View Full Version : In Praise of Phish Fighters

2007-02-01, 00:34

- http://blog.washingtonpost.com/securityfix/2007/01/in_praise_of_the_phish_fighter.html
January 31, 2007 ~ "...February marks the 5th anniversary of CastleCops.com -- an all-volunteer led forum that has morphed from a place where people can diagnose security problems with their PCs into one of the most active phish fighting forums -- and the group is releasing some interesting data to highlight its accomplishments. The online help forum is the public face of CastleCops, but the group has made a greater impact on consumer security and privacy through its Phishing Incident Response Team (PIRT). The team shares with law enforcement real-time data that could help bring the phishers to justice, along with financial information stolen from consumers... CastleCops' PIRT began sharing its phishing data with federal law enforcement agencies in June 2006. Since then, the group has intercepted stolen data from roughly 450 distinct phishing scams. If we conservatively assume that the average credit card has a balance limit of $500 and that the average phishing scam nets about 100 victims, CastleCops has prevented more than $22 million worth of fraudulent credit card charges since the middle of last year..."


2007-02-01, 20:54

More phish than viruses now... per MessageLabs
- http://preview.tinyurl.com/2sa89n
Monthly Report: January 2007 ~ "Top line results of this report include:
Spam 75.8% in January (an increase of 1.5% since December)
Viruses One in 119.9 emails in January contained malware (an increase of 0.08% since December)
Phishing One in 93.3 emails comprised a phishing attack (an increase of 0.55% since December)
For the first time, MessageLabs noted that the proportion of phishing attacks in email has now overtaken the threat from virus or Trojan attacks..."

:spider: :fear:

2007-02-17, 23:28
Castlecops DDoS in progress again...

It appears the bad boys are in action again.
> http://castlecops.com/modules.php?name=Forums

Message times out to:
"Site Temporarily Unavailable.
Sorry, the site you requested is currently unavailable. It will be available as soon as possible. Please try again later.
Generated Sat, 17 Feb 2007 02:22:16 GMT by Prolexic.com (SI4.PHX1/4.0) -and-
Generated Sat, 17 Feb 2007 21:22:12 GMT by Prolexic.com (SI4.PHX1/2.0)"

...and it looks like http://prolexic.com isn't able to fight it off, so it may be awhile.


2007-02-18, 05:26
They're baacckk... (response times a bit on the slow side, but do-able):

> http://www.castlecops.com/postlite180320-.html
Posted: Sat Feb 17, 2007 9:58 pm Post subject: CastleCops under DDoS


2007-02-19, 18:18
Without getting into any details specific to the Castlecops attack, to clarify the post, if you are getting that error from Prolexic, it generally means that our systems are having issues reaching the hosting servers themselves. This can be for several reasons, but generally means that the servers are down or that there is a problem with the network connectivity between us, not that Prolexic is having issues mitigating the attack.

Matt Wilson
Prolexic Technologies

2007-02-20, 19:45
In the news at The Register:

- http://www.theregister.com/2007/02/20/castlecops_ddos/
20 February 2007 ~ "...The motives of the attack are unclear, though it's reasonable to assume the phishing fraudsters or malware authors, who have most to gain from the inavailability of Castecop's website, are the likely perpetrators. Castlecops has become the latest target in a string of attacks targeting organisations looking to frustrate the efforts of phishing fraudsters, spammers, or other internet pond life. Veteran spam fighter Spamhaus suffered a denial of service attack last September, for example, while an attack by a rogue spammer brought down anti-spam firm Blue Security in April 2006. According to Blue Security, a renegade Russian language speaking spammer known as PharmaMaster succeeded in bribing a staff member at a top-tier ISP into black-holing Blue Security's former IP address at internet backbone routers."


2007-02-21, 00:53

- http://www.castlecops.com/article-topic-1.html

Another 933Mb/s DDoS on CastleCops
Posted by Paul on Tuesday, 20 February 2007 @ 23:16:18 UTC
"We will not be silenced! Here is a current MRTG chart showing about two hours ago we had a 933Mb/s spike DDoS, while a 44Mb/s is now consistent. Someone isn't happy we're up and running."

Near 1Gb/s DDoS on CastleCops
Posted by Paul on Monday, 19 February 2007 @ 21:31:23 UTC
"Not much for details at the moment, however, here is an mrtg chart from yesterday showing an almost full 1Gb/s attack against CastleCops. We shall prevail!"

(Charts available at the URL above.)


2007-02-23, 23:42

- http://blog.washingtonpost.com/securityfix/2007/02/spammers_declare_war_on_antisc.html
February 23, 2007 ~ "Spammers have been attacking and threatening several of the groups and individuals who have been performing some of the most important work in hobbling online scams, spam and computer viruses. The SANS Internet Storm Center on Thursday found a piece of malicious code (called "sans.exe") designed to update a group of several thousand infected computers that SANS has been monitoring. The code includes text strings that suggest an attack on the center if two of its crime fighters don't stop interfering with his money-making spam operations... The Web sites for CastleCops* - an all-volunteer, online scam fighting community - also have been under a consistent denial-of-service attack for the past couple of weeks..."
(Well, maybe not "weeks", but "days" for certain.)
* http://www.castlecops.com/article-topic-1.html

Backup/emergency URL for ISC
(per: http://isc.sans.org/diary.html?storyid=2292
Last Updated: 2007-02-23 04:53:15 UTC)
> http://iscems.dshield.org/index.txt