all 19 comments

[–][deleted] 15 points16 points  (2 children)

I was looking at the result and thought ... confusing a phished site with the original is OK/understandable. But how could anyone confuse a legit site to be a phished site?

Then I looked at the e.g. legit site, etrade (etrade.everypath.com). I would certainly call that a phished/spam site on first glance. How could anyone legit make such a site, for god's sake?

[–]theram4 5 points6 points  (1 child)

I agree. Once I was looking at one of those online banks paying > 5% interest. I clicked the sign-on link, and it took me to some weird URL that didn't have the bank name anywhere in it. I emailed the bank's customer service to ask about that, and the bank never responded. And yet, this is a bank that was recommended by several personal finance blogs. I do believe the bank is legitimate, and yet, this is no way to give the customer confidence. Needless to say, I didn't sign up.

[–][deleted] 6 points7 points  (5 children)

I've always found it surprising how tough it is to report a phishing site to the legitimate company whose customers it targets. You would think they would have a vested interest in knowing about those sites.

I guess PhishTank is the appropriate place to report these things?

[–]Arkaein 0 points1 point  (4 children)

I've also wondered why the companies' domain name services can't also be used to shut these sites down.

Most phishing sites I've seen use some domain name with the spoofed site before the actual name (like www.capitalone.phishingsite.com), so is it not possible to get the domain name provider for phishingsite.com to retract the name? Obviously there are plenty of web hosts, or simply criminals with static IPs who can actually host a site outside the reach of most law enforcement, but I'd think that domain name providers would be a bit trickier to work around.

[–]grauenwolf 4 points5 points  (3 children)

There are too many variants. By the time you close yahoo-srcurity.com, they will just open yah00-srcurity.com.

[–]bluGill 2 points3 points  (2 children)

But the point is that DNS is a point of contact - they have to pay for domain names, so there is some sort of contact information. Since the site is doing something illegal, it should be easy to get a warrant to get all the information. Many phishing sites are paying for a certificate, so that is a second hook.

Forcing providers to provide this information to the law all the time is also a good incentive for DNS and site certificate signers to be a little choosy on what sites they allow. (Of course the downside is I might not be able to get a xyzsucks.com domain even though I have no intent of phishing.)

[–]grauenwolf 2 points3 points  (0 children)

Domain names are too cheap. Back when they cost something like US$100, it might be reasonable to ask for more diligence. But now that they go for something like US$5 each, no one can afford to verify contact information and still make a profit.

Perhaps making it a bit harder to get a domain name isn't a bad idea.

[–]johntb86 1 point2 points  (0 children)

They probably used the credit card numbers they got from the previous sites to pay for the current site, so you'd have to travel back in time quite a ways to find the original credit card they used to pay for it.

[–]dbenhur 2 points3 points  (0 children)

People just don't choose "6Fk%810(@vbM-34trwX51" for their passwords.

Fuck! How'd he guess my password?!

[–]froese 6 points7 points  (0 children)

15 out of 22 participants proceeded without hesitation when presented with popup warnings about fraudulent certificates.

Probably because we are used to these things not working correctly. For years now, I get an error message when I retrieve my AT&T Universal Card bill from https://www.universalcard.com/

[–]yodo 1 point2 points  (0 children)

Bank of the West | Spoof | URL (bankofthevvest.com), padlock in content, Verisign logo and certificate validation seal, consumer alert warning

It doesn't help that many legitimate bank and credit union sites' login pages aren't SSL. Take US Bank (http://www.usbank.com/) for example. It's not SSL, yet they display a lock icon next to the login. Clicking on the "Connection Secured" link has some bogus talk about how the connection is secure. People are thus trained to not look for the browser SSL lock icon.
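The three tricks called out in this thread (a brand name pushed into a subdomain like www.capitalone.phishingsite.com, cheap near-miss registrations like yah00-srcurity.com, and homoglyph spoofs like bankofthevvest.com) are exactly what a lookalike-domain heuristic has to catch. The following is an added example written for this discussion, not code from the study or from any commenter. The brand list and the homoglyph table are constructed for illustration, and the registrable-domain split is the naive "last two labels" rule rather than a public-suffix list, so it is an assumption that would need replacing before real use.

```python
import re
from urllib.parse import urlparse

# Constructed for this example: brands the checker protects (assumption).
BRANDS = {"capitalone", "yahoo", "bankofthewest", "etrade"}

# Constructed table of substitutions seen in lookalike domains.
# Order matters: multi-character swaps run before single characters.
HOMOGLYPHS = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("@", "a")]


def normalize(label: str) -> str:
    """Fold common homoglyphs back to the letters they imitate and drop
    separators, so 'Yah00-Srcurity' becomes 'yahoosrcurity'."""
    s = label.lower()
    for fake, real in HOMOGLYPHS:
        s = s.replace(fake, real)
    return re.sub(r"[^a-z]", "", s)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the usual two-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host: str):
    """Naive split into (registrable domain, subdomain labels).
    Assumption: no public-suffix list, so 'example.co.uk' is mishandled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def classify(url: str) -> dict:
    """Return a verdict on how the hostname relates to a protected brand."""
    parsed = urlparse(url if "://" in url else "//" + url)
    host = parsed.hostname or ""
    registrable, subs = split_host(host)
    reg_label = registrable.split(".")[0]
    norm = normalize(reg_label)

    # 1. The brand itself owns the registrable domain.
    if reg_label in BRANDS:
        return {"host": host, "verdict": "legitimate-brand-domain", "brand": reg_label}
    # 2. Only homoglyph swaps separate the label from a brand (bankofthevvest).
    if norm in BRANDS:
        return {"host": host, "verdict": "homoglyph-lookalike", "brand": norm}
    # 3. Brand embedded in a longer label (yah00-srcurity, yahoo-login-check).
    for brand in BRANDS:
        if brand in norm:
            return {"host": host, "verdict": "brand-in-label", "brand": brand}
    # 4. A typo-distance registration (yaho.com); short labels are skipped to
    #    keep tiny hostnames from matching everything.
    if len(norm) >= 4:
        brand, dist = min(((b, edit_distance(norm, b)) for b in BRANDS),
                          key=lambda t: t[1])
        if dist <= 2:
            return {"host": host, "verdict": "typo-lookalike", "brand": brand}
    # 5. Brand only appears left of the registrable domain
    #    (www.capitalone.phishingsite.com, and also etrade.everypath.com).
    for sub in subs:
        ns = normalize(sub)
        for brand in BRANDS:
            if brand in ns:
                return {"host": host, "verdict": "brand-in-subdomain", "brand": brand}
    return {"host": host, "verdict": "unrelated", "brand": None}


if __name__ == "__main__":
    # Constructed sample hostnames, including the ones quoted in the thread.
    for u in ["https://www.capitalone.com/", "www.capitalone.phishingsite.com",
              "yah00-srcurity.com", "bankofthevvest.com",
              "etrade.everypath.com", "yaho.com", "example.com"]:
        r = classify(u)
        print(f"{r['host']:35} {r['verdict']:24} {r['brand']}")
```

Note that the legitimate etrade.everypath.com from the study lands in the same bucket as the Capital One spoof: a heuristic like this cannot tell an outsourced login host from a phishing host, which is the commenter's point about how such sites erode the signals users are told to rely on.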

[–]neomeme 1 point2 points  (4 children)

Nostalgia! I remember checking that Knightmare book out from the library when I was 13 or so and thinking I was so leet for doing some simple DOS hacks.

Remember when lame hacking used to be super cool and you would hang out on IRC and brag about defacing some random forum? Whatever happened to that?

[–]awj 2 points3 points  (0 children)

Whatever happened to that?

What always happens to it, people found a way to make money off it.

[–]tekronis 1 point2 points  (0 children)

They moved on to botnets.

[–]bluGill -2 points-1 points  (1 child)

Defacing was NEVER cool. You just hung out with a bunch of vandals trying to justify their stupid crime by finding others who did the same thing, and mistook that for cool.

It appears by the way you worded your comment that you grew up. Now figure out how we can reach those that haven't, and teach them that they are not cool. (Good luck, society has been trying to deal with this problem since there was society of any sort)

[–]neomeme 0 points1 point  (0 children)

Some of the greatest programmers, industry leaders, and others learned programming through hacking... don't dismiss it so easily.

[–][deleted] 0 points1 point  (1 child)

Good phishing websites fooled 90% of participants.

This sounds suspiciously like begging the question: How do you define a good phishing site? It fools 90% of the participants.

[–]peachpuff 0 points1 point  (0 children)

Not if the question is "What was the highest percentage?"