Slashdot Mirror


How Well Do Businesses Respond to Phishing Reports?

FuzzyDaddy asks: "When I receive a phishing email, which I find has some new or interesting technique, I will usually forward it to the appropriate abuse department. I recently got one concerning 'my' paypal account (surprising, since I don't have one), which I forwarded to abuse@paypal.com. I received an automated reply telling me to 'please direct all customer service inquiries through our website.' I didn't have time to do that, so I let it go. Is paypal being irresponsible, here? Have others on Slashdot been satisfied with their attempts to report Phishing?"

9 of 90 comments

  1. Re:Bank of America by Just+Some+Guy · · Score: 1, Insightful
    What stopped me was that the feedback form required me to submit my email address with the feedback and the feedback page's EULA had something like this in there: "we might use your address to send occasional information about our services".

    Boy, that's a tough break. If only there were some technological method that would allow you to put a fake email address in the form, or some free webbased email account you could sign up for and then discard immediately afterward.

    No, sir, once they outlawed Hotmail and made it physically impossible to type "root@localhost" into web forms, the terrorists won.

    --
    Dewey, what part of this looks like authorities should be involved?
  2. Considered sending paper mail? by Michael+Spencer+Jr. · · Score: 2, Insightful

    The original poster asked about experiences with other companies.

    Personally, I feel email is not a reliable way to make first contact with someone, unless you have some arrangement made with them in advance. While email sent to abuse@ and postmaster@ should always be read by a live person, many spammers send bulk email to abuse@ and postmaster@ addresses. Any published email address is likely to receive a large number of unwanted email messages, and anyone who reads mail at that address must spend extra time removing unwanted messages. Sometimes important messages are deleted or ignored by mistake.

    Some companies ask to be contacted by email. They might publish a customer service email address on their web site, or publish a 'Contact Us' page which lists email addresses which can best handle different kinds of issues.

    If you just guess an email address, or if you send mail to a published address where the recipient hasn't requested your email, I don't think you can assume your email will always be read, or that you can fairly call a company irresponsible for failing to read your unsolicited email.

    Phone calls, faxes, and paper mail require more effort than an email message. If a company doesn't respond to an email message, but you really are interested in helping them find this web site, it might be worthwhile to look up their fax number or mailing address, and contact them that way. If you don't really want to help them, you don't have to. It's completely optional.

  3. Why bother? by cdrguru · · Score: 2, Insightful

    Do you believe there is anything that a company that is the target of a phishing attack can do? Let's see here, someone signs up for a hosting account and the hosting company is under legal obligation to protect the identity of their customer. If that hosting company is in a different country than the target, then without international police cooperation, you aren't going to get anywhere. No court is going to force a hosting company to disclose the identity of someone that might be either the perpetrator or a victim.

    So, your helpful report (along with a few thousand others) is likely to be met with either silence or open rejection. There isn't much they can do, and it is unlikely they can do much for the fools that fall for such scams. If you believe your bank is going to send you email from a host they don't have their domain name on, you will believe anything. Moreover, these days if you think your bank is going to send you email at all you are being silly. They already figured out that email is useless given the density of spam.

    The problem is the target is helpless. It is up to people to stop responding to this stuff. If we aren't going to go after the people that send this out, what do you want the target to do?

    1. Re:Why bother? by FuzzyDaddy · · Score: 2, Insightful
      It is up to people to stop responding to this stuff.

      Here's where I'd draw an analogy to the credit card business. Credit card companies did not use to be liable for fraud, and did very little to protect people from it. In fact, they would do things that were very insecure (like sending out live, unsolicited credit cards to people, that would get intercepted and used by thieves.) It was a huge problem, and it was eventually solved by Congress limiting individuals' liability in credit card fraud cases to $50. Suddenly, the credit industry had a huge incentive to fix the problem, and it is much better than it used to be.

      If the companies involved take a "what can we do?" approach (which I don't think they are doing at the moment), then the entire credibility of their online business is going to suffer, to their and everyone else's ultimate detriment. The rational customer response to getting Phished out of their Paypal information is to stop using Paypal.

      So what can they do? If a website is in the process of committing fraud with their name, I'm sure they have legal options to pursue in getting it taken down. If not, they certainly should be fighting for the legal tools to do so. Blaming the consumer is very easy, but it's not going to solve the problem. It's just a way to feel like our failures to do anything about it are OK, because WE'RE too smart to fall for it.

      --
      It's not wasting time, I'm educating myself.
  4. Re:Paypal security center - "Alert us to fraud" by Almost-Retired · · Score: 2, Insightful

    The standard form letter that says we're too gawddamned busy to worry about your little squeak is all I've ever gotten from them when fwding such crap to abuse@. As for using a new 'spoof' address for this when IIRC the RFC says it should be abuse@, that is just ducking the issue and hoping it will go away.

    Personally, I sort ALL that crap to the JunqueMail folder and make it all go away about daily.

    Personally also, I've always looked at my fellow man as a like minded person, but the last 65+ years has taught me there are lots of them, who like bad puppies, should have been drowned at birth. But I still let each one prove him(or her)self before I pass judgement.

    As for it being our problem, and not ebay/paypal's, somebody in a position of power at these don't give a damn companies needs to get bit & have his life ruined. Then maybe they'll hire a lobbyist firm who will see to it that crimes of this nature are both harder to pull off, and a damned sight more costly, effectively ruining the perps life for even trying it, let alone doing it successfully a few times. Then and only then, when the chances of pulling it off vanish, will we get rid of such slime.

    Their warped mind needs to be removed from the gene pool by whatever means is both effective, and permanent until such time as they've proved themselves worthy of the name 'human'. Society and its goody two shoes people are not doing humanity a favor when they want to let them breed more of them just to keep the welfare agents busy.

    Sorry, in a bad mood tonight. These phishers are not the kind of "fishers of men" Jesus had in mind.

    --
    Cheers, gene

  5. Only stops the low-tech phishers by Beryllium+Sphere(tm) · · Score: 2, Insightful

    Typing in a wrong password first is a brilliant trick but it's not "surefire" any more.

    Now that banks are issuing one-time passwords and SecurID tokens, reports are that some phishers have invested in the software and infrastructure to do real-time man in the middle attacks. They talk to the genuine version of the web site they're impersonating and pass along your credentials. If you supply the wrong password, they echo back the "invalid login" from the real site.

    I'm currently recommending "go to your bank from a bookmark" to non-technical people and adding "read the SSL certificate details" to everyone else. And I'm feeling inadequate because even those two together won't protect from a scammer who tampers with DNS or hosts files and who gets a cheapo cert that doesn't verify the organization name.

  6. Re:Wrong address. by DrSkwid · · Score: 2, Insightful

    I don't know why they don't just use mod_proxy and Man-in-the-middle everything

    (something like)

        # one ProxyPass per path; two directives for "/" would conflict,
        # and proxying to an https:// backend needs SSLProxyEngine
        SSLProxyEngine   on
        ProxyPass        / https://www.ebay.com/
        ProxyPassReverse / https://www.ebay.com/

    and then just log all the mitm data they are interested in

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
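The real-time relaying attack described in comments 5 and 6, as an added example that is not part of the original thread: an in-process simulation (no network, no mod_proxy) in which a look-alike site forwards each submission to the genuine site as it arrives and echoes the genuine reply. The bank, the account "alice", her password and OTP secret are constructed for the demo. It shows why the "type a wrong password first" probe no longer distinguishes the two sites, and why a one-time password stops replay of a captured code but not live relay of it.

```python
# Added example, not code from the Slashdot thread or from any real site.
# Everything here (BankSite, RelayingPhisher, the "alice" account) is constructed.
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, dynamic truncation)."""
    counter = now // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class BankSite:
    """The genuine site: password plus OTP, and each OTP is accepted only once."""

    def __init__(self):
        self.users = {"alice": {"password": "correct horse",
                                "otp_secret": b"constructed-demo-secret"}}
        self.used_otps = set()
        self.sessions = {}

    def login(self, user, password, otp, now):
        acct = self.users.get(user)
        if acct is None or acct["password"] != password:
            return {"ok": False, "error": "invalid login"}
        if otp != totp(acct["otp_secret"], now) or (user, otp) in self.used_otps:
            return {"ok": False, "error": "invalid login"}
        self.used_otps.add((user, otp))      # defeats replay, not live relay
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return {"ok": True, "session": token}


class RelayingPhisher:
    """Look-alike site that forwards every submission to the real site live."""

    def __init__(self, real_site: BankSite):
        self.real = real_site
        self.captured = []
        self.stolen_session = None

    def login(self, user, password, otp, now):
        resp = self.real.login(user, password, otp, now)   # real-time relay
        self.captured.append({"user": user, "password": password,
                              "otp": otp, "ok": resp["ok"]})
        if resp["ok"]:
            # The bank's session token stays with the attacker; the victim is
            # shown something that merely looks like a successful login.
            self.stolen_session = resp["session"]
            return {"ok": True, "session": "victim-facing-dummy"}
        return resp   # genuine "invalid login" echoed back unchanged


def run_scenario(now: int = 1_700_000_000) -> dict:
    """Victim probes with a wrong password, then logs in; attacker ends up with the session."""
    bank = BankSite()
    phisher = RelayingPhisher(bank)
    code = totp(bank.users["alice"]["otp_secret"], now)

    # 1. The "wrong password first" trick: the phisher relays the genuine rejection.
    probe = phisher.login("alice", "deliberately-wrong", code, now)
    # 2. The probe looked legitimate, so the victim submits real credentials.
    real = phisher.login("alice", "correct horse", code, now)
    # 3. Replaying the captured OTP directly against the bank is refused...
    replay = bank.login("alice", "correct horse", code, now)
    # 4. ...but the session issued during the relay already belongs to the attacker.
    return {
        "probe_rejected_like_real_site": probe == {"ok": False, "error": "invalid login"},
        "victim_saw_success": real["ok"],
        "otp_replay_rejected": not replay["ok"],
        "attacker_has_valid_session": bank.sessions.get(phisher.stolen_session) == "alice",
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The only thing in this exchange that differs between the genuine site and the relay is the hostname and certificate the victim's browser actually connected to, which is why the comment above falls back on bookmarks and certificate inspection rather than on anything typed into the form.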
  7. Re:Bank of America by MikkoApo · · Score: 2, Insightful
    You're right, I could have lied about my identity. But CastrTroy was right, that was about a principle. I support things which I like and I don't support things which I don't like. I hope that in the long run market forces will make the "good" things flourish and drive the "bad" things/companies/whatever out of business. For example: Sony bad, open source good. When enough people start making conscious choices the companies might actually start caring about their customers again.

    And for the record, since I'm Finnish I couldn't care less about Bank of America or its offerings, especially if I might get spam from it.

  8. Re:Our reports aren't very important by TexasRodeoClown · · Score: 3, Insightful

    The headers allow us and the wronged entity to attempt to get something done about said zombied machines, bad formmails, and so on. Sometimes it leads nowhere but other times we can put a stop to a source of spam. You would be amazed at how many phishing emails come from things like the php-nuke webmail module. When this is the case the offending provider usually takes swift action. Reporting a phishing site should lead to a chain of events and while it rarely leads to those phishing it can help to stem the flow of spam over the net to a small degree.