Posted by CmdrTaco from the stuff-to-think-about dept.
mleachpdx writes "This blog entry probes into the details of an online banking phishing scam and suggests some fraud deterrence and detection measures."
From the article: "The home page of the phishing site looked identical to the actual online banking site. I was impressed. Someone had spent a considerable amount of time mirroring the entire look and feel."
Or they just used the Spiderzilla extension for FireFox and downloaded the entire site. Wow, that scammer went to a lot of work. I have gotten these scams before though, and it is no laughing matter that they go to a lot of trouble to look legit. And I bet the estimate of 15% of people who fall for it listed in the article is actually a little low.
How is it possible to make money, knowing the login name and password for a bank's customer? The only actions allowed are transferring money from one account to another, ordering new checks, and finding the check amounts and account balance.
Which bank does not allow you to make payments to other people? What is the point of online banking if you can only shuffle money between your own accounts.
Of the four banks with which I have bank accounts, all allow me to make payments to anyone else whose account details I know. I can also make SWIFT [swift.com] (i.e. international) transfers to any account worldwide, by providing branch SWIFT code and account number.
Where I bank, the online facility allows me to write a check to anywhere I damned well please. *That* is what scares me about these bank phishers. There are too many gullible sheeple out there that would fall for it and end up with empty bank accounts.
Mine has the option to send what they call "email alerts", for example if your balance goes below a certain point they send you a quick note. There's a whole bunch of different triggers you can set online to determine what kinds of alerts you get. Kind of handy, actually. But they're strictly informative messages: no requests for passwords or anything like that. Of course, they all come addressed from "The Financial Team" which my spam filter decided was too spam-like and proceeded to remove them.
Mine once froze my accounts because they suspected fraud. (Some overzealous algorithm decided my spending habits had changed too radically one week.) I got both a phone call (taken by my answering machine) and an email. I've never been asked for my username, password or credit card number though.
Your DNS, or the DNS for your area, is hijacked, and everybody who uses that DNS is called up and told to log on to their bank in order to do something important?
Second solution is: One-time passwords. I have a long list of login passwords and confirmation passwords, and a numerical customer ID known only to me. When they start running low, I can easily get a new one (mailed to me). So what if I happen to login to some fake site? The worst that can happen is that I waste
the way it's been done here for almost a decade is this.. you have login and a password(which happen to be numbers) which you use to 'get in'.
then to do any transactions, to open any accounts, to apply for a loan or just about anything other than just checking how much cash you have the system asks a number from a list of one-time passcodes they've sent to you through regular mail(basically "enter the number pair for the number 4323 on your number card").
the card with the one-time-use passcodes is a plast
Sure, I'd say that's good enough, but someone could still check you account balance whenever he wants. (I'm assuming the login thing never changes) In my case, you need the one-time pass even before that, and the paper they come on can be folded and put in the wallet too:). After doing your business, you confirm with a pass from a second list, that you can store separately if you want.. you could for example do all money transfers from one location, and then confirm everything from another computer/city/co
"When you sign up, the bank asks you for your 'personalised code', and that will be displayed in every email you receive from the bank. If you don't see that code in your email, or it's wrong, you know it's fraudulent."
And this code would be sent through which secure email-delivery system exactly? Plaintext SMTP on the internet, like all the other emails from your bank?
Hell, banks don't even sign their emails. Many of them don't even know what PGP is. How many of us have had conversations with our banks along the lines of:
You: I just got an email purporting to be from you
Bank: Yes, that's right
You: So how do I know it's real without phoning you
Bank: Because it's got our name in the From field
You: Did you ever consider signing your emails
Bank: OUR INTERNET IS SECURE, WE USE HTTPS WEBSITE!!!
And this code would be sent through which secure email-delivery system exactly? Plaintext SMTP on the internet, like all the other emails from your bank?
I see your point, but _anything_ that is an indicator that the bank actually knows you would reduce these phishing scams. They are generic, and the only thing that identifies the mail as being sent to you might be the "To:" field in the email, but that may also say something like "dedicated_customer@bank.com".
"What the hell has secure-email delivery got to do with it? Unless the phishers have somehow gotten hold of an email from your bank to you, they wont know your phrase, simple as that."
Okay, and how do the spammers get somebody's email address to start with? Oh yes, a virus emails the contents of their inbox to a Russian server.
Along with your special code.
And don't pretend that you can just secure your computer -- there have been 5 major windows viruses already this year, and as far as I can tell, nearl
The problem is, that sort of thing only works with customers who have some awareness of security. This group of people are not likely to fall victim to a phishing scam anyway.
The target audience for phishers is more likely to either not notice, or to think "Hmm, the bank must have changed its security system. I'll just do what this link says and my money will be safer than ever!".
One critical thing to do about Phishing is to get Banks, E-Bay, e-gold, etc. to publish SPF codes for their email servers. That would permit any ISP or end user whose spam filters support SPF to discard most of the Phishing mail unseen, rather than depend on the user to notice that it's fake. Digitally signing email is also important, but at the moment SPF is more useful for most people, since Joe Gullible isn't going to validate signatures anyway.
Limit access to customer records. This is pretty much standard practice in the banking industry anyway, but I found it eerie that my phisher knew what institution I did banking with. How did they know this?
Well, I've received several of these mails, but I do not really think they go by any kinda cue -- I've received mails from various banks from around the US, so I think these guys randomly see where you are, make a wild guess at the likely bank and send you one.
For instance, several students at GTech (where I study) have their bank accounts in a certain bank (which we shall call W) -- and a lot of these scams are directed at GT students pretending to be from W.
However, that said -- I'd not be surprised if they actually did some dumpster diving and found out these kinda details. Spooky, man.
Okay, I realized that I contradicted myself a little up there -- I meant that these guys don't go by any cue based on any serious evidence (like your statements or insider operations) -- they probably look up your e-mail address from your website or Blog or whatever, guess where you are from and use that information to target the bank you're likely to be from.
Because I had a page which listed me as working in a certain lab that I used to work at, and some of these scams used to contain spoof elements of
they probably look up your e-mail address from your website or Blog or whatever, guess where you are from and use that information to target the bank you're likely to be from.
They probably don't do that much targeting. Set up the phishing site, send the spam to every address they can come up with, and hope for a few suckers, more likely.
That startled me, too. Phishers don't typically target individual users, they send out the same mail to every address they can get hoping that some percentage will actually have an account with that bank.
I've also gotten scam mails for various banks. The sophisticated ones took into account that my address is German (ends in .de), but I also get some for American banks. Some of the German ones actually got the institution right, but that's not too hard: there are a couple of really large names that probabl
I must have got a dozen or so of these in the last few days, my spam appears to go in phases... either I'm in dire need of sexually-enhancing drugs, about to die from malnutrition, or they're all just after my CC details...
It's just a blanket 'attack'. Email is cheap, and they're not trying to be smart because they don't need to be.
I got one recently from someone who purported to be my phone company telling me that my bill was due in a few days and that I should go pay it online. It actually seemed legit because it had my phone number in it and it was to an email account I had given the phone company. However, the bill due date was wrong, and I had already paid the bill for the month. So I put it in the "deal with later" pile.
It wasn't until later that I realized that it might be a phishing scam. Further research indicated that i
by Anonymous Coward on Sunday November 07, 2004 @10:40AM (#10746461):
Why not give consumers one time access (through pads)? This is done in Japan and works well there. Maybe consumers here would lose their card? The card isn't electronic, it's just a card with PIN numbers that you scratch off each time you use the PIN number.
Banks should STRONGLY educate consumers to never expect emails from the bank that contain links.
"Why not give consumers one time access (through pads)?"
Ok, look at the story from the perspective of a real-world bank, rather than a mythically secure one.
There's a bank in the UK called cahoot (part of abbey national) which offers one-time credit cards that you can use over the internet. For those of us who use the same card for foreign pr0n sites, that sounds quite useful, right?
That's the smart bit. That was the good idea. Their security goes downhill for the rest of the story.
Drown them in noise. Every time you get one of these emails, visit the site and enter bogus information. That's what I do. It might not be enough to get the scumbags caught but it must certainly be an annoyance to them. And who knows, a few bogus logins might be enough to get alarm bells ringing at the bank.
I reckon banks could do something similar too. Create some honeypot accounts, and track how the criminals attempt to access it. I'm sure they could play a few tricks with a seemingly big fat balance that could make the criminals reveal their hand.
Username "PHISHINGSCAM" Password "QUICKGETEM" Name "CALL SECURITY" DOB "01/01/1337"
This would be cool to try. But tbh, I reckon they would just take the list and try those that look legit.
What we could do is simply forward any phishing scam mails to a central phishing clearing house. The banks could fund a small team to handle collective online fraud.
In other words, make them look legit. Enter a well formed but bogus account / credit number, valid sort codes, expiry dates, names, PINs memorable dates etc. If you have an account with the target bank you could even ensure you enter an account number of the correct length and has the first four digits as your own.
The only way they have to separate the wheat from the chaff is to actually try them. If they're really stupid, they (or their underlings) may actually get caught when they attempt to withdraw ca
Enter a well formed but bogus account / credit number,
Today I got one of these fraudulent "the bank needs your information" E-mails. So, I thought, let's give them some noise to fill their log.
But the credit card number I made up was detected as non-existent - or at least the fake website said so.
Now, is there any way to:
1) Generate fake credit card numbers that pass as "valid"
2) Do this, and be certain that no-one actually owns that particular number, and if so, still not get into trouble?
But the credit card number I made up was detected as non-existent - or at least the fake website said so.
Now, is there any way to:
1) Generate fake credit card numbers that pass as "valid"
They're probably doing something trivial with Luhn numbers. [webopedia.com] Trivial to implement, trivial to spoof. Generating apparently valid but fraudulent card numbers is known as carding. [creditcardco.co.uk]
2) Do this, and be certain that no-one actually owns that particular number, and if so, still not get into trouble?
Trouble with whom? The scammers? If you aren't using the number to commit fraud, I wouldn't worry. We want to get the phishers in trouble!
They may also know what BIN [wikipedia.org]s they are looking for. The first six digits of your credit card number are the Bank Identification Number, which identify the issuing bank and (often) the type of card.
Some card generating products, such as Creditmaster, have a database of BINs as well as an implementation of the Luhn algorithm. Thus you can (say) ask for a random Bank of America Visa Platinum, rather than just a random 16-digit number that passes the Luhn check.
Well, The algorithm for the OSCommerce cc check is as follows:
1. Remove any non-digits from the string.
2. Reverse the string.
3. Double every second digit counting from zero (i.e. first one gets doubled).
4. If a doubled digit is >= 10, add the 2 digits together (i.e. 12 becomes 3).
5. Add all the digits together.
6. If the result is exactly divisible by 10, then the card is valid.
... ... ...
8. Profit
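An added example, not code from the thread or from osCommerce: the Luhn check above written as a validator, plus a scanner that flags Luhn-valid digit runs in captured text (a log line, a dump of form posts) together with their six-digit BIN, which is the defensive use of this check (spotting card data in transit or in a breach dump). Standard Luhn doubles the digits at odd zero-based positions of the reversed string, so the rightmost check digit itself is never doubled; the sample text and the 4111... number are constructed test values.

```python
import re

DIGITS_ONLY = re.compile(r"\D")


def luhn_check(number: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum.

    Steps as described in the comment above: strip non-digits, reverse,
    double every second digit (starting with the second from the right; the
    check digit at index 0 is not doubled), fold doubled values >= 10 to a
    single digit (12 -> 3), sum everything and test divisibility by 10.
    """
    digits = [int(ch) for ch in DIGITS_ONLY.sub("", number)]
    if len(digits) < 2:
        return False
    total = 0
    for idx, d in enumerate(reversed(digits)):
        if idx % 2 == 1:
            d *= 2
            if d >= 10:
                d -= 9  # identical to adding the two digits of a 2-digit value
        total += d
    return total % 10 == 0


def bin_of(number: str) -> str:
    """First six digits: the Bank Identification Number of the issuer."""
    return DIGITS_ONLY.sub("", number)[:6]


# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run (so a 20-digit reference number is not partially matched).
CARD_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_card_numbers(text: str):
    """Scan free text for card-like digit runs that pass the Luhn check.

    Returns a list of (normalised number, BIN) tuples. Luhn only filters out
    typos and random digit strings; a passing value is a candidate, not proof
    of a live card, so treat hits as something to review, not as ground truth.
    """
    hits = []
    for m in CARD_RUN.finditer(text):
        raw = m.group(0)
        if luhn_check(raw):
            hits.append((DIGITS_ONLY.sub("", raw), bin_of(raw)))
    return hits


# Constructed sample: one Luhn-valid test number, one that fails the check,
# and a phone number that is too short to be mistaken for a card.
SAMPLE_LOG_LINE = (
    "user=jdoe card=4111 1111 1111 1111 exp=12/07 cvv=123 "
    "phone=503-555-0123 bogus=4111111111111112"
)

if __name__ == "__main__":
    for number, issuer_bin in find_card_numbers(SAMPLE_LOG_LINE):
        print(f"Luhn-valid card-like value {number} (BIN {issuer_bin})")
```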
Drown them in noise. Every time you get one of these emails, visit the site and enter bogus information.
I've always wanted to find a way to automate that. Have a site where you could submit a phishing site, have it analyzed and then feed it a bunch of noise.
If it's all done from the same computer, smart people could weed out the noise by IP address, so you'd have to account for that somehow, too.
Once you make enough noise in the system, scams like this do not remain economical, I would think.
> It might not be enough to get the scumbags caught but it must certainly be an annoyance to them
People say that about spammers. I'm sure they're annoyed with the millions they make from their activities.
The best way to avoid getting hit by phishers is to delete any emails that claim to come from your bank, paypal etc without reading them. And if they insist that they contact you via email rather than post, or via messages readable once you've logged on then I suggest you close your account with th
I've been meaning to make a little python library to make writing new noise scripts quick and easy. I get one of these phishing mails once every couple of days. I figure if I was quick I could drown their database in noise, especially if I made it pipe the requests through a random selection of public proxies.
If I ever get around to writing something like this, I'd be tempted to share it, but its power could be used for Evil as well as Good. Also, bizarrely enough, using such a program is probably against
Slashdot moderators rejected an article I sent in over a month ago about this very concept.
A lot of times, you can send a URL encoded request (GET Request) to fill in bogus data from the address line. I've happily sent random values to these seedy servers with a small bash script using lynx.
I suggested that one or more popular websites add a new 'banner ad' whose image location is a properly formed URL to submit a random value to a known phishing server. As people come by the site, a new request is sent t
Artists against 419 [aa419.org] is also interesting. They are working against the phishing schemes of 419 scammers. If you've got bandwidth to spare, be sure to check out The Lad Vampire [aa419.org]
Please modify the news post and add one of those links. They could use the help of a lot of slashdotters, I think.
The EBay request to verify account information. I've received this several times. Perhaps the financial institutions don't do much because a small country in Africa isn't going to let U.S. law enforcement take care of the problem. Too much corruption is usually the case.
The maxim I always use is: The company that holds your account never needs to ask you for your password since they already have it.
Something many probably don't know is that your local police dept. probably has a high tech crimes unit. They will investigate and prosecute illegal activities like snooping around your company network. They can be very helpful.
The maxim I always use is: The company that holds your account never needs to ask you for your password since they already have it.
Eh, unless they want to verify that you know the right password, which is what these kind of scams are giving the impression of - a complete login page.
The maxim I always use is: The company that holds your account never needs to ask you for your password since they already have it.
I would add: Often the employees of the company don't have access to the password because it is encrypted on their end. But the institution can change or reset your password without knowing the old password. This is usually preceded by a manual check performed by customer service over the phone to ensure you are really you. They might also ask you to come into the bank and provide ID.
Enough already with this "a blog entry says" stuff. Can we please get some ACTUAL news on this site and not just someone's rantings on a BB? Is that too much to ask?
In a mailing list I administer, and in my own personal address (time to test the new "report phishing" gmail feature), I received today what could be the same message, but the IP it pointed to resolved as ipvpn101156.netvigator.com (doesn't look like it's in Zimbabwe) port 38, which looked like a Windows 2000/XP with too many open ports.
Probably that message is sent from hacked/owned/not patched Windows machines that send the entered info to the real criminal. I suppose that for really knowing who he is, those "infected" machines should be hacked back, or the provider of that internet connection should contact/give the address of the owner and check the programs there.
I still don't understand, do these banks just give their customers a login/password for their account?
The bank I use gave me a little authentication device which, combined with my bank card, my personal code and a random code provided by the bank site, can generate digital signatures. In order to login and in order to make all transactions final I must provide the right code. I've been using this system for about 10 years now; if those exploitable banks still use normal password protection it's their fault they're exploited this way and there's no way customers should be responsible for it.
My bank issues two codes, a registration code and an id code. These are used together with your card number when logging in, and you're encouraged to change them on first log in.
So, essentially I have two passwords, but they're both required to log in. I've not heard of any UK bank that issues anything like the authentication device you describe.
Some banks get fancy and use SecureID or similar access tokens, but most US banks seem to only use login and password, and it's not uncommon for the password to be your ATM PIN.
I have used the same bank for over 15 years for my personal checking account.
I have not gotten one email from that bank (either legitimate email or a phishing scam with that bank's name or fake url).
That bank does have my email address.
I have gotten phishing scams that have ebay in them (I do have an ebay account). I have also gotten phishing scams with the names of other banks in my area.
I think they go by geographical data for banks. For ebay, it's no problem. They can scan ebay's pages and get sellers' ebay account names with no problem.
I misread the subject line on this article, thought it read Fisting for Phishers. Now that is a punishment that would work pretty good, once word got out!
I work for a company that attempts to protect its customers from this kind of fraud. We monitor domain registrations to locate potential phishing scams. It's interesting to see that it's not only banks that are hit with this kind of scam. These guys will set up an entire shopping cart taking credit cards that mimics an online store like Dell. It's a pretty interesting scam that only seems to be gaining popularity.
It's not a major concern in the 3rd world so these guys have no reason to stop. We've seen scams like this based out of Russia, Brazil, China, and several African countries. It will be interesting to see how this all pans out.
by Anonymous Coward on Sunday November 07, 2004 @10:58AM (#10746533):
In order for them to get their ill-gotten gains, they have to eventually withdraw some money from somewhere. It seems it would be trivial for INTERPOL or some other agency to set up a bunch of bank accounts with a few thousand dollars/euros in them and then start responding to all the phishers. Then just follow the money to the crooks. What's the big deal? Is there just no will to do this or am I missing something?
Is there just no will to do this or am I missing something?
I doubt it's that easy or simple, but. The authorities tend to be good at gathering and accumulating statistics. The banks should also be concerned that somebody is using their identity fraudulently. Savvy users forward the email with headers to such as abuse@citibank.com (which bounces, so there probably is no will to actually do anything about it).
Seems that if the authorities are to be able to do anything about it, they need lots of in-depth info
The money doesn't go to the criminals; it goes to a mule who thinks he's processing charity donations. Then it goes to another mule who thinks she's reselling computers. Then someone uses the cash to buy a plasma tv and send it to some other country. Then the recipient sells the plasma tv and wires the money to someone else.....
The basic problem is money laundering, and we still don't have a good handle on that.
It's definitely becoming more of a "mainstream problem". After all, the whole identity theft problem is perfect Dateline/60 Minutes material.
Has anyone else noticed that the folks at Gmail have added a "report phishing" feature? When you view a message, click "More Options" and you'll see it.
Then again, maybe it's been there for some time and I just haven't noticed (it definitely wasn't there when I first got my Gmail account though and it doesn't appear to be listed as a new feature).
The Lad Vampire [aa419.org] is a project of Artists Against 419 [aa419.org] which has taken down ~150 scammer websites. The scammers tend to have lots of websites out there for their fake banks, and they're usually cheap and disposable and typically have monthly bandwidth limits. The lad vampire page shows images from 20 or so of the sites, and keeps refreshing them rapidly until they've burned the monthly quota (after all, a few hundred people with DSL lines or cable modems can use a lot of download bits.) When one scammer fak
Honestly how stupid are you people to fall for any of this. Absolutely do not respond to any request from anyone to provide any information for any reason whatsoever. Not even from someone who purports to be from the government. If anyone needs to get in touch with me that badly they can send a letter registered mail or have their attorney contact me.
Great advice if you are computer literate. You fail to realize that a very large percentage of computer users 1. Do not read slashdot and 2. Have no idea that they shouldn't trust the official looking emails they get. (If you received a physical mail on bank letterhead that said please visit your branch to confirm some details with your account, you'd probably trust it.)
How exactly are these newbie users supposed to get the information that the web is different than real life? Watch the RvB PSA (yeah, my 6
Nonsense. Before there were computers there were credit card companies and banks. If they called you up asking you to verify information they're supposed to have you'd be an idiot to give them that info.
There is little new under the sun. Just because we give it an incredibly lame 1337 name; "PHishing" doesn't mean it's not a hundred year old con game.
What monetary transaction can you make on an account that leaves no trace?
In every case getting cash out of my account involves paying a bill (to an authorized agent like VISA), or emailing money or transferring money to a 3rd party acct. All of these leave a trail that banks can recognize and plug.
I once changed my buying habits with my VISA card and had to confirm my identity before the transaction could be authorized. Since fraudulent VISA transactions cost VISA, it appears that when it affects the bott
It's amazing what people will do for you for some cash.
My friend's paypal account was ripped off. A 3rd party bought a camera and shipped it to Russia, because the auction's shipping was only available in the US and the Russian wanted the deal. The Russian supplied my friend's paypal and a $20.
The camera is safe in Russia while the idiot who bought it had a chat with the police.
Just like spam, can we @/. take any countermeasures? I'm not up on this stuff, so if I make a few silly suggestions, please give me a break.
Pick a phisher/spammer and /. them
Send a reply with the name of a pop tune or movie in the title.
Send a reply with a big attachment
Send a reply with a virus attached
If it's possible, think of all of on one day, sending an email with "White Houses" on the title, and a 4 Mb attachment to a spammer / phisher. A toasted server, maybe?
So you're advocating a distributed denial of service attack on somebody's server?
An actual phisher would undeniably deserve such a treatment and much more, but that doesn't make it okay. But what if you make a (gasp!) mistake? You could be asking thousands of Slashdotters to participate in a DDoS attack against someone who might be completely innocent, or whose only 'crime' is that their own server was compromised and used by the real phisher.
You could be asking thousands of Slashdotters to participate in a DDoS attack against someone who might be completely innocent, or whose only 'crime' is that their own server was compromised and used by the real phisher.
... or that their server is hosting a site linked on Slashdot. Same effect.
This is most certainly vigilante justice, and it is most certainly illegal. What people like you who want to go around DOSing phishing sites off the web seem to forget is that there are OTHER PEOPLE using the SAME BACKBONE.
When you can't get to www.pornopalace.com or whatever sites you like to visit every day because there just happened to be a phisher in the same co-lo, and a bunch of vigilantes decided to DOS that phisher off the net to protect the innocent (and the stupid), or when your personal site i
This isn't vigilante justice. A web site that is up, running, and is a financial danger to grandmas everywhere MUST be taken down. A web site that is up, running, and compromised MUST be taken down.
So, who decides which web sites MUST be taken down, and which may be allowed to remain? You? Oh, I see. And this differs from vigilante [m-w.com] justice exactly how? Let's take a look:
a member of a volunteer committee organized to suppress and punish crime summarily (as when the processes of law appear inadequate); bro
I have a serious ethics question. Assume I have a tool that I wrote. It generates false account information and plugs it into a scammer's form repeatedly. Logically, if the scammer receives enough invalid responses, they won't be able to filter out the valid accounts from the invalid accounts. Also, the collateral damage is very limited - a trickle of bandwidth. The targets (phishing scams) are easily identifiable. And regular law enforcement has shown to be extremely ineffective in stopping this kin
To draw a parallel, your writings suggest that you would let your neighbor be raped by a thug in the street. After all, maybe she's into that faux rape thing that you see on "your favorite port site".
Hopefully that's not the case. Hopefully you'd take some action above and beyond going home, calling 911, and waiting 15 minutes or more for the police to arrive.
Yes, of course I'd intercede if someone were in direct physical danger. I'd also take action if I saw someone about to reply to a phishing scam.
OK, not a victim. Let me restate: I am the recent victimizer of a scammer looking for a victim.
And I have a new $3000 to prove it. Sent to me directly from an "honest businessman" from Nigeria. Really. It was FedEx'd from Nigeria. From a guy named Walter Nabanu.
OK, I don't have a new $3000. But I have a check that says it is worth $3000. But I'm not going to cash it.
How much does it cost to Fedex an envelope from Nigeria to the US?
Is the day that some phisher gets control of an ISP's name server, either by hacking it or by being in cahoots with the ISP. They could then redirect somebank.com to their own server, and just sit back and let all the unwitting victims come to them. Throw up a "service not available, try again later", message after login, and the victim would leave, totally unaware.
What would be the best way to protect yourself against this? Is it possible to set up caching DNS to pool from multiple independent sources
Genuine banks' web-sites should have digital certificates signed by known authorities (Verisign, etc.). If I know my authentication schemes correctly, this signature is nigh-on impossible to forge (one of those "mathematically hard" tasks). Thus, even though the name resolves to a bogus server, the certificates don't add up. To make a convincing effort, a phisher would need access to private data from within the on-line bank's systems (i.e., run an inside job).
I have a fair degree of familiarity with this issue and have some comments on the blog entry.
Limit access to customer records.
There's almost zero chance the phishers knew the author had an account at his bank. They use spamming techniques and count on getting lucky.
Financial Institutions could automate the process of identifying where their logos and site images are used as a standard practice of trademark enforcement.
Some financial institutions already do this but it is very expensive. Despite the
Every time I get a phishing scam, I contact the affected bank's security department providing them all of the information that I've developed. In many cases this is made extra difficult because the only method they provide of contacting is a web-form. With these, I have to cut and paste the header info and so on. It really sucks.
Usually, no matter what the method of contact, all I get is an email reply with boilerplate info telling me how to protect myself against these scams. This is utterly stupid,
I read an article once by someone familiar with security/fraud divisions of large banks and the like. (Sorry, I can't seem to find a link or reference at the moment.)
But essentially the gist was they need the fraud to occur in order to do anything about it. Their entire machinery for dealing with fraud requires that it has already happened, i.e. the money has changed hands. They start to act after the fraudulent transactions have been processed. Apparently they need that amount of concrete evidence in
So, the solution is to open a bank account, put a minimal amount of money into it, and give it to a phishing site? Use a corporation or an LLC to keep your personal life as unaffected as possible. Of course, at that point, they'll probably require a minimum amount of damage, and I'm not willing to risk $25k on this type of endeavor.
I think there is a simple solution to this. If you are fishing for phishermen, as soon as you find one, fire off a script that will insert bogus (but legit-looking) information. Say they had a DB in which 90% of the entries were valid info from their victims; you could poison their database down to 20% correct quite easily, and they will either have to scrap the whole thing or risk getting nailed by international authorities for fraud when they try to use the false info, repeatedly (which they will of cour
Is evil. Don't read it. Persuade your friends not to read it. If someone legit sends you some, reply asking them to re-send in a sane format, explaining why.
It's a slim chance, but if enough people get irritated enough from having to re-send enough email, then perhaps we can still get rid of this idiotic idea.
The FA didn't give any reason for why he thought the phish was targeted at him. Without an explanation, I'm sceptical that it was targeted in any way.
I get phishing mails all the time - most commonly aimed at Citibank or Paypal, neither of which I do business with.
I don't know why the phisher would bother to target them. Seems like more effort than it is worth.
It's just aiming at the big players to maximise your audience. Currently, more people will fall for something like a Citibank scam than a LocalYokelTownBank scam. Yes, there will be gullible people in both groups, but a lot more with the larger bank.
Funny you mention that because just the other day I got a scam email posing as Citibank. About 30 seconds later, I got one from some local bank in North Carolina. I guess they are trying to cover all the bases.
More Info Available here (Score:5, Funny)
mirror.slashdot
There's currently a problem with our server; you will have to log in again to see the details.
(yes this is only a joke)
Re:More Info Available here (Score:2)
Or.... (Score:5, Informative)
ROI (Score:5, Informative)
How is it possible to make money? (Score:2)
Re:How is it possible to make money? (Score:3, Insightful)
Like from your account to mine...
Re:How is it possible to make money? (Score:1)
Transfers are between your own accounts. (Score:2)
You can ONLY transfer money from one of your own accounts to another of yours.
Re:Transfers are between your own accounts. (Score:4, Informative)
Re:Transfers are between your own accounts. (Score:2)
Re:Transfers are between your own accounts. (Score:2)
Solution: You authorise the bank first (Score:5, Interesting)
If you don't see that code in your email, or it's wrong, you know it's fraudulent.
Re:Solution: You authorise the bank first (Score:5, Interesting)
Re:Solution: You authorise the bank first (Score:1)
Re:Solution: You authorise the bank first (Score:2)
Re:Solution: You authorise the bank first (Score:2)
Re:Solution: You authorise the bank first (Score:3)
My bank doesn't even HAVE my email.
Re:Solution: You authorise the bank first (Score:2, Interesting)
Your DNS, or the DNS for your area, is hijacked, and everybody who uses that DNS is called up and told to log on to their bank in order to do something important?
Second solution is:
One-time passwords. I have a long list of login passwords and confirmation passwords, and a numerical customer ID known only to me. When they start running low, I can easily get a new one (mailed to me). So what if I happen to login to some fake site? The worst that can happen is that I waste
Re:Solution: You authorise the bank first (Score:3, Interesting)
Then to do any transactions, to open any accounts, to apply for a loan or just about anything other than just checking how much cash you have, the system asks for a number from a list of one-time passcodes they've sent to you through regular mail (basically "enter the number pair for the number 4323 on your number card").
the card with the one-time-use passcodes is a plast
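The indexed passcode card described in the two comments above (a numbered list of one-time codes posted to the customer, with the bank asking for a particular entry at each login) can be modelled on the server side in a few dozen lines. The code below is an added illustration, not anything from the page or from any bank's real system; the class and method names are my own, and the card size, code length and hashing scheme are assumptions. It shows the two properties that make a phished code nearly worthless: the server, not the user, picks which index it asks for, and every code is spent after one successful use.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple


def _hash_code(salt: bytes, index: int, code: str) -> bytes:
    # Bind the hash to the position on the card so a leaked hash of entry #7
    # cannot be presented as entry #12. The salt is per card.
    return hashlib.sha256(salt + index.to_bytes(2, "big") + code.encode()).digest()


class TanCardServer:
    """Server-side record of one customer's one-time passcode card (hypothetical model).

    The customer keeps the printed card; the server stores only salted hashes,
    so a leaked database does not hand out usable codes.
    """

    def __init__(self, hashes: List[bytes], salt: bytes):
        self.salt = salt
        self.hashes = hashes
        self.used = [False] * len(hashes)
        self.pending: Optional[int] = None  # index the server last asked for
        self.failures = 0

    @classmethod
    def issue(cls, size: int = 50, code_len: int = 6) -> Tuple[List[str], "TanCardServer"]:
        """Create a fresh card. Returns (codes to print and post, server record).

        The plaintext list exists only at issue time; the server keeps hashes.
        """
        salt = secrets.token_bytes(16)
        codes = [f"{secrets.randbelow(10 ** code_len):0{code_len}d}" for _ in range(size)]
        hashes = [_hash_code(salt, i, c) for i, c in enumerate(codes)]
        return codes, cls(hashes, salt)

    def remaining(self) -> int:
        return self.used.count(False)

    def challenge(self) -> int:
        """Pick a random unused entry and ask the customer for it."""
        unused = [i for i, spent in enumerate(self.used) if not spent]
        if not unused:
            raise RuntimeError("card exhausted; a new one must be mailed")
        self.pending = secrets.choice(unused)
        return self.pending

    def verify(self, index: int, code: str) -> bool:
        """Accept the code only for the outstanding challenge, then spend it."""
        if self.pending is None or index != self.pending:
            # Wrong or replayed entry: the open challenge (if any) still stands.
            self.failures += 1
            return False
        ok = hmac.compare_digest(self.hashes[index], _hash_code(self.salt, index, code))
        self.pending = None  # one attempt per challenge
        if ok:
            self.used[index] = True
        else:
            self.failures += 1
        return ok


def demo() -> Tuple[bool, bool, int]:
    """Genuine login succeeds; replaying that spent code later fails."""
    codes, server = TanCardServer.issue(size=10)
    asked = server.challenge()
    genuine = server.verify(asked, codes[asked])
    server.challenge()  # next login asks for a different, unspent entry
    replayed = server.verify(asked, codes[asked])  # what a phisher captured
    return genuine, replayed, server.remaining()


if __name__ == "__main__":
    print(demo())
```

Note the cost this puts on the customer: a code captured by a phishing page is still useful to the attacker if it is presented before the genuine login completes and the server happens to be asking for that same index, which is why the bank in the second comment also requires a code for each transaction, not only at login.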
Re:Solution: You authorise the bank first (Score:2, Interesting)
Re:Solution: You authorise the bank first (Score:5, Insightful)
And this code would be sent through which secure email-delivery system exactly? Plaintext SMTP on the internet, like all the other emails from your bank?
Hell, banks don't even sign their emails. Many of them don't even know what PGP is. How many of us have had conversations with our banks along the lines of:
You: I just got an email purporting to be from you
Bank: Yes, that's right
You: So how do I know it's real without phoning you
Bank: Because it's got our name in the From field
You: Did you ever consider signing your emails
Bank: OUR INTERNET IS SECURE, WE USE HTTPS WEBSITE!!!
Re:Solution: You authorise the bank first (Score:2)
I see your point, but _anything_ that is an indicator that the bank actually knows you would reduce these phishing scams. They are generic, and the only thing that identifies the mail as being sent to you might be the "To:" field in the email, but that may also say something like "dedicated_customer@bank.com".
The ease in making this kind of scam profitab
Re:Solution: You authorise the bank first (Score:2, Insightful)
Okay, and how do the spammers get somebody's email address to start with? Oh yes, a virus emails the contents of their inbox to a Russian server.
Along with your special code.
And don't pretend that you can just secure your computer -- there have been 5 major windows viruses already this year, and as far as I can tell, nearl
Re:Solution: You authorise the bank first (Score:2)
The problem is, that sort of thing only works with customers who have some awareness of security. This group of people are not likely to fall victim to a phishing scam anyway.
The target audience for phishers is more likely to either not notice, or to think "Hmm, the bank must have changed its security system. I'll just do what this link says and my money will be safer than ever!".
Getting Banks to Advertise SPF on their email (Score:2)
Customer details (Score:5, Interesting)
Well, I've received several of these mails, but I do not really think they go by any kinda cue -- I've received mails from various banks from around the US, so I think these guys randomly see where you are, make a wild guess at the likely bank and send you one.
For instance, several students at GTech (where I study) have their bank accounts in a certain bank (which we shall call W) -- and a lot of these scams are directed at GT students pretending to be from W.
However, that said -- I'd not be surprised if they actually did some dumpster diving and found out these kinda details. Spooky, man.
Re:Customer details (Score:2)
Because I had a page which listed me as working in a certain lab that I used to work at - and some of these scams used to contain spoof elements of
Re:Customer details (Score:2)
They probably don't do that much targeting. Set up the phishing site, send the spam to every address they can come up with, and hope for a few suckers, more likely.
Re:Customer details (Score:2)
I've also gotten scam mails for various banks. The sophisticated ones took into account that my address is German (ends in
They don't know who you are (Score:5, Informative)
It's just a blanket 'attack'. Email is cheap, and they're not trying to be smart because they don't need to be.
Simon
Re:They don't know who you are (Score:2)
It wasn't until later that I realized that it might be a phishing scam. Further research indicated that i
ways to prevent online fraud? (Score:5, Insightful)
This is done in Japan and works well there. Maybe consumers here would lose their card? The card isn't electronic; it's just a card with PIN numbers that you scratch off each time you use the PIN number.
Banks should STRONGLY educate consumers to never expect emails from the bank that contain links.
Re:ways to prevent online fraud? (Score:2, Interesting)
The gist of it is a longer code that I arrange with them in person, and when I go online with them, they ask for random portions of that code.
I would have to be scammed multiple times before anyone had access to my banking.
The comment is here: http://slashdot.org/comments.pl?sid=128336&cid=10716472 [slashdot.org]
Re:ways to prevent online fraud? (Score:2)
Ok, look at the story from the perspective of a real-world bank, rather than a mythically secure one.
There's a bank in the UK called cahoot (part of abbey national) which offers one-time credit cards that you can use over the internet. For those of us who use the same card for foreign pr0n sites, that sounds quite useful, right?
That's the smart bit. That was the good idea. Their security goes downhill for the rest of the story.
It's an unencrypt
How to annoy phishers (Score:5, Interesting)
I reckon banks could do something similar too. Create some honeypot accounts, and track how the criminals attempt to access it. I'm sure they could play a few tricks with a seemingly big fat balance that could make the criminals reveal their hand.
Re:How to annoy phishers (Score:2, Interesting)
Password "QUICKGETEM"
Name "CALL SECURITY"
DOB "01/01/1337"
This would be cool to try.
But tbh, I reckon they would just take the list and try those that look legit.
What we could do is simply forward any phishing scam mails to a central phishing clearing house.
The banks could fund a small team to handle collective online fraud.
Re:How to annoy phishers (Score:3, Informative)
Looks like it's already in action
http://www.antiphishing.org/ [antiphishing.org]
Re:How to annoy phishers (Score:3, Interesting)
The only way they have to separate the wheat from the chaff is to actually try them. If they're really stupid, they (or their underlings) may actually get caught when they attempt to withdraw ca
Re:How to annoy phishers (Score:2, Insightful)
Today I got one of these fraudulent "the bank needs your information" E-mails. So, I thought, let's give them some noise to fill their log.
But the credit card number I made up was detected as non-existent - or at least the fake website said so.
Now, is there any way to:
1) Generate fake credit card numbers that pass as "valid"
2) Do this, and be certain that no-one actually owns that particular number, and if so, still not get into trouble?
Re:How to annoy phishers (Score:4, Informative)
1) Generate fake credit card numbers that pass as "valid"
They're probably doing something trivial with Luhn numbers. [webopedia.com] Trivial to implement, trivial to spoof. Generating apparently valid but fraudulent card numbers is known as carding. [creditcardco.co.uk]
2) Do this, and be certain that no-one actually owns that particular number, and if so, still not get into trouble?
Trouble with whom? The scammers? If you aren't using the number to commit fraud, I wouldn't worry. We want to get the phishers in trouble!
Re:How to annoy phishers (Score:2)
They may also know what BINs [wikipedia.org] they are looking for. The first six digits of your credit card number are the Bank Identification Number, which identifies the issuing bank and (often) the type of card.
Some card generating products, such as Creditmaster, have a database of BINs as well as an implementation of the Luhn algorithm. Thus you can (say) ask for a random Bank of America Visa Platinum, rather than just a random 16-digit number that passes the Luhn check.
Of course, you need the expiry date on the ca
Re:How to annoy phishers (Score:2)
Yes:
$ perl -MBusiness::CreditCard -e 'print validate("1000 0000 0000 0008"), "\n"'
1
But:
$ perl -MBusiness::CreditCard -e 'print cardtype("1000 0000 0000 0008"), "\n"'
Unknown
No (Score:2)
$ perl -MBusiness::CreditCard -e 'print cardtype("9111 1111 1111 1111"), "\n"'
Unknown
$ perl -MBusiness::CreditCard -e 'print validate("9111 1111 1111 1111"), "\n"'
0
Re:fake credit card numbers (Score:3, Informative)
Easy: Business::CreditCard - Validate/generate credit card checksums/names [cpan.org].
Re:How to annoy phishers (Score:2)
1. Remove any non-digits from the string.
2. Reverse the string.
3. Double every second digit, counting from zero (i.e. the first one gets doubled).
4. If a doubled digit is >= 10, add the 2 digits together (i.e. 12 becomes 3).
5. Add all the digits together.
6. If the result is exactly divisible by 10, then the card is valid...
...
...
8. Profit
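The Luhn checksum sketched in the comment above, and the Business::CreditCard validate/cardtype calls a few comments earlier, can be reproduced in a short script. This is an added example, not code from the page, from Business::CreditCard or from any phishing kit; function names are my own. It implements the standard Luhn procedure (after reversing, the check digit at position 0 is left alone and positions 1, 3, 5, ... are doubled), and a minimal brand lookup from the well-known leading-digit rules for Visa, MasterCard and American Express, which is an assumption-free stand-in for the BIN table a product like the one mentioned would carry. The point for a defender is the one the Perl transcript already shows: the check is a pure checksum, so a number can pass it while belonging to no issuer at all, and a phishing page that reports a card as "invalid" is doing nothing more than this arithmetic.

```python
import re
from typing import Tuple


def normalise(number: str) -> str:
    """Step 1: keep only the digits (spaces and dashes are common in user input)."""
    return re.sub(r"\D", "", number)


def luhn_valid(number: str) -> bool:
    """Standard Luhn check: True when the weighted digit sum is a multiple of 10."""
    digits = normalise(number)
    if len(digits) < 2:
        return False
    total = 0
    # Walk from the right. Index 0 is the check digit and is never doubled;
    # every second digit after it (index 1, 3, 5, ...) is doubled.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d >= 10:
                d -= 9  # same as adding the two digits of 10..18 together
        total += d
    return total % 10 == 0


def card_type(number: str) -> str:
    """Brand from the leading digits and length (illustrative subset of BIN rules).

    Assumption: only the widely published top-level prefixes are modelled here;
    a real BIN table maps six-digit prefixes to individual issuers and products.
    """
    digits = normalise(number)
    n = len(digits)
    if digits.startswith("4") and n in (13, 16, 19):
        return "Visa"
    if digits[:2] in ("34", "37") and n == 15:
        return "American Express"
    if n == 16 and digits[:2].isdigit() and 51 <= int(digits[:2]) <= 55:
        return "MasterCard"
    return "Unknown"


def classify(number: str) -> Tuple[bool, str]:
    """Mirror of the two Business::CreditCard calls on the page: (validate, cardtype)."""
    return luhn_valid(number), card_type(number)


if __name__ == "__main__":
    # Constructed inputs: the two numbers from the Perl transcript on the page,
    # plus the Visa and Amex numbers commonly used as documentation samples.
    for sample in ("1000 0000 0000 0008", "9111 1111 1111 1111",
                   "4111 1111 1111 1111", "3782 822463 10005"):
        print(sample, classify(sample))
```

Reading the output against the transcript: "1000 0000 0000 0008" passes the checksum yet has no recognisable brand, exactly as validate() returned 1 and cardtype() returned Unknown, while "9111 1111 1111 1111" fails the checksum outright.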
Re:How to annoy phishers (Score:2, Interesting)
I've always wanted to find a way to automate that. Have a site where you could submit a phishing site, have it analyzed and then feed it a bunch of noise.
If it's all done from the same computer, smart people could weed out the noise by IP address, so you'd have to account for that somehow, too.
Once you make enough noise in the system, scams like this do not remain economical, I would think.
Re:How to annoy phishers (Score:1)
> annoyance to them
People say that about spammers. I'm sure they're annoyed with the millions they make from their activities.
The best way to avoid getting hit by phishers is to delete any emails that claim to come from your bank, paypal etc without reading them. And if they insist that they contact you via email rather than post, or via messages readable once you've logged on then I suggest you close your account with th
Re:How to annoy phishers (Score:2)
If I ever get around to writing something like this, I'd be tempted to share it, but its power could be used for Evil as well as Good. Also, bizarrely enough, using such a program is probably against
Re:How to annoy phishers (Score:3, Informative)
A lot of times, you can send a URL-encoded request (GET request) to fill in bogus data from the address line. I've happily sent random values to these seedy servers with a small bash script using lynx.
I suggested that one or more popular websites add a new 'banner ad' whose image location is a properly formed URL to submit a random value to a known phishing server. As people come by the site, a new request is sent t
check out antiphishing.org (Score:5, Informative)
Also check out aa419.org (Score:2)
If you've got bandwidth to spare, be sure to check out The Lad Vampire [aa419.org]
Please modify the news post and add one of those links. They could use the help of a lot of slashdotters, I think.
The worst ones are... (Score:5, Insightful)
The maxim I always use is: The company that holds your account never needs to ask you for your password since they already have it.
Something many probably don't know is that your local police dept. probably has a high tech crimes unit. They will investigate and prosecute illegal activities like snooping around your company network. They can be very helpful.
Re:The worst ones are... (Score:1)
Eh, unless they want to verify that you know the right password, which is what these kind of scams are giving the impression of - a complete login page.
Re:The worst ones are... (Score:4, Informative)
I would add: Often the employees of the company don't have access to the password because it is encrypted on their end. But the institution can change or reset your password without knowing the old password. This is usually preceded by a manual check performed by customer service over the phone to ensure you are really you. They might also ask you to come into the bank and provide ID.
Enough Already. (Score:5, Insightful)
Receiving too (Score:4, Interesting)
Probably that message is sent from hacked/owned/unpatched Windows machines that send the entered info to the real criminal. I suppose that to really know who he is, those "infected" machines would have to be hacked back, or the provider of that internet connection would have to contact or give the address of the owner and check the programs there.
Is it that simple? (Score:5, Interesting)
The bank I use gave me a little authentication device which combined with my bank card, my personal code and a random code provided by the bank site can generate digital signatures. In order to login and in order to make all transactions final I must provide the right code.
I've been using this system for about 10 years now. If those exploitable banks still use normal password protection, it's their fault they're exploited this way, and there's no way customers should be responsible for it.
Re:Is it that simple? (Score:2)
So, essentially I have two passwords, but they're both required to log in. I've not heard of any UK bank that issues anything like the authentication device you describe.
Mostly, yes (Score:2)
I Have Not Seen My Bank's Name in Phishing Scams (Score:3, Informative)
I have not gotten one email from that bank (either legitimate email or a phishing scam with that bank's name or fake url.
That bank does have my email address.
I have gotten phishing scams that have ebay in them (I do have an ebay account). I have also gotten phishing scams with the names of other banks in my area.
I think they go by geographical data for banks. For ebay, it's no problem. They can scan ebay's pages and get seller's ebay account names with no problem.
Damn (Score:5, Funny)
Now that is a punishment that would work pretty well, once word got out!
The problem is much larger than just banks. (Score:5, Interesting)
It's not a major concern in the 3rd world so these guys have no reason to stop. We've seen scams like this based out of Russia, Brazil, China, and several African countries. It will be interesting to see how this all pans out.
Why is it so hard to catch these criminals? (Score:4, Interesting)
Cheers,
Re:Why is it so hard to catch these criminals? (Score:2)
I doubt it's that easy or simple, but.
The authorities tend to be good at gathering and accumulating statistics.
The banks should also be concerned that somebody is using their identity fraudulently.
Savvy users forward the email with headers to addresses such as abuse@citibank.com (which bounces, so there probably is no will to actually do anything about it).
Seems that if the authorities are to be able to do anything about it, they need lots of in-depth info
Re:Why is it so hard to catch these criminals? (Score:2, Informative)
Gmail vs. Phishers (Score:5, Interesting)
Has anyone else noticed that the folks at Gmail have added a "report phishing" feature? When you view a message, click "More Options" and you'll see it.
Then again, maybe it's been there for some time and I just haven't noticed (it definitely wasn't there when I first got my Gmail account though and it doesn't appear to be listed as a new feature).
Slashdot this (Score:5, Interesting)
The lad vampire [aa419.org] needs your help
Fun Scammer Bandwidth-Burner aa419.org (Score:2)
Here is a good rule of thumb: ignore them 100% (Score:2)
Re:Here is a good rule of thumb: ignore them 100% (Score:1)
How exactly are these newbie users supposed to get the information that the web is different than real life? Watch the RvB PSA (yeah, my 6
Re:Here is a good rule of thumb: ignore them 100% (Score:4, Insightful)
There is little new under the sun. Just because we give it an incredibly lame 1337 name, "PHishing", doesn't mean it's not a hundred-year-old con game.
Re:Here is a good rule of thumb: ANNOY them 100% (Score:2)
How do you drain an account without a trace? (Score:2, Insightful)
In every case getting cash out of my account involves paying a bill (to an authorized agent like VISA), or emailing money or transferring money to a 3rd party acct. All of these leave a trail that banks can recognize and plug.
I once changed my buying habits with my VISA card and had to confirm my identity before the transaction could be authorized. Since fraudulent VISA transactions cost VISA, it appears that when it affects the bott
Idiots looking to make a quick buck, that's who. (Score:2)
My friend's paypal account was ripped off. A 3rd party bought a camera and shipped it to Russia, because the auction's shipping was only available in the US and the Russian wanted the deal. The Russian supplied my friend's paypal and a $20.
The camera is safe in Russia while the idiot who bought it had a chat with the police.
countermeasures? (Score:2, Insightful)
Re:countermeasures? (Score:2)
So you're advocating a distributed denial of service attack on somebody's server?
An actual phisher would undeniably deserve such a treatment and much more, but that doesn't make it okay. But what if you make a (gasp!) mistake? You could be asking thousands of Slashdotters to participate in a DDoS attack against someone who might be completely innocent, or whose only 'crime' is that their own server was compromised and used by the real phisher.
What you're talking abou
Re:countermeasures? (Score:2)
Re:countermeasures? (Score:2)
When you can't get to www.pornopalace.com or whatever sites you like to visit every day because there just happened to be a phisher in the same co-lo, and a bunch of vigilantes decided to DOS that phisher off the net to protect the innocent (and the stupid), or when your personal site i
Re:countermeasures? (Score:2)
So, who decides which web sites MUST be taken down, and which may be allowed to remain? You? Oh, I see. And this differs from vigilante [m-w.com] justice exactly how? Let's take a look:
a member of a volunteer committee organized to suppress and punish crime summarily (as when the processes of law appear inadequate); bro
Re:countermeasures? (Score:2)
Re:countermeasures? (Score:2)
Hopefully that's not the case. Hopefully you'd take some action above and beyond going home, calling 911, and waiting 15 minutes or more for the police to arrive.
Yes, of course I'd intercede if someone were in direct physical danger. I'd also take action if I saw someone about to reply to a phishing scam.
Ho
I am a victim! (Score:2)
OK, not a victim. Let me restate: I am the recent victimizer of a scammer looking for a victim.
And I have a new $3000 to prove it. Sent to me directly from an "honest businessman" from Nigeria. Really. It was FedEx'd from Nigeria. From a guy named Walter Nabanu.
OK, I don't have a new $3000. But I have a check that says it is worth $3000. But I'm not going to cash it.
How much does it cost to Fedex an envelope from Nigeria to the US?
At least FedEx made out on this d
Re:I am a victim! (Score:2)
OK, not a joke. Let me restate: despite significant evidence to the contrary, I continue to think that I am clever.
What worries me (Score:1)
What would be the best way to protect yourself against this? Is it possible to set up caching DNS to pool from multiple independent sources
Re:What worries me (Score:1)
Although I might be wrong on this...
Re: (Score:2, Informative)
Why do I never get Phished? (Score:2)
I have made numerous postings to Usenet and public email lists with some of those addresses.
I have a few email addresses in mailto: links on web pages.
I have about five times as many credit cards and bank accounts as the average person.
Some of my email aliases are six years old -- I don't think that any of my email addresses from > six years ago still forward to
Re:Why do I never get Phished? (Score:2)
Clearly.
I have one address that's about 6 years old, use(d) it everywhere, and it gets regular esp. 'Ebay' queries.
Some remarks... (Score:1)
I'm so disappointed (Score:2)
Re:I'm so disappointed (Score:2)
Re:I'm so disappointed (Score:2)
poisoned DB attack (Score:2)
HTML Email (Score:2)
Re:Nothing to see here... (Score:3, Interesting)
Re:Nothing to see here... (Score:1, Redundant)
Hook, line, sinker.
Re:Nothing to see here... (Score:2)
Re:Nothing to see here... (Score:2)
Could be, yea, that he just feels "special" 'cause these cunning Zimbabweans just happened to guess his bank.
Which could also mean that they are netting fewer people than he thinks...except that there are really not that many small banks anymore.
With only a group of maybe five or six major banks in the US, I am sure it isn't too hard to snag some morons every now and again.
Re:Nothing to see here... (Score:5, Funny)
Don't go to Nigeria to pick up your money (Score:2)