By joining our community you will have the ability to post topics and access other forums reserved for members. Registration is quick, simple and absolutely free. Join our community today by clicking here. - Internet Anti-Fraud Center - now open!

 Rendering Phishing Sites/Forms Useless::Concept::

View next topic
View previous topic
Post new topicReply to topic
Author Message
Hello I'm New here!

Joined: 13 May 2009
Posts: 3

PostPosted: Wed May 13, 2009 8:25 am Reply with quoteBack to top

Ok, call me out for being new ::obviously:: but I had an idea that I thought worth sharing that I just don't have the time right now to pursue farther yet. Primarily an idea to render phishing web sites useless to those using them(from email address phishing, to bank/credit account, to even World of Warcraft).

The idea I recalled was several web sites that outline non-violent ways to get back at regular junk mailers. Stuff with prepaid envelopes and the like. Quite literally mailing them back their own junk. Then came across the Pirate Bay's DDo$ attack request, which simply is requesting lots of people to transfer the minimal amount to the target, in the idea that the large numbers raise the transfer costs and eventually the free $1000 they made is cobbled in fees due to the $1000 after with $3000 in transaction fees...
Anyhow, I just realized that was more back story and mind tracing then needed.

The basic idea i've come up with was to just literally fill up phisher's systems with randomly generated junk.
My thinking is/was to setup a tor web server with a simple web site on it that forwards and posts to another site's form. So for example i type my login information to page.html and it gets forwarded to, or Then setup a computer with brutus(word list checker/brute force) to constantly brute force randomly generated passwords against the tor web server's which is in turn pushing it to the target site. Going this route would permit the "attack" to come from an abundance of random IP addresses as well as filling their email/database with false account information, making the legitimate information be a needle in a haystack not worth filtering through.

Also in my thoughts this could be implemented differently, since there is a tor web server involved, the idea is that it could contain an sql db of phishing sites, and it would be constantly cycling through them for each attempt/value. so every time a user/brutus submits a new "theoretical account" login, it moves onto the next one and cycles back. This mixed with lengthening the timers on brutus could result in what would look like constantly incorrect logins and not a timed repetitive attack against a specific server.

I feel that this method would minimize the web programming needed, another thought for implementation would be to replace brutus in some manner.
Setup a collection of possible user logins manually(sql db of user submitted accounts, permit the 419 community to post new names). and use a collection of php/ajax/cgi/java calls to randomly generate infinite fake passwords. Then program a simple web page on the tor web server that automagically pulls a user account from the sql db, and then randomly generates a non-existing password and then submits it to the phishing sites in an ordered sequence(ensures everyone gets a turn). Then it just turns into someone refreshing their page(i know of a firefox addon for this) and getting a "success" or "fail" page while a tor web server just fills phishing sites with invalid information.

Don't know if this has ever been posted, implemented, or if i'm out of line throwing this up there. The primary purpose of tor in this project is to mask the location/information of the "attacking" computer so that it cannot be easily/directly blocked. This also has a secondary benefit of having a computer act within the mask of anonymity, as this sort of effort's legality may be questionable depending on location and implementation.

I'm not much of a programmer, so within my head, this is probably about as far as i can get with this idea. I've got the computing power. plenty of computers can be mindlessly added to the cause(consented botnet?), reminds me of [email protected]
View user's profileSend private message
Nurse Nasty
Baiting Guru

Joined: 31 Aug 2005
Posts: 7253
Location: Australia, where a dingo stole my eski

PostPosted: Wed May 13, 2009 8:29 am Reply with quoteBack to top

First and only real question you need to ask yourself is; Is it illegal?

If yes. Then no, we wouldn't be interested.

Plus we don't really tackle phishing sites. We do kill the occasional one, but we specialize in killing fake banks.

[Support 419Eater] l [Get Premium!] l [Helpful stuff] l [ScamWarners]

vv Nasty Predicaments vv
Musa Crocodile
Comic Lads

Starstarstarstarstar Easter Egg 2012
GoatPurple FlowerMc FryGolden PithGolden Pith
View user's profileSend private messageSkype Name
soylent green
Master Baiter

Joined: 21 May 2004
Posts: 160
Location: Terra Firma

PostPosted: Wed May 13, 2009 9:09 am Reply with quoteBack to top

The downside to this is that it can be used against legitimate sites, as well. The ill feelings generated when one legitimate site goes down because some prankster decided to screw it up will make it bad for everyone here.

You say there are no such pranksters who will try to sabotage such anti-phishing measures? Think again ...

... as the actress said to the bishop.
Closed lad accounts x4

// s.t.
View user's profileSend private message
419Eater is my life

Joined: 10 Jul 2008
Posts: 366

PostPosted: Wed May 13, 2009 10:23 am Reply with quoteBack to top

@@Zaephor be careful of unintended consequences.

I have had a lot experience with phishing sites (and their death and destruction).

The fatal flaw in your plan is the bank site, credit card or whatever site that is also referenced in most phishing scripts validates the password and account information. Only the valid accounts are saved.

The denial of service only impacts the intermediate site, almost always an innocent web site. The intermediate site typically is a club, local store, small internet business, a radio station all innocent.

The final argument is the reason not to do it. If you have enough information to attack the phishing site you also have enough information to kill it and protect the innocent victims who give up passwords and account information.

Phishing scams are based on the predictable statistical distribution of responses. The scams are set up days in advance in most cases and when everything is ready a mass emailing goes out timed to maximize the responses before the intermediate site gets killed.

It is important to kill a site as close to the mailing as possible to minimize the the number of victims. When killing phishing sites, minutes are the appropriate unit.

The simplist route is to forward the phishing email to security at the bank or credit card company. (Google will find the appropriate email address by searching for something like "phishing company-name") Don't assume they have already seen the phishing scam.

Killing phishing sites is nowhere near as much fun as baiting, its usually over in less than ten minutes.

View user's profileSend private message
Hello I'm New here!

Joined: 13 May 2009
Posts: 3

PostPosted: Wed May 13, 2009 5:39 pm Reply with quoteBack to top

Ahh completely forgot about those points. half asleep when i decided to type it and hadn't thought through to the downsides of people abusing it.
View user's profileSend private message
Display posts from previous:      
Post new topicReply to topic

 Jump to:   

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

** Find out information about your IP address **

All Content © 2003 -
Powered by phpBB © 2001, 2002 phpBB Group :S5: FI Theme :: All times are GMT