Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
The Internet Security

Gone Phishing? 218

Zastrossi writes "According to the Anti-Phishing Working Group, phishing sites--the practice of making sites that look and act like popular sites such as banks in order to steal personal information from customers--rose from 543 sites in September to 1,142 sites in October. Gartner reports that phishing scams cost banks and credit-card companies $10.2 billion."
This discussion has been archived. No new comments can be posted.

Gone Phishing?

Comments Filter:
  • by LostCluster ( 625375 ) * on Friday November 26, 2004 @08:31PM (#10928244)
    ING Direct's logon page has an interesting feature where it asks for an extra piece of info beyond the username and PIN such as your account's ZIP code or a piece of your SSN on each logon, with the extra question changing every time.

    However, this security method has a fatal flaw... if an attacker knows the answer to any one of the questions, the attacker can just keep reloading until they get the question they want to come up and then answer it. Still, it's better than doing nothing at all.
    • by realdpk ( 116490 ) on Friday November 26, 2004 @08:33PM (#10928255) Homepage Journal
      Not to mention it just gives the attackers more information to ask the attackees. They just have to create sites that ask for SSNs and ZIPs and stuff, on top of everything else. With that additional information the attackers'll have an even easier time stealing! Way to go ING :)
    • You must be getting phished, cause it [] clearly doesn't have anything beyond client number and PIN.
    • by itsthebin ( 725864 ) on Friday November 26, 2004 @10:09PM (#10928705) Homepage
      HSBC has a good extra security measure. Unless you are transferring to an existing account template you must request an extra qualifing code which is then sms'd to the phone number you have registered with them. To change the phone number requires you to ring up customer service and using your phone banking code to verify yourself.
    • All banks in Sweden have had two factor authentication for a long time now. When you get online access to your account, you are given a physical device that generates passwords (using a secret key and the current time and some nonce inputs). A login attempt must provide

      a. Login ID (usually the SSN)
      b. A device computed response to a challenge. The challenge is usually in the form of TWO 4-digit nonce numbers that must be input into the password generator.

      No "remembered" password is needed to be supplied in

  • This may continue (Score:2, Informative)

    by comwiz56 ( 447651 )
    This can only continue to rise. I'd imagine this is a good way to make money that won't be stopping soon. Consumer ignorance is high, and this is just another way of exploiting it. Make sure to educate your friends and families and check out the Anti-Phishing Working Group [].
  • by Anonymous Coward on Friday November 26, 2004 @08:34PM (#10928257)
    people should watch out for sites that seem at all phishy. i hope the govt. phish out who these bastards are so they can't phish anymore.

    this is one phucked up crime :(
  • by Concern ( 819622 ) * on Friday November 26, 2004 @08:34PM (#10928260) Journal
    If anyone believes this, it justifies fairly extraordinary investment to combat it. When you are talking billions then enormous infrastructure projects are possible. For instance, imagine the kind of systematic surveillance activity that could be mounted on the internet with a multi-billion dollar budget.
    • Part of the problem is that the losses are far more often bourne by the banks rather than the consumer involved. Therefore, it's a drop in the bucket out of a whole industry's profits. If that much money was lost by consumers themselves, then there'd definitely be motivation to close up the holes...
    • by WIAKywbfatw ( 307557 ) on Friday November 26, 2004 @08:50PM (#10928352) Journal
      I read recently that phishing scams have reached such a ridiculous level that UK banks are seriously considering making the victims 100 percent responsible for them.

      Whereas at the moment a phishing victim can reasonably expect their bank to to give back any money that's lost from their account(s) as a result of being scammed, in future the same victim could well be told that they're responsible so they're liable.

      Personally, whilst I would prefer that banks do the right thing, I find it hard to argue with a policy that says that they won't refund money where people have been stupid enough to be conned into giving away their banking details by obvious scams.

      I don't want Alzheimer's disease victims to suddenly find their accounts empty but when the average man on the street is practically giving away his financial details when he should be keeping them secure, well, what do you expect banks to do? Give away money which they then end up recouping by charging everyone more for their services?

      Sometimes, the only way you can educate people into doing the right thing is to not protect them when they do the wrong thing. In that respect, we're talking about the same sort of lesson people who don't have any backup procedures learn the first time they irretrievably lose all their data.

      Tough love is sometimes the best love.
      • by ManxStef ( 469602 ) on Friday November 26, 2004 @10:16PM (#10928742) Homepage
        It does seem to be yet another shift of burden of proof onto the consumer though, does it not?

        Have you noticed all the online banking EULA's with specific "you're liable for anything until you report your password as breached"? Much in the same way as "Chip and Pin" here in the UK, the shift in the responsibility of fraud onto the customer of these systems is designed for the benefit of the BANKS, any benefit to you is a secondary concern and it seems to be that its actually to your detriment in many cases.

        Interestingly, who is it that oversees the fraud of these systems to determine whether they're secure or not? Why, it's the same banks that run them. Hardly independent or unbiased now, is it? That's like asking Adobe, "is your PDF encryption secure?" Hmm, what do you think... *cough* ROT-13 *cough*

        Let's use an example of something like Chip and Pin, where instead of a signature you type in a pin along with your credit card transaction. This is vulnerable to multiple attacks, e.g. shoulder-surfing: say someone watches your pin, then steals your card and goes on a shopping spree -- the transactions are all valid as they had the correct pin, so YOU are responsible for this loss. Compare this to the old signature method, they might fool the store cashier, but when you report it you get your money back -- problem is, it's costly for the credit card companies to check and they (or the retailer) ends up paying out. The cost and burden of proof is on THEM, and they don't like that. Other examples of abuse would include dummy card readers and pin input devices, corrupt shops who capture pins, etc. For an interesting discussion on this see here: []

        So, while I totally agree that users have to bear a certain amount of responsibility, much in the same way as Chip and Pin, until internet banking can be made more secure *by the banks themselves* to the extent that phishing scams and other fraudulent methods are overcome AND the burden of proof is *kept with the banks* then I, for one, will not use them. (Removes tin-foil hat!)
        • I agree with you 100 percent about Chip and PIN.

          I'll be using my signature rather than a PIN for as long as possible. When the time eventually comes that I've got no choice but to use a PIN then I'm going to be making damn sure that the hand that isn't entering the digits is shielding the keypad whilst I'm using it.

          As to the security concerns that Chip and PIN creates, well, I guess we're all screwed by those.

          Personally, I'd prefer a system that has photo and signature-based security. You sign for transa
          • Getting hold of someone's pin may not be that difficult, but the pin is no use without the card.

            Cloning a smartcard is orders of magnitude harder than cloning a mag stripe. That's not to say that it cant be done, but it presently would require hundreds of thousands of dollars of equipment... unless of course there is some stupid vulnerability in this particular chip design.

            From the sketchy detials i've seen, it seems like your PIN gets fed into your CHIP and then your chip releases it's account informatio
            • My Chip and PIN nightmare scenario is a junkie armed with a knife threatening it out of me, or worse, my girlfriend. Granted, the chances of ever being mugged are very slim, but Chip and PIN seems to me to be a violent mugger's dream come true: take someone's wallet, extract their PIN from them and, voila, you've turned a nice profit simply by marching along to the nearest cashpoint.

              As I've said, being mugged isn't something that I worry about in the general scheme of things, but it does seem to me that a
          • I used one of these a couple of weeks ago. The machine was over the other side of the register and as I pulled the pinpad close enough to my chest that noone else could see what I was typing, the store owner sheiked at me not to break her precious new gadget by stretching the cable too far. No way was I entering my PIN at arms length right in front of her nose and in full view of the other customers in line behind me.

            My bank offered photo cards a while ago. They sent out junkmail describing how great they

      • ... by obvious scams...

        The problem is that some of these scams are not at all obvious. Banks (like mine) need to tell their customers again and again and again VERY emphatically to categorically NEVER respond to a request for information that the customer did not initiate and not to respond to any links in an e-mail. Even better, if unsolicited information is requested, give out some bogus data. If enough people start doing that it'll take a lot of the scammer's time for nothing. Still visiting an unknown
        • and not to respond to any links in an e-mail

          The problem with this is - sometimes the banks do need to contact their customers. Maybe more often than not it's to try to sell them something, but occasionally they have genuinely good reasons. So they can't tell customers they'll never contact them by e-mail or not to respond to e-mail.

          Normally, market forces would drive things so that in order to gain business, banks would have to assume responsibility for some or all losses. Unfortunately with banks acting

      • by Anne Thwacks ( 531696 ) on Saturday November 27, 2004 @07:40AM (#10930187)
        making the victims 100 percent responsible

        The banks are 100% responsible. They operate accounts for the scumbags, and they know who the scumbags are, in order to open accounts for them, and they hand the money to the scumbags.

        Lets face it, this is a problem which the banks could solve without third partiy intervention if they only tried. (You can almost hear them singing: If I only had a brain"

    • by krbvroc1 ( 725200 ) on Friday November 26, 2004 @10:06PM (#10928689)
      If anyone believes this, it justifies fairly extraordinary investment to combat it.

      It sure is a stunning number. However, the credit card industry is a huge rip off. They charge consumers interest rates in the 12 - 23% range. (This us during a time in history where interests rates are at historic lows). They charge the merchant fees from 1.5 - 7% on each transaction. The ever increasing fees are adding more profit. They are changing due dates to Sundays hoping to increase late fees. Telemarketing their customers. Trying to sell stuff when you call with the customer support lines.

      Last year the credit card industry profits were nearly $30 billion dollars. My guess is that they just write off the fraud and then pass those costs onto the consumer. The average credit card debt keeps increasing so it seems they can pass these costs along and the customer is so reliant on credit card debt for daily life that they don't fight it. What a sham, what a shame.

      I think this is an example of how poorly regulated capitalism doesn't work. Despite the appearance of hundreds of credit card competitors and so many cards to choose from, the industry is extremely anti-consumer. The better business bureau reports that the credit card agencies are number one when it comes to consumer complaints.
      • ...poorly regulated capitalism doesn't work...

        What a bunch of BS. What ya want -- communism? --- Nobody is holding a gun to anyone's head demanding you MUST use one of those ubiqutous pieces of plastic to pay for the stuff you want.

        If your wants outstrip your cash supply you might possibly have to discipline yourself to curtail your desires. Why are there so many elitists in this world that insist that they know better and try to protect stupid/greedy/undisiplined people from themselves by getting the gov
        • by krbvroc1 ( 725200 ) on Friday November 26, 2004 @11:52PM (#10929082)
          ...poorly regulated capitalism doesn't work...

          What a bunch of BS. What ya want -- communism?

          Ah come on. Because I would prefer some checks and balances in the form of effective regulation on a trillion dollar credit card industry that makes me a supporter of communism?

          The article was about an industry claiming 10.2 billion is losses due to fraud. My response was because the industry is poorly regulated, that inefficiency is allowed to be passed onto the consumer. The competition among the card companies has not created effecive solutions to the problem.

          I do have a credit card, but I carefully keep track of my expenditures (computers are great for this) and pay it off before the due date and therefore pay NO interest

          Good for you. We share something in common, I do the same. Even with great discipline I have not been immune from the credit company schenanigans - incorrectly claiming they didn't receive a bill payment until 1 day late and charging a $25 fee (on a $100 bill - wow 25% penalty).
        • by loraksus ( 171574 ) on Saturday November 27, 2004 @07:02AM (#10930128) Homepage
          Come now, these are the same motherfuckers who send seniors $5 checks which, when cashed, enroll them into some credit protection program / yellow pages listing service that costs $10 a month.
          Of course the "terms and conditions" were written on the inside of the envelops (i.e. on the envelope itself) and the AG has to step in to put a stop to it.

          I had a credit card company who used to try to pull this sort of shit all the time - the due dates were set to sundays or holidays (changed every couple of months), the payment address changed every couple of months and, for some strange reason, it took about 13-15 days for them to "receive" payments (and usually another 2 days to "process". The checks weren't being sent to fucking Rwanda, but from Oregon to Utah / California / Nevada. Blind mail is faster. Mysterious fees would be added and re-added, apparantly with my consent. Membership points / air miles would vanish.
          Their collections people would be happy to call you repeatedly even though your bank told you they cashed your check 4-5 days ago.
          And it went on and on and on.
          Sure, it was fun to abuse the agents for a while, but it got old pretty fucking quick.

          The damndest thing was the company was decent for a while, and all of a sudden they changed.
          I suppose one or two screwups on their part could be attributed to incompetence or a one time screwup, but there are limits.

          I could walk away, and I did - but I'm sure many people couldn't. I know a home loan isn't the same as a credit card, but you presume that they aren't going to act like Guidos.

          I think this is also less about the person's greed - It is assumed that you're going to have to borrow a significant amount of money (not many people buy a house outright), but I don't think it is reasonable to assume that a credit card company is going to be a bunch of vicious greedy assholes when you sign up. It's one of those unwritten rules.
          Rules that are eventually broken and result in "Pussification Legislation" being passed by the state's AG.

    • ...wouldn't their lapdogs in government be doing something about this?

      I wonder if $10.2 billion represents a "real" number, as in $10.2 billion dollars total actual sucked out of bank accounts, or if its one of those squishy numbers that represents a bunch of soft costs like customer service time and other "clean up" costs (you know, like the RIAA "lost sales" number or "virus cleanup" costs).

      While I don't doubt that fraud runs rampant on the Internet, I also have a hard time believing that a business sec
  • by russler ( 749464 ) on Friday November 26, 2004 @08:39PM (#10928290)
    1. Make certain the site name is not all numeric.

    2. Make certain it is spelled correctly.

    3. If they write to you unsolicited, just type the website in directly that you normally use for the service and you can be certain where you are going.

    I can think of more things to tell her, but the more I say the less I fear she will remember. So I boiled it down to the above list.

    So far so good....

    She is as clueless as anyone on the net, so I figure if it works for her that's a good litmus test....
    • by LostCluster ( 625375 ) * on Friday November 26, 2004 @08:43PM (#10928310)
      That list is a good start, but the latest variant involves a worm that hoses the hosts file and that means a properly spelled URL can still possibly lead to a phisher's site...
    • Same thing with my wife -- because I've warned her, she's been on the lookout for these things. The bank scams are pretty obvious for us, since we're not based in the US and the ones we get are for US banks, but the Paypal ones are the tricky ones. It's going to get to the point where you just don't click on a link you get in an email.

      How to masquerade your browser []
      • The two acid tests that have worked so far are:
        1. If the e-mail starts with "Dear PayPal User" or "Dear Valued Customer", it's always bogus. A legitimate mail will always use your name.
        2. If the e-mail asks you to click on a link, it is always bogus. A legitimate e-mail will always ask you to enter the real site name in your browser.

        If you're still in doubt simply open a new browser window and log into your account (see host file trick elsewhere). If PayPal or your bank needs information from you they will

    • Wasn't there an IE exploit where you could make one URL show up like another URL in the address bar?
    • What you should do is make a shortcut on the desktop labeled "online banking" or "bank" or something like that.
      Then point that as a URL shortcut to the online bank and tell the internet newbie who you are doing this for to only ever use the "bank" icon to access the online banking and to ignore anything that any email says.

      Thats dead simple and easy to remember.
      Also, usual precautions like a good virus scanner that updates automatically (to stop worms that would mess with the hosts file).
    • by erice ( 13380 ) on Saturday November 27, 2004 @12:58AM (#10929297) Homepage
      I received a very well done paypal phish recently. It was sent to my paypal email address (different from my ebay address and never used for anything else).

      There was a link that claimed to go to: st erEnterInfo

      But mousing over revealed that it actually went to:

      Note the rather than com/cgi-bin
  • one problem... (Score:5, Informative)

    by tsu doh nimh ( 609154 ) on Friday November 26, 2004 @08:41PM (#10928299)
    is that banks themselves are guilty of perpetuating this stuff.

    got an email from Network Solutions the other day, complete with HTML graphics, etc. It said, Dear Customer, we periodically ask our customers to update their whois here to access your account information....

    then it said failure to keep your account info up to date could result in the suspension of your domain. turned out this was a legitimate email from NetSol, but it had all the signs of a phish - addressing me with no indication they knew who I was, a la "dear [fill in bank or company here] valued customer"; it urged me to click on a link - which by the way was a dotted IP address; and it threatened negative consequences unless I acted quickly.

    Same thing happened to me with Citibank. I am a citibank customer, and the other day I received an email urging me to transfer my balances from other cards, blah, blah. Anyhow, it had all the right logos, and urged me to click on a link. When I did (with some trepidation), I was brought to a site called "", which as it happens, is in fact owned by Again, turns out this was a legit email from Citibank (or its marketing dept.)

    Yes, it is sad that we have gotten to the point where companies cannot use email as a legitimate means of marketing and communications with thier customers (and prospective customers), but banks and other major companies need to heed their own advice, and as far as I'm concerned, as long as these companies keep doing that sort of thing, they have only themselves to blame when their customers expect this sort of communication.
    • I am a citibank customer

      There's the problem. Move your banking to a small community bank that has at least some modicum of respect for your personal data and you won't have to worry about Citibank spamming you.

    • The Citibank case is entirely their fault. Whatever the web site was, it should have been somewhere in the domain. As long as the web server also used SSL, you could have been assured that the site was legit.

      Well, as long as the domain given wasn't the unicode equivalent of (I+16@|\||.com anyway. :)
    • There's a real simple solution to this. While it isn't 100%, it's close.

      To contact a bank, you need to provide some sort of information to prove who you are. When the bank contacts you, there is no reason it should not need to do the same. Banks should take a passcode that they give to their clients when they contact them so that the clients know they are dealing with the real thing. This even works for phonecalls which people apparently don't realize can be phished just as easily.
    • got an email from Network Solutions the other day

      Well, we all know Network Solutions is only about 1 step better than phishers on the scumbag scale to begin with.

      I'm sure I've blown away legit e-mail because I don't want to deal with trying to decide if it's real or not. As long as SMTP is in use we will continue to see these kinds of things.

      It's going to take some fundamental changes to make this stuff go away (or even just abate)... and seeing as how IPv6 has been just around the corner for about a d
    • Re:one problem... (Score:2, Insightful)

      by ArcaneLord ( 175946 )
      I get these types of emails all of the time; very frustrating to not know if it is something I really need to do something about or scam. It seems that there is a simple solution, if banks started digitally signing emails they sent to customers, then we would know that it actually came from them. No more worries about redirects, phishing, etc.

      Does anyone know of a bank that digitally signs all of its email to its customers? It seems that it would be worthwhile to switch to a bank that does this.

    • Paypal did the same to its European (or maybe just UK) customers last week. Unlike the phishers they weren't asking to update any details, just notifying of new terms and conditions, but to read the new T&Cs you had to log in. Completely unnecessary, and had me manually typing in the URL just to make sure some phisher hadn't figured out how to fool Thunderbird and Firefox into showing false information.
  • by ucsckevin ( 176383 ) on Friday November 26, 2004 @08:42PM (#10928308) Homepage
    Phishing is a big problem for those who may be too old or too busy to remember what their bank's URL should be. with URL spoofing in IE, it's an even bigger problem.

    I think the most important thing is education. Anti-phishing technology will only be a stop gap measure. Phishing techniques will just become more advanced. I think an agressive advertising campaign, including information when you sign up for a bank account, information when you log on to your account or receive your bill will also be helpful. the previous author mentioning the example of additional login info is correct, the phisher will just reload until the information requested is available to them.

    • with URL spoofing in IE, it's an even bigger problem

      Has anyone developed any anti-phishing plugins for the various browsers? It should be easy to do for Firefox and Mozilla, of course, and you can even write an ActiveX (cough) browser handler for IE, if I recall my MSDN documentation correctly. The plugins wouldn't be perfect, of course, but they could detect some obvious cases like numeric-only IP addresses being clicked, or maybe even do some analysis of your hosts file. Better than nothing, it seems

  • by EllynGeek ( 824747 ) on Friday November 26, 2004 @08:46PM (#10928330)
    Banks, Ebay, PayPal, and all the other popular phish targets should have rewards programs for customers who aren't gullible and don't fall for scams. And maybe a "congratulations on not being an ignorant gullible fool" reward would motivate more customers to actually care. Most folks don't, they assume the government will protect them. I think we should stop foiling natural selection and let it do its job.
    • I've sent like 150+ phishing emails to eBay's (and a number of them to paypal). I always say "How about a shirt?" but have yet to get anything other than an automated response followed by a real response saying it's fake (which I already knew).


  • by Anonymous Coward on Friday November 26, 2004 @08:47PM (#10928335)
    543 sites in September to 1,142 sites in October

    Hmmm ... the number of "sites" found doubled just when Google doubled its index size...

    • You mean all these sites are indexed under "phish"? Google has a magic way of recognising a fake site? Somehow, I don't think so.

      These are the number of distinct phish sites found by people investigating and tracking phishers. It has nothing to do with Google at all.

      The increase is extremely real and extremely significant.
  • by sjbe ( 173966 ) on Friday November 26, 2004 @08:48PM (#10928342)
    Tangentially related. I just had an interesting conversation with CDW. I ordered some toner from them for my laser printer. Set up an account and gave my credit card number through the website. Very typical online experience. We've all done it hundreds of times.

    A day later I get a call from them asking for the security code on the back of my credit card as well as the phone number for my credit card. Odd, I thought. I've been ordering online for years with this credit card and never been asked after the fact for that info. Additionally the card was a Discover card and there is only one number for that which I'm quite sure CDW knows.

    While I doubt there was anything malicious going on I had them cancel the transaction. They explained that it was for extra security but the could have easily asked for that information in the online transaction. I have no way of knowing if this rep was acting on her own so I don't see any added security for me. My only criticism of CDW is that I don't think this was a very professional way to handle this transaction.

    I don't really think there was anything malicious going on but its a good idea to be very careful when something is out of the ordinary, even a little bit.
    • by Anonymous Coward on Friday November 26, 2004 @09:04PM (#10928415)
      They called you, from CDW to verify the transaction? That's a pretty standard practice. You could always ask for the persons extension and call back to ensure it's not call from outside their organization.

      Just think. If they called you, because they thought the transaction was fishy (and you had NOT placed an order) wouldn't you be thankful they called you?

      Just today someone used stolen card card details in full. Phone number, address, etc, for a service. I did a whitepages lookup, and called the card owner. He was completely surprised that his card had been utilized, and immediatelly called to report the attempted fraud and get a new card issued. I would sure hate to call a customer to verify 'just in case' and have them cancel on me, for only doing what is right to protect myself from a chargeback, and protect them from potential fraud.
      • Just think. If they called you, because they thought the transaction was fishy (and you had NOT placed an order) wouldn't you be thankful they called you?

        Of course, they wouldn't need his card info for that, just a yes or no would do. In the example you mkention, did you quiz the guy for his card info or just ask to verify that he ordered the service?

        I certainly wouldn't give my card info out to anyone who called me, especially since caler ID isn't exactly infallable. I would, however be willing to co

  • Solution (for me) (Score:5, Insightful)

    by xsupergr0verx ( 758121 ) on Friday November 26, 2004 @08:53PM (#10928361)
    My bank doesn't have my email address. Give them a throwaway email address when registering online, then delete the address. All the mail to that account would bounce, and the bank has other (non phishable) ways to contact me if needed.

    I can't click a false hyperlink in a printed letter.
    • Wether your *bank* legitimately has your address is irrelevant.

      Phish emails DONT COME FROM YOUE BANK, idiot. They go to huge numbers of scraped and bought addresses, by people who have no idea if they even have an account at your bank, in the hopes that some tiny fraction of them do, and are stupid enough to respond with their info.

      1. Dont *EVER* use a link in an email to access any site that has anything to do with your money or your identity, or any other sort of information or accounts that should be k
      • Phish emails DONT COME FROM YOUE BANK, idiot.

        Uh, no kidding, junior. And no, it's not irrelevant whether or not my bank has a legitimate address. This way guarantees no false positives, as any bank correspondence that would show up in my primary email would have to be false. So confident, that you can add your bank's name to a spam filter and junk them all immediately.
  • 10.2 Billion (Score:3, Interesting)

    by Viceice ( 462967 ) on Friday November 26, 2004 @08:55PM (#10928375)
    Did the industry really loose 10.2 billion dollars to scammers or did this number come from the same process the RIAA and the BSA used to estimate loss to piracy?

    Personally, I think something is seriously wrong if phishing alone managed to net scammers $10.2 billion. Maybe if it was world wide consumer finance fraud combined it would be more believeable.

  • This problem would go away quickly if people signed their E-mail. All the infrastructure is there, companies just have to use it and mail user agents have to deal with it a bit more intelligently.
    • This problem would go away quickly if people signed their E-mail.

      I used to do that but I stopped because it was too hard to wipe the magic marker off my monitor.
  • Figures... (Score:5, Funny)

    by Superfreaker ( 581067 ) on Friday November 26, 2004 @09:07PM (#10928430) Homepage Journal

    Gartner reports that phishing scams cost banks and credit-card companies $10.2 billion.

    In related news, some anonymous guy using randomly generated numbers, estimates that tech employees who visit /. during working hours have cost corporate America in excess of $1.5 trillion since September.
    • Well, don't forget all the revenue generated by a beowulf cluster of reloaders sucking up bandwidth!
    • The costs aren't being born by the banks & credit card companies, they're being passed on to the customers -- US!

      So even if you do everything right, you don't get caught by a phish, you'll still be paying. A portion of losses caused by others getting duped will be added to your fees and/or reduce value you recieve. The companies will pass the cost along to everybody & protect their bottom line.

  • by NotQuiteReal ( 608241 ) on Friday November 26, 2004 @09:19PM (#10928478) Journal
    ... then I realized those hooks and such were there on purpose. These young'uns call it piercing, and do it on purpose!. And pay tattooed fellows to do it!

    When I was a kid, we had to get bits of metal embedded in us the old fashioned way - war, industrial accidents and drunken fishing!

  • Too bad, but I cannot expect my share of these attractive $10.2 billion.
  • by laughingcoyote ( 762272 ) <barghesthowl@e x c> on Friday November 26, 2004 @09:26PM (#10928502) Journal

    The problem seems to be people who don't know the difference. A phishing scam won't really fool anyone who is aware of them. Sure, everyone here knows about dummy e-mail accounts and is well aware what a phish looks like. The problem, as with many scams, is not those who are aware of them but those who are not.

    Given that, why don't banks and the like give a simple online tutorial before allowing a user to set up any type of Net account that implies moving real money? I would think a 5-minute (at most) presentation followed by a short quiz would be sufficient.

    If everyone involved in online financial transactions is thus educated about phishing, it would become quite a bit harder for the scammers to find unknowing victims.

  • Some of these attacks have gotten quite good. I recently got an email from "paypal" that seemed quite convincing...except that I don't have a pay pal account. The fact is that some of these attacks are getting quite sophisticated, to the point that someone who is even on the lookout for phising scams can be tricked in a moment of slight distraction, or even be impressed by the amount of work that went into this.
  • The rise of phishing just shows how broken the current internet and e-mail system is. In a age in which worms and scammers can gather address books, fake headers, copy websites of legitimate businesses, hijack browsers, create zombies, and log keystrokes, no e-mail (or even web page) can be presumed to be legitimate no matter who it comes from or how you got it.

    This problem saddens me greatly because it ruins the promise of global communications. Rather than a utopian information paradise for everyone,
    • ...How long will it take before the government regulates the net...

      Why are there so many otherwise intelligent people that think the government can solve every problem? Most of the time government creates more problems than it solves. Trusting computers is not the problem and there will always be scams, with or without the Internet. The problem is that there are more and more untrustworthy people, not computers. These phishing scams can also done with the phone or by mail. However, the Internet happens to
    • The technology for trustworthy, secure e-mail is there and isn't even really all that new. But try to get anyone to use it and they'll ask you "what the hell do I need all this encryption crap for? I'm not a criminal!"
  • Don't get me wrong, I believe this to be a serious issue. BUT, every time there is a problem like this, the price tag to those unfortunate scammed or wormed or virii'd is an amount of money that seems a little rediculous. Seriously, 10.2 billion? 10.2 billion what?
  • We have one time pads for our banks (at least my bank has them) and you have to verify your transactions with another code.
  • Phishing, the 21st century's stupidity tax.
  • by Sanat ( 702 ) on Friday November 26, 2004 @09:55PM (#10928641)
    I received a paypal phishing scheme email just yesterday. I have paypal but not on that email account. Here is what the url looked like: ?= cess979879879879879@#$@*(*87987987234242@#$@$@$@$@ $@$9

    (Have a ball with the address if you want.)

    If I was using IE then it would have spoofed the url as well.

    I halfheartedly filled in some obscene words to send, however so much data was asked for in particular ways that I never could validate the screen for sending without carefully crafting a reply ( I was cutting and pasting) so I aborted instead.

  • so lucrative.

    If only Swami didn't want the hassle so much $ brings he'd be offshore and phishing tomorrow.

    Hell, as it is, he can't manage the checking account, never mind $10^7!

  • Basicly, the bank would give each netbank customer a physical device.
    This device would be specific to the customer and would contain a special hash embedded in it. Each time you log in to the netbank, it gives you a randomly generated hash (something using the current date and time as part of the randomiszation process is good). Then, you input this hash into the device and it combines it with the stored hash and prints the result. The result is then input back to the netbank along with the other banking de
    • There's no need for user input. I do work for several large organisation and as part of their security measures, logging in remotely requires an RSA secureID (little key fob thing).

      Basically this thing generates a number on it's LCD screen every 60 seconds, and that is time synchronised to the customer's authentication servers. When you combine your username, 4 digit pin number and this RSA secureID number, it is very secure.

      I cant see this being particularly difficult/expensive for banks to implement w
  • Search images? (Score:4, Interesting)

    by earthforce_1 ( 454968 ) <> on Friday November 26, 2004 @10:00PM (#10928667) Journal
    I wonder if it is possible to automatically spider for suspicious sites with images and logos from financial institutions that don't belong there? They could be shut down almost before the scam gets started.
  • Damn,
    Even with an equal share for each site...that is almost 9 million dollars per site. If I got in last year, I would have been almost 20 million richer.

    Ah, if only I knew and got into phishing last year.
  • Here's where email security would come in real handy. If we could convince the banks to digitally sign the email they send us, and for them to tell their customers that if it's not digitally signed by them, then it isn't from them, then there wouldn't be so many problems. On the other hand I would never click on a link in an email to update my account details. I can't believe they aren't holding the customers liable. They hold them liable if they tell people their pin code. This is pretty much the same
  • I'm a tech support guy for a small hosting company. I'm going to keep from mentioning who, because I don't want to violate my NDA, but in the past week I've dealt with two customers who call wondering why we've yanked their sites, and find that we caught phishing scams on them.

    At the moment, it looks like a single guy is poking at our servers, as all of the phishing incidents we've had thus far include an Ebay scam and a Suntrust scam. Given how the attaker works (changes the contact email to a yahoo ac

  • by telemonster ( 605238 ) on Saturday November 27, 2004 @12:56AM (#10929296) Homepage
    So you set up a bunch of systems that capture tons of spam emails. Catchall's on various domain names, publish the domain names in public along with email addresses (websites, newsgroups, etc).

    After your stupid phishing scams hit, eBay, Suntrust, Citibank, Paypal and BOA start hitting them with a few marked accounts. These marked accounts are setup with the purpose of dropping the information to the phishing scam people.

    From that point, the phishing scammers will try to use this information for their benefit. At that point, it should be easier to build a path back to them.

    That would require effort, it's easier for the banks to tack another dollar onto ATM fees and write off the losses. Has anyone checked to see if banks are actually writing off these losses and reporting them to shareholders?

    Just like spam emails, the money goes somewhere. Just follow the money.
  • I work for the Credit Card division of one of the largest banks/financial services companies in the United States. We have a very large online presence and have been targeted extensively by phishers. It has become a very serious problem. Not only does it cause direct financial loss when accounts are compromised, but we have delayed several new features due to phishing risk. We are in fact talking about a LOT of money. It is one of the top couple of issues for the entire corporation.
  • Most phishing sites link you into your bank's website at some point or include graphics directly from them. Banks should carefully monitor their image referrers and investigate when they all of the sudden have a high number from

    Another thing to do is to hack the phishing sites. Phishers are typically terrible coders. This means that many standard web attacks can be used to divulge information about them. Even if the site is hosted in a remote nation, they typically forw
  • I can't think of a reason the past few months specifically that would make the number of sites doubled...

    Just because this research firm *discovered* more sites, doesn't mean the actual number of such sites in existence increased. Did they even check to see how long these new sites they've catalogued have been around? I suspect the number of sites for phishing was even higher than the current October count of 1,142 way back in September... possibly significantly so.
  • I've received spoofed emails from paypal claiming that fraudulent activity was taking place and that I needed to login to verify my information. I'm starting to wonder if some of this phishing is being done by ex-employees. It looked very real.

    Dear valued *PayPal^® *member: *PayPal^® * is committed to maintaining a safe environment for its community of buyers and sellers. To protect the security of your account, PayPal employs some of the most advanced security systems in the world and our
  • Phish Firefox? (Score:3, Interesting)

    by hyphz ( 179185 ) * on Saturday November 27, 2004 @09:31AM (#10930377)
    I personally have a bet that, if FireFox gets popular, hackers will start using its open source nature to phish Firefox itself.

    Ie, they'll hand out fake Firefox download links in e-mails or HOST file hack Then, when you download, you get Firefox - plus add-on code that sniffs your keystrokes or credit card numbers.

    Mind you, this has been my big problem with using Firefox from the beginning: the distribution might contain that kind of thing anyway. At least MS, with their existing millions, are unlikely to be interested in my card number.
  • by shoemakc ( 448730 ) on Saturday November 27, 2004 @11:58AM (#10931060) Homepage

    I too have been getting quite a few more of these lately, but there is a pretty easy way to combat them:

    :::never::: follow a link from an email

    If you recieve an email about company bla bla bla, needing bla bla bla, open your brower and :::type::: the known, valid address in and see if they mention it. If you're still

    It's really that simple folks.


Air is water with holes in it.