Saturday, July 29, 2006

Anti Phishing Site Calls Out Security Flaws that Phishers Use

I had mixed feelings before writing a post about a site pointing out security flaws used by hackers to create rogue websites. My struggle with it was -- if I were to post on it -- would I be teaching people how to phish?

After thinking about it carefully, I decided I would post on it. After all, "how to scam" information is readily available in IRC chatrooms, and "how-to kits" are being sold right on the Internet. The fact is that all this information is already available to the scammers in "members only" chatrooms.

Kay (the site's author) maintains that the information is to "wake people up" to the problem with phishing. As I stated - earlier - after much reflection, I came to the conclusion that Kay is right.

And there is no doubt that phishing is a big problem that continues to grow, if we are to believe the Anti Phishing Working Group (APWG). Their May report states it is at an all-time high.

The site (fightphishing.blogspot.com) points out security flaws at AOL, MIT, Citibank, Wells Fargo and even the IRS. Interestingly enough, Kay hasn't pointed out any flaws with eBay or PayPal. This week, Sophos reported that 75 percent of phishing attempts are directed towards those two companies' customers.

For a scary look at why creating rogue websites might be so easy, here is a link to Kay's site.

Thinking about this made me reflect on how a person doesn't need to be a "hacker, cracker, or phreak" to commit these crimes - all they need to do is go on the Internet.

Here is an interesting story (describing how non-technical crooks are obtaining technical resources via the Internet) by Kim Zetter at Wired News, "Confessions of a CyberMule."

The story details how a drugged-out prostitute got involved with cybercriminals from Eastern Europe and successfully used stolen debit and credit cards to make a lot of money.

Please note - based on the description I read - this was no "hacker" doing all of this, but rather a "common criminal," who made contact (via the Internet) with the people providing the means to plunder our financial system.

The ghouls doing this are very adept at letting low-level criminals (mules) take all the risks for them. Of course - as in most of these crimes - he only kept a percentage and wired the rest of the money back to his Eastern European employers.

The fact that he was caught means little, because there are plenty more people to recruit out there.

If you would like to help fight phishing - help create awareness - and report it to a new group of volunteers that fight it, link here.

They take care of "getting the word out" to all the right places.

2 comments:

michael webster said...

If you view the source of emails, you can almost always detect a fake or wrong looking url in the very best faked up html email.

prying1 said...

Great post once again Ted!