A Tour of the Google Blacklist

WienerPizza writes "Michael Sutton takes us on a tour of the Google blacklist, a list of suspected phishing sites. He finds that eBay, PayPal and Bank of America combined account for 63% of the active phishing sites. Amusingly, he also reveals that Yahoo! has a nasty habit of hosting phishing sites that harvest — you guessed it — Yahoo! credentials!"

But it's not a problem

[syousef (465911)]

Try telling Ebay or Paypal that there's a problem. All they do is flood you with propaganda about how they're keeping you safe.

After a bad experience I closed my Paypal account and only use Ebay for small purchases.

Re:But it's not a problem

[AoT (107216)]

PayPal is annoying.I can't start a new account with them because I never verified my old account which was connected to a bank account I no longer have. Not that I really want to, I wouldn't trust those guys any further than I could throw them.

Re:

[mhokie (988228)]

Grace: Well, with your bad knee Ed, you shouldn't throw anybody... Its true.

Re:But it's not a problem

[Jonnty (910561)]

Or define [zug.com] the type of scam you're trying to report. (Scroll down, it's in black, indented courier.)

Re:

[shashark (836922)]

Oh & yes, before you get into the scam - you should know [zug.com] that "Jeff was not heard from again. I personally e-mailed him for permission to run his story on ZUG, but after an initial response, I never heard from him again."

Good Experience with Paypal

[drewzhrodague (606182)]

Am I the only one that has had a good experience with Paypal? I mean, yah normal banks can handle a deposited check, but they also charge a monthly fee. Paypal OTOH cuts me a check for *interest*, and that is ontop of the 1.5% cash back they offer. I can sell junk on EBay, and take my PayPal card right to the liquor store. That's the best banking scenario I can imagine!

Re:

[DerekLyons (302214)]

Am I the only one that has had a good experience with Paypal?

No, you aren't. Like any service - from Slashdot to your local quick-e-mart, Paypal has unsatisfied users. Those unsatisfied with Paypal however are *extremely* vocal.

Re:

[Dun Malg (230075)]

Monthly fee for a bank account? is that commen?

yes

The only case where i would consider paying for a bank account would be a business account..

How nice for you. Most banks require a minimum balance before they waive the monthly service fee. Many people do not have the kind of cash flow necessary to meet the minimum. This is one of the many ways they soak the poor.

Re:

[HistoricPrizm (1044808)]

Dun Malg said:

Most banks require a minimum balance before they waive the monthly service fee.

In my experience, it's just a matter of finding the right bank that has a relationship with someone you also have a relationship with. I get offers for free checking (no minimum balance requirements) through my alumni associations (undergrad and graduate), my wife's employer, my employer, even through the fact that my father-in-law is retired military. Dun Malg also said:

This is one of the many ways they soak the poor.

I don't really think that is a fair portrayal of the situation. Banks charge fees for accounts that don't keep high balan

Re:Good Experience with Paypal

[scottv67 (731709)]

Most banks require a minimum balance before they waive the monthly service fee.
In my experience, it's just a matter of finding the right bank that has a relationship with someone you also have a relationship with. I get offers for free checking (no minimum balance requirements) through my alumni associations (undergrad and graduate), my wife's employer, my employer, even through the fact that my father-in-law is retired military. Dun Malg also said:

This is one of the many ways they soak the poor.
I don't really think that is a fair portrayal of the situation. Banks charge fees for accounts that don't keep high balances because they don't make money on them. Banks are not charitable organizations, they are in business to make money.

Excellent advice on how to locate the "free checking" offers. I have a couple of additional tips:
1) Direct deposit. If your paycheck goes directly to your financial institution, you may be eligible for free checking.
2) Skip the "bank" and check-out a local credit union. As the parent poster said about banks, "they are in business to make money". While banks treat their customers like cattle that can be slowly tapped for blood [wonderclub.com], credit unions treat their customers like...people. I haven't had an account at a "bank" for fifteen years. I am a very happy credit union member.

Re:

[cyberwench (10225)]

Frankly, while I have had better experience in the past with credit unions, my latest experiences have been horrible. It's the sort of thing where they treat you like people and soak you for slightly less than the banks. I think that the smaller credit unions are generally good places to deal with, and the larger they get the more they become like regular banks.

Re:

[Captain Splendid (673276)]

Banks charge fees for accounts that don't keep high balances because they don't make money on them.

Bullshit. Banks are (supposed) to be about aggregation. It shouldn't matter if you have 50 or 50 mil in your account, the bank is still using your money to lend out at higher rates than they pay you.

Question do Sys Admins

[pembo13 (770295)]

Do any of you guys actively block IPs and IP blocks of phishing sites? And also those "fake domains" which just have search results? If so, how is that working out?

Re:Question do Sys Admins

[pestilence669 (823950)]

OpenDNS will do phishing detection for you. Not only that, it'll correct common typos and speedup name resolution on your entire network. Oh yeah, it's also free, but it won't block those annoying fake search pages.

http://opendns.com/ [opendns.com]

Re:Question do Sys Admins

[GigsVT (208848)]

Yeah, because DNS is something that you should obviously trust a single company about!

Who need that old DNS system with the robust infrastructure, when we can have ads pushed on us for every domain we mistype and alongside our search results!

Someone call Verisign and tell them to fire sitefinder back up, these guys need some competition!

Re:

[mr_Spook (458791)]

Sadly, OpenDNS will give you its own fake/crappy search page when you type something wrong. That alone was cause enough for me to stop using it.

Re:

[Arimus (198136)]

You turn it off if you have a static ip address...

Re:Question do Sys Admins

[speculatrix (678524)]

opendns is a copycat of the verisign adware dns trick... it's hoping to achieve success by relying on the many ISPs who are clueless when it comes to running effective dns resolvers.

Re:

[divisionbyzero (300681)]

That's probably not a great solution because some of the servers that host these sites are either compromised or the servers host multiple other legitimate sites or the content on the page has been hijacked from a legitimate site.

If you block all of the IPs on the page you may be blocking legitimate traffic. Would you rather get 1000 complaints that your users can't get to Bank of America or take the risk that 10 users may be duped? Despite the fact that the injury to the duped user is probably greater from

So...

[NightWulf (672561)]

That guy on eBay who told me to use my Bank of America account to send money to Paypal all through his link may not have been legit?

Re:So...

[The Zon (969911)]

You know that guy too? Don't worry, I'm pretty sure he's legit. I just used his service to order some chemicals to clean the dye off of a suitcase full of money I'm splitting with an exiled doctor from Nigeria. Can you believe it? This doctor contacted me right out of the blue, and all I needed was a U.S. bank account and a sympathetic heart. And, except for the chemicals, this is all at no cost to me! I can't believe such a great proposition initially got filtered to my spam folder!

This one made me cry a little inside

[Rude Turnip (49495)]

Here is one of the last entries on the Google blacklist:

+http://zeta-os.com/astats/bankofamerica/......... ..

For those not in the know, Zeta-os.com is/was the successor developer to YellowTab, which was developing a new operating system based on the old BeOS code. Now, zeta-os.com (or at least a part of it) has been reduced to a phishing site. *sigh*

Re:This one made me cry a little inside

[jasonwc (939262)]

I just loaded http://zeta-os.com/astats/bankofamerica/ [zeta-os.com] on Firefox 2.0.0.1 using Firefox's built-in phishing detector using Google to provide the blacklist ["Check by asking Google about each site I visit" option]. It loaded the site just fine, without any warning.

Re:This one made me cry a little inside

[Rude Turnip (49495)]

That's because I truncated the full URL. You have to follow the link in the article to get the whole thing.

Oh, and thanks for modding my little emotional episode as funny, you bastards.

Re:

[Tim C (15259)]

A couple of weeks ago a work mate of mine visited a phishing site he got a scam email about, and filled the form in with a load of bogus data (to help poison their database). It wasn't until after he'd submitted the form that google warned him that the site was a suspected phishing site...

Re:

[AndrewNeo (979708)]

I once got mail pointing to a phishing page on a school's website. Never know where those things are going to pop up..

Someone should start an "anti-spam"...

[PurifyYourMind (776223)]

...that blasts people with security information/education.

Re:

[FirienFirien (857374)]

Unfortunately that would just be confused with the anti-spam spam we already get. Just like the popups advertising popup blockers.

Google's not keeping up

[Jonnty (910561)]

Judging by the huge proportion of the blacklisted sites that are offline (and the tiny fraction that are actually phishing sites) it seems Google isn't taking this seriously enough. There is much, much more than 341 phishing sites in the world. This list should be being updated daily, they should start a way for suggesting sites or, if it exists, make it more visible.

For the only external blacklisting organisation on Firefox, and as the provider for possibly the most widely used toolbar ever, they're not taking this seriously enough. But would any security company come in with a better free blacklist?

Re:Google's not keeping up

[GigsVT (208848)]

They don't have to do this at all.

Any way to suggest sites would be gamed and abused. There are thousands of people in the "search engine optimization" "industry" that are total sleeze.

Re:

[Nasarius (593729)]

Any way to suggest sites would be gamed and abused.

How? How is a tool that allows you to submit URLs for review possible to abuse, aside from simple flooding?

Re:

[Tim C (15259)]

That's simple to abuse. If there really is a human sat there reviewing submitted URLs, then you just DoS it, by flooding it with far more submissions than it's possible to review.

If it's an automatic, "X hits and you're blacklisted" type system, then zombie PC networks will be submitting URLs and getting legitimate sites blacklisted - sure, you probably won't be able to do that to a large, well known site, but there are millions of sites that would be vulnerable.

It's a nice idea, but I personally think that

Re:

[Ravadill (589248)]

In the comments section it's mentioned that the Encoded/Hashed blacklist is larger and more frequently updated than the plain text one.
I assume to prevent phishers using a live plain text list to know when they have been found.

Re:

[hotdiggitydawg (881316)]

they should start a way for suggesting sites or, if it exists, make it more visible.

You mean, like this page [google.com]?

Or, the "Help --> Report Web Forgery" menu in Firefox?

Or, the "Report phishing" option in the dropdown menu in Gmail?

How exactly to you think they should improve availability of this function?

Re:

[simstick (303379)]

I use the phishtank plugin for firefox. And when I have a minute I jump on and rate some submitted phishes. One thing I disagree on is if a site is offline already people vote it as a not phish. I say if they are trying they need to be rated bad to build a history.

Here is a site that has a lot of IPs

[VGfort (963346)]

Banned IP Address [glodev.com] - a lot of them are spammers or fake bots that will look around your website and fill your forms in the attempt to spam you or your forums/blog or whatever else you might have

Pollute the phishing sites

[thewils (463314)]

Go there and put in false information. Make it harder for them to get valid data.

Re:Pollute the phishing sites

[speculatrix (678524)]

mod parent up!

I do this when I have time... ensure you use what look like valid entries for bank a/c and pin values.

I also enter things like "f**k you spammer" into the name fields, so that when they go through to test the captured data, they get to see my opinion of them (yeah, relatively useless I know, but I get tiny twinge of pleasure at the thought)

Re:Pollute the phishing sites

[mindriot (96208)]

Well, I wouldn't write "f**k you spammer" or anything like that, it makes your entries distinguishable. If you want to ensure having a correct credit card number (except for the CVV code, bug the phisher couldn't verify those directly anyway), you could use something like this quick dirty hack I wrote up a few months ago to spam a phishing site using simple wget queries. To read up on the format of valid credit card numbers, see for instance this article on the anatomy of credit card numbers [merriampark.com]. The following code worked for me to create numbers that were accepted by a phishing site I spammed:

my $cc = substr("000000" . int(rand(1000000)), -6); # Any format

# Add 9 digits for the account number
$cc .= int(rand(900000000))+100000000;

# Check digit: Luhn Code
my $checknum = 0;
for (my $j = 0; $j < length($cc); $j++) {
my $val = substr($cc, $j, 1);
if ($j % 2 == 0) {
# These will be doubled
my $v = 2*$val;
$v -= 9 if ($v > 9);
$checknum += $v;
} else {
# These will just be added normally
$checknum += $val;
}
}
# The last digit should add up to a multiple of 10
$cc .= ($checknum%10 != 0)?(10-($checknum%10)):'0';

# Output an expiration date (arbitrary, 2007..2015)
my $month = int(rand(12))+1;
my $year = qw(2007 2008 2009 2010 2011 2012 2013 2014 2015)[int(rand(9))];

# Random CVV2 code
my $cvv = substr("000" . int(rand(1000)), -3);

Re:

[speculatrix (678524)]

erm, I use firefox, and I run linux.. so I presume you are still living in the darkside :-P

Check out the whitelist

[tecker (793737)]

Either Google is really paranoid or they have yet to find a site to put on the whitelist that was linked to.

See for yourself what I mean [google.com] Nothing there.

What?

[8ball629 (963244)]

I tried signing into one of the listed Geocities site and nothing happened... what gives?

You mean to tell me this [geocities.com] is not a legit Yahoo Photos gateway?!

Interesting example for URL redirection

[mdemeny (35326)]

URL Redirection

Another surprising finding was that few of the phishing scams utilized open URL redirectors. This is a known technique whereby phishers identify redirection functionality at a popular website (e.g. Google) and use that functionality to redirect the victim to the targeted phishing site in order to minimize suspicion. Combing through the blacklist did however reveal the following redirection attack using Google AdWords: http://www.google.com/pagead/iclk?sa=l&ai=x&adurl= http://www.s [google.com]

Good help for fishing actually ...

[perenaurel (681620)]

from: a post on full-disclosure [derkeiler.com]:

I just played around a bit with those lists and as it seems,
Google did a splendid job, even capturing some people's login data.
Like here:
http://sb.google.com/safebrowsing/update?version=g oog-black-url:1:7753 [google.com]

Regards,
J.M.
Professional Lurker

Google have fixed this link now but that was funny, most of the logins/passwords were for gmail accounts...

BOA came in right now!

[Rick Richardson (87058)]

Date: Fri, 05 Jan 2007 12:44:23 +0000
From: Bank of America
Subject: Secure SSL server update

[-- text/html is unsupported (use 'v' to view this part) --]

(a) Known for years and (b) not just Yahoo

[Arrogant-Bastard (141720)]

A. This problem has been discussed in depth on various
anti-spam mailng lists and newsgroups for many years.
This long-standing problem has been steadfastly ignored
by Yahoo, who went so far as to dismiss the key people
on their own abuse staff when they tried to address it.

As a consequence, it's now a better-than-even bet
that any site hosted by Yahoo belongs to a spammer,
phisher, spyware injector, child pornographer, scammer
or other lowlife. My own meager list of Yahoo-hosted
dropboxes for such stands at 26,831 this morning and
those are just the ones that brought themselves to
my attention, i.e. I'm passively noting them and not
actively searching them out.

As a result, Yahoo is one of the biggest spam-sending
and spam-supporting operations on the entire Internet.
(Oh, and Geocities is now completely infested. Rejecting
all inbound mail [except anti-spam discussions] that contains
a Geocities URL is a surprising effective tactic.)

B. They're not alone. For instance, MSN BCentral should
be renamed MSN SpamCentral -- it's just as bad. And Hotmail
cheerfully hosts spammer dropboxes by the tens of thousands.

There are others, but what makes these two particularly
annoying is that they make a public show of being anti-spam
by promoting snake-oil like SenderID and DomainKeys, both
of which are worthless. (If it isn't obvious why, then think
about the hundreds of millions of zombies -- hijacked Windows
systems -- out there and consider that their new masters
have possession of all email credentials belonging to their
former owners -- from POP passwords to PGP keys. It is not
possible to solve the forgery problem -- for any useful
definition of "solve" -- without solving this problem first.
Good luck. This same thing applies to SPF and variants, by
the way, all of which are complete failures.)

Another thing that distinguishes them is the absolutely
irresponsible, totally clueless way in which abuse reports
are handled. Most seem to disappear into black holes. The
majority of the rest are returned with semi-literate denials
that the abuse has any connection with their operation -- even
when their own IP address are clearly the source. If you'd
like to browse a huge number of examples of this, go to
Usenet's news.admin.net-abuse.email and search for
"Yahoo clueless" or "Hotmail clueless". Make coffee first.

The bottom line is that both of these services are huge abuse
magnets and have been for years, so I find it curious that
yet another report of the same old thing is deemed noteworthy.

ReGoogle ReSearch

[Doc Ruby (173196)]

How does Google monitor these sites for content updates to update the Google index? Does Google offer the public (or private subscribers) a way to register a website or URL to be polled ongoing? Notification that it's changed? Web services offering "uptime" monitors seem to do this, as does apparently Google News. Can mere mortals access the feature?

www.microsoft.com, www.msn.com ...

[peter303 (12292)]

Hmm, looks suspicious to me.

yahoo phishing site

[TheCybernator (996224)]

i went to mail.yahoo.com and they asked my name and password. i am smart and i fooled them by giving my gmail password.

Mod Papa Funny

[PopeRatzo (965947)]

It made my ass laugh at 6am.