A sobering example of the problem of trying to separate the wheat from the chaff when it comes to law enforcement and public safety…the guy who spotted the Ohio sniper in Las Vegas had to repeatedly try and report it to law enforcement. He spoke directly to the people with the training, authority, and resources to take action, and he had to be persistent and keep calling back.
This is exactly why Abuse desks (staffed by folks who do not have the training, authority, or resources to take action on law enforcement issues) stress the importance of involving law enforcement as quickly as possible. It isn’t that the allegations aren’t taken seriously. We are in no more a position to do something proactive than the reporter is, and injecting another middle-man in the exchange of information only delays the start of any investigation or action.
The system is so clogged with what John Q. Public perceives as being an issue worthy of law enforcement’s attention, that truly urgent issues are often overlooked, IMHO.
Port 80 handles http traffic, and with a little digging, I came up with this on destination port 1933:
xmapi 1933/tcp IBM LM MT Agent
xmapi 1933/udp IBM LM MT Agent
xmapi = eXtended Messaging Application Program Interface (API)
This doesn’t scream network unfriendly or exploit to me, especially if it is an isolated log as opposed to having pages and pages of similar traffic.
Here is a decent firewall forensics site, where you can find help dissecting logs and better understand what specific logs and port numbers mean.
One thing to always keep in mind if you notice activity that resolves to applications or services that you don’t use or recognize…if you’re on a dynamic IP, your IP may have been recently assigned to someone else who was just communicating with the same host now attempting to connect with you. There may be a delay as the remote system realizes that the previous conversation is no longer happening.
I assume that you’re referring to a hypothetical “phishing” site being served up on our web hosting farm?
Since we and our customer base are targets for phishing, we have high sensitivity to this issue. Once we are aware of such a fraudulent site existing on our network, we’ll usually have the site offline well within an hour, usually within a few minutes. Our Abuse desk is not quite 24x7, but our network operations center is. Responsibility for such action is split between these two groups.
Our experience as the entity requesting removal of fraudulent sites is the same as yours. Some hosting providers respond quickly, some don’t. Sometimes we have to move upstream to get anything done. Compared to a financial institution or online merchant who is trying to protect their customers by requesting a phisher site be removed, larger ISPs do have a value-added negotiating chip at their disposal, “Take down the site ASAP, or your network goes dark for all of our subs…your choice…”.
Oh, yes, I do know. The thing lasted for perhaps two weeks, and worried me a lot. That’s also why I asked this Canadian woman to call the police too. I needed to be sure they would investigate.
What are the giveaway tells that something is likely to be a product of phishing?
It’s my impression that a lot of the joke, virus, activist e-mails that people send me are fishing for e-mail addresses that are retained in the forwarded message. Eventually, they make their way to a spammer and they add those addresses to their lil’ black books. Does this at all resemble the way things really work or have I become too paranoid?
If you could address all the newbie computer users in the world with regards to basic internet security, what would you tell them?
Some off the top of my head, in no particular order of significance:
[ul]
[li]Exclamations in the Subject!![/li]
[li]Random characters in the Subject %%#GGjjs[/li]
[li]From: address domain is different than the company being targeted. (i.e. Phisher targeting/impersonating AOL uses address of “aolbilling@msn.com”)[/li]
[li]Poor spelling and grammar in both subject and body of the e-mail.[/li]
[li]Message about billing issues falls outside of the normal billing schedule/amount. (i.e. you know you just paid the bill three days ago, from your bank statement, where the charge was $19.95. An e-mail arrives the next week, saying that “there’s been a problem charging your monthly fee of $21.95 to your credit card.”)[/li]
[li]You have never registered or used the site where you allegedly have an outstanding billing issue. (i.e. you won’t touch eBay with a 10 foot pole, so how could you need to “verify your eBay” account information?)[/li]
[/ul]
Many of these things can also indicate viral traffic, as many viruses now come pre-packaged with similar “shock and awe” content. Apparently people are more likely to open an e-mail if they think they’re in trouble or may be over-charged or have an interruption of service. Who woulda thunk it.
The most important advice to be given is, when in doubt, call the company you have the relationship with and confirm the status of your account. While you’re at it, confirm what they will and will not request from you via e-mail, what the web page looks like where your information will be requested, how they would phrase their mail.
However, the phishers can easily gain access to the same templates. Some are very slick, they leave no trace, they are perfectionists. Many folks will be sitting ducks for these guys, but there are some sharp counter-phisher intelligence folks too. As the fight against spam has been a constant ebb and flow from the good guys to the bad guys and back…the same is happening with phishers.
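As an added illustration of the tells listed in the post above (this is example code, not something from the original thread), here is a small Python checker that runs those heuristics over a raw e-mail: exclamations and junk characters in the Subject, a From: domain that does not match the brand named in the message, urgent billing language, and a brand you hold no account with. The brand table, the `my_accounts` set and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brands phishers commonly impersonate, with the mail domain the real company
# sends from. Constructed values for this example; extend for your own use.
BRANDS = {"aol": "aol.com", "ebay": "ebay.com", "paypal": "paypal.com"}
URGENCY = re.compile(r"problem charging|verify your|suspend|within \d+ hours", re.I)


def _plain_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return " ".join(chunks)


def phishing_tells(raw_message, my_accounts):
    """Return the tells triggered by an RFC 822 message as a list of strings.

    my_accounts: set of BRANDS keys you actually hold accounts with.
    """
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    text = (subject + " " + _plain_text(msg)).lower()
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    tells = []
    if subject.count("!") >= 2:
        tells.append("exclamations in subject")
    if re.search(r"[%#$@*&^]{2,}", subject):          # e.g. %%#GGjjs
        tells.append("random characters in subject")
    if URGENCY.search(text):
        tells.append("urgent billing/account-status language")
    for brand, legit in BRANDS.items():
        if not re.search(rf"\b{brand}\b", text):
            continue                                   # brand not mentioned
        if from_domain != legit and not from_domain.endswith("." + legit):
            tells.append(f"From domain {from_domain!r} does not match {brand} ({legit})")
        if brand not in my_accounts:
            tells.append(f"message concerns a {brand} account you do not have")
    return tells


# Constructed sample messages (not real mail).
PHISH = """\
From: eBay Billing <ebay-billing@msn.com>
Subject: URGENT!! Problem charging your account %%#GGjjs

Dear eBay member, there's been a problem charging your montly fee of $21.95
to your credit card. Verify your eBay account within 24 hours or it will be suspended.
"""
LEGIT = """\
From: AOL <billing@aol.com>
Subject: Your monthly statement is ready

Your AOL statement for this month is available in your account settings.
"""
```

Running `phishing_tells(PHISH, {"aol"})` yields five tells, while the legitimate statement notice yields none; a real deployment would treat these as a score to review, not a verdict.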
I neglected to state my assumption in the above post.
Assuming the e-mail is warning of a billing or account status issue, threatening some sort of negative consequence if you don’t quickly comply with the e-mail’s instructions.
I have a question for the Internet Abuse/Fraud Investigator…
Do these stupid… sigh… PEOPLE… who open every piece of SPAM filth that they receive DESERVE to be bailed out? Maybe natural selection is a better option here…
Don’t think so. Many people aren’t very well informed about computer or internet-related issues. Say, your 75 y.o. great-aunt who began using the internet for the first time last year. Even forgetting about such an extreme example, many people won’t spend much time on the web, and won’t have many chances to be informed about the scams which are going on, the risks involved, the precautions one must take, etc…It’s not like it’s innate knowledge or common sense.
The only people who, IMO, deserve their fate are those who are willing to knowingly help some former African dictator/corrupted minister/whatever to secure money which has been stolen or embezzled. They are morally bankrupt, ready to become accomplices in a criminal act committed by someone who admits to being at least corrupted and sometimes worse, and deserve to have their dollars milked away. I possibly despise the “victims” more than the scammers, in this case.
I’d add multiple copies of the same message. Actually, I have never gotten a real message like this from any company I do business with, and because of phishing my guess is that they would be less likely to send any.
The last one I got I opened to see what would happen. You could see the url of the fake form had a “.ru” suffix - another giveaway. They also opened a window showing the real company website, so one should be careful about trying to judge the authenticity of where you are directed.
I do have a question - are you considering suing the spammers, and do you try to track the source? I had my email address hijacked a while back, which was annoying because of the bounce messages before I fixed my filter. Being on Solaris means that you don’t have to worry about your computer being compromised, though. For fun I tried to find the site listed in the spam, and it was gone. What’s the point of spamming when even a sucker couldn’t buy anything from you?
“Harvesting” e-mail addresses from such places is certainly a spammer technique, but I think it is more often due to the opportunistic philosophy of spammers. They’re piggy-backing on the exploits of hackers and script kiddies who probably have nothing to do with their spamming operations.
I got my first phishing e-mail the other day. It was very professionally done. I might have not fallen for it even if I hadn’t read your thread, but I certainly felt ahead of the curve thanks to you.
Way behind…I’ll try to catch up this weekend. Work is really busy, spilling over into my free posting time. One of the things I can happily share is a free toolbar application from EarthLink, available for download for all internet users who use Internet Explorer as a browser. The feature of this toolbar that I’m more intimately acquainted with is the ScamBlocker function, redirecting the browser to a cautionary page if you try to visit a url that is known to be a phisher.
Here’s something I’ve worried about: from one of your links, this article http://www.antiphishing.org/news/03-31-04_Alert-FakeAddressBar.html on faking the address bar in IE so that you appear to be at, say, your bank’s website, but you’re actually at the phisher’s site.
This scam works via an email link, according to the article. My question is, would it be remotely possible for me to open a new browser window, type in www.bankofamerica.com (for example), be taken to a phisher’s clever fake site and start entering my SSN and bank account #?
First of all, this particular exploit you refer to can be avoided by available patches/updates for your software.
An older article about an exploit, while full of good information, will be outdated quite quickly.
The way the exploit worked was to launch an IE window from a hypertext link within an e-mail. A hyperlink can be made to look like a legitimate website. I’ll give a quick demo using the features of this board, just in case it is helpful to anyone.
I’ll make a couple of links to straightdope pages with misleading hyperlinks.
So if you’re paying attention, you’ll see that clicking on the link that should have taken you to the Straightdope homepage, actually takes you to this thread.
You can often find these redirects in the sourcecode of html e-mails, or by mousing over the link, or by watching your browser’s location bar and the field at the bottom left hand corner of your browser screen.
The exploit bypassed this last method of phisher detection. The misleading hyperlink technique from above was applied to redirect people to a fraudulent link. Navigating to the fraudulent site triggers code that hijacks your browser location bar and rewrites it to look as if you are indeed at the exact link that you clicked on in the e-mail. Still with me?
So, to return to the specifics of your question, even if you navigated to the phisher site, but you opened a new browser window and hand typed Bank of America’s legit url, your second browser window will take you to the correct site. Your first browser window is now a fraud and should not be trusted. I’ve seen these get pretty buggy. Like when I’d try to navigate to an unrelated legitimate site after visiting a phisher exploit site, and even though I’d be on Google, the toolbar would read http://phisher.url.
Ok, I promise to answer the older questions in order now…
[ul]
[li]Keep your OS patched and up-to-date.[/li]
[li]Use a variety of login/passwords, and change your passwords regularly. Don’t choose “chucky” as your login everywhere you have an account, and don’t choose passwords like “chucky”, “password”, “123456”, “qwerty”. Don’t use dictionary words or straight number strings, as these are vulnerable to dictionary/brute-force cracking. Use a combination of letters, numbers and allowable symbols in your passwords.[/li]
[li]Run up-to-date anti-virus software at least once a week. There are many options available for purchase, and there is decent freeware available as well (I use http://www.free-av.com/ on my girlfriend’s HP). Also take advantage of any server-side AV filtering that may be available from your ISP.[/li]
[li]Filter for spam. Check with your ISP to see what anti-spam products/services may be available to you as part of your service. There are also many spam-filtering services that you can buy, and many that are also free. You can also sign up at http://www.spamcop.net/ and use the service to report your spam to the appropriate network.[/li]
[li]Install a firewall, configure it to a level of sensitivity that protects you, but doesn’t interfere with your usage habits. You can also sign up at http://www.mynetwatchman.com/ and forward the output of your firewall logs to the service to facilitate reporting network unfriendly activity to the appropriate network.[/li]
[/ul]
As often as I have been inclined to agree with you, my philosophy remains to educate folks so that they are no longer “stupid”. I want the internet to stay around. I don’t want it to become so polluted and risky that people stop using it.
Civil suits and criminal prosecution of spammers/phishers/hackers are certainly on the agenda of ISPs. We recently were able to win a civil suit and cooperate with a criminal investigation to nail the Buffalo Spammer.
The CAN-SPAM, while widely debated/criticized, has opened the door to prosecution a wee bit farther. EarthLink, AOL, Microsoft, and Yahoo! have recently joined forces behind this law to go after spammers.
There are many issues that make litigation/prosecution difficult. The perps are able to obscure their tracks by using compromised internet accounts/domains, compromised e-mail addresses, and compromised computers. When not using compromise as a method, they’ll use stolen credit profiles to purchase accounts, e-mail addresses, domains, etc.
The best way to track down the responsible parties is to follow the money. This requires a significant amount of cooperation between ISPs, Financial Institutions, Law Enforcement, etc.
“Seeding” spam and fraud attempts with fake, trackable payment information is one way to try and follow the money trail.
To answer your second question, the life-cycle of a spammer/phisher domain can be extremely short. They will only survive as long as they are undetected. However, since the perp has no out-of-pocket overhead, they don’t care if their site is only up for a few hours. Anyone who hits their site while it is alive is gravy, and they can just set up shop elsewhere.
Can you give any recommendations to a geek (computer engineer with a pretty strong background in Unix, networking, hardware and digital logic) on how to move from teaching all of this stuff into a more computer crime, or computer forensics kind of field?