Foiling the Phishers
Moderator: Wiz Feinberg
-
Jim Peter
- Posts: 164
- Joined: 4 Aug 1998 11:00 pm
- Location: Mendon,Mich USA
Foiling the Phishers
Here is part of an interesting idea I read at the "I, Cringely" site where he talks about stopping phishers.
"Of course, there has to be a better answer to this problem, and five readers in the past week have suggested it. Forget Max Levchin's idea of using bounties. But let's embrace what was at the essence of Max's idea, which is enlisting millions of Internet users in the cause.
If the bad guys out-number the cops by 1,000-to-1, Internet users must outnumber the bad guys by 100,000-to-1 or more.
Fear of punishment won't deter phishing, yet that's all traditional law enforcement has to offer. It's fear of UNPROFITABILITY that will finally work.
The simple way to kill phishing is by making it harder for the phisher to make money from it. Right now, a phisher sends out a million e-mails and gets back 100 replies that yield positive data. There is almost no effort involved in sending out the e-mails after the first one, and the quality of the return data is very high. No wonder this is such a popular business!
Let's change that. If you get phishing e-mail, go the web sites and enter false data. Make up everything -- name, sign-on name, password, credit card numbers, everything. Instead of one million messages yielding 100 good replies, now the phisher will have one million messages yielding 100,000 replies of which 100 are good, but WHICH 100?
This technique kills phishing two ways. It certainly increases the phishing labor requirement by about 10,000X. But even more importantly, if banks and e-commerce sites limit the number of failed sign-on attempts from a single IP address to, say, 10 per day, theft as an outcome of phishing becomes close to impossible.
No bounties are required, no cops, no parallel webmail systems that force us to log-in to e-commerce sites when they tell us to. Phishing just becomes a very unprofitable business, which it should be.
Are you in?"
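The quoted column makes two claims that are easy to model: decoy submissions only raise the phisher's cost if they survive the cheap filtering a phisher would run first (a Luhn check on the card number, sane field lengths), and a per-IP cap on failed sign-ons stops the phisher from sorting the real records from the decoys by trying them. The script below is an added example, not code from the column or from anyone in this thread; the word lists, the "alice42"/"hunter2" account, the IP address and all function names are assumptions. It generates Luhn-valid decoy records, builds the form body a decoy would post (nothing is sent), and simulates a phisher validating a harvest of 999 decoys and one real credential against a bank that allows 10 failed sign-ons per source IP per day.

```python
"""Added example (not from the thread or Cringely's column): model the
'poison the phisher' idea. Two pieces:
  1. a generator for decoy records that pass the cheap checks a phisher
     would run first (Luhn-valid card numbers, sane field lengths), and
  2. a bank-side limiter of 10 failed sign-ons per source IP per day,
then a simulation of a phisher validating a mostly-decoy harvest from one IP.
All names, field layouts and word lists below are assumptions."""
import random
from collections import defaultdict
from urllib.parse import urlencode

# Constructed word lists for plausible-looking decoys.
FIRST_NAMES = ["Alice", "Brian", "Carla", "Dinesh", "Elena", "Frank"]
LAST_NAMES = ["Morgan", "Okafor", "Petrov", "Reyes", "Sato", "Walsh"]
ALNUM = "abcdefghijklmnopqrstuvwxyz0123456789"


def luhn_sum(digits: str) -> int:
    """Luhn weighted digit sum; valid numbers sum to a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def is_luhn_valid(number: str) -> bool:
    digits = "".join(ch for ch in number if ch.isdigit())
    return len(digits) >= 2 and luhn_sum(digits) % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit Luhn-valid."""
    return str((10 - luhn_sum(partial + "0") % 10) % 10)


def fake_card(rng: random.Random, prefix: str = "4", length: int = 16) -> str:
    """Random card number with the given prefix that passes the Luhn check."""
    body = prefix + "".join(rng.choice("0123456789") for _ in range(length - len(prefix) - 1))
    return body + luhn_check_digit(body)


def fake_record(rng: random.Random) -> dict:
    """One decoy submission; every field passes a format check a phisher might apply."""
    first, last = rng.choice(FIRST_NAMES), rng.choice(LAST_NAMES)
    return {
        "name": f"{first} {last}",
        "username": f"{first.lower()}{rng.randint(10, 99)}{last.lower()}",
        "password": "".join(rng.choice(ALNUM) for _ in range(10)),
        "card": fake_card(rng),
    }


def fake_records(n: int, seed: int = 0) -> list:
    rng = random.Random(seed)
    return [fake_record(rng) for _ in range(n)]


def encode_submission(record: dict) -> str:
    """Body of the form POST a decoy would send (built here, never sent)."""
    return urlencode(record)


class FailedSignOnLimiter:
    """Bank side: at most `limit` failed sign-ons per (source IP, day)."""

    def __init__(self, limit: int = 10):
        self.limit = limit
        self.failures = defaultdict(int)

    def sign_on(self, ip: str, day: int, username: str, password: str, accounts: dict) -> str:
        key = (ip, day)
        if self.failures[key] >= self.limit:
            return "blocked"           # refused before the password is even checked
        if accounts.get(username) == password:
            return "success"
        self.failures[key] += 1
        return "failed"


def simulate(n_fake: int = 999, limit: int = 10, seed: int = 0) -> dict:
    """Phisher validates n_fake decoys plus one real credential (placed last)
    from a single IP on a single day. Returns counts per outcome."""
    accounts = {"alice42": "hunter2"}      # constructed 'real' account (plaintext only for the simulation)
    harvest = fake_records(n_fake, seed) + [{"username": "alice42", "password": "hunter2"}]
    bank = FailedSignOnLimiter(limit)
    counts = defaultdict(int)
    for rec in harvest:
        counts[bank.sign_on("198.51.100.7", 1, rec["username"], rec["password"], accounts)] += 1
    return dict(counts)


if __name__ == "__main__":
    print(encode_submission(fake_records(1)[0]))
    print("with 10/day limit:", simulate())
    print("without limit:    ", simulate(limit=10**9))
```

With the limit in place the phisher gets ten failures and then 990 refusals, the real credential among them; without it the same harvest yields one success after 999 failures. Two caveats a practitioner would add to the column's argument: the cap is per source address, so a phisher who spreads the checks over many addresses pays only for the addresses, while legitimate customers behind one shared NAT address can be locked out together; and decoys typed by hand ("1234", a one-letter password) are dropped by the phisher's first filter for free, which is why the generator above bothers with the check digit.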
-
Bill Llewellyn
- Posts: 1921
- Joined: 6 Jul 1999 12:01 am
- Location: San Jose, CA
Jim,
Interesting idea. But is there any downside to clicking on the login links these people include in their phishing messages? Can virii or spyware be snuck onto one's PC just by visiting these bogus login pages, even without entering data?
------------------
Bill, steelin' since '99 | Steel page | MSA U12 | My music | Steelers' birthdays | Over 50?
-
b0b
- Posts: 29079
- Joined: 4 Aug 1998 11:00 pm
- Location: Cloverdale, CA, USA
Smart thinking, Bill. I looked at my PayPal and Ebay cookies, and there's no unencrypted personal data in them.
I get half a dozen phish emails a day for Ebay, PayPal and banks that I don't even have accounts at. I routinely forward (as attachments) to spoof@ebay.com and spoof@paypal.com. I think I'll start joining the activist effort here, especially with the various bank phish emails. Better than just deleting them.
My email address has been stable for about 8 years now, so I'm on every damn mailing list in the world. I wake up every morning to about 20 emails, and only 3 or 4 of them are real. I probably delete 50 junk emails every day.
------------------
Bobby Lee
-b0b- quasar@b0b.com
System Administrator
My Blog
-
Ken Lang
- Posts: 4708
- Joined: 8 Jul 1999 12:01 am
- Location: Simi Valley, Ca
-
Bobby D. Hunter
- Posts: 165
- Joined: 24 Jul 2004 12:01 am
- Location: USA
I also report phishing sites, but in addition to sending a report to the spoof addresses, I also file reports via SpamCop. ISPs usually pay attention when they are notified that one of their members is doing a criminal activity. Unfortunately, most of the current crop are hosted by Chinatong, who could care less about spammers, scammers, or phishers. Others are hosted in Russia, by similarly minded criminal hostmasters.
One can make a dent in these schemes by utilizing the services of http://friedspam.net (Internet Explorer users only).
------------------
Bobby D. Hunter
Security for SGF
Hunting down Slimeball Game
Reporting member of SpamCop
[This message was edited by Bobby D. Hunter on 04 July 2005 at 03:15 PM.]