How Well Do Businesses Respond to Phishing Reports?
FuzzyDaddy asks: "When I receive a phishing email, which I find has some new or interesting technique, I will usually forward it to the appropriate abuse department. I recently got one concerning 'my' PayPal account (surprising, since I don't have one), which I forwarded to abuse@paypal.com. I received an automated reply telling me to 'please direct all customer service inquiries through our website.' I didn't have time to do that, so I let it go. Is PayPal being irresponsible, here? Have others on Slashdot been satisfied with their attempts to report phishing?"
Our reports aren't very important, as most institutions pay fraud takedown companies to monitor the net for phishing attacks using their name, and outsource the legal aspect of it altogether. A company like PayPal wouldn't directly address phishing attacks; instead, they would pay a very large sum of money to someone else to make it go away.
With that said, those hosting the phishing sites have been very responsive. I came across a paypal phish on poly.edu's network, emailed abuse, and it was gone when I checked an hour or so later, along with an email response in my inbox. Problem is that the burden of enforcement is more on the company being phished than the source of the attack.
Once I looked at the website scamming PayPal (it was somewhere in South America) to see if I could get anything out of the server stats (http://example.com/server-stats) and other such Apache functions. To my horror, the Perl script that would accept input from the "verification" web page had several hundred hits. Either people are submitting bogus information, or hundreds of individuals are being fooled by these scams.
And no, I didn't send them feedback on how they could improve their website.
I also ran into this a few weeks ago with my own account when I accidentally stumbled into phishing on a dot.tk Web site (stupid of me not paying attention to the domain at 3 AM). I never entered real data when I signed up for a Yahoo! account about a decade ago, so I didn't know what I used when they asked for my birthdate, Q&As, and stuff. Yahoo! wouldn't even lock my account!
I managed to get the phisher's two Web sites shut down by dot.tk's abuse department. So, the second time the phisher came on to spam people, I told everyone on my buddy list (I had their e-mail addresses in local files) to fill out Yahoo!'s abuse forms to close my account so the phisher couldn't use it anymore.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
The first thing they could do is to publish SPF records for their domains. And not the ones that end in "~all" ("and accept any other IP, in case we forgot one") that AOL, Hotmail, and many other sources whose domains are constantly faked use. The ability to tell your users "Hey, this didn't come from who it is claiming to have come from" is a start. But PayPal, eBay, and most banks I've seen scammed have no inkling of how a simple change to their DNS would protect them and their customers.
The second thing would be to tell their web servers to not serve images up that have the wrong referrer. Hey, referrer checking isn't 100%, but any time you have an image request from a victim of one of these scam mails, it would be a lot better if that picture had "THIS IS A FRAUD MESSAGE" overlaid on it. It would force the scammers to go back to hosting the pictures on the scam site, which is harder to do than simply uploading a single script to a slightly-insecure website in Brazil or Ohio. And the emails are as legitimate looking as they are because they use the scammed bank's own graphics, from their own servers!
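The two defences in the comment above, as an added example that is not part of the original post and not any company's actual DNS or server configuration: a minimal SPF evaluator that shows how a forged sender IP lands on "softfail" under "~all" but "fail" under "-all", and a Referer-based decision for image requests that returns a fraud-warning placeholder when the request comes from a host outside the site's own. The domains `soft.example` / `strict.example`, the records, the allow-list and the placeholder path are all constructed for the example; only `ip4`, `ip6` and `all` mechanisms are evaluated, since `include`, `a` and `mx` need live DNS.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlparse

# Constructed SPF records for hypothetical domains (not any real company's DNS).
SPF_RECORDS = {
    "soft.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all",
    "strict.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
}

# SPF qualifier prefixes and the result each one produces on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record: str, sender_ip: str) -> str:
    """Evaluate the ip4/ip6/all mechanisms of an SPF record against a sender IP.

    Simplified evaluator for illustration: mechanisms that require DNS lookups
    (include, a, mx, redirect) are skipped rather than resolved.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # mechanisms default to "+" (pass) when unqualified
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            # "all" matches everything that earlier mechanisms did not catch;
            # its qualifier is what separates "~all" (softfail) from "-all" (fail).
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6") and arg:
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" present


# Hosts that legitimately embed the site's own images (constructed allow-list).
ALLOWED_REFERER_HOSTS = {"www.strict.example", "strict.example"}
FRAUD_PLACEHOLDER = "/static/this-is-a-fraud-message.png"  # hypothetical path


def image_to_serve(referer: Optional[str], requested: str) -> str:
    """Decide which image path to serve for a request carrying the given Referer.

    An absent Referer is allowed through, because many mail clients and
    privacy settings strip it; only a Referer from a foreign host gets the
    fraud-warning placeholder. This is the "isn't 100%" caveat in practice.
    """
    if not referer:
        return requested
    host = (urlparse(referer).hostname or "").lower()
    if host in ALLOWED_REFERER_HOSTS:
        return requested
    return FRAUD_PLACEHOLDER


if __name__ == "__main__":
    forged_sender = "198.51.100.7"  # constructed: an IP outside both records
    for domain, record in SPF_RECORDS.items():
        print(domain, "->", spf_check(record, forged_sender))
    print(image_to_serve("https://webmail.example.net/inbox", "/img/logo.gif"))
```

Run as a script it prints `softfail` for the "~all" record and `fail` for the "-all" record for the same forged sender, which is exactly why a receiving mail server can reject on the second but usually only scores on the first.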
I've been referred to you by FedEx tech support, with the case number above.
Attached is an obvious phishing scam using the FedEx name. It has the usual hallmarks of a phishing scam:
1. A forged return address "aroundtheworld@fedexemails.01o.com", while it was actually sent from "snd6222.britecast.com". (This, of course, is a criminal violation of the CAN-SPAM Act.)
2. Phony links to fake sites: the link supposedly to "nba.fedex.com" actually goes to "http://fedex.00b.net/ajtk/servlet/JJ?H=h3cq6&R=28 6452495".
So this is a clear phony.
The real concern is that the sender of this message has some information about our FedEx account. The message contains the line
"All shipments must be paid for with your FedEx account number ending in 811."
That is in fact from our valid FedEx account number. So FedEx appears to have a security breach; account numbers have leaked to a scammer.
Full message source appears below.
Please let me know immediately if we need to cancel our FedEx account because of this security breach. Thank you for your attention to this matter.
FedEx reply:
Dear John:
We received your inquiry. Thank you for contacting FedEx. We apologize for the inconvenience.
We would like to inform you that you may need to contact your local FedEx Account Executive so they can further advise you of what you need to do regarding the status of your account.
We hope this information is helpful. Again, thank you for contacting FedEx.
Note that they've referred me back to the part of FedEx that referred me to them. So that's FedEx, clueless.
I read elsewhere that 75% of what is coming OUT from Hotmail/MSN server is spam of one sort or another (and apparently mostly phishing and similar scams based on what I've gotten in the past). It's time to just refuse all email from Hotmail/MSN servers ... except for specific email addresses you know of by whitelisting them. This is what I have had to do (because Hotmail/MSN reached the point of representing more than 50% of all incoming spam because I've been rather effective at blocking spam from lots of other sources such as the bulk of home zombie machines). Just block them, whitelist any friends that still use it, and move on.
now we need to go OSS in diesel cars
Some are even more sophisticated than this. I've seen a number of phishing mails where the sites actually verified the password entered in the background via ebay.com and only sent you to their "we need your credit card number, SSN, driving license, bank account etc... to verify your account"-page when the password was correct. More recently, they've started sending you to that page after three failed attempts to login to ebay, probably in the hope that they'd get your personal data after all. I found it quite irritating that this still worked after over 800000 failed scripted login attempts within about 12h with random usernames and passwords from dict/words. Doesn't ebay try to prevent brute force attacks?
In short, it's not a good idea to use failed login attempts with the wrong password as an indicator for the authenticity of a website.
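The question raised above, whether a site notices hundreds of thousands of failed logins, comes down to counting failures per source rather than per account: a script trying random usernames never trips a per-user lockout. As an added example (not the commenter's script and not any site's real detection logic), this sliding-window detector flags a source IP that exceeds a failure threshold inside a time window, regardless of which usernames it tried. The log format (ISO timestamp, source IP, username, result) and the log lines are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format, not a real product's).
# One source fails six different usernames in five seconds; another is a user
# who mistypes once and then logs in.
SAMPLE_LOG = """\
2007-03-01T03:00:00 198.51.100.9 alice FAIL
2007-03-01T03:00:01 198.51.100.9 bob FAIL
2007-03-01T03:00:02 198.51.100.9 carol FAIL
2007-03-01T03:00:03 198.51.100.9 dave FAIL
2007-03-01T03:00:04 198.51.100.9 erin FAIL
2007-03-01T03:00:05 198.51.100.9 frank FAIL
2007-03-01T03:05:00 203.0.113.4 alice FAIL
2007-03-01T03:05:30 203.0.113.4 alice OK
"""


def parse_line(line):
    """Split one log line into (timestamp, source_ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def find_bruteforce_sources(log_text, max_failures=5, window=timedelta(minutes=1)):
    """Return {source_ip: timestamp_first_flagged} for sources that produce more
    than max_failures failed logins within any window-sized span of time.

    Counting is per source IP, not per username, so a script rotating through
    a dictionary of usernames is caught even though no single account ever
    accumulates enough failures to be locked.
    """
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, _user, result = parse_line(line)
        if result != "FAIL":
            continue
        failures = recent[ip]
        failures.append(ts)
        # Drop failures older than the window so the count is a sliding one.
        while failures and ts - failures[0] > window:
            failures.popleft()
        if len(failures) > max_failures and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{ip} exceeded the failure threshold at {when.isoformat()}")
```

The threshold and window here are deliberately low so the constructed log trips them; in practice they would be tuned against normal traffic, and the response (throttling, a CAPTCHA, or a block) sits outside the detector. Note that this does not help the end user judge a site's authenticity, which is the commenter's closing point: a failed login on a phishing page tells you nothing either way.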
We caught it three weeks in the act. I analyzed the code, and made a script that would randomly send the receiver (a yahoo e-mail address) random login information (made from first and last name files downloaded from the US census bureau). Now, it's been running for at least three months.
The ph151ng page has been left intact, except that it does not report back to the original receivers, but instead shows a message that basically says "you've been phished, sucker!!!". And at least 200 people a day still get sucked in after three months!!!
I guess I will put google ads on the page...