On Mon, Jan 12, 2004 at 04:41:40PM -0500, Jim Gonzalez composed:
> I just received this a few hours ago not sure if it is legit. Here is the
> header info if someone would like to investigate. Seems like the link is down
> already.

Tracking down a Phishing scheme takes a little work.

First, you need to look at the email message source, as it is almost invariably html or text/html. Look at the URLs in the HTML form. They are often of the form http://www.citibank.com/whatever.whatever@realsite/realdata...

These days, most web browsers will warn when you follow such links (they use the username@site URL syntax) but there are occasional bugs where a browser will NOT issue a warning, likewise OLD browsers will often not issue a warning.

The other thing to look at is the headers of the message, to see where it comes from. Often, like most spam, it's some random open relay or compromised machine which will often lead nowhere.

Now that you have the URL, visit it. Use some browser other than IE (Internet Explorer is such a big target, with a history of 0 day exploits running around), and ideally in VMware (paranoia is a good thing here, you're dealing with criminals) and start digging through the site. Odds are good it is a corrupted site, often through some managed hosting or similar operation.

Now is where it gets hard: You NEED to get law enforcement, the hosting company/machine owner, and the credit card company involved. I'm not sure if it's even possible. I've not gotten past this step myself, only getting an ack from the hosting company, and a black-hole from the credit-card company.

But assuming you CAN do that, now there are two ways to go about tracking the phisher further: track the break-in (LEO, hosting company/machine owner looking through logs/forensics) and/or track where the credit card info goes (send out honeytoken/deliberately bad data and THEN start taking the site down/apart, look at the script functionalities etc).

And then be prepared to groan when, at the end of it all, it turns out to be some kiddiot in a foreign country...

-- 
Nicholas C. Weaver nweaver@cs.berkeley.edu
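As an added example (not part of this thread), a small Python script for the first step described above: pull the anchors out of a text/html message body and report, for each link, the host actually contacted versus the decoy name placed before "@" or shown in the link text. The message body and the 203.0.113.7 address are constructed placeholders, and the decoy URL is written in the username@site form the post refers to.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body, not a real message: the visible text and the
# user-info part name the bank, but the host actually contacted is
# 203.0.113.7 (a documentation address standing in for the real site).
SAMPLE_HTML = """<html><body>
<p>Please verify your account at
<a href="http://www.citibank.com@203.0.113.7/cgi-bin/login.php">www.citibank.com</a>.</p>
<p>Or see <a href="http://www.citibank.com/help">our help page</a>.</p>
</body></html>"""

class LinkExtractor(HTMLParser):
    """Collect (href, visible link text) pairs from the anchors in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, text] while inside an <a> element
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href"), ""]
    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None

def host_in_text(text):
    """Return a hostname-looking token from the visible link text, if any."""
    m = re.search(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", text, re.I)
    return m.group(1).lower() if m else None

def analyze_links(html):
    """For each link report the host really contacted, any decoy user-info
    placed before '@', and whether the visible text names a different host."""
    parser = LinkExtractor()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        parts = urlsplit(href or "")
        real_host = parts.hostname or ""   # what the browser actually connects to
        shown = host_in_text(text)         # what the recipient is led to believe
        results.append({"href": href, "real_host": real_host,
                        "decoy_userinfo": parts.username,
                        "suspicious": parts.username is not None
                        or (shown is not None and shown != real_host)})
    return results
```

Run `analyze_links(SAMPLE_HTML)` to see the first link flagged with real host 203.0.113.7 and decoy www.citibank.com, while the plain help link passes.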