Fishing for Phishers

CmdrTaco posted more than 9 years ago | from the stuff-to-think-about dept.

Security 152

mleachpdx writes "This blog entry probes into the details of an online banking phishing scam and suggests some fraud deterrence and detection measures."


I still can't comprehend it (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10746425)

Ever since 2nd November I haven't been able to sleep or eat properly. My mind is tortured by desperate questions: How could it all end like this? How is it possible that the heart of America has become a big gaping red wound [bbc.co.uk] ? Why did 50 million people vote for christian puritanism at home and a policy of arrogant bloodshed abroad?

I fear for our country. The war on terror is not working for us - it's working against us by creating millions and millions new Osama bin Ladens that will haunt us in decades to come.

I fear for my friends. I have homosexual, Muslim, atheist and liberal friends and it's becoming ever clearer that such people will not be tolerated in the new, brave Bushland. I fear for my family. I fear that my doing volunteer work for women's rights and homosexual groups is going to make them targets for harassment or worse.

I fear for myself. I already fear to express my political opinions in public and whenever I gather enough courage to speak, I get shouted down for being "unpatriotic" and told to "Move to France". What's next? Stoning or a free trip to a re-education camp?

Re:I still can't comprehend it (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10746438)

I'm ashamed to be an American.

Have no doubt, this is a war for America. Are we going to let the Jesus-freaks of the bible belt win? I'm not sure that there is much we can do. They have the numbers. Christians are morons, but they are good at getting out the vote.

I don't want to live in JesusLand!

Re:I still can't comprehend it (-1, Offtopic)

Ash-Fox (726320) | more than 9 years ago | (#10746452)

And as we all know, christians are cruel [infidelguy.com] .

Stupid fuck (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10746465)

Ever since 2nd November I haven't been able to sleep or eat properly.

Oh my heart just bleeds for you, jerk-o.

Why did 50 million people vote for christian puritanism at home and a policy of arrogant bloodshed abroad?

50 million people voted for decent Christian morals which this country was founded upon. They also voted for security. I don't see how anyone in their right mind could have problem with this.

I fear for our country. The war on terror is not working for us

Yeah, right. 10 out of 10 terrorists agree: no more Bush.

I fear that my doing volunteer work for women's rights and homosexual groups is going to make them targets for harassment or worse.

Well, you reap what you sow.

"Move to France"

Well, what are you waiting for?

Coward.

Re:Stupid fuck (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10746481)

God, I fucking hate Christians.

I'm going to do everything I can to make Christians' life hard. Fucking Jesus freaks.

I'm going to start by getting that motherfucker that leaves Jesus pamphlets in the bathroom fired.

Re:Stupid fuck (0, Offtopic)

natalia_hill (679409) | more than 9 years ago | (#10746548)

Amen Brother Ben. Stupid fuckers, all of em.

deterrent (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10746428)

The best deterrent would be drive-by shootings!

Where are the gang-bangers when you need them??

Nothing to see here... (-1, Flamebait)

mat catastrophe (105256) | more than 9 years ago | (#10746431)

Don't trust emails from "banks," don't click links from said emails. Everyone in Zimbabwe is a cunning and ruthless online thief.

And, since the scammers knew what bank this guy used, I'd say he already has a security problem.

Re:Nothing to see here... (3, Interesting)

clodney (778910) | more than 9 years ago | (#10746455)

The FA didn't give any reason for why he thought the phish was targeted at him. Without an explanation, I'm sceptical that it was targeted in any way. I get phishing mails all the time - most commonly aimed at Citibank or Paypal, neither of which I do business with. I don't know why the phisher would bother to target them. Seems like more effort than it is worth.

Re:Nothing to see here... (1, Redundant)

LiquidCoooled (634315) | more than 9 years ago | (#10746476)

I agree with you here.

It's just aiming at the big players to maximise your audience.
Currently, more people will fall for something like a Citibank scam than a LocalYokelTownBank scam.
Yes, there will be gullible people in both groups, but a lot more with the larger bank.

Hook, line, sinker.

Re:Nothing to see here... (1)

jobugeek (466084) | more than 9 years ago | (#10746918)

Funny you mention that because just the other day I got a scam email posing as Citibank. About 30 seconds later, I got one from some local bank in North Carolina. I guess they are trying to cover all the bases.

Re:Nothing to see here... (1)

mat catastrophe (105256) | more than 9 years ago | (#10746479)

Could be, yea, that he just feels "special" 'cause these cunning Zimbabweans just happened to guess his bank.

Which could also mean that they are netting fewer people than he thinks...except that there are really not that many small banks anymore.

With only a group of maybe five or six major banks in the US, I am sure it isn't too hard to snag some morons every now and again.

Re:Nothing to see here... (0)

Anonymous Coward | more than 9 years ago | (#10746524)

What the statistics do not tell you is that most phishing schemes originate in India and China. Especially since China does not have an extradition treaty with the USA, there is no way to catch the bulk of the culprits. Phishing schemes and junk mail go hand in hand. China is the king in terms of generating the most junk mail targeting North American Internet users.

The only way to stop the problem is to encourage American vigilantes to enter China and to go on a hunting expedition -- if you get my drift.

P.S.
The vigilantes could also kill a couple of Chinese thugs in Tibet. The Tibetans would certainly appreciate the help [tibet.org] .

Re:Nothing to see here... (4, Funny)

Registered Coward v2 (447531) | more than 9 years ago | (#10746537)

I fell for a phishing scam once. I just hope when Mr Hitler tried to get a new password from tech support they didn't give one out.

More Info Available here (5, Funny)

LiquidCoooled (634315) | more than 9 years ago | (#10746442)

Full article mirror here:
mirror.slashdot .org article [slashdit.com]

There's currently a problem with our server, you will have to login again to see the details.

(yes this is only a joke)

Or.... (4, Informative)

jmcmunn (307798) | more than 9 years ago | (#10746446)

From the article: "The home page of the phishing site looked identical to the actual online banking site. I was impressed. Someone had spent a considerable amount of time mirroring the entire look and feel."

Or they just used the Spiderzilla extension for FireFox and downloaded the entire site. Wow, that scammer went to a lot of work. I have gotten these scams before though, and it is no laughing matter that they go to a lot of trouble to look legit. And I bet the estimate of 15% of people who fall for it listed in the article is actually a little low.

ROI (4, Informative)

Gary Destruction (683101) | more than 9 years ago | (#10746517)

The scammer went to a lot of work because the Return on Investment was so high. For a few hours of work, he probably a substantial amount of cash.

How is it possible to make money? (1)

Futurepower(R) (558542) | more than 9 years ago | (#10746729)


How is it possible to make money, knowing the login name and password for a bank's customer? The only actions allowed are transferring money from one account to another, ordering new checks, and finding the check amounts and account balance.

Re:How is it possible to make money? (2, Insightful)

stoborrobots (577882) | more than 9 years ago | (#10746794)

The only actions allowed are transferring money from one account to another

Like from your account to mine...

Re:How is it possible to make money? (1)

russint (793669) | more than 9 years ago | (#10746937)

Like from your account to the Estonian bank account that the scammer set up using a fake ID (just clarifying).

Transfers are between your own accounts. (1)

Futurepower(R) (558542) | more than 9 years ago | (#10747047)


You can ONLY transfer money from one of your own accounts to another of yours.

Re:Transfers are between your own accounts. (3, Informative)

stoborrobots (577882) | more than 9 years ago | (#10747176)

Which bank does not allow you to make payments to other people? What is the point of online banking if you can only shuffle money between your own accounts?

Of the four banks with which I have bank accounts, all allow me to make payments to anyone else whose account details I know. I can also make SWIFT [swift.com] (i.e. international) transfers to any account worldwide, by providing branch SWIFT code and account number.

Re:Transfers are between your own accounts. (1)

Eggplant62 (120514) | more than 9 years ago | (#10747519)

Where I bank, the online facility allows me to write a check to anywhere I damned well please. *That* is what scares me about these bank phishers. There are too many gullible sheeple out there that would fall for it and end up with empty bank accounts.

Re:Or.... (1)

davesplace1 (729794) | more than 9 years ago | (#10746603)

It is scary when the phisher can make it look so real. I get so many emails from "banks" that if my real bank ever sent an email it would get deleted.

Solution: You authorise the bank first (5, Interesting)

Anonymous Coward | more than 9 years ago | (#10746453)

When you sign up, the bank asks you for your 'personalised code', and that will be displayed in every email you receive from the bank.

If you don't see that code in your email, or it's wrong, you know it's fraudulent.

Re:Solution: You authorise the bank first (4, Interesting)

BobTheLawyer (692026) | more than 9 years ago | (#10746572)

Do any real banks send e-mails to customers? As far as I know, no UK bank does.

Re:Solution: You authorise the bank first (1)

torenth (172029) | more than 9 years ago | (#10746605)

Mine certainly doesn't, for which I'm glad.

Re:Solution: You authorise the bank first (1)

ScrewMaster (602015) | more than 9 years ago | (#10748709)

Mine has the option to send what they call "email alerts", for example if your balance goes below a certain point they send you a quick note. There's a whole bunch of different triggers you can set online to determine what kinds of alerts you get. Kind of handy, actually. But they're strictly informative messages: no requests for passwords or anything like that. Of course, they all come addressed from "The Financial Team" which my spam filter decided was too spam-like and proceeded to remove them.

Re:Solution: You authorise the bank first (2)

gl4ss (559668) | more than 9 years ago | (#10746588)

the *REAL* solution: don't email the customer EVER.

My bank doesn't even HAVE my email.

Re:Solution: You authorise the bank first (2, Interesting)

fbjon (692006) | more than 9 years ago | (#10747680)

Good point, but suppose this happens:

Your DNS, or the DNS for your area, is hijacked, and everybody who uses that DNS is called up and told to log on to their bank in order to do something important?

Second solution is:
One-time passwords. I have a long list of login passwords and confirmation passwords, and a numerical customer ID known only to me. When they start running low, I can easily get a new one (mailed to me). So what if I happen to login to some fake site? The worst that can happen is that I waste some time and a little bandwidth, since they can't do anything with only one part out of three (the ID), and anything I do with the fake stuff won't happen anyway. Besides, I'd be mighty suspicious if the balance of the account(s) isn't correct, since that is what I see the moment I login.

Re:Solution: You authorise the bank first (2, Interesting)

gl4ss (559668) | more than 9 years ago | (#10747914)

the way it's been done here for almost a decade is this.. you have login and a password(which happen to be numbers) which you use to 'get in'.

then to do any transactions, to open any accounts, to apply for a loan or just about anything other than just checking how much cash you have the system asks a number from a list of one-time passcodes they've sent to you through regular mail(basically "enter the number pair for the number 4323 on your number card").

the card with the one-time-use passcodes is a plastic credit card shaped one, too. easy to have in the wallet, but totally useless without the other codes needed to get into the site.
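The index-challenge card described in this comment, sketched from the bank's side as an added example (it is not part of the original thread and not any bank's actual code). The class name `PasscodeCard`, the lockout threshold and the four index/code pairs are assumptions made up for the illustration.

```python
import hmac
import secrets

MAX_FAILURES = 3  # assumed lockout threshold; the thread does not give one


class PasscodeCard:
    """Bank-side state for one printed card of single-use passcodes."""

    def __init__(self, codes):
        self._unused = dict(codes)  # printed index -> code, deleted once used
        self._pending = None        # the only index the bank will accept next
        self.failures = 0

    @property
    def locked(self):
        return self.failures >= MAX_FAILURES

    def remaining(self):
        return len(self._unused)

    def challenge(self):
        """Choose an unused index at random; the customer must answer for it."""
        if self.locked or not self._unused:
            raise RuntimeError("card locked or used up; mail the customer a new one")
        self._pending = secrets.choice(sorted(self._unused))
        return self._pending

    def verify(self, index, code):
        """Accept a code once, and only for the index that was just asked for."""
        pending, self._pending = self._pending, None  # one attempt per challenge
        expected = self._unused.get(pending) if index == pending else None
        ok = (
            not self.locked
            and expected is not None
            and hmac.compare_digest(expected.encode(), code.encode())
        )
        if ok:
            del self._unused[pending]  # retire the code so it cannot be replayed
            self.failures = 0
        else:
            self.failures += 1
        return ok


def demo():
    # Constructed card contents, as they would be printed and sent by post.
    printed = {"4323": "918273", "1187": "550021", "7040": "304958", "2656": "771204"}
    card = PasscodeCard(printed)

    asked = card.challenge()
    captured = (asked, printed[asked])   # the pair a fake site would have recorded
    first_use = card.verify(*captured)   # the customer answers the real bank

    card.challenge()                     # next transaction asks for another index
    replay = card.verify(*captured)      # the recorded pair is already spent

    asked2 = card.challenge()
    other = next(i for i in printed if i not in (asked, asked2))
    mismatched = card.verify(other, printed[other])  # genuine code, wrong index
    return first_use, replay, mismatched, card.remaining(), card.failures


if __name__ == "__main__":
    print(demo())
```

Because the bank chooses the index and retires each code on first use, a recorded index/code pair fails both as a replay and as an answer to any later challenge.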

Re:Solution: You authorise the bank first (2, Interesting)

fbjon (692006) | more than 9 years ago | (#10748033)

Sure, I'd say that's good enough, but someone could still check your account balance whenever he wants. (I'm assuming the login thing never changes) In my case, you need the one-time pass even before that, and the paper they come on can be folded and put in the wallet too :). After doing your business, you confirm with a pass from a second list, that you can store separately if you want.. you could for example do all money transfers from one location, and then confirm everything from another computer/city/country entirely. I don't know if knowing the balance is a significant risk of anything though..

Re:Solution: You authorise the bank first (4, Insightful)

legirons (809082) | more than 9 years ago | (#10746614)

"When you sign up, the bank asks you for your 'personalised code', and that will be displayed in every email you receive from the bank. If you don't see that code in your email, or it's wrong, you know it's fraudulent."

And this code would be sent through which secure email-delivery system exactly? Plaintext SMTP on the internet, like all the other emails from your bank?

Hell, banks don't even sign their emails. Many of them don't even know what PGP is. How many of us have had conversations with our banks along the lines of:

You: I just got an email purporting to be from you

Bank: Yes, that's right

You: So how do I know it's real without phoning you

Bank: Because it's got our name in the From field

You: Did you ever consider signing your emails

Bank: OUR INTERNET IS SECURE, WE USE HTTPS WEBSITE!!!

Re:Solution: You authorise the bank first (0)

Anonymous Coward | more than 9 years ago | (#10746700)

What the hell has secure-email delivery got to do with it? Unless the phishers have somehow gotten hold of an email from your bank to you, they won't know your phrase, simple as that.

Re:Solution: You authorise the bank first (2, Insightful)

legirons (809082) | more than 9 years ago | (#10746851)

"What the hell has secure-email delivery got to do with it? Unless the phishers have somehow gotten hold of an email from your bank to you, they won't know your phrase, simple as that."

Okay, and how do the spammers get somebody's email address to start with? Oh yes, a virus emails the contents of their inbox to a Russian server

Along with your special code.

And don't pretend that you can just secure your computer -- there have been 5 major Windows viruses already this year, and as far as I can tell, nearly every Windows user I know has been infected.

As to secure delivery, have you noticed the number of people buying wireless networking kit? Most of those people are transmitting their POP and IMAP connections in cleartext to anyone within range. Dumpster-diving doesn't even require getting dirty any more.

A code could work well, I admit. But it might need some small changes, such as sending a numbered list of codes in the mail, and writing something like "this is email #403 from us and code 403 is blah" in each email. But anything which relies on computers, inboxes, and emails being perfectly secure starts to sound like a bad idea when you mix it with banking.

Customer details (4, Interesting)

metlin (258108) | more than 9 years ago | (#10746456)

Limit access to customer records. This is pretty much standard practice in the banking industry anyway, but I found it eerie that my phisher knew what institution I did banking with. How did they know this?

Well, I've received several of these mails, but I do not really think they go by any kinda cue -- I've received mails from various banks from around the US, so I think these guys randomly see where you are, make a wild guess at the likely bank and send you one.

For instance, several students at GTech (where I study) have their bank accounts in a certain bank (which we shall call W) -- and a lot of these scams are directed at GT students pretending to be from W.

However, that said -- I'd not be surprised if they actually did some dumpster diving and found out these kinda details. Spooky, man.

Re:Customer details (1)

metlin (258108) | more than 9 years ago | (#10746469)

Okay, I realized that I contradicted myself a little up there -- I meant that these guys don't go by any cue based on any serious evidence (like your statements or insider operations) -- they probably look up your e-mail address from your website or Blog or whatever, guess where you are from and use that information to target the bank you're likely to be from.

Because, I'd a page at which listed me as working in a certain lab that I used to work at - and some of these scams used to contain spoof elements of those banks, too.

Not to mention the eBay spams that I seem to be getting lately. Sheesh.

Most Phishing Schemes Originate in India/China (0)

Anonymous Coward | more than 9 years ago | (#10746488)

What the statistics do not tell you is that most phishing schemes originate in India and China. Especially since China does not have an extradition treaty with the USA, there is no way to catch the bulk of the culprits.

Phishing schemes and junk mail go hand in hand. China is the king in terms of generating the most junk mail targeting North American Internet users.

The only way to stop the problem is to encourage American vigilantes to enter China and to go on a hunting expedition -- if you get my drift.

P.S.
The vigilantes could also kill a couple of Chinese thugs in Tibet. The Tibetans would certainly appreciate the help [tibet.org] .

Re:Customer details (1)

moonbender (547943) | more than 9 years ago | (#10746578)

That startled me, too. Phishers don't typically target individual users, they send out the same mail to every address they can get hoping that some percentage will actually have an account with that bank.

I've also gotten scam mails for various banks. The sophisticated ones took into account that my address is German (ends in .de), but I also get some for American banks. Some of the German ones actually got the institution right, but that's not too hard: there are a couple of really large names that probably cover about 90% of the German private bank accounts.

If there are more reasons to believe that they know more about him, he didn't mention them. The fact that they "got it right" the first time isn't enough, though, and I wouldn't be surprised if he gets more scam mails for other banks in the future.

They don't know who you are (4, Informative)

Space cowboy (13680) | more than 9 years ago | (#10746458)

I must have got a dozen or so of these in the last few days, my spam appears to go in phases... either I'm in dire need of sexually-enhancing drugs, about to die from malnutrition, or they're all just after my CC details...

It's just a blanket 'attack'. Email is cheap, and they're not trying to be smart because they don't need to be.

Simon

Re:They don't know who you are (1)

theCoder (23772) | more than 9 years ago | (#10746877)

I got one recently from someone who purported to be my phone company telling me that my bill was due in a few days and that I should go pay it online. It actually seemed legit because it had my phone number in it and it was to an email account I had given the phone company. However, the bill due date was wrong, and I had already paid the bill for the month. So I put it in the "deal with later" pile.

It wasn't until later that I realized that it might be a phishing scam. Further research indicated that it probably was, but I didn't get anything conclusive. I tried going to the website given (but not the random URL in the mail -- I didn't want to tip them off), but that just redirected to the phone company's site.

I did try to report the scam to the phone company, but I never heard back. They probably don't care.

What's scary, though, is that I didn't even think it might be a scam until much later. And I should know better. What chance do people who don't think about these things have?

ways to prevent online fraud? (5, Insightful)

Anonymous Coward | more than 9 years ago | (#10746461)

why not give consumers one time access (through pads)?
This is done in Japan and works well there. Maybe consumers here would lose their card? The card isn't electronic, it's just a card with PIN numbers that you scratch off each time you use the PIN number.

Banks should STRONGLY educate consumers to never expect emails from the bank that contain links.

Re:ways to prevent online fraud? (2, Interesting)

LiquidCoooled (634315) | more than 9 years ago | (#10746494)

I posted a comment a few days ago regarding how my bank secures online access.

The gist of it is a longer code that I arrange with them in person, and when I go online with them, they ask for random portions of that code.

I would have to be scammed multiple times before anyone had access to my banking.

The comment is here: http://slashdot.org/comments.pl?sid=128336&cid=10716472 [slashdot.org]

Re:ways to prevent online fraud? (1)

legirons (809082) | more than 9 years ago | (#10746782)

"Why not give consumers one time access (through pads)?"

Ok, look at the story from the perspective of a real-world bank, rather than a mythically secure one.

There's a bank in the UK called cahoot (part of abbey national) which offers one-time credit cards that you can use over the internet. For those of us who use the same card for foreign pr0n sites, that sounds quite useful, right?

That's the smart bit. That was the good idea. Their security goes downhill for the rest of the story.

It's an unencrypted website, and the browser requirements are Internet Explorer 5 or later. From their email: "If you are using Netscape 6.0, you will not able to use the cahoot webcard". So, they require a known-insecure browser. I'm starting to have bad feelings already about their lack of clue.

To use the 'webcard' facility, you need to have Flash installed. The web-form isn't HTML, it's Flash. As most of us know, the encryption status of plugins on a page won't show up in the padlock icon. Nor will it show up when looking at the page's certificate.

In fact, their pages open in a new borderless window, so the security information, menus, and tools in your browser just aren't available. And like all popups, you have no real idea which website launched it. There's no URL bar, so even if you're using a non-Microsoft browser where the URL is trustworthy, you won't see it. It's a full-page flash animation, so no right-click menu to check who the page is.

Alternatively, you can download special software to access their website. "Currently, the cahoot webcard download software is not compatible with computers running Unix or MacOS." Uh-huh. Not compatible with MacOS? I think you misspelled "REQUIRES WINDOWS XP WITH IE6"

Oh, if you want a good laugh, email customer services. They have an email disclaimer like this:
"Internet communications are not necessarily secure and may be intercepted or changed after they are sent. cahoot does not accept liability for any such changes. If you wish to confirm the origin or content of this communication, please contact the sender using an alternative means of communication."

Phishing alert anyone? Even the bank itself acknowledges that their internet-security is non-existent, yet they still use it!!! I think it was the cheek of demanding that their users take responsibility for their lack of security which astounded me.

Re:ways to prevent online fraud? (1)

fbjon (692006) | more than 9 years ago | (#10747923)

What the hell? My Real-World bank gives me encrypted communications, works perfectly in any browser, although they recommend the latest version that supports SSL (obviously). Hell, they even say that if you're behind a slow connection, Opera would be the best alternative. The pages use Javascript, but don't require it. AND, I have a long list of one-time login passwords, complemented by a bunch of reusable confirmation passwords (that I could memorize if I really wanted, but they change with every list of login passwords). And the login ID is not connected to my name, my account numbers, or anything related to me, it is random, as far as I'm concerned. The server OS is BSD. So there. The only question mark is the server itself, Netcraft says it's running TANTAU Application Server/2.1.1 [netcraft.com] . Googling for it doesn't return much, seems like a custom job... does anyone know what it is?

Re:ways to prevent online fraud? (0)

Anonymous Coward | more than 9 years ago | (#10748654)

Pretty impressive -- almost 4 years uptime, running the whole place on a single BSD server?

Just looked at www.natwest.com for comparison, and it's Windows 2000 with an average uptime of 5 days.

How to annoy phishers (4, Interesting)

DrXym (126579) | more than 9 years ago | (#10746462)

Drown them in noise. Every time you get one of these emails, visit the site and enter bogus information. That's what I do. It might not be enough to get the scumbags caught but it must certainly be an annoyance to them. And who knows, a few bogus logins might be enough to get alarm bells ringing at the bank.

I reckon banks could do something similar too. Create some honeypot accounts, and track how the criminals attempt to access it. I'm sure they could play a few tricks with a seemingly big fat balance that could make the criminals reveal their hand.
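One way a bank's fraud team could act on the honeypot-account idea above, as an added example that is not part of the original thread: decoy account numbers are never issued to customers, so any login attempt against one marks its source as holding phished data, and every real account touched from that source is pulled out for review. The log format, account numbers and addresses below are constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed decoy account numbers: never issued to a customer, so the only
# way anyone can know them is from data submitted to a phishing form.
DECOY_ACCOUNTS = {"90017734", "90025518"}

# Assumed log line layout: timestamp, source address, account, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) acct=(?P<acct>\d+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample of an online-banking login log.
SAMPLE_LOG = """\
2004-11-07T09:58:40Z 192.0.2.10 acct=40011223 result=OK
2004-11-07T10:02:11Z 198.51.100.23 acct=90017734 result=FAIL
2004-11-07T10:02:49Z 198.51.100.23 acct=40077810 result=OK
2004-11-07T10:03:05Z 198.51.100.23 acct=40052296 result=FAIL
2004-11-07T10:05:30Z 203.0.113.77 acct=40090001 result=OK
2004-11-07T10:09:12Z 203.0.113.77 acct=90025518 result=FAIL
garbled line that the parser must skip
2004-11-07T10:11:00Z 192.0.2.10 acct=40011223 result=OK
"""


def parse(log_text):
    """Return (events, skipped): parsed lines and the count of unparseable ones."""
    events, skipped = [], 0
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
        else:
            skipped += 1
    return events, skipped


def analyse(log_text, decoys=DECOY_ACCOUNTS):
    """Group real-account activity by every source that touched a decoy."""
    events, skipped = parse(log_text)

    # Pass 1: a source that tries a decoy account is working from phished data.
    tainted = {e["src"] for e in events if e["acct"] in decoys}

    # Pass 2: collect everything those sources did, including logins that
    # happened before the decoy hit gave them away.
    report = defaultdict(
        lambda: {"decoys": set(), "logged_in": set(), "attempted": set()}
    )
    for e in events:
        if e["src"] not in tainted:
            continue
        entry = report[e["src"]]
        if e["acct"] in decoys:
            entry["decoys"].add(e["acct"])
        elif e["result"] == "OK":
            entry["logged_in"].add(e["acct"])   # real account, needs a freeze/review
        else:
            entry["attempted"].add(e["acct"])   # credentials likely phished but stale
    return dict(report), skipped


if __name__ == "__main__":
    findings, bad_lines = analyse(SAMPLE_LOG)
    for src, entry in sorted(findings.items()):
        print(src, entry)
    print("unparseable lines:", bad_lines)
```

The second pass matters for the `203.0.113.77` case in the sample, where the successful login to a real account comes four minutes before the decoy attempt that identifies the source.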

Re:How to annoy phishers (2, Interesting)

LiquidCoooled (634315) | more than 9 years ago | (#10746509)

Username "PHISHINGSCAM"
Password "QUICKGETEM"
Name "CALL SECURITY"
DOB "01/01/1337"

This would be cool to try.
But tbh, I reckon they would just take the list and try those that look legit.

What we could do is simply forward any phishing scam mails to a central phishing clearing house.
The banks could fund a small team to handle collective online fraud.

Re:How to annoy phishers (3, Informative)

LiquidCoooled (634315) | more than 9 years ago | (#10746519)

Just below this comment a poster has given a link to a phishing central source :)

Looks like it's already in action :)

http://www.antiphishing.org/ [antiphishing.org]

Re:How to annoy phishers (2, Interesting)

DrXym (126579) | more than 9 years ago | (#10746545)

In other words, make them look legit. Enter a well formed but bogus account / credit number, valid sort codes, expiry dates, names, PINs, memorable dates etc. If you have an account with the target bank you could even ensure you enter an account number of the correct length and has the first four digits as your own.

The only way they have to separate the wheat from the chaff is to actually try them. If they're really stupid, they (or their underlings) may actually get caught when they attempt to withdraw cash or buy something. Now that would be funny.

Re:How to annoy phishers (2, Insightful)

sonicattack (554038) | more than 9 years ago | (#10746711)

Enter a well formed but bogus account / credit number,

Today I got one of these fraudulent "the bank needs your information" E-mails. So, I thought, let's give them some noise to fill their log.

But the credit card number I made up was detected as non-existent - or at least the fake website said so.

Now, is there any way to:

1) Generate fake credit card numbers that pass as "valid"
2) Do this, and be certain that no-one actually owns that particular number, and if so, still not get into trouble?

Re:How to annoy phishers (0)

Anonymous Coward | more than 9 years ago | (#10746973)

How much analysis do they do on the number? It's possible that they just set it to get rid of numbers that were anything other than 16 digits long.

Re:How to annoy phishers (3, Informative)

throughthewire (675776) | more than 9 years ago | (#10747248)

But the credit card number I made up was detected as non-existent - or at least the fake website said so. Now, is there any way to:

1) Generate fake credit card numbers that pass as "valid"

They're probably doing something trivial with Luhn numbers. [webopedia.com] Trivial to implement, trivial to spoof. Generating apparently valid but fraudulent card numbers is known as carding. [creditcardco.co.uk]

2) Do this, and be certain that no-one actually owns that particular number, and if so, still not get into trouble?

Trouble with whom? The scammers? If you aren't using the number to commit fraud, I wouldn't worry. We want to get the phishers in trouble!

Re:How to annoy phishers (0)

Anonymous Coward | more than 9 years ago | (#10747337)


is there any way to:
1) Generate fake credit card numbers that pass as "valid"


The number is easy, but a matching name is virtually impossible.

Re:How to annoy phishers (2, Interesting)

Sepodati (746220) | more than 9 years ago | (#10746592)

Drown them in noise. Everytime you get one of these emails, visit the site and enter bogus information.
I've always wanted to find a way to automate that. Have a site where you could submit a phishing site, have it analyzed and then feed it a bunch of noise.

If it's all done from the same computer, smart people could weed out the noise by IP address, so you'd have to account for that somehow, too.

Once you make enough noise in the system, scams like this do not remain economical, I would think.

---John Holmes...

Re:How to annoy phishers (1)

Threni (635302) | more than 9 years ago | (#10747026)

> It might not be enough to get the scumbags caught but it must certainly be an
> annoyance to them

People say that about spammers. I'm sure they're annoyed with the millions they make from their activities.

The best way to avoid getting hit by phishers is to delete any emails that claim to come from your bank, paypal etc without reading them. And if they insist that they contact you via email rather than post, or via messages readable once you've logged on then I suggest you close your account with them and look elsewhere.

check out antiphishing.org (5, Informative)

enbody (472304) | more than 9 years ago | (#10746468)

Check out antiphishing.org [antiphishing.org]

Also check out aa419.org (1)

GQuon (643387) | more than 9 years ago | (#10746617)

Artists against 419 [aa419.org] is also interesting. They are working against the phishing schemes of 419 scammers.
If you've got bandwidth to spare, be sure to check out The Lad Vampire [aa419.org]

Please modify the news post and add one of those links. They could use the help of a lot of slashdotters, I think.

The worst ones are... (4, Insightful)

ScooterBill (599835) | more than 9 years ago | (#10746470)

The EBay request to verify account information. I've received this several times. Perhaps the financial institutions don't do much because a small country in Africa isn't going to let U.S. law enforcement take care of the problem. Too much corruption is usually the case.

The maxim I always use is: The company that holds your account never needs to ask you for your password since they already have it.

Something many probably don't know is that your local police dept. probably has a high tech crimes unit. They will investigate and prosecute illegal activities like snooping around your company network. They can be very helpful.

Re:The worst ones are... (1)

sonicattack (554038) | more than 9 years ago | (#10746764)

The maxim I always use is: The company that holds your account never needs to ask you for your password since they already have it.

Eh, unless they want to verify that you know the right password, which is what these kinds of scams are giving the impression of - a complete login page.

Re:The worst ones are... (3, Informative)

jdkane (588293) | more than 9 years ago | (#10747000)

The maxim I always use is: The company that holds your account never needs to ask you for your password since they already have it.

I would add: Often the employees of the company don't have access to the password because it is encrypted on their end. But the institution can change or reset your password without knowing the old password. This is usually preceded by a manual check performed by customer service over the phone to ensure you are really you. They might also ask you to come into the bank and provide ID.

Enough Already. (4, Insightful)

xanadu-xtroot.com (450073) | more than 9 years ago | (#10746471)

Enough already with this "a blog entry says" stuff. Can we please get some ACTUAL news on this site and not just someone's rantings on a BB? Is that too much to ask?

Re:Enough Already. (1)

bob beta (778094) | more than 9 years ago | (#10748598)

'ACTUAL' news, also known as Mainstream News, or MSM, is dying.

Hadn't you heard? Everybody else has. They cashed in so many chips in the recent election that people like Dan Rather may soon need training on the Fry Machine.

Receiving too (3, Interesting)

gmuslera (3436) | more than 9 years ago | (#10746477)

In a mailing list I administer, and at my own personal address (time to test the new "report phishing" Gmail feature), I received today what could be the same message, but the IP it pointed to resolved as ipvpn101156.netvigator.com (doesn't look to be in Zimbabwe) port 38, which looked like a Windows 2000/XP machine with too many open ports.

Probably that message is sent from hacked/owned/not patched Windows machines that send the entered info to the real criminal. I suppose that to really know who he is, those "infected" machines should be hacked back, or the provider of that internet connection should contact/give the address of the owner and check the programs there.

Is it that simple? (4, Interesting)

Sarin (112173) | more than 9 years ago | (#10746480)

I still don't understand, do these banks just give their customers a login/password for their account?

The bank I use gave me a little authentication device which combined with my bank card, my personal code and a random code provided by the bank site can generate digital signatures. In order to login and in order to make all transactions final I must provide the right code.
I've been using this system for about 10 years now. If those exploitable banks still use a normal password protection, it's their fault they're exploited this way and there's no way customers should be responsible for it.

Re:Is it that simple? (1)

Tim C (15259) | more than 9 years ago | (#10746559)

My bank issues two codes, a registration code and an id code. These are used together with your card number when logging in, and you're encouraged to change them on first log in.

So, essentially I have two passwords, but they're both required to log in. I've not heard of any UK bank that issues anything like the authentication device you describe.

Re:Is it that simple? (0)

Anonymous Coward | more than 9 years ago | (#10747342)

How is this any better? The phisher has you enter two passwords then. The OP's bank has a better method. Two-factor authentication. In your case the second password is static whereas the other guy's changes. You're just as insecure as us with one password.

Re:Is it that simple? (0)

Anonymous Coward | more than 9 years ago | (#10746560)

You'll have to remember that when it comes to banking, the USA is lightyears behind.
After all, they're still doing everything over checks.. ugh.

I Have Not Seen My Bank's Name in Phishing Scams (2, Informative)

mrs clear plastic (229108) | more than 9 years ago | (#10746520)

I have used the same bank for over 15 years for my personal checking account.

I have not gotten one email from that bank (either legitimate email or a phishing scam with that bank's name or fake URL).

That bank does have my email address.

I have gotten phishing scams that have eBay in them (I do have an eBay account). I have also gotten phishing scams with the names of other banks in my area.

I think they go by geographical data for banks. For eBay, it's no problem. They can scan eBay's pages and get sellers' eBay account names with no problem.

Damn (4, Funny)

Glonoinha (587375) | more than 9 years ago | (#10746526)

I misread the subject line on this article, thought it read Fisting for Phishers.
Now that is a punishment that would work pretty good, once word got out!

The problem is much larger than just banks. (5, Interesting)

daperdan (446613) | more than 9 years ago | (#10746527)

I work for a company that attempts to protect its customers from this kind of fraud. We monitor domain registrations to locate potential phishing scams. It's interesting to see that it's not only banks that are hit with this kind of scam. These guys will set up an entire shopping cart taking credit cards that mimics an online store like Dell. It's a pretty interesting scam that only seems to be gaining popularity.

It's not a major concern in the 3rd world so these guys have no reason to stop. We've seen scams like this based out of Russia, Brazil, China, and several African countries. It will be interesting to see how this all pans out.

Why is it so hard to catch these criminals? (4, Interesting)

Anonymous Coward | more than 9 years ago | (#10746533)

In order for them to get their ill-gotten gains, they have to eventually withdraw some money from somewhere. It seems it would be trivial for INTERPOL or some other agency to set up a bunch of bank accounts with a few thousand dollars/euros in them and then start responding to all the phishers. Then just follow the money to the crooks. What's the big deal? Is there just no will to do this or am I missing something?

Cheers,

Re:Why is it so hard to catch these criminals? (1)

Tony-A (29931) | more than 9 years ago | (#10747591)

Is there just no will to do this or am I missing something?

I doubt it's that easy or simple, but.
The authorities tend to be good at gathering and accumulating statistics.
The banks should also be concerned that somebody is using their identity fraudulently.
Savvy users forward the email with headers to addresses such as abuse@citibank.com (which bounces, so there probably is no will to actually do anything about it).

Seems that if the authorities are to be able to do anything about it, they need lots of in-depth information so that the activities of the phishers are exposed as the activities are engaged in.

Gmail vs. Phishers (4, Interesting)

igrp (732252) | more than 9 years ago | (#10746558)

It's definitely becoming more of a "mainstream problem". After all, the whole identity theft problem is perfect Dateline/60 Minutes material.

Has anyone else noticed that the folks at Gmail have added a "report phishing" feature? When you view a message, click "More Options" and you'll see it.

Then again, maybe it's been there for some time and I just haven't noticed (it definitely wasn't there when I first got my Gmail account though and it doesn't appear to be listed as a new feature).

Slashdot this (4, Interesting)

GQuon (643387) | more than 9 years ago | (#10746568)

On a related note:
The lad vampire [aa419.org] needs your help

Banks are lazy (0)

Anonymous Coward | more than 9 years ago | (#10746574)

They could use the techniques suggested here but that's too much like real work. Or they could just stick it to their customers and make them prove it was fraud and even then just screw the customers over. As long as the banks aren't out any money, they have no incentive to do anything.

Here is a good rule of thumb: ignore them 100% (1)

gelfling (6534) | more than 9 years ago | (#10746586)

Honestly how stupid are you people to fall for any of this. Absolutely do not respond to any request from anyone to provide any information for any reason whatsoever. Not even from someone who purports to be from the government. If anyone needs to get in touch with me that badly they can send a letter registered mail or have their attorney contact me.

Re:Here is a good rule of thumb: ignore them 100% (1)

npross (564046) | more than 9 years ago | (#10746780)

Great advice if you are computer literate. You fail to realize that a very large percentage of computer users 1. Do not read Slashdot and 2. Have no idea that they shouldn't trust the official looking emails they get. (If you received a physical mail on bank letterhead that said please visit your branch to confirm some details with your account, you'd probably trust it.)

How exactly are these newbie users supposed to get the information that the web is different than real life? Watch the RvB PSA (yeah, my 60yr old relative is somehow going to see that)? Read the fine print on the bank's website? These people religiously follow the exact steps they were shown, they are fearful of technology and are afraid to leave the "safe" path they have been shown.

Banks are rushing so quickly to push their users out of the banks and onto the internet without warning them of the dangers. They should shoulder some of the blame and fix the problem.

Re:Here is a good rule of thumb: ignore them 100% (3, Insightful)

gelfling (6534) | more than 9 years ago | (#10747155)

Nonsense. Before there were computers there were credit card companies and banks. If they called you up asking you to verify information they're supposed to have you'd be an idiot to give them that info.

There is little new under the sun. Just because we give it an incredibly lame 1337 name; "PHishing" doesn't mean it's not a hundred year old con game.

Re:Here is a good rule of thumb: ANNOY them 100% (1)

Concerned Onlooker (473481) | more than 9 years ago | (#10747579)

I only ignore them if I don't have enough time to fill out one of their forms with some incredibly bogus and insulting information.

How do you drain an account without a trace? (2, Insightful)

npross (564046) | more than 9 years ago | (#10746669)

What monetary transaction can you make on an account that leaves no trace?

In every case getting cash out of my account involves paying a bill (to an authorized agent like VISA), or emailing money or transferring money to a 3rd party acct. All of these leave a trail that banks can recognize and plug.

I once changed my buying habits with my VISA card and had to confirm my identity before the transaction could be authorized. Since fraudulent VISA transactions cost VISA, it appears that when it affects the bottom line, banks can and do put checks in to stop fraud, but there is no incentive for banks to stop fraudulent behaviour on behalf of their customers. (Of course we are no longer the banks' customers, shareholders are the real customers.)

Pressure needs to be applied to the banking industry to minimize the average person's exposure to fraud! It is easy to do, for example I should be able to lock transactions from my online banking account to a specific set of recipients and require a face-to-face visit with a banking representative to change this... Would-be fraudsters that obtained access to my account might be able to overpay my utility bill but that would be about it.

Idiots looking to make a quick buck, that's who. (1)

wantedman (577548) | more than 9 years ago | (#10747102)

It's amazing what people will do for you for some cash.

My friend's PayPal account was ripped off. A 3rd party bought a camera and shipped it to Russia, because the auction's shipping was only available in the US and the Russian wanted the deal. The Russian supplied my friend's PayPal and a $20.

The camera is safe in Russia while the idiot who bought it had a chat with the police.

countermeasures? (2, Insightful)

doginthewoods (668559) | more than 9 years ago | (#10746670)

Just like spam, can we @ /. take any countermeasures? I'm not up on this stuff, so if I make a few silly suggestions, please give me a break.
Pick a phisher/spammer and:
/. them
Send a reply with the name of a pop tune or movie in the title.
Send a reply with a big attachment
Send a reply with a virus attached
If it's possible, think of all of us on one day, sending an email with "White Houses" in the title, and a 4 Mb attachment to a spammer/phisher. A toasted server, maybe?

Re:countermeasures? (1)

YouHaveSnail (202852) | more than 9 years ago | (#10747264)

Pick a phisher /spammer and: /. them

So you're advocating a distributed denial of service attack on somebody's server?

An actual phisher would undeniably deserve such a treatment and much more, but that doesn't make it okay. But what if you make a (gasp!) mistake? You could be asking thousands of Slashdotters to participate in a DDoS attack against someone who might be completely innocent, or whose only 'crime' is that their own server was compromised and used by the real phisher.

What you're talking about is vigilante justice. It's illegal, and reasonable people don't engage in it.

If you want to do something about phishing, make a stink about it with your elected officials, government agencies, your ISP, your bank, etc. If you don't have time to do all that, just do some. The issue won't gain traction until enough people start talking about it.

Re:countermeasures? (0)

Anonymous Coward | more than 9 years ago | (#10748772)

Get a fucking life and stop accusing the man on the street of a crime when all he is interested in is safely stopping a crime in progress.

This isn't vigilante justice. A web site that is up, running, and is a financial danger to grandmas everywhere MUST be taken down. A web site that is up, running, and compromised MUST be taken down.

People lose thousands of dollars by such sites - and most of those people don't have thousands of dollars to piss away. And you think it is acceptable to let them operate?

Contacting elected officials won't help. Contacting your ISP won't help. And good god, contacting your bank won't help.

If action against these guys isn't IMMEDIATE, regular people will lose. Maybe only 5 or 10 people will lose - but that could very easily be 5 or 10 life savings.

Get a life and post only when you have something useful to say.

fp d07l (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10746699)

Could sink your ThE CHANNEL TO SIGN OF THE WARRING

I am a victim! (1)

ljavelin (41345) | more than 9 years ago | (#10747115)

I am the recent victim of a scam.

OK, not a victim. Let me restate: I am the recent victimizer of a scammer looking for a victim.

And I have a new $3000 to prove it. Sent to me directly from an "honest businessman" from Nigeria. Really. It was FedEx'd from Nigeria. From a guy named Walter Nabanu.

OK, I don't have a new $3000. But I have a check that says it is worth $3000. But I'm not going to cash it.

How much does it cost to Fedex an envelope from Nigeria to the US?

At least FedEx made out on this deal.

Re:I am a victim! (1)

YouHaveSnail (202852) | more than 9 years ago | (#10747290)

All my posts have the "sarcasm" volume turned up to high. Read as "this is a joke".

OK, not a joke. Let me restate: despite significant evidence to the contrary, I continue to think that I am clever.

What worries me (1)

Al Al Cool J (234559) | more than 9 years ago | (#10747275)

Is the day that some phisher gets control of an ISP's name server, either by hacking it or by being in cahoots with the ISP. They could then redirect somebank.com to their own server, and just sit back and let all the unwitting victims come to them. Throw up a "service not available, try again later", message after login, and the victim would leave, totally unaware.

What would be the best way to protect yourself against this? Is it possible to set up caching DNS to pool from multiple independent sources and either alert on conflict or resolve by majority rule?

Re:What worries me (1)

ettlz (639203) | more than 9 years ago | (#10747336)

Genuine banks' web-sites should have digital certificates signed by known authorities (Verisign, etc.). If I know my authentication schemes correctly, this signature is nigh-on impossible to forge (one of those "mathematically hard" tasks). Thus, even though the name resolves to a bogus server, the certificates don't add up. To make a convincing effort, a phisher would need access to private data from within the on-line bank's systems (i.e., run an inside job).

Although I might be wrong on this...
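The majority-rule cross-check that Al Al Cool J's question describes, as an added Python example that is not part of either comment. The resolver labels and all addresses are constructed; `query_resolver` assumes the third-party dnspython package, and the vote assumes the name does not use geo-dependent DNS. It complements, and does not replace, the certificate check in the reply above.

```python
from collections import Counter


def query_resolver(name, server_ip, timeout=3.0):
    """Ask one specific resolver for A records (needs dnspython).

    Returns a set of address strings, or None if the lookup fails.
    """
    import dns.exception
    import dns.resolver

    r = dns.resolver.Resolver(configure=False)  # ignore the system resolver
    r.nameservers = [server_ip]
    r.lifetime = timeout
    try:
        return {rr.address for rr in r.resolve(name, "A")}
    except dns.exception.DNSException:
        return None


def cross_check(answers):
    """Compare answers from independent resolvers.

    answers: {resolver_label: set_of_ips, or None for a failed lookup}
    Returns (verdict, accepted_ips, outlier_resolvers).
    """
    responded = {k: v for k, v in answers.items() if v}
    if len(responded) < 3:
        # Two sources can disagree but cannot outvote each other.
        return ("insufficient", set(), [])

    # One vote per resolver for every address it returned.
    votes = Counter(ip for ips in responded.values() for ip in ips)
    needed = len(responded) // 2 + 1  # strict majority
    accepted = {ip for ip, n in votes.items() if n >= needed}
    if not accepted:
        return ("no-majority", set(), sorted(responded))

    # Round-robin answers that overlap the majority set are fine; a
    # resolver with no overlap at all is the one to alert on.
    outliers = sorted(k for k, ips in responded.items()
                      if not (ips & accepted))
    return ("conflict" if outliers else "consistent", accepted, outliers)


# Constructed answers for a hypothetical bank host name.
CONSISTENT = {
    "isp": {"192.0.2.10", "192.0.2.11"},
    "public-a": {"192.0.2.10"},
    "public-b": {"192.0.2.10", "192.0.2.11"},
    "office": None,  # lookup timed out
}
POISONED = {
    "isp": {"203.0.113.66"},  # the ISP resolver disagrees with everyone
    "public-a": {"192.0.2.10"},
    "public-b": {"192.0.2.10"},
    "office": {"192.0.2.10", "192.0.2.11"},
}

if __name__ == "__main__":
    print(cross_check(CONSISTENT))
    print(cross_check(POISONED))
```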

This FP for GNAA (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10747328)

Anti-phishing solution (2, Informative)

overThruster (58843) | more than 9 years ago | (#10747501)

This is not true:
>a Gartner analysis is quoted as saying "What's
>really scary about it [phishing] is right now there
> are no back-end fraud detection solutions for it."

Corillian Corporation provides an effective back end solution that is capable of detecting phishing sites as they are being built:
Corillian Fraud Detection System [corillian.com]

Why do I never get Phished? (1)

peccary (161168) | more than 9 years ago | (#10747692)

I have about a hundred email aliases that I use on a regular basis (for spam control - so I can see if any of my vendors divulge my address).

I have made numerous postings to Usenet and public email lists with some of those addresses.

I have a few email addresses in mailto: links on web pages.

I have about five times as many credit cards and bank accounts as the average person.

Some of my email aliases are six years old -- I don't think that any of my email addresses from > six years ago still forward to me.

I never get any of these phishing emails. I can't remember the last time I received an email virus/trojan/worm. I get a fair bit of spam, but it's manageable.

Am I living in a different universe from the technology journalists?

Some remarks... (1)

tradervik (462791) | more than 9 years ago | (#10747716)

I have a fair degree of familiarity with this issue and have some comments on the blog entry.

Limit access to customer records.


There's almost zero chance the phishers knew the author had an account at his bank. They use spamming techniques and count on getting lucky.

Financial Institutions could automate the process of identifying where their logos and site images are used as a standard practice of trademark enforcement.


Some financial institutions already do this but it is very expensive. Despite the dire headlines, current levels of fraud are not high enough to justify the cost in many (or most) cases. This is also why financial institutions in North America do not use two-factor authentication such as token cards. I've seen some clever ideas for cheap two-factor auth. that might work out.

FIs, and other organizations, should pressure ISPs (AOL and Comcast especially) that deliver email on their networks to mark these emails as fraudulent.


I think it would be more effective if consumers put pressure on browser and email client software suppliers to fix the security holes in their applications.

highly sophisticated phishing sites would require that the phisher have a banking account


I find it very doubtful that phishers would ever have an account at the institution whose clients they are attempting to defraud. First, there is no need to get access to authenticated pages to create a "highly sophisticated phishing site". Second, the act of opening an account requires providing proof of identity and would create evidence that could lead to finding the real identity of the phisher.

Banks should actually follow-up on reported phishing attacks.


This is bang on. Not following up on the author's email is a pretty big mistake.

Sometimes, when the public tried to assist... (1)

deunan_k (637851) | more than 9 years ago | (#10747973)

Based on this experience, I now honestly believe that 5-15% of all recipients of this email could easily have fallen prey to the scam. I documented all the information collected and emailed the scam hotline of my bank.

Yeah, it happened to me many times.. The first time (way back in 2003), I too documented everything, even went so far to do a reverse IP, full e-mail headers, checking the geographical location of the IP address (turns out to be Korea, land of mass broadband penetration) and even incl. a snapshot of the display output. What do I get in return?

The bank e-mailed me back advising not to click nor believe the mail that I got originally. Hello?? I've done half of the work for you trying to assist in catching these bast**ds, and I know that it's a clear blatant fraud case.. What do you take me for? Sometimes I don't believe the kind of idiots they employ.. Can't they understand English? And these guys are supposed to be the country's largest commercial bank!!

From that moment on, I'm not gonna do their work for them, I find it easier to press the delete key/include in my shit list/configure my spamfilter.. Well, at least not for these idiots anyway..

Peace of mind

PS - I noticed that since most of the scams (at least on my side) originate from Korea, I wonder whether it is the work of North Korean agents trying to scam money in order to generate cash in order to funnel it back to ol' Kim?? Nah... I've been watching too many kung-fu movies..

clamav (0)

Anonymous Coward | more than 9 years ago | (#10748052)

clamav will find and bust a lot of the phishing e-mail as viruses. - works great.

draz

I'm so disappointed (1)

gone.fishing (213219) | more than 9 years ago | (#10748278)

Every time I get a phishing scam, I contact the affected bank's security department providing them all of the information that I've developed. In many cases this is made extra difficult because the only method they provide of contacting is a web-form. With these, I have to cut and paste the header info and so on. It really sucks.

Usually, no matter what the method of contact, all I get is an email reply with boilerplate info telling me how to protect myself against these scams. This is utterly stupid, I've already taken action that shows them I am aware of what is happening!

After a week or two I always follow up. On the few occasions where I receive a human reply from this follow up, I am told they can't provide me with information on an on-going investigation. I know BS when I see it and these replies are BS.

I'm trying to do the banks a favor yet apparently they view this as more hassle than help. Apparently they don't do anything unless someone actually loses something (and maybe not even then, I wouldn't know - I've never fallen victim).

I'd suggest that the banks rotate their images in a public folder changing the real image with ones that say You are visiting a scam site if you are seeing this image. That would slow the phishers down or make them do some real work at least.
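The image suggestion above has a detection side the bank can run on its own web logs: a phishing page that hotlinks the real logo sends its own URL as the Referer. The following is an added Python example, not code from the comment or the blog entry; the host names, the `/images/` asset path and the log lines are constructed, and the Apache/nginx "combined" log format is assumed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: the only hosts that legitimately embed the bank's images.
OWN_HOSTS = {"www.bank.example", "online.bank.example"}
# Assumption: logos and other brand assets are served from this prefix.
ASSET_PREFIXES = ("/images/",)

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample input (documentation-range addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Nov/2004:10:01:12 +0000] "GET /images/logo.gif HTTP/1.1" 200 2310 "https://www.bank.example/login" "Mozilla/4.0"
198.51.100.23 - - [06/Nov/2004:10:02:40 +0000] "GET /images/logo.gif HTTP/1.1" 200 2310 "http://192.0.2.55:38/secure/login.html" "Mozilla/4.0"
198.51.100.24 - - [06/Nov/2004:10:02:41 +0000] "GET /images/padlock.gif HTTP/1.1" 200 512 "http://192.0.2.55:38/secure/login.html" "Mozilla/4.0"
198.51.100.99 - - [06/Nov/2004:10:05:03 +0000] "GET /images/logo.gif HTTP/1.1" 200 2310 "-" "Mozilla/4.0"
203.0.113.9 - - [06/Nov/2004:10:06:30 +0000] "GET /rates.html HTTP/1.1" 200 8120 "http://search.example/?q=bank" "Mozilla/4.0"
198.51.100.31 - - [06/Nov/2004:10:07:10 +0000] "GET /images/logo.gif HTTP/1.1" 200 2310 "http://WWW.BANK.EXAMPLE.lookalike.example/signin" "Mozilla/4.0"
"""


def referer_host(referer):
    """Lower-cased host of a Referer value, or None if absent/unparseable."""
    if not referer or referer == "-":
        return None
    try:
        return urlsplit(referer).hostname  # already lower-cased
    except ValueError:
        return None


def find_foreign_embeds(log_text, own_hosts=OWN_HOSTS):
    """Group brand-asset requests by the foreign page that embedded them.

    Returns {referer_url: {"assets", "visitors", "first_seen"}}. The
    visitor addresses are people who loaded the foreign page, i.e. the
    customers whose accounts deserve a closer look.
    """
    hits = defaultdict(
        lambda: {"assets": set(), "visitors": set(), "first_seen": None})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(ASSET_PREFIXES):
            continue
        host = referer_host(m["referer"])
        # Exact host match only: a suffix or substring test would let
        # "www.bank.example.lookalike.example" pass as the bank.
        if host is None or host in own_hosts:
            continue
        entry = hits[m["referer"]]
        entry["assets"].add(m["path"])
        entry["visitors"].add(m["ip"])
        if entry["first_seen"] is None:
            entry["first_seen"] = m["ts"]
    return dict(hits)


if __name__ == "__main__":
    for url, info in find_foreign_embeds(SAMPLE_LOG).items():
        print(url, sorted(info["assets"]), len(info["visitors"]),
              info["first_seen"])
```

Requests with no Referer, and phishing pages that carry their own copies of the images, never show up here, so an empty result is not evidence that no site exists.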

I get a few phishing spams a day (1)

francisew (611090) | more than 9 years ago | (#10748431)

I'd say that I see at least 3 financial institution phishing scams each week. I have never had a single scam in the name of my bank. Overall, I think I have seen phishing for information for about 10-15 banks. Seems likely to me that the blogger simply got unlucky with having his own bank targeted (or maybe the phisher just got lucky).