Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

How Phishers Think, Act, and Make a Profit

timothy posted more than 6 years ago | from the good-laugh-at-your-expense dept.

Security 133

whitehartstag writes with a write up of "the excellent session at Black Hat that detailed 'how phishers create sites, share info and code, and basically are lazy.' They store their stolen data 'on websites that they have hacked into, or on [publically available] sites like guestbooks. And even worse, they are not protecting their stolen data ... which means that all one needs to do to find this info is to reverse engineer a real phisher's website, look at their PHP script, and find out where they are storing the data.'"

Sorry! There are no comments related to the filter you selected.

first post (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#24519793)

Reporter: I'm here with Tucker Max, author of "I Hope They Serve Beer in Hell." The book is a New York Times best-seller and soon to be made into a movie. Tucker and his co-writer Nils Parker are lounging out in their Hollywood apartment, and have been nice enough to grant us an interview. So what is it like to be Tucker Max?

Tucker: I don't have enough dicks for all the pussy that is being thrown at me.

Reporter: Oh...kay. Let's go back a bit to how this all got started.

Tucker: I made a fucking website as a fucking dare to my friendsses. I put up a date applications, and then started send these really fucking funny emails about true stuff that was happening to me. And I'm not even the coolest one of my friends.

Reporter: I see. And this snowballed into the book?

Tucker: Well I had a few other books too which were also bestsellers.

Reporter: Really? Where can I get them?

Tucker: They're not available. Since they were selling so fucking well, I decided it was best to pull them from the marketplace.

Reporter: Sort of an odd financial plan, eh?

Tucker: I'm Tucker Max.

Reporter: I can't help but notice that you and Nils and your friends wear a ton of flip flops and elastic shorts. Did you rob a Sports Chalet?

Tucker: I sleep with so many chicks that I need to have quick accesses to being naked.

Nils: I just do it because Tucker does it... and I decided to get engaged right before I become famous -

Tucker: Shut the fuck up Nils, you fat bastard.

(Nils hang his head and goes into the Kitchen. He folds a large DiGornio Pizza in half and inhales it.)

Reporter: I see here that you appeared on MTV?

Tucker: They actually appeared on me once- Projected right onto my Frankenstein like forehead. It was awesome. And then I agreed to let them film a show about me. Highest ratings I think ever for their network.

Reporter: So they must have made a series out of it?

Tucker: Fuck MTV. They are a small network with no real market or business models.

Reporter: I think they're a global network.

Tucker: I'm Tucker Max.

Reporter: So lets' talk about the book. What are some of your favorite stories?

(The Bunny arrives bringing the boys sandwiches - Tucker inspects his sandwich closely)

Tucker: You fucking stupids cunt. I said NO TOMATO!

Bunny: Can't you just remove them?

Tucker: You fucking worthless cum dumpster - they touched the fucking meat. Get me a new one now or I'll knock the shit out of you!

(Bunny bursts into tears, drinks a bottle of Zinfandel, pops three pills and runs out)

Reporter: Is this a bad time?

Tucker: For what?

Reporter: Right... um, the book. What are your favorite stories?

Tucker: Tucker Tries Bufthsects!

Reporter: I'm sorry. Bus sexs?

Tucker: Bufthsects!

Reporter: Bug Heads?

Tucker: Bufthsects!!!

Reporter: ... um, let's move on. This isn't your first time in Hollywood right?

Tucker: Comedy Centrals bought a show from me, but the stupid dumb cunt I was working with tried to hire professional staff and I told them where they could go. I'm Tucker Max, and a character like me has never been created in Hollywood. I'm a brand.

Reporter: I think I've seen your character about 947 times.

Tucker: You're 100% wrong. This movie is revolutionary and will change Hollywood.

Reporter: That's a bold claim. It must be some screenplay.

Nils: I wrote it and gave it to Tucker.

Tucker: I fixed it and made it work.

Nils: He changed one sentence.

Tucker: Shut the fuck up you fat asshole. I made you and I can destroy you, dropout!

(Nils hangs his head and goes to kitchen and smashes a full bag of Chips 'ahoy. He then pours the crumbs on to a cutting board and snorts them using an empty paper towel tube.)

Reporter: Sounds like quite the writing process.

Tucker: Yeah, we fucking analyzed every word, every sentence. There was this one scene where we were looking for a really pretentious sounding name for a fucking character that Tucker absolutely decimates, so I call Nils and said "Hey it's Tucker. Gives me the dickiest name you can think of, Nils" We picked Logan. And that has never been done before. Ever.

Reporter: You are aware that movies get made everyday, right? Even ones about real people. They are sometimes called biographies or bio-pics.

Tucker: 100% wrong you are. This movie is doing things that have never before ever been done. We have food on the set.

Reporter: It's called catering.

Tucker: I'm fucking Tucker Max.

Reporter: I got that part... Are you excited about the soundtrack for this movie or are you not involved in that?

Tucker: I am involved with everything in this movie. It's my movie about me. It's fucking awesome. And the soundtrack is fucking off the charts. We got Paul Wall to contribute.

Reporter: Who?

Tucker: Paul Wall.

Reporter: I'm sorry, I though you said Paul Wall. I don't think I know who he is.

Tucker: Paul Wall is a Garillionaire. I'm throwed Baby Baby.

Reporter: You are aware that you are a rich white kid living in vacuum, right?

Tucker: I'm Tucker Max.

Reporter: I have time for a few more questions, but if you want to end this I understand because it's not going that well.

Tucker: There is no such thing as bad press.

Reporter: What about those script pages that were leaked on Gawker?

Tucker: Oh that "leak." I guess they somehow "got there." And I somehow got $25,000,000 worth of free press. I certainly didn't do that because I am not that "smart."

Reporter: Actually, you had nothing whatsoever to do with those script pages being leaked, and the end result was extremely hurtful to the credibility of your screenplay and the market for this film.

Tucker: Yeah. I "wonder" how those pages "got there."

Reporter: You can keep "talking in quotes" till Nils grows a tenth chin, it will never change the fact that actual script pages from the shooting script of your film were released and met with painful silence by the masses.

Tucker: "Gee" I hope that never "happens" again because that would mean people would be "talking" about "my movie."

Reporter: People talk about herpes. It doesn't mean they want them. Your logic that being the most hated man on the planet could backfire.

Tucker: I have never once failed.

Reporter: That test radio show you did two years ago?

Tucker: Highest rated show ever in the history of radio.

Reporter: Your appearance on Opie and Anthony?

Tucker: Never happened.

Reporter: You do realize that telling yourself lies doesn't change the truth?

Tucker: I'm Tucker Max.

(Bunny arrives with NEW food for Tucker - Will she get beaten? )

----- END PART OF PART ONE ----

Re:first post (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#24520535)

Damn that's some funny shit. Funnier than anything he's ever written.

Re:first post (1, Funny)

Anonymous Coward | more than 6 years ago | (#24521983)

Yeah, there's something wrong with the world when the trolls are more interesting than the on-topic posts.

"think" (1)

inTheLoo (1255256) | more than 6 years ago | (#24519877)

Cockroaches have group based decision making that can be compared to thought. I'm not sure the same can be said of phishers and the bohearder crowd.

How is this useful for law-abiding citizens? (4, Interesting)

Enderandrew (866215) | more than 6 years ago | (#24519893)

I wish the article had good suggestions for how to prevent phishing attacks. Instead, it seems like this article is suggesting I can easily steal already stolen credit-card data.

Re:How is this useful for law-abiding citizens? (2, Funny)

AceofSpades19 (1107875) | more than 6 years ago | (#24519921)

You can start phishing phishers and get your sweet sweet revenge

Re:How is this useful for law-abiding citizens? (5, Interesting)

davester666 (731373) | more than 6 years ago | (#24520027)

Offhand, the only 'good' thing you could do would be to hoop the database. If it's poorly secured, you could get it to delete all the current records. If it's more secure, you could fill it with slightly bogus data [like real names and addresses, but phony credit card numbers.

This could result in:
-fills up the drive on the computer it's stored on, which would at least temporarily halt more stupid people from adding their data to it
-make it difficult to filter out good entries from bad. The data is kind of correct, they might have to actually pass it to the credit card company to actually check if it's good or not
-if they can't filter out the bad entries, it makes using the database to do 'bulk' transactions easier for the credit card companies to notice [assuming they put much effort into it instead of just passing the cost onto merchants] as it happens, instead of 30 days later when people complain.

Re:How is this useful for law-abiding citizens? (1)

xristoph (1169159) | more than 6 years ago | (#24520575)

that might work... if they're not logging database accesses, which would make it relatively easy to filter out the good data again...

Re:How is this useful for law-abiding citizens? (3, Informative)

davester666 (731373) | more than 6 years ago | (#24521367)

Maybe, but you could spoof the IP and/or MAC address of the phishing site, and you've got the code the guy is using to update the database, so you could probably get really close to looking like the real phishing site.

Of course, if the phisher is storing the data on some 3rd party guestbook, you may not want throw thousands of entries a second at it...

And this could easily cross over to the illegal side... Technically, it probably is illegal to write bogus entries into a hackers data, as it would be gaining improper access to a companies information [probably some federal statue].

Re:How is this useful for law-abiding citizens? (4, Informative)

janrinok (846318) | more than 6 years ago | (#24521489)

Certainly over here in Europe you will have just committed an offence. The unauthorised access of someone else's computer is illegal, yes, even those computers being used by criminals. There is no "Robin Hood Excuse" that will change the fact that your actions are illegal. Now, as the US has just been successful in claiming the extradition of a British cracker, I'm sure that the US will be equally happy to extradite all those Americans who hack into European criminals' computers to face charges over here. Alternatively, you might have been suggesting that all phishers are American and that as long as such actions are contained inside the USA it is all entirely acceptable.

That's one of the problems of being a vigilante, you often have to be a criminal to do what you 'believe' to be justice. It doesn't make the vigilante any better in my eyes.

Re:How is this useful for law-abiding citizens? (2, Interesting)

Eskarel (565631) | more than 6 years ago | (#24521625)

I really don't think legality is all that much of an issue. You're looking at more risk of them sending hired goons than the police.

Remember illegal access to a computer is illegal, but anyone running a database full of stolen credit card numbers is probably not going to call the cops on you, especially since to prove you access the system they'd have to keep it pretty much intact.

Re:How is this useful for law-abiding citizens? (4, Insightful)

rapiddescent (572442) | more than 6 years ago | (#24521813)

legality is an issue - why should *you* make the judgement on whether that data is in fact stolen - perhaps that data has been placed their by banking regulators/NHTCU using 'honeypot' card numbers so that tracing can occur to recover funds.

A well known Scottish bank (that I used to work at) were well known for chasing money launderers who have (ab)used their systems to the ends of the earth - often spending more than the consequential fraud loss to do so. In the old days, they used to use marked cheques - nowadays they have hotscan products that will trace payments to affiliated payment networks across international borders.

Yeah, breaking into phishing sites is a lot of fun, but before you "drop table", think about your actions and whether you are breaking the computer misuse act (UK) [opsi.gov.uk] or the Police and Justice Act (Scotland) [opsi.gov.uk] or indeed any law from the host nation.

The Gary MacKinnon [wikipedia.org] case has shown that a rather underrated cracker (poking around with Term Services looking for blank passwds -- for FS!) can cause an extradition to a foreign country well known for its human rights abuses - is just shocking.

Re:How is this useful for law-abiding citizens? (3, Insightful)

Fred_A (10934) | more than 6 years ago | (#24522449)

Remember illegal access to a computer is illegal, but anyone running a database full of stolen credit card numbers is probably not going to call the cops on you, especially since to prove you access the system they'd have to keep it pretty much intact.

There is however a marginal risk that the legitimate owner of the system would notice you instead of the phisher. And call the relevant authorities on you. Which might prove uncomfortable.

Re:How is this useful for law-abiding citizens? (0)

Anonymous Coward | more than 6 years ago | (#24522125)

Phishers store IP of people loging in, filling phishers database with bogus from one ip does not damage the rest of the data because it's easy to filter out the bogus data.
g

Re:How is this useful for law-abiding citizens? (5, Informative)

urcreepyneighbor (1171755) | more than 6 years ago | (#24519937)

I wish the article had good suggestions for how to prevent phishing attacks.

Super secret information! Don't share with anyone! Majestic Clearance only! [google.com]

Re:How is this useful for law-abiding citizens? (0)

Enderandrew (866215) | more than 6 years ago | (#24519981)

Sorry, I'm terrified of clicking on links for fear of being phished. Perhaps I'll go search on MSN for how to prevent phishing. Oh wait, it says to exclusively use IE and then I'll be magically safe from all phishers!

Now I feel safe and secure!

(Yes, I'm being facetious).

I know I can Google for information on phishing, but why post this article on Slashdot? It seems like the only point of this article is to encourage theft of data. I didn't think that was the norm for the editors here.

Re:How is this useful for law-abiding citizens? (2, Interesting)

maxume (22995) | more than 6 years ago | (#24520403)

So the only thing keeping poor Billy from stealing data is that he hasn't thought about it and a timely article on /. is going to push him over the edge?

Probably not.

Re:How is this useful for law-abiding citizens? (1)

cduffy (652) | more than 6 years ago | (#24520641)

The article increases awareness of a security vulnerability.

Awareness means people can reprioritize how important it is to fix something: ie. if phishers handle private data so carelessly that it can be stolen by more parties than just that initially gathering it (and the party they sell it to), that provides a justification for even more vigilance than would otherwise be used, and a talking point to use when telling people how important it is to be cautious about potential phishing sites.

Re:How is this useful for law-abiding citizens? (0)

Anonymous Coward | more than 6 years ago | (#24521943)

I wish the article had good suggestions for how to prevent phishing attacks.

Super secret information! Don't share with anyone! Majestic Clearance only! [google.com]

Yeah sure. Like I'm really going to click that link. Do you think I was born yesterday?

Re:How is this useful for law-abiding citizens? (0)

Anonymous Coward | more than 6 years ago | (#24519947)

Well, this is the BlackHat conference, not the White Hats after all :)

don't forget the microsoft's Blue Hat (1)

CDMA_Demo (841347) | more than 6 years ago | (#24520543)

and apple's mighty iHat as well

Re:How is this useful for law-abiding citizens? (4, Insightful)

LostCluster (625375) | more than 6 years ago | (#24519973)

Isn't that the reason they call it "Black Hat" instead of "White Hat"?

Re:How is this useful for law-abiding citizens? (0)

Anonymous Coward | more than 6 years ago | (#24520231)

So then when do you break out the "Red Hat"? When you're stealing from the phishers and returning the stolen information to their rightful owners? Though I could've sworn Robin Hood wore a "Green Hat"...

Re:How is this useful for law-abiding citizens? (2, Informative)

Gyga (873992) | more than 6 years ago | (#24520317)

I think it is gray hats who break the law for ethically okay reasons.

Re:How is this useful for law-abiding citizens? (1)

Minwee (522556) | more than 6 years ago | (#24520753)

Then who are the "Jimmy Hat"s?

Re:How is this useful for law-abiding citizens? (1)

Clock Nova (549733) | more than 6 years ago | (#24520843)

They're what you wear before sleeping with Mr. Bishop's wife and daughter. Never know where them New Reno chicks have been.

Re:How is this useful for law-abiding citizens? (1)

Darkness404 (1287218) | more than 6 years ago | (#24520893)

Nah, I only break out a Red Hat for the few occasions I work with RPMs. Or when I feel like switching to Fedora for a weekend.

Re:How is this useful for law-abiding citizens? (0)

Anonymous Coward | more than 6 years ago | (#24521501)

you break out the "Red Hat" when you pay hundreds of dollars for "free" software.

Re:How is this useful for law-abiding citizens? (1)

Majik Sheff (930627) | more than 6 years ago | (#24521371)

The conference on phishing and spamming should be called the Ass Hat conference.

Re:How is this useful for law-abiding citizens? (3, Insightful)

teh moges (875080) | more than 6 years ago | (#24520191)

This article isn't about that, its about how they think. The information it does have, while brief, is exactly the type of information that I was expecting when I clicked the link.

How to prevent phising attacks. (5, Insightful)

Anonymous Coward | more than 6 years ago | (#24520251)

Engage brain before clicking.

Re:How to prevent phising attacks. (2, Interesting)

CDMA_Demo (841347) | more than 6 years ago | (#24520561)

Engage brain before clicking.

I think you proved subtly that we have a Darwinian mechanism at work through phishers and crackers.

Re:How to prevent phising attacks. (0)

Anonymous Coward | more than 6 years ago | (#24520755)

Insinuating that only stupid people become phishing victims is like saying only whores are raped.

Re:How to prevent phising attacks. (1)

Darkness404 (1287218) | more than 6 years ago | (#24520905)

Really, most phishing attacks can be stopped with 2 things A) Making sure that it is the correct site and B) Making sure that it is HTTPS and the certificate is valid. If you do those two things, you have a good possibility of not being phished. Now, if the DNS servers gets cracked or other things like that, you might, but for 99.99999 percent of the time, doing those two things should protect you. Oh, and use a decent browser like Firefox.

Re:How is this useful for law-abiding citizens? (1, Interesting)

Anonymous Coward | more than 6 years ago | (#24520357)

A lot of phish sites using php are sending the captured info to email accounts (gmail and yahoo seem to be the most popular).

While there are times when you can find credit card or login info in txt files stored on a hacked server, I see them using email as a dumping ground more often, and keeping an actual database on the same server as the site is hosted seems far too dumb to be very common.

As a side note, I try to report these email accounts when I find them and while I can't say what gmail has done with the reports I've sent them, I can say that yahoo has been completely impossible to work with. The last time I tried, I even got a response back but they misunderstood (obviously didn't bother to fully read) my email. Even after going back and forth with them two other times, and trying everything I could to explain it clearly they didn't get it.

They kept thinking I was trying to report spam I had seen sent to me from a yahoo account and they wanted headers.

AC? (2, Interesting)

funkdancer (582069) | more than 6 years ago | (#24521295)

How long until some jokester does a phishing attack that submits the info to random slashdot threads?

Re:AC? (1)

dotgain (630123) | more than 6 years ago | (#24521473)

We've had worse.

Re:How is this useful for law-abiding citizens? (2, Interesting)

jschottm (317343) | more than 6 years ago | (#24521491)

I wish the article had good suggestions for how to prevent phishing attacks.

But it does. Given that the miscreants are apparently posting information into public forums, simply enter your credit card number into a google search from time to time and see if it turns up. (Note for those without a sense of humor: don't do that.)

Seriously, what did you expect from a two paragraph writeup (one of which isn't actually about phishing but sale of CCs) of a talk at a conference that says with a wink and a nudge that they cater to the bad guys? There's not actually enough information in the blog (not that there's supposed to be) to warrant getting on slashdot. There's a bunch of resources [google.com] available discussing the subject if you really need information on the subject.

Google (0)

Anonymous Coward | more than 6 years ago | (#24519925)

If you want credit card numbers, just Google for them. Why bother buying them from a fisher?

Re:Google (2, Funny)

ya really (1257084) | more than 6 years ago | (#24520225)

Let me get you started, 4111 1111 1111 1111. It even passes the mod 10 check!!

Re:Google (1)

Daniel Weis (1209058) | more than 6 years ago | (#24520281)

What's the credit limit on a trout's account? How about a whale?

Re:Google (1)

ya really (1257084) | more than 6 years ago | (#24520325)

Make sure you ask for the mother whale's name (mwn), I hear that's pretty important.

Hmm (2, Funny)

areusche (1297613) | more than 6 years ago | (#24519951)

Hackers hacking hackers? That's a mouthful! What's next? Bankers banking bankers?

Re:Hmm (5, Funny)

Eudial (590661) | more than 6 years ago | (#24520105)

The next logical step would be hackers hacking hacker-hacking hackers.

Re:Hmm (2, Funny)

Shajenko42 (627901) | more than 6 years ago | (#24521087)

Luckily, I have a Trace Buster-Buster-Buster.

Re:Hmm (0)

Anonymous Coward | more than 6 years ago | (#24521471)

From the main article:

...To sell things like credit cards, they showed a site called vipdump where you can buy a stolen US credit card number for $20 each...

Next step is phishing a phisher about the $20 by redirecting him/her from that 'vipdump' to a page to get his/her credit card. The screw keeps on turning.

Ah, and by the way, I think it's time to put clear that by phisers nobody is referring to Trey Anastasio's band fans.

Re:Hmm (0)

Anonymous Coward | more than 6 years ago | (#24520455)

Of course. Police police police police.

Re:Hmm (3, Funny)

Mesa MIke (1193721) | more than 6 years ago | (#24520519)

Re:Hmm (3, Funny)

Clandestine_Blaze (1019274) | more than 6 years ago | (#24521133)

Oh yeah? Well I see your smelly Buffalo, and raise you a James while John had had had had had had had had had had had a better effect on the teacher [wikipedia.org]

I wish I knew about this while I was in high school and had to write boring 500 word essays. A few of these and I would be nearly done! :D

Re:Hmm (0)

Anonymous Coward | more than 6 years ago | (#24522063)

GNU

Re:Hmm (0)

Anonymous Coward | more than 6 years ago | (#24522521)

am i the only one who only understand 5/8th's of that?

Hey! (5, Funny)

Vectronic (1221470) | more than 6 years ago | (#24519963)

"...[Phishers] basically are lazy"

I'm lazy, maybe I could be a phisher king...

"...all one needs to do to find this info is to reverse engineer a real phisher's website, look at their PHP script..."

Shit, I instrinsically fail.

Re:Hey! (1)

cthulu_mt (1124113) | more than 6 years ago | (#24520061)

The Batman version:

"...Hackers are a cowardly and superstitious lot...also lazy"

Re:Hey! (0, Offtopic)

ChuckSchwab (813568) | more than 6 years ago | (#24520069)

Um, you ... do realize, don't you, that evolution is just a theory, right? THEORY. As in ... it hasn't actually been proven yet?

Yeah ... *that* kind of theory.

Re:Hey! (1)

brunokummel (664267) | more than 6 years ago | (#24520151)

"...[Phishers] basically are lazy"

I'm lazy, maybe I could be a phisher king...

"...all one needs to do to find this info is to reverse engineer a real phisher's website, look at their PHP script..."

Shit, I instrinsically fail.

Well ..That's the easier part, since the poster of TFA already figured out the much harder "..." part of the sequence:
1 - Think
2 - ....
3 - Profits

The Phisher Job Description (3, Funny)

Nymz (905908) | more than 6 years ago | (#24520093)

...does involve 'securing' data, just not in the way you think it does.

It's easy to phish! (0, Offtopic)

MyOtherUIDIsLower (1332331) | more than 6 years ago | (#24520095)

1. Think 2. Act 3. ??? 4. Profit!

Phishers Are Lazy Because People Are So Dumb (1)

curmudgeon99 (1040054) | more than 6 years ago | (#24520113)

How many thousands of times have you received emails from Nigerian Princes and banks you have never heard of? Enough, right, to know that you're an idiot to click on them. Then, add in lazy, persistent, digitally-amplified slackers trolling for information, and you have The Perfect Storm. These lazy phishers are making money because Joe Sixpack and Mary Hausfrau are so utterly stupid. We're doomed.

Re:Phishers Are Lazy Because People Are So Dumb (1)

ILuvRamen (1026668) | more than 6 years ago | (#24520343)

What do you mean "we're" doomed? More like people that dumb are doomed. We're just gonna hit the delete button on those dumb e-mails. Or OMG maybe even look at the status bar to see where links go.

Re:Phishers Are Lazy Because People Are So Dumb (1)

kent_eh (543303) | more than 6 years ago | (#24520853)

What do you mean "we're" doomed?

I expect he means that large numbers of stupid people doing especially stupid things can cause significant negative effect on the economy.
Or cause draconian reactions from the financial sector and/or governments.

That affects us all.

Re:Phishers Are Lazy Because People Are So Dumb (2, Interesting)

DaveWick79 (939388) | more than 6 years ago | (#24521007)

No, it most certainly affects everybody, because if the phisher is good enough he is going to dupe many merchants out of thousands of dollars, and when the credit card companies issue chargebacks, it will put small businesses out of business, take those thousands of dollars out of the hands of the middle class and put them in the hands of some worthless hacker who is probably going to blow it on dope. It has a far reaching effect.

Re:Phishers Are Lazy Because People Are So Dumb (1)

McGiraf (196030) | more than 6 years ago | (#24520833)

And who end up footing the bill? ... yeah. It raises the cost for everyone else like shoplifting and any kind of fraud does.

Old Hat (5, Funny)

Pandare (975485) | more than 6 years ago | (#24520133)

This article is an old Trope. In fact, Confucius once said: "Give a man a fish, he eats once. Teach a man to phish and he gets a post in /."

Re:Old Hat (2, Funny)

Anonymous Coward | more than 6 years ago | (#24520257)

Confucius say:

There is black hat and white hat, but your sig is just old hat.

Re:Old Hat (4, Funny)

Yvan256 (722131) | more than 6 years ago | (#24520577)

Give a man fire and he'll be warm for a day. Set him on fire and he'll be warm for the rest of his life.

Re:Old Hat (4, Funny)

Darkness404 (1287218) | more than 6 years ago | (#24520931)

But give a man Ramen Noodles and you don't have to teach him anything.

Re:Old Hat (1)

caluml (551744) | more than 6 years ago | (#24522109)

A bunch more here [calum.org] :)

Actually... (0)

Anonymous Coward | more than 6 years ago | (#24520211)

In my experience, most small-scale phishing operations simply email the info to a throw away free email (the email will outlast the site in almost 100% of cases).

One time... (1, Interesting)

JimboFBX (1097277) | more than 6 years ago | (#24520227)

One time I received an e-mail saying my account at a local credit union had been compromised (he was using the university's public ability to look up people to attack their e-mail address). The thing was I didn't have an account at that credit union. I knew it was a phishing scheme, so I clicked the link and intentionally made up a user name said my password was "the FBI is coming". Of course, it went to the next page to re-affirm my personal information.

I e-mailed the real credit union, told them about it, told them the link, and even who-is'd him for them in the e-mail (it appeared to be an Indian name). They told me they were looking into it. 4 months later I got the same e-mail, same website. A third e-mail showed up next year as well.

The funny thing is that in the local college newspaper there was a guy who said he'd charge $35 to install Windows Vista on people's computers if they were a college student. Windows Vista was offered for free to individuals of the university, you just had to go download the installer. I called the number on the ad, being pissed off at how he was trying to rip people off, to give him a fake place to show up at. It went to his voice mail.

He had a thick Indian accent. Same guy? Coincidence? No idea. I ended up not leaving a message.

I still have the e-mail message. The domain he used is no longer registered to anyone. I hope they nabbed him.

Re:One time... (0)

Anonymous Coward | more than 6 years ago | (#24520285)

I traced a phisher who tried to hex encode his ip address... He was using some cities local news website (mail function) to e-mail himself the information.

Re:One time... (1)

maxume (22995) | more than 6 years ago | (#24520429)

I've gotten phishing emails, notified the registrar (basically, if it makes it past gmail, I take it as being more 'lively') and watched the domain disappear within 48 hours. I don't have any illusions that it must have been my notification that made things work (I've also had registrars act like it isn't any of their business that their clients are pissing in the pool), but getting the domain pulled is the one thing that is going to prevent anything from happening.

Re:One time... (3, Interesting)

c0nsole (1164167) | more than 6 years ago | (#24520459)

Sounds like a coincidence to me. I charge way more than that to install any OS on any computer, as the job usually involves backup and migragation of the client's files, tracking down drivers, and other mundane stuff. For $35 it sounds like the guy was just trying to pickup some cash on the side. Even in the technical fields at my university I know there were *many* people who would never attempt something as trivial as installing an OS. Downloading and installing a printer driver is voodoo to those people, even though they themselves installed the printer via the 'quick setup poster' that came with it when it was new. Trying to show these sorts of people how to do this stuff themselves is an exercise in futility. I doubt the phisher in question would have the know-how to even be able to install Vista anyways...I heard they're quite lazy. :)

Re:One time... (1)

Brain Damaged Bogan (1006835) | more than 6 years ago | (#24520471)

seems to me he was charging for the service of installing vista, not charging them for vista, hence why he'd only do it "if they were a college student", because they apparently got the licence for free from the college.
not everyone in this world can install an operating system in their sleep.

Re:One time... (5, Funny)

Anonymous Coward | more than 6 years ago | (#24520743)

"even who-is'd him for them in the e-mail (it appeared to be an Indian name).... I called the number on the ad... He had a thick Indian accent. Same guy? Coincidence?"

No way that was a coincidence. I mean, how many Indians are there?

Re:One time... (0)

Anonymous Coward | more than 6 years ago | (#24520907)

Giving him a fake place to show up?

Sounds like you're the asshole.

$35 isn't all that bad a price to install an OS. I can charge over 5 times that (Debian) and people are happy, because they need it done, don't have the time or inclination to do it themselves.

Re:One time... (1)

ajlisows (768780) | more than 6 years ago | (#24521269)

I'm a little disturbed by your post on two levels. The first is that you think charging $35 to install Windows is somehow "Ripping people off". Sure, they let you download the installer for free. How many people, even college students, necessarily know what to do next.

By the time you go through the long Vista install process, download the newest patches, hunt down drivers that didn't get installed automatically, and whatever else you can end up having spent a good 3 hours worth of your time.

Take the same installer to Best Buy and ask them how much to install Vista for you. I guarantee it is more than $35.

The other disturbing part is that when dealing with a known fraudster, you assumed he used his real name to register the web site where he set up his scam.

You know, this one time... (4, Funny)

patio11 (857072) | more than 6 years ago | (#24521309)

... I saw two white guys in a day. And was like, whoa -- are you folks following me?

Then I saw another one. I knew it. Never trust white guys.

-- A white guy (but just because I'm paranoid doesn't mean I'm not out to get me!)

Re:One time... (0)

Anonymous Coward | more than 6 years ago | (#24521451)

An Indian accent? Ripping people off? Fake address. lol, you are an idiot.

Re:One time... (1)

JimboFBX (1097277) | more than 6 years ago | (#24521483)

Because obviously everyone has to nick-pick every fact...

The ripping people off part of the $35 deal is that you can call the university's helpdesk and have them help you for free. Its a service provided by the university. I knew people who worked at it and they flat out said "That's a rip off because we'd help people do that". Secondly, the ad's language carried the implication that for $35 he would TELL you where you could get the installer for Vista (I don't remember the exact words, but I think it was something like "Hey students! Find out how you can get Vista Professional! $35"). It wasn't clear if they would actually install it for you, which is part of the reason I was calling. As many have pointed out, if they do install it for you that is not entirely an unreasonable price (well, from a business stand-point, but not from a college student's standpoint, especially when your surrounded by a lot of people who'd help you with that for free).

Re:One time... (1)

omuls are tasty (1321759) | more than 6 years ago | (#24522001)

Apu, there are rumors that you are a Hindu. Is this true?

By the many arms of Vishnu, I swear it is a lie.

Re:One time... (1)

mcrbids (148650) | more than 6 years ago | (#24522035)

Don't take this as an attack. We all make mistakes sometimes.

But wow. Pitiful that you'd think that two people with "fer'n acksents" would be the same guy. As if 5.75 billion of the world's 6 billion people sounded "fer'n".

For a while, I did as you did, although I amped it up a bit. Rather than submit a single form, I reverse-engineered the submission form, then write a PHP shell script to auto-submit random (crap) data into the form with several connections at once. Then I'd fork a hundred or so processes to run the script in a loop. Over a few hours, I'd submit a few hundred thousand submissions to the phisher, data that appeared legit, but wasn't.

Until it bored me. You do it for a while, but the next day, there's another phisher, another form to reverse engineer. So you do it again, and again, and again, until... ?

So I don't bother anymore. I delete the messages.

Apologies to Juvenal (1)

agendi (684385) | more than 6 years ago | (#24520299)

But who phishes the phishers?

Article summary (0, Offtopic)

Soulshift (1044432) | more than 6 years ago | (#24520415)

How to profit as a phisher -

1. Think
2. Act
3. ???
4. Profit!

I have to know (2, Interesting)

zappepcs (820751) | more than 6 years ago | (#24520437)

The title and summary suggest that phishers are somehow less. Lazy? What, are drug dealers not lazy? Pimps more business savvy?

That is just bothering me. Anyone else think that is just wrong? Lazy? WTF exactly would a non-lazy phisher do? Setup a data center in the Caymans? Seriously!

Bad summary (0)

Anonymous Coward | more than 6 years ago | (#24520517)

the excellent session at Black Hat that detailed 'how phishers create sites, share info and code, and basically are lazy.'

Um, the article is clearly about social networking sites.

tr0ll (-1)

Anonymous Coward | more than 6 years ago | (#24520567)

of Jordan Hubbard was after a long maggot, vomit, shit people playing can ~280MB MPEG off of were taken over of reality. Keep project. Today, as there are continues toChew perspective, the the deal with you First, you have to wasn't on Steve's Despite the to its laid-back Previously thought of HIV and other GNAA (GAY NIGGER one common goal - AT&T and Berkeley found out about the poor dead last dead. It 1s a dead Achievements that free-loving climate survey which Though I have never move any equipment fear the reaper OPEN PLATFORM, superior to slow, every chance I got our ability to

The law will protect us! (2, Funny)

Jah-Wren Ryel (80510) | more than 6 years ago | (#24520571)

And even worse, they are not protecting their stolen data

Clearly, the answer is to pass a law requiring that phishers disclose all breaches of the personal data they have collected. That will undoubtly shame them into increasing their security to better protect our personal information.

And even worse (3, Funny)

narcberry (1328009) | more than 6 years ago | (#24520713)

...they aren't protecting it? The fact that my personal information is in the hands of people with intentions of using it, is not as bad as them not protecting it? I'd hate to imagine the kinds of people that might get their hands on my personal information!

To summarise drastically ... (0, Redundant)

ezzthetic (976321) | more than 6 years ago | (#24520849)

Phishers

1. Think
2. Act
3. ...
4. Profit!!

Horribly Insecure (0)

Anonymous Coward | more than 6 years ago | (#24520881)

Followed a link in a phishing email, to a fake Paypal home page. Noticed the page wasn't in the root directory of the site, so I went quickly checked out the parent directory. A file in there caught my eye, a text file that began with "cc_". Opening it revealed about a hundred and fifty sets of email addresses, mailing addresses, full names, Paypal passwords, credit card numbers, and secret codes from the back of the credit card.

Sent an email to Paypal. Also sent one to every email address on that list that wasn't obviously phoney, telling them to cancel their credit card, change their Paypal and email account passwords.

The server was located in North Korea, I believe, so there wasn't much that could be done to shut it down. The IP address wasn't registered to a domain name either, so good whois information was out of the question.

Four days later, the site was gone, likely just using another IP address.

Makes me wonder how many other people discovered the list of information and what they decided to do with it.

Phishers ain't more techsavvy than the average Joe (3, Interesting)

Opportunist (166417) | more than 6 years ago | (#24520899)

With the advent of MPack and other tools from the RBN, it doesn't take a "hacker" anymore to phish. You buy a toolkit, you buy the exploit, you buy a trojan and the scripts for your server, and off you go. The reason why it's successful is simply that there are people who know less than the attacker about security.

Detach yourself from the idea that phishers are in any way required to be security gurus, or that they're in some way intimate with the inner workings of PCs or networks. Those that know how to code don't attack anymore. They sell their attacking toolkits to others who then conduct the attacks.

"non-cisco vpn" client? (1)

vic-traill (1038742) | more than 6 years ago | (#24520933)

So TFA says that"

An (sic) live exploit was demoed using a non-cisco sslvpn vendor during the session.

I guess I'm not afraid to demonstrate my incompetence before the entire world, but I searched for results in the two months for i) generic ssl vpn fix, ii) nortel ssl vpn fix and iii) microsoft ssl vpn fix, and came up empty handed.

Or are they talking about the Debian OpenSSL key debacle? Or maybe I should drop the "fix". :)

Re:"non-cisco vpn" client? (2, Informative)

Eskarel (565631) | more than 6 years ago | (#24521709)

Basically a vpn(virtual private network) is a way of connecting securely to a network remotely. In essence it makes you appear as if you are on the remote network even when you're not.

This like pretty much every other networking task imaginable requires a client(it connects the ssl connection and handles the routing as appropriate).

Cisco makes one, as do a number of other vendors(CheckPoint comes to mind, but only because it's the client I have to use for my work vpn connection).

All they're saying was that one of the vpn client vendors has a bug which allows an exploit of some description. If you don't have one, don't worry about it, if you do have one check yours and don't worry about anyone elses.

Re:"non-cisco vpn" client? (1)

widman (1107617) | more than 6 years ago | (#24522273)

That was for the ActiveX exploit. The SSL man-in-the-middle applies to all SSL VPN vendors and isn't fixable unless they add some extra server authentication.

The Perfect Crime (2, Insightful)

v(*_*)vvvv (233078) | more than 6 years ago | (#24521211)

Idiots fooling around do all the dirty work, and the serious crooks just snatch all their work without them even knowing it.

I am guessing phishing is risky. I am guessing that only phishing can gather information in such a large scale. If this is true, then while the idiots are getting caught, the really smart people and gaining a ton of really useful information as we speak.

If this is the case, I would be *very* worried.

People who steal are lazy (2, Interesting)

houghi (78078) | more than 6 years ago | (#24521633)

Who would have thought such a thing? I thought that people who steal would make specific GUI's for them selves like you see in the movies and do all that other stuff.

OK, end the sarcasm. People who steal want to take a shortcut to the money. They want to have the money with the least possible effort. As the data they stole is not theirs and protecting them will take effort, why would they do it?

It is as if saying that you are surprised that if people rob your house they make a mess of it. Why would they not?

XLNT BUSNESS OPORTUNITY [sic] (1)

Crash Culligan (227354) | more than 6 years ago | (#24522351)

houghi: Who would have thought such a thing? I thought that people who steal would make specific GUI's for them selves like you see in the movies and do all that other stuff.

Now, now... don't dismiss that sarcasm so easily. We've established that they're lazy and don't pay much attention to security. But you're onto something there, man. We just have to coax the idea into full reality.

Sure, they're lazy. Either they write the minimum code they need to in order to get their job done, or they buy off-the-shelf toolkits that have what they need. If the toolkit is cheap enough, they would gladly spend a little money in order to make a lot of money.

And that's where the fun begins.

Imagine a craigslist advertisement for such a toolkit with a friendly and easy-to-use back-end interface and innocuous-looking login mechanism so nobody can waltz in and steal or contaminate the collected data. The person who sets that up could make a few bucks on the side...or collect the names and addresses and turn the list over to the FBI...or distribute a program that contains some sort of sleeper malware that lies dormant for a while before it springs into action. How bad do you think the problem of software piracy is among those people, hmmm?

Of course, word of mouth won't be enough. We'll have to start sending out advertising emails. Lots of them. And possibly take out advertisements on those websites that cater to that sort of clientelle. After all, running a board like that probably costs money. The operators should be grateful for any recompense they get. Advertising is an excellent way to make money on a website. Big, flashing banner advertisements in noxious colors, telling them that they've won a free copy of PhishPharmrâ and that all they have to do to claim their prize is enter a little personal information.

Just remind yourself that the point of this exercise is education, not necessarily profit. Some people steadfastly refuse to admit what kind of trouble they cause until they get caught it something like it themselves.

So simple (0)

Anonymous Coward | more than 6 years ago | (#24521851)

1) Think
2) ...
3) Profit !!!

In related news ... (1)

tukang (1209392) | more than 6 years ago | (#24521955)

How suckers think, act, and lose their shit

How Phishers Think, Act, and Make a Profit: (2, Funny)

Conanymous Award (597667) | more than 6 years ago | (#24522025)

1. Hmmm, I want me some profit
2. Somebody set up us the phishing website
3. ???
4. Profit!
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?