One Dweeb's Phishing Trip

On January 11th, I received an email to my Yahoo! account with the subject "Activate Your Account Now". The sender was "service@paypal.com".

The gist of the HTML email was that my account with PayPal would be terminated if I didn't act now to re-activate it.

I don't have an account with PayPal, so it was obviously a phishing email with me as one of the targeted phish. Normally, I simply ignore this sort of email, because they are so lame. But this one was different - in examining the email, most of the links actually linked back to paypal. Except one.

This email was very well constructed - it even had security warnings explaining that PayPal personnel would never ask for passwords through email.

There was one link - the one I was expected to use to login to my soon-to-be terminated account - that did not go to PayPal. Normally, in these sort of emails, such links consist of an IP address. This one was different - it was an actual Domain Name.

I proceeded to do a WHOIS on the domain, cooasrt.com, and found it registered to one Sara Jett in South Carolina. There was even a phone number. I thought the email given, [e-mail:robert.baca3@yahoo.com], was rather odd considering that the Admin contact was named Sara Jett.

The technical contact was legitimate enough - the site was being hosted by Yahoo!. It was one of their business accounts. And therein lies the frustrating part of my tale.

To verify that this was indeed a Yahoo! hosted site, I did a nslookup on the domain, cooasrt.com, and traced the IP through one of the online reverse-IP lookups. It was indeed a Yahoo! owned IP address.

I should mention that the first thing I did, before taking the trouble to track down the IP and domain host, was to forward this phishing email, in its entirety to [e-mail:abuse@paypal.com] and [e-mail:webmaster@cooasrt.com]. I almost immediately got two automated replies in return - one from Yahoo! saying that there was no such account "webmaster@cooasrt.com" and one from Paypal advising me to forward any suspicious emails to "spoof@paypal.com". This was in the morning, before I went to work.

When I got home from work on the 11th, I then proceeded to track down the information on this phishy email, as described above. I first called the Admin contact listed in the WHOIS record. The person at the other end told me that they did not know who Sara Jett or Robert Baca were. I informed them that their phone number, which I rattled off to them, was being used to commit internet fraud. I didn't expect that they would admit to anything, I just wanted make sure they were aware of what was going on. My next call was to the Technical Contact phone number listed in the WHOIS record. I got an answering machine that doesn't take messages. This was a legitimate phone number for Yahoo! but was a dead end for any further action. Personally, I think it's a bit unethical for Yahoo!, but I'll write more on that later.

At this point, I was a bit irritated on how difficult Yahoo! was making it to report real fraud. By the way they set things up, they were/are complicit in acts of computer-based fraud. They obviously did not verify the information listed in the WHOIS when they set up the business website for cooasrt.com. More on that in a bit, as well.

Using the domain name, yahoo-inc.com, from the technical POC email address, I surfed with my browser to yet another non-working site, but at least this time, Yahoo! had the decency to set up a HTTP re-direct mechanism that took me to the yahoo main page. From there, I selected "Web hosting" under the Business section.

The only phone number on that page was the 866 number for sales, which had just closed by the time I got to that page. I dug around a little and got another number for their customer service - it wasn't a toll free number, but it was a start. The tech at the other end couldn't help with my problem, but gave me the abuse email address and a toll-free customer service number. Before ending that call, I suggested that he give some feedback to the higher-ups that the salespeople for Yahoo! should verify contact information in the DNS records before setting up new domains.

After disconnecting on that call, I proceeded to forward the phishing email to the abuse email address, [e-mail:reportabuse@cc.yahoo-inc.com], that I was given by the Yahoo! tech. I got an immediate response saying that email had been bounced. The reason it was bounced is that it contained HTML phishing code. NO SH*T SHERLOCK - that's why I'm forwarding it to them in the first place.

So I called the toll-free number to explain the situation. The teleservices rep at the other end wasn't sure how to handle the problem I was presenting to her. She kept asking information about *my* account. It didn't dawn on her that I wasn't calling about my Yahoo! email, but about a site Yahoo! was hosting that I didn't own. She finally transferred me to a tier-2 individual, Bill, who gave me 2 new abuse email addresses to try. Considering that at that point that my email attempt to their abuse department failed for a very stupid reason, I told him that I preferred that he simply take down the domain information and handle the whole thing himself. He informed me that the Customer Service was not equipped to handle the situation in any way but email. I thanked him for the information and ended the call.

I proceeded to forward that email to those two abuse addresses, [e-mail:sore-abuse@yahoo.com] and [e-mail:reportabuse@yahoo-inc.com], and got the same bounce message as reply from both. I called the toll-free line again, explained my dilemma to the latest teleservices rep, Dave, who informed me that there was nothing he could do.

I told him in no uncertain terms that this was making Yahoo! guilty of being complicit in a case of fraud. I told him that it was nice to know that if I ever decided to go crooked, all I had to do is set up a phishing site under a Yahoo! hosted domain, send out emails from their system, and there wouldn't be anyway for anyone to really report it, because all the emails with any evidence would get bounced back. It was at this point that Dave took down the domain name, because I insisted, and he offered to transfer me to the legal department. He informed me up front that I would only get a voicemail, but they would call me back. I took him up on his offer.

I proceeded to leave my name, my phone number, the litany of my experience with the Yahoo! customer service, and my expectation that the domain, cooasrt.com, should be disabled with 12 hours of my leaving the message.

Then I noticed something about the bounced emails from the abuse addresses - they all contained a "cleansed" version of the original emails. So I took the latest bounce reply and forwarded *it* to the three abuse emails that I had been given. I included a small blurb about my dissatisfaction with Yahoo!'s abuse process. Lo and behold! That email did not bounce back.

When my wife checked this morning, the domain was disabled - the DNS record had been cleansed. I haven't received any reply from Yahoo! nor do I expect any.

What leaves a bad taste in my mouth is the fact that I received the email at all - if the filters on the Yahoo! servers were able to block it for the abuse addresses, then why didn't they block it for all yahoo addresses. Why does Yahoo! make it so difficult to report the situation? It wasn't like I was attempting invade anyone's privacy.

This site was so polished - it looked just like PayPal's home page, including the Verisign logo in the middle. If my mail client had worked like MS-Outlook, it would have opened a browser without the toolbar. Anyone looking at the page at that point would have had *no* way of knowing they weren't looking at the real PayPal site.

The next day, on a lark, I clicked on the link in the original email and it brought up another spoofing site, identical to the one that I reported previously. I checked the DNS information from WHOIS and found that like the first site, it also is hosted by Yahoo! with phony contact information: [HYPERLINK@www.stunt322.com]

Since there was the real possibility that the person or persons responsible for these frauds has any number of phishing sites, I took a closer look at the link in my email, because I knew it could not possibly have changed: [HYPERLINK@ebay.doubleclick.net] [HYPERLINK@trurnmeon.com] was set up to redirect traffic to a different domain, changing the target domain periodically.

I proceeded to call the 866 number to the sales department at Yahoo! and told the person on the other end of the line that I wanted to set up a site so I could rip people off. Reciting the difficulty I'd had in reporting the obvious fraud to his company in the first place, I suggested that they might want change their reporting process. Making my disatisfaction plain, I told the salesman that they should seriously consider change their sales process and verify the information given by calling the phone numbers and sending an email before registering a domain. It's not that difficult.

I'm writing this in the hopes that maybe, just maybe, more people will get on the butts of the webhosting companies everywhere to make the reporting of abuse and fraud a lot easier.

What I feel should be done: 1. All webhosts should be required by the Domain Registrars to provide active phone numbers in the Technical POC section of DNS records. 2. Webhosts and Internet Providers should all provide multiple mechanisms for the reporting of abuse and fraud - simply providing an email address, like Yahoo! does, is *not* good enough.

Ok - I think I'm done ranting now. Thanks for reading.