Fishing For Phishers
Came home from watching Madagascar to find a poorly formatted email half-appearing to be from eBay, saying that I had to update my account details.
Gmail it seemed had already picked up on the fact that the "Return-Path:" was different to the "From:" field and had removed all the links, but I felt in the mood for a little reverse phishing. Just curious I guess, amazed at the depths some people will sink to and not wanting to imagine the floundering few that may already have been hooked.
First thing was to check the bait, the email source; I found the link, which took me to a page that looked very much like an eBay page, with boxes to enter credit card information and all that. The server IP was in the address, so I decided to give my Linux box a little bit of a workout, running nmap and traceroute on the IP.
I noticed the SSH and FTP ports were open and the address had /~demo/ in it, so I tried the obvious, using PuTTY to SSH to the server, 'demo' as the username and 'demo' as the password. I couldn't believe they would be that stupid, but evidently they were. Seems their fishing boat had a few holes in it.
There was no shell access, but I got in through FTP and had a look around, downloaded all their fake eBay files and thought about either deleting them or editing them, but didn't. I wanted to see how much more information I could gather.
The actual files were encoded using the JavaScript 'unescape' function in an attempt to hide the source code from inquisitive fish like me. However the very long string of %3C%42%4F%44%59%20%7... is easily decoded with a tool like this. Still following the lure, I ended up at the php file that seemed to do the actual sending of the private information to the little phishermen. The mail() commands were in base64 ready to be decoded and executed by the server.
I changed the code a little and put it through my Linux server, making it only echo the base64_decode() output instead of running it. And there I had them, hook, line and sinker, the two email addresses that the credit card details were being reeled into.
Googling the names brought up information for only one of the little phishermen on a music related message board profile, a sixteen year old Eminem fan from Romania. He even had a picture.
I was satisfied at that. Fish matching wits with phishermen. The one that got away, staring into the eyes of his would be, puerile captor. Catch you next time.
Fishing at Moonlight, Kunsthistorisches Museum, Vienna

8 Comments:
I think I got that same e-mail, I forwarded it to pay-pal. you should post the pic of the kid.
its spellt Madagascar
dear or else
Sorry Katty and/or Natty, my own personal spell checkers :) I'll get on that right away.
its spelt spelt. not spellt
dear or else
lol yarr dork
so josh has a spell checker and that spell checker has a spell checker
having 2 spell checkers is the thing of the future!
dear or else
Clever little hunting foray there, I'm with warrenzone, post the little gnat's picture.
Purposely didn't include any detailed info in this post. Didn't really want to get too personal with these people.
I sent the info on to eBay security, but doubt they'll do anything. Watch for his picture on Romania’s most wanted :)
yarr dork doesnt make sense. yarr is used as "your" or "you're" and "you are dork" doesnt make sense, it'd have to be "yarr a dork" unless, of course, you were saying "yarr" as "you" because we're pirates of the future and we can say "yarr" in any context but no one else can, and if so, then thats ok.
dear or else