Full Disclosure mailing list archives
Re: simple phishing fix
From: "Exibar" <exibar () thelair com>
Date: Wed, 30 Jul 2008 12:19:45 -0400
No time to comment on most, but just to throw this in there: Here in the states we have a few hundred thousand different banks at least. 500 is WAY too small of a number. Credit Unions are banks, small banks, and almost every city has at least one credit union. The city I grew up in has 12 or so different credit unions, along with all the major bank branches.... You mentioned it's not a problem to list all the major banks, and many of the smaller banks as well. I'll pose a challenge to you, list half of the banks and credit unions here in the states by the weekend and you'll win the prize.... :-) Cost of sending the phishing mail is ZERO... I'll repeat, it costs the bad guys NOTHING, ZERO, ZILTCH, NADA to send out their phishing messages. They mainly use 'bot nets and compromised machines to send the mail. It doesn't matter if they send 1 message or 1 billion messages, still costs them the same, nothing. So, even if they get to scam one person, it's all profit for them. So ya, you're right on your ARPM thoughts. When it falls to nothing forever, they will stop sending their messages and move onto another scam.... like a 419 scam, that's been around in one form or another since the late 50's.... I'll tell you one thing that will help prevent Phishing... User Awareness... but even that, won't stop it.... Exibar ----- Original Message ----- From: "lsi" <stuart () cyberdelix net> To: <full-disclosure () lists grok org uk> Sent: Wednesday, July 30, 2008 4:14 AM Subject: Re: [Full-disclosure] simple phishing fix
Thank you all for your comments. However, I cannot disagree more fully. It doesn't matter that the blacklist is not complete, if a scammer tries to phish a bank that's not on the list, eg. is not popular, he won't make much money, because it's a small bank and the probability of him hitting an email address which works, and is an address of a customer of that tiny bank, and the customer gets suckered, and all other security mechanisms fail, is very small. The scammer knows this and so he targets the popular banks. Therefore, the blacklist only needs to contain popular banks. However there is almost no penalty to add another 500 to the list, it's a simple filter, it's fast. I do agree that the more banks on the list, the better, but there are not millions of banks in the world, it's not a problem to list all the major banks, and many of the smaller banks as well. As the blacklist is deployed, the average revenue per mail (ARPM) will fall. The more it is deployed, the more the ARPM will fall. The ARPM does not need to hit zero. As soon as the ARPM falls below the average cost to send each mail, phishing will be economically unviable. Eg. it might still be technically feasible, however it will no longer be profitable to be a phisher. Repeat, phish do not need to be completely eliminated. Once they are reduced below a certain level, it will become economically infeasible to be a phisher. The invisible hand [1] will do the rest of the work for us. Other bits: I agree that by opening a hole in your phish firewall (eg. permitting traffic from the Bank of Foo) you are making yourself slightly less protected, however if a user has a blacklist where he has to specifically ALLOW traffic from a certain bank that user will be well aware that he has opened a hole in his phish wall and will be extremely attentive when he actually gets a mail. (I'm appalled that some banks actually use email, how cheap are they? If my bank did that, I'd complain, and consider changing banks.) As with a real firewall, it's not a total solution, but one layer of several. The blacklist catches variations, of course the common variations are listed as well, again, every combination is not required, because the probabilities of failure rapidly stack up once the scammers start to get too imaginative with their variations (eg. they will have to use more and more obscure variations, which will trick less and less users). I hear unicode will make life interesting, I'm looking forward to some samples. Blacklists do work. They are successfully used in many applications, the Spamhaus blocklist, the denyhosts SSH tool and desktop AV software all spring to mind. Blacklists don't work *when the content they are checking is polymorphic*. Phish, by definition are NOT polymorphic. We are talking banks here, they do not change their names very often. I think that is an important point. The problem space is a lot smaller once you start working with a finite list of domainnames. A blacklist is feasible in these circumstances. I agree my list is small, you'll note however it contains most of the biggest banks, I didn't choose them, they self-selected, by being sent to me. That's why they are the biggest banks, because the scammers target those banks. There's obviously no reason why the list could not contain every large bank in the world. I could maybe hunt down some stats to add banks I don't get phished for, but that would just slow down my filter! If others were to use it they'd want to customise it. Because the blacklist is on the client machine, the user is free to add banks they get hammered with, and free to remove banks they want to correspond with. Don't forget that "achovia." can be listed, to catch wachovia.com, vvachovia.com, vvachovia.co.uk etc. Think about it, most people have no need to accept mail from every bank in the world. That is accept ALL. Using the blacklist means they are now denying all bank traffic. (OK, denying all on the list, I agree that it's not a complete deny all, because we cannot know the names of all banks in advance. I do regret confusing the discussion by mentioning DENY ALL, I was hoping to explain my analogy to a firewall, eg., it blocks everything by default and then lets in what you tell it to let in, I do accept that unlike a real firewall it can be got around by using an unlisted name, it's really DENY MOST.)"(x) Mailing lists and other legitimate email uses would be affectedIrrelevant. They are affected already. They are the victims of spoofing. It's either block their mails, or users suffer the spoofs. Given than suffering the spoofs means bank-originated mails are useless in any case, that means the only available course of action is to deny all bank email traffic.my Bayesian filter gets these anywayMy spam filter misses some, hence my post, however following this comment I have checked my config and the Bayesian plugin is disabled ;) Thank you for the suggestion. [1] http://en.wikipedia.org/wiki/Invisible_hand --- Stuart Udall stuart at () cyberdelix dot net - http://www.cyberdelix.net/ --- * Origin: lsi: revolution through evolution (192:168/0.2) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: simple phishing fix, (continued)
- Re: simple phishing fix lsi (Jul 28)
- Re: simple phishing fix Biz Marqee (Jul 28)
- Re: simple phishing fix lsi (Jul 28)
- Re: simple phishing fix Stian Øvrevåge (Jul 29)
- Re: simple phishing fix Peter Besenbruch (Jul 29)
- Re: simple phishing fix lsi (Jul 30)
- Re: simple phishing fix Nick FitzGerald (Jul 30)
- Re: simple phishing fix Peter Besenbruch (Jul 30)
- Re: simple phishing fix lsi (Jul 28)
- Re: simple phishing fix Robert Holgstad (Jul 30)
- Re: simple phishing fix blah (Jul 30)
- Re: simple phishing fix Exibar (Jul 30)
- Re: simple phishing fix Dragos Ruiu (Jul 30)
- Re: simple phishing fix Exibar (Jul 30)
- Re: simple phishing fix Dragos Ruiu (Jul 30)
- Re: [inbox] Re: simple phishing fix Exibar (Jul 30)
- Re: simple phishing fix Randal T. Rioux (Jul 29)
- Re: simple phishing fix Peter Besenbruch (Jul 29)