How to track a Phisher... Re: FW: Abuse report email for CitiBank/CitiCards?

From: Nicholas Weaver (nweaver_at_CS.berkeley.edu)
Date: 01/13/04

    Date: Mon, 12 Jan 2004 15:07:05 -0800
    To: Jim Gonzalez <gonzj@dslinmaryland.com>

    On Mon, Jan 12, 2004 at 04:41:40PM -0500, Jim Gonzalez composed:
    > I just received this a few hours ago not sure if it is legit. Here is the
    > header info if someone would like to investigate. Seems like the link is down
    > already.

    Tracking down a Phishing scheme takes a little work.

    First, you need to look at the email message source, as it is almost
    invariably html or txt/html.

    Look at the URLs in the HTML form.

    They are often of the form

    http://www.citibank.com/whatever.whatever@realsite/realdata...

    These days, most web browsers will warn when you follow such links
    (they use the username@site URL syntax) but there are occasional bugs
    where a browser will NOT issue a warning; likewise OLD browsers will
    often not issue a warning.

    The other thing to look at is the headers of the message, to see where
    it comes from. Often, like most spam, it's some random open relay or
    compromised machine, which will often lead nowhere.

    Now that you have the URL, visit it. Use some browser other than IE
    (Internet Explorer is such a big target, with a history of 0 day
    exploits running around), and ideally in VMware (paranoia is a good
    thing here, you're dealing with criminals) and start digging through
    the site.

    Odds are good it is a corrupted site, often through some managed
    hosting or similar operation.

    Now is where it gets hard: You NEED to get law enforcement, the
    hosting company/machine owner, and the credit card company involved.
    I'm not sure if it's even possible. I've not gotten past this step
    myself, only getting an ack from the hosting company, and a black hole
    from the credit card company.

    But assuming you CAN do that, now there are two ways to go about
    tracking the phisher further: track the breakin (LEO, hosting
    company/machine owner looking through logs/forensics) and/or track
    where the credit card info goes (send out honeytoken/deliberately bad
    data and THEN start taking the site down/apart, look at the script
    functionalities etc).

    And then be prepared to groan when, at the end of it all, it turns out
    to be some kiddiot in a foreign country...

    -- 
    Nicholas C. Weaver                                 nweaver@cs.berkeley.edu
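One way to screen links pulled out of a message for the username@site trick the post describes, comparing what a reader sees before the first "/" with the host a browser actually connects to. This is an added example, not code from the original post; the sample links and the hosts in them are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample links standing in for URLs extracted from a phishing
# message's HTML (none of these come from the original post).
SAMPLE_LINKS = [
    "http://www.citibank.com@203.0.113.5/cgi-bin/verify.php",
    "http://www.citibank.com:login@phish.example/verify",
    "http://user:secret@www.citibank.com/",
    "https://www.citibank.com/",
    # Once a '/' ends the authority, a later '@' is just path text,
    # so a standards-conforming parser does not treat it as userinfo.
    "http://203.0.113.5/whatever@www.citibank.com/",
]


def analyze_link(url):
    """Return (apparent_host, real_host, deceptive) for one URL.

    apparent_host is the authority as a casual reader sees it, userinfo
    included; real_host is the host the browser connects to once the
    userinfo@ prefix is stripped. The link is flagged deceptive when the
    visible userinfo looks like a domain name (contains a dot), which is
    the trusted-name-before-@ pattern.
    """
    parts = urlsplit(url)
    authority = parts.netloc
    real_host = (parts.hostname or "").lower()
    userinfo = authority.rsplit("@", 1)[0] if "@" in authority else ""
    # Only the part before ':' is what the eye reads; a password is hidden
    # from the comparison so user:pass@host is not flagged on its own.
    visible_user = userinfo.split(":", 1)[0]
    deceptive = bool(userinfo) and "." in visible_user
    return authority, real_host, deceptive


def flag_deceptive(urls):
    """Return the subset of urls whose userinfo masquerades as a hostname."""
    return [u for u in urls if analyze_link(u)[2]]


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        apparent, real, bad = analyze_link(link)
        label = "DECEPTIVE" if bad else "ok"
        print(f"{label:9} sees={apparent!r} connects_to={real!r}")
```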