Message-ID: <20040112150705.A8489@ring.CS.Berkeley.EDU>
Date: Mon, 12 Jan 2004 15:07:05 -0800
From: Nicholas Weaver <nweaver@...berkeley.edu>
To: Jim Gonzalez <gonzj@...inmaryland.com>
Cc: "Sullivan, Barbra A" <barbra.a.sullivan@...igroup.com>,
	bugtraq@...urityfocus.com
Subject: How to track a Phisher... Re: FW: Abuse report email for CitiBank/CitiCards?


On Mon, Jan 12, 2004 at 04:41:40PM -0500, Jim Gonzalez composed:
> I just received this a few hours ago not sure if it is legit. Here is the
> header info if someone would like to investigate. Seems like the link is down
> already.

Tracking down a Phishing scheme takes a little work.

First, you need to look at the email message source, as it is almost
invariably HTML or text/html.

Look at the URLs in the HTML form.

They are often of the form

http://www.citibank.com/whatever.whatever@realsite/realdata...

These days, most web browsers will warn when you follow such links
(they use the username@...e URL syntax), but there are occasional bugs
where a browser will NOT issue a warning; likewise, OLD browsers will
often not issue a warning.


The other thing to look at is the headers of the message, to see where
it comes from.  Often, like most spam, it's some random open relay or
compromised machine, which will often lead nowhere.


Now that you have the URL, visit it.  Use some browser other than IE
(Internet Explorer is such a big target, with a history of 0-day
exploits running around), and ideally in VMware (paranoia is a good
thing here; you're dealing with criminals), and start digging through
the site.

Odds are good it is a corrupted site, often through some managed
hosting or similar operation.  



Now is where it gets hard: You NEED to get law enforcement, the
hosting company/machine owner, and the credit card company involved.
I'm not sure if it's even possible.  I've not gotten past this step
myself, only getting an ack from the hosting company and a black hole
from the credit card company.



But assuming you CAN do that, now there are two ways to go about
tracking the phisher further: track the break-in (LEO, hosting
company/machine owner looking through logs/forensics) and/or track
where the credit card info goes (send out honeytoken/deliberately bad
data and THEN start taking the site down/apart, look at the script
functionalities, etc.).

And then be prepared to groan when, at the end of it all, it turns out
to be some kiddiot in a foreign country...


-- 
Nicholas C. Weaver                                 nweaver@...berkeley.edu
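As an added illustration (not part of Nicholas Weaver's post, and not a tool he describes), the following Python script applies the two checks the message walks through to a constructed sample e-mail: it pulls the links out of the HTML body and flags the "trusted-name@real-host" user-info disguise, and it walks the Received: chain down to the hop that injected the message. The sample message, its addresses and IPs are made up for the example (documentation ranges and `.example` names). One caveat worth keeping in mind when reading such URLs: for urllib and for a standards-conforming client, the '@' only separates user-info from the real host if it appears before the first '/' after the scheme; once a '/' has been seen, a later '@' is just part of the path and the host really is the one shown.

```python
"""Phishing-mail triage: pull the links out of the HTML body, flag the
"trusted-name@real-host" disguise, and walk the Received: chain back to
the injecting host.  Added example (standard library only); the message
below is a constructed sample, not a real phish."""
import email
import re
from email import policy
from urllib.parse import urlsplit

# Constructed sample message.  One link hides the real host behind user-info,
# one is an ordinary link, and one has an '@' after the first '/', where it is
# plain path text and does not change the host.
SAMPLE_EMAIL = b"""\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id abc123; Mon, 12 Jan 2004 16:30:00 -0500
Received: from relay.example.com (unknown [198.51.100.7])
\tby mx.example.net with SMTP; Mon, 12 Jan 2004 16:29:50 -0500
From: "Card Services" <alerts@citi.example>
To: victim@example.org
Subject: Verify your account
Content-Type: text/html; charset=us-ascii

<html><body>
<p><a href="http://www.citibank.com:verify@198.51.100.23/cgi-bin/form.pl">Verify now</a></p>
<p><a href="http://www.citibank.com/">Home page</a></p>
<p><a href="http://www.citibank.com/help@desk/faq.html">Help</a></p>
</body></html>
"""

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)
RECEIVED_FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BRACKETED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def analyse_url(url):
    """Split a URL the way a conforming client does: everything between '//'
    and the first '/' is the authority, and an '@' inside it separates
    user-info from the real host.  "displayed_as" is what the victim was
    meant to read; "real_host" is where the request actually goes."""
    parts = urlsplit(url)
    return {
        "url": url,
        "displayed_as": parts.username,   # None when no user-info is present
        "real_host": parts.hostname,
        "deceptive": bool(parts.username),
    }


def extract_urls(raw_message):
    """Return every http(s) URL found in the message's HTML (or text) body."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    return URL_RE.findall(body.get_content()) if body else []


def received_chain(raw_message):
    """Received: headers in header order (newest hop first).  Each entry gives
    the HELO name the peer announced and the bracketed IP the MTA recorded."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(str(hdr).split())       # unfold and squeeze whitespace
        helo = RECEIVED_FROM_RE.match(text)
        ip = BRACKETED_IP_RE.search(text)
        hops.append({"helo": helo.group(1) if helo else None,
                     "ip": ip.group(1) if ip else None,
                     "raw": text})
    return hops


def triage(raw_message):
    """Combine both checks.  The origin is the last Received: line, i.e. the
    hop that handed the mail to the first MTA.  Only the headers added by
    MTAs you trust are reliable; anything below them may be forged."""
    urls = [analyse_url(u) for u in extract_urls(raw_message)]
    hops = received_chain(raw_message)
    return {
        "urls": urls,
        "deceptive": [u for u in urls if u["deceptive"]],
        "origin": hops[-1] if hops else None,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_EMAIL)
    for u in report["urls"]:
        flag = "SUSPECT" if u["deceptive"] else "ok     "
        print(f"{flag} shown as {u['displayed_as'] or '-':20} real host {u['real_host']}")
    print("origin hop:", report["origin"]["ip"], "HELO", report["origin"]["helo"])
```

Run it and the first link is reported as shown as www.citibank.com but really fetching from 198.51.100.23, while the third link, whose '@' comes after a '/', is left alone. The origin hop is the bottom Received: line; in practice, walk up from there only as far as the headers written by MTAs you control, since the sender can prepend any Received: lines it likes.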

