Shostack + Friends Blog Archive


Should we stop faking phishing data?

In “Stop with the fake phish data,” Justin Mason quotes an anonymous friend complaining about people dumping crap into phishing sites:

Is there any way you can get the word out that dropping a couple hundred fake logins on a phishing site is NOT appreciated??

It creates havoc for those monitoring the drop since it’s an unbelievable waste of time and resources to clean up the file. Also, for those drop files that ‘recycle’ after every 10 entries, valid data is lost.

It also creates havoc for those who get these files and try to notify victims. They waste time, too .. pulling legit info from amongst the trash.

First, I had no idea people were doing this. It seems like at least an interesting idea, and so I’d like to examine the assumptions that seem to underlie the request by Justin’s anonymous friend (JAF).

Firstly, JAF (seems to) presume that his work is roughly equivalent to the phisher’s work, or more expensive. This seems likely true. If you’re a criminal, testing an account is easy: you try to steal from it. If you’re trying to stop them, you have more work to do.

I think a more interesting question is, what fraction of sites are getting hit? Are 10% of phishing sites experiencing this? 90%? I’m curious because it gives us insight into the overlap between the two sets of folks working against phishers. It’s a relatively easy statistical problem: If set 1 has overlap y with set 2, how large is the population being sampled? Ecologists do this all the time. (How can I spell ecologist with a ‘ph?’)

It seems like it’s an interesting possibility for measuring the size of the phishing site world.
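The ecologists’ method the post alludes to is two-sample capture-recapture (the Lincoln-Petersen estimator and Chapman’s bias-corrected form). The following is an added example, not part of the original post: two independent groups each hold a list of phishing sites they have seen, and the size of the overlap gives an estimate of how many sites exist in total. The site identifiers are constructed placeholders, and the choice of estimator is my assumption about what “ecologists do all the time.”

```python
import math

# Constructed sample data standing in for two independent observers' lists of
# phishing sites (say, the people dumping fake logins and the people monitoring
# drop files). Real feeds would carry URLs; these labels are placeholders.
SEEN_BY_DUMPERS = {f"phish-{i:03d}" for i in range(0, 60)}      # 60 sites
SEEN_BY_MONITORS = {f"phish-{i:03d}" for i in range(40, 90)}    # 50 sites, 20 shared

# Caveats a practitioner should keep in mind: the method assumes the two samples
# are independent, every site is equally likely to be seen by either group, and
# the population is closed while sampling. Phishing sites churn quickly, so the
# two observation windows must be short and overlapping for the estimate to mean much.

def lincoln_petersen(n1, n2, m):
    """Classic two-sample estimate N ~ n1*n2/m; undefined when nothing overlaps."""
    if m == 0:
        raise ValueError("no overlap between samples: cannot estimate population")
    return n1 * n2 / m

def chapman(n1, n2, m):
    """Chapman's bias-corrected variant; stays finite even when m == 0."""
    return (n1 + 1) * (n2 + 1) / (m + 1) - 1

def chapman_interval(n1, n2, m, z=1.96):
    """Approximate 95% interval around the Chapman estimate (normal approximation)."""
    var = (n1 + 1) * (n2 + 1) * (n1 - m) * (n2 - m) / ((m + 1) ** 2 * (m + 2))
    n_hat = chapman(n1, n2, m)
    half = z * math.sqrt(var)
    return n_hat - half, n_hat + half

def estimate_population(sample1, sample2):
    """Estimate total sites from two samples; both must key sites the same way."""
    n1, n2 = len(sample1), len(sample2)
    m = len(sample1 & sample2)
    lo, hi = chapman_interval(n1, n2, m)
    return {
        "n1": n1, "n2": n2, "overlap": m,
        "lincoln_petersen": lincoln_petersen(n1, n2, m) if m else None,
        "chapman": chapman(n1, n2, m),
        "chapman_95ci": (lo, hi),
    }

if __name__ == "__main__":
    # With 60 and 50 observed sites sharing 20, the point estimate is about 150.
    print(estimate_population(SEEN_BY_DUMPERS, SEEN_BY_MONITORS))
```

The fraction of sites JAF sees that already carry a fake-data dump is exactly the overlap term, so his complaint is also the raw material for this estimate.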

Photo: “Fish” by Wistine.

3 comments on "Should we stop faking phishing data?"

  • Justin says:

    Hey Adam! I’ve passed it on — let’s see if there’s further comment.

  • JAF says:

    Sorry for the delay .. things have been a bit hectic.
    I can’t tell you ‘by the numbers’ how many sites are being hit with fake data of the type we’re discussing.
    …[ Firstly, JAF (seems to) presume that his work is roughly equivalent to the phisher’s work, or more expensive ]…
    Will you please explain this?
    All phishing sites have a limited number of entries by those who recognize it for what it is and fill out the requested data accordingly .. questioning the parental lineage of the scammer or other scatological commentary.
    What I’m addressing is the ‘dump’ of hundreds of authentic-looking, but fake entries into a data file. In quantity, they’re clearly recognizable. On several forums I have seen posted that this is something ‘fun’ to do .. that somehow this ‘teaches the scammer’ something not quite defined. It doesn’t.
    The ‘wow, isn’t this fun’ activity does nothing to resolve/remove that phishing site. Perhaps if those who consider this amusing would, instead, report the site to any number of anti-phishing groups such as:
    Anti-Phishing Working Group:
    ..we’d be able to investigate and terminate the sites in a better time frame and reduce the actual numbers of ID theft victims.
    Thanks …

  • Adam says:

    My comment about expense should have said “assume” not “presume.” What I meant is that if it costs you and a phisher the same effort to validate an account, then dumping hundreds of fake accounts into the site might be a worthwhile thing because it absorbs lots of phisher time, and may help banks identify phishing data exploitation.
    Also the question of resolving (closing) the site isn’t the only question.
    Without any disrespect to the APWG or castlecops, I don’t think they have all the data we’d like to have. For example, imagine that tomorrow, Congress asked the FBI how many agents they’d need to shut down this problem. Do we have data to tell us how big it is? How many people are involved? I haven’t seen such, and I’m interested in seeing if we can get that sort of data.
