[Dshield] Anti-Phishing

DigitalNation dshield at digitalnation.ca
Fri Mar 10 19:38:31 GMT 2006


Most online credit card transactions now require CVV2 numbers be inputted.
This is the direction all transactions are headed in. Our merchant provider
has CVV2 as standard and will not process any transaction without it. Visa
here in Canada has been using "VERIFIED by VISA" systems for 2 years now.
All in all, this means that having just the number and expiry doesn't cut it

I think the idea here of bombarding phishers is good one....but like said
previously, you would need to tap into BOTNET or have a widely dispersed
group of systems available to you to pull it off. I have myself gone to
phish sites and inputted BS info by proxy just to tick them off....I would
love to see some sort of application that inputs all kind of false data that
they would have to wade through. Heck, they force us to wade through all the
phish-mail they proliferate.

M. McBride
Security Admin
Vancouver, Canada

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Laura Vance
Sent: Friday, March 10, 2006 11:17 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Anti-Phishing

Jon R. Kibler wrote:

>Greetings All,
>What if we were able to make life more miserable for phishers? Would it 
>slow them down or discourage them?
>Would it be ethical to do so? Legal?
>A thought along those lines: There are dozens of programs available that
will generate 'legitimate' fake credit card numbers, bank account numbers,
etc. There are all sorts of ways to generate lists of names. Use these types
of programs to create millions of bogus identities. Then flood the phishing
site with so much bogus information that it would become a real chore to
sort out the legitimate phish caught from the decoys. To accomplish this
would be simple:
>   1) Visit the phish site and determine the information they are
>   2) Write a simple shell script to generate the required bogus data in
HTTP POST (or whatever method used) format.
>   3) Have the shell script submit the bogus data (netcat, etc.) to the 
>phish site one bogus identity at a time.
>A real dumb phisher may even try to use bogus data and that may be the 
>trigger that gets them caught.
>Just a thought...
>Jon Kibler

The only thing that I would be concerned about is if you randomly 
generate real credit card numbers.  All they have to do to meet the 
criteria for a valid card is start with the correct numbers for the type 
of card and pass the mod-10 test.  There are a finite set of numbers 
that meet those criteria, so the odds that you'll accidentally hit a 
valid number are higher than you might feel comfortable.

When I worked for an online credit card processing company, it amazed me 
how little information you need to successfully run a credit card 
transaction.  All you need is the credit card number and any date in the 
future to use as the expiration date (it does not have to be the real 
expiration date).  All of the other information is there as a 
verification, and the merchant gets charged a higher rate if they pass a 
transaction without it, but the transactions can go through without any 
personally identifiable information.  It's a little scary.  The personal 
information is needed if they want to steal your identity and get more 
credit cards in your name.

The clearing house and cc processor will return special codes if 
information doesn't match, but they won't deny the transaction without 
it.  It's up to the Merchant to deny the transaction at that point to 
prevent the increased transaction fees.  Most legitimate businesses 
follow the standard and deny the transaction, but in this instance we're 
talking about people that don't care.

Laura Vance
Systems Engineer
Winfree Academy Charter Schools

Learn about Intrusion Detection in Depth from the comfort of your own couch:

send all posts to list at lists.dshield.org
To change your subscription options (or unsubscribe), see:

More information about the list mailing list