Spamfo, 21 Jun 2004

A cautionary tale for the on-line merchant

In a nutshell: I run a small hosting business (domain names, dedicated servers and the like), so I consider myself fairly “clued up” as far as the net, and net security in particular, is concerned; not your average phishing victim, and because of the nature of the business I saw both sides of the phish…

One day I get an email and a subscription payment for a dedicated server. PayPal verified member; fine. Emailed him, seemed OK if a little clueless about web servers; whatever. Sorted out which ports he wanted open on his firewall, which OS he would like, etc. Once set up and configured we sent through the Ts&Cs (no spamming, no copyright infringement, no hacking, etc.) and left him to it.

A couple of days later, for reasons I can't remember, I plugged the monitor back into his machine (Windows 2000) and to my horror saw “The Bat” mail client up on the screen with the following message: Dear PayPal member, In order to maintain the security of your account…. A phish! From our network… Our machine! The police will be here any moment…. panic.

Using the firewall we redirected outbound SMTP traffic to a “dead” mail server to stop any more phishes going out (and to get a log of what he was sending), then I called the NHTCU (National High Tech Crime Unit, https://www.nhtcu.org/). A quick note on the NHTCU: if you get a phish and are prepared to scour the police and government web sites to find out who to report it to, it eventually lands in an inbox at the NHTCU. You can imagine they're pretty busy.
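What that “dead” mail server needs to do is simple: talk enough SMTP that the client believes its mail was accepted, deliver nothing, and keep the envelope sender, every recipient and the body as evidence. The sink below is an added example written for this page, not code from the original post; it models one SMTP session as a small state machine fed line by line, so it can be driven from a socket loop or, as here, from a constructed transcript. The iptables rule in the comment is the assumed firewall redirect, with placeholder addresses, and is not taken from the post.

```python
"""SMTP sinkhole: accept mail, deliver nothing, keep the evidence.

Added example; the sample session and all addresses are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed firewall redirect (placeholders, not from the post): anything the
# suspect host sends to port 25 is DNATed to the sink instead of the internet.
#   iptables -t nat -A PREROUTING -s 203.0.113.10 -p tcp --dport 25 \
#       -j DNAT --to-destination 192.0.2.25:25


@dataclass
class CapturedMessage:
    sender: str
    recipients: List[str]
    body: str


class SmtpSink:
    """One SMTP session. handle_line() returns the reply to send back
    (None while inside DATA); finished messages land in self.captured."""

    def __init__(self) -> None:
        self.captured: List[CapturedMessage] = []
        self._reset_envelope()

    def greeting(self) -> str:
        return "220 sinkhole ESMTP"

    def handle_line(self, line: str) -> Optional[str]:
        line = line.rstrip("\r\n")
        if self._in_data:
            if line == ".":                      # end of message body
                self.captured.append(CapturedMessage(
                    self._sender, list(self._rcpts), "\n".join(self._data_lines)))
                self._reset_envelope()
                return "250 OK queued (to /dev/null)"
            # SMTP dot-stuffing: a body line starting with ".." carries a literal "."
            self._data_lines.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 sinkhole"
        if verb == "MAIL":
            self._sender = _address(arg)
            return "250 OK"
        if verb == "RCPT":
            if self._sender is None:
                return "503 need MAIL first"
            self._rcpts.append(_address(arg))
            return "250 OK"
        if verb == "DATA":
            if not self._rcpts:
                return "503 need RCPT first"
            self._in_data = True
            return "354 end with <CRLF>.<CRLF>"
        if verb == "RSET":
            self._reset_envelope()
            return "250 OK"
        if verb == "QUIT":
            return "221 bye"
        return "500 unrecognised command"

    def _reset_envelope(self) -> None:
        self._sender: Optional[str] = None
        self._rcpts: List[str] = []
        self._in_data = False
        self._data_lines: List[str] = []


def _address(arg: str) -> str:
    """'FROM:<a@b>' or 'TO:<C@D>' -> 'a@b' / 'c@d'."""
    _, _, addr = arg.partition(":")
    return addr.strip().strip("<>").lower()


def replay_transcript(lines) -> List[CapturedMessage]:
    """Feed a client-side transcript through one sink session."""
    sink = SmtpSink()
    for line in lines:
        sink.handle_line(line)
    return sink.captured


def recipient_list(messages) -> List[str]:
    """Deduplicated, sorted targets across all captured messages: the
    mailing list an investigator would ask for."""
    return sorted({r for m in messages for r in m.recipients})


# Constructed sample session, as the redirected client would send it.
SAMPLE_SESSION = [
    "EHLO dialup-host.example",
    "MAIL FROM:<service@paypal.example>",
    "RCPT TO:<victim1@example.net>",
    "RCPT TO:<Victim2@example.org>",
    "DATA",
    "Subject: Account notice",
    "",
    "Dear PayPal member, In order to maintain the security of your account...",
    "..stuffed line",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for m in replay_transcript(SAMPLE_SESSION):
        print(m.sender, "->", m.recipients)
    print("targets:", recipient_list(replay_transcript(SAMPLE_SESSION)))
```

To take live connections, wrap `SmtpSink` in any socket loop: send `greeting()`, then for each received line send whatever `handle_line()` returns and close on `221`. Keeping the sink a pure state machine is what makes the evidence reproducible: the same transcript always yields the same captured envelopes, and `recipient_list()` gives the de-duplicated target list without ever forwarding a message.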

Once I had convinced them over the phone that I wasn't calling to say I'd had a phish and should I type in my PIN number, but that one of my customers had phished thousands of people and would they like to know who it was, it dawned on me that the original payment for the server was probably fraudulent. (That was the forehead-slapping bit.)

I explained to them about dedicated servers (yes, it's my machine; no, someone else runs it; yes, it's our network; no, I don't have a clue who this guy is). There was some umming and ahhing over the phone but the following conclusion was reached: it's an eBay problem… we'll pass the details on to them. Did I have a copy of the email? Maybe I was being over-dramatic; no request for the hard drive for forensic high-tech stuff, no exotic tracing of his IP address back to his telephone number and finally to a bedroom in Orlando. As Steve pointed out, it's not life-threatening so it really doesn't get a very high priority.

At this point I did feel a little shame-faced, bothering these very busy people with what amounts to a sophisticated spam. They gave me the email address of eBay's security department and suggested I pass on everything to them, which I duly did. There was a deafening silence, broken after a couple of days when they requested the mailing list the phisher had used. When prompted I was told that investigations into the case were ongoing. I asked if they were interested in the guy's IP address; no, not really. Would they like the hard drive… nope.

Over the next couple of days orders via the web site picked up, and almost all of them were on the phisher's mailing list. Out of the 500-600 emails on the list we had 2 more orders for dedicated servers, which is a shocking response rate. When I finally managed to get hold of the person behind the first fraudulent server payment he was naturally irate; his account had been emptied and he had “bought” a dedicated server from me. I eventually managed to placate him and explained that we were both victims of this and of course I would refund the money for his server. I also suggested he change the password on his PayPal account (“Oh, I had an email about that”; I really had to bite my tongue at that point).

The fallout from that simple phish was enormous: PayPal users had their accounts emptied, we had bought hardware that wasn't going to be used, and these are just the incidents that we heard about. I chased up the NHTCU and eBay and was disappointed. As far as the NHTCU were concerned the case was closed (it's an American site) and I never heard from eBay again.

The phisher made no effort to cover his tracks. We logged his IP address for several days (it changed as he logged on and off: AOL dial-up, not coming through any proxies), logged the connection for IRC traffic, pinched all his passwords, traced him to other machines, and basically had enough evidence to get him landed in the slammer without any difficulty. The problem was, nobody was particularly interested. The phisher acted without any concern for getting caught, basically because he knew he wouldn't be.

The whole incident probably cost tens of thousands of pounds and a good deal of heartache for the victims, particularly the PayPal members who followed the instructions in the email and will never get their money back. These scams do immeasurable damage to e-commerce; users want to buy on-line but will be greatly put off by this increasing plague of frauds.

When someone with WinXP, AOL dial-up, VNC and a very basic knowledge of computing can run this sort of scam with complete impunity, safe in the knowledge that nobody's going to catch them, there's a problem.
