Join 3,572 readers in helping fund MetaFilter (Hide)


Can we stop the phishing?
July 21, 2005 8:34 PM   Subscribe

MetaPhishing: I just got another phishing email "from" PayPal. My question is whether it might not be effective to go to whatever site it is and spam them with fake personal info. What if a lot of people did this?

I mean, suppose we could somehow create a "meme" for doing this. It seems to (not very bright) me that we might be capable of flooding their databases with useless information. But do they have ways of filtering out this kind of thing? Is this a stupid idea?
posted by trip and a half to Computers & Internet (21 answers total)
 
'Phishers' wreak havoc on online banking.
posted by ericb at 8:37 PM on July 21, 2005


What if a lot of people did this?

I'm all for a vigilante effort against the "phishers.'
posted by ericb at 8:39 PM on July 21, 2005


Why doesn't someone set up some sort of distributed phishing/identity theft poisoning project? Enough junk data could really ruin their whole operation.
posted by wakko at 9:01 PM on July 21, 2005


Oh... I thought everybody already did this!
posted by michaelkuznet at 9:07 PM on July 21, 2005


I dont want to derail but... what was the email trip and a half? I'd email you to get details but no address in your profile. The reason I ask is that I received two different emails just recently, one that said paypal australia was currently not available and provided an alternate clickable link to log in [I ignored this one]. But I also received one today that said I need to update my expired credit card details (this is true). This email didn't have a link in it - so I assume it was legit - yes?
posted by tellurian at 9:17 PM on July 21, 2005


Problem is, it's simple to write a script that tries out every username/password tuple given and keeps only the good ones.
posted by Leon at 9:30 PM on July 21, 2005


tellurian, I can't say whether the email was legit, but it's always safe to go to your browser and manually type the URL of a given site. The trick with phishing is to send you to a fake site (watch out for something like www.paypal.x.com, or paypal.com@123.456.78.9) — if you stay away from any links in the email and go to your browser manually, you can go to the Paypal site or your banks site to make sure everything's on the up-and-up.
posted by rafter at 9:36 PM on July 21, 2005


Bob Cringely thought it was a good idea just a few weeks ago.

I tend to just delete that stuff myself, but drowning them out sounds like a reasonable idea to me.
posted by freshgroundpepper at 9:49 PM on July 21, 2005


Also, not that it's neccessarily going to stop spam, but forward any suspected message to spoof@actualdomain.com (i.e. if you get a PayPal phishing attempt, forward it to spoof@paypal.com).
posted by rafter at 10:07 PM on July 21, 2005


I'm with Leon—it would take the phishers almost no time to validate the info you spend minutes creating, especially since they likely have got the whole process scripted. Not worth your time, IMO.
posted by jenovus at 10:35 PM on July 21, 2005


But that Paypal login takes a good 10 seconds to validate! It would take 10-15 minutes to try out 100 logins, and I'd imagine one's IP would get flagged in the process.
posted by rolypolyman at 10:55 PM on July 21, 2005


I prefer to do a little detective work and email abuse@ the ISP of the real sender as well as the host of the fake site.

Can we stop it? I doubt it.

The emails I've received tell me that I've added (some email address) to my account and that if I didn't authorize it I should log into (fake paypal.com url).

I've only had one phishing attempt lead to a live site, so these sites can be shut down, if only temporarily.
posted by O9scar at 11:15 PM on July 21, 2005


But that Paypal login takes a good 10 seconds to validate!
Unfortunately, the phishers probably have access to large networks of zombied computers. The time they need to check 100 logins is not 10 minutes, it's 10 seconds from 100 different computers.
posted by seanyboy at 12:12 AM on July 22, 2005


Does anyone have a good email address for PayPal? I've bounced things to fraud@PayPal.com, and a few variants but never heard anything in response.

Microsoft, by contrast, almost always responds to mail I forward to piracy@Microsoft.com

I'm not saying forwarding spam ads for cheap software are doing anything to stop their operations, however an email from MS to an ISP carries a lot more weight than one from mutant@you-suck.com
posted by Mutant at 1:36 AM on July 22, 2005


Delete the email, move on and forget about it
posted by ajbattrick at 2:03 AM on July 22, 2005


I enter false details on occasions - generally username: fuckyou

Hopefully it will waste their time a bit.
posted by laukf at 4:55 AM on July 22, 2005


If you forward the message to spoof@paypal.com, you will get an automated reply saying if it's legit or not. Whether they actually do anything with the message is unknown. There's also a spoof@ebay.com address for eBay phishes.

Btw, www.paypal.x.com is actually legit, as the X.com internet bank owned PayPal for a while before they went under. They still own the domain and it gets redirected to PayPal's main site. In any case, whenever I want to go to PayPal, or my bank, or whatever, good practice is typing in the address by hand, rather than following a link from any site or email.
posted by zsazsa at 5:45 AM on July 22, 2005


I had a friend who wrote a script to do this. Of course, when he used it, the phishers unleashed a zombie DDoS attack on him, which resulted in the ISP shutting off his Internet access.

This is not the solution.
posted by grouse at 7:07 AM on July 22, 2005


[sigh]

Thanks, everyone!
posted by trip and a half at 8:46 AM on July 22, 2005


I've received three phishing emails, claiming to be from our non-profit's bank, addressed to three two new addresses I set up for us. What freaks me out is that one of those addresses was never used for anything other than a link on our site, and I've never used the other email to sign up for anything with our bank. How the hell did they associate our email addresses with our bank? The fake bank website was very convincing, too.
posted by DakotaPaul at 10:41 AM on July 22, 2005


Just wanted to note that some of the major antivirus programs that scan e-mail will detect phishing as a "virus" or similar plight and automatically remove the message.
posted by VulcanMike at 3:23 PM on July 22, 2005


« Older When, how, where did the disti...   |  Reccomend a wireless card for ... Newer »
This thread is closed to new comments.