
Phishing In The Channel 199

Rick Zeman writes "A Washington Post story details the relationships between phishers, IRC, plug-and-play phishing toolkits, and phantom web sites. 'For the past few months we've started to see phishing attacks from subcontractors, people who buy and use ready-made phishing toolkits and e-mail lists,' Orad said. 'It's gotten to the point where you don't need to know anything about spamming or computer programming to pull this off.'"

  • Great (Score:5, Funny)

    by Anonymous Coward on Tuesday January 18, 2005 @04:13PM (#11400664)
    Now we have phishkiddies
  • Urmm... (Score:2, Interesting)

    by Anonymous Coward

    It's gotten to the point where you don't need to know anything about spamming or computer programming to pull this off.'

    So phishing is just as easy as using Windows... Think about it.
  • by Neil Blender ( 555885 ) <neilblender@gmail.com> on Tuesday January 18, 2005 @04:15PM (#11400704)
    Now people who know nothing about ripping people off can rip off people who know nothing about being ripped off.
  • by x.Draino.x ( 693782 ) on Tuesday January 18, 2005 @04:16PM (#11400707)
    There was a system crash this month. You may have noticed our system has been running slowly. If you are receiving this email, we have lost some of the information for your account. Please click on the following link and fill in all of your information to make sure your account does not get suspended. We appreciate your time, and sorry for the trouble. Click here to fill in your info! [stealing.your.money] Your friends, at Ebay/PayPal.
  • Well... (Score:2, Informative)

    I remember using pre-made "proggies" on AOL back when it was new to phish users' passwords.

    So, this is nothing new and people are still naive. Hopefully, though, the more it hits people's back pocket, the more savvy they will get.

    • I don't think AOL existed when it was new to phish people's passwords.

    • AOHell. That was more fun than a barrel of CGA porn.

      best... splashscreenmusic.. ever.
      (the nuttin but a g thang riff)
      'slike dis an' like dat and this an' uh...
  • Dear world, (Score:3, Funny)

    by Anonymous Coward on Tuesday January 18, 2005 @04:18PM (#11400730)

    www.secure-ebay-transactions.ru is NOT ebay.

    You have been warned.

    Sincerely,
    The Internet.
    • Re:Dear world, (Score:3, Informative)

      by ftzdomino ( 555670 )
      Typically a phisher takes advantage of the IE exploit to fake the URL also, so a vulnerable user thinks they are at a legit URL.
      • Re:Dear world, (Score:3, Informative)

        by eggoeater ( 704775 )
        It doesn't even have to be that complicated... typically the URL in the email is "correct" but the underlying link is to another site....most lusers never look at the address in the status bar.
        http://www.ebay.com/ [ripyouoff.ru]
        This is why /. puts the domain in brackets after the link.
        • by Anonymous Coward
          This is why /. puts the domain in brackets after the link.

          Slashdot puts the domain in brackets to keep your eyes from getting burned, not your wallet.
        • I got a couple of Washington Mutual phishes that had a URL like http://www.wamu.com/chooseyourstate.asp?redirect=http://some.ip.address/~username/.wamu/index.html, so the initial link actually did go to the right site. Probably sneaky enough to lure in my parents, unfortunately.

          Oh, and no, I haven't verified even the Washington Mutual part of the URL.
          • "I got a couple of Washington Mutual phishes that had a URL like http://www.wamu.com/chooseyourstate.asp?redirect=http://some.ip.address/~username/.wamu/index.html, so the initial link actually did go to the right site. Probably sneaky enough to lure in my parents, unfortunately. Oh, and no, I haven't verified even the Washington Mutual part of the URL."

            I think WAMU customers deserve to get hit by these things because their bank is so stupid and because the fraudsters actually created quite a good replic

  • IRC? (Score:4, Insightful)

    by Anonymous Coward on Tuesday January 18, 2005 @04:18PM (#11400743)
    IRC is like a communication medium, it's irrelevant in this discussion. As irrelevant as telephones being 'used' by thieves to communicate. Holding IRC responsible is pointless.
    • Re:IRC? (Score:2, Interesting)

      by Nosf3ratu ( 702029 )
      Overstating the obvious is also pointless. You fail it.
    • Rarely do you see an article on hackers/phishers/lan janitors in the mainstream press that doesn't include some mention of the "underground world" of IRC. It's only a matter of time before it's shut down because it is obviously a dastardly world of evil-doers and suiciders running rampant.
    • Re:IRC? (Score:3, Funny)

      by nasor ( 690345 )
      Any time I start to develop the slightest faith in the goodness of my fellow man, I just type /list into IRC. That clears it right up.
      • That's funny, but it's true. Everyone screams, "it's not IRC, it's the criminals!" But yeah, IRC has been a festering pit of illegal shit for YEARS. Sure, tons of it is good productive stuff. No, nobody could or will "shut down" IRC. But damn, a LOT of people would be less secure about their antisocial behavior if it weren't around.
  • by teiresias ( 101481 ) on Tuesday January 18, 2005 @04:19PM (#11400750)
    While it has become easier for phishers (and now apparently nonphishers) to prey upon mom and pop internet surfer, it still comes down to personal security. Mom and pop internet surfer won't give their ATM pin or their credit card number to a guy on the street but for some reason, the authority of the Internet removes those safeguards.

    Next time you see your parents or someone who is a likely phishing candidate, please, don't roll your eyes. Warn them and try to explain the difference.

    • by Billly Gates ( 198444 ) on Tuesday January 18, 2005 @04:29PM (#11400931) Journal
      Phishing works in numerous ways like creating fake websites like www.payypal.com which is a close replica of PayPal to trick mom and pop.

      Also many malware type apps which install themselves through javascript exploits may install a keyboard logger, or even change the address bar when a user types "www.amazon.com". IE will display the correct URL but will go to a hacked copy of the site while the user is unaware.

      Also most stolen credit cards are from legitimate businesses which their minimum wage employees steal and post to the net for profit. I used to work at Staples and a former supervisor was caught doing this with over 50 credit card holders.

      Last, it's not the user who compromises but rather the merchant who compromises. IIS is the default most popular web software for corporate America and ecommerce sites. A hacker who can infiltrate a database with thousands of email addresses and credit numbers has a potential gold mine.

      It's more complex than just protecting yourself.

      The internet today is getting worse and worse and is turning into the wild west. It's a dangerous place where new pc's can get infected within 3 to 4 minutes, billions of spams go out each day, to phishing.

      I was reading an older story here about the google archive of usenet including the first spam and how everyone was so shocked the internet could turn into a profit making scheme. Boy, the old internet users had no idea what was coming.

      • IE will display the correct URL but will go to a hacked copy of the site while the user is unaware.

        Not just IE! If the malware can edit the hosts file, it could make www.amazon.com point to a phishing site for everything on the system (IE, Firefox, even "ping"). Messing with the hosts file is quite a common adware trick, to allow banner ads on sites to be taken over I would guess.
      • I used to work at Staples and a former supervisor was caught doing this with over 50 credit card holders.

        How much prison time did he get? My guess, 0. How much fines did he get? My guess, 0.

        My guess is he got promoted, not fired. Correct?
        • Actually the FBI called the store manager and he did an investigation.

          Unfortunately he didn't have enough evidence to press charges so instead found some dumb reason to fire her.

          Several months later we found boxes from tens of thousands of dollars worth of stolen merchandise hidden within a wall of the store. She probably engineered that too since PDA's and other high ticket items require a supervisor key.

      • "Also many malware type apps which install themselves through javascript exploits may install a keyboard logger, or even change the address bar when a user types "www.amazon.com". IE will display the correct URL but will go to a hacked copy of the site while the user is unaware."

        Sounds complicated. Couldn't they just put their own entry for ebay.com into the hosts file?
      • Actually, this reminds me.... Not too long ago, I was on Undernet IRC chat and out of boredom, requested the complete list of active channels. A couple channels caught my attention as being places to actively trade (or buy/sell) credit card numbers. I forget the exact channel names right now, but I suppose they may change names every so often to avoid detection anyway? They were names something like #ccard though...

        The slightly scary part is, they seemed to be populated with at least 50 or 60 users each
    • Mom and pop internet surfer won't give their ATM pin or their credit card number to a guy on the street but for some reason, the authority of the Internet removes those safeguards.

      The problem is that the internet phishers are often times indistinguishable from their real life counterparts. To use your ATM analogy, it's like seeing an ATM that says Bank of America, has all the right logos, and seems to be standing outside of a B of A branch. It's very hard to tell the difference, even for the technically m
    • >Mom and pop internet surfer won't give their ATM pin or their credit card number to a guy on the street

      not if someone dressed as a "trusted" merchant or a "citibank representative" comes knocking on your door... then some will probably volunteer such information.

      these fake websites are fairly well made quite often. it's not like these people are so dumb that it's akin to giving that information to complete strangers on the street.

  • It amazes me that a few months after breaking up Phish is still as popular as ever. Damn you, hippies!
  • by suso ( 153703 ) on Tuesday January 18, 2005 @04:21PM (#11400798) Journal
    I have been wondering when I would start to see these alternate character set domain names that you can get now play a role in this. You know, like someone registers cnn.com, but the c is not the latin character set c but one from another character set. Or something that almost looks like a c.

    Then, without even hacking DNS, you can simply make someone or a group of people think that they are on cnn.com when they are really not. This could be used for things like fake news reports, etc. that make people panic.

    Has anyone seen anything like this yet?
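
Added example (not part of any comment above, and not Slashdot's code): a defender-side link audit in Python for the three tricks raised in this thread, namely link text that names one site while the href points at another, a redirect parameter on a legitimate-looking URL that forwards to a different host, and hostnames that mix character sets. The function names, the sample markup and the `.example` hosts are constructed for illustration.

```python
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

class _Anchors(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self._text.append(data)  # buffer is reset at each <a>, so stray text is dropped
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _parts(url):
    """(hostname, query) of a URL or bare domain; ("", "") if unparseable."""
    try:
        split = urlsplit(url if "://" in url else "http://" + url)
        return (split.hostname or "").lower(), split.query
    except ValueError:
        return "", ""

def _scripts(host):
    # First word of a character's Unicode name is its script (LATIN, CYRILLIC, ...).
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in host if c.isalpha()}

def audit_links(html):
    """Return (href, reason) findings for one HTML message body."""
    parser, findings = _Anchors(), []
    parser.feed(html)
    for href, text in parser.links:
        target, query = _parts(href)
        shown = _parts(text)[0] if "." in text and " " not in text else ""
        if shown and target and shown != target:
            findings.append((href, f"text shows {shown}, link goes to {target}"))
        for key, value in parse_qsl(query):
            dest = _parts(value)[0]
            if value.lower().startswith(("http://", "https://")) and dest != target:
                findings.append((href, f"parameter {key!r} forwards to {dest}"))
        if len(_scripts(target)) > 1 or "xn--" in target:
            findings.append((href, f"mixed-script or punycode host {target}"))
    return findings

# Constructed sample body (reserved .example names and a documentation IP).
SAMPLE = (
    '<a href="http://ripyouoff.example/login">http://www.ebay.example/</a> '
    '<a href="http://bank.example/choose.asp?redirect=http://203.0.113.7/~u/">Sign in</a> '
    '<a href="http://\u0441nn.example/">news</a> '
    '<a href="http://www.ebay.example/help">www.ebay.example</a>'
)
```

`audit_links(SAMPLE)` reports the first three links and leaves the fourth, whose text and target agree, alone.
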
  • ... profit! (Score:2, Funny)

    by phyruxus ( 72649 )
    from article: "Thomas was stunned that her data was being openly traded online.

    "I can't believe that people are allowed to do this kind of thing," she said. "Why can't [the authorities] do anything about this?"


    The answer may be that the economics of online fraud -- which has such low start-up costs that luring only a few victims to divulge personal financial data can turn a huge profit for the perpetrator -- are so much in favor of the criminals that, at least for now, a continued increase in phishing ac

  • Familiar? (Score:4, Funny)

    by nicklott ( 533496 ) on Tuesday January 18, 2005 @04:24PM (#11400840)
    'It's gotten to the point where you don't need to know anything about spamming or computer programming to pull this off.'
    Hey sounds like IT management to me!

    boom boom

  • by bsd4me ( 759597 )

    This, along with the fact that a lot of botnets are IRC controlled, is one of the reasons I declared IRC verboten on our LAN and am now using the bleeding-snort IRC rules. I know they won't catch all IRC traffic, but in my mind they are worth the extra cycles.

  • by ackthpt ( 218170 ) * on Tuesday January 18, 2005 @04:30PM (#11400947) Homepage Journal
    This underscores the problem with these schemes, laws don't mean a thing if there's no enforcement. Most of the spam I see phishing should be able to be tracked down quickly enough to catch perps, but either law enforcement is bogged down with other things or it's just not really much of a priority.

    Many people complain about there not being enough cops on the street (unless they've just been pulled over), which I've been informed in my area, is because most calls are domestic disputes. Police don't have the time to catch all the burglars and bicycle thieves because someone is slapping someone else around (IMHO the first offense should land people in a cooler for at least a month.)

    Regarding the agencies which should be chasing spammers and scammers, that's probably the FBI, which is too busy being reorg'd and chasing terrorist threats.

    • by Skevin ( 16048 )
      I simply gave up and started to take matters into my own hands.

      I'm creating a minor software package called Dolfin, to combat Phishing scams. It's just some basic Python with a MySQL backend, and it works like this: I have a huge list of common first names and a huge list of common last names. When I find a Phishing page, I pull up a random last name, a random first name, and create a random 16-digit Visa Number, complete with a random expiration date... plus any other random data a Phishing form might ask f
  • I was under the impression you didn't even need to know how to turn on a PC to be a spammer. Slip the first guy a grand or two and promise him 5% of the profits, set up a bank account and you're done.

    I mean you're already breaking the law with spam, why pass on a little fraud too?
  • I wonder if i could phish for credit card details by sending out email advertising my ub3r l33t ph1$in kit.

    Wonder if they'd fall for it, or if the average phisher is just as stupid as the phish.
  • You still need to know enough about money laundering and electronic transactions to not get caught!
  • Of course online fraud doesn't end with merely collecting credit card numbers.

    Next, a network of illdoers must convert this stolen cash into something much less traceable. They enlist the help of folk running a variety of instant messenging programs.

    Why, just this morning I received this gem on ICQ:

    268-919-230 (9:13 AM) :
    Hi there! where you disappeared?!
    268-919-230 (9:13 AM) :
    yes, I haven't been here for long, too - was busy working on Alfa Trans
    268-919-230 (9:14 AM) :
    by the way, I'd recommend you to ch
  • the story suggests the scammers are just as busy scamming each other. my favorite quote:

    Marcus Sachs, a former cyber-security adviser to the White House who now directs the Bethesda, Md.-based SANS Internet Storm Center, said that if the information posted by the IRC channel operators is legitimate, then they are likely working with people on the inside at the major credit card issuers.

    But Sachs said he suspects that by "verifying" credit card information posted by other chat room members, those runnin

  • I recently had some homeless fellow steal my trash before garbage day. Normally this wouldn't concern me, but one of the bags was full of credit card receipts that I was not able to shred because my shredder stopped working. Many merchants here in Canada still print the full credit card number on the receipt, so I thought it would be best if I canceled the card. I called up my bank manager and somehow we got to talking about phishing. She told me that there is an inverse correlation between the frequency of arm
  • That's the point at which it becomes clear that phishing (or anything else) isn't a computer problem, but a people problem, or a banking/business/whatever problem. Though computers might offer some tech solutions. But tech solutions dialectically bring their own new tech problems - which are usually really still people problems. That's why we have laws, police and courts. Engineers just work for them, on these problems. Those law nerds have to take the blame when the problems don't stop.
  • The basic problem is that the whole idea of authenticating transactions with no more than static account information is fundamentally insecure. And that's why retailers love it.

    It's easy for consumers to buy. It's easy for a retailer to set up a recurring charge. The sales process involves only the retailer.

    There are many other ways this could work. When you attempted to buy something online, your bank would contact you in some online way, showing you the transaction details and requiring you to conf

  • While there's been plenty of talk about responsible protection of one's personal data (being careful about supplying information to an online site, for example), it sure seems like there are two areas of responsibility that are being overlooked.

    First, it's about time for the financial services industry to step up and take responsibility for designing a payment infrastructure that can accommodate the current threat environment. A sixteen-digit reusable number isn't the answer, even when coupled with real-ti

  • In most cases, the operator responds instantaneously with the requested data, notifying the poster whether the card is still active, its spending limit...


    The author of the article doesn't seem to understand the concept of bots operating channels too well...
  • Anybody remember this (I doubt there are many AOL users here, but maybe). It was a collection of utilities to mess with AOL like a tool to spam chat rooms, a way to fake like you are someone else in a chat room, and a phishing tool to send an IM to everyone in the chat room that said something along the lines of "I am an administrator. Please verify your password." You would be amazed at the number of people who would respond with a password. I now realize how much of an a**hole I was being by using clueles
