One Dweeb's Phishing Expedition

Forum: Linux. Total replies: 10
DarrenR114

Jan 12, 2007
7:26 AM EDT
Yesterday, I received an email to my Yahoo! account with the subject "Activate Your Account Now". The sender was "service@paypal.com".

The gist of the HTML email was that my account with PayPal would be terminated if I didn't act now to re-activate it.

I don't have an account with PayPal, so it was obviously a phishing email with me as one of the targeted phish. Normally, I simply ignore this sort of email, because they are so lame. But this one was different - in examining the email, most of the links actually linked back to paypal. Except one.

This email was very well constructed - it even had security warnings explaining that PayPal personnel would never ask for passwords through email.

There was one link - the one I was expected to use to login to my soon-to-be terminated account - that did not go to PayPal. Normally, in these sort of emails, such links consist of an IP address. This one was different - it was an actual Domain Name.

I proceeded to do a WHOIS on the domain, cooasrt.com, and found it registered to one Sara Jett in South Carolina. There was even a phone number. I thought the email given, robert.baca3@yahoo.com, was rather odd considering that the Admin contact was named Sara Jett.

The technical contact was legitimate enough - the site was being hosted by Yahoo!. It was one of their business accounts. And therein lies the frustrating part of my tale.

To verify that this was indeed a Yahoo! hosted site, I did an nslookup on the domain, cooasrt.com, and traced the IP through one of the online reverse-IP lookups. It was indeed a Yahoo! owned IP address.

I should mention that the first thing I did, before taking the trouble to track down the IP and domain host, was to forward this phishing email, in its entirety, to abuse@paypal.com and webmaster@cooasrt.com. I almost immediately got two automated replies in return - one from Yahoo! saying that there was no such account "webmaster@cooasrt.com" and one from PayPal advising me to forward any suspicious emails to "spoof@paypal.com". This was yesterday morning, before I went to work.

When I got home from work yesterday, I then proceeded to track down the information on this phishy email, as described above. I first called the Admin contact listed in the WHOIS record. The person at the other end told me that they did not know who Sara Jett or Robert Baca were. I informed them that their phone number, which I rattled off to them, was being used to commit internet fraud. I didn't expect that they would admit to anything; I just wanted to make sure they were aware of what was going on. My next call was to the Technical Contact phone number listed in the WHOIS record. I got an answering machine that doesn't take messages. This was a legitimate phone number for Yahoo! but was a dead end for any further action. Personally, I think it's a bit unethical for Yahoo!, but I'll write more on that later.

At this point, I was a bit irritated at how difficult Yahoo! was making it to report real fraud. By the way they set things up, they were/are complicit in acts of computer-based fraud. They obviously did not verify the information listed in the WHOIS when they set up the business website for cooasrt.com. More on that in a bit, as well.

Using the domain name, yahoo-inc.com, from the technical POC email address, I surfed with my browser to yet another non-working site, but at least this time Yahoo! had the decency to set up an HTTP redirect mechanism that took me to the Yahoo! main page. From there, I selected "Web hosting" under the Business section.

The only phone number on that page was the 866 number for sales, which had just closed by the time I got to that page. I dug around a little and got another number for their customer service - it wasn't a toll free number, but it was a start. The tech at the other end couldn't help with my problem, but gave me the abuse email address and a toll-free customer service number. Before ending that call, I suggested that he give some feedback to the higher-ups that the salespeople for Yahoo! should verify contact information in the DNS records before setting up new domains.

After disconnecting on that call, I proceeded to forward the phishing email to the abuse email address, reportabuse@cc.yahoo-inc.com, that I was given by the Yahoo! tech. I got an immediate response saying that email had been bounced. The reason it was bounced is that it contained HTML phishing code. NO SH*T SHERLOCK - that's why I'm forwarding it to them in the first place.

So I called the toll-free number to explain the situation. The teleservices rep at the other end wasn't sure how to handle the problem I was presenting to her. She kept asking for information about *my* account. It didn't dawn on her that I wasn't calling about my Yahoo! email, but about a site Yahoo! was hosting that I didn't own. She finally transferred me to a tier-2 individual, Bill, who gave me 2 new abuse email addresses to try. Considering that at that point my email attempt to their abuse department had failed for a very stupid reason, I told him that I preferred that he simply take down the domain information and handle the whole thing himself. He informed me that Customer Service was not equipped to handle the situation in any way but email. I thanked him for the information and ended the call.

I proceeded to forward that email to those two abuse addresses, sore-abuse@yahoo.com and reportabuse@yahoo-inc.com, and got the same bounce message as a reply from both. I called the toll-free line again and explained my dilemma to the latest teleservices rep, Dave, who informed me that there was nothing he could do.

I told him in no uncertain terms that this was making Yahoo! guilty of being complicit in a case of fraud. I told him that it was nice to know that if I ever decided to go crooked, all I had to do was set up a phishing site under a Yahoo! hosted domain, send out emails from their system, and there wouldn't be any way for anyone to really report it, because all the emails with any evidence would get bounced back. It was at this point that Dave took down the domain name, because I insisted, and he offered to transfer me to the legal department. He informed me up front that I would only get a voicemail, but they would call me back. I took him up on his offer.

I proceeded to leave my name, my phone number, the litany of my experience with the Yahoo! customer service, and my expectation that the domain, cooasrt.com, should be disabled within 12 hours of my leaving the message.

Then I noticed something about the bounced emails from the abuse addresses - they all contained a "cleansed" version of the original emails. So I took the latest bounce reply and forwarded *it* to the three abuse emails that I had been given. I included a small blurb about my dissatisfaction with Yahoo!'s abuse process. Lo and behold! That email did not bounce back.

When my wife checked this morning, the domain was disabled - the DNS record had been cleansed. I haven't received any reply from Yahoo! nor do I expect any.

What leaves a bad taste in my mouth is the fact that I received the email at all - if the filters on the Yahoo! servers were able to block it for the abuse addresses, then why didn't they block it for all Yahoo! addresses? Why does Yahoo! make it so difficult to report the situation? It wasn't like I was attempting to invade anyone's privacy.

This site was so polished - it looked just like PayPal's home page, including the Verisign logo in the middle. If my mail client had worked like MS-Outlook, it would have opened a browser without the toolbar. Anyone looking at the page at that point would have had *no* way of knowing they weren't looking at the real PayPal site.

I'm writing this long post in the hopes that maybe, just maybe, more people will get on the butts of the webhosting companies everywhere to make the reporting of abuse and fraud a lot easier.

What I feel should be done:

1. All webhosts should be required by the Domain Registrars to provide active phone numbers in the Technical POC section of DNS records.
2. Webhosts and Internet Providers should all provide multiple mechanisms for the reporting of abuse and fraud - simply providing an email address, like Yahoo! does, is *not* good enough.

Ok - I think I'm done ranting now. Thanks for reading.
azerthoth

Jan 12, 2007
7:47 AM EDT
Darren, I would like to point out that you may have saved a few people a much larger headache, and they might not even know that they were saved. For as much trouble as you went through, and I agree that there could be an argument for Yahoo's complicity, cleaning up the problem had some poor sap gone for it would have been a possible nightmare.

So for them, the unknowing and unwashed masses, I thank you. You did a good thing and I at least appreciate your actions and determination. Maybe if more of us actively fought back instead of just deleting, we could make it not such a lucrative business.
DarrenR114

Jan 12, 2007
7:53 AM EDT
On a lark, I just clicked on the link in the original email - it sent me to a whole new domain: stunt322.com

Anyone have any ideas who to send this email to so that they can get these domains killed as the link redirection changes?

Here is the link in the email: http://ebay.doubleclick.net/clk;13012399;10693575;h?http://t...

I'm thinking that doubleclick.net should be involved somehow.
DarrenR114

Jan 12, 2007
8:08 AM EDT
FOUND IT ... the bastards are using a redirection HTTP at: http://trurnmeon.com/index.php

Oh yeah ... now the real fun begins.
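The link triage described in the first post (most links go to the brand, one does not) and the redirect-style link quoted above (a tracking URL carrying the real target after `?http://`), as an added Python example that is not from the thread. The sample email body and its `.invalid` hosts are constructed placeholders, not real indicators.

```python
"""Triage links in a suspected phishing email (added example, not from the thread)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote
import re

# Constructed sample modelled on the post: two links to the claimed brand,
# one to an unrelated host, one redirect-style link with an embedded target.
SAMPLE_EMAIL = """<html><body>
<p>Your account will be terminated. <a href="https://www.paypal.com/help">Help</a></p>
<p><a href="http://www.paypal.com/security">Security center</a></p>
<p><a href="http://example-phish.invalid/login">Activate Your Account Now</a></p>
<p><a href="http://ad.example.invalid/clk;1;2;h?http://redirect-target.invalid/index.php">Log In</a></p>
</body></html>"""

class _LinkCollector(HTMLParser):
    """Collect every href from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

def extract_links(html):
    p = _LinkCollector()
    p.feed(html)
    return p.links

_EMBEDDED = re.compile(r"(https?://[^\s\"'<>]+)")

def embedded_target(url):
    """Return a URL embedded in the path/query of another (redirect-style), else None."""
    rest = url.split("://", 1)[-1]          # skip the outer scheme
    m = _EMBEDDED.search(unquote(rest))
    return m.group(1) if m else None

def registered_domain(host):
    # Naive: last two labels. Fine for .com; a real tool should use a public-suffix list.
    return ".".join(host.lower().split(".")[-2:])

def triage(html, brand_domain):
    """Return (href, final_target, verdict) per link; verdict is 'brand' or 'suspect'.
    Redirect-style links are judged by their embedded final target, not the outer host."""
    out = []
    for href in extract_links(html):
        final = embedded_target(href) or href
        host = urlsplit(final).hostname or ""
        verdict = "brand" if registered_domain(host) == brand_domain else "suspect"
        out.append((href, final, verdict))
    return out
```

Any 'suspect' verdict is the link to look up (WHOIS, nslookup, hosting provider) before the email is forwarded to the brand's abuse address.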
jimf

Jan 12, 2007
8:48 AM EDT
Phishing is nothing new. Maybe I'm a Luddite, but I've always had the idea that email is pretty much a text based thing. As a result I've pretty much always used a text based client which eliminates 90% of phishing and makes the rest pretty simple to spot. I strongly recommend this as a definitive answer to a lot of email problems. Sylpheed-claws-gtk is my first recommendation as a text based client. Lots of connection, viewing options, and plugins. Claws gives nothing away to the html based junk clients.
DarrenR114

Jan 12, 2007
9:08 AM EDT
jimf -

I absolutely agree about email being text-based with the exception of attachments.

In this case, I am talking about receiving email at my Yahoo! address, which is browser based.

I have 2 other emails that I don't seem to have nearly the same problem with.

My biggest concerns here are twofold:

1. This email would be very difficult to spot as a fake by most people who simply use the internet.
2. Reporting the problem is made nearly impossible by Yahoo!

As for email with HTML - I'm afraid we're fighting a losing battle. The marketing people who drive much of the economy like the bells and whistles that they can push at their audience, and many in their audience don't know any different.
dcparris

Jan 12, 2007
9:34 AM EDT
Why didn't you submit your story for publishing here? If you don't, can I paste your story into our news queue? Literally, all you have to do is read the howto (http://lxer.com/story_howto.php) and use the link to submit the story. Don't put an external link, since it's an original story.

Paste the first paragraph into the Lead box, and the whole text of your first thread into the Body box. You could include a link to this thread in the body text (just use the standard HTML tags). :-)
tuxchick

Jan 12, 2007
9:56 AM EDT
I second what Don said. How come you folks can all write beautiful, useful comments, but not take ten extra seconds to submit them as features? Make them LXer features! They'll live on in easy-to-find archives and make many readers happy! Like me! And wouldn't you rather have me happy? Hmm?
jimf

Jan 12, 2007
10:16 AM EDT
> In this case, I am talking about receiving email at my Yahoo! address, which is browser based.

And knowing that HTML web-based email (and Yahoo! in general) is the pits, why are you using it in the first place ;-)

>As for email with HTML - I'm afraid we're fighting a losing battle. The marketing people who drive much of the economy like the bells and whistles that they can push at their audience, and many in their audience don't know any different.

You're probably right, but I think we can and should be advising people to avoid HTML and browser-based email. As for those who insist on remaining ignorant and buying into the trendy crap.... the same group that enables viruses in the Windows world. I have little sympathy.
DarrenR114

Jan 12, 2007
10:21 AM EDT
To be honest, I didn't really consider it "feature" worthy. But I did consider the experience important enough to share in some way. I'll do like you said, Don, and submit it as a story ...

Thanks.
DarrenR114

Jan 12, 2007
10:46 AM EDT
jimf - I actually have 3 main personal email addresses - I've layered them along the same lines as our personal zones:

Zone 1 is the outside, or public zone - that's my yahoo.com address. They've gotten pretty good about filtering spam into its own folder, and it doesn't count against my 2Gig of storage.

Zone 2 is my private zone - that's my gmail.com address. I pass that along to personal acquaintances and work colleagues. I get very little spam here, and gmail is very good at filtering it out for me.

Zone 3 is my intimate zone - that's my rr.com address, and no one but family and *close* friends get that one. I don't get much mail here, but the filtering sux. About once a week, I end up deleting 6 or 7 pieces of spam.

Like I said in my original narration, I normally ignore emails like this in my zone 1, but this particular one was so much better done than normal, it was almost a work of art.

My wife's grandmother has harped on about getting a computer, but those of us who are in a position to help her all refuse - she would be one of those individuals activating her PayPal account and helping those poor families of people in Africa who were assassinated, but not before leaving a fortune to their family who need our help to get to the money. There are many people out there like my wife's grandmother that *do* have computers. And they do have my sympathy, because there aren't enough people out there like you and me to protect them from people like Steve Ballmer and Michael Dell.
