The Spam Diaries

News and musings about the fight against spam.
 by Edward Falk

Monday, April 03, 2006

Fighting phishing by poisoning the database

c|net has an article about a denial of service attack being used to fight phishers: Fighting fraud by baiting phishers.

In short, the Cyota division of RSA Security monitors spam traps for phishing sites. Along with the usual procedure of contacting the phisher's service provider and having the web site taken down, Cyota also floods the phisher's form with thousands of bogus entries. The idea is that any data obtained from the genuine victims of the phish is lost among the bogus data, making the harvested data impractical to use. The technique is called dilution.

I wrote about a similar technique in January. There are a number of spam-fighting tools, such as FormFlood, that flood a mortgage spammer's leads database with so many bogus entries as to make it useless.

There has been some discussion of Cyota on the net-abuse newsgroups over whether fighting phishing with such DoS attacks constitutes fighting abuse with abuse. The consensus (and my own opinion) is that database poisoning is a legitimate, and even admirable, technique.

Another site that performs the same service is


Blogger my0p said...

Personally, I see nothing wrong with flooding phishers with bogus information. It is akin to baiting 419ers to waste their time, resources and hopefully make them spend $$$. OTOH, there is also a site called where one can bring down servers of phishing sites by DOS or some other method. This bringing down of webservers of phishing sites is the part I just cannot agree with completely.

6:27 PM  
Blogger Unknown said...

The site now appears to be up for sale but the previous owner is not asking a huge amount ($1,500). Perhaps a professional phisher will now be able to purchase it and ensure that his little scams are unaffected.

Personally I think that all banks should invite customers to sign up for a "Fish for the phisher" additional account when they sign up for online banking and every time they get a phishing e-mail they send through the fake details.

The fake details send the phisher to a non-existent account, containing non-existent funds, that the phisher then tries to empty. The phisher puts in the bank account details that they wish to transfer the money to and the bank's systems, in full knowledge that this is a "Fish for the phisher" set of banking details, logs the details of the bank account, pretends to transfer the funds and the owner of the account is tracked and hopefully caught upon subsequent transfer or attempted collection.

The effects of this would be threefold:

1. The bank would be able to catch phishers who were too stupid to realise they were being fed a line.

2. Phishers who are a bit more savvy and keep up with the safety measures imposed by banks would stop using this method of fraud in case they were being fed a line.

3. By asking customers to supply a set of anti-phishing login details that they could use to respond to phishing e-mails, they would heighten customer awareness of this fraudulent practice.

Just my two penneth anyway.

6:54 AM  
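The "Fish for the phisher" scheme in the comment above is, in today's terms, a honeytoken credential: a decoy login that is never used for real banking, so any session opened with it is known to come from a phishing campaign. The sketch below is an added example, not code from the original post or from any bank. Every customer name, balance, password, IP address and account number in it is constructed, and the keyed-hash credential store is an illustrative choice, not a real bank's design. It shows the two properties the commenter relies on: the decoy path must be indistinguishable from the real one to the phisher (same responses, plausible balance), and it must record the destination account of every attempted transfer for investigators while moving no money.

```python
"""Honeytoken ("Fish for the phisher") credentials, as sketched in the comment above.

Added example, not code from the original post or from any real bank. All names,
passwords, balances, IPs and account numbers are constructed. Each customer is
issued a second, decoy login that only ever gets typed into phishing forms. A
session opened with decoy credentials is therefore the phisher's, so the bank
serves a fake balance, "accepts" the transfer without moving money, and logs
the destination account.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed demo secret; a real deployment keeps this in an HSM or secrets manager.
PEPPER = b"demo-pepper-not-for-production"


def cred_hash(username: str, password: str) -> str:
    """Keyed hash of a credential pair so stored entries do not reveal plaintext."""
    msg = f"{username}\x00{password}".encode()
    return hmac.new(PEPPER, msg, hashlib.sha256).hexdigest()


@dataclass
class Session:
    customer: str          # the real customer this login belongs to
    honeytoken: bool       # True when opened with decoy credentials
    balance: float         # real balance, or the decoy balance shown to the phisher


@dataclass
class Alert:
    customer: str          # whose decoy was used (they forwarded the phishing mail)
    source_ip: str
    event: str             # "login" or "transfer"
    dest_account: Optional[str] = None
    amount: Optional[float] = None


@dataclass
class Bank:
    real: Dict[str, str] = field(default_factory=dict)        # cred hash -> customer
    balances: Dict[str, float] = field(default_factory=dict)  # customer -> balance
    decoys: Dict[str, str] = field(default_factory=dict)      # cred hash -> customer
    alerts: List[Alert] = field(default_factory=list)

    def open_account(self, customer: str, username: str, password: str, balance: float) -> None:
        self.real[cred_hash(username, password)] = customer
        self.balances[customer] = balance

    def issue_decoy(self, customer: str, username: str, password: str) -> None:
        """Customer opts in to 'Fish for the phisher' and receives decoy credentials."""
        self.decoys[cred_hash(username, password)] = customer

    def login(self, username: str, password: str, source_ip: str) -> Optional[Session]:
        h = cred_hash(username, password)
        if h in self.decoys:
            customer = self.decoys[h]
            self.alerts.append(Alert(customer, source_ip, "login"))
            # Plausible-looking decoy balance (constructed); must not reveal itself as fake.
            return Session(customer, True, 4812.37)
        if h in self.real:
            customer = self.real[h]
            return Session(customer, False, self.balances[customer])
        return None

    def transfer(self, session: Session, dest_account: str, amount: float, source_ip: str) -> str:
        """Same status string on both paths so the phisher cannot tell them apart."""
        if session.honeytoken:
            self.alerts.append(Alert(session.customer, source_ip, "transfer", dest_account, amount))
            return "accepted"          # nothing moves; the request is only logged
        if amount > self.balances[session.customer]:
            return "insufficient funds"
        self.balances[session.customer] -= amount
        return "accepted"

    def mule_accounts(self) -> Set[str]:
        """Destination accounts named by phishers: the list to hand to the receiving bank."""
        return {a.dest_account for a in self.alerts if a.event == "transfer" and a.dest_account}


def build_demo_bank() -> Bank:
    """Constructed sample data: one customer with a real login and an opted-in decoy."""
    bank = Bank()
    bank.open_account("alice", "alice", "correct-horse-battery", 1200.00)
    bank.issue_decoy("alice", "alice.decoy", "decoy-pass-1")
    return bank


if __name__ == "__main__":
    bank = build_demo_bank()
    # Alice types her decoy credentials into a phishing form; the phisher logs in with them.
    s = bank.login("alice.decoy", "decoy-pass-1", "198.51.100.77")
    print("honeytoken session:", s.honeytoken, "shown balance:", s.balance)
    print(bank.transfer(s, "DEMO-MULE-0001", 2500.00, "198.51.100.77"))
    print("real balance still", bank.balances["alice"])
    print("mule accounts:", bank.mule_accounts())
```

The operational caveats are the ones the commenter's third point hints at: customers must understand that the decoy is only ever to be given to phishers, never used themselves, and the decoy path must return the same responses, with the same timing, as the real one, or the "savvy" phisher of point two simply learns to test for it.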
