On Friday evening, I received an email from Beth Givens of the Privacy Rights Clearinghouse reprinting an email message sent to the Clearinghouse. I've obtained permission from both Ms. Givens and the author of the original email to post it here:
Last week I received a Bank of America phishing email. Nothing out of the ordinary in that. If I have a spare moment, I usually look to see if the phishing site is still up, then do a DNS lookup and blast off an email to let the site owner know of the scam.
I figure that is more effective than whining to BofA (or whoever). Though I also cc the Bank's abuse address, too.
Call it my little piece of spare time electronic civic duty.
Well, last week's phishing was particularly sophisticated. So I became more intrigued than normal and did a little amateur digging. The email pointed to a hacked site in Singapore. Not too surprising. But the Singapore page was a re-direct script, and when you popped back up, the phishing site was actually on what appeared to be a zombie home PC in Canada.
More intriguing, the phishers had not done a good job of creating secure folders or files on the zombie PC. I pointed to the source directory of the phish page and there were all the source files. So I could poke around and look at just what it took to set up a fake phishing site. Not much, as it happens.
And there were the data files, created by the phishing page when people entered data. In other words, there was the payoff, in an open, un-encrypted file for anyone to download.
So I downloaded it. I was curious to see how successful (or not) this type of site might be.
The results were a little depressing. More on that in a moment.
Even more depressing, a couple of days later: the site was still up. The data file was still there. And people were still dutifully entering their personal info into this burgeoning repository.
So that left me in a moral dilemma. In effect, I was witnessing some bad stuff happening in real time. .... What to do? I downloaded the latest version of the harvested data and pondered.
I had already alerted BofA and the owners of the domains. The harvested data file contained no email addresses, so I couldn't alert the people downloading data by email. I couldn't delete or alter the source files or the data file.
I finally decided to simply write letters to all the people who had been duped into entering their street address, informing them of the scam and advising them to do all the sensible things necessary after your identity has been stolen.
That would be _forty_ letters. Three days; one web site; forty people who had entered every precious fact about themselves into this data file: names, addresses, phone numbers, account numbers, credit card numbers & security codes & expiration dates, SSNs, birth dates, mother's maiden name etc. etc. etc.
I just got back from the Post Office. Ten letters down, thirty to go. I include in each letter a redacted copy of the data associated with the street address. If the data are genuine, the owner will be able to recognize them, despite having every nth character replaced by a "*."
In case there is any feedback or fallout, I will pass that along.
But the thing that sticks with me is just how normal and ordinary all these people seem to be. Something in their lives made the scam seem plausible, so they fell for it. And now they are about to get [conned], if they haven't been already. With luck, my letters will help some of those people avoid major hassles in the future. If they take them seriously.
So the PSA part: Be aware that, sometimes, ordinary intelligent people get conned. Don't be one of them. Don't let any of your friends or relatives be one of them. Take a little pro-active action. Especially if things drift into view that can't be ignored. Don't just walk on by.
And one last thing to mull over: Several people didn't enter street addresses, just all their account and card info and their SSNs. Nothing I can do for them. That really, really [stinks].
The author of the original email added the following in the message granting me permission to post it:
First, I would not recommend repeating my experiment. I have heard that some phishing sites also incorporate malicious spyware, and simply visiting those sites can lead to spyware being downloaded and installed on a visiting computer, if that computer is vulnerable (because OS security updates aren't current, or firewalls are not installed or active etc.).
Second, by downloading the file I found, which contained confidential personal data, I may have placed myself in a legal grey zone and I don't recommend following that course of action, even if the motivation is to help prevent fraud. The safest and most responsible course of action still seems to be to report phishing emails to abuse contacts at the target institution, to abuse contacts at any compromised or host IPs and to the owners of hacked servers. Sometimes it is hard to stand aside and wait for things to get fixed by the professionals, but that is probably the best thing to do.
* * *
I have summarized everything I did and found here:
One comment on all this: The email obviously raises questions about whether phishing scams can be stopped quickly enough to prevent additional consumers from being ensnared by them. The FTC web site suggests that consumers report phishing activity to spam@uce.gov, to the organization impersonated in the phishing email, and to reportphishing@antiphishing.org (the email address for the Anti-Phishing Working Group, a consortium of ISPs, security vendors, financial institutions and law enforcement agencies; you can visit their web site at www.antiphishing.org). I have no idea how fast these entities respond.
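The reporting routine described on this page (look up the host, notify the hosting site's abuse contact, cc the impersonated bank, forward to the FTC and APWG addresses the FTC suggests) written up as a small Python triage script. This is an added example, not code from the original post or from the email's author; the sample URL, both hosts and the bank mailbox abuse@bank.example are constructed placeholders, the FTC and APWG addresses are the ones the post names, and the abuse@<domain> mailbox convention comes from RFC 2142. The script only parses the URL and never fetches the phishing page, in line with the author's own caution about visiting such sites; a bare IP host (like the zombie PC in the account) needs a separate IP WHOIS lookup for its netblock abuse contact, which this offline script flags rather than performs.

```python
"""Triage a reported phishing URL and draft the abuse reports.

Added example, not part of the original post. It follows the reporting
steps the page describes (look up the host, notify the hosting site's
abuse contact, cc the impersonated bank, forward to the FTC and APWG)
without ever fetching the phishing page.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Reporting addresses the post names.
FTC_SPAM = "spam@uce.gov"
APWG = "reportphishing@antiphishing.org"

# Constructed sample: a redirect on a hacked site that bounces to a raw IP,
# the two-hop shape the email describes. Both hosts are made up
# (203.0.113.0/24 is a documentation range) and the bank mailbox is a placeholder.
SAMPLE_URL = "http://www.shop-example.com.sg/go.php?url=http://203.0.113.7/bank/login.php"
BANK_ABUSE = "abuse@bank.example"  # hypothetical impersonated-brand abuse mailbox


def extract_hosts(url):
    """Return the URL's own host plus any host hidden in a redirect-style query value."""
    parts = urlsplit(url)
    hosts = [parts.hostname] if parts.hostname else []
    for values in parse_qs(parts.query).values():
        for value in values:
            inner = urlsplit(value)
            if inner.scheme in ("http", "https") and inner.hostname:
                hosts.append(inner.hostname)
    return hosts


def is_ip_literal(host):
    """True when the host is a bare IPv4/IPv6 address (no domain owner to email)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registered_domain(host):
    """Rough registrable-domain guess: last two labels, or three under a
    two-letter ccTLD with a generic second level such as .com.sg."""
    labels = host.lower().rstrip(".").split(".")
    generic_second = {"com", "co", "net", "org", "gov", "edu", "ac"}
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in generic_second:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def abuse_contacts(host):
    """Abuse mailbox for a hostname (RFC 2142 abuse@<domain>). A bare IP has no
    domain owner; its netblock abuse contact comes from an IP WHOIS lookup,
    which this offline script does not perform."""
    if is_ip_literal(host):
        return []
    return ["abuse@" + registered_domain(host)]


def defang(url):
    """Break the link so the report itself is not clickable in mail clients."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def build_report(url, impersonated_abuse):
    """Assemble recipients and a plain-text body for the abuse report."""
    hosts = extract_hosts(url)
    recipients = [impersonated_abuse, FTC_SPAM, APWG]
    for host in hosts:
        recipients.extend(abuse_contacts(host))
    deduped = []
    for recipient in recipients:
        if recipient not in deduped:
            deduped.append(recipient)
    lines = ["Phishing report", "Defanged URL: " + defang(url), "Hosts involved:"]
    for host in hosts:
        if is_ip_literal(host):
            note = "IP literal; find the netblock abuse contact via IP WHOIS"
        else:
            note = "domain " + registered_domain(host)
        lines.append("  - " + host + ": " + note)
    return {"to": deduped, "hosts": hosts, "body": "\n".join(lines)}


if __name__ == "__main__":
    report = build_report(SAMPLE_URL, BANK_ABUSE)
    print("To:", ", ".join(report["to"]))
    print(report["body"])
```

Run it as-is to see the recipient list and body for the constructed sample. The defanged URL in the body is deliberate: forwarding a live link in a report can get it re-clicked or auto-fetched by a mail client, which is exactly what the author warns against.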
Jeff, Thanks for a terrific post! I thought it was so useful that I sent the link to everyone at my office. Do others have similar stories? Brian
Posted by: Brian | Sunday, February 11, 2007 at 08:24 PM
I don't know of any similar stories, which is one of the reasons I posted the email. We wouldn't know about this one but for the good heart of the email's author.
Posted by: JeffSovern | Monday, February 12, 2007 at 09:35 AM
I suspect a lot of people respond because the spam happens to be from a bank with which they do business. A lot of these emails look rather official, so if you happen to have an account with that company, it's easy to get caught. And, of course, some people do their banking online, so they expect to get bank email. And others are just relatively new to computer spam and aren't sufficiently aware.
The best advice to give people is that they should go to the bank (or other institution's) website and check their accounts directly, rather than responding to the email or using the URLs listed in it.
Posted by: Nancy Jane Moore | Tuesday, February 13, 2007 at 08:55 AM