Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security

"Phishing" Attacks to Increase 358

neutron_p writes "The number of people who succumb to identity thieves' "phishing" e-mails could go way up if immediate action isn't taken to preempt the next generation of attacks, according to an Indiana University School of Informatics researcher. "Phishing" e-mails appear to be sent by legitimate businesses, but are actually created and distributed by villains who are after your personal information. They describe some thieves' tricks. One kind of context-aware attack tricks eBay bidders into giving out identifying information by leading bidders to believe they've won an auction. In another kind of context-aware attack, a potential victim might receive a message from a known person -- for example, a friend or loved one - asking him or her to go to a Web site to update banking information."
This discussion has been archived. No new comments can be posted.

"Phishing" Attacks to Increase

Comments Filter:
  • Moving right along (Score:5, Interesting)

    by Lord Grey ( 463613 ) * on Monday October 18, 2004 @01:17PM (#10557879)
    The article does not really say anything new. Of course phishing scams are on the rise: When they succeed, they succeed very well. It's just like spam that sells Body Part Enlargement Pills. Only a few victims need to fall for it befor the perps fall in love with the whole idea.

    But off-topic, did anyone else notice the "Further Reading" section below the article?

    • The Elements of Style, Fourth Edition by Roger Angell
    • The Art of Innovation : Lessons in Creativity from IDEO, America's Leading Design Firm by by Tom Peters
    • Reporting Technical Information by Thomas E. Pearsall
    • Optical Illusions : Lucent and the Crash of Telecom by Lisa Endlich
    • National Electrical Code 2002 Handbook
    The dead tree compilation of HOWTO: PHISH (except for maybe the last one). Ha!
    • The article does not really say anything new

      No, it's all about a new class of "context aware" attacks which the author believes will have a much higher rate of success than the current ones (50% versus an estimated 3% now). You can disagree with the author's conclusions, but the article is at least talking about something I hadn't heard of before.

  • first post? (Score:3, Informative)

    by Anubis350 ( 772791 ) on Monday October 18, 2004 @01:18PM (#10557894)
    wasnt there a recent article about google doing something about this here: http://it.slashdot.org/article.pl?sid=04/10/18/023 6201&tid=111&tid=217&tid=95&tid=1 as I understand it, yahoo's signing technology, which hopefully will become a standard, will help stop such attacks. Google signing on to it helps push it quite a bit
  • by inkdesign ( 7389 ) on Monday October 18, 2004 @01:20PM (#10557917)
    Number of Idiots On the Internet To Increase...

  • by Anonymous Coward on Monday October 18, 2004 @01:20PM (#10557921)
    Was the addition of yellow highlighting for secure sites, and the domain in the status bar. It really makes picking up when you're on a secure site easier. In the past you had to really look for that little lock icon or whatever.

    Phishing is just conmen moving to the internet. They use similar tricks in the real world, just on a smaller audience. Here in the DC area there are several police imposters running around, some of them tricking people into withdrawing all the money from their bank (it's counterfeit!!!) and others actually using flashing lights to pull over people on the road.
    • by I_Love_Pocky! ( 751171 ) on Monday October 18, 2004 @01:26PM (#10557987)
      It really makes picking up when you're on a secure site easier.

      I'm sorry, but just because the site uses SSL doesn't mean they are who you think they are.
      • by syntap ( 242090 ) on Monday October 18, 2004 @01:39PM (#10558094)
        Yeah, but at least you are transmitting all your personal info to just that thief in a secure fashion, and it won't be picked up by other thieves.
      • If the URL in the bar says citibank.com, and its yellow, and I didn't do some jackass thing like ignore the certificate name mismatch, it sure does mean that.
        • by lukewarmfusion ( 726141 ) on Monday October 18, 2004 @01:55PM (#10558201) Homepage Journal
          Misleading domain names, username/host parameters in the URL, and certificates from not-so-trusted providers (or self-issued) are easy ways to trick a user into thinking they're at one site when they're at another.

          There was a Phishing test posted here on Slashdot a while back. One of the trickiest examples used a hostname/username/password in the URL. The regular user wouldn't know what that was - essentially, you're passing a username to the server along the lines of "www.hotmail.com" but the actual domain (which follows that username) is "www.youhavebeenowned.com"

          As another poster pointed out - citybank.com, citi-bank.com, citibanque.com, citibank.phishing.com, etc. are enough to trick a lot of people.
      • by cmg ( 31795 ) on Monday October 18, 2004 @01:51PM (#10558182) Homepage
        One thing I just got onto my banking website for is in a new version, they switched to using components spread amongst 4 domain names.

        It's hard enough telling grandma that www.examplebank.com is different from www.example-bank.com for phishing scams. It's only harder when the banks themselves are spreading confusion.
  • by johnhennessy ( 94737 ) on Monday October 18, 2004 @01:21PM (#10557924)

    Give anyone who falls for one a Darwin award.
  • Humans... (Score:5, Insightful)

    by Duncan3 ( 10537 ) on Monday October 18, 2004 @01:21PM (#10557925) Homepage
    Social engineering will always work, and will always be very easy, because users are stupid.

    Phishing is just technology-enabled social engineering.
    • Re:Humans... (Score:4, Interesting)

      by Anonymous Coward on Monday October 18, 2004 @01:23PM (#10557955)
      nahh I love these...

      I set up a website testing app full of profanity and point it at the "webform" these losers try and scam people with and fill their database.

      I let it run until it start's erroring out because it has been taken down.
      • Re:Humans... (Score:3, Insightful)

        by ednopantz ( 467288 )
        You my friend are a hero.

        Better yet, program it to fill in plausable data and let the bastards spend all their time trying to use bogus user info.

        Or perhaps the solution is to send out a bunch of phishing emails and point them to a website that educates users: "You just gave your banking info to an unknown party. Had this been a real scam, you would be broke now."
    • Re:Humans... (Score:5, Interesting)

      Seriously, doesn't the parent have a point here?

      I mean, there will be scam artists as long as people are uninformed enough to fall for a scam. Doesn't every single site that you give sensitive information to WARN you that they will never ask you for that information?

      I remember the first time I ever logged in to AOL, someone named "SS Rupert" IM-ed me telling me that my credit card number was lost in the last transmission and I needed to re-send it. This is immediately after the old AOL screen that says "We will never ask you for your password or credit card information". I laughed at his IM and asked him how many people fell for that? He told me that he just hung around the "newbie chat" or wherever it was that AOL dumped new users at the time and that he gets about 10 to 15 PER CENT of people to send him one or the other without even questioning him.

      I almost completely agree that if you're dumb enough to fall for the scam, you deserve it.
      • Re:Humans... (Score:5, Insightful)

        by stilwebm ( 129567 ) on Monday October 18, 2004 @01:43PM (#10558117)
        I almost completely agree that if you're dumb enough to fall for the scam, you deserve it.

        Most slashdot readers are smart enough to avoid this type of scam, so it's easy to say "these scams don't affect me." Them problem is, they do. Increased success of scams leads to increased fees and holdbacks for credit card transactions, increased retail prices, increased costs for investigations, increased costs for prevention and decreased productivity. These are all small hidden costs but they add up. Maximizing prevetion has real economic benefits for everyone. Sympathizing with the criminals only hurts lawful consumers.
        • Re:Humans... (Score:3, Interesting)

          by beacher ( 82033 )
          "Increased success of scams leads to increased fees"

          Give Master Card or VISA a completed investigation with the suspect's names, a written confession, an itemized list of goods purchased with stolen credit cards, videotapes of the suspects and THEY STILL WON'T PROSECUTE. They don't give a flying fuck because they can write it off and then pass the screwing on to you the customer. My department almost re-wrote their evidence rules because they were almost categorized as "victimless crimes" (the cc compan
      • Re:Humans... (Score:4, Insightful)

        by discord5 ( 798235 ) on Monday October 18, 2004 @02:05PM (#10558301)
        I mean, there will be scam artists as long as people are uninformed enough to fall for a scam.

        Internet is in more than one way a mirror of real life society. As long as there are people naive enough to disclose personal information, or lend money to people who'll never give it back, there will be people who do these kind of scams. The internet is not the place crooks are born, real life is. People seem to forget about that and mention internet as the source of all evil.

        I almost completely agree that if you're dumb enough to fall for the scam, you deserve it.

        I don't really share that opinion. Yes, people are too trusting far too often, but that doesn't mean that they earn getting ripped off.

        The thing is that while now we may say "Oh, it's just some idiot who gave out his VISA number to a lot of scammers", who knows maybe we'll be the fools of the generation of scammers to come. I'd rather not have someone say "People who are too dumb deserve to scammed" then.

      • Re:Humans... (Score:5, Insightful)

        by scot4875 ( 542869 ) on Monday October 18, 2004 @03:00PM (#10558854) Homepage
        I almost completely agree that if you're dumb enough to fall for the scam, you deserve it.

        I almost completely agree that if you're not strong enough to defend yourself, you deserved to get your ass kicked by that big linebacker guy.

        We have this thing called a 'society' around us -- it works best if we HELP LOOK OUT FOR THOSE PEOPLE WHO HAVE TROUBLE LOOKING OUT FOR THEMSELVES.

        --Jeremy
    • Re:Humans... (Score:5, Interesting)

      by White Roses ( 211207 ) on Monday October 18, 2004 @02:03PM (#10558281)
      Exatcly.

      My parents call me if they get something like this. My sister calls me. Now, the calls have been getting fewer and fewer since I've been subtly educating them on how to recognize such things. Plus, I've always told them, even if it's me asking you for information in an e-mail, call the person who sent it first. Call Earthlink. Call your bank. Call me if it looks like it came from me. Remember that all of these people should already know the information they are supposedly requesting.

      As an aside, kudos to National City Mortgage. Someone published a phishing e-mail, and I got it. First time I looked at it, I said, yeah, phishing. When I looked at it again half an hour later, the banner, which was linked in the e-mail to NCM's website, had "DO NOT REPLY TO THIS E-MAIL! IT IS A SCAM ATEMPTING TO GAIN ACCOUNT NUMBER AND PASSWORD!" overlayed on it. Pretty slick way for NCM to get the word out to everyone who got the e-mail, and not startle people who didn't. Of course, the phishers had to be morons to do something like that.

    • Re:Humans... (Score:3, Insightful)

      by Have Blue ( 616 )
      And social engineering is "just" lying or acting with intent to deceive. It's not fundamentally different just because it has a 1337er name.
    • Re:Humans... (Score:3, Insightful)

      Stupidity isn't the reason why social engineering succeeds, but rather it is rooted in the trust that we all must show towards each other in our daily life: you trust other drivers on the road, the train operator, the cook at the restaurant, and construction workers who built the house you live in, not to be targeting you. Social engineering abuses this trust.

      Most computer users have an appallingly crippled understanding of the technology they use to surf the web, write letters, and balance their checkboo

  • by drsmack1 ( 698392 ) * on Monday October 18, 2004 @01:21PM (#10557928)
    Until the majority of the people out there have the critial thinking skills to deal with this sort of thing the problems will continue. The same people who are stupid enough to give out their info to someone who e-mails them are the one buying shit from SPAM e-mails.
    • by bludstone ( 103539 ) on Monday October 18, 2004 @01:47PM (#10558154)
      I've actually recieved one of these emails. It looked legit.

      Really legit.

      In fact, the only clue that it wasnt an official notice was the email came from ebay.(official sounding name).com

      That and they asked for my l/p, which I know not to give over email.

      Honestly, I can say that this goes beyond normal user stupidity. People are being scammed, and these are expert scams. Yeah, people need to apply more critical thinking skills to these things, but I think you are not giving the creators of these emails enough credit.

      I mean, they look _really_ official.
      • So what? (Score:3, Informative)

        by Sycraft-fu ( 314770 )
        You do the intelligent (or lazy) thing: Go to their site and log in normally. If they want your attention, it'll prompt you. That's what I do if I get one that is legit. I just go log in as normal. If it's really legit, the site will then prompt me for what it wants. If not, no problem.
      • Perhaps the best way to handle these is to get even.

        Write a script which will go to the size and fill in bogus name/account/credit card info. Let's slashdot the phishers!
  • In related news... (Score:5, Informative)

    by slavemowgli ( 585321 ) on Monday October 18, 2004 @01:22PM (#10557944) Homepage
    In related news, Google has recently updated Gmail with an automatic detection of phishing attempts / spoofed emails; suspicious emails will be displayed with a warning:

    "Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information. Learn more"

    Like spam detection, it's not perfect, of course, but I think it's a very good idea.
  • Jealous (Score:5, Funny)

    by I_Love_Pocky! ( 751171 ) on Monday October 18, 2004 @01:23PM (#10557946)
    The author of the article is just jealous because I'm going to get millions from Nigeria, and he isn't!
  • by superpulpsicle ( 533373 ) on Monday October 18, 2004 @01:23PM (#10557950)
    For example

    1.) fleetbank send out some email advertisment
    2.) hackers now have a model email to modify
    3.) hackers can just redirect some links and resend it to different users.

    So to fix this, real companies need to STOP sending out spam.

    • by dthree ( 458263 ) <chaoslite@hotma i l . c om> on Monday October 18, 2004 @01:44PM (#10558124) Homepage
      Credit card companies, banks, paypal, and any site that deals with financial transactions that could be comprimised by phishing scams need to establish a 1-point policy for client email: never link back to the site from the email. If every company did this, and users were instructed to always type the url in the browser to access thier account, and made if clear that the company would never send an email with links to the site or account, eventually people would be able to tell the phishing from the real. I know its not a perfect solution, but the convenience of "click here to access your account" emails is what fuels the phishing scams.

      OTOH, I have yet to personally get a phising scam (and I get them every day) that purported to be from a company I actually do business with, with the exception of paypal. And all my credit cards are from big, national companies.
  • by magarity ( 164372 ) on Monday October 18, 2004 @01:23PM (#10557953)
    for example, a friend or loved one - asking him or her to go to a Web site to update banking information

    OK, hands up, whose mother has a habit of wanting one to provide bank account info via some web site? I can see the duplicitous falling for the fake 'from your bank' emails, but from friends and loved ones???

    And some people want democracy to be MORE direct???
  • by Anonymous Coward on Monday October 18, 2004 @01:23PM (#10557958)
    This is one from a friend I only know online, so take it's truthfulness with a grain of salt. Out of a mix of curiosity and a bet/dare with a co-worker, he engineered to insert a small harmless fake phish into email, one distributed to members of staff around the organisation, which provides financial support for other government departments. It was a completely stupid one, with the email simply asking staff members to go to a site and re-confirm their credit information, and the site took down names/addresses/SS/credit card numbers etc. Out of more than a hundred employees, *ONE* person came to him as support to check what the email might be, and fifteen filled out their complete credit information.

    That was around 10% of people, adults who should know better, who simply gave up their personal information to nobody they knew, just because they were asked. My friend lost his bet, he thought it would be closer to 30%, but still... send out hundreds of thousands of phish scams and you're guaranteed a good haul.
  • by Se7enLC ( 714730 ) on Monday October 18, 2004 @01:24PM (#10557961) Homepage Journal
    How are we supposed to tell the difference between a legitimate email from a company and a phishing attempt when places like CapitalOne [capitalone.com] use skeezy companies like bfi0.com for sending email to their customers? A link that says "Click here to access your statement" that actually goes to http://capitalone.bfi0.com/T8RT044ABB6D98DEB357FB2 EDD4A80 makes me feel safe inside.
    • by Scorchio ( 177053 ) on Monday October 18, 2004 @01:51PM (#10558179)
      This is a serious problem... I get emails from Bank of America, telling me how cool it is to pay my bills through their online service, and provides links to the site. The link isn't simply to http://www.bankofamerica.com/, it's http://links.bankofamerica1.com:8082/Click?q=eXXXX , which redirects to the former. Is it really Bank of America, or is it a phisher who's registered the domain name with a '1' on the end? I'm fairly sure it's ok, but I'm sure they don't expect all customers to run whois enquiries on link addresses.

      The thing that scares me is that it could so easily be a more subtle phishing email. It doesn't follow the more obvious method of asking for people to login to verify their details. If it was a scam, this could easily fool even those of us who should know better - those of us who have just crawled out of bed and remembered the phone bill still needs paying. Clicking the link and logging in is so easy, and exactly what a phisher is waiting for.
    • by Wanker ( 17907 ) * on Monday October 18, 2004 @02:03PM (#10558284)
      How are we supposed to tell the difference between a legitimate email from a company and a phishing attempt when places like CapitalOne use skeezy companies like bfi0.com for sending email to their customers?


      I realize your question was rhetorical-- there's no way to tell the difference between these "legitimate" off-domain links and phishing attacks based solely on the contents of the message.

      What you can do is to call the help number for the company (CapitalOne in the above example) and explain that you received a "suspicious" E-mail and want to verify that it's legitimate. If they get and pay for enough of these calls (sadly, this is unlikely) they might think twice about outsourcing their hosting to another domain.
  • I KNOW they are all bogus and just ignore them, but I'm worried that friends or family will fall to them. I have a number of elderly family members that surf and no matter how hard you try to explain things to them, they just don't get it.

    Some of these things look very legit to the untrained eye and some of them are pretty frightening, such as warnings that your account has been abused and that you need to log in to update your security profile or some such nonsense.

    I finally got it through to my elderly
    • On that note, most people attempting to guess my system's root password over SSH seem to be using computers in Korea as well. :)
    • by meringuoid ( 568297 ) on Monday October 18, 2004 @01:59PM (#10558236)
      I've tracked a LOT of these ebay scams to Korea. Dubya was right, North Korea is a threat.

      It's not North Korea, it's South Korea. The place is full of ridiculously fat broadband connections, and the ISPs don't seem too bothered about what goes on on the networks. Since Koreans aren't any brighter than the rest of us, an awful lot of those broadband connections go to Windows machines which have been 0wnz0red since about 30 seconds after they were first switched on.

      And that's before we even consider the mail servers installed in every school in the country, which are wide-open mail relays out of the box. Aaarrrggghhh!

      South Korea would be paradise to be in - fat connection and nobody giving a filesystem check what you're doing with it - but the consequences for the rest of the world are becoming a nightmare.

  • by mabu ( 178417 ) on Monday October 18, 2004 @01:25PM (#10557976)
    One easy way to address this situation would be to have a plugin or feature for most e-mail clients that would prominently display the general source of the message (i.e. "China, Brazil, DSL user in Texas, etc.) as a prominent part of the normally-viewable message headers.

    It is well known that most spam and phishing e-mails are coming from one of two sets of IP space: China and Korea and related "rogue IP space", and DSL-based zombie proxies. It would not be difficult to use a database or design an algorhythm which could 'flag' e-mail messages as suspicious based on the comparison between the from header information and the SMTP relay.

    Users who then received messages could get a color-coded warning when they view the message, i.e.:

    "WARNING: This e-mail claims to be from the domain ebay.com but it originated from a system suspected of being located in China - use caution"

    Very simple, elegant and helpful solution. Which probably means it would never be adopted.
    • Why do you think this would work? Its the mail server that generates such mail header content. When the "server" is a compromised home box sitting on a DSL connection, why would the trojan/virus/what have you be honest about the origins of the email it generates?
    • or how about just viewing your raw email?

      in mail.app i see the email address: eBay@reply3.ebay.com

      but when i go and view the raw source i actually it was delivered by:
      Received: from mail.wooms.net (unknown [212.124.39.178])

      a simple whois wooms.net tells me:
      Peter Brueggemann guardian@globe.de
      Wooms e.V.
      Hammer Strasse 37
      Muenster, NRW 48153
      DE
      +49 2512034762

      somehow i doubt that's ebay.
    • Gmail now will mark suspicious email with a banner that says something to the effect of "This email does not appear to be from who it claims. Learn More...", with a link to information about phishing scams.

  • "Mom" as a phisher (Score:5, Insightful)

    by FunWithHeadlines ( 644929 ) on Monday October 18, 2004 @01:25PM (#10557980) Homepage
    "a potential victim might receive a message from a known person -- for example, a friend or loved one - asking him or her to go to a Web site to update banking information"

    Yeah, that's a likely scenario. Your dad or mom writing you all concerned that your bank information needs updating. Has anyone, anywhere, ever had that happen in real life? OK, never mind, I'm sure it has happened to someone, and for sure that person is reading this comment and will respond all indignantly. But you get the point. I cannot believe this approach would be accepted. This is not a typical, 'Hey, check this out' type of email from a relative. It's just a little too strange to work.

    Now I have been phished, usually by Citibank-looking emails asking me to click here and update my information. The fact that I don't have a Citibank account was my first clue. The fact that I read /. and know about phishing was my second clue. The fact that I know banks don't operate that way was my third clue. But they are professionally looking emails, until you look closely and find all the typos. But pretending the email comes from Mom?? The first thing I would do is call her up and ask what's going on. And then she could say, "You called, it worked!"

    Oh wait, this is a phishing expedition, not from bad guys, but from parents who want more phone calls from their children!

  • by sharp-bang ( 311928 ) <sharp@bang@slashdot.gmail@com> on Monday October 18, 2004 @01:25PM (#10557981) Homepage
    You can read more about efforts to combat phishing here [antiphishing.org]. Lots of purty charts and plenty of specific examples.
  • by Solder Fumes ( 797270 ) on Monday October 18, 2004 @01:26PM (#10557988)
    I was pleasantly surprised at a commercial I recently heard on the radio while driving. It was a public service announcement laying down the basics of phishing (they even said "spelled with a 'ph'") and what kinds of warning signs to look for. I hope to see more announcements of this type, as computers begin to affect almost 100% of the people in our society.
  • 419 scams (Score:5, Interesting)

    by donnyspi ( 701349 ) <.junk5. .at. .donnyspi.com.> on Monday October 18, 2004 @01:27PM (#10558000) Homepage
    I use phishing techniques to get 419 scammers to give me their email password so i can shut them down. I usually direct them to a URL promising to contain a scanned image of my passport or whatever. The link usually goes to a log in screen for their particular email provider. This works great. I know they'll just get another email address, but this is a small thing I can do to disrupt them a little.
    • That's brilliant.
    • Out of curiousity since you're getting passwords, are you looking into their boxes? How many of these people have inboxes full of emails saying "I sent you the money via western union as you promised?" etc...just curious what the sucker count actually is...
      • Re:419 scams (Score:3, Interesting)

        by donnyspi ( 701349 )
        I do look in their boxes sometimes. Unfortunately the sucker count is moderately high. Their drafts folder is full of canned letters. Sometimes their Sent Items is full of sent scam emails. I thought most 419ers used programs to send out the initial bulk scam email.

        Check out http://www.419eater.com/ [419eater.com] for other people's reverse scam and phishing successes.

        • Re:419 scams (Score:3, Interesting)

          by tekiegreg ( 674773 ) *
          Heh, I'm a regular surfer of 419eater.com and even now am baiting a scammer, I actually wonder now if you were looking at faked responses in their inboxes from fellow 419 reverse scammers :-)
    • Yes, brilliant.

      I gather you have read Sun Tzu then?

      Perhaps there should be SF project on doing this...I'd join. :)

    • Phish your own users (Score:3, Interesting)

      by Wanker ( 17907 ) *

      I use phishing techniques to get 419 scammers to give me their email password so i can shut them down

      I wonder if anyone has thought about using a similar method to audit their own user base for inexperienced users who might fall for E-mail scams. I.e. send a message from a bogus domain registerred to "CompanyX Email Audits" requesting private data. Anyone who responds gets their account suspended until properly re-verified and a followup E-mail about how to avoid phishing attacks. :)

      It might upset a

  • by Doc Ruby ( 173196 ) on Monday October 18, 2004 @01:27PM (#10558002) Homepage Journal
    Now that we're in the PTO War that will last the rest of our lives, is Congress cracking down on the phishers who depend on trademark violation to bait their hooks as hard as the RIAA is persecuting perceived violators of their copyrights?
  • by slowhand ( 191637 ) on Monday October 18, 2004 @01:27PM (#10558004)
    The same folks will fall for Pharting scemes.

    "It has come to our attention that your Scents information may have been compromised. In order to prevent you becoming victim to an incorrect Rose scent on a virtual bouquet, or an invalid Roast Turkey smell this Christmas you should log in and sniff at our server to verify your sniffers. [pharts.com]
    Thank you!"

    Ewwww!
  • by trevdak ( 797540 ) on Monday October 18, 2004 @01:30PM (#10558021) Homepage
    An interesting thing about these scams is how game theory applies to them. If they don't send out any emails, of course they don't make any money. If they send out only a thousand or so per day, they'll probably succeed one or two people, and make a decent amount of money. Additionally, they'll remain more anonymous and reduce the risk of word spreading about this scam. If EVERY scammer sends out millions of these emails, people will catch on quickly and profits will plummet. That's what they did now. Everyone jumped on the bandwagon and the scam bubble burst.

    I believe that the success of these scams will decline over time. Just like with the 409 scams, there will a larger number of people who fall for it at the beginning, but then numbers will drop. Will it always be profittable for them? Most likely, yes, unless email verification becomes much more standard. Will they go away? No. Will they eventually find some new scheme that is even more clever? Without a doubt.

    I dunno what my point is. Someone agree with me.
  • by RyoShin ( 610051 ) <tukaro@[ ]il.com ['gma' in gap]> on Monday October 18, 2004 @01:30PM (#10558026) Homepage Journal
    I got a phishing e-mail (should it be called 'bate'?) a week or so ago, but there were two key things that let me know it was a scam (aside from general common sense):

    1) I don't have an account at the bank listed (Citibank, in this case.)

    2) The e-mail itself was a giant GIF. (It did have the 'fail-to-get-around-spamblocker' words in text at the bottom, though.)

    Instead of getting rid of phishing scams, we should get rid of low-common sense/stupid people on the net. Then we wouldn't have this problem. Or many others.

    A leader is only a leader when he has followers.
  • People dont use the word 'villain' enough. I think it has something to do with the fact that having a villain requires having some sort of superhero.
  • Counterattacks (Score:2, Interesting)

    by Anonymous Coward

    Whenever I get a phishing email I click the link so that I get the real url (the emails usually use Javascript to make it look like you're going to a legitimate website). I try to load the base url to see if it's actually some person's website who's been hacked, and doesn't know that he's hosting phishing pages. But usually, it's someone who's probably hosting a site on a residential connection. A traceroute should tell you where. Then, I blast that site with as much traffic as I can. Because they're often

  • Sad to say, but there are simply too many people out there that believe everything they read on the internet. Once the older generation passes on, I suspect this problem will go away, but until then scams like this and the old telephone ones will be a ripe place for ripoffs.

    Never give personal information to anyone requesting in online.

    PdcsvdCVCD*(B))
    • Re:Scams happen.. (Score:3, Interesting)

      by Amiga Lover ( 708890 )
      Sad to say, but there are simply too many people out there that believe everything they read on the internet. Once the older generation passes on, I suspect this problem will go away, but until then scams like this and the old telephone ones will be a ripe place for ripoffs.

      It's not just the older ones, not all the time. Take a third year university student I know who came in all excited that he got an email from this guy in africa who needed to transport $20million out of the country... ...his third year
  • Size of the problem (Score:4, Informative)

    by prostoalex ( 308614 ) on Monday October 18, 2004 @01:39PM (#10558097) Homepage Journal
    Americans lose $500 mln yearly to phishing [itfacts.biz].

    That's large enough amount for personal scale, especially if you've lost the savings that have been put up against a new house or new car.

    But on the large scale, banks won't care, the loss is $3-4 a person, you lose more per year on some dubious surcharges.
  • by OwlofCreamCheese ( 645015 ) on Monday October 18, 2004 @01:43PM (#10558120)
    its so easy to blame the problem being stupid. but people that grew up with only the 'real world' don't really have any referance to understand this by. I mean, I'd be dumb to fall for a trick where a dumpster across the street from me claims to be my bank. but you don't have to settle for that online, copys are easy. if a building across the street from me became a perfect copy of the bank I went to, I'd be like "hey, new branch, convenient"
  • This problem is directly caused by the use of insecure human-readable names, and the use of IP addresses as identifiers. Both things don't work on the Internet. You need names that can be mathematically verified to be owned by the party you're communicating with. Names should be public keys [cakem.net].

  • My firewall was subjected to the now-often seen ssh attacks.. but this one was different, there were thousands of attempts [dnsalias.net].

    When I pasted the originating IP address into Firefox, a web-based interface for sending phishing emails was shown, complete with defalt 'paypal' text filled in.

    When I followed the link in the 'paypal' email (another IP address) i discovered that not only did the site contain a 'paypal' site, but also an 'ebay' and 'Wells Fargo' site too.

    I took a mirror of the offending pages, a
  • I get email all the time in my inbox with things like "undeliverable: subject: Get a free loan". I tried a different email account and within 24 hours I began to recieve more undeliverable spam messages.

    My parents also use Verizon and have the same problem.

    My guess is a spammer cracked their email server and he just phises real email addresses to hide his identity.

    Nice.

    Whats scary is Verizon wont even acknowledge the problem and its been going on for months. I eventually left them. My guess is they are
  • Where did this term Phishing come from?

    Whenever I see it I think of the Band Phish who are now retired as a band. And weren't at all about attacks or fraud. Heck they probably hold a trademark on Phish, and should sue everyone for using it in this manner. This is a lot differnt then the spam and hormel thing. Spam ala hormel was bad ala mail spam. Phish ala the band isn't nearly as relatable to this "phishing" stuff.
  • So far I've read multiple 'stupid user' accounts. It amazes me that so many people are so arrogant because they see this type of stuff day in and day out that they'd expect every person out there to think of people this evil to come up to them with this type of attack.

    People genuinely trust folks, that's why they call it social engineering. You can walk just about anywhere with a clipboard and a pen and get access to just about anything in a standard business environment.

    Working for a vendor I've had many 'seasoned sysadmins' rattle off a password to me like it was nothing. Granted I've never once used them outside the context that they were given but the fact that some of them would affect the bottom line of the company with a few simple commands would not be the best thing.

    Do I call those admins stupid? no, not really. Guess that is where I differ. I don't find the BOFH and similar things funny either though.
      • Working for a vendor I've had many 'seasoned sysadmins' rattle off a password to me like it was nothing. Granted I've never once used them outside the context that they were given but the fact that some of them would affect the bottom line of the company with a few simple commands would not be the best thing.

      Poor planning on the SysAdmins part -- they should have set up an 'expires really soon' guest account with sudo

      Handing out root access is an invitation to disaster. Or maybe people want to test that

      • by AK Marc ( 707885 ) on Monday October 18, 2004 @05:21PM (#10559955)
        Poor planning on the SysAdmins part -- they should have set up an 'expires really soon' guest account with sudo

        Doesn't help. I've done that. The contractor needs adminnistrative access to the doman because the person that set up the web app was a moron and you couldn't do what you needed to without domain admin rights. So, he is on a 2 month contract. I set it to expire in 3 months. 3 months later, I get a call that the contractor can't get in. I ask when he will be done, another month. I set it to 3 months again. The next time (yes, the 2 month contractor was there over 12 months), I'm told to set it to never expire. I let them know that is a violation of security policy and I won't do it. A few minutes later, my boss orders me to do it.

        So, proper security policy was circumvented because schedules were not being met and someone was too impatient to wait a few minutes every 3 months (or warn me in advance they will be staying longer). I don't see how giving an time-unlimited password with full domain admin access to a non-employee was any fault of the sysadmin.
  • by seanvaandering ( 604658 ) <sean...vaandering@@@gmail...com> on Monday October 18, 2004 @02:06PM (#10558313)
    Well, if you think you are, then why not see if your prone to phishing scams, or if it's a legitimate e-mail offer! Take the Mail Phishing Test [mailfrontier.com]

    Enjoy! ;)
  • by xethair ( 692050 ) <robert@concordantthought.com> on Monday October 18, 2004 @02:11PM (#10558363)

    Does anyone else think that the only real problem here is HTML email? It's good for nothing, wastes resources, and enables pretty much every kind of annoying spam, hidden redirect, tracking bug--it just keeps coming. Why do we have to build all these widgets to help users see that URLs aren't what they say they are, and such? Do we really want to wait for the spammers to start building javascript messages that alter the url after/when clicking, or whatever next becomes really annoying to people?

    Isn't this enough of a problem yet to get the asinine companies that forced HTML down our throats (I'm looking at you AOL, MS, etc) to reconsider? Make the common clients block/ignore the HTML by default and *never* send HTML messages, instead of the current tactic of trying to trick or force users to send as HTML (maybe with an additional text version, if we're lucky), to just drown out the people asking for plain text.

    Maybe I'm just bitter. It's always so difficult to watch stupid obvious mistakes blossom so thoroughly predictably. At least I can filter most all the spam by dumping HTML messages.

  • by DarrinWest ( 203204 ) on Monday October 18, 2004 @02:17PM (#10558425)
    I very recently complained to Schwab IT about their online statement delivery. It comes in an email, contains an html doc that contains a java app that directly asks for my account and password info. I wrote them a letter saying how bad an idea that was, and that it encourages less sophisticated users to trust the sender too much.

    Their response indicated they didn't even understand what I was talking about. Should I have called it "Phishing"? I doubt it would have helped. How can a customer educate these people, and why should I have to? (Maybe someone in their IT dept reads slashdot :)

    Here is my letter:

    To Director of Technology,

    I am disappointed in the security offered by the transaction statement I receive each month. I am required to save an html file, which when opened presents me with an account/pin dialog.
    - I have no way of knowing where that information is going to be sent.
    - I cannot verify the originator of *any* email. How can I be sure that *this* email is definitely from schwab.com? (one b or two?) If the email is spoofed, the contents of the html document are suspect, putting my password etc at risk.
    - Since this arrived by email, I did not initiate the connection. It is generally a bad practice to give out personal information when one did not initiate the transaction (even in a phone call).
    - The process required by your system encourages less sophisticated users to develop poor security habits, such as responding to emails (of unknowable origins) with personal information.
    - I would feel *much* more secure if I initiated an https connection to a web address that *I* know is legitimate. It is significantly less likely an https connection mechanism would be exploited than a simple email message.

    Until something changes about this process, I have no alternative but to consider these emails SPAM, and am in fact getting no benefit out of receiving them.

    And their response...

    I appreciate your concerns regarding your request of electronic statements. In regards to your concerns, PostX technology sends an "HTML envelope" that contains the encrypted payload. This "HTML envelope" opens to present the user with a prompt for the users password. Once the password is entered the local javascript or java applet accepts the user password and decrypts
    the payload.

    Documents sent through the PostX platform are encrypted with highly secure, industry standard algorithms. Symmetric encryption defaults to ARC4 but AES encryption algorithm is available as well. End to end encryption between users or firms assures the highest levels of confidentiality for critical, sensitive or personal data on public networks. The password is hashed with 160 bit encryption (SHA1) with a large random number. This hash is then used along with the chosen encryption algorithm to encrypt the payload. The encryption is very secure. The most venerable part of the process is the password itself.

    If you still have further concerns regarding the security of the contents that you have chosen to have delivered via email, then you may want to elect to cancel this request. You may do so by following these simple steps: ...blah blah...

    Sincerely, ...blah...
    • by Convergence ( 64135 ) on Monday October 18, 2004 @03:17PM (#10559010) Homepage Journal
      The solution to this is a little white lie. When you recieve those messages, report them to Schwab that you believe that they are fraudulent and attempting to obtain your account details.

      When they reply saying that 'these are legitimate emails', ask them how you are supposed to tell that they're legitimate. If they give a good answer, your problem is solved. If they are unable to give a good answer, hopefully they'll realize the point that you're trying to make.

      Lather rinse and repeat on any other vendor that sends emails that can be easily mistaken for phishing.
  • Identity Theft (Score:3, Interesting)

    by Stiletto ( 12066 ) on Monday October 18, 2004 @02:57PM (#10558812)

    Identity theft is only a problem because we attach so much weight and importance to our individual histories. If we would stop screwing people over for life after things like bankrupcy, or when they fall ill, there wouldn't be a need to get other people's "clean" identities.

    As someone who can't even get health insurance because of some mysterious "red flag" in my past, I can see why someone could get desperate enough to try to become someone else! I can't even imagine a scenario where I couldnlt open a checking account because I made a few mistakes as a young adult.

    Identity theft won't stop until this "you are your credit score" mentality goes away!
  • Paypal SUCKS (Score:4, Interesting)

    by Jesus IS the Devil ( 317662 ) on Monday October 18, 2004 @03:04PM (#10558890)
    I just got scammed out of a thousand dollars from a crook who used a stolen "verified" Paypal account to pay me. When I saw the payment to be legit I let the guy pick up the merchandize from my house.

    A few hours later the item was charged back by Paypal saying it was unauthroized.

    Have a question for you guys. What are my chances to find Paypal liable for the loss if I can't find this crook?

    Here's my take:

    One is that Paypal sees themselves as an escrow service. If such is the case they have the right to intervene and take back funds from transactions that are deemed illegitimate. However if so, then they also have an obligation to ensure that account charges are in fact legit. The only reason I accepted the payment was that it was from a "verified paypal user". Therefore Paypal is liable.

    The other argument would be that Paypal isn't an escrow service, but only a payment transfer service. If this is the case, once the money is in my account it belongs to me (like a cash exchange). They have no right to take it out of my account and put it back.
  • by Thunderstruck ( 210399 ) on Monday October 18, 2004 @03:15PM (#10558991)
    ... so can we actually type out "legitimate" instead of using "legit?" I mean, I realize we all miss the days of "I checked it out and its legit, Microsoft will send you a zillion dollars if you forward this email to 10 people..."

    If we don't use the word legit, it will serve as a spam flag.

  • by esme ( 17526 ) on Monday October 18, 2004 @03:16PM (#10558997) Homepage

    I see a lot of people blaming stupid people for this. And stupidity, naivete, etc. are definitely part of it.

    But the fact is, some of the phishing emails look really good. I got one last week that was identical to a legit Citibank email, except that it went to http://citibankgroup.biz instead of https://citibank.com. Given all the weird URLs and bulk mailing companies banks use (and the fact that a lot of normal users view URLs to be voodoo), it not surprising to me at all that people fall for this stuff.

    In the end, this is just a special case of spam. Verifying the sender using SPF or any of the other systems being adopted right now, will solve this problem. And disabling HTML email (among the worst design decisions ever made, IMHO), would also help a lot.

    -Esme

  • by jasoncc ( 754385 ) on Monday October 18, 2004 @03:43PM (#10559209)
    I'm going to state the obvious because I'm bored at work.... As the "People in the Know", it is our responsibility to inform our grandmothers, friends, co-workers, etc. of all the pitfalls of the online world. For each person close to us that we can warn, that's one more person who will learn the "easy" way. The rest will have to learn the "hard" way by getting burned. Eventually everyone will learn. Unfortunately, there will always be new and more creative scams. "Fool me once - shame on you! Fool me twice - shame on me!"
  • by mixy1plik ( 113553 ) * <mhunt.ecin@net> on Monday October 18, 2004 @03:57PM (#10559313)
    On Friday, I received an email from "eBay" that my account was being suspended. This came just after:

    - I posted an item for sale
    - I realized I owed eBay about $40 in back listing fees

    It was just before I was going to get into bed, and I skimmed over the message as I usually do before deleting it. My usual thinking: "Sure", I thought, "I'll get back to it tomorrow and pay them." This time around, I clicked the link and got the "standard" eBay login screen. Being tired and lazy, at this point I didn't even glance at the URL. I entered my login and password for eBay, and as it was redirecting I glanced at the address bar, and in horror I saw "cgi2.eb4y.com" or something munged like that.

    In a panic, I immediately changed my eBay password, and all is once again well on my happy little computing planet. That being said, had I not caught that and gone straight to bed, who knows what I would've woken up to. The moral of the story is that you really have to be on your toes. The circumstances surrounding this dodged-bullet really were a perfect setup for me: owed eBay money, just posted a new item for sale that day, fatigue...

    Common sense is the key!

  • by scupper ( 687418 ) * on Monday October 18, 2004 @04:17PM (#10559451) Homepage
    E-mail scam plays on US elections
    By Alfred Hermida
    Published: 2004/10/05 08:50:43 GMT
    BBC News Online technology editor

    http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/3 714944.stm [bbc.co.uk]

    People are being warned about a scam e-mail which uses the US presidential poll to con them out of their money.

    A junk e-mail invites people to dial a premium rate number to express their support for President George W Bush or rival John Kerry.

    E-mail filtering firm BlackSpider estimates that almost a quarter of a million are being sent out every day.

    In the past, net fraudsters have tried to use the 9/11 attacks and the tragedy in Beslan to get money.

    900 number

    At first glance, the presidential election message appears to be legitimate, saying it was sent from a Lycos.com address.

    But BlackSpider Technologies said it had traced some of the e-mails to a server in the Czech Republic.

    No doubt we will be seeing some messages like this in the next general election in the UK John Cheney, BlackSpider Technologies The mail reads: "Fellow Citizen: The extremely jubilant crowds in Baghdad appeared to vindicate President George Bush's belief that the military action in Iraq was the right move.

    "But many questions still remain over the lack of hard evidence of Saddam's weapons of mass destruction. With these tough times before us, let us know."

    It goes on to ask readers if they support President Bush, prompting them to call a 900 premium rate number.

    It says votes will be sent to the Bush and Kerry campaigns.

    In an effort to convince people it is a genuine message, the e-mail says who commissioned the poll.

    The mail adds that the calls will cost $1.99, saying this is "a little price to pay for a better democracy".

    "This is a relatively new scam," said BlackSpider CEO, John Cheney.

    "The question is, are they breaking the law? In the UK they are, in the US they are not."

    Sending unsolicited messages to personal e-mail is barred in the UK. But in the US, people have to opt out of receiving these sorts of messages.

    Hotbed of scams

    BlackSpider estimates that 240,000 of the presidential scam e-mails are being sent out worldwide a day.

    The lack of any spelling mistakes and its resemblance to a genuine message means that it could slip through the spam filtering of home users.

    This latest scam reflects how the nature of spam is changing.

    In the past, spam was dominated by pornography. These days spam is a hotbed of financial scams, as well as a black market for fake pharmaceuticals and software.

    E-mail scams known as phishing have tried to trick customers into giving away confidential bank details.

    Other scams known as 419 try to part people from their cash by telling them they in line for millions from a deposed African leader.

    The US presidential mail is just the latest trick used by spammers to part the unwary from their money.

    "No doubt we will be seeing some messages like this in the next general election in the UK," said Mr Cheney.

If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol

Working...