[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20040112150705.A8489@ring.CS.Berkeley.EDU>
Date: Mon, 12 Jan 2004 15:07:05 -0800
From: Nicholas Weaver <nweaver@...berkeley.edu>
To: Jim Gonzalez <gonzj@...inmaryland.com>
Cc: "Sullivan, Barbra A" <barbra.a.sullivan@...igroup.com>,
bugtraq@...urityfocus.com
Subject: How to track a Phisher... Re: FW: Abuse report email for CitiBank/CitiCards?
On Mon, Jan 12, 2004 at 04:41:40PM -0500, Jim Gonzalez composed:
> I just received this a few hours ago not sure if it is legit. Here is the
> header info if someone would like to invesigate. Seems like the like is down
> already.
Tracking down a Phishing scheme takes a little work.
First, you need to look at the email message source, as it is almost
invariably html or txt/html.
Look at the URLs in the HTML form.
They are often of the form
http://www.citibank.com/whatever.whatever@realsite/realdata...
THese days, most web browsers will warm when you follow such links
(they use the username@...e URL syntax) but there are occasional bugs
where a browser will NOT issue a warning, likewise OLD browsers will
often not issue a warning.
THe other thing to look at is the headers of the message, to see where
it comes from. Often, like most spam, its some random open relay or
compromised machine which will often lead nowhere.
Now that you have the URL, visit it. Use some browser other than IE
(Internet Explorer is such a big target, with a history of 0 day
exploits running around), and ideally in VMware (paranoia is a good
thing here, you're dealing with criminals) and start digging through
the site.
Odds are good it is a corrupted site, often through some managed
hosting or similar operation.
Now is where it gets hard: You NEED to get law enforcement, the
hosting company/machine owner, and the credit card company involved.
I'm not sure if its even possible. I've not gotten past this step
myself, only getting an ack from the hosting company, and a black-hole
from the credit-card company.
But ssuming you CAN do that, now there are two ways to go about
tracking the phiser further: track the breakin (LEO, hosting
company/machine owner looking through logs/forensics) and/or track
where the credit card info goes (send out honeytoken/deliberately bad
data and THEN start taking the site down/apart, look at the script
functionalities etc).
And then be prepared to groan when, at the end of it all, it turns out
to be some kiddiot in a foreign contry...
--
Nicholas C. Weaver nweaver@...berkeley.edu
Powered by blists - more mailing lists