Fishing For Phishers
Came home from watching Madagascar to find a poorly formatted email half-appearing to be from eBay, saying that I had to update my account details.
Gmail, it seemed, had already picked up on the fact that the "Return-Path:" was different to the "From:" field and had removed all the links, but I felt in the mood for a little reverse phishing. Just curious I guess, amazed at the depths some people will sink to and not wanting to imagine the floundering few that may already have been hooked.
First thing was to check the bait, the email source; found the link, taking me to a page that looked very much like an eBay page with boxes to enter credit card information and all that. The server IP was in the address, so I decided to give my Linux box a little bit of a workout, running nmap and traceroute on the IP.
I noticed the ssh and ftp ports were open and the address had /~demo/ in it, so I tried the obvious, using PuTTY to ssh to the server, 'demo' as the username and 'demo' as the password. I couldn't believe they would be that stupid, but evidently they were. Seems their fishing boat had a few holes in it.
There was no shell access, but I got in through ftp and had a look around, downloaded all their fake eBay files and thought about either deleting them or editing them, but didn't. I wanted to see how much more information I could gather.
I changed the code a little and put it through my Linux server, making it only echo the base64_decode() output instead of running it. And there I had them, hook, line and sinker, the two email addresses that the credit card details were being reeled into.
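The same decode-without-running step can be done with no PHP interpreter involved at all. This is an added example, not part of the original post: a static extractor that pulls `base64_decode()` string literals out of a handler's source, decodes them (including nested layers), and lists any email addresses inside. The sample handler, its `mail()` call and the addresses are constructed, and the `eval(base64_decode('...'))` wrapping is an assumption about how such a kit hides its payload.

```python
import base64
import binascii
import re

# Constructed sample: a PHP form handler that hides its mail() call in base64.
_hidden = b'mail("drop1@example.test, drop2@example.test", "cc", $body);'
SAMPLE_PHP = (
    "<?php\n$body = $_POST['card'];\n"
    "eval(base64_decode('" + base64.b64encode(_hidden).decode() + "'));\n?>"
)

# base64_decode('...') or base64_decode("...") with a string literal argument.
B64_CALL = re.compile(r"""base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)""")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def decode_layers(php_source, max_depth=5):
    """Return every decoded payload, following nested base64_decode() calls.

    The PHP is treated as text only; nothing is evaluated.
    """
    found, queue = [], [(php_source, 0)]
    while queue:
        text, depth = queue.pop()
        if depth >= max_depth:
            continue
        for match in B64_CALL.finditer(text):
            blob = re.sub(r"\s+", "", match.group(2))
            try:
                raw = base64.b64decode(blob, validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64, leave it for manual review
            decoded = raw.decode("utf-8", errors="replace")
            found.append(decoded)
            queue.append((decoded, depth + 1))
    return found

def extract_addresses(php_source):
    """Collect unique email addresses that appear in decoded payloads."""
    hits = set()
    for payload in decode_layers(php_source):
        hits.update(EMAIL.findall(payload))
    return sorted(hits)

if __name__ == "__main__":
    for address in extract_addresses(SAMPLE_PHP):
        print(address)
```

Payloads that build the encoded string at runtime (concatenation, variables, other encodings) will not match the literal pattern and still need manual review.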
Googling the names brought up information for only one of the little phishermen on a music-related message board profile, a sixteen-year-old Eminem fan from Romania. He even had a picture.
I was satisfied at that. Fish matching wits with phishermen. The one that got away, staring into the eyes of his would-be, puerile captor. Catch you next time.
Fishing at Moonlight, Kunsthistorisches Museum, Vienna