Friday, March 31, 2006

Search Engines and News Stories

I have been away from my blog a bit. Many personal things have been going on, taking up all of my creative energies. Now back to my entry.

Even though Google in and of itself can be construed by some critics as being an online version of Big Brother, I have been using its search engine since late 2000. Earlier, I had used Dogpile, and earlier still, back in 1999, it was Mamma and Metacrawler. Now it is Google almost all the time. Back in 1996 I had used Yahoo. I use Yahoo today for its content and not for searching.

I have a Gmail account that I stay logged into, and I have created my own customized page. I mostly read tech related stories. The regular news stories of "if it bleeds, it leads" have just worn me thin. However, one of the most interesting articles online I have read lately is Snapper refusing to sell its mowers in Walmart. I believe I will never shop at Wal-Mart myself again. I seldom do as it is. Wal-Mart is very unpleasant for me to shop at. I, like others, am driven to shop there by the low prices. That Snapper story hit me hard personally. Snapper (the lawn mower company) is based out of McDonough, GA. They make all their fine lawnmowers in McDonough, Georgia and not in far flung places like China or Indonesia. Before reading that article, I had thought that was just one of their plants. McDonough, a town I lived in a few years ago, lies approximately 30 miles south of Atlanta. McDonough was chosen by Amazon in the dot com heyday to build a distribution center. So the big warehouse was built. Some friends and I even applied for jobs at Amazon in McDonough, GA. My guess is Amazon stayed open for less than 2 years in McDonough, GA. Its closing by Amazon was part of the NASDAQ fallout, or dot com flameout, which started in the spring of 2000.

At the bottom right of the customized Google page are Words of the Day:
benignant: kind; gracious; favorable.
invidious: tending to provoke envy or ill will.

Perusing these words reminds me of the endless hours I spent prepping for the SAT and GRE as a young'n. Maybe I should incorporate them somehow in my blog, if I were to update it daily.

Sunday, March 19, 2006

Exposing Online Fraud – Phishing

Phishing is very commonplace on the Internet. Basically, it is a spoof sent via email in the form of spam purporting to be from a bank, Ebay or some other payment service. The purpose of the spam is to trick the recipient who reads it into divulging his/her personal information to a fraudulent website. The phishers then take that information, go to Ebay or the specified bank and clean them out. Phishing has evolved online over the years. No one knows exactly how many phishing gangs are operating currently on the Internet.

Phishing fraud is still a real menace, tricking people into divulging their personal information daily. Organized crime is believed to be behind some of it. I am writing about this because the financial losses are substantial; according to the Wikipedia entry on phishing: "It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling approximately $929 million USD. U.S. businesses lose an estimated $2 billion USD a year as their clients become victims."


Phishing in 1995

AOL IM SPIM - a form of phishing

One of the earliest widespread forms of online phishing that I am aware of is the AOL IM spim that AOL members would receive, where the fraudster would pretend to be someone from AOL Support asking for AOL user passwords and credit card numbers. This activity was prevalent back around 1996 or so. I knew of someone who was tricked this way on AOL. A few short years later, the fraudsters turned to spoofing the popular Ebay and Paypal websites and other payment services.

Phishing in 2006

There is more to this problem on the backend, or from the viewpoint of an ISP or a webhost, so to speak. Phishers operate worldwide. Often they work in groups rather than as one lone person attempting to undertake all the things that must be done to make it a successful theft. Another approach phishers use is to upload viruses and trojans to the phishing sites, so that unprotected PCs get infected if they visit the phishing URL. You must use caution when going to any supposed phishing URL.

The fraudsters spoof all kinds of financial institutions: banks in Brazil, Turkey, the UK, France and other places. You can see a list of payment services which have been spoofed in phishing exploits, kept by FraudwatchInternational (FWI).

What is spoofed the most?

Fraudwatchinternational has been tracking phishing frauds as far back as 2001. This is its tally of the top 6 reported phishing frauds by name as of 3/18/06. You will see Paypal is spoofed the most, followed by US banks and the UK bank Barclays.

Rank - Reported organization - number of separate reported phishing incidents (FWI)

1. PayPal - 6551
2. eBay - 6080
3. Washington Mutual Bank - 1225
4. Chase Bank - 1018
5. Barclays Bank - 735
6. SunTrust Bank - 603


The newer Phishtrack on DSLreports has this tally as of 3/18/06. This tracking system was only setup in November 2005.

Rank - Reported organization - number of separate reported phishing incidents (Broadbandreports)

1. paypal - 201
2. ebay - 113
3. chase - 88
4. barclays - 25
5. wellsfargo - 15
6. bofa (Bank of America) - 13


On the DSLreports forum, you can view how long a phishing website stays online. There is a Phishtracker utility, written in Perl and posted on the DSLreports forum, where users can report phishing websites. FWI has over 31,00 reported cases of phishing in its database as of March 2006.

To navigate to the Phishtracker for the first time, you have to click through the website a few times:
1. URL: http://broadbandreports.com
2. Click on Forums
3. Under "+ Up and Running / Online, what next?" select this forum: "Spam, Scam and Charge Busters"
4. Select the first posting, called "Submitting to the Phish Tracker"; the link to the Phishtracker is listed at the top: http://www.dslreports.com/phishtrack

The top link contains the phish tracker. This tracker was activated in November 2005 and, believe it or not, some phishing websites from late last year are still active. There are 2 over 100 days old listed as still active! Most often these hosts are in Asia, where they are not responsive to spamming issues or any other security issues for that matter. There is also a breakdown there of what institution is spoofed. I sent the information below today to the Indian organization so they can remove this phishing site; I also CCed spoof@ebay.com.


Long-Living Phishing Websites - One has been active online for over 120 days!

Example of a long-lasting Paypal phishing website hosted in India: as of 3/18/06, this Paypal phishing site had been active for over 120 days, and as of today, 3/19/06, the phishing URL has been removed. Yay, finally! Removing the link below.

(link gone)
WHOIS info gone.

--------------------------------

Anatomy of a Phishing Scam Setup

Here is a typical scenario for how part of a phishing fraud site is set up. Fraudsters share stolen credit card information with other trusted gangs, for example. They go and buy domain names at registrars, such as the Korean registrar Yesnic, that look similar to Ebay. Examples include ebay-cgi-login.com or paypal-login.com, etc. There are literally thousands of variations of these fraudulent domain names. The contact info in the WHOIS for these domains is fraudulent as well; often they use a Yahoo or some other free email address as the email contact. With this domain, they purchase a webhosting account, usually an automated purchase with a small or large hosting company. Then, as soon as the site is enabled, the actual spam itself is sent out through compromised machines on the Internet. So while the spoofed website is online, a few unsuspecting people receive the Ebay phishing spam and think they have to update their Ebay accounts. Often the phishers have a text file or another email address where this data is sent.

The new spin on this is that phishers now use a dynamic redirect: once embedded in the phishing spam itself, it continually redirects recipients to newly hosted phishing sites. With this approach, the spam run gets more out of scamming users than a specific URL that has since been disabled. (When I find more of this information, I will post it here.)

Brute Password Hacks
Some of the patterns I have seen: phishers exploit existing webhosting accounts. Often they brute force passwords on older systems where a lockout after a number of password tries has not been implemented.
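As an added example (not from the original post), here is a small Python detector for the pattern just described: a burst of failed FTP logins against one account from one address, followed by a success. The log format is constructed for this example, and the threshold and window are assumptions a real policy would tune; a lockout after that many failures is the control the post says older systems lack.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (the format is invented for this example):
# one source tries many passwords for "john" and then gets in, while
# "alice" simply mistypes her password once.
SAMPLE_LOG = """\
2006-03-18 02:14:01 FAIL LOGIN user=john ip=203.0.113.9
2006-03-18 02:14:02 FAIL LOGIN user=john ip=203.0.113.9
2006-03-18 02:14:03 FAIL LOGIN user=john ip=203.0.113.9
2006-03-18 02:14:04 FAIL LOGIN user=john ip=203.0.113.9
2006-03-18 02:14:05 FAIL LOGIN user=john ip=203.0.113.9
2006-03-18 02:14:06 OK LOGIN user=john ip=203.0.113.9
2006-03-18 02:15:10 FAIL LOGIN user=alice ip=198.51.100.7
2006-03-18 02:15:40 OK LOGIN user=alice ip=198.51.100.7
2006-03-18 03:30:00 FAIL LOGIN user=john ip=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<result>OK|FAIL) LOGIN "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_line(line):
    """Return (timestamp, result, user, ip), or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag (ip, user) pairs with >= threshold failures inside `window`.

    Each alert records whether a successful login followed the burst,
    which is the sign that the guessed account (like ~john) is now in use.
    """
    failures = defaultdict(deque)   # (ip, user) -> recent failure times
    alerts = {}                     # (ip, user) -> alert dict
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        key = (ip, user)
        if result == "FAIL":
            q = failures[key]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside window
                q.popleft()
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {"ip": ip, "user": user, "failures": len(q),
                               "first": q[0], "success_after": False}
        elif key in alerts:
            alerts[key]["success_after"] = True   # burst, then a success
    return list(alerts.values())
```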
Typical Ebay phishing URL (fake, of course):

http://members.someISP.com/~john/ebay/aw/cgi-login.htm


Take a close look at this. The username john after the tilde (~john) has been guessed via FTP, and the phisher uploaded the phishing files to appear like an Ebay login page. This is why they use words like aw or cgi: it looks like part of an actual Ebay URL.
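As an added example (not from the original post), this Python heuristic flags the two kinds of URLs described above: lookalike registered domains such as ebay-cgi-login.com, and a brand name buried in the path of an unrelated host such as members.someISP.com/~john/ebay/. The brand-to-domain mapping and the two-label domain rule are assumptions for this example; it also goes beyond the text by flagging credentials placed before an @ sign, which hide the real host in the address.

```python
from urllib.parse import urlsplit

# Assumed mapping of brand keyword -> the brand's own registrable domain.
BRANDS = {"ebay": "ebay.com", "paypal": "paypal.com"}


def registrable_domain(host):
    """Naive eTLD+1: the last two labels. Fine for .com; a real deployment
    would use the public suffix list to handle domains such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url):
    """Return (verdict, reason) for a URL, based on where a brand name sits."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    reg = registrable_domain(host)
    # user:pass@host form: whatever precedes '@' is not the host at all
    if parts.username is not None:
        return "userinfo-trick", f"text before '@' hides the real host {host}"
    # Only the brand's own registrable domain counts as legitimate
    if reg in BRANDS.values():
        return "legit", f"registrable domain is {reg}"
    for brand in BRANDS:
        # substring match is deliberately loose: ebay-cgi-login.com,
        # paypal-login.com and www.paypal.com.example.net all hit here
        if brand in host:
            return "lookalike-host", f"'{brand}' in host but domain is {reg}"
        if brand in path:
            return "brand-in-path", f"'{brand}' in path on unrelated host {reg}"
    return "unknown", "no known brand mentioned"
```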

Exploit Vulnerabilities
Phishers also exploit ecommerce software, PHP messageboards and many other online programs where the installed software versions are out of date and hence vulnerable to an attack like this.

USEFUL PHISHING URLs

Forums and useful Messageboards
Broadbandreports - message board about large scale spamming and phishing. You may have to navigate to it from the main page.
Castlecops Phishing forum - this one contains some useful information, not very active. Castlecops is a good site for securing your PC.
Scam.com - Online scams of any kind, and other scams posted, mostly for newbies.

Anti-Phishing Organizations
Anti-Phishing Working Group - a US based organization designed to collect information on phishing. They have a useful mailing list for those who work to minimize phishing scams.
FWI - FraudWatchInternational – an Australian-based organization which collects info on internet scams, including 419 scams.
Miller Smiles – a UK based anti phishing organization. They also have a messageboard, however, it is not as active as the one mentioned above.

Anti-phishing Vigilantes
phishfighting - These guys work at bringing down phishing sites on their own by any means necessary. I do not recommend partaking in this activity at all. Definitely a grey hat area.

Books and Articles on Phishing
Phishing - Wiki information on phishing, very detailed and useful.

Phishing Exposed (2005) by Lance James – listed on Amazon. Lance James is active in the APWG (Anti-Phishing Working Group). This book is probably considered definitive on phishing.

Phishing : Cutting the Identity Theft Line (2005) by Rachael Lininger, Russell Dean Vines - listed on Amazon. I have had a chance to read this book.

Wednesday, March 15, 2006

Hideousness of Some Very Dark Online Activity

Child expl0itation, of course, of all forms flourishes on the Internet; this is definitely one of the most disgusting subjects to blog, isn't it? Reportedly, arrests have been made in an online international kiddie p0rn ring. Great news: the more arrests the better, wherever these disgusting people hide. I occasionally go to the Drudge Report and on this evening found this screaming ALL CAPS headline: CHILD P0RN RING TRANSMITTED ACTS LIVE ON WEB. Here is a link to that very news story.

Maverick online media man Matt Drudge, a long-time netizen and a pioneer blogger, capitalizes on lead stories ("when it bleeds, it leads", so goes the contrite quip about media in general). Drudge brings down a lot of smaller shared websites when he links to them, since his mega site generates so much traffic. According to Alexa, Drudgereport.com is the 265th busiest site online and, according to Drudge himself, a total of 3,633,320,392 visitors clicked on his website in 2005. I know in times past DrudgeReport ranked higher than the humble 265th place his site is listed at now. Drudge has his own set of detractors, such as this one who was wise enough years ago to buy a shorter domain name; this website owner probably gets some of Drudge's own traffic from those not very proficient at typing out longer domain names. According to netcraft.com there are 53 active domains containing drudgereport and well over 200 active domains containing drudge. I can surmise without visiting all these sites that the vast majority were created because of Matt Drudge; with domains activated such as drudgeisajoke.blogspot.com, drudgepuppet.com or bizzarodrudge.com, you know that Drudge has a lot of Net buddies.

I first learned about Drudge when the Bill Clinton and Monica Lewinsky scandal story broke. Drudge already had a significant following at that time, 1998. Since then, when I am in a news mood, I go to his site for top stories. I have heard the traditional media despite what Drudge has done. I think Drudge is a very interesting one-man media show online. However, over the more recent years, I frequent geek-infested Fark.com for reading unusual news stories, where one can get an account and contribute a noteworthy news story. Heck, you can even customize the title of the news story to make it eye catching! I guess this is the democratization of spreading news, when any ol' online Jane or Joe who knows how to get around online can cite odd news stories for others to read. Interestingly enough, Fark.com is ranked by Alexa as the 867th most popular site.

Now back to the sordid topic of online child porn0graphy. I know from friends at American ISPs that in the US the FB1 does investigate cases of online child p0rn0graphy which are deemed graphic. Fighting online crime of this nature is a very tall order and task undertaken by any government agency, non-profit organization, or a humble ISP's security department. These kiddie p0rn peddlers probably do all they can to hide their tracks, as persistent ROKSO spammers do, or the sneaky gangs of phishers who send out spam to steal banking, credit card or other personal information to empty bank accounts or commit identity fraud. The US-based Antiphishing.org does a fine job in helping banks, organizations and end-users fight this very large online criminal activity. It is known among those who work at ISPs that some kiddie p0rn sites pop up on the net by setting up fraudulent shared hosting accounts, sharing data on IRC channels, P2P websites, or compromising existing webhosting accounts. It is rather interesting to note how these illegal p0rn peddlers behave like rogue spammers and phishers.