Phishing: A Real-Life Experiment with Troubling Results

February 9, 2007

Dear Readers:

We received the following electronic mail message from an individual, describing his investigation into a phishing message he received.

We thought his message to be so instructive and so well-written that we obtained his permission to share it with you.

But, first, a little background:

A "phishing" message appears to be from a bona fide company, usually a financial institution. The scamster attempts to trick the recipient into believing that the message is really from his or her own bank or credit card company.

The bogus message instructs the recipient to visit a look-alike web site and then divulge sensitive information such as bank or credit card account numbers, passwords, and Social Security numbers. Once the scam artist has such information, he or she can use it to commit identity theft and open fraudulent credit card accounts in the victim's name.

Here's "J.P.'s" account of his clever phishing investigation:

[begin message]
Last week I received a Bank of America phishing email. Nothing out of the ordinary in that. If I have a spare moment, I usually look to see if the phishing site is still up, then do a DNS lookup and blast off an email to let the site owner know of the scam.

I figure that is more effective than whining to BofA (or whoever). Though I also cc the Bank's abuse address, too.

Call it my little piece of spare time electronic civic duty.

Well, last week's phishing was particularly sophisticated. So I became more intrigued than normal and did a little amateur digging. The email pointed to a hacked site in Singapore. Not too surprising. But the Singapore page was a re-direct script, and when you popped back up, the phishing site was actually on what appeared to be a zombie home PC in Canada.

More intriguing, the phishers had not done a good job of creating secure folders or files on the zombie PC. I pointed to the source directory of the phish page and there were all the source files. So I could poke around and look at just what it took to set up a fake phishing site. Not much, as it happens.

And there were the data files, created by the phishing page when people entered data. In other words, there was the payoff, in an open, un-encrypted file for anyone to download.

So I downloaded it. I was curious to see how successful (or not) this type of site might be.

The results were a little depressing. More on that in a moment.

Even more depressing, a couple of days later: the site was still up. The data file was still there. And people were still dutifully entering their personal info into this burgeoning repository.

So that left me in a moral dilemma. In effect, I was witnessing some bad stuff happening in real time.... What to do? I downloaded the latest version of the harvested data and pondered.

I had already alerted BofA and the owners of the domains. The harvested data file contained no email addresses, so I couldn't alert the people downloading data by email. I couldn't delete or alter the source files or the data file.

I finally decided to simply write letters to all the people who had been duped into entering their street address, informing them of the scam and advising them to do all the sensible things necessary after one's identity has been stolen.

That would be forty letters. Three days; one web site; forty people who had entered every precious fact about themselves into this data file: names, addresses, phone numbers, account numbers, credit card numbers & security codes & expiration dates, SSNs, birth dates, mother's maiden name etc. etc. etc.

I just got back from the Post Office. Ten letters down, thirty to go. I include in each letter a redacted copy of the data associated with the street address. If the data are genuine, the owner will be able to recognize them, despite having every nth character replaced by a "*."

In case there is any feedback or fallout, I will pass that along.

But the thing that sticks with me is just how normal and ordinary all these people seem to be. Something in their lives made the scam seem plausible, so they fell for it. And now they are about to get [conned], if they haven't been already. With luck, my letters will help some of those people avoid major hassles in the future. If they take them seriously.

So the PSA part: Be aware that, sometimes, ordinary intelligent people get conned. Don't be one of them. Don't let any of your friends or relatives be one of them. Take a little pro-active action. Especially if things drift into view that can't be ignored. Don't just walk on by.

And one last thing to mull over: Several people didn't enter street addresses, just all their account and card info and their SSNs. Nothing I can do for them. That really, really [stinks].

[end of message]

Our thanks to J.P. for sharing this story with us.

To learn more about phishing and how to avoid becoming a hapless victim, visit this web site:

Beth Givens
Privacy Rights Clearinghouse