Phishing, for those of you who don’t know the term, is sending out those fake e-mails purporting to be from eBay, PayPal, or any number of banks and telling people that they need to log in using the username and password for some reason. In fact, the gullible person who obeys those e-mails end up giving a total stranger access to his account.
Shouldn’t it be reasonably easy to catch the folks who are doing this? Let the banks or the cops set up some dummy accounts, turn off their spam filters, see where the money being stolen from the dummy account is being routed, and slap the cuffs on the recipients. I’d think that if this were being done on a reasonably regular basis especially if it’s done very publicly, the pool of fraudmeisters would eventually get shallower. But I have yet to hear of anyone ever being arrested or prosecuted for phishing, nor has the flow of these kind of e-mails lessened over the years.
Many phishers operate outside the US. Of those who DO operate within the US, there’s only a few agencies who really have the authority to go after them, and those agencies seem to have other priorities.
IMO, we should bring back the stocks for phishers and spammers, with a large sign labelling the offender and the offense, and let the public let these leeches feel the outrage.
I know, but I can’t tell you how I know, that some of the attacks have originated from servers outside of North America, so slapping cuffs isn’t as easy as you might think. Anti-Spam filters are getting better at tracking the Phishing URLs that are being used and identifying them as suspect, but new ones are being created every day so it’s a never ending cat and mouse game.
If it was easy to identify these folks someone would have figured it out by now and shut them down. BTW, it only takes a very small percentage of hits to justify these attacks… and yes, unfortunately, some people do fall for them every day.
That would be an illegal attack, and in most cases, the phisher sites are colocated with perfectly legal sites. It would be like sending an ICBM to take out a storage locker in a sovereign nation because you know that one of the units is being used as a drugs lab that’s exporting to your nation.
“Justify” in the mind’s of these pukes… there is no justification for criminal behavior like this. It is nothing more that stealing, pure and simple. I just wish some people could be more circumspect and less gullible… but what are you going to do?
The thing is, I can understand that emails are spoofed and can be hard to trace. But for phishing emails, you are inevitably led to click a link to a website. It should be ridiculously easy to identify who is hosting the website, shouldn’t it?
Note that a lot of bad things are done via people’s individual computers that have been hijacked by malware into “botnets”.
So you are not going to get anywhere with a DoS attack. So what if you identify the web site? It’s just some grandma’s computer and she has no clue her PC has been taken over. All the collected data, etc. has already been forwarded to the phisher’s gmail account which has forwarded it to who knows where. She also isn’t running any logging software, the malware could be using encyrption. All you can do is call granny and tell her to run some anti-spyware software.
People have to stop thinking in terms of there being “a” site that a given phisher is using that is “their” site. No, they might have 10s of thousands of other people’s PCs in a botnet.
It would be easy to identify their ISP, and if they use commercial hosting of some sort, you could get that as well. However, this just means you have a way to get their site shutdown (by reporting them to the host/ISP). It doesn’t necessarily give you an easy way to find the perpetrators, because they might be paying for the hosting in a way that’s difficult or impossible to trace effectively.
The trick, from the phisher’s perspective, is to pay for the hosting in a way that doesn’t give authorities a way to trace it back to them. This is not terribly difficult for small sums of money, and with hosting being so cheap these days this is pretty easy.
Usually, phishing sites don’t last very long. They get setup on cheap throwaway hosting somewhere, and are online long enough to sucker a few people. The overhead on this sort of operation is so low that it can be done repeatedly.