[funsec] Scamming the phishers?
Valdis.Kletnieks at vt.edu
Thu Sep 28 15:30:29 CDT 2006
On Thu, 28 Sep 2006 14:15:54 EDT, "Richard M. Smith" said:
> Is anyone aware of any banks which are creating fake online bank accounts
> that appear to be valid accounts but with no real money in them? The idea
> then is to feed valid login information to the fake accounts to phishers.
Congrats, you've re-invented honeytokens. ;)
> These accounts can then be used by investigators to gather intelligence
> about how phishers operate.
The problem is, of course, figuring out how to get the bogus credentials
into the hands of the phishers.
> The fake account can also be used to make phish
> less attractive by wasting phisher's time on financial transactions that
Doubtful you can inject enough bogus accounts to make it less attractive due
to wasted time - you'd need a fairly large farm of distributed machines in
likely places. If they get handed 258 hits from some /24 that has a PTR that
points to *.fbi.gov or *.bigbank.com, they're not going to take the bait. So
you need 258 boxes out in DSL land....
> never get completed. Things may also get really interesting if the false
> account information is sold to another party for them to steal money.
That does have possibilities. :)
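
One way the bank-side monitoring of such decoy accounts could look, as an added example that is not part of the original thread. The log format, account IDs and addresses are constructed, and pivoting from a honeytoken login to other accounts touched from the same source is an assumption about how investigators would use the signal.

```python
# Added example (not from the original post): honeytoken login detection.
# Log format, account names and IPs are constructed for illustration.
from collections import defaultdict

# Decoy accounts with no real money behind them (hypothetical IDs).
HONEYTOKENS = {"acct-90001", "acct-90002"}

# Constructed sample auth log: timestamp, source IP, account, result.
SAMPLE_LOG = """\
2006-09-28T15:01:02Z 198.51.100.7 acct-10444 OK
2006-09-28T15:03:10Z 203.0.113.50 acct-90001 OK
2006-09-28T15:03:55Z 203.0.113.50 acct-20871 OK
2006-09-28T15:04:30Z 203.0.113.50 acct-31007 FAIL
2006-09-28T15:09:12Z 192.0.2.14 acct-90002 OK
2006-09-28T15:10:00Z 198.51.100.7 acct-10444 OK
malformed line
"""

def parse(log):
    """Yield (timestamp, ip, account, result) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)

def analyze(log, honeytokens=HONEYTOKENS):
    """Return (hits, exposed).

    hits:    ip -> honeytoken accounts that ip tried (any use is suspicious,
             since no legitimate customer holds these credentials)
    exposed: ip -> real accounts touched from an ip that also used a honeytoken
    """
    events = list(parse(log))
    hits = defaultdict(set)
    for _, ip, account, _ in events:
        if account in honeytokens:
            hits[ip].add(account)
    exposed = defaultdict(set)
    for _, ip, account, _ in events:
        # Failed attempts count too: the credential was still being tested.
        if ip in hits and account not in honeytokens:
            exposed[ip].add(account)
    return dict(hits), dict(exposed)

if __name__ == "__main__":
    hits, exposed = analyze(SAMPLE_LOG)
    for ip, accounts in sorted(hits.items()):
        print(f"{ip} used honeytoken(s) {sorted(accounts)}; "
              f"real accounts to review: {sorted(exposed.get(ip, set()))}")
```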