Re: Scamming the phishers?

[Drsolly <drsollyp () drsolly com>]

On Thu, 28 Sep 2006 Valdis.Kletnieks () vt edu wrote:

> On Thu, 28 Sep 2006 14:15:54 EDT, "Richard M. Smith" said:
> > Is anyone aware of any banks which are creating fake online bank accounts
> > that appear to be valid accounts but with no real money in them?  The idea
> > then is to feed valid login information to the fake accounts to phishers.
>
> Congrats, you've re-invented honeytokens. ;)
>
> > These accounts can then be used by investigators to gather intelligence
> > about how phishers operate.
>
> The problem is, of course, figuring out how to get the bogus credentials
> into the hands of the phishers.
>
> >                             The fake account can also be used to make phish
> > less attractive by wasting phisher's time on financial transactions that
>
> Doubtful you can inject enough bogus accounts to make it less attractive due
> to wasted time - you'd need a fairly large farm of distributed machines in
> likely places.  If they get handed 258 hits from some /24 that has a PTR that
> points to *.fbi.gov or *.bigbank.com, they're not going to take the bait.  So
> you need 258 boxes out in DSL land....

It's a shame that the FBI can't afford an AOL account with non-static IP.


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.