Re: Scamming the phishers?

[Valdis.Kletnieks () vt edu]

On Thu, 28 Sep 2006 14:15:54 EDT, "Richard M. Smith" said:
> Is anyone aware of any banks which are creating fake online bank accounts
> that appear to be valid accounts but with no real money in them?  The idea
> then is to feed valid login information to the fake accounts to phishers.

Congrats, you've re-invented honeytokens. ;)

> These accounts can then be used by investigators to gather intelligence
> about how phishers operate.

The problem is, of course, figuring out how to get the bogus credentials
into the hands of the phishers.

>                             The fake account can also be used to make phish
> less attractive by wasting phisher's time on financial transactions that

Doubtful you can inject enough bogus accounts to make it less attractive due
to wasted time - you'd need a fairly large farm of distributed machines in
likely places.  If they get handed 258 hits from some /24 that has a PTR that
points to *.fbi.gov or *.bigbank.com, they're not going to take the bait.  So
you need 258 boxes out in DSL land....

> never get completed.  Things may also get really interesting if the false
> account information is sold to another party for them to steal money.

That does have possibilities. :)

Attachment: _bin
Description:

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.