FBI Cracks "Largest Phishing Case Ever" 132
nk497 writes "The FBI and Egyptian authorities have arrested 100 people in what they're calling 'the largest international phishing case ever conducted' as part of a wide-scale investigation called Operation Phish Phry. The criminals used phishing to get access to hundreds of bank accounts, stealing $1.5 million. 'This international phishing ring had a significant impact on two banks and caused huge headaches for hundreds, perhaps thousands of bank customers,' said Acting US Attorney George S. Cardona."
That was fast (Score:5, Funny)
Re: (Score:3, Insightful)
I think it goes to show what being personally involved and affected can do to job performance at the FBI. The previous story talks about why the FBI head guy doesn't do online banking... he was almost fooled by this sort of scammer. Suddenly they apply the weight of their position against the problem and come up with results.
So when it comes to the many, many things that aren't be accomplished, I have to wonder if it's because they don't care.
Re:That was fast (Score:5, Insightful)
Classic boss scenario (Score:2, Insightful)
Re: (Score:2)
Wow! Great post! When are you starting your next conspiracy story?
Re: (Score:1)
In which case, I hope for the sakes of the ~100 people they've nailed so far that they managed to skim more than $1.5M between them. If they're all involved in the same scam, that's only $150K each, which is pretty much peanuts nowadays.
If I were likely to do the same time in PITA jail for stealing $100 as I would for $100*10^6, I'd make damn sure I did the latter.
Re: (Score:2)
Re: (Score:1, Insightful)
100 people stole $1.5 million over the course of two years. That's about $7500 per person per year. Phishing doesn't seem to be a very lucrative profession.
Re: (Score:2)
>>>I think it goes to show what being personally involved and affected can do to job performance at the [government]
Fixed.
You think it's coincidence that the roads leading into and out of D.C. are the smoothest in the whole nation? People in power fix what affects them directly, give a passing notice when constituents complain, and ignore all else. (Which is a good argument for why power & politicians should be concentrated *at home*, rather than 2000 miles away in some central capital.)
Re: (Score:2, Informative)
Re: (Score:2)
Perhaps it's because you've never driven anywhere else? DC's I-95, I-295, I-66, and I-270 are like glass compared to the terrible pothole-ridden interstates leading into or out-of Philadephia, New York, Boston, Chicago, Seattle.
And the absolute worst interstate I've ever driven was I-40 through Oklahoma City which feels like your car's going to shake to pieces. The highways/interstates leaving D.C. truly are the best in the whole nation, because that's the center of power and Congressmen would not stand
Re: (Score:1)
You're wrong on this one.
I can easily think of 3 states off the top of my head with better roads: California, Colorado, and Texas.
DC highways are not bad, but if you haven't been here in a few years, you might wanna go take a run around the 495 loop and tell me how smooth those highways are.
(Nevermind the constant lane closures for "construction".
Re: (Score:2)
Re:That was fast (Score:5, Funny)
Re:That was fast (Score:5, Insightful)
Your post advocates a
( ) technical ( ) legislative ( ) market-based (X) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
(X) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
(X) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
(X) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(X) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
(X) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
(X) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!
Re: (Score:2, Insightful)
You have a lot of time on your hands, don't you?
Re:That was fast (Score:4, Funny)
Re: (Score:3, Informative)
But "here" was new as well (actually non existing) when these forms first appeared on the Usenet.
This particular form is quite right and not just funny.
There are others, especially of flamebaiting nature, which are really creative.
Re: (Score:1)
Re: (Score:2)
Is there a known online repository of other forms similar to this somewhere?
Re: (Score:2)
( ) Asshats
There must be something wrong with you: I've never seen one of these forms before where "Asshats" wasn't ticked.
Re: (Score:2)
Dear sir or madam,
Your post
(x)woosh'd
(x)intentionally woosh'd
( )runs linux
(x)was copy pasted with a few X filled in
(x)was funny
( )???
( )profit
Hmmm. (Score:2, Funny)
Is this related to the next story? (Score:3, Interesting)
Re:Is this related to the next story? (Score:4, Insightful)
Re: (Score:1)
Re: (Score:3, Insightful)
Re: (Score:1)
If only Robert Mueller got more spam... (Score:1)
Quick! (Score:4, Funny)
Someone tell the FBI director it's safe for him to log on again.
Re:Quick! (Score:4, Funny)
Re:Quick! (Score:5, Funny)
Re:Quick! (Score:5, Insightful)
http://confirm.credentials.here.genuine.yourbank.fsdnp4895.imgonnagetyourmoney.com/bankbanksecurity.html [imgonnagetyourmoney.com]
Am I the only one that thinks it's sad that Slashdot's code for avoiding accidental goatse clicks is better than many mail client's code for avoiding having someone steal all of your money?
Re: (Score:2)
Honestly, I don't know why mail readers don't simply disable, or not link to urls with more than 3 dots in the hostname portion, or are an IP address. I mean, is there *REALLY* a need to have more than four points in a domain for an emailed URL... sub.section.your.domain is enough... if there's more, you can always copy/paste, but this might get people to think twice, not to mention catch the people who paste URLs into their google/yahoo/bing search page instead of the URL input.
Re: (Score:2)
Re: (Score:2)
then users could cut/paste direct links, or you could use a shortening tool like tr.im or bit.ly ... which for a bank/paypal scam would be obvious.
Re: (Score:1)
How about this?
http ://www.yourbank.com@mydomain.com/bankbanksecurity.html ?
Does it pass the "more than 3 dots" test?
Re: (Score:2)
Just wondering what slashdot does without the extra space:
http://mydomain.com/bankbanksecurity.html [mydomain.com]
Looks like it detected and trimmed it, which is why you had to put a space in there. So the answer is yes, goatse turned out to be helpful, giving us the tools we need to prevent phishing attempts.
Re: (Score:2)
Am I the only one that thinks it's sad that Slashdot's code for avoiding accidental goatse clicks is better than many mail client's code for avoiding having someone steal all of your money?
Obviously you've never clicked on a goatse link at work or while your girlfriend was looking over your shoulder. It may be painful, but you can recover from online identity theft.In the long run, however, no amount of psychotherapy and pills will eliminate that terrible image from being permanently scalded into your brain cavities. Nor will it restore your job or help you ever live down the fact that you once got dumped for, "being into extreme male anal fetishes." =P
Re: (Score:1)
Re: (Score:1, Flamebait)
Best use of money? (Score:2, Interesting)
Re:Best use of money? (Score:4, Insightful)
Thereby teaching people it's okay to scam away as long as they just get a few million out of it. So when about a thousand different people do it independently, you're looking at total damages of 1.5 BILLION all of a sudden.
Sure, hte effort cost a lot of money but imagine what would happen if people started to believe they can get away with this sort of thing.
They can't? (Score:1)
Re: (Score:1)
If we want to make it more risky, here's some calculations based on a minimum of research [emphasis on minimum]: Total annual amount lost in phishing in the US
Re: (Score:2)
There will never be a short supply of people desperate enough to become phishers, just like house robberies are still an issue (despite, I am assuming, higher arrest rates).
Re: (Score:2)
but wouldn't it be more efficient to use that money to educate online banking users on how to avoid phishing scans?
If the FBI director (almost) falls for it, what are the chances Joe will spot the difference?
The techniques used gets better and better and you really must know what you are doing and be focused to avoid the scam. But maybe a better technique would be to give banks a rating, so we know which one has the highest amount of successful online scams.
Re: (Score:3, Interesting)
I'd expect higher level managerial types to be just as likely as the average Joe on the street really. There's nothing technically special about managers. Heck, my wife has been just as close to falling for a phishing scam. Maybe he has a postit note on his monitor too. The one that says "Don't click on links in e-mails!" :)
[John]
Re: (Score:1)
Re: (Score:2)
Well, perhaps the higher level ones like Mueller. He's likely 15 years or so older than me.
[John]
Re: (Score:2)
Re: (Score:1)
If the FBI director (almost) falls for it, what are the chances Joe will spot the difference?
You're right. Joe Sixpack is much smarter than the director of the FBI.
Re: (Score:2, Insightful)
This is a great point. Although educating online banking users might not be the answer. Why don't banks have a 2-phased authorization type system (i.e. What you have and What you know)? I would gladly pay $5-$20 to have a PRNG pass-key (What I have) used in conjunction with a PIN (What I know) and have a more secure online banking system.
INGDirect uses a fairly good system by having a personalized phrase & picture displayed every time you log in while you click on the number images to input your PIN to
Re: (Score:2, Interesting)
My bank has had this for years.
To log on you enter your SSN, you get a random number. You take your pass generator, enter the pin then the random number number. You get a new number which you use as the password.
Also, new recipients must be authenticated in the same way, which makes it much less likely a program running on your computer can add a transaction once you have logged on.
Re: (Score:2)
Both of my banks have this, however, the basic service is a card with 20-30 passwords on it.
To log in, you need to type your user number, regular password and one password from the card. 3 failed attempts and your access is blocked (you need to go to the bank to reactivate it).
If you want to transfer money to some account that does not belong to you, you also need to enter one password from the card.
For some money you can get a password generator which you use instead of the card.
Re: (Score:2)
Re: (Score:1)
This is a great point. Although educating online banking users might not be the answer. Why don't banks have a 2-phased authorization type system (i.e. What you have and What you know)? I would gladly pay $5-$20 to have a PRNG pass-key (What I have) used in conjunction with a PIN (What I know) and have a more secure online banking system.
Bank of America [bankofamerica.com] offers that. You can either have them send an SMS to your phone with a number that you have to enter on the website; or you can buy a hardware token for $20.
Re: (Score:2)
You forgot to take into account the number of thefts that WON'T happen because of one of the following:
1) assholes who are sent to jail and knocked out of the fraud business by virtue of being behind bars
2) would-be assholes who get spooked out of the fraud business by virtue of being scared of going to jail
You know why this was? (Score:2)
Good job, guys! (Score:1)
Jurisdiction (Score:5, Funny)
Re: (Score:1)
Sorry, didn't mean to be a pedant, but I was curious exactly who regulates the fisheries.
There are so many Government agencies that regulate shit, it's hard to keep track and it does occasionally come in handy - like when a bank screws you the folks that they are afraid of is the Office of the Comptroller of the Currency. occ.treas.gov [treas.gov]
Re: (Score:2, Funny)
There are so many Government agencies that regulate shit
No, I think that would be your local government/water utility.
Re: (Score:2)
Sorry, didn't mean to be a pedant, but I was curious exactly who regulates the fisheries.
The Ministry of Agriculture.
Re:Jurisdiction (Score:4, Informative)
I thought it was The Department of Phish and Game.
[John]
Oh yeah .... (Score:1)
They spelled phish wrong - they spelled it with an 'F' - that's government for you!
Re: (Score:1)
Re: (Score:2)
Rather than the current Department of Philistines?
Operation code name (Score:3, Funny)
I think Fried Phish would of been better.
Re: (Score:2)
I think "would've" would have been better.
I finally know how we can win the "war on terror"! (Score:2)
Largest phishing case ever? (Score:1)
There was a guy arrested in Brazil a couple of years ago that scammed over 10 million dollars.
Hope those 'BOA' Phishes I forwarded helped (Score:3, Interesting)
I was pretty religious about forwarding all the phishing emails I got purporting to be from Bank of America to BOA's fraud line.
Lately I'm getting swamped by IRS phishes "notice of underreported income" (perhaps 100 of them so far), that I've been sending to the phishing mailbox at irs.gov. Hopefully that'll help close that particular scheme.
How about capital punishment for widespread internet fraud???
Re: (Score:3, Funny)
Lately I'm getting swamped by IRS phishes "notice of underreported income" (perhaps 100 of them so far), that I've been sending to the phishing mailbox at irs.gov.
Wait... those aren't Phishes... I was doing the same thing for a while... then the IRS just started showing up at my house in person. They didn't buy it when I tried telling them I thought someone was trying to scam me... Bad times those were... Bad times...
Re: (Score:2)
Wait... those aren't Phishes... I was doing the same thing for a while... then the IRS just started showing up at my house in person.
Get a PO Box dude! The IRS has no idea where I am.
It also helps to have a residence with an "undeliverable" address.
Re: (Score:2)
Yeah, I keep getting some kind of phishing email saying it's from Southwest Airlines and that the TSA wants me to 'update' my info.
Yeah, I'll get right on that one.
Codename (Score:5, Funny)
I swear I would have never believe that the FBI had it in them to pick a name as cool sounding as "Operation Phish Phry".
Re: (Score:1)
Well, they did have two years to come up with the name.
Start charging (Score:3, Insightful)
Re: (Score:1, Insightful)
Your post advocates a
( ) technical ( ) legislative (x) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the mone
Re: (Score:1)
Re: (Score:1)
Very small amounts of the spam is sent though the ISP mail gateway. To get a mildly accurate number the ISP would need to deep packet inspect all traffic to the standard mail gateways ports. While this is possible there is very little immediate benefit to the ISP. As the infrastructure cost is immediate most ISPs only deploy a trial to benchmark the system before abandoning the project.
I am also fairly sure that most people only glance at their bills for the amount due.
Re: (Score:2)
So let's see what happens if your neighbor gets a bill in the mail indicating that they used 34 thousand quadriloons. There are only two possible responses:
1. Wow. That's nice.
2. Frantically calls ISP believing they only used 22 thousand.
End result? Nothing happens. We are talking about something that makes as much sense to your neighbor as "34 thousand quadriloons". The truth is that these people are incapable of "administering" their computer system and what we have are general-purposes computer syst
even just a fraction of a penny would work (Score:1)
then take all that cash, and invest it in third world communication infrastructure. that should shut the critics up
Re: (Score:1)
( ) technical (*) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(*) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collec
Re: (Score:2)
I still say require the sender's email domain to match credentials in DNS.. hard SPF rules basically... then combined with black/white-lists it could get better... if MS, Yahoo, Google, and a few of the larger ISPs would get together and require strong SPF records, rejecting mails without them it would get implemented fairly quickly. Of course none of them can make money off of everyone else using this concept so they'll never do it...
Wouldnt it be nice... (Score:2)
What actually happened (Score:2)
Contrary to popular opinion on Slashdot, I believe the Mueller story was a classic bait to raise interest and to be followed by this real story.
Think about it - mainstream media ignores tech stories or buries them somewhere no one reads them. Meanwhile, stories about people affected by a problem are always given prominence.
Let me put it this way:
1. Put out a sensationalistic story about how no one (not even the head of FBI) is safe from phishing - raise fear, uncertainty and doubt.
2. Get the real story out
Problem with this business model is... (Score:3, Interesting)
They let this go on, because they think the cost of ruining a few lives is ok, as long as in the end they make their bust and all is ok in coptown. Problem is , real time transactions are happening while they study the case, and letting 1.5 million slip through in order to follow the trace back to the top. Like a guy holding a camera while someone is being mugged by a lynch mob and doing nothing, should there not also be consequences especially when FEDS (of all people) let something like this happen,
when they have the power to stop it in its tracks....instead of letting it go on, and on, how long was this case going on for...?
Hard decisions, but sometimes the ends do not justify the means.
I had a ticket once for running through a stop sign, although it was covered almost 100% behind a tree, as I mentioned this to the cop, they told me to just say that in court as they knew many people would run through, instead of just telling the city to fix the problem....however I felt very frustrated, should there have been a kid playing nearby and I had not seen the sign, I would have maybe run him over by accident, then the cop would have been responsible for his life being lost, because instead of directing traffic (like when an intersection is burned out) they were using the hidden stop sign to generate revenue....very depressing!
Re: (Score:1)
Yeah, I got a ticket like that once, too. Wasn't in Glendora, CA, was it? :p
I'm in the vendor side of anti-phishing, and I've got to challenge the idea that the FBI had the power to stop those events in their tracks. Sure, they could have busted a small number of low-level criminals early in the investigation, but that wouldn't have stopped anything. The higher-level criminals would have continued as usual, made more wary by the bust of a few small fish. To fully investigate and to build a case that will w
Re: (Score:2)
"They let this go on, because they think the cost of ruining a few lives is ok, as long as in the end they make their bust and all is ok in coptown."
How are they *supposed* to stop it if they don't know everyone involved? Busting one punk out of a group of 100+ conspirators won't even put a dent in the fraud. The only *way* to stop the fraud is for them to take the time to trace out the whole network.
"when they have the power to stop it in its tracks."
That's a bold statement. How do they stop it in it's tra
Re: (Score:2)
Probably, but at least offer to help rebuild the damages caused by your lack of action.
I know a few people who got stung by identity theft and still have problems today because of it, and yet, you would think with the power that the FBI has, they could write up a sort of side note on that person's record that would help rectify any problems associated with this type of activity, on that person's account.
Of course not, that would mean they accept responsibility for their actions...which they never do, siting
4 sale: the ultimate credit card collection (Score:2)
The ultimate credit collection is now for sale. For 10 million dollars ($10,000,000.00), plus $500,000 copying and media fees, you can be the exclusive buyer of this collection. That's right. This is the ULTIMATE credit card number collection. There is no collection any larger. Only ONE copy will be sold to the lucky buyer. This is actually a lower cost than any other offer by any other credit card list provider. This is an amazing 10 million (10,000,000) card numbers per penny ... a total of ten qua
Old School Rap, Vol 5 (Score:2)
Are you down with the O.P.P.?
O is for Operation, P is for Phish don't you know, ...
The last P, well that's not so simple bro
Operation Phish Phry???!!! (Score:1)
It's like (Score:1)
Some kinds of phishing down a bit (Score:2)
This may be having an effect. I'm seeing a small decline in major domains being exploited by phishing scams. [sitetruth.com] That monitors phishing attacks which use major domains to give themselves convincing-looking URLs.
In the year and a half we've been monitoring this, the number of sites being exploited has dropped from 174 to today's value of 37. We nag sites that have problems to tighten up their security. It's working. Ebay used to have a security hole which allowed creating URLs under "ebay.com" that redir
Yeah but ... (Score:2)
Re: (Score:1, Offtopic)
Re: (Score:1)
I think they did that for themselves by attempting to play music.