Bayesian Spam Filters Make Phishers More Effective

I use SpamBayes to keep my inboxes virtually spam-free. I’ve also written and tweaked Bayesian filters to solve other problems, but I realized a while back that personal Bayesian spam filters actually help phishers be more effective in their attacks. Stay with me…

Bayesian spam filters need to be trained. You teach the filter what you want to see and what you don’t, and it learns very quickly. I use eBay and PayPal all the time, so I’ve trained SpamBayes to let official-looking eBay and PayPal emails get through to me. Someone else might classify these emails as spam, but I definitely want to get them.

A phisher’s dream is to be able to send emails to the most likely targets. Citibank spoofs would only be sent to Citibank users, eBay spoofs to eBay users, etc. Phishers would get much higher "conversion rates" if they could do this. Luckily for us, they can’t.

But here’s the kicker – a well-trained Bayesian filter makes sure you only see phishing emails for which you are a good target. SpamBayes makes sure I see eBay and PayPal spoofs in my inbox, but it also makes sure I don’t see attacks targeting Bank of America, AOL, SunTrust, etc. So, in a way, I’ve trained my filter to help phishers target me directly.
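The effect described above can be reproduced with a few lines of Python. This is an added example, not code from the original post and not SpamBayes' own scoring algorithm: it is a minimal naive Bayes scorer, and the training messages and the two spoof messages are constructed for illustration.

```python
import math
import re
from collections import Counter

def tokens(text):
    return set(re.findall(r"[a-z]+", text.lower()))

class NaiveBayes:
    def __init__(self):
        self.counts = {"ham": Counter(), "spam": Counter()}
        self.docs = {"ham": 0, "spam": 0}

    def train(self, label, text):
        self.docs[label] += 1
        self.counts[label].update(tokens(text))

    def spam_probability(self, text):
        # Log-odds of spam with add-one smoothing on per-class document frequency.
        log_odds = math.log((self.docs["spam"] + 1) / (self.docs["ham"] + 1))
        for t in tokens(text):
            p_spam = (self.counts["spam"][t] + 1) / (self.docs["spam"] + 2)
            p_ham = (self.counts["ham"][t] + 1) / (self.docs["ham"] + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1 / (1 + math.exp(-log_odds))

# Constructed training set for a user who has eBay and PayPal accounts only.
HAM = ["eBay: your bid on item was confirmed",
       "PayPal receipt for your payment to seller",
       "eBay: you have been outbid on an item",
       "PayPal: your account statement is ready"]
SPAM = ["Bank of America: verify your account online now",
        "SunTrust security alert: confirm your account details",
        "AOL billing: update your password now",
        "Cheap meds online now"]
EBAY_SPOOF = "eBay: your bid was cancelled, login to re-enable your bid"
BANK_SPOOF = "Bank of America: login to verify your account"

def demo():
    nb = NaiveBayes()
    for text in HAM:
        nb.train("ham", text)
    for text in SPAM:
        nb.train("spam", text)
    return nb.spam_probability(EBAY_SPOOF), nb.spam_probability(BANK_SPOOF)

if __name__ == "__main__":
    ebay, bank = demo()
    print(f"eBay spoof spam probability: {ebay:.2f}")
    print(f"Bank spoof spam probability: {bank:.2f}")
```

The spoof that imitates a brand the user trained as wanted scores as ham, while the spoof for a brand the user does not use scores as spam.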

First Graders Use Optimized Insertion Sort

Every other Monday morning, I take Lauren (my first grader) to school and work in her classroom for about an hour. One of the things we do before the other students get there is to assemble homework folders for the week. Lauren’s job is to sort the folders (they are numbered) for the 20 students in her class, and I put the homework packets in the folders. You know you’re a geek when you watch your first grader sort things to see what algorithm she uses.

Turns out she uses a slightly optimized insertion sort — she scans for the smallest item (#1) and moves it to the front, then scans left-to-right looking for #2, etc. Sometimes her scan is optimized because she remembers #5 is near the end, and can jump near it instead of doing a full scan. It’s not the fastest algorithm, but it works just fine for 20 items. I think I’ll wait until 2nd grade to teach her to quicksort 🙂

Hybrid Spoof Sites – AOL and eBay

Most phishing sites replicate the login pages from financial institutions or ecommerce sites… not much creativity there. But we are starting to see more hybrid and creative spoof sites. Here’s a combination eBay/AOL spoof that showed up in my inbox the other day…


The email told me that a bid I’d made on eBay was being cancelled and that I needed to login again to re-enable my bid. 

The spoof site asks for my "AOL Email Password" and some other information, but none of it is especially dangerous. I don’t have an AOL account. Even if I gave them my password, zip code, and birth date, they still wouldn’t have my name, AOL screen name, or anything else of real value. I sent some bogus data to the phisher and was redirected to an actual eBay auction – no two-step phishing site here. Why wouldn’t the phishers ask for more valuable information? Could this be a phishing experiment? Perhaps the next iteration of this attack will be sent only to AOL users and the AOL screen name will be embedded in the URL (or form) so the phisher can connect that to the password.

3 Ways to Make Google Maps Better

I’m directionally challenged in a big way, so I print direction maps all the time. I’ve used MapQuest for years, but Google Maps is my new favorite – big maps, cool UI, good directions.

Google has got this almost perfect, but here are things that could make it even better:

1. Don’t load the full map on the home page

Maps loads a full map of the US whenever it loads. That’s nice when you are playing with Maps for the first time, and want to drill down visually, but it’s a pain to wait for it to load when all I want to do is type in an address and find it.

2. Fix the tab order from the search box


When I search for an address, my fingers want to type in the search box, hit TAB, then ENTER to fire the search (yes, I know I could just hit ENTER without the TAB). This works on the Google home page. But, in Maps, the focus shifts to the Help link, so ENTER launches the help page and I lose my typed search. I’ve opened the help page way too many times.

3. Remember My Starting/Ending Addresses

When I print directions, I’m almost always printing them from home to some location. Maps doesn’t remember what I’ve typed before… so I have to type my address over and over again. Maps should let me choose from a short list of recently typed addresses.

Anyone else have suggestions for Google Maps?






Why Do Folders Start With Dots?

Many phishing sites include a period (.) at the start of a folder name. Here’s a sanitized example:

Why is there a period (.) at the start of the .bank folder? In Unix and Unix-like environments, a period at the start of a folder or file name makes that object a hidden object. When phishers take over machines to host their sites, they’ll often put the site in a hidden directory to minimize the chance that the owner of the box will find it. Apache won’t show the folder in its directory listings, and neither will the ls program (like dir in DOS) unless you use a special command-line parameter (-a).
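A check a server owner can run for the situation described above, as an added example that is not from the original post: it walks a document root and reports dot-directories that ls and directory listings would not show, with a count of the web files inside each. The allow-list, the extension set and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Dot-names expected in a web root (assumption; tune per site).
ALLOWED = {".well-known"}
# File extensions counted as web content (assumption).
WEB_EXT = {".html", ".htm", ".php", ".js", ".css", ".cgi"}

def find_hidden_dirs(docroot, allowed=ALLOWED):
    """Return sorted (relative_path, web_file_count) for each dot-directory."""
    findings = []
    for current, dirs, _files in os.walk(docroot):
        for name in dirs:
            if not name.startswith(".") or name in allowed:
                continue
            full = os.path.join(current, name)
            count = sum(
                1
                for _root, _dirs, files in os.walk(full)
                for f in files
                if os.path.splitext(f)[1].lower() in WEB_EXT
            )
            findings.append((os.path.relpath(full, docroot), count))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample: a normal site plus one hidden folder with a login page."""
    for rel in ("index.html", "images/logo.gif", ".well-known/security.txt",
                "images/.bank/login.html", "images/.bank/verify.php"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_hidden_dirs(root)

if __name__ == "__main__":
    for rel, count in demo():
        print(f"hidden directory: {rel} ({count} web files)")
```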

Wamu Phishing Sites Stale Too

Earlier this week I noted that most PayPal phishing sites are stale – they are based on old versions of the PayPal login page. It seems that most WAMU phishing sites are also stale.

If you take a quick look at the HTML source of the standard WAMU login page, you’ll find some JavaScript that looks like this – it’s pre-populated with today’s date.

var g_dtToday = new Date("03/23/2005");

However, most WAMU phishing sites use a date from 10/29/2004.

var g_dtToday = new Date("10/29/2004");

Why is this significant? The old date (and other timestamp code in the HTML) creates a kind of signature. Either we have a single phisher creating most of the WAMU spoof sites, or someone created a kit that’s being used by multiple phishers.
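One way to turn that signature into a check, as an added example that is not from the original post: extract the embedded g_dtToday date from each fetched page, compare it with the fetch date, and group stale pages by the date they carry. The URLs, sample HTML and the one-day tolerance are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import date, datetime

# Matches the pre-populated date shown in the post's two snippets.
DATE_RE = re.compile(
    r"g_dtToday\s*=\s*new\s+Date\(\s*[\"'](\d{2}/\d{2}/\d{4})[\"']\s*\)"
)

def embedded_date(html):
    """Return the date hard-coded in the page, or None if the marker is absent."""
    m = DATE_RE.search(html)
    return datetime.strptime(m.group(1), "%m/%d/%Y").date() if m else None

def stale_clusters(pages, fetched_on, max_age_days=1):
    """Group URLs whose embedded date is older than the fetch date.

    Pages sharing the same stale date likely came from the same copy of the
    login page, which is the 'signature' the post describes.
    """
    clusters = defaultdict(list)
    for url, html in pages.items():
        found = embedded_date(html)
        if found is not None and (fetched_on - found).days > max_age_days:
            clusters[found.isoformat()].append(url)
    return {sig: sorted(urls) for sig, urls in clusters.items()}

# Constructed sample pages; hostnames are placeholders.
SAMPLE_PAGES = {
    "https://login.bank.example/":
        '<script>var g_dtToday = new Date("03/23/2005");</script>',
    "http://host-a.example/.bank/login.html":
        '<script>var g_dtToday = new Date("10/29/2004");</script>',
    "http://host-b.example/secure/index.htm":
        '<script>var g_dtToday = new Date("10/29/2004");</script>',
    "http://host-c.example/about.html": "<p>no script here</p>",
}

def demo():
    return stale_clusters(SAMPLE_PAGES, fetched_on=date(2005, 3, 23))

if __name__ == "__main__":
    for signature, urls in demo().items():
        print(signature, urls)
```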