Slashdot Mirror
How Well Do Businesses Respond to Phishing Reports?
FuzzyDaddy asks: "When I receive a phishing email, which I find has some new or interesting technique, I will usually forward it to the appropriate abuse department. I recently got one concerning 'my' paypal account (surprising, since I don't have one), which I forwarded to abuse@paypal.com. I received an automated reply telling me to 'please direct all customer service inquires through our website.' I didn't have time to do that, so I let it go. Is paypal being irresponsible, here? Have others on Slashdot been satisfied with their attempts to report Phishing?"
Paypal does have an e-mail address to forward them to, it's just not "abuse". Forward the e-mails to spoof@paypal.com. They actually do take these pretty seriously.
What I like to do until the site gets taken down is to fill out their form with bogus information, then after submitting it, hit the refresh button. It'll ask me if I want to submit the form again, and I'll say "yes". I'll just sit there for a while hitting F5 and enter just to fill their results with bogus crap.
I know a lot of people actually fall for them. I always tell them that the surefire way to tell if it's a spoof is to put a fake username/password in when prompted. Not only do they then get fake information, but if it gets accepted, you know that the site is fake. I've gotten my whole family to start doing this after my sister fell for one.
Our reports aren't very important, as most institutions pay fraud takedown companies to monitor the net for phishing attacks using their name, and outsource the legal aspect of it all together. A company like Paypal wouldn't directly address phishing attacks, instead they would pay a very large sum of money to someone else to make it go away.
With that said, those hosting the phishing sites have been very responsive. I came across a paypal phish on poly.edu's network, emailed abuse, and it was gone when I checked an hour or so later, along with an email response in my inbox. Problem is that the burden of enforcement is more on the company being phished than the source of the attack.
Fake Email/Website (Spoof, Phishing)
Paypal, eBay, Amazon, etc all have pretty good security centres. I am surprised that abuse@paypal.com gave that automated reply, but if you visit their website the security centre is prett yeasy to find. You might not get a personalised response to your report because they get so darn many reports, but they do follow through on all reports.
Once I looked at the website scamming PayPal (it was somewhere in South America) to see if I could get anything out of the server stats (http://example.com/server-stats) and other such Apache functions. To my horror, the Perl script that would accept input from the "verification" web page had several hundred hits. Either people are submitting bogus information, or hundreds of individuals are being fooled by these scams.
You could always report it to CERT (US Computer Emergency Readiness Team) or the FBI's Internet Crime Complaint Center.
And no, I didn't send them feedback on how they could improve their website.
Paypal's been dropping anything that comes to abuse@, which not only is an RFC Violation (and there's a DNSBL of those), but is part of a slow trend of ISP's and other similar service providers to kill off abuse@ and postmaster@.
--
# Canmephians for a better Linux Kernel
$Stalag99{"URL"}="http://stalag99.net";
The original poster asked about experiences with other companies.
Personally, I feel email is not a reliable way to make first contact with someone, unless you have some arrangement made with them in advance. While email sent to abuse@ and postmaster@ should always be read by a live person, many spammers send bulk email to abuse@ and postmaster@ addresses. Any published email address is likely to receive a large number of unwanted email messages, and anyone who reads mail at that address must spend extra time removing unwanted messages. Sometimes important messages are deleted or ignored by mistake.
Some companies ask to be contacted by email. They might publish a customer service email address on their web site, or publish a 'Contact Us' page which lists email addresses which can best handle different kinds of issues.
If you just guess an email address, or if you send mail to a published address where the recipient hasn't requested your email, I don't think you can assume your email will always be read, or that you can fairly call a company irresponsible for failing to read your unsolicited email.
Phone calls, faxes, and paper mail require more effort than an email message. If a company doesn't respond to an email message, but you really are interested in helping them find this web site, it might be worthwhile to look up their fax number or mailing address, and contact them that way. If you don't really want to help them, you don't have to. It's completely optional.
Do you believe there is anything that a company that is the target of a phishing attack can do? Let's see here, someone signs up for a hosting account and the hosting company is under legal obligation to protect the identity of their customer. If that hosting company is in a different country than the target, then without international police cooperation, you aren't going to get anywhere. No court is going to force a hosting company to disclose the identity of someone that might be either the perpetrator or a victim.
So, your helpful report (along with a few thousand others) is likely to be met with either silence or open rejection. There isn't much they can do, and it is unlikely they can do much for the fools that fall for such scams. If you believe you bank is going to send you email from a host they don't have their domain name on, you will believe anything. More over, these days if you think your bank is going to send you email at all you are being silly. They already figured out that email is useless given the density of spam.
The problem is the target is helpless. It is up to people to stop responding to this stuff. If we aren't going to go after the people that send this out, what do you want the target to do?
About half of all banks that send legitimate e-mail send it from
a host they don't have their domain name on, in my experience.
I don't have a bank message in my current inbox but Discover Card,
for example, sends e-mail from arm149.bigfootinteractive.com. The
bigfootinteractive.com web site (which I believe is legitimate) says
it's a "leading provider of strategic, ROI-focused email
communications solutions."
Actual banks, credit unions, etc. use similar e-mail outsourcing.
The messages that give me short https URLs are useful in some
cases. But mostly they give http URLs to the bank's web site, or
worse, http URLs to a legitimate but different domain (such as
a domain ending in ".m0.net").
I recently received a phishing mail pretending to be from Halifax (a UK bank). I clicked the link and it worked so I forwarded the mail to the address (onlineemailinvestigations@hbosplc.com) listed on their real web site. I've done this before and got the usual instant form response but this time I got that and a bounce message saying that my message could not be delivered to HBOSfeed@cyota.com. Cyota appears to be a company which Banks outsource their phishing responsibilities to.
I figured this was just a misconfiguration somewhere so I tried mailing postmaster@cyota.com and that bounced too so I think I then filled in the Contact Us form on their web site (I'm not certain if I got round to doing it, but I think I did). Next time a phishing e-mail came I forwarded it as usual but I got the same bounce so this time I tried mailing postmaster@hbosplc.com. This one didn't bounce so I figured someone was sorting it out.
Then yesterday another phishing e-mail came so I forwarded it to the designated address again and got the same bounce again. Now I'm out of ideas, but to answer the original poster's question: In the case of Halifax and Cyota, I'd say, "not very".
I also ran into this a few weeks ago with my own account when I accidently stumbled into phishing on a dot.tk Web site (stupid of me not paying attention to the domain at 3 AM). I never entered real datas when I signed up for a Yahoo! account about a decade ago so I didn't know what I used when they asked for my birthdate, Q&As, and stuff. Yahoo! wouldn't even lock my account!
I managed to get the phisher's two Web sites shut down by dot.tk's abuse department. So, the second time phisher came on to spam people, I told everyone on my buddy list (I had their e-mail address in local files) to fill out Yahoo!'s abuse forms to close my account so the phisher couldn't use it anymore.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Typing in a wrong password first is a brilliant trick but it's not "surefire" any more.
Now that banks are issuing one-time passwords and SecurID tokens, reports are that some phishers have invested in the software and infrastructure to do real-time man in the middle attacks. They talk to the genuine version of the web site they're impersonating and pass along your credentials. If you supply the wrong password, they echo back the "invalid login" from the real site.
I'm currently recommending "go to your bank from a bookmark" to non-technical people and adding "read the SSL certificate details" to everyone else. And I'm feeling inadequate because even those two together won't protect from a scammers who tampers with DNS or hosts files and who gets a cheapo cert that doesn't verify the organization name.
A week ago, I got a phishing scam that used the address http://paypal-com-us-ssl.info/ for its responses. At the time (it's dead now), that address resolved to a YAHOO server. So, I reported it, including the whole phishing message, with headers, to abuse@yahoo.com.
Their response? Don't know - their abuse@yahoo.com address has a spam filter on it, which rejected the message because it contained a phishing scheme:
The first thing they could do is to publish SPF records for their domains. And not the ones that end in "~all" ("and accept any other IP, in case we forgot one") like AOL, HOTMAIL, and many other sources whose domains are faked constantly use. The ability to tell your users "Hey, this didn't come from who it is claiming to have come from" is a start. But PayPal, eBay, and most banks I've seen scammed have no inkling of how a simple change to their DNS would protect them and their customers.
The second thing would be to tell their web servers to not serve images up that have the wrong referrer. Hey, referrer checking isn't 100%, but any time you have an image request from a victim of one of these scam mails, it would be a lot better if that picture had "THIS IS A FRAUD MESSAGE" overlayed on it. It would force the scammers to go back to hosting the pictures on the scam site, which is a harder to do than simply uploading a single script to a slightly-insecure website in Brazil or Ohio. And the emails are as legitimate looking as they are because they use the scammed bank's own graphics, from their own servers!
often the fishers will pull images off the real site to save bandwidth, referrer detection can stop this but last i knew paypal never bothered to implement that.
Snowden and Manning are heroes.
Just before I started working at my current job, our webserver was hacked and used as an ebay phishing site. It didn't take long before our offices were getting personal calls from agents at the FBI and urgent contact from the ISP who runs our node.
Suffice it to say we took action ASAP. I have a feeling they would have forced us to do something about it if we dragged our feet. I'm assuming they do the same for other reports they receive.
-Ryan
AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
I've been referred to you by FedEx tech support, with the case number above.
Attached is an obvious phishing scam using the FedEx name. It has the usual hallmarks of a phishing scam:
1. A forged return address "aroundtheworld@fedexemails.01o.com", while it was actually sent from "snd6222.britecast.com". (This, of course, is a criminal violation of the CAN-SPAM act.)
2. Phony links to fake sites: the link supposedly to "nba.fedex.com" actually goes to "http://fedex.00b.net/ajtk/servlet/JJ?H=h3cq6&R=28 6452495".
So this is a clear phony.
The real concern is that the sender of this message has some information about our FedEx account. The message contains the line
"All shipments must be paid for with your FedEx account number ending in 811."
That is in fact from our valid FedEx account number. So FedEx appears to have a security breach; account numbers have leaked to a scammer.
Full message source appears below.
Please let me know immediately if we need to cancel our FedEx account because of this security breach. Thank you for your attention to this matter.
FedEx reply:
Dear John:
We received your inquiry. Thank you for contacting FedEx. We apologize for the inconvenience.
We would like to inform you that you may need to contact your local FedEx Account Executive so they can further advise you of what you need to do regarding the status of your account.
We hope this information is helpful. Again, thank you for contacting FedEx.
Note that they've referred me back to the part of FedEx that referred me to them. So that's FedEx, clueless.
We caught it three weeks in the act. I analyzed the code, and made a script that would randomly send the receiver (a yahoo e-mail address) random login information (made from first and last name files downloaded from the US census bureau). Now, it's been running for at least three months.
The ph151ng page has been left intact, except that it does not report back to the original receivers, but instead shows a message that basically says "you've been phished, sucker!!!". And at least 200 people a day still get sucked in after three months!!!
I guess I will put google ads on the page...