Phishing: Conning The Unwary For Fun And Profit

I gave a talk entitled “Phishing: Conning The Unwary For Fun And Profit” at LugRadio Live 2005. The slides are available, although most of the fun was in the delivery ;-) If I can get hold of an audio recording, I’ll upload that too at some point.

Update 2005-06-28: Apparently the recording didn’t work. Sorry :-(

8 thoughts on “Phishing: Conning The Unwary For Fun And Profit”

  1. Is it just me, or is something not working with the JavaScript? I had to go forward twice and back once to read the text.

  2. How does a “stroppy” registrar help? Did you mean “sloppy” or am I just missing the point?

  3. Sorry – “stroppy” is used in the UK as “argumentative and uncooperative”. It helps because if some anti-phishing group tries to get your fake domain removed from the DNS, using some of the less cooperative registrars gives your site extra life (hours or days).

  4. I enjoyed Gerv’s talk, especially the Diplomatic immunity style points at the beginning even though he did try to steal MrBen’s breakfast in the morning.

  5. Gerv – annoyed that I missed your talk – the timing got messed up. Will hopefully catch it at some point on audio, although there’s been a bit of a problem with that from the LR side of things :(

    Meant to catch up with you over the weekend, but didn’t realise you were leaving early on Saturday.

    Check out http://www.thefreelyproject.org if you’ve not already seen.

    :)

  6. Well done! I’d think Step 4 might gain style points for not just using one rooted box, but a whole botnet. Extra bonus points for using a series of open redirects that can be changed on the fly to get to the final destination (needed in case one of the rooted boxes gets turned off).

  7. I got a great email the other week, which:

    • Claimed to be from the IT support department at work.
    • Stated that my password on the windows systems didn’t meet the password complexity rules, and that if I didn’t change it soon to a compliant password my account might be disabled.
    • Stated that the one sure way of knowing whether a new password is compliant is to use the “password checker” web page, and included a link in the email.

    I visited the alleged password checker page, and my browser shouted warnings about the certificate not being signed by a recognised CA. If you accepted the certificate, you got to a site which simply asserted “Is this web page secure? Yes, it’s safe to enter your password into this web page.”

    And the funny thing was …

    … it was all completely genuine and above board.

    I think our IT people may have seriously undermined any efforts to educate people about how to recognise phishing.