well. End to end encryption between users or firms assures the highest levels of confidentiality for critical, sensitive or personal data on public networks. The password is hashed with 160 bit encryption (SHA1) with a large random number. This hash is then used along with the chosen encryption algorithm to encrypt the payload. The encryption is very secure. The most venerable part of the process is the password itself.
If you still have further concerns regarding the security of the contents that you have chosen to have delivered via email, then you may want to elect to cancel this request. You may do so by following these simple steps:
Sincerely,
Re:Schwab contributes to Phishing (Score:4, Insightful)
When they reply saying that 'these are legitimate emails', ask them how you are supposed to tell that they're legitimate. If they give a good answer, your problem is solved. If they are unable to give a good answer, hopefully they'll realize the point that you're trying to make.
Lather rinse and repeat on any other vendor that sends emails that can be easily mistaken for phishing.
Re:PostX is Phish-friendly? (Score:3, Informative)
1.) Because the user can access their statements even if they're not on-line (although the contents stay encrypted on their hard disk).
2.) Because the financial institution chooses when they want to use their bandwidth to send the messages and doesn't receive random spikes that they would get if the user was "pulled" back to the site to
Identity Theft (Score:3, Interesting)
Identity theft is only a problem because we attach so much weight and importance to our individual histories. If we would stop screwing people over for life after things like bankrupcy, or when they fall ill, there wouldn't be a need to get other people's "clean" identities.
As someone who can't even get health insurance because of some mysterious "red flag" in my past, I can see why someone could get desperate enough to try to become someone else! I can't even imagine a scenario where I couldnlt open a checking account because I made a few mistakes as a young adult.
Identity theft won't stop until this "you are your credit score" mentality goes away!
Paypal SUCKS (Score:4, Interesting)
A few hours later the item was charged back by Paypal saying it was unauthroized.
Have a question for you guys. What are my chances to find Paypal liable for the loss if I can't find this crook?
Here's my take:
One is that Paypal sees themselves as an escrow service. If such is the case they have the right to intervene and take back funds from transactions that are deemed illegitimate. However if so, then they also have an obligation to ensure that account charges are in fact legit. The only reason I accepted the payment was that it was from a "verified paypal user". Therefore Paypal is liable.
The other argument would be that Paypal isn't an escrow service, but only a payment transfer service. If this is the case, once the money is in my account it belongs to me (like a cash exchange). They have no right to take it out of my account and put it back.
Bandwith is not that expensive anymore... (Score:3, Funny)
If we don't use the word legit, it will serve as a spam flag.
Stop Blaming The Victims (Score:4, Insightful)
I see a lot of people blaming stupid people for this. And stupidity, naivete, etc. are definitely part of it.
But the fact is, some of the phishing emails look really good. I got one last week that was identical to a legit Citibank email, except that it went to http://citibankgroup.biz instead of https://citibank.com. Given all the weird URLs and bulk mailing companies banks use (and the fact that a lot of normal users view URLs to be voodoo), it not surprising to me at all that people fall for this stuff.
In the end, this is just a special case of spam. Verifying the sender using SPF or any of the other systems being adopted right now, will solve this problem. And disabling HTML email (among the worst design decisions ever made, IMHO), would also help a lot.
-Esme
Education is the key (Score:3, Insightful)
Don't let your guard down! (Score:5, Insightful)
- I posted an item for sale
- I realized I owed eBay about $40 in back listing fees
It was just before I was going to get into bed, and I skimmed over the message as I usually do before deleting it. My usual thinking: "Sure", I thought, "I'll get back to it tomorrow and pay them." This time around, I clicked the link and got the "standard" eBay login screen. Being tired and lazy, at this point I didn't even glance at the URL. I entered my login and password for eBay, and as it was redirecting I glanced at the address bar, and in horror I saw "cgi2.eb4y.com" or something munged like that.
In a panic, I immediately changed my eBay password, and all is once again well on my happy little computing planet. That being said, had I not caught that and gone straight to bed, who knows what I would've woken up to. The moral of the story is that you really have to be on your toes. The circumstances surrounding this dodged-bullet really were a perfect setup for me: owed eBay money, just posted a new item for sale that day, fatigue...
Common sense is the key!
E-mail scam plays on US elections -BBC (Score:3, Informative)
By Alfred Hermida
Published: 2004/10/05 08:50:43 GMT
BBC News Online technology editor
http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/
People are being warned about a scam e-mail which uses the US presidential poll to con them out of their money.
A junk e-mail invites people to dial a premium rate number to express their support for President George W Bush or rival John Kerry.
E-mail filtering firm BlackSpider estimates that almost a quarter of a million are being sent out every day.
In the past, net fraudsters have tried to use the 9/11 attacks and the tragedy in Beslan to get money.
900 number
At first glance, the presidential election message appears to be legitimate, saying it was sent from a Lycos.com address.
But BlackSpider Technologies said it had traced some of the e-mails to a server in the Czech Republic.
No doubt we will be seeing some messages like this in the next general election in the UK John Cheney, BlackSpider Technologies The mail reads: "Fellow Citizen: The extremely jubilant crowds in Baghdad appeared to vindicate President George Bush's belief that the military action in Iraq was the right move.
"But many questions still remain over the lack of hard evidence of Saddam's weapons of mass destruction. With these tough times before us, let us know."
It goes on to ask readers if they support President Bush, prompting them to call a 900 premium rate number.
It says votes will be sent to the Bush and Kerry campaigns.
In an effort to convince people it is a genuine message, the e-mail says who commissioned the poll.
The mail adds that the calls will cost $1.99, saying this is "a little price to pay for a better democracy".
"This is a relatively new scam," said BlackSpider CEO, John Cheney.
"The question is, are they breaking the law? In the UK they are, in the US they are not."
Sending unsolicited messages to personal e-mail is barred in the UK. But in the US, people have to opt out of receiving these sorts of messages.
Hotbed of scams
BlackSpider estimates that 240,000 of the presidential scam e-mails are being sent out worldwide a day.
The lack of any spelling mistakes and its resemblance to a genuine message means that it could slip through the spam filtering of home users.
This latest scam reflects how the nature of spam is changing.
In the past, spam was dominated by pornography. These days spam is a hotbed of financial scams, as well as a black market for fake pharmaceuticals and software.
E-mail scams known as phishing have tried to trick customers into giving away confidential bank details.
Other scams known as 419 try to part people from their cash by telling them they in line for millions from a deposed African leader.
The US presidential mail is just the latest trick used by spammers to part the unwary from their money.
"No doubt we will be seeing some messages like this in the next general election in the UK," said Mr Cheney.
Re:Maybe this is a good sign (Score:2)
Keep up the good work, admins.
I would say this shows that the hackers are becoming more lazy rather then the admins becoming more secure. What's easier? Hacking into a system and then trying to decrypt the password file or tricking some cluebie into giving it to you?
Still in the long-term that means we'll still win -- since the hackers will eventually all die from muscle atrophy and heart attacks brought on by laziness.
Re:Maybe this is a good sign (Score:2, Insightful)
Re:Maybe this is a good sign (Score:5, Interesting)
Also, there are various graduations of criminal, from petty thug to criminal mastermind. There are more thugs than masterminds (mostly because if there were tons of masterminds, all the cool costumes would be taken).
Read it how you will. This is, I assume, much easier than hacking into the bank. Doesn't mean that you couldn't hack into the bank.
Re:Huh? (Score:5, Informative)
Re:Where did the test go? (Score:3, Informative)