Monday, August 18, 2008

Re: [asterisk-biz] Fraud. (here we go again)

I think it is less of a known proxy, sysadmin, or misconfigured machine
issue and more of a compromised system, zombie issue.

I know last Tuesday was a HUGE M$ "Patch Tuesday". I'm not sure if any of
those exploits could be used for proxy or port redirection, but if not
directly, they can probably be used to open a hole big enough to drive
a truck into, let alone remote execution of a little bit of code to
insert such a hidden service.

http://news.cnet.com/8301-1009_3-10015517-83.html?hhTest=1&part=rss&subj=news&tag=2547-1_3-0-20

Not to mention all the bootleg copies of Windows that will not be able
to update and those that just won't bother.

We are not even talking about malware, worms, or viruses here, which is
what most people fear and feel "protected" against, even allowing their emails
to append some nonsense about being "scanned and virus free". So was
SubSeven, or basically any new virus, at zero hour.

http://blog.wired.com/27bstroke6/2008/04/zombie-computer.html

Anyway, on to how to combat it. I think the only real way is to have
human intervention. A phone call to speak with the card holder would
probably cut it back drastically.

I think it was Gafachi that sent me a credit card authorization form
via snail mail which I thought was strange at the time but obviously
prudent with rampant fraud. This way they verify the mailing address
to some degree, get a signature, and have some paper trail. While it
could still be fraudulent, I think most would be eliminated. There
are easier targets, and with the explanation about fighting fraud along
with the snail mail authorization form, I would totally understand.

Thanks,
Steve Totaro

On Mon, Aug 18, 2008 at 6:52 PM, Nitzan Kon <nk3569@yahoo.com> wrote:
> Thanks for the reply Igor. :)
>
> I googled a little bit, and I don't see keeping lists as a viable
> option. There is basically an infinite number of proxies out there,
> so it is impossible to block them all until after the fact. :(
>
> What I am going to try is to write something inside my payment
> modules to try and connect to common proxy ports on the REMOTE_ADDR,
> and if it was able to connect to, say, port 80, make a note on the IP
> address that it is most likely a proxy.
>
> The code is pretty simple, but the side effect is a delay in serving
> the page while the ports are being tried. I set it to a timeout of 1
> second for each port to avoid this as much as possible, but we'll see
> how well this works...
>
> Also, it is possible that some proxies use non-common ports, or
> are not open to the public, in which case this approach will fail.
>
> I'll let you all know the results after we have tested it for a while...
>
> Thanks,
>
> -- Nitzan
>
> --- On Mon, 8/18/08, emist <emistz@gmail.com> wrote:
>
>> From: emist <emistz@gmail.com>
>> Subject: Re: [asterisk-biz] Fraud. (here we go again)
>> To: nk3569@yahoo.com, "Commercial and Business-Oriented Asterisk Discussion" <asterisk-biz@lists.digium.com>
>> Date: Monday, August 18, 2008, 6:06 PM
>> Hello Nitzan,
>>
>> As to how they do it, it's not very hard to proxy HTTP requests (or any
>> other request for that matter). There are plenty of publicly available
>> proxy servers as well as servers that aren't intended to be used by the
>> public but due to the sysadmin's misconfiguration are open to the
>> outside world. Most modern browsers can be configured to use proxy
>> servers directly, and tools exist such as proxychains that let you proxy
>> pretty much any type of traffic through SOCKS proxies.
>>
>> As to how to stop it... that's sort of a hard question. Maybe you could
>> find sites with public proxy listings and write a script to flag any
>> deposits made from any of the IPs listed, but this won't help against
>> non-publicly disclosed proxies.
>>
>> Regards,
>>
>> Igor H.
>>
>> Nitzan Kon wrote:
>> > Hi list! :)
>> >
>> > We've been hit by a guy in Vietnam who's creating accounts with
>> > stolen American credit cards. Usually they are really easy to stop,
>> > but this guy is matching the IP address to the credit card address.
>> >
>> > Anyone know how they do that? I am 100% sure they are located in
>> > Vietnam as their SIP IP address is 222.252.42.118. So somehow they
>> > go through a proxy or something to fake the IP location. Any idea
>> > how they do that - and more importantly - how to stop that on a
>> > systematic level?
>> >
>> > Thanks!
>> >
>> > --
>> > Nitzan Kon, CEO
>> > Future Nine Corporation
>> > www.future-nine.com
>> >
>> > _______________________________________________
>> > --Bandwidth and Colocation Provided by http://www.api-digital.com--
>> >
>> > AstriCon 2008 - September 22 - 25 Phoenix, Arizona
>> > Register Now: http://www.astricon.net
>> >
>> > asterisk-biz mailing list
>> > To UNSUBSCRIBE or update options visit:
>> > http://lists.digium.com/mailman/listinfo/asterisk-biz
>> >
>

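The two detection ideas in the quoted replies, Igor's "flag deposits from addresses on a public proxy listing" and Nitzan's "try to connect to common proxy ports on the REMOTE_ADDR with a one-second timeout", combined in one added Python example. This is not code from the thread or from Future Nine's payment modules; the port list, the concurrent one-second-per-port timeout, the helper names and the proxy listing are all assumptions, and the listing content is a constructed sample. As both replies note, a proxy on a non-standard port or one that is closed to the public produces no finding, so the result is one risk signal to record against the order, not a verdict.

```python
"""Flag a payment-page client as a likely open proxy (added example).

Signals, as discussed in the thread:
  1. the client address appears on a public proxy listing;
  2. a TCP connect to a common proxy port on the client address succeeds.
The port list, timeout and listing format below are assumptions.
"""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports commonly used by HTTP/SOCKS proxies (assumed list; extend as needed).
COMMON_PROXY_PORTS = (80, 1080, 3128, 8080)

# Constructed sample of a scraped "public proxy listing": one address or
# CIDR per line, '#' comments allowed. Not a real list.
SAMPLE_PROXY_LISTING = """\
# constructed sample, not a real listing
203.0.113.7
198.51.100.0/24
"""


def parse_proxy_listing(text):
    """Return ip_network objects from a listing; malformed lines are skipped."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # one bad line should not disable the whole check
    return nets


def is_listed_proxy(ip, networks):
    """True if ip falls inside any listed address or range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def _port_open(ip, port, timeout):
    """Single TCP connect attempt; refusal or timeout both count as closed."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_proxy_ports(ip, ports=COMMON_PROXY_PORTS, timeout=1.0):
    """Return the ports on ip that accept a TCP connection.

    Ports are tried concurrently, so the page is delayed by about one
    timeout in total instead of one timeout per port (the delay Nitzan
    worried about).
    """
    with ThreadPoolExecutor(max_workers=len(ports)) as pool:
        results = list(pool.map(lambda p: (p, _port_open(ip, p, timeout)), ports))
    return [p for p, is_open in results if is_open]


def classify_client(ip, networks, open_ports):
    """Combine both signals into a list of reasons; empty means no finding."""
    reasons = []
    if is_listed_proxy(ip, networks):
        reasons.append("address appears on proxy listing")
    if open_ports:
        reasons.append("accepts connections on proxy ports %s" % sorted(open_ports))
    return reasons


def start_local_listener():
    """Open a loopback listener on an ephemeral port so the demo runs offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    nets = parse_proxy_listing(SAMPLE_PROXY_LISTING)
    # Offline demo: probe a local listener instead of a real REMOTE_ADDR.
    srv, port = start_local_listener()
    found = probe_proxy_ports("127.0.0.1", ports=(port,), timeout=0.5)
    srv.close()
    print(classify_client("198.51.100.42", nets, found))
```

In a real payment module the probe should run off the request path (queued after the form is accepted) and its reasons stored with the order for manual review, which also keeps the check from being noticed as a page delay.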
