How the Phishing Biz Works
Carl Bialik from the WSJ writes "Christopher Abad has spent much of the past six months 'stalking the phisher underground,' Lee Gomes writes in the Wall Street Journal. 'The typical phisher, he discovered, isn't a movie-style villain but a Romanian teenager, albeit one who belongs to a social and economic infrastructure that is both remarkably sophisticated and utterly ragtag. If, in the early days, phishing scams were one-person operations, they have since become so complicated that, just as with medicine or law, the labor has become specialized.' For instance, a phisher in Romania who successfully scores account information for someone in the U.S. may go on IRC to seek out a 'casher' to withdraw money from the target's account, and send a cut back to the phisher."
Phishing for an FP (Score:3, Funny)
how the phising biz work? (Score:3, Funny)
Almost as informative... (Score:5, Informative)
Feh... (Score:2, Insightful)
Re:Feh... (Score:5, Interesting)
In these countries, a lot of shady property deals went down, people got screwed over, there was profiteering, extortion, and theft on a grand scale, but many of these crimes of greed were perpetrated by people who were already criminals, or former socialist potentates (or both). 'Harvard Business school types' had very little to do with it.
Re:Feh... (Score:2)
social protection systems (Score:5, Insightful)
Re:Feh... (Score:5, Insightful)
Uh, yeah, because under Ceausescu all these Romanian computer owners (with their free communications with the rest of the world) used their luxurious lifestyles for the betterment of the less fortunate...
Outsourcing (Score:3, Funny)
Re:socialism (Score:2, Offtopic)
Do a google search you xenophobic fucking idiot.
http://www.statcan.ca/english/Subjects/Labour/LFS
Wow it's 7% in Canada.
What's it in the USA?
http://www.bls.gov/ [bls.gov]
It's 5%.
Yeah, we're SOOO WORSE off here in Canada....
Tom
Re:socialism (Score:3, Insightful)
Tom
[I'm just messing around here, no "wanna fight about it" please...]
Re:socialism (Score:2)
Must be dark and smelly in there
A real person phished (Score:4, Interesting)
Re:A real person phished (Score:5, Insightful)
"What?" shriek the Slashbots, "If hot Brazilian chicks can't view the message HTML, traceroute the links and the redirects and WHOIS the resulting information, they shouldn't be allowed to use computers!" Perhaps, and perhaps me neither, but it doesn't surprise me that people get burned.
Re:A real person phished (Score:2)
Re:A real person phished (Score:2)
Then you go there and unwittingly give your password to some stranger. Now if you have a credit card or checking account tied to your paypal account you could be in trouble.
But yeah, forms that ask for personal information are easier to avoid. You know the same people that fill those out and click "send" would probably never give the same information out to a person stan
Re:A real person phished (Score:3, Interesting)
Re:A real person phished (Score:2, Insightful)
Another classic that hits my old neighborhood in st. louis every now and then. They put a letter on the doors of every house in the neighborhood proclaiming that their house represents a normal suburban dwelling and some movie producer in hollywood would like to do a test shoot to determine if they could use it fo
Re:A real person phished (Score:3, Insightful)
I don't understand why people think people in other countries are somehow fundamentally different.
People are people. Stupid, brilliant, funny, boring, fat, scrawny, beautiful, ugly etc, nationality doesn't enter into it.
Go pick up A Perfect Circle's eMOTIVe and become a dreamer.
Re:A real person phished (Score:4, Funny)
Movie style villain (Score:5, Funny)
A Romanian teenager is a typical movie style villain. Haven't they ever seen Blade?
Just Received My First Phishing Email (Score:4, Informative)
original message (i added spaces to urls so they wouldn't be links):
From : PayPal Inc.
Sent : Tuesday, June 14, 2005 3:58 PM
To : my_email@hotmail.com
Subject : Unauthorized Access: (Routing Code: P101-K001-Q-P090)
You have added funstuff12@aol.com as a new email address for your
PayPal account.
If you did not authorize this change or if you need assistance with
your account, please contact PayPal customer service at:
h ttps://www.paypal.com/cgi-bin/webscr?cmd=_login-r
Thank you for using PayPal!
The PayPal Team
Please do not reply to this e-mail. Mail sent to this address cannot be
answered. For assistance, log in to your PayPal account and choose the
"Help" link in the header of any page.
PROTECT YOUR PASSWORD
NEVER give your password to anyone and ONLY log in at
h ttps://www.paypal.com/. Protect yourself against fraudulent websites
by opening a new web browser (e.g. Internet Explorer or Netscape) and typing
in the PayPal URL every time you log in to your account.
PayPal Email ID PP1507
Re:Just Received My First Phishing Email (Score:3, Informative)
Re:Just Received My First Phishing Email (Score:3, Interesting)
Re: (Score:2)
Re:Just Received My First Phishing Email (Score:2, Insightful)
I figure someone, somewhere, must read the info, and at the very least, they get an earful (or an eyeful)
Re:Just Received My First Phishing Email (Score:2)
Re:Just Received My First Phishing Email (Score:3, Informative)
netname: FAL-NET
descr: FAL - FUNDICAO ALTO LIXA, SA
descr: Alto da Lixa - Lixa
country: PT
admin-c: PT4010-RIPE
tech-c: JMF13-RIPE
status: ASSIGNED PA
mnt-by: AS15525-MNT
source: R
Beats this article by far... (Score:4, Informative)
I've always thought (Score:4, Interesting)
Re:I've always thought (Score:3, Insightful)
Re:I've always thought (Score:2)
Re:I've always thought (Score:2)
The people who are on juries come from the same pool of people as phishing victims. If they're not smart enough to recognize the scam when it happens to them, do you really want them deciding your fate?
Courts and laws are very slow to change. The reason phishing and ID theft are so popular is that it's hard to convict someone of a crime you don't understand.
Re:I've always thought (Score:2)
Re:I've always thought (Score:2)
Re:I've always thought (Score:2)
Re:I've always thought (Score:4, Informative)
Unfortunately the problem with this approach is the collateral damage if the scam artists do not use their own machines to host the scam. The ISP or host company gets pummelled and if they didn't know anything about the scam, they're innocent bystanders.
Stereotype (Score:5, Funny)
This is a vast exaggeration. The image of an eastern europe, 'ragtag' social and economic infrastructure is, for example, in complete contrast to the well-dressed, hip, bling-bling superstars that make up my crew.
We call it Fly Phishing.
Read tfa, feeling hollow (Score:3, Insightful)
Also I have to say I doubt the notion that there are "phishers 'r us" websites/ lists/ organisations that can a). operate for any decent length of time before going down by infighting and b). stay out of the public eye for however many years now?
What I'd really like to see though, is an effort by governments to curb this kind of criminal behavior first, and then going after petty internet crime like music piracy et al. Hell, if they can bust a warez ring, a phishers ring with real, tangible damage to both banks and customers would be even easier. Especially if they (supposedly) already have leaks, like Mr. Incredible here who used his massive skills to write a vague article that really doesn't tell us much.
Lots of easy ways to solve this... (Score:5, Informative)
There are some very simple ways to solve this, en-masse...
Set up a milter that calls HTML::Strip [cpan.org] to strip out all HTML from email. I don't want my webpages on port 25, just like I don't want my email on port 80. Users don't know or care anyway, set it up at the MTA side and they'll get clean emails.
Use a real MUA, like pine, mutt or other that allows you to see the actual content of the message, not its abstracted "rendered" equivalent. I simply hit 'h' in pine, and can see the resulting link that the phisher is trying to send me to... if it doesn't match the anchor tag, it gets deleted (and forwarded to spam-$USER, see dspam below).
Don't run Windows. Nothing need more be said here. When the same ActiveX control is used by Exchange to "render" email into your mailbox as MSIE to "render" malicious HTML to your browser, you should be concerned.
Install and configure dspam [nuclearelephant.com]. Problem solved after only a few phish emails come through. Simply send them back to your internal spam-$USER address and you'll never see them again, including future ones that are similar. If you want to see them again, go into the web interface and send them to your mail, which will automagically re-score them lower so they get through. My users and I haven't seen a single spam get through to any of our mailboxes in MONTHS, not a single one. Beats the pants off of anything else out there that I've used.
Education. Teach your users that they should never respond or click URLs in email, ever, period. Show them that PayPal and eBay and other companies never ask you to log back in to verify any personal information. Show them how these systems work, and reinforce it all the time by asking them questions about it. Drill it into them.
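The manual check from the post above (compare what an anchor shows with where its href really goes) can be automated on the receiving side. This Python sketch is an added example, not code from the original comment, HTML::Strip or dspam; the function names and the sample message are constructed, and the host comparison is a plain suffix heuristic rather than a public-suffix lookup.

```python
"""Flag anchors whose visible text names one host while the href goes elsewhere."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A URL or bare hostname appearing in the visible text of a link.
URLISH = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in a message body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def same_site(a, b):
    """True if the hosts are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def mismatched_links(html_body):
    """Return (shown_host, real_host, href) for each http(s) link whose
    visible text claims a different host than the href points to."""
    parser = AnchorCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.links:
        try:
            parts = urlsplit(href)
        except ValueError:
            continue  # malformed href, nothing to compare
        if parts.scheme not in ("http", "https"):
            continue  # mailto: and similar are out of scope here
        shown = URLISH.search(text)
        if not shown:
            continue  # text such as "Help" makes no claim about a host
        shown_host = shown.group(1).lower()
        real_host = (parts.hostname or "").lower()
        if not same_site(real_host, shown_host):
            findings.append((shown_host, real_host, href))
    return findings


# Constructed sample body; 192.0.2.15 and phish.example are placeholder values.
SAMPLE = """<p>If you did not authorize this change, contact customer service at:
<a href="http://192.0.2.15/cgi-bin/webscr">https://www.paypal.com/cgi-bin/webscr</a></p>
<p>ONLY log in at <a href="https://www.paypal.com/">https://www.paypal.com/</a></p>
<p><a href="http://login.phish.example/help">Help</a></p>"""

if __name__ == "__main__":
    for shown_host, real_host, href in mismatched_links(SAMPLE):
        print(f"text shows {shown_host} but link goes to {real_host}: {href}")
```

Links with generic text are not flagged by this check, so it complements content filtering rather than replacing it.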
HTML Email is good (Score:2)
And what is wrong with sending formatted text as email? Maybe all the HTML email you get is spam, but people actually use HTML email for real work (messages including tables, images, etc.). HTML email sure beats Microsoft Word attachments, which is what people would be using otherwise.
With a decent mail reader, this is not a problem either, since they disable remote images and render HTML in a way that prevents phishing attacks.
If w
Re:HTML Email is good (Score:3, Insightful)
I don't get HTML email, actually, because its automatically stripped at the MTA, same for all of my users, and I've never heard a single complaint yet.
I was being simplistic when I suggested using HTML::Strip. The ful
Stupid people, or stupid software? (Score:4, Insightful)
I see plenty of comments qualifying people who fall for these scams as "stupid people", "being ignorant by choice" or worse. I think we should remember a few things here:
Recently, there's a new, similar scam going on where I live: it's kind of real-world fishing. People install small cameras on those ATMs, and they glue little pass-through card readers on top of the slot where you insert the card. If you use such an ATM to get money, they can read out your card data using the reader and get your pin code using the camera. These things are made in such a way that they "blend" into the ATM's interface and look like they were actually part of the ATM. Do you honestly believe that you would notice this? Do you even think of checking for something like this before getting money? Do you think that everyone should know how the different ATMs look so that they notice it when such a device is installed on them? No? Then why do you expect non-geeks to be able to discern a real mail from Pay Pal from a scam mail? Legitimate mails from many money-related web sites contain clickable links.
Even if you accept that it's the person's own fault if he gives his data to a scam artist, you should grok that you simply can't solve the problem by educating people. That's simply impossible. This is a problem that must be solved using technology. Banks should sign their mails, and mail apps should clearly notify you if a mail is not from where it purports to be. Maybe it shouldn't let the user click on links if the user doesn't have the public key for the mail. Maybe there are entirely different solutions for this problem. But one thing is clear: Educating people won't work, no matter whose fault it is.
Advantages of a Distributed Crime Network (Score:4, Insightful)
why https in paypal phishing attacks? (Score:3, Funny)
Re:why https in paypal phishing attacks? (Score:3, Funny)
https://www.paypal.com/ [goatse.cx]
email problem (Score:2)
watch out for pop-ups from shopping cart provider (Score:2, Informative)
How the WebLoyalty scam really works (Score:5, Informative)
Here's the WebLoyalty online demo. [vcart.com]. This is triggered after checkout from some other store. All the customer provides is an E-mail address, or at least a click on the big red button below the E-mail address form. Their credit card information is taken automatically from the previous transaction.
The key to WebLoyalty is that it's embedded in VirtualCart, a popular shopping cart program, and is on by default. [vcart.com] It's quite possible for a merchant to be serving the WebLoyalty scam without even being aware of it. The merchant can't even turn it off directly. From the VirtualCart WebLoyalty FAQ: [vcart.com]
And there you have it, the world's most successful phishing scam, run by a Harvard MBA.
If you need to sue those guys, look them up at the Secretary of State of Connecticut [ct.gov], web site, which has their real address and the names and addresses of the corporate officers. Their actual business name is "WebLoyalty.com, Inc."
Phishing in general... (Score:5, Interesting)
"Dear eBay member, Yes, i can ship to your location, and i accept escrow for payment.
Thank you,cowboyup618"
Then, in a boxed message there was a button with the text "Please respond to the question on eBay by clicking the button below. You'll have the option to display your response directly on the listing."
If you notice, this simple message looks like it was from a seller and he had a bid from me. If I were an active bidder on eBay, I would be concerned that I had won a bid that I had forgotten about. It would be very easy for someone in this position to click on the button.
As phishing emails go, it was a pretty good try.
meta-phishing (Score:5, Funny)
Klingons also phish.... (Score:2, Funny)
UOPO has this class! (Score:3, Funny)
Why Romanian teenagers? (Score:3, Interesting)
Re:Before you dis romanians (Score:5, Funny)
Yeah, and before you diss Americans, that "Pocket Fisherman" you see advertised on TV late night was invented by Americans...
Re:Americans (Score:3, Insightful)
Not trying to be funny, but it's people's innocence/ignorance that causes these problems. You don't have to be American to be stupid (despite some people's feelings on the matter).
Take the phrase "it's on the internet, it MUST be true [google.com.au]" for example.
Re:How it works (Score:3, Insightful)
Re:How it works (Score:2)
Honestly give a deep look at what you're saying. You're saying people should buy 30,000$ cars without looking into them. They should spend 1000s of dollars on medical treatment without reviewing the facts....
What next, buy a $250K house without first stepping into it?
I think a little knowledge in the respective fields [even if just for the purchase] could be a very GOOD IDEA.
Besides, if you knew how your car works you'd probably get more out of it. For instance, what's th
Re:How it works (Score:2)
You're seriously sitting there and saying "knowing things is a bad idea"...
The parent's point was that you don't need to know the intricate working details of everything in order to be able to effectively use it. That's the whole point of technology, we put enough layers on top of all the nitty-gr
Re:How it works (Score:2)
If you call knowing how to decode a URL "nitty-gritty"
"You don't need to know how an internal combustion engine works to effectively drive a car. Someone purposefully put a lot of effort into making a car simple
Re:How it works (Score:2)
Re:How it works (Score:3, Insightful)
As far as driving goes, most of the "morons" I see on the road are those that think they know everything and they don't. (i.e., I'm the best driver in the world and everyone else is a moron). Their ability to actually handle an automobile has little to do with knowing how the innards work.
The point in computers is that they are supposed to be easy to use. While you might find it exciting to look at a URL and understand that it isn't actually
Re:How it works (Score:2)
If you want to sell a product, you adapt to your target audience. If you make your product so that they have to expend too much effort versus the potential gain from using it, they're not going to use it.
It's Linux' fatal flaw at the moment (with the "target audience" variable being debatable).
Re:How it works (Score:2)
To Joe Computer User, looking at a URL that says something other than http://www.google.com/ [google.com] might be considered "nitty-gritty." Just like to a heart surgeon picking the right knife to make that first cut with might seem to make perfect sense, I wouldn't have a clue what to do.
Re:How it works (Score:3, Insightful)
No, I'm not.
You're saying that it's the car owner's fault if they get tricked into a repair that wasn't necessary on their vehicle. I say if someone tricks them into buying new tires when the current ones are fine, the owner should have known better. But if a mechanic tells me that my timing chain is loose, should I know better? Should I know exactly how much slack there should be in a timing chain? For that matter, should I
Re:How it works (Score:2)
I would like to add, that in an increasingly complex world, it's becoming more and more difficult to be an informed consumer and citizen. The latter, I think, was the reason for AM radio's comeback. A lot of folks needed someone to boil the issues down to soundbites for quick consumption - like it or not.
As for me, I find that simplifying my life, as much as I can, is helping me to cope. It also helps me live below my means.
Re:How it works (Score:2)
I hope you check replies to your posts. Your journal is archived, which is teh ghey, cause I have all the GIS episodes, including the supplemental ones. I'm currently 7-zipping them, and I'll upload them to my website soon, please check back.
If you need to get in touch with me re: this, you can email spam(a)dunnclan*net
Re:How it works (Score:2)
Ok, here you go:
http://elvis.netmar.com/~will/geeks.7z [netmar.com]
I can't host that forever, I do have a limit on my bandwidth, but I'll leave it there for a week or two. It's going to take about 35 more minutes to finish uploading, but it should be done by 10:30 EST June 20.
~Will
Re:How it works (Score:3, Insightful)
I don't believe the phrasing 'know exactly how [insert item] works' was ever used ... but I shouldn't have to read anything and understand before replying should I? (OK ... I'll stop being a troll/flamebait and answer the questions)
Should everyone who doesn't have a medical degree and fully understand the human body avoid medical care?
No ... but they should not blame the doctor when they don't make any effort whatsoever to educate themselves, when they don't read literature given them or follow instruc
Re:How it works (Score:2)
Sure, I think that's something we can all get behind. But the post I replied to originally indicated that those who get tricked into having an unnecessary car repair done were the ones at fault, not the crooked mechanics. I'm simply arguing that 100% knowledge isn't possible in all areas, for anyone. And it shouldn't be expected. But despite a couple of rep
Re:How it works (Score:2)
I don't quite think so ... to quote ... from the original reply ...
It's just like the occasional garage or two that will break or "fix" additional things to raise up the bill just because the average car user doesn't know **** about how a car works let alone the current state of their car.
Being ignorant by choice is not intelligent. Su
The responsibility is with the industry... (Score:2, Insightful)
People have difficulty learning technology because there is a tiered system of knowledge in anything computer/IT based, and understanding the technology at one level does not necessarily inspire one to learn the technology at a deeper level
Re:The responsibility is with the industry... (Score:2)
Like you can make Outlook as exploitless as possible. If people just download and run random
You can make a car as safe as possible but if you drive it when it's all rusted out or in disrepair you're gonna put yourself at risk.
The problem is nobody wants to take responsibility for their actions. Let's keep in mind you have to GIVE your password to the phisher. It's no
Re:The responsibility is with the industry... (Score:2, Insightful)
That being said, even when there's what I believe to be a satisfactory level of protection for the average user, there will still be plenty of people doing stupid things to expose themselves to risk. That can't be corrected entirely.
There's no one there forcing you to keep your seatbelt on, I jus
Re:How it works (Score:2)
What I said is people who CHOOSE to be ignorant deserve what they get.
If you get ramrodded on some obscure piece of information that a reasonable person who attempted to cover their bases misses
If you're just too lazy to take a semester of "outlook for dummies" at your local state college... then why bother using a computer at all?
By your logic, anyone should be able to hop into a plane and fly around. After all, forcing training and knowledge on people is
Re:How it works (Score:2)
Then it's reassuring to know you'll get yours, unless you're honestly stating that you're fully aware and informed about every aspect of your life, including those aspects you're probably unaware of.
"If you're just too lazy to take a semester of "outlook for dummies" at your local state college... then why bother using a computer at all?"
Hahahahahahaha, that's funny. Really. Here's one for you: True or False, the PC Revolution wou
Re:How it works (Score:2)
Should people take computer courses? Hell yes. Welcome to 2005. If you're not retired and plan to work for a living chances are you're gonna touch a computer.
You'll then tell me that many jobs don't use computers [short order clerks, clowns, prostitutes,
Well, they also don't use math.
Tom
Re:How it works (Score:2)
Stupid replying to zealots is taking up too much time...
Tom
Re:How it works (Score:2)
Re:How it works (Score:2)
And I'm a Physicist not a damned dirty Writer.
Re:They have the public.. (Score:5, Insightful)
for example, if a random stranger walked up to you on the street and said that they were a representative from your bank and said that they must verify your account information otherwise they will have to close down your account, you would tell them to fuck off, walk away, and maybe even call the police on them. now, that same person gets an email stating the same thing that the stranger on the street said, and suddenly they worry that "OMG i need to give this strange person all my data or they might close down my account."
they just need to learn to delete and ignore their email, similar to how they would have walked away from the stranger on the street.
Re:They have the public.. (Score:3, Insightful)
Re:They have the public.. (Score:5, Interesting)
And clueless people tend to associate email with letters. So it's not unexpected that an email complete with official looking bank logos and graphics (and wording specifically designed to trick unsuspecting people into believing it's genuine) would trick people into falling for it.
Here is a scheme that (if implemented) would almost completely stamp out phishing (for the bank that has implemented it anyway):
1. Each account that is enabled for online banking has a unique number generated for it, stored in the bank secure online banking database alongside the username and password. (call it S)
2. The customer is given a little device that would probably look like a little calculator. This device contains an embedded copy of the number generated in step 1 along with simple logic to implement a hash algorithm and a keypad.
3. When you access the internet banking site, the bank displays the login and password prompt plus a randomly generated number and a box to put the output hash into.
4. The number is stored by the bank systems in a way that directly links it to the IP address of the machine logging in and also so that it is no longer valid after a very short period of time (e.g. 20 minutes or something). Refreshing the login page would get a new different number.
5. You would input the number from the login page into your "calculator" thing which would combine it with the secret number inside the "calculator".
6. Then you input your username, password and the resulting hash into the login screen.
7. Assuming the hash generated by the "calculator" and by the bank (using the stored copy of the secret number) match, you would be allowed into the banking system.
8. The hash algorithm (call it F) would be chosen so that there is no number X such that F(S,X) = S for any significant number of values for S
9. If the "calculator" is stolen or lost or whatever, you could request a new one (with the old secret number being removed from the bank database for good)
Even if the fake login page talked to the bank's servers and retrieved a real "challenge code" (to enter into the "calculator") it wouldn't defeat the system since it (and the resulting hash) would expire long before the phisher would actually be able to make use of it.
Another option would be one-time-use values that you get from your bank and use once to access online banking. Although this option would be less safe because of this:
Phisher makes fake login page
Bank customer goes into fake login page and types in username, password and one of their one-time-use values.
Bank customer gets message back saying "system is down". Now phisher has one of the one-time-use values (error message can be written so as to convince bank customer that the one-time-use value he just used is now "used up") and can grab contents of bank account.
Myself, if my bank (The National Australia Bank) implemented the "calculator" idea, I would accept it (even if it did mean more bank fees to pay for the "calculator" device)
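The "calculator" scheme in the post above is a challenge-response login, and its server-side checks (challenge tied to the requesting IP, short lifetime, single use, device replacement) can be written out directly. This Python sketch is an added example, not code from the post or from any bank; HMAC-SHA-256 stands in for the unspecified hash F, the 8-digit code length and all names are assumptions, and the username/password check is left out to keep the focus on the challenge.

```python
"""Challenge-response login as described in the post: response = F(S, X)."""
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 20 * 60  # seconds; the post suggests roughly 20 minutes


def token_response(secret, challenge, digits=8):
    """What the hand-held device computes from its embedded secret S and the
    challenge X shown on the login page (HMAC-SHA-256 is an assumed F)."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)


class Bank:
    """Hypothetical server side holding S per account and pending challenges."""

    def __init__(self, clock=time.time):
        self._secrets = {}   # username -> S
        self._pending = {}   # challenge -> (client_ip, expires_at)
        self._clock = clock

    def enroll(self, username):
        """Create S for an account; calling again replaces a lost device's S."""
        secret = secrets.token_bytes(32)
        self._secrets[username] = secret
        return secret  # embedded into the customer's device

    def new_challenge(self, client_ip):
        """Issue a fresh random number bound to the requesting IP address."""
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._pending[challenge] = (client_ip, self._clock() + CHALLENGE_TTL)
        return challenge

    def login(self, username, challenge, response, client_ip):
        # pop() makes every challenge single use, whether or not login succeeds
        issued = self._pending.pop(challenge, None)
        if issued is None:
            return "unknown-challenge"
        bound_ip, expires_at = issued
        if self._clock() > expires_at:
            return "expired"
        if client_ip != bound_ip:
            return "wrong-ip"
        secret = self._secrets.get(username)
        if secret is None:
            return "denied"
        expected = token_response(secret, challenge)
        return "ok" if hmac.compare_digest(expected, response) else "denied"


def demo():
    """Run the checks with a controllable clock and constructed addresses."""
    now = [1_000_000.0]
    bank = Bank(clock=lambda: now[0])
    device = bank.enroll("alice")
    home, elsewhere = "198.51.100.7", "203.0.113.9"
    out = {}

    c = bank.new_challenge(home)
    r = token_response(device, c)
    out["normal"] = bank.login("alice", c, r, home)
    out["replay"] = bank.login("alice", c, r, home)       # same pair again

    c = bank.new_challenge(home)
    out["other_ip"] = bank.login("alice", c, token_response(device, c), elsewhere)

    c = bank.new_challenge(home)
    now[0] += CHALLENGE_TTL + 1                            # let it lapse
    out["late"] = bank.login("alice", c, token_response(device, c), home)

    bank.enroll("alice")                                   # device reported lost
    c = bank.new_challenge(home)
    out["old_device"] = bank.login("alice", c, token_response(device, c), home)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```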
Re:They have the public.. (Score:2)
Lucky me
Re:They have the public.. (Score:2)
they haven't?
must mean it is working!
Re:They have the public.. (Score:2)
In Germany (doing an exchange year here), it seems to
Re:They have the public.. (Score:2)
So, put gpg on a calculator... (Score:3, Informative)
BTW, you should also add a fingerprint or retina scan.
authentication:
Something you know: Your password
Something you have: Your secret key
Something you are: Your fingerprint/retinal blood vessel pattern.
The technical aspects of security are not the problem. They've been solved many times in many ways long ago. The problem is get
Re:They have the public.. (Score:2)
Email has now become the new phone call...
Jw
Re:They have the public.. (Score:2)
Re:They have the public.. (Score:2)
There are plenty of people whose inbox isn't totally bogged down and corrupted. It's those that still trust email.
Jw
Re:They have the public.. (Score:3, Interesting)
Interestingly, Derren Brown [channel4.com], a fellow specialising in psychological manipulation and stuff like that, did a stunt in a seaside resort (the clip isn't to be found at the link I gave unfortunately)
Re:IRC Cashiers Karma (Score:5, Insightful)
How so? Their way of life didn't work and the system imploded on itself. Granted we did all we could to speed the process, but we weren't the cause.
Re:IRC Cashiers Karma (Score:2)
Re:IRC Cashiers Karma (Score:3, Insightful)
How is that "interesting" and not "-1 clueless?"
Communism did not work. Period. That's why it failed. It was our "way of life" because the alternative way of life was taken away. It was destroyed because it failed miserably. Actually, it destroyed itself. Yes, US probably helped (though proving it is hard), but the core reason why communism failed were its own inadequacies: if you destroy economic incentives, you are going d
Huh? (Score:2, Interesting)
So I guess you prefer the Absolutist [wikipedia.org] way?
Here's the apple: Communist Russia was one of the global super-powers. You are suggesting they got to that status by using a flawed system of government? It's views like yours that START COLD WARS.
The only flaw in Communism is that it can be corrupted and the greedy. But the same can be said about capitalism and democracy.
Re:Huh? (Score:3, Insightful)
Yes, and I do believe that you can become an absolute power with a flawed economic system and a flawed system of government. The problem is you cannot stay an absolute power. Here is how it worked: heavy industry was the way to go in the 20s and 30s. Let's invest all we have in coal, steel and whatever else we can
Re:Huh? (Score:3, Interesting)
Taking away freedom and destroying hope for a better tomorrow is not a flaw for you? I am sure you have never waited in line for 10 hours to get a piece of meat, right?
Hold on there. I agree with your post for the most part but correlation is not causation. Communism is not a form of government, only an economic model. It has been unfortunately paired with corrupt democracies and oligarchies in recent history. In truth neither capitalism nor communism is a workable system. Pretty much every governmen
Re:Huh? (Score:3, Insightful)
What does your commute have to do with capitalism?
Capitalism is almost as much a lie as communism. The people at the top completely get to screw over the ordinary worker.
In capitalism, there is no such thing as "the ordinary worker." If you're fed up with doing menial, unsatisfying work, then start your own business or find a job elsewhere that you like better. That's capitalism.
It may not lo
Re:IRC Cashiers Karma (Score:2)