That's why blacklisting sucks for phishing. Phishing links can go live and then go down in a matter of hours. By the time a human looks at the fake URL, determines it is a real phishing site, updates the blacklist, pushes out the blacklist and the client downloads the blacklist, it can be more than an hour before a URL is blacklisted. PC Magazine tested Firefox 3's antiphishing (which uses the same Google blacklist as Safari) and it detected only 60% of the attacks.
Anti-spam programs have relied on heuristics for years, so nobody would in their right mind write an anti-spam program that used a blacklist. But anti-phishing still uses blacklists for the most part (not singling out Safari, the other browsers use it too) .
Blacklisting includes your "client" listing. No matter who the hell changes that status, if you have blacklisted the site you should continue to see this as an unsafe site.
Well this clearly demonstrates that Apple isn't taking basic precautions to fight Spam. They should be using reverse DNS lookups, DomainKeys, and SPF
not that any of that would help since it is super easy to put any return address you want in your emails. I could send one out right now that looks like it came from Steve Jobs. or even from Apple saying he's dead.
and it's pretty easy to fake the look of an apple press release if I wanted to.
which is what phishers are counting on. they make it look good and no one thinks twice. they whip out the credit cards and give up the info. or at least they do if they don't stop to think about how they bought that new computer in October and bought mobileme to go with it so there's no way a year has been up
Is by not giving Apple your credit card for MobileMe. If you already have MobileMe, and want to renew it, buy it somewhere else cheaper and then use the code. My credit card they have on file expired and even though my email is the same as my apple ID for iTunes which has
where have you found it cheaper than $99 a year. outside of the discount at an apple store when you are also buying a computer or an iphone
but you are correct that it is safer to go to a retail store where you can pay cash for a new code and add it to your account . just like it is safer to go and buy an itunes gift card and load up your account that way instead of using an on file credit card (or you can do like a friend of mine and buy those prepaid CC gift cards)
Quote:
Originally Posted by retroneo
Well Safari 4 grabs this as a phishing site...
which is great for those that have Safari 4 but keep in mind that that is likely a fraction of folks since most aren't so gutsy about grabbing a beta. and the folks that might fall from such a scam are definitely not the type to grab anything that doesn't pop up in software update (and as i understand it, S4 isn't going to be released until snow leopard hits the shelves or very shortly before)
Blacklisting includes your "client" listing. No matter who the hell changes that status, if you have blacklisted the site you should continue to see this as an unsafe site.
I don't know what you mean. The client has to download the blacklist first which is what takes the longest. There is no blacklisting functionality in Safari, and how would a user know what sites to blacklist anyway? Somebody at Google (well the company they buy their data from) has to blacklist the site, and then the new blacklist has to be pushed out to clients. If you mean people should be more careful about what sites they visit, sure I agree.
not that any of that would help since it is super easy to put any return address you want in your emails. I could send one out right now that looks like it came from Steve Jobs. or even from Apple saying he's dead.
This simply isn't true. The technologies that I listed prevent anyone from doing just that
I don't know what you mean. The client has to download the blacklist first which is what takes the longest. There is no blacklisting functionality in Safari, and how would a user know what sites to blacklist anyway? Somebody at Google (well the company they buy their data from) has to blacklist the site, and then the new blacklist has to be pushed out to clients. If you mean people should be more careful about what sites they visit, sure I agree.
Blacklists with an sqlite3.x database running can periodically be pulled with snapshot changes to keep the clients current.
This sort of option either hasn't been a high priority or never thought inside Apple Systems Engineering.
My question is how would the scam email know the correct renewal date of the person receiving the email? Is it just a random date (which would be a huge clue that the email is fake); or did the spammer get access to that information somehow?
They might be relying on all the confusion last year with renewal dates getting moved. My original renewal date was around October I think - but with the free extensions it actually ended up being in January. plus a message that says your credit card is set to expire could say your account expires in the next 6 months and that would cover 50% of the people who got the message. then if only 10% of those people have a card that is close to expiration (or who do not notice that the card is not close to expiring) then the scammers maybe get 1% or even less - the real question is how small a fraction of a percent of people do they need to fall for it in order for them to make a ton of money on fraudulent charges etc. even 1 tenth of 1 tenth of 1 percent of 1 million fake emails is 100 people.
Comments
That's why blacklisting sucks for phishing. Phishing links can go live and then go down in a matter of hours. By the time a human looks at the fake URL, determines it is a real phishing site, updates the blacklist, pushes out the blacklist and the client downloads the blacklist, it can be more than an hour before a URL is blacklisted. PC Magazine tested Firefox 3's antiphishing (which uses the same Google blacklist as Safari) and it detected only 60% of the attacks.
Anti-spam programs have relied on heuristics for years, so nobody would in their right mind write an anti-spam program that used a blacklist. But anti-phishing still uses blacklists for the most part (not singling out Safari, the other browsers use it too) .
Blacklisting includes your "client" listing. No matter who the hell changes that status, if you have blacklisted the site you should continue to see this as an unsafe site.
Well this clearly demonstrates that Apple isn't taking basic precautions to fight Spam. They should be using reverse DNS lookups, DomainKeys, and SPF
not that any of that would help since it is super easy to put any return address you want in your emails. I could send one out right now that looks like it came from Steve Jobs. or even from Apple saying he's dead.
and it's pretty easy to fake the look of an apple press release if I wanted to.
which is what phishers are counting on. they make it look good and no one thinks twice. they whip out the credit cards and give up the info. or at least they do if they don't stop to think about how they bought that new computer in October and bought mobileme to go with it so there's no way a year has been up
Is by not giving Apple your credit card for MobileMe. If you already have MobileMe, and want to renew it, buy it somewhere else cheaper and then use the code. My credit card they have on file expired and even though my email is the same as my apple ID for iTunes which has
where have you found it cheaper than $99 a year. outside of the discount at an apple store when you are also buying a computer or an iphone
but you are correct that it is safer to go to a retail store where you can pay cash for a new code and add it to your account . just like it is safer to go and buy an itunes gift card and load up your account that way instead of using an on file credit card (or you can do like a friend of mine and buy those prepaid CC gift cards)
Well Safari 4 grabs this as a phishing site...
which is great for those that have Safari 4 but keep in mind that that is likely a fraction of folks since most aren't so gutsy about grabbing a beta. and the folks that might fall from such a scam are definitely not the type to grab anything that doesn't pop up in software update (and as i understand it, S4 isn't going to be released until snow leopard hits the shelves or very shortly before)
Blacklisting includes your "client" listing. No matter who the hell changes that status, if you have blacklisted the site you should continue to see this as an unsafe site.
I don't know what you mean. The client has to download the blacklist first which is what takes the longest. There is no blacklisting functionality in Safari, and how would a user know what sites to blacklist anyway? Somebody at Google (well the company they buy their data from) has to blacklist the site, and then the new blacklist has to be pushed out to clients. If you mean people should be more careful about what sites they visit, sure I agree.
Well Safari 4 grabs this as a phishing site...
But I guess a few people have to get caught out before it gets blacklisted...
But, my point was that the email should never reach the users inbox
not that any of that would help since it is super easy to put any return address you want in your emails. I could send one out right now that looks like it came from Steve Jobs. or even from Apple saying he's dead.
This simply isn't true. The technologies that I listed prevent anyone from doing just that
I don't know what you mean. The client has to download the blacklist first which is what takes the longest. There is no blacklisting functionality in Safari, and how would a user know what sites to blacklist anyway? Somebody at Google (well the company they buy their data from) has to blacklist the site, and then the new blacklist has to be pushed out to clients. If you mean people should be more careful about what sites they visit, sure I agree.
Blacklists with an sqlite3.x database running can periodically be pulled with snapshot changes to keep the clients current.
This sort of option either hasn't been a high priority or never thought inside Apple Systems Engineering.
My question is how would the scam email know the correct renewal date of the person receiving the email? Is it just a random date (which would be a huge clue that the email is fake); or did the spammer get access to that information somehow?
They might be relying on all the confusion last year with renewal dates getting moved. My original renewal date was around October I think - but with the free extensions it actually ended up being in January. plus a message that says your credit card is set to expire could say your account expires in the next 6 months and that would cover 50% of the people who got the message. then if only 10% of those people have a card that is close to expiration (or who do not notice that the card is not close to expiring) then the scammers maybe get 1% or even less - the real question is how small a fraction of a percent of people do they need to fall for it in order for them to make a ton of money on fraudulent charges etc. even 1 tenth of 1 tenth of 1 percent of 1 million fake emails is 100 people.