[Dshield] Anti-Phishing

Laura Vance vancel at winfreeacademy.com
Fri Mar 10 19:17:25 GMT 2006

Jon R. Kibler wrote:

>Greetings All,
>What if we were able to make life more miserable for phishers? Would it slow them down or discourage them? 
>Would it be ethical to do so? Legal?
>A thought along those lines: There are dozens of programs available that will generate 'legitimate' fake credit card numbers, bank account numbers, etc. There are all sorts of ways to generate lists of names. Use these types of programs to create millions of bogus identities. Then flood the phishing site with so much bogus information that it would become a real chore to sort out the legitimate phish caught from the decoys. To accomplish this would be simple:
>   1) Visit the phish site and determine the information they are collecting.
>   2) Write a simple shell script to generate the required bogus data in HTTP POST (or whatever method used) format.
>   3) Have the shell script submit the bogus data (netcat, etc.) to the phish site one bogus identity at a time.
>A real dumb phisher may even try to use bogus data and that may be the trigger that gets them caught.
>Just a thought...
>Jon Kibler

The only thing that I would be concerned about is if you randomly 
generate real credit card numbers.  All they have to do to meet the 
criteria for a valid card is start with the correct numbers for the type 
of card and pass the mod-10 test.  There are a finite set of numbers 
that meet those criteria, so the odds that you'll accidentally hit a 
valid number are higher than you might feel comfortable.

When I worked for an online credit card processing company, it amazed me 
how little information you need to successfully run a credit card 
transaction.  All you need is the credit card number and any date in the 
future to use as the expiration date (it does not have to be the real 
expiration date).  All of the other information is there as a 
verification, and the merchant gets charged a higher rate if they pass a 
transaction without it, but the transactions can go through without any 
personally identifiable information.  It's a little scary.  The personal 
information is needed if they want to steal your identity and get more 
credit cards in your name.

The clearing house and cc processor will return special codes if 
information doesn't match, but they won't deny the transaction without 
it.  It's up to the Merchant to deny the transaction at that point to 
prevent the increased transaction fees.  Most legitimate businesses 
follow the standard and deny the transaction, but in this instance we're 
talking about people that don't care.

Laura Vance
Systems Engineer
Winfree Academy Charter Schools

More information about the list mailing list