Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

Fighting back against phishing – two wrongs do not make a right

September 11th 2005 in Uncategorized

There is a URL circulating that purports to fight back against phishing sites, being http://www.phishfighting.com/

Sunbelt reckons its “fun” to fight back:

Here’s the deal.  The sentiment is great, but the reality is not.  Having “fun“ is of no practical use (although it may make you feel good). 

Many phishing sites are hosted on compromised computers – computers that have been hacked.  The owners have no idea what has happened to their systems, and invariably each phish site only lasts 5 to 9 days (on average) before the phishers move on.

Who are we punishing here?  The victim whose computer has been hacked and who has to pay for the phisher’s bandwidth, and now the bandwidth generated by sites like phishfighting?  Are we punishing the phishers? They don’t care.  When one site is compromised they simply create a new one. 

We’re dealing with professionals who are more than capable of weeding out and discarding fake data.  All they need to do is whip up a little programme that will retrieve, and test, information provided with no human interaction or effort.  If you think that there is a person, or a series of people, wading through print-outs trying out each log-on by hand, I’m betting you’re wrong in that assumption.  Think about it. How many millions of phish emails do you think are sent out every day? 

Microsoft reported in their Anti-Phishing White Paper back in mid 2005 that over $2 billion has been lost to phishers. $2 billion!!!  With that sort of money the phishers can handle as much fake data as phishfighting can throw at them.

Let’s also consider the fact that unless phishfighting changes their IP address regularly their fake data is easily captured and dumped.  Its very easy to whip up a programme to search for mulitple submissions by one IPs, and just as easy to find submissions sent via anonymous remailers and cloakers.

Not only that, the Anti Phishing Working Group advised in their July report that there has been a 100% increase in the number of phishing sites that attempt to infect systems with keyloggers and trojans to capture sensitive information such as usernames and passwords.  The implications are far worse, in such circumstances, than the compromise of username and password for one financial institution.

What is phishfighting’s “Method One” for retrieving a phishing URL?  They say “Simply click on the link and copy the real url from the browser bar.  Caution: This method can be hazadardous. If you system is not well protected, it is possible that clicking the link could download viruses, trojans or other unwanted programs.“  (The stuff in blue was added after this Blog entry first went live) – at least we know those behind phishfighting are listening) 

NO!!!  DON’T DO IT!!!!!  Don’t open the email!!!  Don’t click on the link!!!!! 

Edit: Let’s expand on this – If a phishing email includes remote graphics, and your email client is set to download such things, simply by opening the email you are confirming that your email is “live“, making it immediately valuable to all kinds of spammers, and saleable. 

URLs used by spammers and phishers are sometimes unique – another way that spammers sniff out whether an email address is live or saleable. 

This means that, even if they don’t get your financial details, the scammers can still make money off you by selling your name and your email address to other spammers and phishers.  Please, don’t expose yourself to the bad side of town like that.

Some phishing emails and phishing web sites attempt to infect computers as soon as an email is opened, or the site is visited, by using certain old security vulnerabilities that *should* be patched, but may not be.

DO NOT open spam emails. DO NOT go to phishing sites. End of story.

All that we get from services such phishfighting is a misplaced sense of satisfaction that we are somehow hurting the phishers. 

There is NOTHING on the phishfighting site that teaches users how to report phish sites to ISPs and get them shut down legitimately.

Phishfighters say that they are not using a DOS (denial of service) tactic because they only send one fake alert every 20 seconds.  Is that 20 seconds per report, or 20 seconds per URL?  The site doesn’t say.

Don’t use services such as phishfighting. 

Use spamcop to report spam emails (http://www.spamcop.net/)

Learn how to read emails headers and report spammers to their ISP (http://www.stopspam.org/email/headers.html) but remember, the spamming computer may be a zombie, the owner may have no idea what has happened, so be nice.

 Use allwhois (http://www.allwhois.com/) to trace the host of phish sites and report their existence direct to the host ISP – get the site shut down.  Again, remember the host computer may have been hacked, and the owner completely unaware of what has happened.  Be nice. 

Please, don’t use services such as phishfighting and DON’T open the emails or click on the link … please.

Comments are closed.

Note: Patched means turned off, not fixed:https://addons.mozilla.org/messages/307259.html
Until Mozilla releases a version of Firefox with IDN turned off by default, or an integrated fix, any new user of Firefox will be vulnerable, unless they know to go searching for the fix/patch.  At time of writing there is no alert on the home page (getfirefox.com) and Firefox […]

Previous Entry

Did you know that there is a special utility available on MSDN that makes it easy to add RSS to your web site?  Check it out here:RSS Tool for Frontpage 2003

Next Entry