Ask the Internet Abuse/Fraud Investigator

These always seemed fun.

My friends call me “dewbie” for short. I’m a dyke. I’m 29. I work for a large ISP.

I began my internet exposure surfing at my 4th year of college at Humboldt State University, using linux shells, gopher, pine, lynx, telnet. Full image browsing was a bit slow on the school network back in the mid-nineties, but I spent a lot of time eagerly watching the pages slowly load. I’ve always found text-only chats, information browsing and e-mail my default preferences.

I was a pre-veterinary Zoology undergrad at the time. I first got goosebumps about the potential of this amazing medium when I was able to pull up digital photographs of a horsehead that had been sliced in cross-sections about an inch thick (Anyone remember that scene in The Cell ?), from a veterinary school in Australia. I was wanting to expose a very bright elementary school girl that a friend and I were mentoring to what online research had to offer, and I was blown away myself.

So 6 years of college and a few life decisions and “real world” years later (including deciding against Veterinary School) I found myself working as a Customer Service phone rep for MindSpring. That was the winter of 1999.

6 months later I was working the Abuse desk, investigating complaints of Appropriate/Acceptable Usage Policy violations, enforcing those policies. For 4 years I was nuking spammers from orbit…ping-flooding the script kiddies off of our network…constantly beating back the flood of fraudulent and abusive accounts that are set up with stolen identities, forged financial information,…cherry picking the victims of the pests stealing service via the good old standby of cracked usernames/passwords…having countless surreal conversations with the chronically virus-infected…

“Yes, it is nice to talk to you again. Mrs. Smith. Ok, remember last time we spoke? I told you that if we had further reports indicating your computer was still infected that we’d have to terminate your account? Yeah…so can you put little Timmy on the line please? Thanks…”

Then last year I was presented an opportunity to shift my focus to combat Fraud with a capital F, or should I say capital Ph. Phishing is the hot exploit of the moment. It is quite the mix of all of the old favorites. Sleight of hand, subtle deceit, the confidence game, the finesse of social engineering, the manipulative scare tactic, the demise of the gullible. Toss in a metric-assload of spam, and a healthy dose of browser exploits, and it is hours of family fun. When not fishing for phishers, I handle pretty much whatever our customers define as “online fraud”. Never a dull moment, as they say.

So if anyone has any questions about internet abuse and fraud, shout 'em out. If I don’t know the answer, I will do some digging.

What is the best part of your job?

How did phishing get its name? Does it have anything to do with the band?

These are fun, I think, and thanks for starting this one. :slight_smile:

I have a question for you about why a Yahoo! account I started up recently was deactivated, and why Yahoo! won’t talk to me. (I think they thought the account was owned by a spammer, but they were wrong, and I’d really like to convince them otherwise. But they don’t provide any contact info, as far as I can tell, and their only response to my feedback forms was to send me a link to a survey asking me to evaluate how they resolved my problem.) Should I go into more details, or are the vagaries of another service beyond your control? :slight_smile:

Thanks!

I’m an Admin at an official site/postboard for a popular rock group (not some Ezboard–although I have a personal board too), and my question pertains to the abuse investigation side of ISPs.

It seems that the “abuse@whateverISP.com” --the address that they provide when researching IP addresses from banned people and other offenders–do they actually give a damn? (forgive me for that, I really was frustrated with a few of them).

Recently some poster posted a thread in which he asserted that he had murdered his mother and her body was in the bathtub in the house. Now, naturally I have no way of knowing if this is the truth–no one did. However, members reported the post in question, and I got ahold of it. The poster was put on moderation for the time being, the thread closed, and the IP address recorded.

I used an IP locator which revealed the IP as originating from a town in England. I also found the ISP provider for that IP address, and immediately e-mailed them from our official e-mail, and provided the link to the thread in question, and the IP address.

Half an hour later I get a reply that says I should contact my local police department. Hello? I’m in Hawaii, this murder which may or may not have happened, is somewhere in the UK. What, exactly does the ISP expect HPD to do about it? WHY DO THEY HAVE AN ABUSE EMAIL??? I was absolutely confounded, and wrote another e-mail, explaining that my local police department couldn’t really do anything; at least anything that could be remotely effective in this scenario.

They replied back, telling me they were “sorry”. And that was it. :confused:

So, uh…I guess my question is…why are there even abuse departments when they don’t DO anything?

Anyway, that poster never came back, and people in that area said that there were no incidents in the local news…at least nothing they have heard of…yet.

There were other similar incidents which have been reported to different ISPs, and the same result: utter indifference and “noreply” type replies.

I’m a Libra so this might take a while…

The folks I work with. You can’t beat what a few hundred internet geeks find online or talk about around the water cooler. It is a mad, mad world.

Applying ecosystem management philosophy to the corporate beast. It really is like a living, breathing animal. Ok…or perhaps a huge collection of symbiotic slime molds, fungus, and bacteria. Always the bio-geek at heart.

Helping people understand what technology has to offer by teaching them how to defend themselves out in the ether. I think there is a significant gap in the comprehension of the impact of technology on our world. We owe it to ourselves to try and bridge that gap before it leaves too many of us behind. We need all of the humanity we can get to try and keep one step ahead of “progress”, IMHO.

As for Mr. Blue Sky’s question:

Nothing to do with Phish actually. There’s always some debate about such things, but my vote for most likely goes to the early campaigns where AOL customers were targeted, often by other AOL users, for their screennames and passwords in order to hijack them for free service. The hook was e-mail or messenger, the bait was content written to mimic what could be an “official communication from AOL” asking for “confirmation of your username and password for our records, in order to keep your account active”. Lo and behold, there were nibbles. Not exactly “fishing”, but pretty damn close, and “phishing” was born.

As for the ‘ph’ aspect of phishing, it probably goes back to the early days of telecommunication hijinks perpetrated by “phone phreaks.” The replacement of ‘f’ with ‘ph’ was a way of denoting an activity that’s been given a high-tech spin. “Phishing” could be a logical extension of that.

Great thread, though! And I did come prepared with a question. :slight_smile: What kind of verification (if any) is done to keep people from having 50 different email addresses? Or a hundred? Is that even an issue for ISPs?

Thanks!

EZ

How often do you see “socks” on your ISP, people who, after their accounts are terminated, keep coming back and sign up under a different name/address or other information? Is there a “blacklist” of persistent spammers and other Internet abusers that is maintained in some sort of master database used by all ISPs to try keeping problematic users offline for good?

What are the most clever spam tactics you are seeing people using these days? What percentage of accounts are terminated due to spamming or other forms of abuse?

Do you take responsibility for terminating an abuser’s account when their actions involve a third-party service (such as a message board) if their actions are not directly connected to your ISP?

Free relationships such as a Yahoo! account are not based on a financial contract between you and Yahoo!; it is a financial relationship between Yahoo! and their advertisers. That being said, they don’t have to have more than a whim to end that relationship between any given login name and their network. Once that relationship is inactive, they have no way to confirm that you were indeed the person who used the account that you reference.

Did they ever communicate with you prior to the account being closed? Free account providers often don’t give you the courtesy of a warning, but some do.

The abuse contact address for most (responsible) networks is simply abuse@domain_name, as LolaBaby mentioned. You may be able to get a cursory answer from that address, or you may just get an auto-response. I’d still read the response, as they often do have decent information buried in them.

Some Abuse desks do. Some are busy putting out bigger fires, some are understaffed, some are neglectful, either because they’re big enough to be sloppy or they’re ignorant. (Those are the ones who won’t be in business for long)

An Abuse desk doesn’t have a crystal ball either, and they have the privacy of the poster in mind. People say crazy stuff online all the time. Abuse desks are not law enforcement and therefore deflect law-enforcement issues to the proper authorities.

I would have told you to contact law enforcement local to the subject in question, not local to you. A concerned private citizen with a report is one thing. An ISP calling up the cops saying, “Someone using the user ID of Mr. Green, who lives at 1234 Cherry Lane according to our records, just made a reference to killing his mother in a chat room.” Sometimes it might very well be a law enforcement communication between your local law in Hawaii and the local law overseas, though I doubt that level of cooperation would often arise from something like the bathtub example that you use.

There are exceptions for child porn. If we receive any reference to child porn, we have to pass on any information provided to us directly to law enforcement, but even then we don’t provide customer information without a subpoena.

The Abuse desk exists to prevent users of that network from being abusive to other networks. As I said before, they are not law enforcement officers and have no authority or ability to determine the validity of, or take action in, a law enforcement issue, unless asked to do so in an official, legal manner by law enforcement.

Departing from law enforcement issues and moving to general “network unfriendly activity”… message board, IRC, and chat room disputes are not going to receive the same priority as high volume spammers, large DDoS bot-net attacks, or high-level hacking issues. Some exceptions would be if a network is being blocked in such a way to generate a lot of complaints from customers trying to access the blocking network. Abuse desks are trying to keep their network in good standing with other networks, so that their customers are able to access as much of the internet as possible.

Abuse desks are also not the first line of defense against message board Abuse. The first line of defense are the usage policies and charters of the newsgroups, message boards, etc. Only issues that cannot be resolved using the policy enforcement of the boards should be escalated to the Abuse desk level. If the abusive behavior stops once you ban a username or block an IP, that is a victory without having to appeal to a high-volume Abuse desk. If the perp keeps changing screen-names or IPs, the admins can start blocking more aggressively against whatever network the perp is connecting from; that is the administrator’s prerogative. If the blocking becomes significant enough that other users of the perp’s network are impacted, that is when you will be more likely to start interacting with an Abuse desk to rectify the problem user’s behavior. Warnings may be sent, accounts or connectivity may be terminated, etc.

Assuming ISPs with service fees, for the most part, as long as the individual is paying for all of the addresses and not violating any policies with those addresses, he/she can have as many as he/she wants.

Did you have a specific example in mind where one person’s use of multiple addresses has enabled or complicated an abuse issue? Perhaps I can give a more robust response if I had some more details to chew on.

Constantly. Stolen credit profiles, complete with name, address, phone number, credit card numbers, the three digit number on the back of the card, etc…all of these things are readily available and traded like currency in a black market of sorts. These profiles come from phishing as well as the old-school method of dumpster diving, or unscrupulous employees at merchants and restaurants. A true serial spammer or serial fraudster is only limited by the number of functional credit profiles that he has access to. The profiles are “good” as long as the victim has not reported anything to their credit card provider.

There are many such lists, lists of open relays, lists of networks who “cater” to spammers, or who are unresponsive to abuse/spam complaints. Lists of spamhausen. However, it can be relatively easy to stay “in business” as a spammer by changing the name of your company or the type of spam that you send on a regular basis. Fighting abuse requires vigilance, and there will always be networks who are more lax than others.

Each network is free to pick and choose which lists they wish to subscribe to and how they choose to use those lists on their own network. Some cost money, some are freely distributed. A good list is updated regularly, doesn’t result in overly-broad draconian blocking, and hopefully does some regular QA on the list content.

Using zombie/bot networks to relay their spam. With so many trojan-infected and compromised systems available on always-on broadband connections, they’ll be able to do this for a long time.

It fluctuates all the time. If we’re being targeted by a serial operator, we can shut down multiple newly spawned accounts daily. We either have to wait until the spam starts spewing out of our mailservers to trigger alarms or generate complaints. If we aren’t being actively targeted the proportion can drop sharply.

Yes. Regardless of whether the IPspace of our network is actively being used to send spam or perpetrate abuse, if one of our e-mail addresses or domain names is used to facilitate network unfriendly activity or collect responses/revenue from such activity, we treat the account with the same level of policy enforcement consequences.

If the third party can provide sufficient evidence that our subscriber is using our network’s IPspace or domain names to cause problems, and they are uncooperative to attempts at adjusting that behavior, we will take steps depending on the severity of the abuse and the history of the account.

Most investigations are on a case by case basis. We don’t necessarily want to terminate a problem account if it is merely compromised. If we change the password and educate the account owner, we get to keep the monthly fee coming in to our coffer, the customer keeps their account, the abuse stops and the unauthorized user responsible for the abuse is no longer able to access the account that was used.

Thank you very much, honeydewgrrl.

So, I’d have to contact my PD and get them to contact them, then? Not very comforting if something was life and death, but there are too many kooks out there, I guess. :expressionless:

I’d heard the joke that “phishing” was used because you are directed to a web page that looks like the real thing, but isn’t just like Phish (the band) acts like the Grateful Dead, but isn’t.

Phish might not be The Dead, but they still put on a helluva show and have plenty of folks willing to follow them around. I can’t find anything on their site right now, but I’ve heard rumors that they acknowledge the other uses of their namesake from time to time.

I’m doing a shameless bump and encouraging any Sys Admins reading to please chime in with their perspective on any questions asked. When a network cannot have a team of people devoted to abuse and fraud, these tasks are often undertaken by System Administrators. It is an even tougher job if you can only do it part time, especially when trying to maintain an educated base of users. Woefully ignorant users can flog the holy hell out of even the best network.

I once was handed on-line information about a very serious crime in a foreign country. Though I had no clue whether the story was true or not, I contacted directly the local police in the town where the crime was supposed to have been/being committed (Hull, IIRC, in Canada). I also asked a Canadian online friend to call them too in order to make sure there would be a follow-up, since I got the feeling when I talked to them that they weren’t taking the issue very seriously.

There’s no particular reason why you should contact your local police department (which can’t do much apart from calling the other country’s police, if even they bother doing so, and possibly in this case there could be other issues…I don’t know if local police in country A would call local police in country B, or would call national/federal police in country A who then would call national police in country B, who then…etc…), rather than the local British police which is much more likely to be interested.

By the way, in my case, the crime was for real.

Wow, that’s scary to think about. It just shits me that “what if it was something that could have been prevented or the perp caught if it was taken seriously?” ya know?

There was also a perv posting there who was trying to prey on the underaged girls–he’d get them in an MSN or AIM chat–and he would even masturbate on a webcam to them. We’re still working with some people on that case.

I have a small server running behind a Linksys™ Router/Switch for some stuff I put up for family. On my log viewer under outgoing I get an occasional one showing that the server did thus:

04/14/04 12:57:22 192.168.1.XXX 80 129.100.220.83 1933

Which says to me that my server at that time went out over my source port 80 to that addy on destination port 1933 .

Neo trace resolved it to

            London ON N6A 5B7 Canada

Admin-Phone: 1 (519) 661-2151
Admin-Fax: 1 (519) 661-3486
Admin-Mailbox: debbie@uwo.ca
Tech-Name: Network Operations Centre Network Operations Centre
Tech-Title: Network Operations Centre
Tech-Postal: University of Western Ontario
Information Technology Services
Natural Sciences Centre Room 108
London ON N6A 5B7 Canada
Tech-Phone: 1 (519) 661-2151
Tech-Fax: 1 (519) 661-3486
Tech-Mailbox: noc@uwo.ca
NS1-Hostname: ns1.uwo.ca
NS1-Netaddress: 129.100.2.12
NS2-Hostname: ns2.uwo.ca
NS2-Netaddress: 129.100.2.51

So, is this somehow my server being used and if so, for what?

Thanks. Interesting thread…
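As an added illustration (not from any poster in this thread), a small Python triage script for router log lines in the format quoted in the post above. It assumes the columns are date, time, LAN IP, LAN port, remote IP, remote port, and applies the usual connection-tracking heuristic: a LAN host sending from a service port (80) to a high remote port is answering an inbound visitor, while a LAN host sending from a high port to a remote service port has initiated the connection itself. The sample log and the port sets are constructed for the example.

```python
"""Triage outgoing-traffic entries from a consumer router log.

Assumed column layout (modelled on the line quoted in the post):
    date time lan_ip lan_port remote_ip remote_port
The classification heuristic is standard for stateful-firewall logs;
it is this example's assumption, not a statement from the thread.
"""
from dataclasses import dataclass

# Service ports a small home server might listen on (constructed set).
SERVICE_PORTS = {21, 22, 25, 80, 110, 143, 443, 993, 995}
# Client-side (ephemeral) ports start at 1024 on most stacks.
EPHEMERAL_START = 1024


@dataclass
class Flow:
    date: str
    time: str
    lan_ip: str
    lan_port: int
    remote_ip: str
    remote_port: int


def parse_line(line: str) -> Flow:
    """Split one log line into six columns; raise ValueError if malformed."""
    parts = line.split()
    if len(parts) != 6:
        raise ValueError(f"expected 6 columns, got {len(parts)}: {line!r}")
    date, time, lan_ip, lan_port, remote_ip, remote_port = parts
    return Flow(date, time, lan_ip, int(lan_port), remote_ip, int(remote_port))


def classify(flow: Flow) -> str:
    """Say what the logged packet most likely is.

    reply-to-inbound    LAN service port -> remote ephemeral port:
                        the server is answering a visitor (e.g. a web hit).
    outbound-initiated  LAN ephemeral port -> remote service port:
                        the LAN host opened a connection itself.
    unusual             anything else; worth a closer look.
    """
    if flow.lan_port in SERVICE_PORTS and flow.remote_port >= EPHEMERAL_START:
        return "reply-to-inbound"
    if flow.lan_port >= EPHEMERAL_START and flow.remote_port in SERVICE_PORTS:
        return "outbound-initiated"
    return "unusual"


def triage(lines):
    """Classify every well-formed line, silently skipping ones that do not parse."""
    verdicts = []
    for line in lines:
        try:
            verdicts.append((line, classify(parse_line(line))))
        except ValueError:
            continue
    return verdicts


# Constructed sample log; the first line mirrors the one in the post.
SAMPLE_LOG = [
    "04/14/04 12:57:22 192.168.1.10 80 129.100.220.83 1933",
    "04/14/04 13:02:05 192.168.1.10 1045 198.51.100.7 25",
    "04/14/04 13:03:41 192.168.1.10 6667 203.0.113.9 6667",
]

if __name__ == "__main__":
    for line, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:18} {line}")
```

Only the "outbound-initiated" and "unusual" verdicts describe the server reaching out on its own; a steady stream of those to hosts you do not recognise is the thing to investigate.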

honeydewgrrl,

What’s your avg turnaround time when responding to third parties who notice copycat sites on one of your network’s domains?

I work for a site that commonly encounters this and the response time varies from hoster to hoster pretty widely.

Thanks