June 25, 2005

Phishing: Conning The Unwary For Fun And Profit

I gave a talk entitled "Phishing: Conning The Unwary For Fun And Profit" at LugRadio Live 2005. The slides are available, although most of the fun was in the delivery ;-) If I can get hold of an audio recording, I'll upload that too at some point.

Update 2005-06-28: Apparently the recording didn't work. Sorry :-(

Posted by gerv at June 25, 2005 10:03 PM
Comments

Is it just me, or is something not working with the JavaScript? I had to go forward twice and back once to read the text.

Posted by: Alan Trick at June 26, 2005 7:43 AM

The text has incremental display... Be patient ;-)

Posted by: Gerv at June 26, 2005 9:23 AM

How does a "stroppy" registrar help? Did you mean "sloppy" or am I just missing the point?

Posted by: Simon at June 26, 2005 12:56 PM

Sorry - "stroppy" is used in the UK as "argumentative and uncooperative". It helps because if some anti-phishing group tries to get your fake domain removed from the DNS, using some of the less cooperative registrars gives your site extra life (hours or days).

Posted by: Gerv at June 26, 2005 2:18 PM

I enjoyed Gerv's talk, especially the Diplomatic immunity style points at the beginning even though he did try to steal MrBen's breakfast in the morning.

Posted by: ScottMac at June 26, 2005 7:46 PM

Gerv - annoyed that I missed your talk - the timing got messed up. Will hopefully catch it at some point on audio, although there's been a bit of a problem with that from the LR side of things :(

Meant to catch up with you over the weekend, but didn't realise you were leaving early on Saturday.

Check out http://www.thefreelyproject.org if you've not already seen.

:)

Posted by: mrben at June 27, 2005 4:34 PM

Well done! I'd think Step 4 might gain style points for not just using one rooted box, but a whole botnet. Extra bonus points for using a series of open redirects that can be changed on the fly to get to the final destination (needed in case one of the rooted boxes gets turned off).

Posted by: Miles Libbey at July 1, 2005 12:32 AM

I got a great email the other week, which:

  • Claimed to be from the IT support department at work.
  • Stated that my password on the windows systems didn't meet the password complexity rules, and that if I didn't change it soon to a compliant password my account might be disabled.
  • Stated that the one sure way of knowing whether a new password is compliant is to use the "password checker" web page, and included a link in the email.

I visited the alleged password checker page, and my browser shouted warnings about the certificate not being signed by a recognised CA. If you accepted the certificate, you got to a site which simply asserted "Is this web page secure? Yes, it's safe to enter your password into this web page."

And the funny thing was ...

... it was all completely genuine and above board.

I think our IT people may have seriously undermined any efforts to educate people about how to recognise phishing.

Posted by: Alan at July 8, 2005 7:14 PM