No Phishing
December 15, 2004 10:47 PM

I get a phishing e-mail on a daily basis. It probably accounts for 10% of my spam. The FTC and private industry groups are up in arms, but the problem keeps getting worse. Given the little old ladies who are losing their pensions by clicking on these links, why can't anyone catch these guys? What's the technological barrier?
posted by Saucy Intruder to Computers & Internet (15 answers total)
 
I'm surprised too, since they all have a central server they point at where the fake scripts live. Often it's a fake paypal site at something like http://67.123.66.234/paypalscammer.php and it's pretty easy to find who owns the server hosting the form and grabbing the data.

I'm guessing there are so many, and it takes so long to track folks down to bust them that folks like paypal can't keep up.
posted by mathowie at 11:13 PM on December 15, 2004


I'm sure a lot of it has to do with the servers being located in countries where law enforcement is less than eager to spend time tracking down the people who are committing the fraud.
posted by cmonkey at 12:00 AM on December 16, 2004


1. The main reason that the banks/FTC/whoever can't catch these people is that this is going on all the time, every day, with multiple attacks from different sources. Companies like Citibank are hit numerous times every week. The banks are working on this and do get the web sites shut down - but if the server is in China and the ISP isn't cooperative, it can take a while...
2. It's really simple to do. Spoofing the PayPal web site is trivial. You can grab the scripts to harvest the details and bung them into the database at the backend off IRC or a bunch of web sites. You don't need much technical knowledge. It's become the script kiddies' exploit of choice for things like PayPal or eBay.
3. As well as the kiddies, you've got large criminal bodies involved as well who will target the banks. They will rotate through the banks they're aiming for, use open relays or botnets to distribute the emails, base the web sites on hacked computers or foreign servers, and be able to use or sell the details obtained at the other end.

A lot of the time, it's firefighting because the banks never know when or where the next attack is going to come from... It's impossible to stop the emails coming - it's like viruses. As long as there's money to be made out there, this will carry on happening. The best protection is to make sure people don't give out their personal details in response to an email - but considering how many years it's been that users have been told not to click on attachments because of viruses, it'll take a while for that message to get through.
posted by humuhumu at 2:56 AM on December 16, 2004


The GMail approach to phishing is excellent, and the more email providers that provide this service the better. It looks as though Google tests links to see if they're pointing to PayPal, etc, and if they are not, then it removes the link, and adds a "Warning - possible phishing" section to the email.

A lot of my phishing links seem to come from free-hosting services. I guess that the criminals will use a proxy to set up a new site with a free website hosting site, and then encrypt and redirect all phished details to public IRC / news servers. This would be almost impossible to track down.
posted by seanyboy at 4:49 AM on December 16, 2004


Phishing happens for a few reasons:
  1. A great deal of it comes from overseas, as much as the US Government would like to they don't have any jurisdiction there.
  2. Tracking phishing to unique people is difficult. Getting new web sites or email accounts is very simple. If you're phishing from overseas in order to get punished two or more foreign governments have to co-operate together. Two domestic political groups can't even do that within the U.S.
  3. People are idiots. Phishing would stop if it didn't work. It works so it doesn't stop.
  4. The most popular operating system is horribly insecure (the upstarts are insecure but not horribly so) which makes it possible to build a mesh of relays for your phishing needs through the use of a worm.

posted by substrate at 5:18 AM on December 16, 2004


I'd love to see a free tool released by a giant like Google or (gasp) Microsoft or someone that integrated into the address bar of a browser and was able to verify that the website someone was looking at was truly the legitimate website of the company it purported to be. It wouldn't be that hard to do with public/private key encryption; I'd envision something like this:

1. The aforementioned company compiles a database of known, valid, trusted public keys for all sites that opt to participate.
2. When a user goes to a website, the toolbar checks the database to see if there's a matching public key for the actual URL of the site, and if so, encrypts a short random string and sends it, along with its public key, to a script that lives in a globally-known location on the site. (Again, the company behind the site is opting into this; they would put the script in that known location.) This script would accept the encrypted string and decrypt it, re-encrypt it with the public key that the toolbar sent along, and return the result.
3. The toolbar would decrypt the result, check it against what it originally sent, and then know whether or not it was dealing with the valid website of the company. It could then display this in a small area of the toolbar (e.g., "Verified Site (Paypal)" or "Unverified Site").

The three big obstacles: first, getting a company that would want to embark on something like this (with all its implied liability and whatnot); second, getting a company that people would intrinsically trust; third, getting people to install the toolbar. But it'd be cool to see, nonetheless.
posted by delfuego at 6:59 AM on December 16, 2004


Here's a thought (I'm sure there's a reason why it wouldn't work, someone tell me):

The link text in the phishing scams I've seen usually looks legit, but the actual target is, as Matt says above, some random IP address. Could a browser have a list of sites (Paypal, eBay, etc.) with known good IPs for those sites stored somewhere? So if your granny clicks on a link that's ostensibly for "paypal.com" but that actually goes to 69.1234.56.77 a warning pops up along the lines of "WARNING The site you are trying to access may not be the site named in the link. This is a common scam technique. Are you sure you want to go to this site?"

Is this possible/feasible?
posted by PinkStainlessTail at 7:00 AM on December 16, 2004
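The check seanyboy describes Gmail doing and the one PinkStainlessTail asks about above come down to the same comparison: the host a reader sees in the link text versus the host the href actually leads to. This is an added Python sketch of that comparison, not code from anyone in the thread; the mail body is constructed from the eBay link pair quoted later in the thread plus a raw-IP link, and 192.0.2.10 is a documentation address.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname the href really points at, or None."""
    if "//" not in url:
        url = "//" + url                          # scheme-less "www.x.com/path" hrefs
    return (urlparse(url).hostname or "").lower() or None
def named_host(text):
    """Host a reader sees in the link text, or None for plain words like "Click here"."""
    m = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
    return m.group(1).lower() if m else None
def same_site(shown, actual):
    """True when the real host is the shown host or one of its subdomains (www. ignored)."""
    shown, actual = shown.removeprefix("www."), actual.removeprefix("www.")
    return actual == shown or actual.endswith("." + shown)

def suspicious_links(html):
    """(visible text, real host, reason) for links whose text names a site the href never reaches."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        shown, actual = named_host(text), host_of(href)
        if not (shown and actual) or same_site(shown, actual):
            continue                              # nothing named in the text, or it matches
        reason = "raw IP address" if re.fullmatch(r"[\d.]+", actual) else "different host"
        findings.append((text, actual, reason))
    return findings

SAMPLE = (  # constructed mail body: the thread's eBay pair plus a raw-IP "paypal.com" link
    '<a href="http://esv1.ajesthe.jp/signin.ebay.com/saw-cgi/eBayISAPIdllSignIn.php">'
    'http://signin.ebay.com/eBayISAPI.dll?SignIn&amp;ssPageName=h:h:sin:US</a>'
    ' <a href="http://192.0.2.10/paypal/">paypal.com</a>'
    ' <a href="https://www.paypal.com/help">Help</a>')
```

Running `suspicious_links(SAMPLE)` flags the first two anchors and leaves the plain "Help" link alone, since its text names no host to compare against.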


Or, uh, what delfuego said. Must be something in the air.
posted by PinkStainlessTail at 7:02 AM on December 16, 2004


Thinking it through a little bit, a slightly better way to implement this would be to add a step 1.5, and augment step 2:

1.5. The aforementioned company would maintain a page that lists a current public key for the toolbar; participating sites (e.g., Paypal, eBay, etc.) would have access to this page so that they could grab the public key. (Optimally, this page would only be protected, and only accessible to participating sites.)
2. When a user goes to a website, the toolbar checks the database to see if there's a matching public key for the actual URL of the site, and if so, encrypts a short random string and sends it, along with its public key, to a script that lives in a globally-known location on the site. (Again, the company behind the site is opting into this; they would put the script in that known location.) This script would accept the encrypted string and decrypt it, re-encrypt it with the public key that the toolbar sent along for the toolbar, and return the result.

That would add a bit of protection against man-in-the-middle attacks, since the man-in-the-middle would have no way of mucking with the participating sites' server's ability to grab the correct public key for the toolbar and use it.
posted by delfuego at 7:05 AM on December 16, 2004
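delfuego's challenge-response scheme (steps 1 to 3 in the earlier comment, with step 1.5 and the amended step 2 above) as an added Python sketch; it is not code from anyone in the thread. RSA is a deliberately toy textbook version on Mersenne primes so the exchange runs stand-alone, the directory entry and all party names are constructed, and the genuine site holds a pre-fetched toolbar key (step 1.5) while the impostor has no site private key at all.

```python
import secrets

# Toy textbook RSA on Mersenne primes (known prime) so the exchange runs stand-alone; nothing here is sized or padded for real use.
def rsa_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)) for constructed primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))       # modular inverse: Python 3.8+

def rsa_apply(key, m):
    """Encrypt with a public key or decrypt with a private key (same operation in RSA)."""
    n, k = key
    return pow(m, k, n)

class ParticipatingSite:
    """The script at the well-known location on a genuine, opted-in site."""
    def __init__(self, site_priv, toolbar_pub):
        self._priv = site_priv
        self._toolbar_pub = toolbar_pub       # step 1.5: fetched from the trusted key page
    def respond(self, challenge, _sent_toolbar_pub):
        nonce = rsa_apply(self._priv, challenge)        # decrypt with the site's private key
        return rsa_apply(self._toolbar_pub, nonce)      # re-encrypt for the toolbar

class ImpostorSite:
    """A phishing host without the site's private key: it can only pass the bytes along."""
    def respond(self, challenge, sent_toolbar_pub):
        return rsa_apply(sent_toolbar_pub, challenge)

class Toolbar:
    def __init__(self, directory):
        self.directory = directory             # step 1: actual host -> site public key
        self.pub, self._priv = rsa_keypair(2**89 - 1, 2**107 - 1)
    def verify(self, host, site):
        """Steps 2 and 3: challenge whatever answers at host and report the verdict."""
        site_pub = self.directory.get(host)
        if site_pub is None:
            return "Unverified Site"           # host never opted in
        nonce = secrets.randbelow(2**64) + 2   # fresh random value, far below either modulus
        reply = site.respond(rsa_apply(site_pub, nonce), self.pub)
        verdict = rsa_apply(self._priv, reply) == nonce
        return f"Verified Site ({host})" if verdict else "Unverified Site"

# Constructed directory entry and parties for a stand-alone run.
SITE_PUB, SITE_PRIV = rsa_keypair(2**31 - 1, 2**61 - 1)
toolbar = Toolbar({"www.paypal.com": SITE_PUB})
genuine = ParticipatingSite(SITE_PRIV, toolbar.pub)
impostor = ImpostorSite()

if __name__ == "__main__":
    print(toolbar.verify("www.paypal.com", genuine))    # Verified Site (www.paypal.com)
    print(toolbar.verify("www.paypal.com", impostor))   # Unverified Site
```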


Quick Link to one of the Better Anti-Phishing Sites:

Why Does it Work?

Off the top of my Head.

1. People unfamiliar with technology don't apply common sense - if you received a Snail Mail with a Stamped, Self Addressed envelope that requested you put all your bank account access info in the envelope and mail it off, would you do it without checking where it was going? With an email, would you even know how?

2. The ROI for the bad guys is huge. Popping a home broadband user's box and setting it up as a spam originator or relay is a minute's work. Just 1 sucker = Profit

3. HTTP was not designed with security in mind. Truthfully, none of the internet protocols really were. There are a few initiatives to change this (particularly in the email Area), but they take time.

4. As has been mentioned. A lot of the actual servers that collect the data from these emails are overseas in countries that don't really give a rats ass at best.

On the plus side, there are a lot of people working on the problem. Many of them are actually pretty smart, and some are even competent. Really, all you can do right now is get an anti-Spam client for your box and be conscious of the problem.
posted by ad hoc at 8:14 AM on December 16, 2004 [1 favorite]


A further note on why they're hard to catch: A lot of these are hosted on hacked web servers. The owners are totally unaware of it. Tracking them down gets them turned off, but even the least skilled hacker can own a new web server, simply by running some widely-circulated scripts.
posted by agropyron at 8:17 AM on December 16, 2004


And I am a dolt that posted a duplicate link to the one the original questioner did

doh!
posted by ad hoc at 10:15 AM on December 16, 2004 [1 favorite]


> A further note on why they're hard to catch: A lot of these are hosted on
> hacked web servers. The owners are totally unaware of it. Tracking them
> down gets them turned off, but even the least skilled hacker can own a new
> web server, simply by running some widely-circulated scripts.


To: info@ain.co.jp

Dear sir or ma'am,

According to whois.nic.ad.jp, you are the email contact for the ajesthe.jp domain. I wish to report an Ebay ID/password/credit card phishing scam being run from one of your servers, esv1.ajesthe.jp.

I have received many notices asking me to sign in to Ebay and confirm my credit card number. The link in the email displays as

http://signin.ebay.com/eBayISAPI.dll?SignIn&ssPageName=h:h:sin:US

...but if you click on this link it takes you to a fake ebay sign-in page at

http://esv1.ajesthe.jp/signin.ebay.com/saw-cgi/eBayISAPIdllSignIn.php

Thanks very much for taking care of this. I'm sure you didn't know your server was being used in this way.

Sincerely yours,


P.S. The upshot of this was that the next time I got one of these phishing emails (the next day) the fake ebay signin page was in the .kr domain. Speaking of whack-a-mole...
posted by jfuller at 10:59 AM on December 16, 2004


delfuego, https already does a lot of that automatically. That's why when you use https with smaller sites, the browser will say "unknown certificate" or somesuch.
posted by cillit bang at 11:07 AM on December 16, 2004


According to whois.nic.ad.jp, you are the email contact for the ajesthe.jp domain. I wish to report an Ebay ID/password/credit card phishing scam being run from one of your servers, esv1.ajesthe.jp.

Every time I've tried that, the e-mail has bounced.
posted by PinkStainlessTail at 11:46 AM on December 16, 2004

