Anti-Phishing Tools

mikeage writes "PCWorld has an article about an anti-phishing tool available that tries to detect fake websites." This is about Web Caller-ID already in use by eBay's custom user toolbar. The article also talks a bit about the incredible increase in phishing scams.

  • phishers of men (Score:3, Interesting)

    by celeritas_2 ( 750289 ) <ranmyaku@gmail.com> on Tuesday August 17, 2004 @11:40AM (#9991750)
    I've tried to actually reply to some of the money-caught-in-foreign-bank phish attempts and the only thing I get back is more and more phishing. I've failed to reach the point where they ask for your SSN, credit card or my first born child. Either they're stupid and don't want my information, or they're smart and realize I know what they're up to.
  • by Anonymous Coward on Tuesday August 17, 2004 @11:45AM (#9991816)

    is to install a spyware toolbar?

    I have enough trouble persuading users NOT to install crappy toolbars and plugins as it is without people recommending that they do.
    MS ActiveX and, to a lesser extent, Mozilla's XPInstall xpi features coupled with uninformed users are the main reason spyware/malware exists and is so easy to exploit. Can you explain the difference to a (l)user between a good plugin/toolbar and a bad one?

    security should be built into the browser

  • by gtrubetskoy ( 734033 ) * on Tuesday August 17, 2004 @11:46AM (#9991834)
    Phishers need a place to host their fake sites, and hosting companies like ours are prime targets for phishers to set up their "collection points", and we see a lot of those.

    My theory is that unlike the script-kiddies of the old days, 99% of all phishing is the work of organized crime. I believe that they recruit users at ISPs in places where internet (or any, for that matter) law is not enforced (like Kosovo), they provide people simple step-by-step instructions on what to do, give them lists of fake card numbers and pay them based on the number of accounts hacked (e.g. $1 for every 50 good passwords). The actual cleaning out of the accounts probably happens elsewhere and at a much higher level because you need a much more elaborate system for it (off-shore bank accounts, etc). At least if I was doing it, this is how I would set it up. The users appear to be not very smart - we often see weird typos, names spelled in all caps and other dead giveaways - why would ANNE FISHER from Ohio sign up for a year of virtual hosting and register a domain XABCDFERNG.COM for 10 years?

    We see that they are getting more elaborate in their attempts to sign up for an account. They try to use proxies or zombies now (because most sane companies will flat out refuse any attempts to sign up from Indonesia, Romania, etc.).

    A funny side note - we got a copy of a credit card statement from one of the unfortunate cardmembers whose card's been stolen as part of the "chargeback" report, and among various hosting accounts they signed up for, there was a $20 contribution to moveon.org - go figure!

    Right now the best way to fight off phishers is to attempt to speak to the customer in person; it has worked 100% for us so far. But since this phishing thing is probably big money for some mafia boss, I think the motivation is there for them to get more technologically advanced, and I wouldn't be surprised if we start seeing fake VoIP phone numbers provided where the criminals would answer the phone in English and pretend to be cardmembers.

    Another very unfortunate side-effect of this is that it's the merchants who eat the cost of it. For every instance of fraud, we get the funds withheld and transferred back to the cardmember (don't be fooled by those reports of "poor" cc companies bearing the cost of fraud!) AND we get slapped with a $25-$50 penalty by the CC processing company AND our rates go up. So it's almost in their interest that cards get stolen, it simply means more revenue for them. Now our services are "virtual", but for those who actually ship something physical (like a shirt), they get to eat the cost of that as well.

  • Backwards (Score:2, Interesting)

    by RU_Areo ( 804621 ) on Tuesday August 17, 2004 @11:46AM (#9991839)
    You can't put somebody in a car and tell them to drive, but not tell them what the brake and gas pedal are for

    I think this statement is completely backwards. You can give someone the tools, i.e. tell them what the gas and brake are for, but under no circumstances can you make them use them (properly) or understand the full consequences of not using them. This is especially true for users who are not technically inclined.
  • by TheOtherAgentM ( 700696 ) on Tuesday August 17, 2004 @11:50AM (#9991891)
    The problem arises with this when a website has multiple domains to cover their content. That can confuse users. Multiple domains shouldn't be used just to serve media from another server, but I've seen it done. Also, what happens when you are drawing content from other domains? Will Spoofstick list all the domains?
  • by jdkane ( 588293 ) on Tuesday August 17, 2004 @11:53AM (#9991914)
    Someone should create a phishing-detection extension for Mozilla. Does anybody have any ideas about how that would work efficiently/effectively? Same as EBay technology?
  • Re:Huh (Score:3, Interesting)

    by Mysticalfruit ( 533341 ) on Tuesday August 17, 2004 @11:54AM (#9991917) Homepage Journal
    Actually there have been a large number of cases where an ISP's DNS server has been poisoned so users type in the legitimate www.somehugebank.com and it brings them to a proxy mirror image of the site where you gleefully log in and they scarf your information.
  • by The Ultimate Fartkno ( 756456 ) on Tuesday August 17, 2004 @11:58AM (#9991955)
    It's for mortgage spammers and not phishers, but I'm a fan of the Unsolicited Commando [astrobastards.net] project. It's a little Java app that spends its day filling out mortgage applications on spamvertised sites with completely believable - but totally bogus - personal data. The source is available so perhaps a clever person could randomly generate credit card numbers and adapt the program to attack phish sites.
  • Firefox/IE (Score:5, Interesting)

    by mrseigen ( 518390 ) on Tuesday August 17, 2004 @12:01PM (#9991989) Homepage Journal
    I've noticed that neither Firefox nor new versions of IE let you do the www.cnn.com@http://myattackersite.com phishing vulnerability; Firefox warns you (as long as myattackersite.com doesn't request authentication), IE just doesn't let you do it as far as I've seen (but this is hearsay; I haven't used IE in years).
  • by Wizzo1138 ( 769692 ) on Tuesday August 17, 2004 @12:01PM (#9991990)
    Sites like apple use other domains for their images. It looks like apple has recently changed a bit though. Instead of all images coming from akamai directly, they come from images.apple.com.

    But...

    ping images.apple.com
    PING a932.g.akamai.net (38.115.177.150) 56(84) bytes of data.
    64 bytes from 38.115.177.150: icmp_seq=1 ttl=57 time=30.6 ms

  • by Cheerio Boy ( 82178 ) on Tuesday August 17, 2004 @12:09PM (#9992084) Homepage Journal
    The Firefox plugin you're looking for is Spoofstick. [corestreet.com]

    A little simple but it tells you exactly what site you're on.

    They also have one for IE.
  • Re:Email Phishing (Score:5, Interesting)

    by aussersterne ( 212916 ) on Tuesday August 17, 2004 @12:18PM (#9992186) Homepage
    Citibank can't do anything about it anyway; they're not law enforcement, and even if they were, what exactly do you see law enforcement doing about SPAM or phish emails? Nada.

    I used to work at eBay and the phishing problem was terrible (though I didn't deal with it directly, that wasn't my department). When users would find out, they'd demand to know why eBay didn't do something about it. The people who worked on that floor would stand around in the smoking shed and bitch, "What do they want us to do, buy some guns and go to Romania and raid the guy's house wearing little eBay uniforms?"
  • by TomorrowPlusX ( 571956 ) on Tuesday August 17, 2004 @12:24PM (#9992245)
    I got an email from Earthlink that looks SO MUCH like a textbook Phishing scam ( your credit card number's going to expire... ) that I deleted it the first couple times it came my way.

    It kept on coming, however, and I decided to go to earthlink myself ( e.g., not clicking the link ) and see what the deal was.

    Turned out, it was legit. Amazing.

    The trouble here, really, is how do we handle legitimate email from banks, ISPs, etc?
  • by callipygian-showsyst ( 631222 ) on Tuesday August 17, 2004 @12:25PM (#9992256) Homepage
    What banks (and eBay) should do is NEVER, EVER send an email to customers. Period.

    And on their websites they should say on top: "REMEMBER: WE *NEVER* SEND YOU EMAIL ABOUT ANYTHING."

    If you want to know something, you just visit eBay or your bank account.

  • by swb ( 14022 ) on Tuesday August 17, 2004 @12:26PM (#9992266)
    I've always found the credit card companies and banks ability to shift the financial responsibility onto merchants and users for their insecure system to be one of the greatest ripoffs in history. Merchants in particular take it up the dirt road -- chargebacks, penalties AND rate increases! And zero incentive for the people who created and control the system to do anything about it.

    I hate to say "they should pass a law", but they SHOULD pass a law that pushes the cost of CC fraud back onto banks and the CC companies themselves. This would provide a much bigger incentive.

    What's even better is that once the new bankruptcy bill goes into force, not only will banks not have to bear the burden of fraud, they won't have to bear the burden of irresponsible lending, either.

  • Re:Email Phishing (Score:2, Interesting)

    by Andrewkov ( 140579 ) on Tuesday August 17, 2004 @12:27PM (#9992273)
    I reported one of these scams to Citibank through their website (I'm not even a customer, just a nice guy). They didn't even acknowledge my report, let alone fix it.
  • Re:Educate (Score:2, Interesting)

    by Mouse42 ( 765369 ) on Tuesday August 17, 2004 @12:29PM (#9992310)
    98%, eh? heh.

    One other problem companies have is changing their website's appearance. For example, CapitalOne recently changed their homepage and I was actually too nervous to log in for a few days.

    Also, a poor quality website can make people suspicious. A friend of mine asked me to inspect his cable company's website to see if it were real or not because it was so poorly designed. I told him since it was so poorly designed not to trust its security, either, and not bother doing the online bill pay.
  • Simple idea. (Score:4, Interesting)

    by JessLeah ( 625838 ) on Tuesday August 17, 2004 @12:35PM (#9992348)
    When you get an email, at the top, 'caller ID' shows up (e.g. "This email was sent from: SOMEWHERE IN CHINA", vs. "This email was sent from: CITIBANK'S servers")

    When you mouseover a link, a LARGE JavaScript thingy pops up saying "This link is to: SOMEWHERE IN NIGERIA" or "This link is to: CITIBANK'S site"
  • Re:Email Phishing (Score:2, Interesting)

    by Volmarias ( 705460 ) on Tuesday August 17, 2004 @12:37PM (#9992379) Homepage Journal

    You know? That would be absolutely delightful. Hell, I'm sure there would be legions of geeks willing to ensure that the information entered into their systems wasn't "Murder", but "Tickling with fluffy bunnies" instead.

    I've always wondered just what law enforcement would do if someone started to serially hunt spammers, and I keep coming to the conclusion that all you need to keep the trail cold is leave a note saying "This man sent your daughter emails about zoo porn"

  • Re:Email Phishing (Score:2, Interesting)

    by Anonymous Coward on Tuesday August 17, 2004 @12:45PM (#9992464)

    "What do they want us to do, buy some guns and go to Romania and raid the guy's house wearing little eBay uniforms?"

    How about persuading the government to put pressure on the foreign country's government until they sort the problem out? If the MPAA can get "DVD Jon" arrested all the way over in Norway, surely eBay can get some spammers arrested?

  • phishing (Score:4, Interesting)

    by ajs318 ( 655362 ) <sd_resp2@earthsh ... .co.uk minus bsd> on Tuesday August 17, 2004 @12:49PM (#9992504)
    Most of the scam e-mails don't render properly in KMail -- which is what I mostly use -- anyway. But if they did, I'd probably go ahead and fill in a whole bunch of bogus details anyway. Can't be too hard to write a script that does a HTTP GET on the site URL, then submits random data. Preferably plausible data ..... maybe we could borrow the spammers' trick of picking words that seem to go together? And, of course, credit card numbers that pass The Test ..... not difficult, you just generate a 15 digit random string, and calculate the check digit.

    IMHO the only thing missing from KMail is the ability to turn on and off HTML rendering and image loading on a folder-by-folder basis (so I can view known "ham" e-mail in the format it was sent; but my brain already renders HTML so well that <em>this looks a bit slanty</em>).
  • by JoeBuck ( 7947 ) on Tuesday August 17, 2004 @12:53PM (#9992549) Homepage

    Every phishing scam I've seen get through my spam filters gave itself away, because the e-mails are all written by people who are either not fluent in English or who are too illiterate to get a job as a junior secretary in any English-speaking country.

    The biggest threat would be if any of these guys ever hires a native English speaker who can write, and thinks a bit about what a real e-mail from a big corporation might look like.

  • Re:Email Phishing (Score:3, Interesting)

    by glesga_kiss ( 596639 ) on Tuesday August 17, 2004 @01:09PM (#9992758)
    "What do they want us to do, buy some guns and go to Romania and raid the guy's house wearing little eBay uniforms?"

    That's not all that far from the real world. Government is corporations; corporations is government.

  • Re:Educate (Score:2, Interesting)

    by moeymo ( 680735 ) <gsmith_junkNO@SPAMyahoo.com> on Tuesday August 17, 2004 @01:11PM (#9992778) Homepage

    You're right. Additionally...

    The type of user that knows enough to install such a tool will be the same user that wouldn't be fooled in the first place.

    Vice versa: a user that doesn't know about phishing and would get fooled is also the user that doesn't understand why such a toolbar would be useful!

  • Re:Email Phishing (Score:2, Interesting)

    by wmaker ( 701707 ) on Tuesday August 17, 2004 @01:12PM (#9992783) Homepage
    My dad recently showed me that e-mail, that exact one, and the link says http://www.citibank.com/blah.aspx but if you were to actually click the link it goes to citibank.ru or something similar.
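    A defender-side check for the two link tricks raised in this thread (the `http://trusted@attacker` userinfo form and, as in the Citibank mail above, visible link text that names one site while the href goes to another), written as an added example that is not from the original thread or from any product it names; the sample mail, the host citibank.example.net and the address 203.0.113.5 are constructed for illustration:

```python
# Added example (not from the thread): audit <a> tags in an HTML mail for the
# "http://trusted.example@attacker.example" userinfo trick, for visible link text
# that names one host while the href goes to another, and for raw-IP hosts.
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

HOSTLIKE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)

def _split(url):
    # urlsplit only recognises a netloc after "scheme://", so default the scheme.
    return urlsplit(url if "://" in url else "http://" + url)

def host_of(url):
    """Host a browser would actually connect to (userinfo stripped, lowercased)."""
    return (_split(url).hostname or "").lower()

class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from the mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html):
    """Return (href, text, real_host, reasons) for every anchor that looks deceptive."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real, reasons = host_of(href), []
        if "@" in _split(href).netloc:
            reasons.append("userinfo before host")
        if HOSTLIKE.match(text) and host_of(text) != real:
            reasons.append("text names %s but link goes to %s" % (host_of(text), real))
        try:
            ipaddress.ip_address(real)      # raises ValueError unless it is an IP
            reasons.append("raw IP address as host")
        except ValueError:
            pass
        if reasons:
            findings.append((href, text, real, reasons))
    return findings

# Constructed sample mail: a spoofed Citibank link, a genuine one, and a look-alike host.
SAMPLE_MAIL = """<p>Dear customer, please verify your account:</p>
<a href="http://www.citibank.com@203.0.113.5/login">http://www.citibank.com/blah.aspx</a>
<a href="http://www.citibank.com/help">Help centre</a>
<a href="http://citibank.example.net/update">http://www.citibank.com/update</a>"""
```

    Running `audit_links(SAMPLE_MAIL)` flags the first and third anchors and leaves the genuine help link alone; a mail client or gateway could render the `real_host` value next to each link, which is the "where does this really go" information the thread keeps asking for.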
  • Re:Email Phishing (Score:2, Interesting)

    by Jaysyn ( 203771 ) on Tuesday August 17, 2004 @01:35PM (#9993041) Homepage Journal
    It'd be like Boondock Saints with T-1's.

    "Television is the explanation for this. You see this in bad television. Little assault guys creeping through the vents, coming in through the ceiling - that James Bond shit never happens in real life, professionals don't do that."

    Jaysyn

  • "Phishing"? (Score:1, Interesting)

    by Anonymous Coward on Tuesday August 17, 2004 @02:23PM (#9993572)
    Am I the only one who doesn't understand this term? I probably am, since nobody bothers to briefly explain it in their posts, which probably happened for some time when I missed the whole thing altogether...

    I feel sorry for Phish the band. Then again, I still eat Spam, so maybe it's quite all right after all.
  • Re:"Phishing"? (Score:1, Interesting)

    by shrewmy ( 37432 ) on Tuesday August 17, 2004 @03:48PM (#9994490) Homepage
    From what I understand, basically you collect a big list of emails (or chat names, I don't know how much that goes on anymore) and e-mail them with an e-mail that you're from such and such company, and that they lost this or that information or you need to update it. Then they click a link in the email to go to the authentic looking but fake page, put their information in, and it gets sent to a file or email account the phisher set up.

    I remember back when I used to go on Prodigy chat (I know AOL had these programs too, probably Compuserve also) there were all sorts of stupid chat room disrupting programs. One of the features a lot of them had was a "Phisher" which would collect people's names off of the "Who's Chatting" list things in the rooms, and once you get a big enough collection you type in your scam line (ex "Greetings! I'm from the Prodigy(R) Billing Support Department. We've been having some issues with your account, and need you to certify your billing information. To accomplish this we will need your current billing address and the type, number, and expiration date of the credit card you have signed up for our services with.") and click a button.

    It'd automatically instant message everyone on the list with the message, and 5 minutes later or so you'll have a crapload of replies ranging from their info, to very colorful takes on the phrase "no i will not give it to you, idiot", to the CHAT Host telling you you're now suspended from chat. Usually you're doing it from accounts you've already phished, so it doesn't matter that you got suspended, because you probably just picked up 10 or more accounts anyways.

    The worst part of Prodigy as opposed to AOL was that on Prodigy you could have more than one user signed on at a time. If you phished a master account, you set yourself up your own account and no one's the wiser. Unlike AOL which AFAIK only allows one screen name on at a time, and tells you when someone's already signed on. That might've changed now, who knows? On Prodigy though, you could IM people by account numbers OR chat names (account numbers and chat names were separate, accounts were ABCD12(A-F), and A was the master). There used to be some good chat logs floating around from people who set up a "user account" (letters B-F) and IMed the master account that they phished earlier.

    It was amazing the amount of people that would bite, especially on Prodigy where most people had their user ID shown in their Chat Info (like an AOL profile but more basic) so you could pick out the master accounts and not deal with the regular users.

    Basically you've got your "pond", which is the email addresses or chat names, your "fishing pole and bait" which would be the email or instant message, and you "cast it out" and wait around to see what you can catch. No idea where the PH- came from, but I have a good idea judging from how the super leet hackers typed back then.

    Sorry for the livejournaling, but thinking back to the days of Prodigy chat made me a little nostalgic. :)
