Gone Phishing? 218
Zastrossi writes "According to the Anti-Phishing Working Group, phishing sites--the practice of making sites that look and act like popular sites such as banks in order to steal personal information from customers--rose from 543 sites in September to 1,142 sites in October. Gartner reports that phishing scams cost banks and credit-card companies $10.2 billion."
ING Direct's changing logon (Score:5, Informative)
However, this security method has a fatal flaw... if an attacker knows the answer to any one of the questions, the attacker can just keep reloading until they get the question they want to come up and then answer it. Still, it's better than doing nothing at all.
Re:ING Direct's changing logon (Score:5, Insightful)
Re:ING Direct's changing logon (Score:2)
Re:ING Direct's changing logon (Score:2)
He is talking about the United States ING Direct, not Canadas.
Re:ING Direct's changing logon (Score:4, Interesting)
Re:ING Direct's changing logon (Score:3, Insightful)
a. Login ID (usually the SSN)
b. A device computed response to a challenge. The challenge is usually in the form of TWO 4-digit nonce numbers that must be input into the password generator.
No "remembered" password is needed to be supplied in
Re:ING Direct's changing logon (Score:3, Insightful)
This may continue (Score:2, Informative)
my suggestion, (Score:3, Funny)
this is one phucked up crime
Re:my suggestion, (Score:2)
Re:my suggestion, (Score:2)
nah, this phish will have to eat much spam until they became the bulk of internet...
Truly it is said... (Score:5, Funny)
Teach a man to phish; and you have fed him for a lifetime.
Re:Truly it is said... (Score:2)
Show a man the internet and he won't bother you for weeks.
10.2 Billion is a stunning number. (Score:5, Interesting)
Re:10.2 Billion is a stunning number. (Score:2)
Combat it or deny responsibility you mean... (Score:5, Interesting)
Whereas at the moment a phishing victim can reasonably expect their bank to to give back any money that's lost from their account(s) as a result of being scammed, in future the same victim could well be told that they're responsible so they're liable.
Personally, whilst I would prefer that banks do the right thing, I find it hard to argue with a policy that says that they won't refund money where people have been stupid enough to be conned into giving away their banking details by obvious scams.
I don't want Alzheimer's disease victims to suddenly find their accounts empty but when the average man on the street is practically giving away his financial details when he should be keeping them secure, well, what do you expect banks to do? Give away money which they then end up recouping by charging everyone more for their services?
Sometimes, the only way you can educate people into doing the right thing is to not protect them when they do the wrong thing. In that respect, we're talking about the same sort of lesson people who don't have any backup procedures learn the first time they irretrievably lose all their data.
Tough love is sometimes the best love.
Re:Combat it or deny responsibility you mean... (Score:5, Insightful)
Have you noticed all the online banking EULA's with specific "you're liable for anything until you report your password as breached"? Much in the same way as "Chip and Pin" here in the UK, the shift in the responsibility of fraud onto the customer of these systems is designed for the benefit of the BANKS, any benefit to you is a secondary concern and it seems to be that its actually to your detriment in many cases.
Interestingly, who is it that oversees the fraud of these systems to determine whether they're secure or not? Why, it's the same banks that run them. Hardly independent or unbiased now, is it? That's like asking Adobe, "is your PDF encryption secure?" Hmm, what do you think... *cough* ROT-13 *cough*
Let's use an example of something like Chip and Pin, where instead of a signature you type in a pin along with your credit card transaction. This is vulnerable to multiple attacks, e.g. shoulder-surfing: say someone watches your pin, then steals your card and goes on a shopping spree -- the transactions are all valid as they had the correct pin, so YOU are responsible for this loss. Compare this to the old signature method, they might fool the store cashier, but when you report it you get your money back -- problem is, it's costly for the credit card companies to check and they (or the retailer) ends up paying out. The cost and burden of proof is on THEM, and they don't like that. Other examples of abuse would include dummy card readers and pin input devices, corrupt shops who capture pins, etc. For an interesting discussion on this see here:
http://toothycat.net/wiki/wiki.pl?ChipAndPin [toothycat.net]
So, while I totally agree that users have to bear a certain amount of responsibility, much in the same way as Chip and Pin, until internet banking can be made more secure *by the banks themselves* to the extent that phishing scams and other fraudulent methods are overcome AND the burden of proof is *kept with the banks* then I, for one, will not use them. (Removes tin-foil hat!)
Re:Combat it or deny responsibility you mean... (Score:2)
I'll be using my signature rather than a PIN for as long as possible. When the time eventually comes that I've got no choice but to use a PIN then I'm going to be making damn sure that the hand that isn't entering the digits is shielding the keypad whilst I'm using it.
As to the security concerns that Chip and PIN creates, well, I guess we're all screwed by those.
Personally, I'd prefer a system that has photo and signature-based security. You sign for transa
Cloning smart cards (Score:2)
Cloning a smartcard is orders of magnitude harder than cloning a mag stripe. That's not to say that it cant be done, but it presently would require hundreds of thousands of dollars of equipment... unless of course there is some stupid vulnerability in this particular chip design.
From the sketchy detials i've seen, it seems like your PIN gets fed into your CHIP and then your chip releases it's account informatio
Re:Cloning smart cards (Score:2)
As I've said, being mugged isn't something that I worry about in the general scheme of things, but it does seem to me that a
Re:Combat it or deny responsibility you mean... (Score:2)
My bank offered photo cards a while ago. They sent out junkmail describing how great they
Re:Combat it or deny responsibility you mean... (Score:2)
The problem is that some of these scams are not at all obvious. Banks (like mine) need to tell their customers again and again and again VERY emphatically to categorically NEVER respond to a request for information that the customer did not initiate and not to respond to any links in an e-mail. Even better, if unsolicited information is requested, give out some bogus data. If enough people start doing that it'll take a lot of the scammer's time for nothing. Still visiting an unknown
Re:Combat it or deny responsibility you mean... (Score:2, Interesting)
The problem with this is - sometimes the banks do need to contact their customers. Maybe more often than not it's to try to sell them something, but occasionally they have genuinely good reasons. So they can't tell customers they'll never contact them by e-mail or not to respond to e-mail.
Normally, market forces would drive things so that in order to gain business, banks would have to assume responsibility for some or all losses. Unfortunately with banks acting
Re:Combat it or deny responsibility you mean... (Score:4, Interesting)
The banks are 100% responsible. They operate accounts for the scumbags, and they know who the scumbags are, in order to open accounts for them, and they hand the money to the scumbags.
Lets face it, this is a problem which the banks could solve without third partiy intervention if they only tried. (You can almost hear them singing: If I only had a brain"
Re:Combat it or deny responsibility you mean... (Score:2, Informative)
Right, in my country (Australia) the banks coerce us into using internet banking by charging us for the 'privilege' of speaking to a teller.
If they can't make internet banking safe then there should not be a charge for doing banking with a teller.
Re:Combat it or deny responsibility you mean... (Score:4, Insightful)
I'd love to own a bank, any and all expenses are simply passed onto the customer, you can charge them anything you want for whatever you want, and with the way society is set up now days it is imposible to go without a bank. Ever tried to buy a new car with cash? It is much easier with a bank cheque.
I hate banks, but I'd love to own one.
Seconded! (Score:2)
Exactly. In any system that is this obviously open to abuse (and being actively abused), a large part of the blame lies with the financial institutions.
They are the ones with the inside information on how much is lost and how many accounts are compromised. It's up to THEM to provide a better security model or to cance
Re:10.2 Billion is a stunning number. (Score:5, Informative)
It sure is a stunning number. However, the credit card industry is a huge rip off. They charge consumers interest rates in the 12 - 23% range. (This us during a time in history where interests rates are at historic lows). They charge the merchant fees from 1.5 - 7% on each transaction. The ever increasing fees are adding more profit. They are changing due dates to Sundays hoping to increase late fees. Telemarketing their customers. Trying to sell stuff when you call with the customer support lines.
Last year the credit card industry profits were nearly $30 billion dollars. My guess is that they just write off the fraud and then pass those costs onto the consumer. The average credit card debt keeps increasing so it seems they can pass these costs along and the customer is so reliant on credit card debt for daily life that they don't fight it. What a sham, what a shame.
I think this is an example of how poorly regulated capitalism doesn't work. Despite the appearance of hundreds of credit card competitors and so many cards to choose from, the industry is extremely anti-consumer. The better business bureau reports that the credit card agencies are number one when it comes to consumer complaints.
Re:10.2 Billion is a stunning number. (Score:2)
What a bunch of BS. What ya want -- communism? --- Nobody is holding a gun to anyone's head demanding you MUST use one of those ubiqutous pieces of plastic to pay for the stuff you want.
If your wants outstrip your cash supply you might possibly have to discipline yourself to curtail your desires. Why are there so many elitists in this world that insist that they know better and try to protect stupid/greedy/undisiplined people from themselves by getting the gov
Re:10.2 Billion is a stunning number. (Score:5, Interesting)
What a bunch of BS. What ya want -- communism?
Ah come on. Because I would prefer some checks and balances in the form of effective regulation on a trillion dollar credit card industry that makes me a supporter of communism?
The article was about an industry claiming 10.2 billion is losses due to fraud. My response was because the industry is poorly regulated, that inefficiency is allowed to be passed onto the consumer. The competition among the card companies has not created effecive solutions to the problem.
I do have a credit card, but I carefully keep track of my expenditures (computers are great for this) and pay it off before the due date and therefore pay NO interest
Good for you. We share something in common, I do the same. Even with great discipline I have not been immune from the credit company schenanigans - incorrectly claiming they didn't receive a bill payment until 1 day late and charging a $25 fee (on a $100 bill - wow 25% penalty).
Re:10.2 Billion is a stunning number. (Score:5, Insightful)
Of course the "terms and conditions" were written on the inside of the envelops (i.e. on the envelope itself) and the AG has to step in to put a stop to it.
I had a credit card company who used to try to pull this sort of shit all the time - the due dates were set to sundays or holidays (changed every couple of months), the payment address changed every couple of months and, for some strange reason, it took about 13-15 days for them to "receive" payments (and usually another 2 days to "process". The checks weren't being sent to fucking Rwanda, but from Oregon to Utah / California / Nevada. Blind mail is faster. Mysterious fees would be added and re-added, apparantly with my consent. Membership points / air miles would vanish.
Their collections people would be happy to call you repeatedly even though your bank told you they cashed your check 4-5 days ago.
And it went on and on and on.
Sure, it was fun to abuse the agents for a while, but it got old pretty fucking quick.
The damndest thing was the company was decent for a while, and all of a sudden they changed.
I suppose one or two screwups on their part could be attributed to incompetence or a one time screwup, but there are limits.
I could walk away, and I did - but I'm sure many people couldn't. I know a home loan isn't the same as a credit card, but you presume that they aren't going to act like Guidos.
I think this is also less about the person's greed - It is assumed that you're going to have to borrow a significant amount of money (not many people buy a house outright), but I don't think it is reasonable to assume that a credit card company is going to be a bunch of vicious greedy assholes when you sign up. It's one of those unwritten rules.
Rules that are eventually broken and result in "Pussification Legislation" being passed by the state's AG.
Anyways...
Re:10.2 Billion is a stunning number. (Score:2)
I'd have to argue with the "which shows how much they are bathing in money." The settlement process is their attempt to get some, hell, any money.
They aren't going to ask (well, once, twice) for $80,000 if they know you can't get $80,000. Unreasonable demands will be answered with a "fuck you" (You can't get blood from a rock), reasonable ones might get them some money.
Any money is better than no money, a
If business really lost this much... (Score:2)
I wonder if $10.2 billion represents a "real" number, as in $10.2 billion dollars total actual sucked out of bank accounts, or if its one of those squishy numbers that represents a bunch of soft costs like customer service time and other "clean up" costs (you know, like the RIAA "lost sales" number or "virus cleanup" costs).
While I don't doubt that fraud runs rampant on the Internet, I also have a hard time believing that a business sec
Here's how I got my mom to verify (Score:5, Informative)
2. Make certain it is spelled correctly.
3. If they write to you unsolicited, just type the website in directly that you normally use for the service and you can be certain where you are going.
I can think of more things to tell her, but the more I say the less I fear she will remember. So I boiled it down to the above list.
So far so good....
She is as clueless as anyone on the net, so I figure if it works for her that's a good litmus test....
Re:Here's how I got my mom to verify (Score:5, Informative)
Re:Here's how I got my mom to verify (Score:2)
Same thing with my wife -- because I've warned her, she's been on the lookout for these things. The bank scams are pretty obvious for us, since we're not based in the US and the ones we get are for US banks, but the Paypal ones are the tricky ones. It's going to get to the point where you just don't click on a link you get in an email.
EricHow to masquerade your browser [ericgiguere.com]
Re:Here's how I got my mom to verify (Score:2)
If you're still in doubt simply open a new browser window and log into your account (see host file trick elsewhere). If PayPal or your bank needs information from you they will
Re:Here's how I got my mom to verify (Score:2)
Well, sometimes my friends will send me links and sometimes I'll still click on those... but yeah, these days it's safer to copy and paste links instead of clicking on them.
EricOnly works if what you see is still what you get (Score:3, Insightful)
Re:Only works if what you see is still what you ge (Score:2)
Re:Here's how I got my mom to verify (Score:2)
Then point that as a URL shortcut to the online bank and tell the internet newbie who you are doing this for to only ever use the "bank" icon to access the online banking and to ignore anything that any email says.
Thats dead simple and easy to remember.
Also, usual precautions like a good virus scanner that updates automatically (to stop worms that would mess with the hosts file).
Re:Here's how I got my mom to verify (Score:2, Interesting)
Make sure links to where they say they do (Score:5, Interesting)
There was a link that claimed to go to:
https://scgi.ebay.com/saw-cgi/eBayISAPI.dll?Reg
But mousing over revealed that it actually went to:
http://signin.ebay.com-ogi-bin.tk/_eBaydll.php
Note the com-ogi-bin.tk rather than com/cgi-bin
one problem... (Score:5, Informative)
got an email from Network Solutions the other day, complete with HTML graphics, etc. It said, Dear Customer, we periodically ask our customers to update their whois information....click here to access your account information....
then it said failure to keep your account info up to date could result in the suspension of your domain. turned out this was a legitimate email from NetSol, but it had all the signs of a phish - addressing me with no indication they knew who I was, a la "dear [fill in bank or company here] valued customer"; it urged me to click on a link - which by the way was a dotted IP address; and it threatened negative consequences unless I acted quickly.
Same thing happened to me with Citibank. I am a citibank customer, and the other day I received an email urging me to transfer my balances from other cards, blah, blah. Anyhow, it had all the right logos, and urged me to click on a link. When I did (with some trepidation), I was brought to a site called "accountonline.com", which as it happens, is in fact owned by Citibank.com. Again, turns out this was a legit email from Citibank (or its marketing dept.)
Yes, it is sad that we have gotten to the point where companies cannot use email as a legitimate means of marketing and communications with thier customers (and prospective customers), but banks and other major companies need to heed their own advice, and as far as I'm concerned, as long as these companies keep doing that sort of thing, they have only themselves to blame when their customers expect this sort of communication.
Re:one problem... (Score:2)
There's the problem. Move your banking to a small community bank that has at least some modicum of respect for your personal data and you won't have to worry about Citibank spamming you.
Re:one problem... (Score:2)
Having said that, you would think that Citibank - one of the first targets of the phishermen - would be intelligent enough not to use something that resembles phishing e-mails in a marketing campaign!
Re:one problem... (Score:2)
Well, as long as the domain given wasn't the unicode equivalent of (I+16@|\||.com anyway.
Re:one problem... (Score:2)
To contact a bank, you need to provide some sort of information to prove who you are. When the bank contacts you, there is no reason it should not need to do the same. Banks should take a passcode that they give to their clients when they contact them so that the clients know they are dealing with the real thing. This even works for phonecalls which people apparently don't realize can be phished just as easily.
Re:one problem... (Score:2)
Well, we all know Network Solutions is only about 1 step better than phishers on the scumbag scale to begin with.
I'm sure I've blown away legit e-mail because I don't want to deal with trying to decide if it's real or not. As long as SMTP is in use we will continue to see these kinds of things.
It's going to take some fundamental changes to make this stuff go away (or even just abate)... and seeing as how IPv6 has been just around the corner for about a d
Re:one problem... (Score:2, Insightful)
Does anyone know of a bank that digitally signs all of its email to its customers? It seems that it would be worthwhile to switch to a bank that does this.
Probabl
Re:one problem... (Score:2)
Re:one problem... (Score:2)
One time I had my accounts at CIBC, and I got a phone call from someone saying that they were from CIBC and they needed to ask me a question and to verify ME they asked me for my SIN #. I told her that I cannot give them that information to them over the phone. She put her 'manager' on the line and the manager said that this was all OK, they are CIBC.
I said 'How do I know you are really from the bank? Can you give ME proof
Knowing is half the battle (Score:3, Informative)
I think the most important thing is education. Anti-phishing technology will only be a stop gap measure. Phishing techniques will just become more advanced. I think an agressive advertising campaign, including information when you sign up for a bank account, information when you log on to your account or receive your bill will also be helpful. the previous author mentioning the example of additional login info is correct, the phisher will just reload until the information requested is available to them.
Re:Knowing is half the battle (Score:2)
with URL spoofing in IE, it's an even bigger problem
Has anyone developed any anti-phishing plugins for the various browsers? It should be easy to do for Firefox and Mozilla, of course, and you can even write an ActiveX (cough) browser handler for IE, if I recall my MSDN documentation correctly. The plugins wouldn't be perfect, of course, but they could detect some obvious cases like numeric-only IP addresses being clicked, or maybe even do some analysis of your hosts file. Better than nothing, it seems
rewards for the non-gullible (Score:3, Insightful)
Re:rewards for the non-gullible (Score:2)
Someday...
Misleading Statistic? (Score:4, Insightful)
Hmmm ... the number of "sites" found doubled just when Google doubled its index size...
Re:Misleading Statistic? (Score:2)
These are the number of distinct phish sites found by people investigating and tracking phishers. It has nothing to do with Google at all.
The increase is extremely real and extremely significant.
An interesting exchange (Score:4, Interesting)
A day later I get a call from them asking for the security code on the back of my credit card as well as the phone number for my credit card. Odd, I thought. I've been ordering online for years with this credit card and never been asked after the fact for that info. Additionally the card was a Discover card and there is only one number for that which I'm quite sure CDW knows.
While I doubt there was anything malicious going on I had them cancel the transaction. They explained that it was for extra security but the could have easily asked for that information in the online transaction. I have no way of knowing if this rep was acting on her own so I don't see any added security for me. My only criticism of CDW is that I don't think this was a very professional way to handle this transaction.
I don't really think there was anything malicious going on but its a good idea to be very careful when something is out of the ordinary, even a little bit.
Re:An interesting exchange (Score:4, Interesting)
Just think. If they called you, because they thought the transaction was fishy (and you had NOT placed an order) wouldn't you be thankful they called you?
Just today someone used stolen card card details in full. Phone number, address, etc, for a service. I did a whitepages lookup, and called the card owner. He was completely surprised that his card had been utilized, and immediatelly called to report the attempted fraud and get a new card issued. I would sure hate to call a customer to verify 'just in case' and have them cancel on me, for only doing what is right to protect myself from a chargeback, and protect them from potential fraud.
Re:An interesting exchange (Score:3, Insightful)
Just think. If they called you, because they thought the transaction was fishy (and you had NOT placed an order) wouldn't you be thankful they called you?
Of course, they wouldn't need his card info for that, just a yes or no would do. In the example you mkention, did you quiz the guy for his card info or just ask to verify that he ordered the service?
I certainly wouldn't give my card info out to anyone who called me, especially since caler ID isn't exactly infallable. I would, however be willing to co
Solution (for me) (Score:5, Insightful)
I can't click a false hyperlink in a printed letter.
Re:Solution (for me) (Score:2)
Phish emails DONT COME FROM YOUE BANK, idiot. They go to huge numbers of scraped and bought addresses, by people who have no idea if they even have an account at your bank, in the hopes that some tiny fraction of them do, and are stupid enough to respond with their info.
1. Dont *EVER* use a link in an email to access any site that has anything to do with your money or your identity, or any other sort of information or accounts that should be k
Re:Solution (for me) (Score:2)
Uh, no kidding, junior. And no, it's not irrelevant whether or not my bank has a legitimate address. This way guarantees no false positives, as any bank correspondence that would show up in my primary email would have to be false. So confident, that you can add your bank's name to a spam filter and junk them all immediately.
Re:Problem (for everyone but you) (Score:2)
10.2 Billion (Score:3, Interesting)
Personally, I think something is seriously wrong if phishing alone managed to net scammers $10.2 billion. Maybe if it was world wide consumer finance fraud combined it would be more believeable.
Re:10.2 Billion (Score:2)
Yep. They set all that money loose.
sign the E-mail (Score:2)
Re:sign the E-mail (Score:2, Funny)
I used to do that but I stopped because it was too hard to wipe the magic marker off my monitor.
Figures... (Score:5, Funny)
Gartner reports that phishing scams cost banks and credit-card companies $10.2 billion.
In related news, some anonymous guy using randomly generated numbers, estimates that tech employees who visit
Re:Figures... (Score:2)
It cost US! Re:Figures... (Score:2)
So even if you do everything right, you don't get caught by a phish, you'll still be paying. A portion of losses caused by others getting duped will be added to your fees and/or reduce value you recieve. The companies will pass the cost along to everybody & protect their bottom line.
I thought I saw a phishing victim the other day... (Score:5, Funny)
When I was a kid, we had to get bits of metal embedded in us the old fashioned way - war, industrial accidents and drunken fishing!
Gone Phishing? Alas no! (Score:2)
An anti-phishing class? (Score:4, Insightful)
The problem seems to be people who don't know the difference. A phishing scam won't really fool anyone who is aware of them. Sure, everyone here knows about dummy e-mail accounts and is well aware what a phish looks like. The problem, as with many scams, is not those who are aware of them but those who are not.
Given that, why don't banks and the like give a simple online tutorial before allowing a user to set up any type of Net account that implies moving real money? I would think a 5-minute (at most) presentation followed by a short quiz would be sufficient.
If everyone involved in online financial transactions is thus educated about phishing, it would become quite a bit harder for the scammers to find unknowing victims.
Quite good (Score:2)
Who will "fix" the internet and how? (Score:2)
This problem saddens me greatly because it ruins the promise of global communications. Rather than a utopian information paradise for everyone,
Re:Who will "fix" the internet and how? (Score:2)
Why are there so many otherwise intelligent people that think the government can solve every problem? Most of the time government creates more problems than it solves. Trusting computers is not the problem and there will always be scams, with or without the Internet. The problem is that there are more and more untrustworthy people, not computers. These phishing scams can also done with the phone or by mail. However, the Internet happens to
Re:Who will "fix" the internet and how? (Score:2)
10.2 Billion? Does that bother anyone else? (Score:2)
Re:10.2 Billion? Does that bother anyone else? (Score:2)
Pesos.
Here in Finland (Score:2)
Ah, yes... (Score:2)
Paypal's fake email looked real (Score:3, Informative)
http://www.cisec.or.kr/~sr5141/paypal/update.ht
(Have a ball with the address if you want.)
If I was using IE then it would have spoofed the url as well.
I halfheartedly filled in some obscene words to send, however so much data was asked for in particular ways that I never could validate the screen for sending without carefully crafting a reply ( I was cutting and pasting) so I aborted instead.
Re:Paypal's fake email looked real (Score:2)
What was funny was that the email used the actual paypal site for the logo and blue bars to save bandwidth.
Dear slashdot@hotmail.com
It has come to our attention that your PayPal Billing Information records are out of date. That requires you to update the Billing Information.
Failure to update your records will result in account termination. Please update your records in maximum 24 hours. Once you have updated your account
10*^3/10^10=10^7 DAMN! No idea it was (Score:2)
so lucrative.
If only Swami didn't want the hassle so much $ brings he'd be offshore and phishing tomorrow.
Hell, as it is, he can't manage the checking account, never mind $10^7!
One solution (Score:2)
This device would be specific to the customer and would contain a special hash embedded in it. Each time you log in to the netbank, it gives you a randomly generated hash (something using the current date and time as part of the randomiszation process is good). Then, you input this hash into the device and it combines it with the stored hash and prints the result. The result is then input back to the netbank along with the other banking de
Re:One solution (Score:2)
Basically this thing generates a number on it's LCD screen every 60 seconds, and that is time synchronised to the customer's authentication servers. When you combine your username, 4 digit pin number and this RSA secureID number, it is very secure.
I cant see this being particularly difficult/expensive for banks to implement w
Re:One solution (Score:2)
Search images? (Score:4, Interesting)
10.2 billion for 1100 sites (Score:2, Funny)
Even with an equal share for each site...that is almost 9 million dollars per site. If I got in last year, I would have been almost 20 million richer.
Ah, if only I knew and got into phishing last year.
Email Security (Score:2)
Report These To The Webhost (Score:2)
At the moment, it looks like a single guy is poking at our servers, as all of the phishing incidents we've had thus far include an Ebay scam and a Suntrust scam. Given how the attaker works (changes the contact email to a yahoo ac
They could slow the crime, if they really cared. (Score:3, Interesting)
After your stupid phishing scams hit, eBay, Suntrust, Citibank, Paypal and BOA start hitting them with a few marked accounts. These marked accounts are setup with the purpose of dropping the information to the phishing scam people.
From that point, the phishing scammers will try to use this information for their benefit. At that point, it should be easier to build a path back to them.
That would require effort, it's easier for the banks to tack another dollar onto ATM fees and write off the losses. Has anyone checked to see if banks are actually writing off these losses and reporting them to shareholders?
Just like spam emails, the money goes somewhere. Just follow the money.
A serious problem (Score:2)
There are some easy improvements (Score:2, Informative)
Another thing to do is to hack the phishing sites. Phishers are typically terrible coders. This means that many standard web attacks can be used to divulge information about them. Even if the site is hosted in a remote nation, they typically forw
it doubled? (Score:2)
Just because this research firm *discovered* more sites, doesn't mean the actual number of such sites in existence increased. Did they even check to see how long these new sites they've catalogued have been around? I suspect the number of sites for phishing was even higher than the current October count of 1,142 way back in September... possibly significantly so.
Paypal phishing irony (Score:2)
Dear valued *PayPal^® *member: *PayPal^® * is committed to maintaining a safe environment for its community of buyers and sellers. To protect the security of your account, PayPal employs some of the most advanced security systems in the world and our
Phish Firefox? (Score:3, Interesting)
Ie, they'll hand out fake Firefox download links in e-mails or HOST file hack mozilla.org. Then, when you download, you get Firefox - plus add-on code that sniffs your keystrokes or credit card numbers.
Mind you, this has been my big problem with using Firefox from the beginning: the distribution might contain that kind of thing anyway. At least MS, with their existing millions, are unlikely to be interested in my card number.
The Easiest Counter (Score:3, Insightful)
I too have been getting quite a few more of these lately, but there is a pretty easy way to combat them:
If you recieve an email about company bla bla bla, needing bla bla bla, open your brower and :::type::: the known, valid address in and see if they mention it. If you're still curious...call.
It's really that simple folks.
-Chris