Online Neighborhood Watch Nails Phishers
news.zdnet.com — A volunteer group, dubbed the Phishing Incident Reporting and Termination squad (PIRT), will take in reports from consumers of suspected phishing Web sites and work to take the sites offline. On Friday, before its official launch, the group received 100 phishing reports, and 30 of those were shut down in a few hours.
- 484 diggs
- wilwheaton, on 10/12/2007, -1/+9 I'd suspect that the average Digg user can quickly and easily spot a phishing scandal (if it even gets past our filters) but it's people like our parents who need to be protected. If we can work together to nail these phishing ***** at the server level, it's time well spent.
- Seumas, on 10/12/2007, -0/+5 My concern isn't whether the average tech can spot it. It's whether the people reporting these and the people doing the close-downs can. I've had people spoof millions of emails "from my domain" which has caused enormous problems from idiots who thought they knew something and didn't - and admins who didn't bother to pay attention and just assumed the mail really was from me and really was spam. Very disconcerting when you are running a non-profit site with tons of users who expect the thousands of emails you send every day to actually GET to them.
- merreborn, on 10/12/2007, -0/+1 seumas: A valid concern.
However, I think it's pretty clear to most net-savvy folks that the site responsible for a phishing attack is not the domain from which the email appears to have been sent from, but the phishing URL to which it links.
If a phishing email links to a URL on your server that's clearly a fake ebay/paypal/amazon/bank login page, your server is hosting a phisher, no questions about it.
You still have to be careful. First things first, it's probably best to contact the ISP first.
One problem with stepping up to the level of DDoSing a server hosting a phishing URL, is that there may be other perfectly legitimate sites hosted on the same box/network/ISP that may be affected by your attack. Hopefully, these guys don't approach this level of vigilantism.
- davidu, on 10/12/2007, -1/+3 Hmm... More closed phishing circles. I think this data needs to be way more open and available. Also, credit should be given to data providers and there should be a feedback loop. I'm working on this now. If someone is interested in helping me they should definitely email. Bay Area folks even better!
- MissM, on 10/12/2007, -0/+1 From the blog of one of the partners in this wonderful initiative!!
Sunbelt BLOG: Become a phishing terminator http://sunbeltblog.blogspot.com/2006/03/become-phishing-terminator.html
Good catch wil!
- Tribble, on 10/12/2007, -0/+4 You've missed the reports davidu, the data is entirely open to the community, just read the reports. The phish URL is there with all investigatory work. If it's so publicly open how is it among closed circles? Don't mislead the readers.
- ComputerGuru, on 10/12/2007, -1/+1 How do they "take down" the sites? I don't think they are white hats like some of us here...........
- Stormwysper, on 10/12/2007, -0/+1 It says how they do it in the article. At least that is what they say they do.
- ComputerGuru, on 10/12/2007, -4/+1 Really? Where?
"Eckelberry and Laudanski acknowledge that removing phishing sites isn't easy. They expect to be able to shut down between 40 percent and 50 percent of those reported to the team of handlers. PIRT is looking especially for handlers who have experience in dealing with Asian Internet service providers, they said"
I think there is no way they are doing it legally, and as amateurs and not in any way government or certified, they have no reliable way of distinguishing between legit phishing, domain spoofing, and simple abuse of their system.
No Digg.
- Tweekster, on 10/12/2007, -1/+1 "I think there is no way they are doing it legally, and as amateurs and not in any way government or certified, they have no reliable way of distinguishing between legit phishing, domain spoofing, and simple abuse of their system."
well since they are looking for people who know how to deal with Asian ISP's it is pretty obvious they are doing it legally by contacting ISPs
jeez, I would have thought was pretty evident
- ComputerGuru, on 10/12/2007, -2/+1 legal? read here: http://neosmart.net/blog/?p=122
- ComputerGuru, on 10/12/2007, -2/+1 http://digg.com/security/PIRT_is_NOT_the_Solution_
- Tweekster, on 10/12/2007, -0/+1 I have been doing that a lot lately from the spam reports on my email server...
I contacted 3 websites last week, all were shut down within 12 hours. They were quite surprised as to what was happening..
I also contacted Bellsouth about a spammer/phisher on their dsl service...man they are idiots. saying that they can't control what he is sending blah blah blah they aren't responsible etc etc etc.
It felt good to get those couple of sites knocked offline so quickly. Hopefully before anyone got scammed
- critic, on 10/12/2007, -0/+0 I dunno I've given up reporting all the Paypal ***** I get to Paypal. Standard form letter, yes we know it's phishing, yes we are working to solve the problem, yes we are...That was about a thousand emails ago asking me to verify my Paypal account. btw - Do you think Paypal maintains offices in Nigeria?
- uhdean, on 10/12/2007, -0/+2 Just post the URL to the phishing site to digg.com and the Diggers will bring the site down in no time!
- critic, on 10/12/2007, -1/+0 You have added laptopseller@yahoo.com as a new email address for your
PayPal account.
If you did not authorize this change or if you need assistance with
your account, please contact PayPal customer service at:
https://www.paypal.com/row/wf/f=ap_email
Thank you for using PayPal!
The PayPal Team
Please do not reply to this e-mail. Mail sent to this address cannot be
answered. For assistance, log in to your PayPal account and choose the
"Help" link in the header of any page.
----------------------------------------------------------------
PROTECT YOUR PASSWORD
NEVER give your password to anyone and ONLY log in at
https://www. paypal. com/ Protect yourself against fraudulent websites
by opening a new web browser (e.g. Internet Explorer or Netscape) and typing
in the PayPal URL every time you log in to your account.
----------------------------------------------------------------
PayPal Email ID PP007
- Oldfrog, on 10/12/2007, -0/+0 All that you have provided here is the TEXT of the email which shows the entirely legitimate PayPal link. The real phishing URL is not visible.
- ComputerGuru, on 10/12/2007, -2/+1 Need to read this http://neosmart.net/blog/?p=122 for more info on why it is not that great an idea....
- ComputerGuru, on 10/12/2007, -2/+1 http://digg.com/security/PIRT_is_NOT_the_Solution_
- mwisconsin, on 10/12/2007, -0/+0 Why should I care about the efforts of a 100 volunteers, when Spamcop makes my complaints for me, and immediately? Spamcop has culled the best places to complain about abuses, and many ISPs have parsers for Spamcop complaints.
*shrug* It just seems to me that an automated solution beats a human solution every time. Every Phishing email I submit to Spamcop has a site that goes down pretty quickly.
- Tribble, on 10/12/2007, -0/+0 Spamcop goes after the offending emailer, and not the domain hosting the phish URL. Both can be different, and in fact, the phish URL may point to multiple A records that have nothing to do with the MTA which sent the spam in the first place. PIRT is shutting down phish sites. No one else is doing this project.
- mwisconsin, on 10/12/2007, -0/+0 and not the domain hosting the phish URL.
Wrong. Spamcop has parsed the body of spam since day one, looking for abused URLs. If you've looked at the output from spamcop from a parsed Phish email, you'll notice it complaining to the web host of the site as well.
- Tribble, on 10/12/2007, -0/+0 Oldfrog is right, PIRT's purpose is to terminate phish and retrieve phish kits so we can follow the trail and report any drop zones immediately. So what happens when a phish has 7 different IP addresses residing on 4 different ASNs? Does Spamcop get them all shut down? I don't think so.
- Oldfrog, on 10/12/2007, -0/+0 A couple of comments (I am the team leader of the handlers in this project):
Everything we do is 100% legal
Parsing the email body is often ineffective. We constantly see hyperlinks which target one domain that does a meta refresh to others. Multiple rotating DNS A records and multiple NS records from different providers are also common. We follow the chain until the very end. We also find and report all the associated ASNs. Every report that we confirm is 100% public and in addition to being provided to the netblock owners of all derived IP addresses is sent to vendors offering antiphishing toolbars and services.
I want to emphasize that this is not an antispam project. We concentrate exclusively on the fraudulent sites harvesting personally identifiable information and shut them down.
- gd007, on 10/12/2007, -0/+1 Very good. I have a web site where I teach about evils of spam and phishing in a funny way. It is: http://www.spamsalad.com/.
- LarianLeQuella, on 10/12/2007, -0/+1 Keep up the good work. I hate these phishers and spam as well. Anything to eliminate them is okay by me (does that include eliminating them from the gene pool as well?).
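Two points Oldfrog makes in the thread above (the e-mail text shows a legitimate PayPal link while the real target is not visible, and hyperlinks whose target does a meta refresh to other domains) can be checked by a report handler as follows. This is an added example, not part of the original thread and not PIRT's tooling; the sample e-mail, the `.example` hosts and the `fetch` callback are constructed so it runs offline with the Python standard library.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class Links(HTMLParser):
    """Collects (href, visible text) per anchor plus any meta-refresh target."""
    def __init__(self, html):
        super().__init__()
        self.links, self.refresh, self._href, self._text = [], None, None, []
        self.feed(html)
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";\s]+)", a.get("content") or "", re.I)
            self.refresh = m.group(1) if m else self.refresh
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    """Anchors whose visible text names one host while the href goes to another."""
    out = []
    for href, text in Links(html).links:
        m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
        shown, real = (m.group(1).lower() if m else None), urlparse(href).hostname
        if shown and real and shown != real:
            out.append((shown, real))
    return out

def follow_refresh(url, fetch, max_hops=10):
    """Follow meta refreshes to the last page; fetch(url) returns HTML or None."""
    chain = [url]
    while len(chain) <= max_hops:
        html = fetch(chain[-1])
        nxt = Links(html).refresh if html else None
        if not nxt or urljoin(chain[-1], nxt) in chain:  # end of chain or a loop
            break
        chain.append(urljoin(chain[-1], nxt))
    return chain
# Constructed sample data on reserved .example hosts, not from any real report.
EMAIL = '<p>Log in at <a href="http://hop1.example/r">https://www.paypal.com/</a></p>'
PAGES = {"http://hop1.example/r": '<meta http-equiv="refresh" content="0; url=http://hop2.example/x">',
         "http://hop2.example/x": '<META HTTP-EQUIV="Refresh" CONTENT="0;URL=/login/">',
         "http://hop2.example/login/": "<form>constructed landing page</form>"}
```

Every host in the returned chain, not only the first, is a candidate for the A-record, NS and ASN lookups described in the comment.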
