Saturday, June 30, 2007
reporting phishes
If you really want to do something about phishes, don't bother reporting them to your ISP. Millions of people already hit that "this is spam" button. And it's only useful if you do it within a few minutes of your ISP's receiving it.
Instead, open the message source and find the URL of the fake bank site. We call that the payload URL. The whole point of the spam is to get you to go there with a web browser. The fake bank site was created by a dangerous gang of criminals. Don't forget that. Do not visit the URL with a web browser. It probably contains malware and will attack your PC.
Sometimes these are hosted on spammer-friendly ISPs in Eastern Europe or China. Do not report those. But most fake bank or credit union or Paypal sites are hosted on servers that the criminal broke into.
With a little common sense, you can safely figure out where the fake bank site is hosted. Look at the payload URL in the spam message source. You can spot it among the decoys and images because it's the one with "click here" or the domain name of the real bank.
If the payload URL is something like http://www.podunk-realtor.com/images/.hideme/bankofamerica.com/, you can be pretty sure it's a break-in, and the Podunk Realtor and his ISP or web design firm have no idea they are supporting large scale felony fraud. If it's more like http://www.cheaphosting.com/~someguy/bankofamerica.com/, it's probably a shared hosting account at a giant web hosting company, purchased with a stolen credit card. If it's http://www.paypaI.com/ (a subtle misspelling), the hosting company and the Registrar are probably in on it, and there's no point in reporting those. Some web hosting places are so careless that they might as well be in on it.
If it's in eastern Europe or China, leave it to the professionals. Stop here. You do not want to provoke the Russian mafia.
Copy the domain name of the fake bank site out of the message source and trace it (with "tcptraceroute" on unix or "tracert" on MSWindows, or use Samspade.org) to its hosting.
The output of the traceroute starts at your PC (or at Samspade) and shows the route to the fake site. The last item is the compromised server. It may have a domain name that belongs to the ISP, or to one of his customers. With a little practice you'll know which is which at a glance. Look up the IP address in Whois. ISPs generally own their own IP addresses. Even if they don't, it gives you a pretty good clue as to what company owns or controls that end of the route. In the case I called Podunk Realtor, it is probably safe to look at the front page of the Realtor's site with a browser, and find some contact info that way. Look up the domain name on the server, in Whois. That will give you more contact info, of the Podunk Realtor or his ISP or both.
Report the break-in to the owner of the server and his ISP. Out of the hundreds of thousands who received that phish run, you may be the only person to report it properly. Do not include a copy of the spam. That will probably prevent the victim from receiving it. Just tell them the IP address of the compromised server, and the URL you found in the spam.
You can look up contact addresses of a well-run ISP at www.abuse.net. Or just send to abuse@example.net where, of
course, example.net is the ISP's domain name. (If that bounces, report the ignorant ISP to RFC-Ignorant.org.)
Do that with one phish a week and you're doing more than all the times you ever hit "this is spam."
Instead, open the message source and find the URL of the fake bank site. We call that the payload URL. The whole point of the spam is to get you to go there with a web browser. The fake bank site was created by a dangerous gang of criminals. Don't forget that. Do not visit the URL with a web browser. It probably contains malware and will attack your PC.
Sometimes these are hosted on spammer-friendly ISPs in Eastern Europe or China. Do not report those. But most fake bank or credit union or Paypal sites are hosted on servers that the criminal broke into.
With a little common sense, you can safely figure out where the fake bank site is hosted. Look at the payload URL in the spam message source. You can spot it among the decoys and images because it's the one with "click here" or the domain name of the real bank.
If the payload URL is something like http://www.podunk-realtor.com/images/.hideme/bankofamerica.com/, you can be pretty sure it's a break-in, and the Podunk Realtor and his ISP or web design firm have no idea they are supporting large scale felony fraud. If it's more like http://www.cheaphosting.com/~someguy/bankofamerica.com/, it's probably a shared hosting account at a giant web hosting company, purchased with a stolen credit card. If it's http://www.paypaI.com/ (a subtle misspelling), the hosting company and the Registrar are probably in on it, and there's no point in reporting those. Some web hosting places are so careless that they might as well be in on it.
If it's in eastern Europe or China, leave it to the professionals. Stop here. You do not want to provoke the Russian mafia.
Copy the domain name of the fake bank site out of the message source and trace it (with "tcptraceroute" on unix or "tracert" on MSWindows, or use Samspade.org) to its hosting.
The output of the traceroute starts at your PC (or at Samspade) and shows the route to the fake site. The last item is the compromised server. It may have a domain name that belongs to the ISP, or to one of his customers. With a little practice you'll know which is which at a glance. Look up the IP address in Whois. ISPs generally own their own IP addresses. Even if they don't, it gives you a pretty good clue as to what company owns or controls that end of the route. In the case I called Podunk Realtor, it is probably safe to look at the front page of the Realtor's site with a browser, and find some contact info that way. Look up the domain name on the server, in Whois. That will give you more contact info, of the Podunk Realtor or his ISP or both.
Report the break-in to the owner of the server and his ISP. Out of the hundreds of thousands who received that phish run, you may be the only person to report it properly. Do not include a copy of the spam. That will probably prevent the victim from receiving it. Just tell them the IP address of the compromised server, and the URL you found in the spam.
You can look up contact addresses of a well-run ISP at www.abuse.net. Or just send to abuse@example.net where, of
course, example.net is the ISP's domain name. (If that bounces, report the ignorant ISP to RFC-Ignorant.org.)
Do that with one phish a week and you're doing more than all the times you ever hit "this is spam."
Comments:
<< Home
Good stuff Cameron. Thanks for posting this suggestion and "how-to". I'll make the effort to do this from time to time. I just hope I avoid the Russian Mafia through it all. ;-)
Post a Comment
<< Home
