Stupid Email Phishers

Just opening a thread to curse the email phishers that send out those fake notices. Usually they’re pretty obvious, for a bank I don’t belong to or something. But this morning I got one from “eBay” claiming my account has possibly been compromised. IP address of the offender, all the URLs looked good… I didn’t click, though. For one, I don’t click links like that from email, and besides… the address they sent it to was a ‘feedback’ address, not one of my personal email addresses. They harvested it from the web, obviously.

Yeah, it’s a pretty pointless little mumble of a rant, but face it… these people are scum.

Yea, I get phish like this from time to time as well. It will look real good. The images will be actual ebay images, there may even be some actual links in the email to ebay itself. But the link they are telling you to click on will be subtly wrong. They don’t do the dotted-ip’s anymore; everyone’s caught on to that. No, the link, if you hover your mouse, will be something like www.ebaysecure.com/confirm. If you don’t read it closely, you’ll think it really is ebay. But if you do a “whois” lookup on it, you’ll find it’ll be associated with somebody with no vowels in his name or some such.

If you’re so inclined, go to ebay and look for “report abuse” or some such and report this scam. They’ll at least be able to shut down (this) site …

Dammit, that wasn’t supposed to be an actual link. Stupid vB did that “for” me. Don’t click on it, although I don’t think it actually goes anywhere.

No, try this link: www.hot-chicks-are-waiting-you.com/index.htm

Is it worthwhile to report this type of thing to law enforcement? Does the FBI, or Attorney General deal with attempted fraud via email? Is this type of thing so common that it’s not even worth reporting? I, for one, get at least five to ten of this type of mail per day.

The fucks who do this need to roast in Hell. Sure, it’s obvious to me it’s a scam, but not everybody was on the internet from its popular web inception like I was, and was first-hand witness to it becoming a playground of casual fraud.

I hate that I have to worry about newbs like my Mom and other relatives, who might forget that any idiot can make these emails.

I’ve had quite a few that have impressed me by actually giving a link to the genuine ‘report fraudulent email’ links from the real bank’s website (I dug around and checked that they really were real - yes I was bored at the time). I suppose they’re relying on the fact that anybody who would report such an email will probably just delete it in the first place. Or they’re really stupid…

Most, if not all, phishing scams are international affairs. Usually the email and scam site are hosted on servers in remote locations, often with governments not terribly interested in assisting US law enforcement (China, Russia, etc).

Some of the better scams involve using sites hosted in the US (which makes it harder to do things like a traceroute to figure out if something is legit), but that are just cheap shared server accounts purchased by someone from one of those countries.

Usually it doesn’t take too long before the scam site is shut down, usually by the hosting company who provides the space (or the ISP) once they realize what’s going on. But a good phishing attempt doesn’t need long to net good results, less than 24 hours is usually good enough.

It’s a very real problem with no easy solution, and it gets worse every day.

The strangest ones I get are for obscure banks that I’ve never heard of. Do these scammers really think they’d be more successful by replacing CitiBank with The First National Bank of Bob (or whatever)?

Actually it doesn’t really matter. Banks quite often get reports almost immediately for this type of thing when it happens (this was for a while related to my job, for a very large bank). It didn’t matter if we knew about it, there was nothing we could do. In some cases we might issue a statement re-emphasizing that you should not respond to any requests for information, but usually we didn’t do anything (since it could be construed as admission of a problem, or something).

When a phisher builds his emails and site, the easiest way to do so is to simply rip the real site and then tweak the few things necessary to direct your input to their servers. Think of going to eBay and just doing a site rip (download the page source and images), then dumping it on your webspace. Any URLs that were on the site originally will still be there, and will still work (they’ll take you back to the real eBay site, after all). Thus, any and all links, images, and formatting will likely be identical to the real thing (except for where it counts, the login form action).

I can’t tell you the number of times someone high up would look at one of these sites, do a View Source, and then totally freak out when he saw the SAME HTML OMG! “We must have been hacked!” People still don’t understand how the web works.

The other thing about phishing that’s really nasty, you can’t just mouse-over URLs to be sure. There have been (and probably still are) many exploits that let someone maliciously format a URL to look like it’s taking you to one URL but in actuality take you to another. For example, I could set up a link that says www.google.com and when you mouseover it says “www.google.com” and when you click on it it says “www.google.com” in your address bar, but the content is really from my own server. This is why they say to NEVER click on a link in an email, if it’s to something important. You can’t really be sure what’s happening.
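Added example, not part of any post in this thread: a small Python check that reads a message's markup directly instead of trusting what the mail client displays, and reports the three tells described above (a login form that posts off-domain, link text that shows one host while the href goes to another, and a host that merely contains the brand name). The function names and the `.example` hostnames in the sample are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

def host_of(url):
    """Lower-cased hostname; bare 'www.example.com' text is accepted too."""
    url = url.strip()
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def belongs_to(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)

class Collector(HTMLParser):
    """Gathers form actions and (href, visible text) pairs."""
    def __init__(self):
        super().__init__()
        self.forms, self.links, self._href, self._text = [], [], None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append(a.get("action") or "")
        elif tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit(html, expected_domain):
    """Findings for a message or page that claims to come from expected_domain."""
    c = Collector()
    c.feed(html)
    brand, findings = expected_domain.split(".")[0], []
    for action in c.forms:  # where the credentials would actually be sent
        if not belongs_to(host_of(action), expected_domain):
            findings.append(("form-posts-off-domain", host_of(action) or "(relative)"))
    for href, text in c.links:
        real = host_of(href)
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != real:  # text displays one host, href goes to another
            findings.append(("link-text-mismatch", real))
        elif brand in real and not belongs_to(real, expected_domain):
            findings.append(("lookalike-host", real))
    return findings

# Constructed sample: genuine links and images kept, only the targets that matter changed.
SAMPLE = """<img src="https://pics.ebay.com/logo.gif"><a href="https://www.ebay.com/help">Help</a>
<a href="http://www.ebay-secure.example/confirm">www.ebay.com</a>
<a href="http://www.ebay-secure.example/confirm">Confirm your account</a>
<form action="http://collector.example/login.php"><input name="pass" type="password"></form>"""
```

Calling `audit(SAMPLE, "ebay.com")` returns one finding per tell; the genuine help link produces none, which is why identical HTML and working links say nothing about where the form submits.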

I suppose this might have been the case in the ones I’m thinking of - although I vaguely remember something being off-kilter, some obvious typo or something.

Awww, bless 'em!

The first time I ever heard of Citibank was in an email asking me for my password … :P

Question:

Would anything good come if you were to provide phoney info each time you got phished? If these scammers had more phoney account #s and passwords, would the phished company be able to go and identify them easier? Would it be considered “good” citizenry to make it a pain in the ass for the scammers risking the use of these phoney id’s?

I haven’t done that yet, but I have considered it many times before.

Unfortunately, not really. You’re not setting the phishers back a whole lot (unless you organize some scripts to run batches of millions of bogus entries, I guess) and it’s not going to help the victimized company at all. The scammers are probably going to take whatever hits they get and then plug them into scripts of some sort (that depends on what kind of scam it is). Even if there’s a lot of failures it’s not going to slow things down much at all. Remember that they probably get more bad entries than good anyways, ranging from typos to people messing with them to people realizing they’ve been scammed and changing their password. A few more won’t do anything.

Notifying the company can never hurt, but like I said before it’s not particularly effective for actually stopping the problem. Unfortunately, phishing is a lot like spam… it’s pretty much free for them, and all they need is a .0001% success rate to be wildly successful. There’s almost nothing an individual or single company can do about it. There are some efforts at solving the problem technologically (domainkeys, for example), but the real problem is people, and I don’t know how you solve that.

If you read the text even a little carefully, the English is often awkward or filled with mistakes, very different from typical corporatese. They may ask you for “informations,” or even miscapitalize the name of the company they’re trying to impersonate (beware anything claiming to come from “Ebay” or “Paypal”).

I’ve had them concerning my ebay Paypal account–I don’t have one–and my CA bank account–I live in New Jersey. Who gets fooled by this shit?