A Tour of the Google Blacklist

WienerPizza writes "Michael Sutton takes us on a tour of the Google blacklist, a list of suspected phishing sites. He finds that eBay, PayPal and Bank of America combined account for 63% of the active phishing sites. Amusingly, he also reveals that Yahoo! has a nasty habit of hosting phishing sites that harvest — you guessed it — Yahoo! credentials!"

But it's not a problem

[syousef]

Try telling Ebay or Paypal that there's a problem. All they do is flood you with propaganda about how they're keeping you safe.

After a bad experience I closed my Paypal account and only use Ebay for small purchases.

Re:But it's not a problem

[AoT]

PayPal is annoying.I can't start a new account with them because I never verified my old account which was connected to a bank account I no longer have. Not that I really want to, I wouldn't trust those guys any further than I could throw them.

Re:

[mhokie]

Grace: Well, with your bad knee Ed, you shouldn't throw anybody... Its true.

Re:But it's not a problem

[Jonnty]

Or define [zug.com] the type of scam you're trying to report. (Scroll down, it's in black, indented courier.)

Re:

[shashark]

Oh & yes, before you get into the scam - you should know [zug.com] that "Jeff was not heard from again. I personally e-mailed him for permission to run his story on ZUG, but after an initial response, I never heard from him again."

Good Experience with Paypal

[drewzhrodague]

Am I the only one that has had a good experience with Paypal? I mean, yah normal banks can handle a deposited check, but they also charge a monthly fee. Paypal OTOH cuts me a check for *interest*, and that is ontop of the 1.5% cash back they offer. I can sell junk on EBay, and take my PayPal card right to the liquor store. That's the best banking scenario I can imagine!

Re:

[Jo Owen]

Monthly fee for a bank account? is that commen?

The only case where i would consider paying for a bank account would be a business account.. and i dont think Paypal is suitable for that...

Re:

[Dun Malg]

Monthly fee for a bank account? is that commen?

yes

The only case where i would consider paying for a bank account would be a business account..

How nice for you. Most banks require a minimum balance before they waive the monthly service fee. Many people do not have the kind of cash flow necessary to meet the minimum. This is one of the many ways they soak the poor.

Re:

[HistoricPrizm]

Dun Malg said:

Most banks require a minimum balance before they waive the monthly service fee.

In my experience, it's just a matter of finding the right bank that has a relationship with someone you also have a relationship with. I get offers for free checking (no minimum balance requirements) through my alumni associations (undergrad and graduate), my wife's employer, my employer, even through the fact that my father-in-law is retired military. Dun Malg also said:

This is one of the many ways they soak the poor.

I don't really think that is a fair portrayal of the situation. Banks charge fees for accounts that don't keep high balan

Re:Good Experience with Paypal

[scottv67]

Most banks require a minimum balance before they waive the monthly service fee.
In my experience, it's just a matter of finding the right bank that has a relationship with someone you also have a relationship with. I get offers for free checking (no minimum balance requirements) through my alumni associations (undergrad and graduate), my wife's employer, my employer, even through the fact that my father-in-law is retired military. Dun Malg also said:

This is one of the many ways they soak the poor.
I don't really think that is a fair portrayal of the situation. Banks charge fees for accounts that don't keep high balances because they don't make money on them. Banks are not charitable organizations, they are in business to make money.

Excellent advice on how to locate the "free checking" offers. I have a couple of additional tips:
1) Direct deposit. If your paycheck goes directly to your financial institution, you may be eligible for free checking.
2) Skip the "bank" and check-out a local credit union. As the parent poster said about banks, "they are in business to make money". While banks treat their customers like cattle that can be slowly tapped for blood [wonderclub.com], credit unions treat their customers like...people. I haven't had an account at a "bank" for fifteen years. I am a very happy credit union member.

Re:

[cyberwench]

Frankly, while I have had better experience in the past with credit unions, my latest experiences have been horrible. It's the sort of thing where they treat you like people and soak you for slightly less than the banks. I think that the smaller credit unions are generally good places to deal with, and the larger they get the more they become like regular banks.

Re:

[Captain Splendid]

Banks charge fees for accounts that don't keep high balances because they don't make money on them.

Bullshit. Banks are (supposed) to be about aggregation. It shouldn't matter if you have 50 or 50 mil in your account, the bank is still using your money to lend out at higher rates than they pay you.

No. Banks are about PROFIT.

[Behrooz]

No. Banks are about PROFIT, not aggregation.

Aggregation may be a handy way of profiting, but so are obfuscated pricing structures and excessive fees. Someone with $200 in their account who gets laid off and bounces a check when one of their other checks is late coming in, then bounces ten more within a week because the bank happens to be a little slow notifying them that the first bounced check's overdraft fees wiped out their balance is going to net the bank a lot more than someone with $2,000 in their a

Re:

[Dragonslicer]

I don't remember monthly fees on my old bank accounts, and the minimum balance was $100. My accounts now are at the credit union for my university, which has no fees and a minimum balance on my savings account of only $25.

Re:

[markwalling]

i have no fees, free checks, free atm transactions, cash back on card purchases, and rebates of foreign atm fees... the catch? you have to be ex-military or a (former) dependant of someone.

USAA [usaa.com]

And I love my paypal account too

Re:

[drinkypoo]

Most banks give you free savings with a checking account, and most banks give you free checking with direct deposit. Not weird-ass Washington Mutual though - check this bizarreness out. They give you free checking if you let them automatically move $25 to your savings every month. You can take it out five seconds after the transfer is complete and your checking is still free, so that's what I do, every month. It would be easier for everyone if they just gave me free checking. I only chose them as my bank be

Re:

[cloudmaster]

The last four banks (one of which is a credit union) I've used have had a minimum balance requirement ranging from $0 to $25 in order to have free checking. If you don't have "the cashflow" required to put $25 down up front and consider it spent until you leave the bank (it's not taken from you - you get it back if you leave), then it's arguable whether you need to actually use a bank at all.

They're not soaking the poor, they're soaking the lazy and/or stupid. I guess there's some overlap...

Re:

[Jo Owen]

Another joy of living in the UK it seems, none of the major banks charge for a basic account - nor do they have a minimum balance.

A basic account would consist of a Maestro/Visa card + cheque book. There arn't any charges for writing or cashing a cheque either.

Interesting to find that out about banks over there though

Re:

[zenslug]

I also like PayPal and haven't had any issues with them. Right now I have several thousand dollars in there earning 5%. Much better savings account than my 2% Bank Of America account.

Re:

[orielbean]

If you have credit unions in the area, they are usually very good about no fees for basic checking. And they usually share ATMS with other small banks and so you only get atm fees at the big box banks.

Re:

[DerekLyons]

Am I the only one that has had a good experience with Paypal?

No, you aren't. Like any service - from Slashdot to your local quick-e-mart, Paypal has unsatisfied users. Those unsatisfied with Paypal however are *extremely* vocal.

Question do Sys Admins

[pembo13]

Do any of you guys actively block IPs and IP blocks of phishing sites? And also those "fake domains" which just have search results? If so, how is that working out?

Re:Question do Sys Admins

[pestilence669]

OpenDNS will do phishing detection for you. Not only that, it'll correct common typos and speedup name resolution on your entire network. Oh yeah, it's also free, but it won't block those annoying fake search pages.

http://opendns.com/ [opendns.com]

Re:Question do Sys Admins

[GigsVT]

Yeah, because DNS is something that you should obviously trust a single company about!

Who need that old DNS system with the robust infrastructure, when we can have ads pushed on us for every domain we mistype and alongside our search results!

Someone call Verisign and tell them to fire sitefinder back up, these guys need some competition!

Re:

[mr_Spook]

Sadly, OpenDNS will give you its own fake/crappy search page when you type something wrong. That alone was cause enough for me to stop using it.

Re:

[Arimus]

You turn it off if you have a static ip address...

Re:Question do Sys Admins

[speculatrix]

opendns is a copycat of the verisign adware dns trick... it's hoping to achieve success by relying on the many ISPs who are clueless when it comes to running effective dns resolvers.

Re:

[divisionbyzero]

That's probably not a great solution because some of the servers that host these sites are either compromised or the servers host multiple other legitimate sites or the content on the page has been hijacked from a legitimate site.

If you block all of the IPs on the page you may be blocking legitimate traffic. Would you rather get 1000 complaints that your users can't get to Bank of America or take the risk that 10 users may be duped? Despite the fact that the injury to the duped user is probably greater from

Re:

[ACMENEWSLLC]

We actively block these sites with Surfcontrol & eSafe. These product has a phishing category.

Though I must admit, they don't keep up with the number of sites which are phishing. It's more of a marketing thing than actual protection. Though I do see a log showing a user blocked from a phishing site from time to time. www.hackcanada.com being the only one I see in the last 12 hours.

So...

[NightWulf]

That guy on eBay who told me to use my Bank of America account to send money to Paypal all through his link may not have been legit?

Re:So...

[The Zon]

You know that guy too? Don't worry, I'm pretty sure he's legit. I just used his service to order some chemicals to clean the dye off of a suitcase full of money I'm splitting with an exiled doctor from Nigeria. Can you believe it? This doctor contacted me right out of the blue, and all I needed was a U.S. bank account and a sympathetic heart. And, except for the chemicals, this is all at no cost to me! I can't believe such a great proposition initially got filtered to my spam folder!

The list still isnt big enough

[Benaiah]

I still get phishing emails and see sites every week. It will be a glorious day when phishing sites and emails can be shutdown within seconds of being setup. This has the downside, that if google can do it with phishing. What if the government forces them to do it with something like pr0n? or build a p2p blacklist?

Re:

[anakha]

Or political dissidents perhaps?

Re:

[photomonkey]

Yeah, it really sucks. You want everything exactly your way, only to discover that you might have to put up with someone else in order to do what you want.

Shucks, I should be the only person allowed to use the InterTubes. Ever.

Mod Papa Funny

[PopeRatzo]

It made my ass laugh at 6am.

This one made me cry a little inside

[Rude Turnip]

Here is one of the last entries on the Google blacklist:

+http://zeta-os.com/astats/bankofamerica/......... ..

For those not in the know, Zeta-os.com is/was the successor developer to YellowTab, which was developing a new operating system based on the old BeOS code. Now, zeta-os.com (or at least a part of it) has been reduced to a phishing site. *sigh*

Re:This one made me cry a little inside

[jasonwc]

I just loaded http://zeta-os.com/astats/bankofamerica/ [zeta-os.com] on Firefox 2.0.0.1 using Firefox's built-in phishing detector using Google to provide the blacklist ["Check by asking Google about each site I visit" option]. It loaded the site just fine, without any warning.

Re:This one made me cry a little inside

[Rude Turnip]

That's because I truncated the full URL. You have to follow the link in the article to get the whole thing.

Oh, and thanks for modding my little emotional episode as funny, you bastards.

Re:

[jasonwc]

This time I entered the full URL [http://zeta-os.com/astats/bankofamerica/online_b o fa_banking/e-online-banking/index.htm], and I did receive the warning message. However, the page that loaded was a harmless 404 Not Found page.

Google only blocklisted that particular URL what pointed to "bankofamerica/online_bofa_banking/e-online-bankin g/index.htm", so it should have no affect on legitimate usage of the site. Anyways, I can't see a legitimate reason why a site dedicated to software development would have "b

Re:

[nschubach]

Oh, and thanks for modding my little emotional episode as funny, you bastards.

Your supposed to enjoy the mod points even if they don't fit the mood or your intentions. It's kind of like getting a money from a pimp. At least your UserID isn't WienerPizza. :rolleyes:

Re:

[Storlek]

You don't get points for funny.

Re:

[Tim C]

A couple of weeks ago a work mate of mine visited a phishing site he got a scam email about, and filled the form in with a load of bogus data (to help poison their database). It wasn't until after he'd submitted the form that google warned him that the site was a suspected phishing site...

Re:

[AndrewNeo]

I once got mail pointing to a phishing page on a school's website. Never know where those things are going to pop up..

Re:

[partenon]

I couldn't access the page:

Access Denied (content_filter_denied)

RESTRICTED ! -- You have attempted to access a restricted site. This restriction is to prevent you from inadvertently bringing offensive/non-business related material into the workplace.

Seems somebody else is thinking it's phishing :-)

Someone should start an "anti-spam"...

[PurifyYourMind]

...that blasts people with security information/education.

Re:

[FirienFirien]

Unfortunately that would just be confused with the anti-spam spam we already get. Just like the popups advertising popup blockers.

Google's not keeping up

[Jonnty]

Judging by the huge proportion of the blacklisted sites that are offline (and the tiny fraction that are actually phishing sites) it seems Google isn't taking this seriously enough. There is much, much more than 341 phishing sites in the world. This list should be being updated daily, they should start a way for suggesting sites or, if it exists, make it more visible.

For the only external blacklisting organisation on Firefox, and as the provider for possibly the most widely used toolbar ever, they're not taking this seriously enough. But would any security company come in with a better free blacklist?

Re:Google's not keeping up

[GigsVT]

They don't have to do this at all.

Any way to suggest sites would be gamed and abused. There are thousands of people in the "search engine optimization" "industry" that are total sleeze.

Re:

[Nasarius]

Any way to suggest sites would be gamed and abused.

How? How is a tool that allows you to submit URLs for review possible to abuse, aside from simple flooding?

Re:

[Anpheus]

Flooding.

No, really. Google is a big target. Right now, for SEO's, it's a big albeit moving target. That makes work harder for them. If Google opens up a suggestion system expect it to be shut down rather quickly for flooding.

Re:

[Tim C]

That's simple to abuse. If there really is a human sat there reviewing submitted URLs, then you just DoS it, by flooding it with far more submissions than it's possible to review.

If it's an automatic, "X hits and you're blacklisted" type system, then zombie PC networks will be submitting URLs and getting legitimate sites blacklisted - sure, you probably won't be able to do that to a large, well known site, but there are millions of sites that would be vulnerable.

It's a nice idea, but I personally think that

Re:

[Ravadill]

In the comments section it's mentioned that the Encoded/Hashed blacklist is larger and more frequently updated than the plain text one.
I assume to prevent phishers using a live plain text list to know when they have been found.

Re:

[hotdiggitydawg]

they should start a way for suggesting sites or, if it exists, make it more visible.

You mean, like this page [google.com]?

Or, the "Help --> Report Web Forgery" menu in Firefox?

Or, the "Report phishing" option in the dropdown menu in Gmail?

How exactly to you think they should improve availability of this function?

Re:

[Marauder2]

they should start a way for suggesting sites

...

For the only external blacklisting organisation on Firefox, and as the provider for possibly the most widely used toolbar ever, they're not taking this seriously enough.

Something like http://www.google.com/safebrowsing/report_phish/ [google.com] perhaps? Or within Firefox 2.x, Help -> Report Web Forgery?

If you think they need help, (they do) then grab the links from those pfishing emails and report them.

Re:

[simstick]

I use the phishtank plugin for firefox. And when I have a minute I jump on and rate some submitted phishes. One thing I disagree on is if a site is offline already people vote it as a not phish. I say if they are trying they need to be rated bad to build a history.

Here is a site that has a lot of IPs

[VGfort]

Banned IP Address [glodev.com] - a lot of them are spammers or fake bots that will look around your website and fill your forms in the attempt to spam you or your forums/blog or whatever else you might have

Pollute the phishing sites

[thewils]

Go there and put in false information. Make it harder for them to get valid data.

Re:Pollute the phishing sites

[speculatrix]

mod parent up!

I do this when I have time... ensure you use what look like valid entries for bank a/c and pin values.

I also enter things like "f**k you spammer" into the name fields, so that when they go through to test the captured data, they get to see my opinion of them (yeah, relatively useless I know, but I get tiny twinge of pleasure at the thought)

Re:

[gsslay]

I also enter things like "f**k you spammer" into the name fields

Doesn't that negate the whole point of polluting the data with what look like valid bank accounts etc? Far better to have a completely fake name to go with the fake account. Let them waste their time attempting to use it.

I don't visit phishing sites, even though I'd love to mess with them this way. I know I have up-to-date virus and malware protection, but why risk visiting a site that you know is more than likely going to attempt to infec

Re:

[speculatrix]

erm, I use firefox, and I run linux.. so I presume you are still living in the darkside :-P

Re:Pollute the phishing sites

[mindriot]

Well, I wouldn't write "f**k you spammer" or anything like that, it makes your entries distinguishable. If you want to ensure having a correct credit card number (except for the CVV code, bug the phisher couldn't verify those directly anyway), you could use something like this quick dirty hack I wrote up a few months ago to spam a phishing site using simple wget queries. To read up on the format of valid credit card numbers, see for instance this article on the anatomy of credit card numbers [merriampark.com]. The following code worked for me to create numbers that were accepted by a phishing site I spammed:

my $cc = substr("000000" . int(rand(1000000)), -6); # Any format

# Add 9 digits for the account number
$cc .= int(rand(900000000))+100000000;

# Check digit: Luhn Code
my $checknum = 0;
for (my $j = 0; $j < length($cc); $j++) {
my $val = substr($cc, $j, 1);
if ($j % 2 == 0) {
# These will be doubled
my $v = 2*$val;
$v -= 9 if ($v > 9);
$checknum += $v;
} else {
# These will just be added normally
$checknum += $val;
}
}
# The last digit should add up to a multiple of 10
$cc .= ($checknum%10 != 0)?(10-($checknum%10)):'0';

# Output an expiration date (arbitrary, 2007..2015)
my $month = int(rand(12))+1;
my $year = qw(2007 2008 2009 2010 2011 2012 2013 2014 2015)[int(rand(9))];

# Random CVV2 code
my $cvv = substr("000" . int(rand(1000)), -3);

Re:

[blacknblu]

I have been reading on this lately, and found some products to poison spambots [spamlinks.net]. The site itself (http://spamlinks.net/ [spamlinks.net]) is very informative, and gives some pretty good tips/techniques for combating spam.

Check out the whitelist

[tecker]

Either Google is really paranoid or they have yet to find a site to put on the whitelist that was linked to.

See for yourself what I mean [google.com] Nothing there.

What?

[8ball629]

I tried signing into one of the listed Geocities site and nothing happened... what gives?

You mean to tell me this [geocities.com] is not a legit Yahoo Photos gateway?!

Interesting example for URL redirection

[mdemeny]

URL Redirection

Another surprising finding was that few of the phishing scams utilized open URL redirectors. This is a known technique whereby phishers identify redirection functionality at a popular website (e.g. Google) and use that functionality to redirect the victim to the targeted phishing site in order to minimize suspicion. Combing through the blacklist did however reveal the following redirection attack using Google AdWords: http://www.google.com/pagead/iclk?sa=l&ai=x&adurl= http://www.s [google.com]

Good help for fishing actually ...

[perenaurel]

from: a post on full-disclosure [derkeiler.com]:

I just played around a bit with those lists and as it seems,
Google did a splendid job, even capturing some people's login data.
Like here:
http://sb.google.com/safebrowsing/update?version=g oog-black-url:1:7753 [google.com]

Regards,
J.M.
Professional Lurker

Google have fixed this link now but that was funny, most of the logins/passwords were for gmail accounts...

Biased

[vegardh]

This blurb is horribly biased, using ! and "amusingly" and "you guessed it". Google don't own any properties like Geocities, and don't have that problem. Yahoo! have several people weeding out scam stuff all day long.

Re:

[Pyrusj]

Actually, Google does host sites via Googlepages. Granted, it's still in beta, but then so (still) is Gmail...

Google blacklist

[ituloy angsulong]

At least Google made efforts to weed out these sites. http://www.ituloyangsulong.org/ [ituloyangsulong.org]

BOA came in right now!

[Rick Richardson]

Date: Fri, 05 Jan 2007 12:44:23 +0000
From: Bank of America
Subject: Secure SSL server update

[-- text/html is unsupported (use 'v' to view this part) --]

(a) Known for years and (b) not just Yahoo

[Arrogant-Bastard]

A. This problem has been discussed in depth on various
anti-spam mailng lists and newsgroups for many years.
This long-standing problem has been steadfastly ignored
by Yahoo, who went so far as to dismiss the key people
on their own abuse staff when they tried to address it.

As a consequence, it's now a better-than-even bet
that any site hosted by Yahoo belongs to a spammer,
phisher, spyware injector, child pornographer, scammer
or other lowlife. My own meager list of Yahoo-hosted
dropboxes for such stands at 26,831 this morning and
those are just the ones that brought themselves to
my attention, i.e. I'm passively noting them and not
actively searching them out.

As a result, Yahoo is one of the biggest spam-sending
and spam-supporting operations on the entire Internet.
(Oh, and Geocities is now completely infested. Rejecting
all inbound mail [except anti-spam discussions] that contains
a Geocities URL is a surprising effective tactic.)

B. They're not alone. For instance, MSN BCentral should
be renamed MSN SpamCentral -- it's just as bad. And Hotmail
cheerfully hosts spammer dropboxes by the tens of thousands.

There are others, but what makes these two particularly
annoying is that they make a public show of being anti-spam
by promoting snake-oil like SenderID and DomainKeys, both
of which are worthless. (If it isn't obvious why, then think
about the hundreds of millions of zombies -- hijacked Windows
systems -- out there and consider that their new masters
have possession of all email credentials belonging to their
former owners -- from POP passwords to PGP keys. It is not
possible to solve the forgery problem -- for any useful
definition of "solve" -- without solving this problem first.
Good luck. This same thing applies to SPF and variants, by
the way, all of which are complete failures.)

Another thing that distinguishes them is the absolutely
irresponsible, totally clueless way in which abuse reports
are handled. Most seem to disappear into black holes. The
majority of the rest are returned with semi-literate denials
that the abuse has any connection with their operation -- even
when their own IP address are clearly the source. If you'd
like to browse a huge number of examples of this, go to
Usenet's news.admin.net-abuse.email and search for
"Yahoo clueless" or "Hotmail clueless". Make coffee first.

The bottom line is that both of these services are huge abuse
magnets and have been for years, so I find it curious that
yet another report of the same old thing is deemed noteworthy.

ReGoogle ReSearch

[Doc Ruby]

How does Google monitor these sites for content updates to update the Google index? Does Google offer the public (or private subscribers) a way to register a website or URL to be polled ongoing? Notification that it's changed? Web services offering "uptime" monitors seem to do this, as does apparently Google News. Can mere mortals access the feature?

www.microsoft.com, www.msn.com ...

[peter303]

Hmm, looks suspicious to me.

yahoo phishing site

[TheCybernator]

i went to mail.yahoo.com and they asked my name and password. i am smart and i fooled them by giving my gmail password.

Linking to original site

[aegl]

"The pages are generally exact replicas of the original web page and generally pull graphics (*.jpg, *.gif, etc.) from the legitimate web site."

The owners of the original sites should regularly rename the real image files, and replace the old files with images that would help inform the potential victim that they were on a scam site.

Next step is that the phishers no longer link to the image files, but copy them instead ... but this gives the real site owner another legal tool (copyright infringement) to