I gave a talk entitled “Phishing: Conning The Unwary For Fun And Profit” at LugRadio Live 2005. The slides are available, although most of the fun was in the delivery ;-) If I can get hold of an audio recording, I’ll upload that too at some point.
Update 2005-06-28: Apparently the recording didn’t work. Sorry :-(
Is it just me, or is something not working with the JavaScript? I had to go forward twice and back once to read the text.
The text has incremental display… Be patient ;-)
How does a “stroppy” registrar help? Did you mean “sloppy” or am I just missing the point?
Sorry – “stroppy” is used in the UK as “argumentative and uncooperative”. It helps because if some anti-phishing group tries to get your fake domain removed from the DNS, using some of the less cooperative registrars gives your site extra life (hours or days).
I enjoyed Gerv’s talk, especially the Diplomatic immunity style points at the beginning even though he did try to steal MrBen’s breakfast in the morning.
Gerv – annoyed that I missed your talk – the timing got messed up. Will hopefully catch it at some point on audio, although there’s been a bit of a problem with that from the LR side of things :(
Meant to catch up with you over the weekend, but didn’t realise you were leaving early on Saturday.
Check out http://www.thefreelyproject.org if you’ve not already seen.
:)
Well done! I’d think Step 4 might gain style points for not just using one rooted box, but a whole botnet. Extra bonus points for using a series of open redirects that can be changed on the fly to get to the final destination (needed in case one of the rooted boxes gets turned off).
I got a great email the other week, which:
I visited the alleged password checker page, and my browser shouted warnings about the certificate not being signed by a recognised CA. If you accepted the certificate, you got to a site which simply asserted “Is this web page secure? Yes, it’s safe to enter your password into this web page.”
And the funny thing was …
… it was all completely genuine and above board.
I think our IT people may have seriously undermined any efforts to educate people about how to recognise phishing.