Forgot your password?
typodupeerror
Privacy Security The Internet

Netcraft: 5,600 Phishing Sites Since December 181

Posted by timothy
from the not-good-news dept.
miller60 writes "Netcraft has tracked and blocked 5,600 known phishing sites since the December launch of its anti-phishing toolbar, which it has now updated with a risk rating feature that warns users about new sites with phishy characteristics, based on trends observed in known phishing scams. It has also started a service that makes the full list available of phishing sites as a continuously updated feed for service providers and companies to use in mail servers and web proxies." One bad sign: the phishing attacks I see are getting (on average) more professional in their phrasing -- it used to be easy to toss out the trawlers based on their spelling alone.
This discussion has been archived. No new comments can be posted.

Netcraft: 5,600 Phishing Sites Since December

Comments Filter:
  • Spelling (Score:5, Funny)

    by Anonymous Coward on Monday May 02, 2005 @02:15PM (#12410091)
    the phishing attacks I see are getting (on average) more professional in their phrasing -- it used to be easy to toss out the trawlers based on their spelling alone

    One could say the same for the /. trolls.

  • by Kozz (7764) on Monday May 02, 2005 @02:18PM (#12410122)
    Funny thing, I submitted a phishing site to Netcraft and was notified that it was a new one to their database, and what do they do?

    They ask me to reply to their email address with my full name, street address so that they can send me a "gift". I don't know what it is (haven't received it yet), but thought it ironic that they were soliciting information in a phishing-style.

    I sent them the address so they can send me a gift (t-shirt? who knows) since I knew I had contacted THEM about the particular phishing URL, and the info they requested could be gleaned by someone who wanted to find out, but found it humorous nonetheless.

    Anybody know what is this "reward" they mail you? I'm curious.
  • One Day (Score:3, Insightful)

    by ericschoon (814346) on Monday May 02, 2005 @02:19PM (#12410139)
    The phishing community will learn to read an write in a professional manner. When that day comes, the world will end

    no wait.... only those gullables will find themselves in trouble.

    Phishing is only a problem when you aren't paying attention.
  • Live Bait (Score:2, Insightful)

    by Doc Ruby (173196)
    The great crime in this phishing system is at the Patent and Trademark Office. We fund the office, subsidizing corporate IP owners by defending their IP. But when the PTO could enforce trademark IP to protect the consumer, they do little or nothing. How come Citigroup isn't spending billions to protect its trademark, which is used to con thousands of people a day into phishing scams?
    • probably because it costs less money to pay out chargebacks and do nothing to help repair stolen credit compared to paying a swarm of lawyers to track down phishers
      • probably because it costs less money to pay out chargebacks and do nothing to help repair stolen credit compared to paying a swarm of lawyers to track down phishers

        Bingo - I think you got it. The chargeback hits the merchant. The credit card company really pays nothing anyway AFAIK.

        IMO, it's perfect. The purchase occurs, and the merchant pays the piper.

        Imagine this economy for a second now:

        1) Phishing scam begins
        2) Customer CC#'s are stolen
        3) Computer gear is purchased with stolen CC#
        4) Phisher
    • Re:Live Bait (Score:1, Informative)

      by Anonymous Coward
      The PTO doesn't enfore antything. It only grants or revokes. Enforcements take place at courts and usually only after charge by the patent/trademark holder.
    • Are you serious?
      So instead of the whole Fraud thing, we shoud nail them for trademark stuff?
      I do agree that these companies should be doing more to protect their customers though.
    • Re:Live Bait (Score:2, Interesting)

      by Anonymous Coward
      Insightful? Interesting? Who modded this spew of disorganization up?

      "But when the PTO could enforce trademark IP to protect the consumer, they do little or nothing."

      This is because it's left to the trademark owners, not the PTO.

      "How come Citigroup isn't spending billions to protect its trademark, which is used to con thousands of people a day into phishing scams?"

      Should *you* be held liable if someone uses *your* identity to scam others? If someone nabs your SIN and starts causing mischief, should yo
      • Both should be proactive - they're both part of the system that protects trademarks from abuse by others. Which is entirely to protect consumers: read the Lanham Act sometime, the basis of trademark law. It requires trademark owners to agressively defend their mark from infringement, because dilution confuses the consumer in navigating the market.

        Then maybe you can spew your disorganized posts, naive questions, and obnoxious bitching, Anonymous clueless Coward.
    • Re:Live Bait (Score:4, Insightful)

      by Rasta Prefect (250915) on Monday May 02, 2005 @02:48PM (#12410501)
      The great crime in this phishing system is at the Patent and Trademark Office. We fund the office, subsidizing corporate IP owners by defending their IP. But when the PTO could enforce trademark IP to protect the consumer, they do little or nothing. How come Citigroup isn't spending billions to protect its trademark, which is used to con thousands of people a day into phishing scams?

      First off, phishers are _hard to catch and prosecute_. They're often located in other countries using and/or using compromised resources such as zombified home machines to serve their pages. They're committing fraud, they're not going to stop because Citigroup sends them a cease and desist. Thats like saying the real crime of the war on drugs is that the IRS hasn't dragged in all of these drug kingpins for not paying taxes.

      Secondly, who the hell is subsidizing anything? The Patent Office takes in more in user fees than it spends - It's a yearly budget battle for them to keep more of what they bring in, not to get more money from congress. They've been totally user fee supported for at least 12 years now.

      • In point of fact, mistakenly combined the PTO and the Justice Department and Branch, when complaining that we subsidize "the PTO", which doesn't properly defend trademarks from phishers. Just as you just combined the IRS and the FBI, which together fail to drag in all these drug kingpins for not paying taxes. But in fact, failure to pay taxes isn't in the critical path of stopping drug dealers. If you complained about "the FDA" not dragging them in for selling unsafe products without quality or health testi
    • Perhaps some big corporation should patent phishing and not use it, but instead go after those who infringe on their patent.
    • Moderation +1
      40% Insightful
      30% Overrated
      20% Offtopic

      What is "Offtopic" about pointing out that phishing depends on trademark exploits, which the PTO isn't addressing? And that "Overrated" mod is really just the most cowardly TrollMod of all: anonymous, unsupported, but negative.
  • Gasp! (Score:1, Redundant)

    by jleq (766550) *
    I'm going to get paid $2 million to transfer $14,000,000 worth of money from the All-Super Bank of Nigeria to an undisclosed location? Sounds too good to be true! Oh, wait...
    • The nigerian scams aren't Phishing scams.... Phishing scams are the emails you get from your bank or paypal saying that you need to update your information. The link in the email is to a page that looks exactly like your bank's page, but the information you submit goes to the crooks. So they have your bank information or paypal information or whatever.
      • I'm going to get paid $2 million to transfer $14,000,000 worth of money from the All-Super Bank of Nigeria to an undisclosed location? Sounds too good to be true! Oh, wait...

        The nigerian scams aren't Phishing scams.... Phishing scams are the emails you get from your bank or paypal saying that you need to update your information.

        Maybe he has a Nigerian Express credit card and phishing scams on Nigerian Express credit cards work that way.

        In other words, he gets an e-mail saying that he needs to updat

      • The link in the email is to a page that looks exactly like your bank's page, but the information you submit goes to the crooks.

        Often, the sites even have Jen-You-Whine graphics from the banks/institutions being scammed, because the real site owners don't even take the precaution of checking the brower referrer header. If you request (say) a Citibank.com graphic and the referring page isn't one one that belongs to Citibank, then it should come up with a graphic that includes "NOT A LEGITIMATE CITIBANK SITE"

  • firefox toolbar? (Score:3, Interesting)

    by bdigit (132070) on Monday May 02, 2005 @02:20PM (#12410164)
    Is there any toolbar available for firefox? This would be a great thing to install on my relatives computers or anyone's computer for that matter.
    • Re:firefox toolbar? (Score:3, Informative)

      by Rude Turnip (49495)
      Firefox one-ups this already by doing 2 things:

      1. Encrypted URLS turn the address bar to a gold color to remind you that you're on an encrypted site. And, more importantly,

      2. In the lower right hand corner of the screen, Firefox tells you the name of the site to which the digital signature certificate is assigned.
      • by elid (672471) <(moc.liamg) (ta) (dopi.ile)> on Monday May 02, 2005 @02:45PM (#12410459)
        Yes, but that's probably too difficult for the average relative to understand.
      • First of all, the gold color address bar idea is the same as IE with SP2, where it also happens.
        Second, Phishing sites can be encrypted too, that's stupid to say just because it's encrypted it's safe. As for the site giving the certificate, if they trust a site called "http://128.61.33.532/citibank/login.html" then do you really think they will look for encryption information?
        • Most browsers will show a warning when it sees the certificate is invalid/signed by someone you don't trust. Though if they don't understand the "THIS SITE'S CERTIFICATE CAN NOT BE TRUSTED" message, then I don't think theres anything that could help them short of not being allowed to use the computer.
          • The message you refer to is a lot less alerting than that, and in fact looks almost like the other stupid stuff people just click through. So no, that doesn't help as much as you claim.
  • Yet the list of "phishing" sites is apparently encrypted. That helps out the crooks.

    Is that list being provided to law enforcement?

  • Neat idea. (Score:4, Interesting)

    by going_the_2Rpi_way (818355) on Monday May 02, 2005 @02:24PM (#12410204) Homepage
    The only problem that I see is that those people with the Netcraft toolbar are probably already in the low-risk category for this type of scam (although I guess the fact that they install toolbars at all makes it a slightly more at risk group) since they're reasonably aware of the problem. Still, Netcraft continues to impress me with excellent tools and insight on web traffic and secuirty trends. A daily must-read for webmasters, far more so than Alexa.
  • New sites: ouch! (Score:5, Insightful)

    by jfengel (409917) on Monday May 02, 2005 @02:25PM (#12410221) Homepage Journal
    One of the factors that goes into the risk rating is the age of the site. That's a good insight: phishers tend to create new sites often, as the old ones get closed down or are simply dropped.

    But man, wouldn't it suck to open a new site only to have Netcraft scare off all your customers?

    I wonder what "new" means. How long do phishing sites stay around? And how badly would this kill the buzz of the initial marketing effort?

    Time isn't the only tool they have in the toolbar, so hopefully novelty as the only warning sign won't ring any alarm bells.

    Eventually, phishers will work around this by creating sites and only activating the phishing attack after the requisite time period has elapsed. But that's work, which weeds out the laziest phishers. Watching the escalation of tactics is going to be fascinating.
    • Watching the escalation of tactics is going to be fascinating.

      After all, technical solutions have worked SOOOO well against Spam, and email worms.

      /dripping sarcasm

      • Yup! Gmail works fantastic in regards to those.
        Using Thunderbird or Outlook are you?
        Both of those have worked badly for me with spam blocking and virus detection...
        • SpamBayes plugin for Outlook works quite nicely - http://spambayes.sf.net/ [sf.net]
          • how many slip through, and how many false positives do you usually get a month?
            asking just out of curiosity... I havin't used outlook in a long while.
            • How it works is there's a lower bound for non-spam, an upper bound for definate spam, and everythign else gets thrown into a 'suspect' folder which is great for keeping up with changing language.

              I get zero false positives reaching the definate spam bin, 2 or 3 a week from mailing lists get into suspect. I see maybe one a week which hasn't been flagged as suspect and is sitting in my inbox.

              There's only 5 or 6 a day in the suspect folder to deal with, and since it's a Bayesian filter they all help to keep i
      • After all, technical solutions have worked SOOOO well against Spam, and email worms.
        /dripping sarcasm

        Some do, some don't. I find that most of my spam is now caught by various RBL's like Razor/Pyzor, and DCC. Plus a few of the new tests added in SpamAssassin [apache.org] 3.0. Bayesian scoring seems to do very little now, the spammers have found ways to obscure words so that they don't attract attention. But SA (even before 3.0) has tests for those tricks as well. Plus Clam AV [clamav.net] appears to be adding new signatures

        • Ditto here, but as soon as I think I'm making progress, Marketing bitches that they aren't receiving mail from their "industry contacts".

          No, really.

          • Do you keep the rejected emails? My "site" is just a small family network providing email for a few people. So the number of spam/virus/phishing emails isn't that large. In fact, my honeypot address now gets far more spam than any of the real email accounts that the system handles.
    • One of the factors that goes into the risk rating is the age of the site. That's a good insight: phishers tend to create new sites often, as the old ones get closed down or are simply dropped.

      Force the people who register URL's to have proof of who is buying the domain. Force them to have a credit card to buy, and force them to give a phone number and address that must be verified prior to making the URL go live. Banks do this, they check your social security number, they check your home address. Why ca

      • ummm.... ya. I'll choose "no" to tracking url registers which won't do any good since most phishers are from other countries or register in countries that don't care. You're proposing the firemen trying to stomp out a forrest fire with their shoes.
  • Not only are these fishing sites sneaking past my spam filter, one came worded as an alert that someone was misusing my Ebay account. Of course, I knew it was a fake before I even checked where the URL was going, but man, someone spent a lot of time thinking it up.

    I'm not admiring them. I'm not trying to understsnd them. I just look at it like "what an utter waste of a mind."

    • but man, someone spent a lot of time thinking it up.

      Hint: Enable "full headers" on your e-mail. That way you won't spend a second before hitting the delete button.
      • Dude, I do this for a living. Unless you are intimately familiar with the IP addresses of every host you receive email from, you are wasting more time peering through the headers than employing common sense.

        And I don't just delete the message. Phishing Scams like these I actually forward on to Pay Pal and Ebay's fraud units. It takes a few extra minutes, but it helps me sleep better at night.

        • Phishing Scams like these I actually forward on to Pay Pal and Ebay's fraud units.

          They sure don't make it easy... I tried forwarding one *twice* today to spoof.ebay.com and they rejected it each time because it wasn't done just the way they wanted. If I can figure out how to tie the pretty bow they want around the forwarded message, I might even succeed in giving them the information next time!

          - Leo
    • ebay spoofs (Score:3, Informative)

      by jangobongo (812593)
      I got that ebay spoof, too, a while ago. That kinda scared me until I contacted ebay and they confirmed that, indeed, it was a spoof.

      I got a newer one just a short while ago that said:
      • Subject:*** Your eBay Bid was Cancelled ***


      • Dear eBay Community Member,

        The bid that you entered for the item ( 5569407583[original link removed] ) has been cancelled. You can view the reason provided for the cancellation by selecting the link bellow[sic].

        http://cgi.ebay.com/ws/eBayISAPI.dll?Item=55694075 83&Bi [ebay.com]
  • by yotto (590067) on Monday May 02, 2005 @02:35PM (#12410343) Homepage
    it used to be easy to toss out the trawlers based on their spelling alone.

    I've always detected the trawlers by the fact that they're asking me to give them information via email.
  • by x.Draino.x (693782) on Monday May 02, 2005 @02:37PM (#12410377)
    Dear Slashdot Reader,

    We regret to inform you that our subscription database was lost in a major crash. In order to continue your advertising-free dupe ridden news service, we require you to verify your account details. Please have your credit card handy and head on over to Slashdot Subscription Verification [slashd0t.org] to verify your account. Once again, we apologize for the mis-hap.

    Sincerely, teh Taco.
    • If I had mod points, you'd get 'em all. :-)
    • Please have your credit card handy and head on over to Slashdot Subscription Verification to verify your account

      The site you linked doesn't work. For the record, my credit card details are:
      Name: Mr John Citizen
      Visa Card number: 4940 5233 1123 0876
      Expiry: 06/07
      3 digit verification number: 666
      Billing address:
      202B King William Road
      Hyde Park, SA 5061
      Australia

      BSB (branch routing) number: 065-332
      Account number: 00222334
      Pin number: 3356 ( MY MOTHER'S DATE OF BIRTH )
    • teehee.slashd0t.org?

      I'm sorry, but one of your DNSes drops all packets on port 53, and the other one doesn't even respond to ping.

      Could you provide alternate contact means so I can send you my personal data?
  • by John Seminal (698722) on Monday May 02, 2005 @02:40PM (#12410398) Journal
    It seems the real crooks like the dark shadows, they don't like being seen. The old addage of don't walk alone at night, walk in lighted places, ect... how do they translate for the world of the internet. With the web, there is more anonymity. It is just what the crook wants, a place where they can do their crimes and not be seen. Plus, it is easier to give the perception that you're in a nice well lite area, it's safe here. You can't fake that kind of perception in a ghetto.

    The obvious responce will be more laws. Laws that will take away the freedom of the non-criminal. The RIAA is forcing ISP's to hand over IPA's. Commercial websites track customers. How long until the web requires authentication just to do anything?

    I hope the government really hurts the first people it catches. But until the laws change, I doubt it will be that bad. If you could rip off 1,000 people for $1,000,000, would you? What if it meant 5 years in prision, and you could hide the money so it was there when you were released?

  • by Anonymous Coward on Monday May 02, 2005 @02:44PM (#12410451)
    I actually looked into making a Firefox extension that worked with the netcraft phishing list. that you get from using their toolbar. I'm still just learning to code Firefox plugins, so I thought it would be a fun exercise. I put it aside for now since there is a big "DO NOT REVERSE ENGINEER OUR SOFTWARE" type notice in the install license, and I still have a long ways to go in learning to program Firefox extensions. I figured out how it works by reading the log file, is that reverse engineering these days?

    Anyway, how the blocker works is pretty nifty, the toolbar creates an MD5 hash of each the url you visit, then compares it to a file that the toolbar auto-updates with the MD5 hashes of the bad urls. To figure out where info is coming from, take a look at "blocked.log" in the Toolbar directory, you'll see the lines that update "blocklist.dat". The only problem I saw is that www.badsite.com/bleh.html might be in there, but www.badsite.com itself might not be, even if both are really the same page.

    I still think the best anti-phishing software would be a program that just notices when you are doing something really boneheaded. It would do things like shout "Hey, that's your ebay username and password and this isn't ebay! Are you sure you want to do this?" and "This page isn't posting to an encrypted page and that is a credit card number! Are you sure about this?". Just my little idea, I'm sure there are plenty of problems with it.
    • What would be the drawbacks of maintaining a list of crooked URL's, then having the program add them to the hosts file with an IP mapping to a safe site that explains why the site was blocked and how to unblock it if desired? This could actually be run as a seperate program, as needed, instead of adding that extra (tiny) bit of load time and another toolbar. Run the program and it checks the netcraft list against the hosts file, adding or deleting (if a domain was sold or turned legit) as needed. It would a
  • Netcraft has tracked and blocked 5,600 known phishing sites

    Yes, but how many unknown phishing sites have they tracked and blocked?
  • by krbvroc1 (725200) on Monday May 02, 2005 @02:50PM (#12410520)
    The biggest problem is the inability to email a person who cares at a lot of these places. In the past two weeks I've tried to find contacts for domains that were hosting ebay phishing pages. Emails to 'support', 'webmaster', internic domain contacts all go unanswered and the sites remain. I reported this one a week ago, its still up: http://210.0.213.115/~homepage/Secure/eBay/cgi-bin /index.php [210.0.213.115]
    • Amen to that - I had the same experience with eBay - I am NOT signing up to tell them that someone is trying to scam their customers. Make it easy for me to report, or I'll just bin it.

      After all, if they don't care enough to make it easy to report phishers abusing their name, why should I make the effort to find out how to report it to them?
    • That one is hosted from a luthrian school somewhere that speaks Chinese. Here is there contact information, but don't speak the language so I'm not sure that they would be able to read it if I were to send one.

      mailto:lck@lck.mysch.net [mailto]
    • by hazzey (679052)
      I don't know how well it works, but there is always: spam@uce.gov It is the FTC's official phishing reporting address. http://www.usdoj.gov/spam.htm [usdoj.gov]
    • Send the info to ebay (spoof@ebay.com)- they have a whole department set aside for pursuing these. As I stated in another post [slashdot.org] previously, here is the link that tells what to do with this info:

      http://pages.ebay.com/help/policies/id-account-t heft-spoof.html

      As far as I know, you don't have to be a registered member to report these phishers.
    • The biggest problem is the inability to email a person who cares at a lot of these places.

      Quoting myself, I know. However, this past weekend, I tried going to http://www.bestbuy.com/ [bestbuy.com] and the site reports that 'I dont have cookies enabled'. They must have some problem on their site so I figure I would report it to them (after testing it from 2 different machines). Emails to 'webmaster' and 'support' bounce. Emails to their DNS contact bounce. Another example of no way to get in touch with someone who give

  • With a staggering 1 out of 14 websites in Syria categorized as a phising site, I'd like to congratulate Syria for doing a staggeringly good job...

    Eh, I can't even think of a joke. One out of every 14 sites? Jeez.

    Perhaps it's time for a little liberation?
  • "it used to be easy to toss out the trawlers based on their spelling alone."

    while true, they all still contain some form of 'verification' and urgency to the request. I see 'verify' or 'confirm' and I didnt recently sign up for a forum or ask for a password reset, I get rid of it
  • by SpaceAdmiral (869318) on Monday May 02, 2005 @02:52PM (#12410558) Homepage
    I've visited Phishing sites before, but I just don't get it. You'd have to be stoned or something to appreciate their music.
  • Why are they so hard to catch?
  • She's friggin paranoid and doesn't give out ANY info unless you're standing right there in front of her and you'd better not be planning to go anywhere cause she'll take her info back before you do.

    She uses FireFox and ThunderBird, (fuck IE and Outlook,) despite knowing barely enough to switch on the machine.

    My wife... I think I'll keep her. :-)

    As for me... She's taught me well.

    CNet's site been mined for addresses so I got that crap from them (maybe CNet is in worse financial shape that they're letting
  • by Tom (822)
    it used to be easy to toss out the trawlers based on their spelling alone.

    And it still is. I don't have an account with the First Whatever Bank, so it must be spam. I know that neither paypal or ebay will send me mail asking for my password. I know that my bank doesn't even know my e-mail address.

    What is wrong with you people?

  • by Anonymous Coward
    cince netcraft is whoring the community for their free data and then selling it to people. Can we make a nice firefox version that reports to FREE servers (ala freeDB style) that we can get going?

    or did netcraft patent it?

    I personally would trust a OPEN list that is under the eyes of many than a closed and encrypted secret list that can have sites or ip addresses secretly added to serve an agenda.

  • Wait, I thought the sole purpose of Netcraft was to confirm us all that BSD is dead? Has /. betrayed my trust?
  • I would recommend AmavisNew+ClamAV+SpamAssassin, it's a killer combo!

    Most of the Phishing is detected as virus by ClamAV on my servers, and the few that escapes from it are stopped by SpamAssassin.

    I administrate a small server, with only a few hundred accounts. But it's still amazing how it effectively stops virus/spans/phishing.

    Funny thing is, we're behind a SymantecAV server... as required by the company "secure policy". But most of the new virii passes through it... and in the end AmavisNew and ClamAV
  • professional? (Score:3, Insightful)

    by drew (2081) on Monday May 02, 2005 @06:19PM (#12413560) Homepage
    One bad sign: the phishing attacks I see are getting (on average) more professional in their phrasing -- it used to be easy to toss out the trawlers based on their spelling alone.

    i'll be worried when i start seeing attacks imitating places that i actually have accounts at. other than paypal, i don't think a single one out of the thousands of phishing attacks i've received has tried to imitate a bank or institution that i actually do business with.

    maybe it's just me, but i would think that when people see hundreds of emails coming from places they've never done businesss with in their life, they might be a little suspicious when they see one that's almost exactly the same except with their bank's logo on it, no matter how well written. or am i expecting too much of the average person?
  • it used to be easy to toss out the trawlers based on their spelling alone.

    For me, it's still easy. If it says it is from any sort of "phinancial institution", it's a phishing exercise. Email is one thing that I do NOT give to banks, credit card companies, or other companies that deal with my money. If a bank ever tells me that I authorized something to be transfered via electronic means, they damn well better be ready to provide restitution, because I do not and will not authorize any such transfer, except

"Life, loathe it or ignore it, you can't like it." -- Marvin the paranoid android

Working...