Dispatches Archive


April 25, 2007

PayPal Phisher Going the Distance

It has been a long time since I bothered to fill out the username/password fields (with bogus information, obviously) of a bogus phishing site, but I tried one today to see what the modern phisher is up to.

The "Verify Your PayPal Account" phishing email message that prompted me wasn't all that well done. There was no PayPal logo art. The date by which I had to update my records to prevent account suspension was February 10, 2007 (two-and-a-half months ago according to my calendar). The actual URL behind the "Click here to update your PayPal account information" link was to an IP address, which turned out to be yet another hijacked web site (in Australia).

Visiting any unknown web page these days is incredibly dangerous—especially with the recently revealed and as-yet-unpatched QuickTime flaw that can affect Windows and Mac users if your browser opens QuickTime to play media files (including inside IE, Firefox, and Safari). The flaw allows an attacker to take over your computer. Therefore, I first checked the target page using a non-graphical download of the content to inspect for HTML attempts at loading QuickTime content. None found. I then locked down my browser to prevent loading of plug-ins or execution of Java and JavaScript before visiting the phisher's page.
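The first precaution described above, pulling the page down without rendering it and reading the raw HTML for anything that would hand media to the QuickTime plug-in, can be automated. The script below is an added example, not the author's code or tooling; the tag names, MIME types, file extensions and the QuickTime ActiveX class ID it looks for are my assumptions about what such an inspection should cover, and the sample page it scans is constructed for the example.

```python
"""Scan raw HTML for markup that would load media through the QuickTime plug-in.

Added example (not from the original post). The sets of MIME types,
extensions and the ActiveX class ID below are assumptions about what to flag.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import urllib.request

QUICKTIME_MIME = {"video/quicktime", "video/x-quicktime",
                  "image/x-quicktime", "application/x-quicktimeplayer"}
QUICKTIME_EXT = {".mov", ".qt", ".qtl", ".mp4", ".m4v", ".3gp"}
# Class ID registered by the QuickTime ActiveX control on Windows (assumption).
QUICKTIME_CLSID = "02bf25d5-8c17-4b23-bc80-d3488abddc6b"


def _ends_with_media_ext(url: str) -> bool:
    """True if the URL's path ends in an extension QuickTime would claim."""
    path = urlsplit(url.strip()).path.lower()
    return any(path.endswith(ext) for ext in QUICKTIME_EXT)


def _refresh_target(content: str) -> str:
    """Pull the destination out of a <meta http-equiv=refresh> content value."""
    idx = content.lower().find("url=")
    if idx == -1:
        return ""
    return content[idx + 4:].strip().strip("'\"")


class QuickTimeFinder(HTMLParser):
    """Collects (tag, [reasons]) for every start tag that looks QuickTime-bound."""
    URL_ATTRS = ("src", "href", "data", "value", "qtsrc")

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        mime = a.get("type", "").split(";")[0].strip().lower()
        if mime in QUICKTIME_MIME:
            reasons.append(f"type={mime}")
        if QUICKTIME_CLSID in a.get("classid", "").lower():
            reasons.append("classid=QuickTime ActiveX control")
        if "quicktime" in a.get("pluginspage", "").lower():
            reasons.append("pluginspage points at QuickTime")
        for name in self.URL_ATTRS:
            if name in a and _ends_with_media_ext(a[name]):
                reasons.append(f"{name}={a[name]}")
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            target = _refresh_target(a.get("content", ""))
            if target and _ends_with_media_ext(target):
                reasons.append(f"meta refresh to {target}")
        if reasons:
            self.findings.append((tag, reasons))


def find_quicktime_loaders(html: str):
    """Return a list of (tag, reasons) for markup that would invoke QuickTime."""
    finder = QuickTimeFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def fetch_raw(url: str, timeout: float = 15.0) -> str:
    """Download the body as text without rendering or executing anything.

    urllib follows redirects, so the bytes may come from a host other than
    the one in `url`; and the phisher's server still sees your address.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample: a fake login form with QuickTime loaders hidden around it.
SAMPLE_PAGE = """<html><body>
<form action="login.php" method="post">
 <input name="login_email"><input name="login_password" type="password">
</form>
<object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="1" height="1">
  <param name="src" value="loader.mov">
  <embed src="loader.mov" type="video/quicktime"
         pluginspage="http://www.apple.com/quicktime/download/"></embed>
</object>
<meta http-equiv="refresh" content="0; url=http://example.com/clip.mov">
<img src="logo.gif">
</body></html>"""

if __name__ == "__main__":
    for tag, reasons in find_quicktime_loaders(SAMPLE_PAGE):
        print(f"<{tag}>: {'; '.join(reasons)}")
```

A static scan only sees markup that is literally in the download: an `<embed>` written by JavaScript at run time, or a variant of the page served only when the User-Agent looks like a real browser, will pass it clean. That is why the second step above, disabling plug-ins and scripting before the page is ever rendered, is not optional, and why `fetch_raw` is best run from a throwaway machine or address.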

Appearing before me was the usual knock-off PayPal starting page with text fields for entry of username and password. I made up some appropriate text strings (the highly juvenile, yet highly satisfying, words "bite me" were sprinkled liberally throughout). I expected to be taken immediately to a more elaborate and equally phony page containing form fields for more personal data. Surprisingly, this phisher (or, rather, the supplier of the phishing kit) included the same (or at least plausibly similar) "Processing Login" page that PayPal's real site uses, complete with little dot animation:

[Image: the phisher's "Processing Login" page, with animated dots]

I could see that this might convince a newbie that the site was PayPal's, even though the browser failed to show a secure connection.

Once the "processing" was completed (after a pre-ordained span of four thumb-twiddling seconds—why bother with real processing?), the site showed the page I expected. Fields included the usual names, credit card data, CVN number, ATM PIN number (always a dead giveaway that the form is being used for identity thievery), billing address, home phone number, mother's maiden name, date of birth, and even your driver's license number.

That's all the information an identity crook needs to hijack something you might treasure...you!

Posted on April 25, 2007 at 06:06 PM

April 23, 2007

Here We Go Again

I'm still going through The President's Identity Theft Task Force Strategic Plan, but there is one aspect of it that already causes me to wince.

Among the recommendations (of which there are many), this one set stands out:


  • Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted

  • Add new crimes to the list of predicate offenses for aggravated identity theft offenses

  • Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications

  • Penalize creators and distributors of malicious spyware and keyloggers

  • Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion

As noted by a CNET article covering the release of this report, it's not like there aren't already plenty of laws on the books covering identity theft. There are. And they have even led to some convictions of identity thieves.

(I also point out that identity theft is not limited to online activity. In fact, I recall reading research that claimed the majority occurred off the Net, such as through dumpster diving and such. That may well be true, but the Internet has certainly made it easier for more thieves to attack more people in more ways.)

Friends of mine who knew me waaaay-back-when are aware that I majored in classical antiquity in college and grad school. Greek and Roman history always appealed to me, although by now I feel as though I've forgotten more than I ever knew. But one thing I learned does shine through the mists of time. One of my ancient history professors pointed out that although we don't have the benefit of detailed statistics about the efficacy of many ancient Roman laws, we can deduce that when a society issues law after law after law covering the same subject, it means that the laws aren't working, or at least aren't working sufficiently well.

If a law is poorly written, or if new technology obsoletes the intent of a law, the law should be updated accordingly. But many of the offenses that continue to plague hapless consumers have been illegal for years and years. Refining the legislative language won't make such offenses any more illegal.

As usual, the issue comes down to enforcement. Prosecutions—even when they can be brought against alleged offenders within the law's jurisdiction—are extremely costly and arduous to mount. An alleged offender had better be either a Big Fish (having bilked a large number of consumers) or a Big Dummy (making it cheap to gather evidence) to make a prosecution pay for itself. Even if a conviction can be won, will it be a deterrent to the college kid in Hong Kong or criminal gang in eastern Europe?

In a word...no.

Posted on April 23, 2007 at 04:04 PM

April 01, 2007

All It Takes Is One Sucker

The combination of audacity and lack of information in the following business proposal spam makes me wonder how many (if any) respondents this guy will get.

Hi,

Please find the proposal for the online real estate website development and partnership.

Investment : US$ 20,000 (in 3 installments)

Partnership : 50% ([removed] Technologies) and 50% (Your company)

Part of your Return for first year : US$ 200,000


Please email your contact details to send the detailed proposal.


Thanks
Ravi Kant
Mobile : +1-765-000-0000 [number removed]

The named company (the supposed 50% partner) is a software and web development company based in India. Its domain name was first registered in 2001. Their web site (explicitly not identified in the email message or return address) lists Ravi Kant as the Business Development Manager, based in Bangkok, Thailand.

It's hard to say whether this message originated from, or leads to, the real Ravi Kant. I can't fathom why an established company would need to spam the world for a measly twenty grand investment. Having been in business for about six years, the firm would certainly have established a credit line with its bank—unless the company is in severe financial trouble, in which case, an investment with them would carry rather high risk.

And yet, I suppose there are gullible people out there who will drool over the promised 10x return in the first year, and make that call. They'll fail to perform due diligence or will fall under the spell of an impostor con artist. Even just one fish on the hook will make this little campaign pay for itself, and then some.

Posted on April 01, 2007 at 11:22 AM