How Well Do Businesses Respond to Phishing Reports?
FuzzyDaddy asks: "When I receive a phishing email which I find has some new or interesting technique, I will usually forward it to the appropriate abuse department. I recently got one concerning 'my' PayPal account (surprising, since I don't have one), which I forwarded to abuse@paypal.com. I received an automated reply telling me to 'please direct all customer service inquiries through our website.' I didn't have time to do that, so I let it go. Is PayPal being irresponsible here? Have others on Slashdot been satisfied with their attempts to report phishing?"
PayPal does have an e-mail address to forward them to; it's just not "abuse". Forward the e-mails to spoof@paypal.com. They actually do take these pretty seriously.
What I like to do until the site gets taken down is to fill out their form with bogus information, then after submitting it, hit the refresh button. It'll ask me if I want to submit the form again, and I'll say "yes". I'll just sit there for a while hitting F5 and enter just to fill their results with bogus crap.
I know a lot of people actually fall for them. I always tell them that the surefire way to tell if it's a spoof is to put a fake username/password in when prompted. Not only do they then get fake information, but if it gets accepted, you know that the site is fake. I've gotten my whole family to start doing this after my sister fell for one.
Fake Email/Website (Spoof, Phishing)
PayPal, eBay, Amazon, etc. all have pretty good security centres. I am surprised that abuse@paypal.com gave that automated reply, but if you visit their website the security centre is pretty easy to find. You might not get a personalised response to your report because they get so darn many reports, but they do follow through on all reports.
You could always report it to CERT (US Computer Emergency Readiness Team) or the FBI's Internet Crime Complaint Center.
PayPal's been dropping anything that comes to abuse@, which is not only an RFC violation (and there's a DNSBL of those), but is part of a slow trend of ISPs and other similar service providers to kill off abuse@ and postmaster@.
--
# Canmephians for a better Linux Kernel
$Stalag99{"URL"}="http://stalag99.net";
About half of all banks that send legitimate e-mail send it from a host they don't have their domain name on, in my experience. I don't have a bank message in my current inbox but Discover Card, for example, sends e-mail from arm149.bigfootinteractive.com. The bigfootinteractive.com web site (which I believe is legitimate) says it's a "leading provider of strategic, ROI-focused email communications solutions."
Actual banks, credit unions, etc. use similar e-mail outsourcing. The messages that give me short https URLs are useful in some cases. But mostly they give http URLs to the bank's web site, or worse, http URLs to a legitimate but different domain (such as a domain ending in ".m0.net").
I recently received a phishing mail pretending to be from Halifax (a UK bank). I clicked the link and it worked, so I forwarded the mail to the address (onlineemailinvestigations@hbosplc.com) listed on their real web site. I've done this before and got the usual instant form response, but this time I got that and a bounce message saying that my message could not be delivered to HBOSfeed@cyota.com. Cyota appears to be a company which banks outsource their phishing responsibilities to.
I figured this was just a misconfiguration somewhere, so I tried mailing postmaster@cyota.com and that bounced too, so I think I then filled in the Contact Us form on their web site (I'm not certain if I got round to doing it, but I think I did). Next time a phishing e-mail came I forwarded it as usual, but I got the same bounce, so this time I tried mailing postmaster@hbosplc.com. This one didn't bounce, so I figured someone was sorting it out.
Then yesterday another phishing e-mail came, so I forwarded it to the designated address again and got the same bounce again. Now I'm out of ideas, but to answer the original poster's question: in the case of Halifax and Cyota, I'd say, "not very".
Often the phishers will pull images off the real site to save bandwidth; referrer detection can stop this, but last I knew PayPal never bothered to implement that.
Snowden and Manning are heroes.
Just before I started working at my current job, our webserver was hacked and used as an eBay phishing site. It didn't take long before our offices were getting personal calls from agents at the FBI and urgent contact from the ISP who runs our node.
Suffice it to say we took action ASAP. I have a feeling they would have forced us to do something about it if we dragged our feet. I'm assuming they do the same for other reports they receive.
-Ryan
AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
Reports directly to PayPal and eBay are handled by those companies directly. Our reports, or rather your reports, do make a huge difference. I say "your reports" because I head the abuse department for a large webhost. We deal directly with eBay, PayPal, AOL, and more on abuse issues. Banks tend to outsource if they are US banks, whereas EU banks tend to outsource. Reports that are CC'd to the webhost are acted on very quickly. To properly report a phishing scam, the following information, while seemingly common sense, helps greatly:
1. Full headers from the email
2. The IP and hostname of the server
Always CC the webhost on your reports, as we take these reports very seriously. I cannot say what host I work for, for the usual reasons, but we actively check for phishing as well. We run scripts to check for phishing sites, and we scan outbound email for URLs containing the names of the most common phished entities.
Here is a list of the companies we have dealt directly with in recent days:
1. AOL
2. PayPal
3. eBay
4. Verisign
There are more but with the security measures we have implemented we generally do not have to deal with a lot of phishing.
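As an added example (not code from the thread or from any of the companies named), here is a small Python triage script for the report format the poster asks for: it pulls the originating IP from the Received: chain and flags URLs whose hostname mentions a phished brand but sits outside that brand's real domain, the same kind of name check the poster says the webhost runs on outbound mail. The brand-to-domain mapping and the sample message are constructed for this example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Brands the thread names as commonly phished, mapped to the domain each really uses.
# The mapping is an assumption made for this example, not an authoritative allowlist.
BRAND_DOMAINS = {"paypal": {"paypal.com"}, "ebay": {"ebay.com"}, "aol": {"aol.com"}}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def under_domain(host, domain):
    # The domain itself or a true subdomain; "paypal.com.evil.example" does not qualify.
    return host == domain or host.endswith("." + domain)

def suspicious_urls(text):
    """URLs whose hostname mentions a watched brand but is not under its real domain."""
    hits = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        for brand, domains in BRAND_DOMAINS.items():
            if brand in host and not any(under_domain(host, d) for d in domains):
                hits.append((brand, host, url))
    return hits

def received_ips(msg):
    """First IPv4 literal per Received: header, top (nearest us) to bottom (nearest sender)."""
    return [m.group(0) for m in (IPV4_RE.search(str(h)) for h in msg.get_all("Received", [])) if m]

def triage(raw):
    """What an abuse report needs: the originating hop and the hostnames to report to their host."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    ips = received_ips(msg)
    return {"origin_ip": ips[-1] if ips else None, "suspicious": suspicious_urls(text)}

# Constructed sample using RFC 5737 documentation addresses; not a real phishing message.
SAMPLE = """\
Received: from mail.example-isp.test ([203.0.113.5]) by mx.recipient.test with ESMTP; Mon, 1 Jan 2007 10:00:00 +0000
Received: from [198.51.100.42] (helo=secure-login.example) by mail.example-isp.test with SMTP; Mon, 1 Jan 2007 09:59:00 +0000
From: "PayPal" <service@paypal.com>
Content-Type: text/plain

Please confirm your details at http://www.paypal.com.secure-login.example/cgi-bin/webscr
Our real help page is https://www.paypal.com/help
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A legitimate mailer on an unrelated domain (the outsourced senders described earlier in the thread) is not caught by this name check, so treat it as a first pass, not a verdict.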