I have always wanted to beat “phishers” at their own game. Briefly, a phishing scam creates a page that looks like a legitimate site, requesting user name and password information. The scammers send phony requests via electronic mail under a variety of pretenses, urging customers to follow the enclosed link. Instead of going to your bank or eBay or PayPal, the link goes to their rogue server that looks like a legitimate site and the information is logged there for subsequent criminal activity.
As a rule, if everyone who received a phishing attempt (or a mortgage solicitation, for that matter) took the time to follow the link and input bogus data, the scam or solicitation would instantly be rendered ineffective. The criminals would be faced with sorting through thousands of garbage records in order to locate the actual victims.
Unfortunately, as a society we don't do all that well at things that benefit the "collective good", so we're stuck with scams in our mailboxes.
But AJAX changes that.
I have often thought: what better way to beat the capture of confidential information from gullible users than to flood phishing databases with useless data? The main problem is that it takes a little time, some programming expertise, and a web server to really do a good job.
My guess is that the proportion of technically savvy people who receive phishing attempts has to be at least as high as the proportion of gullible users. So if those of us with web skills generate scripts that in turn generate thousands of bogus requests, we at least make life difficult for the criminal element.
The benefit of AJAX is that you can use it to generate automated page requests right from the browser. A relatively simple bit of JavaScript code can put random data into a request, then direct it at the rogue server. You can share this page with your not-so-savvy friends, just to make IP address filtering more difficult for the scammers.
The process is pretty simple: look at the source of the scam page, figure out what fields are in the form’s request back to the server, then create an AJAX request that fills the form with random but correctly formatted data. Post the request to the server, then loop back and do it again. Repeat until someone takes the server down.
Someone could even write a little library to generate phone numbers, valid state codes, valid postal codes and credit card numbers, and then it would be even easier. I wish I had the time.
Hello,
how are you going to identify the phishing site?
This thing is only possible when we know a particular site is phishing.
SREE
[Ed. Note: Come on, it’s not really that hard. When the text in the link says PayPal.com, but the link goes to http://www.paypal.com.somesite.cn, you can be pretty sure it’s phishing. Good mail clients like Thunderbird will warn you about links like this. Good browsers like Firefox will present a warning dialogue when you try to open a reported phishing site. Isn’t that enough?]
What about phishing links in email? The user cannot identify them by eye, and the anti-phishing tools are not doing their best.
Do you have any more ideas about fighting phishing?
[Ed. Note: Aside from educating users a bit, I’m not sure what more the tools can do. I can only speak for Thunderbird, but if the URL in the link doesn’t match the text in the link: (1) it pops up a very clear warning; (2) If you hover over the link, you can see the actual target URL in the status. That pretty much does it all for me. Lately the most popular phish attempts seem to all be related to Google AdWords… it’s pretty simple to ask “gee, is the domain in this URL actually google.com or not?” If not, then the message is a phish.]
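The two editor's notes above both boil down to the same check: does the host the link actually points at belong to the domain the link text claims? The following is an added example (not code from the original post or its author) that performs that comparison with the WHATWG `URL` parser available in browsers and Node.js. The `SAMPLE_LINKS` list is constructed for illustration, and `baseDomain` uses a deliberate simplification (last two labels) rather than the Public Suffix List.

```javascript
// Added example: flag anchors whose visible text names one domain while the
// href actually resolves to a different host (the PayPal.com vs.
// paypal.com.somesite.cn case from the note above).

// Extract a hostname from the visible link text. Accepts "PayPal.com" or
// "https://www.paypal.com/login"; returns null when the text is not a domain
// at all ("click here"), since then there is no claim to compare against.
function hostFromText(text) {
  const trimmed = text.trim();
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(trimmed);
  const candidate = hasScheme ? trimmed : 'http://' + trimmed;
  try {
    const host = new URL(candidate).hostname.toLowerCase();
    // Require at least two labels so a bare word is not treated as a domain.
    return /^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(host) ? host : null;
  } catch {
    return null; // spaces or other forbidden host characters: not a URL
  }
}

// Simplified registrable domain: the last two labels. Real deployments should
// consult the Public Suffix List (this is an assumption, not a complete rule).
function baseDomain(host) {
  return host.split('.').slice(-2).join('.');
}

// True when `host` is `domain` or a subdomain of it, matching whole labels
// from the right: www.paypal.com belongs to paypal.com, but
// paypal.com.somesite.cn does not.
function belongsTo(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Compare the claimed domain (from link text) with the actual target host.
// Returns one of: 'invalid-href', 'no-claim', 'consistent', 'mismatch'.
function checkLink(linkText, href) {
  const claimed = hostFromText(linkText);
  let actual;
  try {
    actual = new URL(href).hostname.toLowerCase();
  } catch {
    return { verdict: 'invalid-href', claimed, actual: null };
  }
  if (claimed === null) {
    return { verdict: 'no-claim', claimed, actual };
  }
  const ok = belongsTo(actual, baseDomain(claimed));
  return { verdict: ok ? 'consistent' : 'mismatch', claimed, actual };
}

// Return only the suspicious entries from a list of {text, href} pairs, e.g.
// gathered from document.querySelectorAll('a') in a mail viewer.
function scanLinks(links) {
  return links
    .map((l) => ({ text: l.text, href: l.href, ...checkLink(l.text, l.href) }))
    .filter((r) => r.verdict === 'mismatch');
}

// Constructed sample input resembling links found in phishing mail.
const SAMPLE_LINKS = [
  { text: 'PayPal.com', href: 'http://www.paypal.com.somesite.cn/cgi-bin/webscr' },
  { text: 'https://adwords.google.com', href: 'http://google.com.adwords-login.example/' },
  { text: 'click here', href: 'http://somesite.cn/' },
  { text: 'www.example.com', href: 'https://www.example.com/help' },
];

for (const hit of scanLinks(SAMPLE_LINKS)) {
  console.log(`suspicious: text claims ${hit.claimed} but target is ${hit.actual}`);
}
```

In a browser the same `checkLink` can be run over every `<a>` element of a rendered message, with `a.textContent` as the claimed domain and `a.href` as the target; the `no-claim` verdict is the common case for "click here" style links, where only hovering over the link (as the note says) reveals the target.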
Dude, are there any new ideas?
[Ed. Note: I am not working on more ideas. My personal opinion is that current tools are pretty good. The big challenge is educating users and getting them to pay attention to the warnings. My idea is that people should pay attention. Good luck with that!]