Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security IT

FBI Cracks "Largest Phishing Case Ever" 132

nk497 writes "The FBI and Egyptian authorities have arrested 100 people in what they're calling 'the largest international phishing case ever conducted' as part of a wide-scale investigation called Operation Phish Phry. The criminals used phishing to get access to hundreds of bank accounts, stealing $1.5 million. 'This international phishing ring had a significant impact on two banks and caused huge headaches for hundreds, perhaps thousands of bank customers,' said Acting US Attorney George S. Cardona."
This discussion has been archived. No new comments can be posted.

FBI Cracks "Largest Phishing Case Ever"

Comments Filter:
  • by Bob_Who ( 926234 ) on Thursday October 08, 2009 @07:44AM (#29679761) Journal
    ....talk about damage control!
    • Re: (Score:3, Insightful)

      by erroneus ( 253617 )

      I think it goes to show what being personally involved and affected can do to job performance at the FBI. The previous story talks about why the FBI head guy doesn't do online banking... he was almost fooled by this sort of scammer. Suddenly they apply the weight of their position against the problem and come up with results.

      So when it comes to the many, many things that aren't be accomplished, I have to wonder if it's because they don't care.

      • Re:That was fast (Score:5, Insightful)

        by justinlee37 ( 993373 ) on Thursday October 08, 2009 @08:43AM (#29680365)
        If you had read the article, you'd notice that the FBI have been working on this particular case since 2007. The story about Mueller nearly falling for a phishing scam is from 2009. I don't think the two events have anything to do with each other.
        • by thijsh ( 910751 )
          Have you learned nothing at your work? The FBI was 'on the case' since 2007, probably outsourced the real work to some poor suckers in IT and just sat on their asses for two years. Until Mueller gave them an angry call why he was still being phished while they were 'fixing the problem'. From that moment they had to produce results fast to please the boss... they probably just arrested the first guys on the watch list compiled in 2007.
          • by MarkvW ( 1037596 )

            Wow! Great post! When are you starting your next conspiracy story?

          • they probably just arrested the first guys on the watch list compiled in 2007.

            In which case, I hope for the sakes of the ~100 people they've nailed so far that they managed to skim more than $1.5M between them. If they're all involved in the same scam, that's only $150K each, which is pretty much peanuts nowadays.

            If I were likely to do the same time in PITA jail for stealing $100 as I would for $100*10^6, I'd make damn sure I did the latter.
        • Re: (Score:1, Insightful)

          by Anonymous Coward

          If you had read the article, you'd notice that the FBI have been working on this particular case since 2007. The story about Mueller nearly falling for a phishing scam is from 2009. I don't think the two events have anything to do with each other.

          100 people stole $1.5 million over the course of two years. That's about $7500 per person per year. Phishing doesn't seem to be a very lucrative profession.

      • >>>I think it goes to show what being personally involved and affected can do to job performance at the [government]

        Fixed.

        You think it's coincidence that the roads leading into and out of D.C. are the smoothest in the whole nation? People in power fix what affects them directly, give a passing notice when constituents complain, and ignore all else. (Which is a good argument for why power & politicians should be concentrated *at home*, rather than 2000 miles away in some central capital.)

    • by A. B3ttik ( 1344591 ) on Thursday October 08, 2009 @07:58AM (#29679887)
      Lets set up our e-mail accounts to forward all Spam to the head of the FBI. If this story is any indication, it shouldn't take more than 45 minutes to get rid of the problem.
      • Re:That was fast (Score:5, Insightful)

        by Jurily ( 900488 ) <jurily AT gmail DOT com> on Thursday October 08, 2009 @08:23AM (#29680135)

        Your post advocates a

        ( ) technical ( ) legislative ( ) market-based (X) vigilante

        approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

        ( ) Spammers can easily use it to harvest email addresses
        ( ) Mailing lists and other legitimate email uses would be affected
        ( ) No one will be able to find the guy or collect the money
        ( ) It is defenseless against brute force attacks
        ( ) It will stop spam for two weeks and then we'll be stuck with it
        ( ) Users of email will not put up with it
        ( ) Microsoft will not put up with it
        (X) The police will not put up with it
        ( ) Requires too much cooperation from spammers
        ( ) Requires immediate total cooperation from everybody at once
        ( ) Many email users cannot afford to lose business or alienate potential employers
        ( ) Spammers don't care about invalid addresses in their lists
        ( ) Anyone could anonymously destroy anyone else's career or business

        Specifically, your plan fails to account for

        ( ) Laws expressly prohibiting it
        ( ) Lack of centrally controlling authority for email
        ( ) Open relays in foreign countries
        ( ) Ease of searching tiny alphanumeric address space of all email addresses
        ( ) Asshats
        ( ) Jurisdictional problems
        ( ) Unpopularity of weird new taxes
        ( ) Public reluctance to accept weird new forms of money
        ( ) Huge existing software investment in SMTP
        ( ) Susceptibility of protocols other than SMTP to attack
        ( ) Willingness of users to install OS patches received by email
        (X) Armies of worm riddled broadband-connected Windows boxes
        ( ) Eternal arms race involved in all filtering approaches
        ( ) Extreme profitability of spam
        (X) Joe jobs and/or identity theft
        ( ) Technically illiterate politicians
        ( ) Extreme stupidity on the part of people who do business with spammers
        ( ) Dishonesty on the part of spammers themselves
        (X) Bandwidth costs that are unaffected by client filtering
        ( ) Outlook

        and the following philosophical objections may also apply:

        ( ) Ideas similar to yours are easy to come up with, yet none have ever
        been shown practical
        ( ) Any scheme based on opt-out is unacceptable
        ( ) SMTP headers should not be the subject of legislation
        ( ) Blacklists suck
        ( ) Whitelists suck
        ( ) We should be able to talk about Viagra without being censored
        ( ) Countermeasures should not involve wire fraud or credit card fraud
        (X) Countermeasures should not involve sabotage of public networks
        ( ) Countermeasures must work if phased in gradually
        ( ) Sending email should be free
        ( ) Why should we have to trust you and your servers?
        ( ) Incompatiblity with open source or open source licenses
        (X) Feel-good measures do nothing to solve the problem
        ( ) Temporary/one-time email addresses are cumbersome
        (X) I don't want the government reading my email
        ( ) Killing them that way is not slow and painful enough

        Furthermore, this is what I think about you:

        (X) Sorry dude, but I don't think it would work.
        ( ) This is a stupid idea, and you're a stupid person for suggesting it.
        ( ) Nice try, assh0le! I'm going to find out where you live and burn your
        house down!

  • Hmmm. (Score:2, Funny)

    by Flowstone ( 1638793 )
    Always been more of a sushi guy myself, guess i'll have to wait for operation bonzai.
  • by ubrgeek ( 679399 ) on Thursday October 08, 2009 @07:48AM (#29679809)
    The one about "Why the FBI Director Doesn't Bank Online"?
  • Seriously.... the FBI would obviously be much more productive
  • Quick! (Score:4, Funny)

    by bryanp ( 160522 ) on Thursday October 08, 2009 @07:59AM (#29679891)

    Someone tell the FBI director it's safe for him to log on again.

    • Re:Quick! (Score:4, Funny)

      by The New Andy ( 873493 ) on Thursday October 08, 2009 @08:11AM (#29680021) Homepage Journal
      What's his email? I'll send him a link so he can reactivate his account and get going again.
      • Re:Quick! (Score:5, Funny)

        by L4t3r4lu5 ( 1216702 ) on Thursday October 08, 2009 @08:30AM (#29680209)
        Don't forget that he'll need to re-validate his security credentials at http://confirm.credentials.here.genuine.yourbank.fsdnp4895.imgonnagetyourmoney.com/bankbanksecurity.html [imgonnagetyourmoney.com]
        • Re:Quick! (Score:5, Insightful)

          by TheRaven64 ( 641858 ) on Thursday October 08, 2009 @09:01AM (#29680581) Journal

          http://confirm.credentials.here.genuine.yourbank.fsdnp4895.imgonnagetyourmoney.com/bankbanksecurity.html [imgonnagetyourmoney.com]

          Am I the only one that thinks it's sad that Slashdot's code for avoiding accidental goatse clicks is better than many mail client's code for avoiding having someone steal all of your money?

          • Honestly, I don't know why mail readers don't simply disable, or not link to urls with more than 3 dots in the hostname portion, or are an IP address. I mean, is there *REALLY* a need to have more than four points in a domain for an emailed URL... sub.section.your.domain is enough... if there's more, you can always copy/paste, but this might get people to think twice, not to mention catch the people who paste URLs into their google/yahoo/bing search page instead of the URL input.

            • by ais523 ( 1172701 )
              The homepage of the place I currently work has four dots: "www.department.organisation.secondleveldomain.country". Of course, pretty much everyone here will know that it's hugely crazy that the site doesn't work without the www, but there's often legitimate need for URLs like those. (You probably forgot that country codes are used in many non-american domains...)
              • then users could cut/paste direct links, or you could use a shortening tool like tr.im or bit.ly ... which for a bank/paypal scam would be obvious.

            • How about this?

                http ://www.yourbank.com@mydomain.com/bankbanksecurity.html ?

              Does it pass the "more than 3 dots" test?

              • Just wondering what slashdot does without the extra space:
                http://mydomain.com/bankbanksecurity.html [mydomain.com]

                Looks like it detected and trimmed it, which is why you had to put a space in there. So the answer is yes, goatse turned out to be helpful, giving us the tools we need to prevent phishing attempts.

          • Am I the only one that thinks it's sad that Slashdot's code for avoiding accidental goatse clicks is better than many mail client's code for avoiding having someone steal all of your money?

            Obviously you've never clicked on a goatse link at work or while your girlfriend was looking over your shoulder. It may be painful, but you can recover from online identity theft.In the long run, however, no amount of psychotherapy and pills will eliminate that terrible image from being permanently scalded into your brain cavities. Nor will it restore your job or help you ever live down the fact that you once got dumped for, "being into extreme male anal fetishes." =P

    • Re: (Score:1, Flamebait)

      by elrous0 ( 869638 ) *
      It's probably best that he stay off the internet. Of course, it's probably also best that he not be the head of the FBI either.
  • Best use of money? (Score:2, Interesting)

    by yamfry ( 1533879 )
    They spent 2+ years of US and Egyptian government resources to prosecute 100 people for tricking other people out of 1.5 million dollars. They will spend more resources on each of the 100 peoples' court cases. If their cases hold up in court they will spend more government resources to keep them in jail for up to 20 years each. They didn't state a dollar amount spent on this initiative in TFA, but wouldn't it be more efficient to use that money to educate online banking users on how to avoid phishing scans?
    • by Kokuyo ( 549451 ) on Thursday October 08, 2009 @08:06AM (#29679977) Journal

      Thereby teaching people it's okay to scam away as long as they just get a few million out of it. So when about a thousand different people do it independently, you're looking at total damages of 1.5 BILLION all of a sudden.

      Sure, hte effort cost a lot of money but imagine what would happen if people started to believe they can get away with this sort of thing.

      • It took 2 years to build a case against 100 of these people, and I'd be incredibly surprised if 100 people even amount to 1% of all phishers. I'd say that that the other 99% have pretty much gotten away with it.
      • by yamfry ( 1533879 )
        Well, that depends on what we would like the purpose of punishment to be. If we want to put these people in jail to get revenge on them for stealing money then cost is not an issue. If we want to decrease the money lost in phishing, then we can focus efforts on making it more risky for people to steal or teach people and banks how to prevent theft.
        If we want to make it more risky, here's some calculations based on a minimum of research [emphasis on minimum]: Total annual amount lost in phishing in the US
        • Don't forget the "it'll never happen to me" attitude that allows people to ignore the risks and do phishing anyway.
          There will never be a short supply of people desperate enough to become phishers, just like house robberies are still an issue (despite, I am assuming, higher arrest rates).
    • by Krneki ( 1192201 )

      but wouldn't it be more efficient to use that money to educate online banking users on how to avoid phishing scans?

      If the FBI director (almost) falls for it, what are the chances Joe will spot the difference?

      The techniques used gets better and better and you really must know what you are doing and be focused to avoid the scam. But maybe a better technique would be to give banks a rating, so we know which one has the highest amount of successful online scams.

      • Re: (Score:3, Interesting)

        by Bigbutt ( 65939 )

        I'd expect higher level managerial types to be just as likely as the average Joe on the street really. There's nothing technically special about managers. Heck, my wife has been just as close to falling for a phishing scam. Maybe he has a postit note on his monitor too. The one that says "Don't click on links in e-mails!" :)

        [John]

        • by craagz ( 965952 )
          Maybe because the managerials types are from another generation. Not used to the varied ways of the tubes.
          • by Bigbutt ( 65939 )

            Well, perhaps the higher level ones like Mueller. He's likely 15 years or so older than me.

            [John]

      • The old boss of GCHQ [wikipedia.org] was Director of Personnel and Director of Finance before taking over the top job for the Home Office. Consider; He only has to be a good manager / director, not a good intelligence expert.
      • If the FBI director (almost) falls for it, what are the chances Joe will spot the difference?

        You're right. Joe Sixpack is much smarter than the director of the FBI.

    • Re: (Score:2, Insightful)

      by thepooh81 ( 1606041 )

      This is a great point. Although educating online banking users might not be the answer. Why don't banks have a 2-phased authorization type system (i.e. What you have and What you know)? I would gladly pay $5-$20 to have a PRNG pass-key (What I have) used in conjunction with a PIN (What I know) and have a more secure online banking system.

      INGDirect uses a fairly good system by having a personalized phrase & picture displayed every time you log in while you click on the number images to input your PIN to

      • Re: (Score:2, Interesting)

        by Hinhule ( 811436 )

        My bank has had this for years.

        To log on you enter your SSN, you get a random number. You take your pass generator, enter the pin then the random number number. You get a new number which you use as the password.
        Also, new recipients must be authenticated in the same way, which makes it much less likely a program running on your computer can add a transaction once you have logged on.

      • Both of my banks have this, however, the basic service is a card with 20-30 passwords on it.
        To log in, you need to type your user number, regular password and one password from the card. 3 failed attempts and your access is blocked (you need to go to the bank to reactivate it).
        If you want to transfer money to some account that does not belong to you, you also need to enter one password from the card.

        For some money you can get a password generator which you use instead of the card.

      • my world of warcraft account is now more secure, courtesy of the iphone authenticator, than my real bank account. this is pathetic.
      • by Dahan ( 130247 )

        This is a great point. Although educating online banking users might not be the answer. Why don't banks have a 2-phased authorization type system (i.e. What you have and What you know)? I would gladly pay $5-$20 to have a PRNG pass-key (What I have) used in conjunction with a PIN (What I know) and have a more secure online banking system.

        Bank of America [bankofamerica.com] offers that. You can either have them send an SMS to your phone with a number that you have to enter on the website; or you can buy a hardware token for $20.

    • You forgot to take into account the number of thefts that WON'T happen because of one of the following:

      1) assholes who are sent to jail and knocked out of the fraud business by virtue of being behind bars
      2) would-be assholes who get spooked out of the fraud business by virtue of being scared of going to jail

  • The FBI director actually fell for a previous phishing scam and this was REVENGE!!!
  • Way to reel 'em in!
  • by TwistedGreen ( 80055 ) on Thursday October 08, 2009 @08:06AM (#29679983)
    Shouldn't this have been handled by the Department of Phisheries?
  • by Danathar ( 267989 ) on Thursday October 08, 2009 @08:27AM (#29680177) Journal

    I think Fried Phish would of been better.

  • We just wait for the Al Quaida to attack the FBI director and the FBI will finally start to bring them down the next day.
  • There was a guy arrested in Brazil a couple of years ago that scammed over 10 million dollars.

  • by david.emery ( 127135 ) on Thursday October 08, 2009 @08:37AM (#29680303)

    I was pretty religious about forwarding all the phishing emails I got purporting to be from Bank of America to BOA's fraud line.

    Lately I'm getting swamped by IRS phishes "notice of underreported income" (perhaps 100 of them so far), that I've been sending to the phishing mailbox at irs.gov. Hopefully that'll help close that particular scheme.

    How about capital punishment for widespread internet fraud???

    • Re: (Score:3, Funny)

      by Java Pimp ( 98454 )

      Lately I'm getting swamped by IRS phishes "notice of underreported income" (perhaps 100 of them so far), that I've been sending to the phishing mailbox at irs.gov.

      Wait... those aren't Phishes... I was doing the same thing for a while... then the IRS just started showing up at my house in person. They didn't buy it when I tried telling them I thought someone was trying to scam me... Bad times those were... Bad times...

      • by PPH ( 736903 )

        Wait... those aren't Phishes... I was doing the same thing for a while... then the IRS just started showing up at my house in person.

        Get a PO Box dude! The IRS has no idea where I am.

        It also helps to have a residence with an "undeliverable" address.

    • by Gilmoure ( 18428 )

      Yeah, I keep getting some kind of phishing email saying it's from Southwest Airlines and that the TSA wants me to 'update' my info.

      Yeah, I'll get right on that one.

  • Codename (Score:5, Funny)

    by MBGMorden ( 803437 ) on Thursday October 08, 2009 @08:44AM (#29680371)

    I swear I would have never believe that the FBI had it in them to pick a name as cool sounding as "Operation Phish Phry".

  • Start charging (Score:3, Insightful)

    by m0s3m8n ( 1335861 ) on Thursday October 08, 2009 @08:51AM (#29680455)
    This is not a popular idea and most say it is a fail, but we need to start charging for each email sent, not much, but enough so that zombie box owners will wake up when their next monthly bill arrives. But the email charge must be ultimately paid by the ISPs who are the actual gateways onto the net. This way they too have an incentive to stop the flow of spam. And since the ISP must pay or be disconnected, third-world spam would dry up too. Use the money generated for backbone maintenance/improvement. Flame on.
    • Re: (Score:1, Insightful)

      by Anonymous Coward

      Your post advocates a

      ( ) technical ( ) legislative (x) market-based ( ) vigilante

      approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

      ( ) Spammers can easily use it to harvest email addresses
      (x) Mailing lists and other legitimate email uses would be affected
      ( ) No one will be able to find the guy or collect the mone

    • by spidkit ( 992102 )
      We already get a bill for internet services. It's not complicated to send each email account holder the total quantity of emails sent as part of their monthly bill. Surely that approach should twig a compromised machine owner to action if their box sent 1000's of emails.
      • Very small amounts of the spam is sent though the ISP mail gateway. To get a mildly accurate number the ISP would need to deep packet inspect all traffic to the standard mail gateways ports. While this is possible there is very little immediate benefit to the ISP. As the infrastructure cost is immediate most ISPs only deploy a trial to benchmark the system before abandoning the project.

        I am also fairly sure that most people only glance at their bills for the amount due.

      • by cdrguru ( 88047 )

        So let's see what happens if your neighbor gets a bill in the mail indicating that they used 34 thousand quadriloons. There are only two possible responses:

        1. Wow. That's nice.
        2. Frantically calls ISP believing they only used 22 thousand.

        End result? Nothing happens. We are talking about something that makes as much sense to your neighbor as "34 thousand quadriloons". The truth is that these people are incapable of "administering" their computer system and what we have are general-purposes computer syst

    • then take all that cash, and invest it in third world communication infrastructure. that should shut the critics up

    • Your post advocates a

      ( ) technical (*) legislative ( ) market-based ( ) vigilante

      approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

      ( ) Spammers can easily use it to harvest email addresses
      (*) Mailing lists and other legitimate email uses would be affected
      ( ) No one will be able to find the guy or collec
  • ...if the offenders are stuffed and mounted. Maybe they can be implated with cheesey electronics and form a choir of Billy Bass!
  • Contrary to popular opinion on Slashdot, I believe the Mueller story was a classic bait to raise interest and to be followed by this real story.

    Think about it - mainstream media ignores tech stories or buries them somewhere no one reads them. Meanwhile, stories about people affected by a problem are always given prominence.

    Let me put it this way:
    1. Put out a sensationalistic story about how no one (not even the head of FBI) is safe from phishing - raise fear, uncertainty and doubt.
    2. Get the real story out

  • by hesaigo999ca ( 786966 ) on Thursday October 08, 2009 @09:45AM (#29681113) Homepage Journal

    They let this go on, because they think the cost of ruining a few lives is ok, as long as in the end they make their bust and all is ok in coptown. Problem is , real time transactions are happening while they study the case, and letting 1.5 million slip through in order to follow the trace back to the top. Like a guy holding a camera while someone is being mugged by a lynch mob and doing nothing, should there not also be consequences especially when FEDS (of all people) let something like this happen,
    when they have the power to stop it in its tracks....instead of letting it go on, and on, how long was this case going on for...?

    Hard decisions, but sometimes the ends do not justify the means.
    I had a ticket once for running through a stop sign, although it was covered almost 100% behind a tree, as I mentioned this to the cop, they told me to just say that in court as they knew many people would run through, instead of just telling the city to fix the problem....however I felt very frustrated, should there have been a kid playing nearby and I had not seen the sign, I would have maybe run him over by accident, then the cop would have been responsible for his life being lost, because instead of directing traffic (like when an intersection is burned out) they were using the hidden stop sign to generate revenue....very depressing!

    • Yeah, I got a ticket like that once, too. Wasn't in Glendora, CA, was it? :p

      I'm in the vendor side of anti-phishing, and I've got to challenge the idea that the FBI had the power to stop those events in their tracks. Sure, they could have busted a small number of low-level criminals early in the investigation, but that wouldn't have stopped anything. The higher-level criminals would have continued as usual, made more wary by the bust of a few small fish. To fully investigate and to build a case that will w

    • by JSBiff ( 87824 )

      "They let this go on, because they think the cost of ruining a few lives is ok, as long as in the end they make their bust and all is ok in coptown."

      How are they *supposed* to stop it if they don't know everyone involved? Busting one punk out of a group of 100+ conspirators won't even put a dent in the fraud. The only *way* to stop the fraud is for them to take the time to trace out the whole network.

      "when they have the power to stop it in its tracks."

      That's a bold statement. How do they stop it in it's tra

      • Probably, but at least offer to help rebuild the damages caused by your lack of action.
        I know a few people who got stung by identity theft and still have problems today because of it, and yet, you would think with the power that the FBI has, they could write up a sort of side note on that person's record that would help rectify any problems associated with this type of activity, on that person's account.

        Of course not, that would mean they accept responsibility for their actions...which they never do, siting

  • The ultimate credit collection is now for sale. For 10 million dollars ($10,000,000.00), plus $500,000 copying and media fees, you can be the exclusive buyer of this collection. That's right. This is the ULTIMATE credit card number collection. There is no collection any larger. Only ONE copy will be sold to the lucky buyer. This is actually a lower cost than any other offer by any other credit card list provider. This is an amazing 10 million (10,000,000) card numbers per penny ... a total of ten qua

  • Are you down with the O.P.P.?

    O is for Operation, P is for Phish don't you know,
    The last P, well that's not so simple bro ...

  • My goodness that is about as dumb as an undercover officer wearing one of those tee-shirts that says "Police" on it! I mean, if I were into malicious computer activity, (disclaimer: I am not involved in malicious computer activity, nor do I condone or recommend it, and know of no one who is, nor have I ever knowingly engaged in it) I sure as heck would not name my activity after what I am doing. Let's call it the "Biggest Worm Ever", think we'll get caught???!!! Dumb, just palin (not a typo) dumb!
  • almost getting into a car accident and saying "I'll never drive again"...
  • This may be having an effect. I'm seeing a small decline in major domains being exploited by phishing scams. [sitetruth.com] That monitors phishing attacks which use major domains to give themselves convincing-looking URLs.

    In the year and a half we've been monitoring this, the number of sites being exploited has dropped from 174 to today's value of 37. We nag sites that have problems to tighten up their security. It's working. Ebay used to have a security hole which allowed creating URLs under "ebay.com" that redir

  • ... you should have seen the size of the one that got away!

Technology is dominated by those who manage what they do not understand.

Working...