Phishing Phor Phishers

Phinding Nemo!

A funny thing happened to me on Tuesday.

Well, really it happened to my wife. But I hear being married is all about sharing.

We had just finished dinner when she casually mentioned we were getting a tax refund.

“Oh?” I responded…

“Yeah, I got an email”

“OH???????”

I immediately had a sinking feeling.. had she been PHISHED?

How aLUREing!

I asked if she’d given her credit card number out?

“Yes.”

Social Security Number?

Yes.

MY Social Security Number?

NO! Sheesh, what do you take me for?!

Which credit card?

Our Visa check card.

Oi! That’s a bad one! I’m not sure the kind of fraud protection we have on it, and it’s tied to our bank account directly!

Before even inspecting the email, I called in and had them cancel the card. Hooray, no charges had gone through yet!

Honey, didn’t I warn you before about PHISHING scams?

Well, yes.. but I forwarded it to you on Monday and you never wrote back! So I just did it.

I never saw that email! (Sure enough.. it was caught in my spam filters. Makes sense!)

Couldn’t you have called me on the phone or even asked me in person on Monday night or Tuesday morning?!

I forgot about it until I checked my email again!

Anyway.. let me see the email you got.

And here it was..

Date: Mon, 28 Aug 2006 11:58:14 -0500
To: joshswife@yahoo.com
Subject: Tax Information – joshswife@yahoo.com – (Code 7863-3843)
From: “IRS.gov” Add to Address Book Add Mobile Alert

God bless the IRS!

Account : joshswife@yahoo.com Number : 7863

After the last annual calculations of your fiscal activity we have determined that you are eligible
to receive a tax refund of $191,40. Please submit the tax refund request and allow us 5-7 days in orders to process it.

A refund can be delayed for a variety of reasons. For example submitting invalid records of applying after the deadline.

To access the form for your tax refund, please click here.

Regards,
Internal Revenue Service

Here are the immediate red flags that go off in my head when I get emails like this:

Right off the bat, any email I get from an address I’ve never received one from before has a 99% chance in my mind of being a spam, scam, or some kind of an annoyance.

I never get tax refunds! Ever ever ever. It’s not fair.

The IRS and state taxing authorities don’t send notices via email.

The IRS and state taxing authorities don’t have my email address.

They DO have my name and SSN, and would probably put those in an email, IF they had my email address and IF they sent emails.

There’s a typo in the email.. it says “of” where it should have said “or”.

They used a comma instead of a period for the decimal point in the dollar amount! That may fly in Europe, but god bless the IRS, this is America!

The link takes you to thistlejack.com!

But, believe it or not, my wife is not stupid. In fact, she has a PhD from Harvard!

Not my wife.

For real.

Too bad she doesn’t run a web hosting company!

There’s no better training against phishing scams than having dozens of fraudsters a day attempting to send them from your servers!

But for the rest of you LOWLY Internet users, phishing scams work. And I think I know why:

They send a lot of phishing emails.

Just by sending a lot of messages, they’re going to catch a tiny percent of people who were specifically waiting for that email!

Even the almighty Josh nearly fell for an Ebay phishing scam once when I got the phish the very moment I had just won an auction.

And of course, a tiny percent of people are going to go for it even when they weren’t expecting an IRS refund, a paypal payment, or an ebay auction.

They prey on people’s greed or fears.

To my wife’s credit, (she claims) there were a LOT of red flags and alarms going off in her head while she filled out that form. But the lure of the $191,40 was just too strong!

And we’re rich!

People are getting really comfortable with “e-commerce”.

My wife doesn’t really care too much about giving out her credit card info online. Really, why should she? You’re not generally liable, and we should have the replacement card in the mail tomorrow. I do wish she was a little less comfortable with giving out her SSN though…

The thing is, how often in the real world do you come across an individual or business who is really trying to scam the crap out of you? Hopefully not too often in this country at least. It just doesn’t really happen. But on the Internet, it really does happen. Millions of times per day.

Fortunately, a lot of people are still deathly afraid of this “Internets”, and won’t give out anything to anybody! Or maybe that’s not fortunate.. because really, you’re not generally liable.

People are technically naive.

Honestly, it’s pretty easy to look at a URL and know if it’s legit.

Or is it?

I was trying to explain to my sister-in-law how to know. Basically the best I could do was “If the VERY first part of the URL is the correct domain name, and only the domain name, and doesn’t have a dash or something before it, but it’s okay if it has a dot before it, as long as it doesn’t have a slash before the dot, then it’s the right site!”

In fact, my wife was even like:

Well, I knew thistlejack.com wasn’t irs.gov, but you know how sometimes websites link off to some other server for their payment processing? And when I clicked all the links on the site, they were legit.

Because the links WERE to irs.gov!

Even the fact the page wasn’t secure didn’t faze her!

What was I to do?

I already canceled the credit card. But I wanted more! I wanted to shut this guy down, and I wanted to make sure nothing happened to my wife’s SSN.

First, I did a whois lookup on thistlejack.com and called the owner, Mr. Robert Stirling.

I knew he wasn’t the phisher. Nobody in the US phishes, and nobody uses real contact info when registering a domain for phishing! It looked like from the URL that the phisher had exploited a hole in a photo gallery script he had installed. (Which is why we have mod security for our happy hosters!)

Fortunately, he answered the phone.. I explained the situation and he was very, very, cooperative and helpful!

He logged in to his domain, took the phishing site down (it’s down now), and then at my request emailed me the source code for their web form. I wanted to see what was happening to the data.

Just as I might have guessed, it was being emailed off to two separate anonymous yahoo.com email addresses.

I immediately emailed abuse and postmaster@yahoo.com, got a tracking number back and started waiting. And waiting. (I’m still waiting…)

I couldn’t wait anymore!

I had to do something (besides call the credit reporting agencies and tell them what happened)!

And then it hit me!

Maybe I could fill this jerk’s mailboxes with enough BOGUS DATA that he’ll just give up on it all and not realize that my wife’s info was for reals!

Of course, it wouldn’t be too hard for him to realize all submissions after a certain time were fake.. but hey what did I have to lose?

I took the source code from that script and made up my own that sent an identical email to those two addresses, but with randomly generated info!

In this picture, are you on the left or right? I know that I'M on the left!

It was fun!

I set it up with a cron job to run every 20 minutes (but I put a random sleep of 1-20 minutes at the front so they didn’t come in too regularly).. it’s still going right now.

I’m going to keep it going until I hear back from Yahoo!.. and just FYI, here’s the output they were receiving from their phish:

Date: Thu, 31 Aug 2006 16:58:15 -0700 (PDT)
From: thistlej@server4.whmsecure.com
To: phisher@yahoo.com
Subject: IRS – Full

[ . . . : : : IRS FOUNDS : : : . . . ] Social Security Number: 356 – 00 – 0258
Name On Card: Robert Rieger
Card Number: 6105341453830068
Expidation Date: 12 / 2007
CVV: 123
PIN: 5702
[ . . . : : : IRS FOUNDS : : : . . . ]

(Don’t worry, that’s a fake one I generated!)

In closing…

Phishing scams are pretty darn effective. They’re tricky, and they’re lucrative!

Or do!

Anyway, my wife’s pretty embarassed about the whole thing and made me promise not to tell anyone.