Anti-Phishing Tools

mikeage writes "PCWorld has an article about an anti-phishing tool available that tries to detect fake websites." This is about Web Caller-ID already in use by eBay's custom user toolbar. The article also talks a bit about the incredible increase in phishing scams.

Huh

[Lord Grey]

Unless I missed something, neither the article nor the summary provides a link to the product. Here is what I found: Web Caller-ID [wholesecurity.com]. That link contains this paragraph:

Web Caller-ID's detection engine includes hundreds of routines that examine the elements of a web site, ranging from the site's content and links to its page history, and then determine if they are indicative of a spoof. For example, the URL of a particular site might be analyzed for phishing characteristics, such as the inclusion of an IP address at the beginning of the URL, or the source code might be analyzed for calls to a different web site. In production environments, Web Caller-ID consistently detects more than 98% of previously unknown spoof sites using behavioral technology.

This product sounds interesting at first blush, but don't most phishing scams begin with an email? Web sites that support phishing aren't going to have as many of these charactistics as the email that lured the victims there to begin with. I have to wonder just how well this really works, despite the, "consistently detects more than 98% of previously unknown spoof sites" quote.

Email Phishing

[TheOtherAgentM]

From what you and I probably see, yes. Phishing begins with an email, because we probably don't browse shady sites regularly. I don't know what the average user sees in their regular browsing. I can't even figure out where people get all the spyware from in the first place. As far as phishing emails, I know I get one email regularly that looks like a CitiBank email, but it is a .jpg file embedded. The URL has citi in it, but if you look closer, it's obviously not the right sight. I'd report it, but Citi Bank's online reporting sucks.

Re:Email Phishing

[Theatetus]

I got it too, though thunderbird marked it as spam and my anti-phishing tool in firefox told me "you are at 31337.h4x0rz.cn" or wherever. I'm not sure what good it would do to report it to citi since there's nothing they can do about it except maybe send out emails to everyone in the world telling them not to believe emails claiming to be from them.

Re:Email Phishing

[james_marsh]

I'm not sure what good it would do to report it to citi since there's nothing they can do about it except maybe send out emails to everyone in the world telling them not to believe emails claiming to be from them.
There's just a slight flaw in that logic...

Re:Email Phishing

[Anonymous Coward]

> There's just a slight flaw in that logic...

No there isn't.

You receive an email supposedly from Citibank, telling you not to trust emails from Citibank.

If it's a fake email, it means you can't trust emails claiming to be from Citibank anymore, because someone's faking them.

If it's legit, it's telling you not to trust emails from Citibank, so you'd better not.

So, for this particular message, it doesn't matter whether it's fake or for real - you still know not to trust any more emails.

So how do the

Re:Email Phishing

[realdpk]

Actually, as someone who's working at a web host, I can tell you Citibank does take this sort of thing seriously, and they are interested to know where the sites are being hosted.

Who knows what they do with that information. Maybe nothing. Still, it's worth reporting, if only to show that the community is against these frauds.

Re:Email Phishing

[Andrewkov]

I reported one of these scams to Citibank through their website (I'm not even a customer, just a nice guy). They didn't even ackknowledge my report, let alone fix it.

Re:Email Phishing

[pnutjam]

I saw a similar one, if you look closely they are using frames. The one I had was a 3 frame page, top and bottom frames were the actual website, so it showed that in the address bar, only the middle frame was haxor.ru or some such crap.

Re:Email Phishing

[aussersterne]

Citibank can't do anything about it anyway; they're not law enforcement, and even if they were, what exactly do you see law enforcement doing about SPAM or phish emails? Nada.

I used to work at eBay and the phishing problem was terrible (though I didn't deal with it directly, that wasn't my department). When users would find out, they'd demand to know why eBay didn't do something about it. The people who worked on that floor would stand around in the smoking shed and bitch, "What do they want us to do, buy some guns and go to Romania and raid the guy's house wearing little eBay uniforms?"

Re:Email Phishing

[the unbeliever]

It would be fucking awesome if they did, in a very frightening way.

It leads me to think of the dystopia that is Shadowrun's game world, where corporations have their own standing armies.

Re:Email Phishing

[Ra5pu7in]

They can't do much about it upfront. However, as soon as it involves withdrawals from customer's accounts it moves over into fraud ... which they can do something about (via usual legal means). Neither Citibank, nor any of the others (I've seen BofA, Wells Fargo, and others) are going to acknowledge all the emails they get reporting these scams. Instead, the data is accumulated and those that report they lost money this way will be prioritized because these can be used for prosecution.

Personally, I'm waiting for the point where we can have a Darwin's Award for the idiots who answer those emails ... y'know the point when one of them loses every last dime in a scam and commits suicide, dies from a badly produced batch of V@l1um or V1agr@, or tries to gain or lose inches and has an accident with the means thereto. When this garbage produces 0 results, no matter how many millions are sent out, it will self-destruct.

Re:Email Phishing

[Volmarias]

You know? That would be absolutely delightful. Hell, I'm sure there would be legions of geeks willing to ensure that the information entered into their systems wasn't "Murder", but "Tickling with fluffy bunnies" instead.

I've always wondered just what law enforcement would do if someone started to serially hunt spammers, and I keep coming to the conclusion that all you need to keep the trail cold is leave a note saying "This man sent your daughter emails about zoo porn"

Re:Email Phishing

[Anonymous Coward]

"What do they want us to do, buy some guns and go to Romania and raid the guy's house wearing little eBay uniforms?"

How about persuading the government to put pressure on the foreign country's government until they sort the problem out? If the MPAA can get "DVD Jon" arrested all the way over in Norway, surely eBay can get some spammers arrested?

Re:Email Phishing

[glesga_kiss]

"What do they want us to do, buy some guns and go to Romania and raid the guy's house wearing little eBay uniforms?"

That's not all that far from the real world. Goverment is corporations; corporations is government.

At Least inform the public about this

[charliekowalchuk]

I've bought some large items on ebay, but the best place to find scammers is when your buying expensive laptops. I've seen a lot of phishing for ebay. I saw a recent report, in which perdicted that for every legit technology buisness, there are two scam ones.

The most important thing, Citibank and Ebay and the others is to inform their current and future customers about problems such as this. The worst thing they can do is not talk about it, pretend the problem will go away, or it is an isolated innceden

Re:Email Phishing

[jlechem]

I too used to work for eBay and in that very department and know this smoke shack you speak of. The phishing problem there was terrible but they were getting better. And not only was there phishing but a big problem was assholes that would embed torjan viruses in their auction listings that would install keystroke loggers, etc on peoples machines. But that is another post and whole other thread.

I know how the toolbar program worked. It worked on scanning the HTML source and based on various factors wo

Re:Email Phishing

[Traa]

I got several of those. The first one was an eye opener to the world of phishing for me. I did actually report it to Citi Bank through their online reporting mechanism. I'm hoping they are working with law enforcement to go after the purpetrators....ok, just kidding. At least I'm hoping that if enough people complain they might just have to come up with something that helps their real customers. I dunno, send out an 'awareness email', I know that my parents don't have a clue when it comes to phishing, they

Re:Huh

[lukewarmfusion]

I thought this at first as well... but considering that those phishing emails usually end up sending you to a website, I think it might help.

I'm skeptical about the 98% thing as well.

Re:Huh

[beh]

There is, of course, another issue as well - if you eliminate 98% of the phish scams - that'll probably also mean that people will start paying less attention to the problem at hand and might hence become less careful about those phish scams that DO make it into their inbox.

This might be in a way comparable to the rates of HIV/AIDS spread during the late 80s/early 90s when there was LOTS of media attention to the issue, and people would actually think about what they were doing. Now, a couple of years after the height of media attention to it, the problems are rising again (simply because people no longer think about the issue).

In the same way, I would guess people might fall more easily for phish scams, once the become more rare again.

Re:Huh

[Glog]

Which moon do you live on? Think about spam for a second - it's been around for years and it almost doubles every year. It's become like the most-reviled thing on the internet. And there are STILL people who buy things through spammed ads.

I don't believe the general populace will get the danger of phishing even if you aired 2 minute warnings every hour on the hour for a month during prime time TV.

There's always going to be some sucker who falls for a phishing scam. They've become too sophisticated for the

Re:Huh

[Mysticalfruit]

Actually there have been a large number of cases where an ISP's DNS server has been poisoned so users type in the legimate www.somehugebank.com and it brings them to a proxy mirror image of the site where you gleefully login in and they scarf your information.

Educate

[Klar]

However, better user education and stronger security from online retailers, banks, and financial institutions is also needed to protect technically unsophisticated consumers from complex online cons like phishing attacks, Schmidt says.

I have to say that I agree. These tools are great for newbie computer users. But I really think educating people on how to read a URL and not have to rely on a tool like this. If they don't understand the URL, using a 'caller id' program may not always be affective at preventing scams.

Also, I would like to see a program that would pre-scan a URL and if it appears to be a fake Paypal or Visa site to put the actual domain, and display a warning to alert newbie users.

Re:Educate

[Klar]

Ignore my last paragraph, and read Lord Grey's post above :$

Re:Educate

[Anonymous Coward]

I've seen some intense scam sites where a graphic covers the address bar, and it looks like you are really at citibank. I was actually taken back for a few seconds. I KNEW I was on a phishing site, but the URL was clearly citibank's (I have accounts there). Played with the address bar, and noticed... hmmm.

This would fool 98% of semi-experienced users.

Re:Educate

[Mouse42]

98%, eh? heh.

One other problem companies have is changing their website's appearance. For example, CapitalOne recently changed their homepage and I was actually too nervous to log in for a few days.

Also, a poor quality website can make people suspicious. A friend of mine asked me to inspect his cable company's website to see if it were real or not because it was so poorly designed. I told him since it was so poorly designed to not trust it's security, either, and not bother doing the online bill pay.

Re:Educate

[donnyspi]

This Citibank one's even more sophisticated than having an image cover the address bar: http://www.antiphishing.org/phishing_archive/07-05 -04_Citibank_(Citisafe_by_Citibank).html

Re:Educate

[psin psycle]

Education will only help so long. What happens when someone writes a worm/virus that replaces the /etc/hosts file with one hacked up to send people to phishing sites instead of banking sites? Not only could the phishing websites capture account data, they could also forward the user on to the correct site so they don't even notice a problem. Who's going to check their /etc/hosts file to make sure this isn't happening!

Glasses

[jobeus]

Glasses would be a good anti-phishing tool... Seems almost 95% of the sites I come across just replace a . with a - somewhere. If people could see it more clearly......... :D

Re:Glasses

[Rosco P. Coltrane]

Glasses would be a good anti-phishing tool... Seems almost 95% of the sites I come across just replace a . with a - somewhere

A normal-sized brain behind the glasses would work very well too. I mean, for example, the Microsoft-looking emails that require you to give a password, or a CC number or something: who the hell with a normal intelligence would fall for that one?

Most scams look exactly like that: scams. They're so easy to spot with a vaguely critical eye that it's not funny. The problem is, who will educate a public that doesn't understand much about computers in the first place?

Re:Glasses

[wan-fu]

While I agree that helping people understand computers is partly the issue here, there's an even bigger issue and that's educating the public in general to be more aware of scams. Remember, though the internet is a haven for scammers, there are plenty of them out there sending direct mailings or using infomercials. People still fall for those and not just the tricks on the net.

I think a big part of it is people are simply more lazy these days. As a result, they are more willing to believe in a get-rich quick scheme or an identification check for a bank or sweepstakes or whatever (especially the old who are more trusting). But who knows, maybe it's not that, it could very well be that people are just stupid and gullible by nature (which many /.'ers seem to think given the number of times I've seen references to "sheeple" and the like).

Already sluggish...

[La_Boca]

Does That Web Site Look Phishy?

WholeSecurity's new software claims to identify fraudulent sites.

Paul Roberts, IDG News Service
Monday, August 16, 2004

A new software tool from WholeSecurity can spot fraudulent Web sites used in online cons known as "phishing" scams, according to a statement from the company.

Advertisement

The new product, called Web Caller-ID, can detect Web pages dressed up to look like legitimate e-commerce sites. WholeSecurity is marketing the technology to banks, credit card companies, and online retailers as a way to prevent unwitting customers from accessing false sites, to reduce fraud, and increase confidence in online commerce, the company says.

Phishing scams are online crimes that use unsolicited commercial, or "spam," e-mail to direct Internet users to Web sites controlled by thieves, but are designed to look like legitimate e-commerce sites. Users are asked to provide sensitive information such as a password, Social Security number, bank account, or credit card number, often under the guise of updating account information.

Already in Use

A version of Web Caller-ID is already being used by EBay in a feature called Account Guard, part of an EBay Web browser toolbar that users of the online auction site can download for free. The feature detects suspicious behavior, such as Web URLs that disguise the true Internet address of the site the user is visiting.

Companies can license a Web browser plug-in from WholeSecurity, which can then be distributed to customers directly or as part of a Web browser toolbar. Alternatively, companies can sign up for an e-mail processing service from WholeSecurity that harvests information on phishing scams from spam e-mail or customer complaint e-mail sent to the company, WholeSecurity says.

A Web browser-based management console lets administrators view suspected phisher sites, file complaints against spoof Web sites, or fine-tune the Web Caller-ID technology to adapt to their company's Web site.

On the Rise

Reports of phishing attacks have skyrocketed in recent months, according to the Anti-Phishing Working Group (APWG), a joint industry-law enforcement group.

There were 1422 new, unique attacks reported to the APWG in June, a 19 percent increase over the previous month. Since the beginning of 2004, reports of the attacks have grown by 52 percent a month on average, the group says.

A survey of 5000 adult Internet users by research firm Gartner released in April found that the number of phishing attacks spiked in the last year and that around 3 percent of those surveyed reported giving up personal financial or personal information after being drawn into a phishing scam. The results suggest that as many as 30 million adults have experienced a phishing attack and that 1.78 million adults could have fallen victim to the scams, Gartner says.

Taking the First Step

Web Caller-ID is not a cure-all for the phishing problem, but is a good first step to provide comprehensive protection from the scams, says Howard Schmidt, former White House cybersecurity advisor and the current chief information security officer at EBay.

"These are some of the things we need to do moving forward--getting technology built into the Web browsers themselves to do these things," he says.

However, better user education and stronger security from online retailers, banks, and financial institutions is also needed to protect technically unsophisticated consumers from complex online cons like phishing attacks, Schmidt says.

"You can't put somebody in a car and tell them to drive, but not tell them what the brake and gas pedal are for," he says.

Re:Already sluggish...

[JohnGrahamCumming]

Look if you are going to post the text of an article here, at least include the relevant URLs. The ad has been replaced by

Advertisement

Now how I'm I supposed to click through to the exciting, not to be missed, opportunity that the advertiser paid for!

John.

Re:Already sluggish...

[LiquidCoooled]

Sorry!

Here you go, just go here http://www.advertysement.com/ [advertysement.com] and enter your credit card details, we will gladly show you the missing content. ;)

Technological solution to a social problem

[wheany]

I thought the general consensus was that technological solutions to a social problems don't work.

Re:Technological solution to a social problem

[MindStalker]

Hu? No, the general consensus was you can't legislate these problems away, ie spam, phishing etc.
User education is the most important, but technical solutions have to be used. Thats like saying you shouldn't bother with having a virus scanner, because people should all be taught to avoid viruses.

Re:Technological solution to a social problem

[Yewbert]

My anti-Phishing tool-kit:

Deodorant

A razor

A comb

Air-freshener

A sign that says, "No camping allowed."

Oh, wait - that's my anti-Phish-FAN tool-kit.

(Before ya get your mellow all harshed, I AM a Phish fan, to a degree. ;-) )

Anti-phishing toolbar for FireFox

[NewbieV]

Spoofstick [corestreet.com] is a plugin for FireFox or Internet Explorer that can help identify 'phishy' sites while surfing.

It does take a little more real estate out of the browser's window, but it's a pretty useful tool when teaching people about the dangers of clicking links blindly.

Re:Anti-phishing toolbar for FireFox

[TheOtherAgentM]

The problem arises with this when a website has multiple domains to cover their content. That can confuse users. Multiple domains shouldn't be used just to serve media from another server, but I've seen it done. Also, what happens when you are drawing content from other domains? Will Spoofstick list all the domains?

Re:Anti-phishing toolbar for FireFox

[Wizzo1138]

Sites like apple use other domains for their images. It looks like apple has recently changed a bit though. Instead of all images coming from akamai directly, they come from images.apple.com.

But...

ping images.apple.com
PING a932.g.akamai.net (38.115.177.150) 56(84) bytes of data.
64 bytes from 38.115.177.150: icmp_seq=1 ttl=57 time=30.6 ms

Re:Anti-phishing toolbar for FireFox

[PitaBred]

Still, you're relying on the DNS of apple.com being correct. The root domain.
The problem comes when apple.com loads images from images-apple.com or something that's a separate domain, rather than simply a sub-domain.

You mean...

[Black Parrot]

...I wasn't supposed to give s1ashdot my credit card number to read this story?

Wrong Solution

[Anonymous Coward]

The proper solution to phishing scams is
1) Educate everyone not to give out confidential information to anyone.
2) Track the phishing sites and publically hang the owner. These things are not difficult to track by the very nature of the scam.

Re:Wrong Solution

[MindStalker]

In the US or UK maybe, but many of these sites are located in parts of the world where you can get anonymous internet access.

Re:Wrong Solution

[Wizzo1138]

Can you get a anonymous access with enough bandwidth to run a server? Or maybe they don't expect to have enough hits at any one time to actually care.

Re:Wrong Solution

[foidulus]

Well, if they are expert phishers, then they probably have a few spare identities they can use to set up the server. And even if they aren't annonymous, you stll have the problem of the host country actually being able to/wanting to prosecute them. that isn't always a given....

Re:Wrong Solution

[gcaseye6677]

Also important: educate companies who do business on the web to never send out legitimate requests for account updates via email. Most large companies would not do this, but some of the smaller players do not think about how this could cause major confusion and problems for users.

Re:Wrong Solution

[PsiPsiStar]

Or

b. Send out a massive phishing e-mail and scold anyone who falls for it.

Re:Wrong Solution (need PK crypto)

[j1m+5n0w]

The proper solution to phishing scams is 1) Educate everyone not to give out confidential information to anyone. 2) Track the phishing sites and publically hang the owner. These things are not difficult to track by the very nature of the scam.

Don't forget

3) Use public key cryptography to verify the authenticity of sites you do business with.

-jim

My rule is usually fairly simple

[tekiegreg]

Just don't click on any links via email to anything unless you solicited it (such as an email verification to a mailing list you're subscribing to). When I'm in doubt, all I do is type in the URL to the bank/brokerage/etc. web site myself (fire up browser and type in homepage URL), log in and find out if there is anything going on. Most such websites have a way to look at everything and take any needed action right away after you type in a user/pass.

*sigh* and on that note there is a sucker born every minute I suppose.

Re:My rule is usually fairly simple

[Awptimus Prime]

No kidding, Email should go back to being a text only messaging system. Strip out all the html, urls, and binary attachments and watch the world become a better place.

Then again, I work in the security sector so all these flaws bring home the bacon. It is still frustrating to watch such broken systems dominate the world.

phishing automated reply

[djtech]

What we need is a way to automatically reply to these phishing scams with bogus information. I'd like to be able to order everything sent in a spam message too with bogus information. Beat them at their own game!

Re:

[account_deleted]

Comment removed based on user account deletion

Re:phishing automated reply

[bmwm3nut]

i would like to have a central list that we can send the links to phishing websites. then someone smarter than me could write a script that just goes through the sites and enters bogus info (that looks real). if we reduce their signal to noise, it'll become much less profitable for them.

Re:phishing automated reply

[The Ultimate Fartkno]

It's for mortgage spammers and not phishers, but I'm a fan of the Unsolicited Commando [astrobastards.net] project. It's a little Java app that spends its day filling out mortgage applications on spamvertised sites with completely believable - but totally bogus - personal data. The source is available so perhaps a clever person could randomly generate credit card numbers and adapt the program to attack phish sites.

Will this reach the intended users?

[broothal]

People who are likely to fall for the usual phishing techniques are, unfortunately, not likely to install any tools to prevent phising. Odds are, that they never knew it existed before they fell for it.

fake anti-phish

[DumbSwede]

Worse yet, Malware makers will switch to disguising their downloads as anti-phish tools.

Novice users hear about phishing, will think any old anti-phish tool will do.

phishers of men

[celeritas_2]

I've tried to actually reply to some of the money-caught-in-forign-bank phish attempts and the only thing i get back is more and more phishing. I've failed to reach the point where they ask for your SSN credit card or my first born child. Either they're stupid and don't want my information, or they're smart and realize i know what they're up to.

Re:phishers of men

[berkowow]

It is a major misconception that the Nigerian e-mail scammers are after your bank account information. What they are actually running is an "advance-fee fraud." After you give them your account info and all the rest of that stuff, they will tell you that they were just about the send you the money, but that the bank needs you to pay a $500 fee to get the money out of escrow. If you wire them the $500 over Western Union, they'll come up with something else which needs to be done, e.g. a sick relative, a b

Re:phishers of men

[Sarastrobert]

It might be worth mentioning (not that I think you are serious or anything) that people have gone down to Nigeria to get their money back, and have been murdered by the scammers.

I wouldn't go there even with 10 bouncer friends, but then again, I wouldn't fall for a Nigeria letter either.

I have a fairly good anti-phishing tool

[JosKarith]

It's called a healthy dose of cynicism.
If somebody I have financial dealings with contacts me out of the blue to check my password/account number/mother's maiden name etc. I contact them back - not using the linkback on that e-mail but using the contact details from the documentation I got when I signed up. And I ask them if it's a scam or not.
And I don't reply until the bank/whatever has got back to me.

Here's my Anti-Phishing tool

[Chanc_Gorkon]

My Anti Phishing tool is my brain. I mean sometimes these phishing e-mails are nto even spoof so that they appear to come from the company that they are spoofing. Sometimes the website has graphics for the company they are trying to appear as and the URL is in CHINA! First off, No company shuld EVER ask you to click on a link and enter personal information for things. No mortgage company I know of will actually advertise in a spam and if they do, then your alert flag should go up. If you just use common sense, you should be more then able to determine if a web page or e-mail is a phishing attempt. Unfortunately, your grandma or your mom may not. I think that companies liek AOL need to add more training wheels to their service so to speak and help them with determining if something is legit or not. Would I ever load such software? No I would not because I don't need it....but my mom might.

Hmmm

[Anonymous Coward]

My Anti Phishing tool is my brain. I mean sometimes these phishing e-mails are nto even spoof so that they appear to come from the company that they are spoofing. Sometimes the website has graphics for the company they are trying to appear as and the URL is in CHINA! First off, No company shuld EVER ask you to click on a link and enter personal information for things. No mortgage company I know of will actually advertise in a spam and if they do, then your alert flag should go up. If you just use common se

AntiPhishiing.org

[hot_Karls_bad_cavern]

Here is more information [antiphishing.org], the SANS Internet Storm Center has seen much activity (and growing) of this shit.



--------

so the cure to prevent phishing

[Anonymous Coward]

is to install a spyware toolbar ?

i have enough trouble persuading users NOT to install crappy toolbars and plugins as it is without people reccomending that they do,
MS ActiveX and to a lesser extent Mozilla's XPInstall xpi features coupled with uninformed users are the main reason spyware/malware exists and is so easy to exploit, can you explain the difference to a (l)user between a good plugin/toolbar and a bad one ?

security should be built into the browser

Phishing is a big problem for hosting companies

[gtrubetskoy]

Phishers need a place to host their fake sites, and hosting companies like ours are prime targets for phishers to set up their "collection points", and we see a lot of those.

My theory is that unlike the script-kiddies of the old days, 99% of all phishing is work of organized crime. I believe that they recruit users at ISP's in places where internet (or any for that matter) law is not enforced (like Kosovo), they provide people simple step-by-step instructions on what to do, give them lists of fake card numbers and pay them based on the number of accounts hacked (e.g. $1 for every 50 good passwords). The actual cleaning out of the accounts probably happens elsewhere and at a much higher level because you need a much more elaborate system for it (off-shore bank accounts, etc). At least if I was doing it, this is how I would set it up. The users appear to be not very smart - we often see weird typos, names spelled in all caps and other dead giveaways - why would ANNE FISHER from Ohio signup for a year of virtual hosting and register a domain XABCDFERNG.COM for 10 years?

We see that they are getting more elaborate in their attempts to sign up for an account. They try to use proxies or zombies now (because most same companies will flat out refuse any attempts to sign up from Indonesia, Romania, etc.).

A funny side note - we got a copy of a credit card statement from one of the unfortunate cardmembers whose card's been stolen as part of the "chargeback" report, and among various hosting accounts they signed up for, there was an $20 contribution to moveon.org - go figure!

Right now the best way to fight off phishers is to attempt to speak to the customer in person, it has worked 100% for us so far. But since this phishing thing is probably big money for some mafia boss, I think the motivation is there for them to get more technologically advanced, and I wouldn't be surprised if we start seeing fake VoIP phone numbers provided where the criminals would answer the phone in English and pretend to be cardmembers.

Another very unfortunate side-ffect of this is that it's the merchants who east the cost of it. For every instance of fraud, we get the funds withheld and transferred back to the cardmember (don't be fooled by those reports of "poor" cc companies bearing the cost of fraud!) AND we get slapped with an $25-$50 penalty by the CC processing company AND our rates go up. So it's almost in their interest that cards get stolen, it simply means more revenue for them. Now our services are "virtual", but for those who actually ship something physical (like a shirt), they get to eat the cost of that as well.

Re:Phishing is a big problem for hosting companies

[Kenja]

"My theory is that unlike the script-kiddies of the old days, 99% of all phishing is work of organized crime."

This is very true, not only of Phishing but also of eBay scams and the like. Most of the "Work At Home for $$$$" style of adds are buying and selling items for the Russian mafia.

Re:Phishing is a big problem for hosting companies

[swb]

I've always found the credit card companies and banks ability to shift the financial responsibility onto merchants and users for their insecure system to be one of the greatest ripoffs in history. Merchants in particular take it up the dirt road -- chargebacks, penalties AND rate increases! And zero incentive for the people who created and control the system to do anything about it.

I hate to say "they should pass a law", but they SHOULD pass a law that pushes the cost of CC fraud back onto banks and the

Re:Phishing is a big problem for hosting companies

[JoeBuck]

Every phishing scam I've seen get through my spam filters gave itself away, because the e-mails are all written by people who are either not fluent in English or who are too illiterate to get a job as a junior secretary in any English-speaking country.

The biggest threat would be if any of these guys ever hires a native English speaker who can write, and thinks a bit about what a real e-mail from a big corporation might look like.

Backwards

[RU_Areo]

You can't put somebody in a car and tell them to drive, but not tell them what the brake and gas pedal are for

I think this statement is completely backwards. You can give someone the tools; ie. tell them what the gas and brake are for, but under no circumstances can you make them use them (properly) or understand the full consequences of not using them this is especially true for users who are not technically inclined.

Kaput?

[BigBadBus]

Is this the "eBay custom user toolbar" thats been broken by XP SP2?

List of IPs used by phishers

[Anonymous Coward]

Phish Net [spamfo.co.uk]

Some folks here may find it usefull.

I just looked at the list

[G27 Radio]

There are not many unique addresses in the list; most are repeated many times throughout the it. And there are a couple that just aren't valid IP addresses at all. Not much of a list yet, but good luck with it anyway.

Cool phishing detection quiz

[frozenray]

This [mailfrontier.com] nifty quiz can help you assess your phishing detection abilities. Recommended.

Re:Cool phishing detection quiz

[lpangelrob2]

I did pretty good on that quiz, but the only one I got wrong was #4 (the U.S. Bank one). Interestingly enough, I don't really know why, unless it's because U.S. bank doesn't exist. The URL looks valid (it's of the form https://*.usbank.com/*), and the format of the quiz means you can't see where that URL is actually pointing to.

Is there something I can be doing better?

Re:Cool phishing detection quiz

[switcha]

look again at the URL. www4?

I got suckered by the earthlink one. The address looked valid, although, if I got this, I would never use the link.

My rule is to navigate to my providers website myself, log on, and see if there was anything that needed updating.

Re:Cool phishing detection quiz

[Anonymous Coward]

100% .. was not that hard. Of course I stop phishing for a living. I only got the hotmail one because it was professionally written and mentioned only losing messages and addresses, something I know to be a fact of life about account expiration on hotmail and yahoo mail both. That it didn't say "your account will be suspended" or some other stern warning made it look less like a phish. All the others were just dead giveaways.

No one who wants your business is going to waggle their finger and scold you a

Re:

[account_deleted]

Comment removed based on user account deletion

should be a firefox plugin

[jdkane]

Someone should create a phishing-detection extension for Mozilla. Does anybody have any ideas about how that would work efficiently/effectively? Same as EBay technology?

Re:should be a firefox plugin

[jdkane]

I should have added "free" extension, not restricted by licensing and/or money in general.

Re:should be a firefox plugin

[Cheerio Boy]

The Firefox plugin you're looking for is Spoofstick. [corestreet.com]

A little simple but it tells you exactly what site you're on.

They also have one for IE.

Firefox/IE

[mrseigen]

I've noticed that neither Firefox nor new versions of IE let you do the www.cnn.com@http://myattackersite.com phishing vulnerability; Firefox warns you (as long as myattackersite.com doesn't request authentication), IE just doesn't let you do it as far as I've seen (but this is hearsay; I haven't used IE in years).

Re:Firefox/IE

[julesh]

Just tested on IE 6.0 on Windows 2000. It allows you to click on such a link without any warnings, but the '...@' section disappears from the URL when it is displayed in the address bar, which ought to give you at least some feedback.

SPF for Websites

[jeffy210]

What about using something similar to the Sender Policy Framework (SPF) [pobox.com] for web sites. Create a list of known good websites for your company, and if the browser attempts to access something say eBay related, it will look at eBay's SPF list and see wether it's an authorized server or not.

needs to happen

[Chuck Bucket]

this needs to happen, but it's like a spam Blacklist, it's pretty much out of date once it's created! better would be to have ISPs build a lists and flag certain sites as possible phishing grounds, but there again, how up to date would they be?

Bottom line is, all of our parents/kids/friends need to know; don't give info out online unless YOU initiated the contact.

CB#__8&*(#@

A better start

[portwojc]

Web Caller-ID is not a cure-all for the phishing problem

How about actually going after the people doing the scams as a solution. Also the providers who don't shut them down.

I must have missed that part in the article. This is going to be just like the spam problem. It's a problem that the end user needs to deal with and not something to be corrected at the source. Well not until at least it gets to epidemic proportions.

Anti-Phishing Tool

[sulli]

Mud and police roadblocks? [boston.com]

Had a bit of a scare, recently

[TomorrowPlusX]

I got an email from Earthlink that looks SO MUCH like a textbook Phishing scam ( your credit card number's going to expire... ) that I deleted it the first couple times it came my way.

It kept on coming, however, and I decided to go to earthlink myself ( e.g., not clicking the link ) and see what the deal was.

Turned out, it was legit. Amazing.

The trouble here, really, is how do we handle legitimate email from banks, ISPs, etc?

What banks *should* do!

[callipygian-showsyst]

What banks (and eBay) should do is NEVER, EVER send an email to customers. Period.

And on their websites they should say on top: "REMEMBER: WE *NEVER* SEND YOU EMAIL ABOUT ANYTHING."

If you want to know something, you just visit eBay or your bank account.

Re:What banks *should* do!

[TrumpetPower!]

What banks (and eBay) should do is NEVER, EVER send an email to customers.

What a shame that it's come to this. Once upon a time, we were all clamoring for all correspondence to be moved to email--and for good reason, too.

sigh

b&

Simple idea.

[JessLeah]

When you get an email, at the top, 'caller ID' shows up (e.g. "This email was sent from: SOMEWHERE IN CHINA", vs. "This email was sent from: CITIBANK'S servers")

When you mouseover a link, a LARGE JavaScript thingy pops up saying "This link is to: SOMEWHERE IN NIGERIA" or "This link is to: CITIBANK'S site"

Here's a good way...

[veritron]

Phishing scams have no way to determine whether the password you enter is correct or incorrect.

If you enter in an incorrect password/username combo and the site redirects you to the real site's password and login prompt or does something other than telling you your username/password combo is incorrect, then you're definitely dealing with a phishing scam.

Of course, you can be clever and have the scam always return "wrong username/password." If the scam's set up to do that, the only way to tell that it's a scam is to enter... your correct password and username. Clever, eh?

So if your password "doesn't work" for an indefinite period, and then suddenly starts working again when you actually go to the site that requires your name/password via google, do yourself a favor and change your damn password.

Re:Here's a good way...

[dozer]

Phishing scams have no way to determine whether the password you enter is correct or incorrect.

You're wrong. The phisher's site can immediately attempt logging into the legit site with the stolen credentials, then return an appropriate response to your browser. To you, at worst, it would look like typical net lag. This is so trivial to do that some phishers must already be doing this.

In fact, they could just proxy your connection to the original site. This way, you would actually be using the legimat

How is this better than SSL?

[BilSabab]

Let's make a couple of risky assumptions

1) That as an educated user I only submit sensitive information over an SSL encrypted connection using an SSL certificate signed by a third party.

2) That I check that the certificate corresponds to the site I'm visiting.

This should prevent me from submitting any information to a phishing scam provided that I'm using a browser which correctly implements the SSL/TLS exchange.

So why would a hosting company or a user bother with Web caller ID? A properly configured browser and SSL should prevent phishing attacks. Correct?

--- Friends don't let friends sig

Re:How is this better than SSL?

[athakur999]

Would a certificate authority refuse to issue a certificate to a website called "services-paypal.com"? If not, then just checking for an SSL icon wouldn't do much. If people are fooled by "services-paypal.com" in the address bar, they'll probably be fooled by it again in the SSL information dialog box.

Unfortunatly...

[Phil John]

...a large proportion of people using the internet don't even know what SSL means (or is), let alone what to check for. They just look for a padlock and think they're safe (many don't even do this).

Users normally glaze over when they hear about certificate signing and how to check site authenticity and it's not like it's particularly hard (or expensive) to get an SSL cert these days, the last one I purchased only performed the bare minimum of checks (that I had an invoice for the server I was using to "p

Re:How is this better than SSL?

[julesh]

SSL doesn't help against lookalike domain names. Of course, anyone with eyes and abrain ought to be able to spot that, but most people need something a little more blatant.

phishing

[ajs318]

Most of the scam e-mails don't render properly in KMail -- which is what I mostly use -- anyway. But if they did, I'd probably go ahead and fill in a whole bunch of bogus details anyway. Can't be too hard to write a script that does a HTTP GET on the site URL, then submits random data. Preferably plausible data ..... maybe we could borrow the spammers' trick of picking words that seem to go together? And, of course, credit card numbers that pass The Test ..... not difficult, you just generate a 15 digit random string, and calculate the check digit.

IMHO the only thing missing from KMail is the ability to turn on and off off HTML rendering and image loading on a folder-by-folder basis (so I can view known "ham" e-mail in the format it was sent; but my brain already renders HTML so well that <em>this looks a bit slanty</em>).

First step

[bigberk]

The first step is obviously to check the headers of an email you receive. Just see who sent you the damn thing (from Received headers). Was it actually an IP belonging to .paypal.com? This is easy to check using 'whois'. If the whois lookup shows the IP delivering you the email is from the company you expect (VISA, Paypal, Ebay) then it's fine.

OK, how about an example. Take this US Bank phishing scam, here are the Received headers:

Received: by mail.pc9.org (Postfix, from userid 82)
id 2E7E6AC1B; Tue, 17 Aug 2004 07:13:50 -0700 (PDT)
Received: from usbank.com (unknown [211.209.208.87])
by mail.pc9.org (Postfix) with SMTP id BCF24AC03
for <bigberk@users.pc9.org>; Tue, 17 Aug 2004 07:13:47 -0700 (PDT)
Received: from 0.212.252.18 by 211.209.208.87; Tue, 17 Aug 2004 09:08:18 -0600

The first Received hop is my ISP. The second Received hop is the only important one; it describes the connecting host. Note that the host here pretended to be usbank.com but that name is a sender-supplied ID; it's worthless. What you're looking for is the IP address between square brackets, which can not be forged. Now just check 211.209.208.87 using whois

$ whois 211.209.208.87
...
[ Organization Information ]
Organization ID : ORG3930
Org Name : Hanaro Telecom Inc.
State : SEOUL
Address : Shindongah Bldg., 43 Taepyeongno2-Ga Jung-Gu
Zip Code : 100-733
...

See, easy. This email came from Korea, not US Bank. It's a scam!

Re:Nice try, indeed.

[teamhasnoi]

% perl -e 'print teamhasnoi.hasSenseOfHumor()'
0
%

Stop trying to infect me with your spyware! I'm wise to your tricks!

Re:Another poor metaphor....

[thebatlab]

Metaphors and analogies don't always have to have a one-to-one relationship. He was simply saying to get people out of the get-on-the-net-and-go mindset and make them more aware of when to slow down and think. Geez. Someone had some Kellog's Frosted Bitchy Flakes for breakfast.