(See update below.)

An article today on InfoWorld, entitled “Don’t be a phishing vigilante”, casts a bright light on Cyveillance (a firm which does consulting for banks, etc. on security).

The article indirectly slams PIRT, the CastleCops-founded group which does takedown of phishing sites.

While there have been some funny examples of people who have gone to great lengths to hoodwink phishers and other online fraudsters — and some people have even turned the pursuit into a full-time hobby, new research shows that playing games with the cyber-thieves just might not be a good idea.

Note that “full-time hobby” points to Castlecops.

The idea that a group like PIRT is some type of “hobby” is more than false, it’s actually a bit heartbreaking when I think of the thousands of hours of volunteer work done by vetted security professionals at PIRT, who do takedowns every day, and have saved millions of dollars for consumers. People like Gary Warner, who certainly has earned his chops as a security professional. Or Robin and Paul Laudanski, the founders of PIRT, who are both highly regarded Microsoft Security MVPs. While I’m no longer an active part of PIRT, I feel quite protective of the volunteers there — who are amazing given the level of professionalism of their work and the fact that it’s all done out of a passion for helping people (for no monetary gain).

I agree that phishing termination (or even going to a phishing site) should only be done by people who know what they’re doing. There is a real danger in going to these sites, because of exploits and malware. But to put a broad stroke on it only serves the for-profit vendor highlighted in this blog.

I have a lot of respect for Cyveillance, as well as the article’s authors, Victor Garza and Matt Hines. Hopefully, this is only a misunderstanding.

Feel free to post your comments on their blog.

Alex Eckelberry


Got this from our friends at Cyveillance (edited for brevity):

The interview focused on individual consumers who find it humorous to provide bogus information to phishing sites…The point of the story was that these individuals could actually expose themselves to malware simply by accessing the site.

Cyveillance strongly supports the role of CastleCops in the battle against phishing and online crime.

And Matt Hines posts a nice clarification on his blog:

OK, I’ve been getting some feedback re the link to CastleCops and feel the need to clarify a bit.

I really only included the link to their site because they’re the best example of an organized group going about this sort of infiltration and takedown approach to fighting phishing.

To be fair, it is far from a “hobbyist” operation. More like it is made up of real IT sec pros who want to help take out some of the baddies in their free time, which is a really cool effort in general.

The post itself was aimed more at individual consumers who seem to feel that they can frustrate the phishers by filling out their forms with curses and the like, but who are getting infected by drive-bys (as highlighted in the advice/research of Cyveillance).

My intent was not at all to discourage CastleCops or take anything away from what they do, I personally think it is a really admirable and cool thing that they do... so, I’m pulling the link and apologize to any of the fine people involved with CastleCops, again, my intent was not to detract from or discourage their efforts (or imply that Cyveillance had done so).

Thanks, and sorry for the confusion! (it’s good to know people are actually clicking on those links though!)

Rock on CastleCops!

Matt Hines

Looks like we’re all good now. And thanks to Cyveillance and Matt Hines for the clarifications!