Safe Speed Forums

I don't know about you folk but I get zillions of emails hoping I'll put passwords into fake web sites. This process seems to be known as 'phishing' these days, but years ago I knew the approach as 'chameleon'. It beats all password security because users are tricked into giving their passwords to a third party while believing that they are logging in correctly.

It seems to me that we could swamp the phishers out of business quite easily if we entered plausible but imaginary log ins to their nasty harvesting pages. Don't they take the data and use it to log in manually at some point?

What's the current thinking on this nonsense?

_________________
Paul Smith
Our scrap speed cameras petition got over 28,000 sigs
The Safe Speed campaign demands a return to intelligent road safety

Manually entering such a large amount of harvested data would take ages even if it was correct, much easier to have a script running.

_________________
What makes you think I'm drunk officer, have I got a fat bird with me?

You're not the only one Paul. I've had nearly 30 of them overnight! I suspect it's best to ignore them.

I tend to report then to the real organisation they purport to be from. Banks and building societies are keen to know about these sort of attacks on their security.

I get well over 100 a day.

_________________
Paul Smith
Our scrap speed cameras petition got over 28,000 sigs
The Safe Speed campaign demands a return to intelligent road safety

You need a better spam filter!

if you can, ignore them and delete without opening (autopreview?) as simply opening some will confirm your email address as genuine. my company's filter get rid of most, but some always get through and are deleted on sight.

I didn't say they didn't get filtered did I?

_________________
Paul Smith
Our scrap speed cameras petition got over 28,000 sigs
The Safe Speed campaign demands a return to intelligent road safety

I'll do that if it is a variant I haven't seen before, otherwise I just delete them. Most are being picked up by the spam/virus filter at the moment so I assume they are already well known.

Quite awhile ago I got an e-mail from EBay asking to update it's records. It was before phishing was widely know(at least I hadn't heard about it) and naively I put my details in. I felt someonthing wasn't right so I changed my password and contacted Ebay who confirmed it wasn't genuine. I'm a lot more warey now, I still buy a lot of stuff and bank on the net though thankfully have never had a problem - touch wood!

The giving away of personal details is the main risk but you also run the risk of computer hijack via your web browser by simply visiting such sites. If you are tempted to visit and enter false details make sure your security is in tip top condition.

Another issue is that by simply clicking the link or viewing the email you may be flagging that email address as valid. This makes it much more valuable to anyone selling email addresses. You are therefore helping the criminals.

It would take a vast number of sets of false information to make any kind of dent in the phishers profit margins anyway. Email spammers expect only something like a one in a million of their mails will result in any income.

I usually go to them (as long as there is nothing in the URL to confirm my e-mail address) and enter fake data just for fun.

If you enter a random login username/password and it just lets you in then it's got to be fake.
I usually fill in fake details because I like to see how their sites look.

I report eBay scams but haven't seen any others lately. I've been getting viruses and lots of them. (oh look, there's one now!) Shame they don't run on my Mac

I once pointed out to a bank that the fake site used logos pointing to the real site. If the real site had made a copy of that image with a different name and changed their pages to look at the new image name they could have made the old one say "this is a fraud site do not enter your details". They didn't listen/understand.

Also the fraud sites usually redirect to the real site at the end. Chances are the real site could monitor the referer URLs coming in to it and if it's from a known bad site redirect the user to a page telling them what has happened and that they must change their password and notify their bank. But I know no banks would listen to me if I suggested that. Too complex I'm sure.

_________________
Andrew.

I don't know if it is of any help but I use mailwasher and that bounces E-mails back address unknown.

Been using for some years now, even actually upgraded and paid for it and so far been very pleased with it.

http://www.mailwasher.net/

_________________
Shooting is good for you and too good for some people.

Set up an HTTP script to plug random sequences of alpha and numeric characters into the userid/password fields of the phisher's site repeatedly. Hit "run". Leave running until phisher's web server runs out of disk space. Job done.

_________________
“For every complex problem, there is a solution that is simple, neat, and wrong.” - H. L. Mencken

Brilliant - I thought it was so good I rang the computer crimes unit at Scotland Yard and gave it to them. I spoke at length with Robert Buris there (he's no fan of speed cameras ). He's got concerns about the legality of the idea, but agrees it would be a useful countermeasure. He's going to put it up for legal advice. Nice chap.

_________________
Paul Smith
Our scrap speed cameras petition got over 28,000 sigs
The Safe Speed campaign demands a return to intelligent road safety

Only down side is that if all the random logins come from the same IP and the crooks are clever enough to log IP addresses with each record they just delete all records which match your IP address.
(sorry, I like to solve computer problems!)

_________________
Andrew.

But if say 10,000 people ran the same script...

That might well work

_________________
Andrew.

As each combination would only use a couple of bytes, I just checked my user & pass - only 30 BYTES not Kb!! (4Kb on disk - 30 bytes actual), we could be looking at billions, if not trillions of fake id's to kill a web servers storage!

The trouble with that is you are bouncing them back to a fake or hijacked address. Creating extra traffic for no benefit to anyone.



This would be a DoS attack. And would most likely land you in more trouble than the scammers.

A while back one of the A/V companies distributed a screensaver which would similarly attack sites of known spammers. This was removed after allegations of it constituting a DDoS attack.

Sorry but the only solution is to educate and protect end users.

You are right but I am an end user and I can get rid of any E-mails I don't want before they come to my computer and bouncing them does seem to reduce the repeats. These things happen, like junk mail, because the end user actually accepts them.

_________________
Shooting is good for you and too good for some people.