Phishing: Conning The Unwary For Fun And Profit

I gave a talk entitled “Phishing: Conning The Unwary For Fun And Profit” at LugRadio Live 2005. The slides are available, although most of the fun was in the delivery ;-) If I can get hold of an audio recording, I’ll upload that too at some point.

Update 2005-06-28: Apparently the recording didn’t work. Sorry :-(

8 thoughts on “Phishing: Conning The Unwary For Fun And Profit”

  1. Is it just me, or is something not working with the JavaScript? I had to go forward twice and back once to read the text.

  2. How does a “stroppy” registrar help? Did you mean “sloppy” or am I just missing the point?

  3. Sorry – “stroppy” is used in the UK as “argumentative and uncooperative”. It helps because if some anti-phishing group tries to get your fake domain removed from the DNS, using some of the less cooperative registrars gives your site extra life (hours or days).

  4. I enjoyed Gerv’s talk, especially the Diplomatic immunity style points at the beginning even though he did try to steal MrBen’s breakfast in the morning.

  5. Gerv – annoyed that I missed your talk – the timing got messed up. Will hopefully catch it at some point on audio, although there’s been a bit of a problem with that from the LR side of things :(

    Meant to catch up with you over the weekend, but didn’t realise you were leaving early on Saturday.

    Check out if you’ve not already seen.

  6. Well done! I’d think Step 4 might gain style points for not just using one rooted box, but a whole botnet. Extra bonus points for using a series of open redirects that can be changed on the fly to get to the final destination (needed in case one of the rooted boxes gets turned off).

  7. I got a great email the other week, which:

    • Claimed to be from the IT support department at work.
    • Stated that my password on the windows systems didn’t meet the password complexity rules, and that if I didn’t change it soon to a compliant password my account might be disabled.
    • Stated that the one sure way of knowing whether a new password is compliant is to use the “password checker” web page, and included a link in the email.

    I visited the alleged password checker page, and my browser shouted warnings about the certificate not being signed by a recognised CA. If you accepted the certificate, you got to a site which simply asserted “Is this web page secure? Yes, it’s safe to enter your password into this web page.”

    And the funny thing was …

    … it was all completely genuine and above board.

    I think our IT people may have seriously undermined any efforts to educate people about how to recognise phishing.