Fishing for Phishers 152
mleachpdx writes "This blog entry probes into the details of an online banking phishing scam and suggests some fraud deterrence and detection measures."
If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol
More Info Available here (Score:5, Funny)
mirror.slashdot
Theres currently a problem with our server, you will have to login again to see the details.
(yes this is only a joke)
Re:More Info Available here (Score:2)
Or.... (Score:5, Informative)
Or they just used the Spiderzilla extension for FireFox and downloaded the entire site. Wow, that scammer went to a lot of work. I have gotten these scams before though, and it is no laughing matter that they go to a lot of trouble to look legit. And I bet the estimate of 15% of people who fall for it listed in the article is actually a little low.
ROI (Score:5, Informative)
How is it possible to make money? (Score:2)
How is it possible to make money, knowing the login name and password for a bank's customer? The only actions allowed are transferring money from one account to another, ordering new checks, and finding the check amounts and account balance.
Re:How is it possible to make money? (Score:3, Insightful)
Like from your account to mine...
Re:How is it possible to make money? (Score:1)
Transfers are between your own accounts. (Score:2)
You can ONLY transfer money from one of your own accounts to another of yours.
Re:Transfers are between your own accounts. (Score:4, Informative)
Of the four banks with which I have bank accounts, all allow me to make payments to anyone else whose account details I know. I can also make SWIFT [swift.com] (i.e. international) transfers to any account worldwide, by providing branch SWIFT code and account number.
Re:Transfers are between your own accounts. (Score:2)
Re:Transfers are between your own accounts. (Score:2)
Solution: You authorise the bank first (Score:5, Interesting)
If you dont see that code in your email, or it's wrong, you know its fraudulent.
Re:Solution: You authorise the bank first (Score:5, Interesting)
Re:Solution: You authorise the bank first (Score:1)
Re:Solution: You authorise the bank first (Score:2)
Re:Solution: You authorise the bank first (Score:2)
Re:Solution: You authorise the bank first (Score:3)
My bank doesn't even HAVE my email.
Re:Solution: You authorise the bank first (Score:2, Interesting)
Your DNS, or the DNS for your area, is hijacked, and everybody who use that DNS is called up and told to log on to their bank in order to do something important?
Second solution is:
One-time passwords. I have a long list of login passwords and confirmation passwords, and a numerical customer ID known only to me. When they start running low, I can easily get a new one (mailed to me). So what if I happen to login to some fake site? The worst that can happen is that I waste
Re:Solution: You authorise the bank first (Score:3, Interesting)
then to do any transactions, to open any accounts, to apply for a loan or just about anything other than just checking how much cash you have the system asks a number from a list of one-time passcodes they've sent to you through regular mail(basically "enter the number pair for the number 4323 on your number card").
the card with the one-time-use passcodes is a plast
Re:Solution: You authorise the bank first (Score:2, Interesting)
Re:Solution: You authorise the bank first (Score:5, Insightful)
And this code would be sent through which secure email-delivery system exactly? Plaintext SMTP on the internet, like all the other emails from your bank?
Hell, banks don't even sign their emails. Many of them don't even know what PGP is. How many of us have had conversations with our banks along the lines of:?
You: I just got an email purporting to be from you
Bank: Yes, that's right
You: So how do I know it's real without phoning you
Bank: Because it's got our name in the From field
You: Did you ever consider signing your emails
Bank: OUR INTERNET IS SECURE, WE USE HTTPS WEBSITE!!!
Re:Solution: You authorise the bank first (Score:2)
I see your point, but _anything_ that is an indicator that the back actually knows you would reduce these phishing scams. They are generic, and the only thing that identifies th mail as being sent to you might be the "To:" field in the email, but that may also say something like "dedicated_customer@bank.com".
The ease in making this kind of scam profitab
Re:Solution: You authorise the bank first (Score:2, Insightful)
Okay, and how do the spammers get somebody's email address to start with? Oh yes, a virus emails the contents of their inbox to a russian server"
Along with your special code.
And don't pretend that you can just secure your computer -- there have been 5 major windows viruses already this year, and as far as I can tell, nearl
Re:Solution: You authorise the bank first (Score:2)
The problem is, that sort of thing only works with customers who have some awareness of security. This group of people are not likely to fall victim to a phishing scam anyway.
The target audience for phishers is more likely to either not notice, or to think "Hmm, the bank must have changed its security system. I'll just do what this link says and my money will be safer than ever!".
Getting Banks to Advertise SPF on their email (Score:2)
Customer details (Score:5, Interesting)
Well, I've received several of these mails, but I do not really think they go by any kinda cue -- I've received mails from various banks from around the US, so I think these guys randomly see where you are, make a wild guess at the likely bank and send you one.
For instance, several students at GTech (where I study) have their bank accounts in a certain bank (which we shall call W) -- and a lot of these scams are directed at GT students pretending to be from W.
However, that said -- I'd not be surprised if they acually did some dumpster diving and found out these kinda details. Spooky, man.
Re:Customer details (Score:2)
Because, I'd a page at which listed me as working in a certain lab that I used to work at - and some of these scams used to contain spoof elements of
Re:Customer details (Score:2)
They probably don't do that much targeting. Set up the phishing site, send the spam to every address they can come up with, and hope for a few suckers, more likely.
Re:Customer details (Score:2)
I've also gotten scam mails for various banks. The sophisticated ones took into account that my address is German (ends in
They don't know who you are (Score:5, Informative)
It's just a blanket 'attack'. Email is cheap, and they're not trying to be smart because they don't need to be.
Simon
Re:They don't know who you are (Score:2)
It wasn't until later that I realized that it might be a phishing scam. Further research indicated that i
ways to prevent online fraud? (Score:5, Insightful)
This is done in Japan and works well there. Maybe consumers here would lose their card? The card isnt electronic its just card with pin numbers that you scratch off each time you use the PIN number.
Banks should STRONGLY educate consumers to never expect emails from the bank that contain links.
Re:ways to prevent online fraud? (Score:2, Interesting)
The gist of it is a longer code that I arrange with them in person, and when I go online with them, they ask for random portions of that code.
I would have to be scammed multiple times before anyone had access to my banking.
The comment is here: http://slashdot.org/comments.pl?sid=128336&cid=107 16472 [slashdot.org]
Re:ways to prevent online fraud? (Score:2)
Ok, look at the story from the perspective of a real-world bank, rather than a mythically secure one.
There's a bank in the UK called cahoot (part of abbey national) which offers one-time credit cards that you can use over the internet. For those of us who use the same card for foreign pr0n sites, that sounds quite useful, right?
That's the smart bit. That was the good idea. Their security goes downhill for the rest of the story.
It's an unencrypt
How to annoy phishers (Score:5, Interesting)
I reckon banks could do something similar too. Create some honeypot accounts, and track how the criminals attempt to access it. I'm sure they could play a few tricks with a seemingly big fat balance that could make the criminals reveal their hand.
Re:How to annoy phishers (Score:2, Interesting)
Password "QUICKGETEM"
Name "CALL SECURITY"
DOB "01/01/1337"
This would be cool to try.
But tbh, I recon they would just take the list and try those that look legit.
What we could do is simply forward any phishing scam mails to a central phishing clearing house.
The banks could fund a small team to handle collective online fraud.
Re:How to annoy phishers (Score:3, Informative)
Looks like its already in action
http://www.antiphishing.org/ [antiphishing.org]
Re:How to annoy phishers (Score:3, Interesting)
The only way they have to separate the wheat from the chaff is to actually try them. If they're really stupid, they (or their underlings) may actually get caught when they attempt to withdraw ca
Re:How to annoy phishers (Score:2, Insightful)
Today I got one of these fraudulent "the bank needs your information" E-mails. So, I thought, let's give them some noise to fill their log.
But the credit card number I made up was detected as non-existent - or at least the fake website said so.
Now, is there any way to:
1) Generate fake credit card numbers that pass as "valid"
2) Do this, and be certain that no-one actually owns that particular number, and if so, still not get into trouble?
Re:How to annoy phishers (Score:4, Informative)
1) Generate fake credit card numbers that pass as "valid"
They're probably doing something trivial with Luhn numbers. [webopedia.com] Trivial to implement, trivial to spoof. Generating apparently valid but fraudulent card numbers is known as carding. [creditcardco.co.uk]
2) Do this, and be certain that no-one actually owns that particular number, and if so, still not get into trouble?
Trouble with whom? The scammers? If you aren't using the number to commit fraud, I wouldn't worry. We want to get the phishers in trouble!
Re:How to annoy phishers (Score:2)
They may also know what BIN [wikipedia.org]s they are looking for. The first six digits of your credit card number are the Bank Identification Number, which identify the issuing bank and (often) the type of card.
Some card generating products, such as Creditmaster, have a database of BINs as well as an implementation of the Luhn algorithm. Thus you can (say) ask for a random Bank of America Visa Platinum, rather than just a random 16-digit number that passes the Luhn check.
Of course, you need the expiry date on the ca
Re:How to annoy phishers (Score:2)
Yes:
$ perl -MBusiness::CreditCard -e 'print validate("1000 0000 0000 0008"), "\n"'
1
But:
$ perl -MBusiness::CreditCard -e 'print cardtype("1000 0000 0000 0008"), "\n"'
Unknown
No (Score:2)
$ perl -MBusiness::CreditCard -e 'print cardtype("9111 1111 1111 1111"), "\n"'
Unknown
$ perl -MBusiness::CreditCard -e 'print validate("9111 1111 1111 1111"), "\n"'
0
Re:fake credit card numbers (Score:3, Informative)
Easy: Business::CreditCard - Validate/generate credit card checksums/names [cpan.org].
Re:How to annoy phishers (Score:2)
1. Remove any non digits from string.
2. Reverse the string.
3. double every second digit counting from zero (i.e first one gets doubled)
4. If a doubled digit is >= 10, add the 2 digits together (i.e. 12 becomes 3)
5. Add all the digits together.
6. If the result is exactly divisible by 10, then the card is valid...
...
...
8. Profit
Re:How to annoy phishers (Score:2, Interesting)
I've always wanted to find a way to automate that. Have a site where you could submit a phishing site, have it analyzed and then feed it a bunch of noise.
If it's all done from the same computer, smart people could weed out the noise by IP address, so you'd have to account for that somehow, too.
Once you make enough noise in the system, scams like this do not remain economical, I would think.
---
Re:How to annoy phishers (Score:1)
> annoyance to them
People say that about spammers. I'm sure they're annoyed with the millions they make from their activities.
The best way to avoid getting hit by phishers is to delete any emails that claim to come from your bank, paypal etc without reading them. And if they insist that they contact you via email rather than post, or via messages readable once you've logged on then I suggest you close your account with th
Re:How to annoy phishers (Score:2)
If I ever get around to writing something like this, I'd be tempted to share it, but its power could be used for Evil as well as Good. Also, bizarrely enough, using such a program is probably against
Re:How to annoy phishers (Score:3, Informative)
A lot of times, you can send a URL encoded request (GET Request) to fill in bogus data from the address line. I've happliy sent random values to these seedy servers with a small bash script using lynx.
I suggested that one or more popular websites add a new 'banner ad' whose image location is a properly formed URL to submit a random value to a known phishing server. As people come by the site, a new request is sent t
check out antiphishing.org (Score:5, Informative)
Also check out aa419.org (Score:2)
If you've got bandwith to spare, be sure to check out The Lad Vampire [aa419.org]
Please modify the news post and add one of those links. They could use the help of a lot of slashdotters, I think.
The wrost ones are... (Score:5, Insightful)
The maxim I always use is: The company that holds your account never needs to ask you for your password since they already have it.
Something many probably don't know is that your local police dept. probably has a high tech crimes unit. They will investigate and prosecute illegal activites like snooping around your company network. They can be very helpful.
Re:The wrost ones are... (Score:1)
Eh, unless they want to verify that you know the right password, which is what these kind of scams are giving the impression of - a complete login page.
Re:The wrost ones are... (Score:4, Informative)
I would add: Often the employees of the company don't have access to the password because it is encrypted on their end. But the institution can change or reset your password without knowing the old password. This is usually preceded by a manual check performed by customer service over the phone to ensure you are really you. They might also ask you to come into the bank and provide ID.
Enough Already. (Score:5, Insightful)
Receiving too (Score:4, Interesting)
Probably that message is sent from hacked/owned/not patched windows machines that send the entered info to the real criminal. I suppose that for really knowimg who is him that "infected" machines should be hacked back or that the provider of that internet connection contacts/gives the address of the owner, and check the programs there.
Is it that simple? (Score:5, Interesting)
The bank I use gave me a little authentication device which combined with my bank card, my personal code and a random code provided by the bank site can generate digital signatures. In order to login and in order to make all transactions final I must provide the right code.
I've been using this system for about 10 years now, if those exploitable banks still use a normal password protection it's their fault they're exoploited this way and there's no way customers should be responsible for it.
Re:Is it that simple? (Score:2)
So, essentially I have two passwords, but they're both required to log in. I've not heard of any UK bank that issues anything like the authentication device you describe.
Mostly, yes (Score:2)
I Have Not Seen My Bank's Name in Phishing Scams (Score:3, Informative)
I have not gotten one email from that bank (either legitimate email or a phishing scam with that bank's name or fake url.
That bank does have my email address.
I have gotten phising scams that have ebay in them (I do have an ebay account). I have also gotten phising scams with the names of other banks in my area.
I think they go by geographical data for banks. For ebay, it's no problem. They can scan ebay's pages and get seller's ebay account names with no problem.
Damn (Score:5, Funny)
Now that is a punishment that would work pretty good, once word got out!
The problem is much larger than just banks. (Score:5, Interesting)
It's not a major concern in the 3rd world so these guys have no reason to stop. We've seen scams like this based out of Russia, Brazil, China, and several African countries. It will be interesting to see how this all pans out.
Why is it so hard to catch these criminals? (Score:4, Interesting)
Cheers,
Re:Why is it so hard to catch these criminals? (Score:2)
I doubt it's that easy or simple, but.
The authorities tend to be good at gathering and accumulating statistics.
The banks should also be concerned that somebody is using their identity fraudulently.
Savvy users forward the email with headers to such as abuse@citibank.com (which bounces, so there probably is no will to actually do anything about it).
Seems that if the authorities are to be able to do anything about it, they need lots of in-depth info
Re:Why is it so hard to catch these criminals? (Score:2, Informative)
Gmail vs. Phishers (Score:5, Interesting)
Has anyone else noticed that the folks at Gmail have added a "report phishing" feature? When you view a message, click "More Options" and you'll see it.
Then again, maybe it's been there for some time and I just haven't noticed (it definitely wasn't there when I first got my Gmail account though and it doesn't appear to be listed as a new feature).
Slashdot this (Score:5, Interesting)
The lad vampire [aa419.org] needs your help
Fun Scammer Bandwidth-Burner aa419.org (Score:2)
Here is a good rule of thumb: ignore them 100% (Score:2)
Re:Here is a good rule of thumb: ignore them 100% (Score:1)
How exactly are these newbie users supposed to get the information that the web is different than real life? Watch the RvB PSA (yeah, my 6
Re:Here is a good rule of thumb: ignore them 100% (Score:4, Insightful)
There is little new under the sun. Just because we give it an incredibly lame 1337 name; "PHishing" doesn't mean it's not a hundred year old con game.
Re:Here is a good rule of thumb: ANNOY them 100% (Score:2)
How do you drain an account without a trace? (Score:2, Insightful)
In every case getting cash out of my account involves paying a bill (to an authorized agent like VISA), or emailing money or transferring money to a 3rd party acct. All of these leave a trail that banks can recognize and plug.
I once changed my buying habits with my VISA card and had to confirm my identity before the transaction could be authorized. Since fradulent VISA transactions cost VISA, it appears that when it affects the bott
Idiots looking to make a quick buck, that's who. (Score:2)
My friend's paypal account was ripped off. A 3rd party bought a camera and shipped it to Russia, because the auction's shipping was only avalible in the US and the Russian wanted the deal. The Russian supplied my friend's paypal and a $20.
The camera is safe in Russia while the idiot who bought it had a chat with the police.
countermeasures? (Score:2, Insightful)
Re:countermeasures? (Score:2)
So you're advocating a distributed denial of service attack on somebody's server?
An actual phisher would undeniably deserve such a treatment and much more, but that doesn't make it okay. But what if you make a (gasp!) mistake? You could be asking thousands of Slashdotters to participate in a DDoS attack against someone who might be completely innocent, or whose only 'crime' is that their own server was compromised and used by the real phisher.
What you're talking abou
Re:countermeasures? (Score:2)
Re:countermeasures? (Score:2)
When you can't get to www.pornopalace.com or whatever sites you like to visit every day because there just happened to be a phisher in the same co-lo, and a bunch of vigilantes decided to DOS that phisher off the net to protect the innocent (and the stupid), or when your personal site i
Re:countermeasures? (Score:2)
So, who decides which web sites MUST be taken down, and which may be allowed to remain? You? Oh, I see. And this differs from vigilante [m-w.com] justice exactly how? Let's take a look:
a member of a volunteer committee organized to suppress and punish crime summarily (as when the processes of law appear inadequate); bro
Re:countermeasures? (Score:2)
Re:countermeasures? (Score:2)
Hopefully that's not the case. Hopefully you'd take some action above and beyond going home, calling 911, and waiting 15 minutes or more for the police to arrive.
Yes, of course I'd intercede if someone were in direct physical danger. I'd also take action if I saw someone about to reply to a phishing scam.
Ho
I am a victim! (Score:2)
OK, not a victim. Let me restate: I am the recent victimizer of a scammer looking for a victim.
And I have a new $3000 to prove it. Sent to me directly from an "honest businessman" from Nigeria. Really. It was FedEx'd from Nigeria. From a guy named Walter Nabanu.
OK, I don't have a new $3000. But I have a check that says it is worth $3000. But I'm not going to cash it.
How much does it cost to Fedex an envelope from Nigeria to the US?
At least FedEx made out on this d
Re:I am a victim! (Score:2)
OK, not a joke. Let me restate: despite significant evidence to the contrary, I continue to think that I am clever.
What worries me (Score:1)
What would be the best way to protect yourself against this? Is it possible to set up caching DNS to pool from multiple independent sources
Re:What worries me (Score:1)
Although I might be wrong on this...
Re: (Score:2, Informative)
Why do I never get Phished? (Score:2)
I have made numerous postings to Usenet and public email lists with some of those addresses.
I have a few email addresses in mailto: links on web pages.
I have about five times as many credit cards and bank accounts as the average person.
Some of my email aliases are six years old -- I don't think that any of my email addresses from > six years ago still forward to
Re:Why do I never get Phished? (Score:2)
Clearly.
I have one adress that's about 6 years old, use(d) it everywere, and it gets regular esp. 'Ebay' queries.
Some remarks... (Score:1)
There's almost zero chance the phishers knew the author had an account at his bank. They use spamming techniques and count on getting lucky.
Some financial institutions already do this but it is very expensive. Despite the
I'm so disappointed (Score:2)
Usually, no matter what the method of contact, all I get is an email reply with boilerplate info telling me how to protect myself against these scams. This is utterly stupid,
Re:I'm so disappointed (Score:2)
But essentially the gist was they need the fraud to occur in order to do anything about it. Their entire machinery for dealing with fraud requires that it has already happened, i.e. the money has changed hands. They start to act after the fraudulent transactions have been processed. Apparently they need that amount of concrete evidence in
Re:I'm so disappointed (Score:2)
poisoned DB attack (Score:2)
HTML Email (Score:2)
It's a slim chance, but if enough people get irritated enough from having to re-send enough email, then perhaps we can still get rid of this idiotic idea.
Re:Nothing to see here... (Score:3, Interesting)
Re:Nothing to see here... (Score:1, Redundant)
Its just aiming at the big players to maximise your audience.
Currently, more people will fall for something like a Citibank scam than a LocalYokelTownBank scam.
Yes, there will be gullible people in both groups, but a lot more with the larger bank.
Hook, line, sinker.
Re:Nothing to see here... (Score:2)
Re:Nothing to see here... (Score:2)
Could be, yea, that he just feels "special" 'cause these cunning Zimbabweans just happened to guess his bank.
Which could also mean that they are netting fewer people than he thinks...except that there are really not that many small banks anymore.
With only a group of maybe five or six major banks in the US, I am sure it isn't too hard to snag some morons every now and again.
Re:Nothing to see here... (Score:5, Funny)
Don't go to Nigeria to pick up your money (Score:2)