6/14/2006

The surreal world we're living in

Today I was planning to post something about spam and the constant fight between spammers and filters, but something happened that changed my day completely.
Well, not really, my day hasn't changed at all, only the time I had reserved for the blog. It's just that events developed in a way that I think now gives me something more interesting to write about.
It began at lunch time while I was doing my spam/scam/phishing mail check and, as usual, a Paypal phishing message was there waiting for me. I have an almost automated procedure for them: I report to the owner of the IP where the message comes from, to the host of the phishing page and to the owner of the IP block where the page is. I can get it over with in less than a minute and usually the page is gone by the end of the day. Unless it's hosted in Romania, China or some other places where they really don't care about it. Anyway, this page was hosted somewhere in Comcast. I reported it through their web page and received a pre-formatted response saying that an IP number is not enough to report the incident and asking for a log from my firewall. The answer didn't apply to this case; I guess it's one they have for intrusion reports that don't include enough information. But in this case there was no intrusion: the phishing page is a passive trap, it's the victim who goes to it, so no firewall could have recorded that properly. The point is I was upset because they didn't even care to read the report; they assumed it was about an intrusion with not enough information included, sent the pre-formatted answer and went back to coffee. At least that's how I felt at the time, so I went back to the phishing site to see what else could be reported. Sometimes it's a site with a "legal" page on it that can help to identify the owner, sometimes there's more than one phishing page on the same site, etc.
And I was in for a big surprise: while I was looking around I found out that the server had directory browsing enabled. This means that you can see the contents of the site the way you see the contents of your own disk. The site was pretty simple, I didn't find another phishing page nor any other page of any kind, and I didn't want to go into the code of the page since it wouldn't have helped to prove it was phishing. Then I stumbled on a text file that I thought might contain useful info. And it did. It was the file where the page stored all the data submitted through its form.
I was shocked: there in front of my eyes I had mail addresses, passwords, credit card numbers and PINs from all those who had fallen into that trap. Of course some were just garbage, people aware of the trap had filled it with nonsense. But some others looked real.
But now I had a huge problem, what to do?
My first reaction was to close the file and I did, but what's next?
I knew that Comcast would eventually close the page, and actually they did (almost immediately, to be fair) after I sent them another message explaining the previous report. But meanwhile the file was sitting there for everyone to see. Of course it's not like it was published on the front page of a popular site, but the same way I fell into it anyone could. Plus, the one who was ready to use it, the phisher, knew where it was and how to get to it.
I was unable to erase it, I hope Comcast did, and I had no way to know if the phisher had taken it already.
It was a terrible situation because while I didn't want to know about the content, that same content was the only way to do something for the victims of the phisher. Comcast wouldn't warn them; they'd shut down the site and that's it.
I thought about reporting to Paypal too. Usually it's an exercise in futility because they have no control over the page; I guess they report to the same people I do to close the page or block the sender of the messages. But in this case they had a chance to get the file and protect their users.
Then I started to have second thoughts. I don't know what Paypal did; they sent me a thank-you answer, "we'll contact you if we need more information", and that's all. I don't think they warned the victims and I don't think they will. And the problem here is that not only were their Paypal accounts on the line, their credit cards were too.
So, I had no choice (I did, but I didn't want to take it). I went back to the site, opened the file and took note of the mail accounts ONLY. Then I erased my browser cache and sent a warning to each and every one on that list. Not many, there were about 10. I tried to make the message as clear as possible, not scary but enough to make them react and move fast before the damage is done. I don't know what the right thing to do is in a case like this. Of course you have to change your password, now! But what about the credit card? Is the information they take from you enough to go and do some shopping over the net? If so, it should be treated the same way as when you lose your card, and that's neither easy nor painless. Anyway, I feel sorry for them and for me too; being the messenger carrying the bad news is not nice.
Some things that surprised me today

How fast this thing works. From the reception of the message to the time I ran into that file it couldn't have been more than 2 to 3 hours. Maybe the site had been running for a longer period, I didn't check the dates of the files and directories (mental note for next time). But I have to assume that in that short period of time about 20 persons logged in and 10 of them used their real personal data. Amazing.

How clueless some people are. After I sent the warnings, one of the victims answered asking me to close his Paypal account. So you have this person who gets a forged message asking him to log in and provide all his personal data and complies; then when he gets a warning message he automatically assumes that it is from Paypal without even looking at the address of the sender. Amazing again.

And yet again, how clueless some people are. Someone else sent me this:

"What's that supposed to mean? That all the Paypal security letters I've been receiving have been fraudulent?"

And I swear it's a cut and paste of the original message. I was in total awe thinking that this person was logging in to the phishing pages every single time, posting all the information over and over again. But it was worse than that, and I know, how could it be worse?

"For weeks I've been receiving alerts from Paypal, saying my account is in danger. After many urgent responses I concluded that perhaps there's somebody trying to get into my account..."

So, instead of thinking that so many messages from Paypal were a sign that something was wrong, she took them as a confirmation that everything was right. And to top all this, she suspected me but at the same time asked me what to do. Instead of going to those she believes (as much as you believe your account officer; I don't trust mine at all), she goes to the total stranger whom she thinks is the fraudster. Amazing, amazing, amazing.

I don't blame her or any other. When you face one of those messages or the page, it takes technical knowledge to recognize the signs that something is wrong. The page looks just like the original: the images, the look, the text, the form. In fact it is taken from the original, so how could it look different? But on the other hand, with all the media coverage of this issue, with all the word of mouth around you, it's hard to believe they didn't see it coming. The Internet grew up to be popular before we were ready for it. It's not like other technologies that exceed our comprehension but are manageable. The Internet exceeds the comprehension of each and every one of us and nobody can manage it.

They say live and learn but I think we have come to times where if you want to live, you'll have to learn first.


PS: One thing that Paypal, eBay and others can do to help, or at least to make the phishers' work harder, is to block external referrals of their images. All the phishing pages take their images from the original sites. They don't even have to store the images, they just use the links and Paypal provides the images and pays for the storage and the bandwidth. It's insane. Preventing it is not so complicated that it can't be done. It's work, it takes time, for sure. But it is doable and makes sense.
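The check the PS describes is usually called hot-link protection: the image server looks at the Referer header and refuses to serve its images to pages hosted elsewhere. The following is an added example written for this post, not code from Paypal, eBay or the original author; the allowed host names and the sample requests are constructed for illustration. It also handles the edge case a practitioner has to decide on: requests that carry no Referer at all, which many proxies and privacy tools strip, so refusing them outright would break legitimate visitors.

```python
"""Referer-based hot-link check for static images (added example)."""
from urllib.parse import urlparse

# Hosts allowed to embed our images. Constructed example values, not real
# Paypal or eBay domains.
ALLOWED_HOSTS = {"paypal.example"}


def referer_host(referer):
    """Return the lower-cased host part of a Referer header, or None."""
    if not referer:
        return None
    host = urlparse(referer).hostname
    return host.lower() if host else None


def should_serve_image(referer, allowed_hosts=ALLOWED_HOSTS, allow_missing=True):
    """Decide whether an image request may be served.

    - Missing Referer: browsers, proxies and privacy tools often strip it,
      so the default is to serve (allow_missing=True); set it to False for
      a stricter policy at the cost of breaking some legitimate loads.
    - Present Referer: serve only if its host is an allowed host or a
      subdomain of one. A phishing page on a third-party host sends that
      host's name and is refused, so it can no longer borrow the images.
    """
    host = referer_host(referer)
    if host is None:
        return allow_missing
    return any(host == allowed or host.endswith("." + allowed)
               for allowed in allowed_hosts)


# Constructed sample requests: (Referer header, expected decision).
SAMPLE_REQUESTS = [
    ("https://www.paypal.example/login", True),           # the real site
    ("https://secure.paypal.example/cgi-bin/webscr", True),  # own subdomain
    ("http://192.0.2.10/~user/paypal/login.htm", False),  # page hosted elsewhere
    ("http://paypal.example.evil.test/", False),          # look-alike host
    (None, True),                                         # Referer stripped
]


def run_samples():
    """Apply the check to every sample request; returns the decisions."""
    return [should_serve_image(ref) for ref, _ in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (ref, expected), got in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{str(ref):48} serve={got!s:5} expected={expected}")
```

In practice this logic lives in the web server's rewrite or access rules rather than in application code, but the decision is the same. Note the limits: the check trusts whatever Referer the client sends, so it raises the phisher's cost (they now have to copy and host the images themselves) rather than stopping the attack, which is exactly the "make their work harder" goal of the PS.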
