December 19, 2004
The Impatience Factor
The flood of phishing messages continues. A PayPal one arrived late one night, and I naturally looked into it to see whether the link led to an insecure server somewhere that had been hijacked. Because the actual link (as revealed in the message body's source code, as opposed to the text displayed in the mail) led to a numeric IP address (one that looks like 192.168.1.100), I thought I'd check it out.
These types of URLs are often followed by a slash and some subdirectory where all the phishing forms and programs are hosted. The home page at the root of the URL may be a legitimate Web site whose owners are none the wiser. In this case, however, the home page was just some meaningless non-phishing form that didn't lead anywhere and didn't identify itself as belonging to any particular entity. I'm not sure what, if anything, it may have been.
Looking up the IP address (I like the whois facility of openrbl.org), I found that it belonged to a small block managed by a Los Angeles-area ISP. I visited the ISP's Web site, where I learned it was a subsidiary of a larger ISP (who isn't these days?). There was a support phone number so I could call somebody there to alert them that one of their addresses was being used as a phishing hole. Since the message had just arrived, perhaps not too many recipients will have been suckered into giving up their user IDs and passwords.
Calling the tech support line at an ISP can be a frustrating experience. The larger the ISP, the worse it is for those callers who phone only when there is a serious problem. The first line of support folks tend to be trained to handle such weighty matters as those that can be solved with "Make sure your modem is plugged in" and such. But I'm a patient guy and know how the game is played (hoping that eventually I could get bumped up to the next level of support tech).
So I called the ISP, and only had to wait on hold for a few minutes (it was nearly midnight). I explained that I wasn't a customer but had received a phishing message that led to an address in one of their IP address blocks. Maybe the tech was taken aback that I wasn't calling to complain about something, or that I wasn't all hyper about my spamware-infested PC. I had to tell him again why I was calling. I gave him the IP address and the URL of the phishing form (which was a little complicated over the phone because the HTML file name had spaces in it, which are encoded as "%20" in the URL).
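The two checks the post relies on, reading the real href out of the message source rather than the displayed text and decoding the "%20" file name, can be automated. This is an added example, not code from the original post; the message body is constructed, and the IP is the placeholder the post itself uses.

```python
import re
from ipaddress import ip_address
from urllib.parse import unquote, urlsplit

# Constructed sample message body; not the message the post describes.
SAMPLE_BODY = """<html><body><p>Please confirm your account.</p>
<a href="http://192.168.1.100/paypal/Confirm%20Account.htm">https://www.paypal.com/</a>
<a href="https://www.example.com/help">Help</a></body></html>"""

# Simple anchor matcher; adequate for mail bodies, not a full HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def is_ip_host(host):
    """True when the host part is a bare IPv4/IPv6 literal rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html_body):
    """Flag links whose href points at a numeric IP, or whose visible link
    text is a URL naming a different host than the href really goes to."""
    findings = []
    for href, text in ANCHOR_RE.findall(html_body):
        parts = urlsplit(href)
        host = parts.hostname or ""
        reasons = []
        if is_ip_host(host):
            reasons.append("href host is a numeric IP")
        shown = urlsplit(text.strip()).hostname if "://" in text else None
        if shown and shown.lower() != host.lower():
            reasons.append(f"link text shows {shown} but href goes to {host}")
        if reasons:
            findings.append({
                "href": href,
                "host": host,
                "path": unquote(parts.path),  # "%20" becomes a space, as in the post
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_BODY):
        print(f["href"], "->", f["host"], f["path"], "; ".join(f["reasons"]))
```

The decoded host and path are what you would read to an ISP's abuse desk, and the numeric host is what you would feed to a whois lookup.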
He checked the URL and came back to tell me it looks like a phishing page. Oh, really! Well, at least he got the message.
Then he said he couldn't do anything about it, and would leave a message for the system administrator to look into in the morning. Aaargh! How many victims would be suckered into giving up their identities in the intervening hours? I felt completely helpless. Before I closed down for the night, I checked again, and the page was still up.
I don't know how much longer it ran, but when I checked again at about 6:30 the next morning, the IP address came back to a "no longer available" page, and the phishing form's URL was inaccessible. Still, it would have been much better if the ISP had a policy and process in place that allowed such reports to be acted upon in minutes rather than hours.
Most phishers must know that they'll be closed down eventually, sometimes sooner than later, so I assume they are most interested in the first few hours following the spamming effort. That's the critical time when reports of such activity—especially at an ISP—should be quickly investigated and handled.
Phishing is one of those activities that undermines the credibility of the Internet. As long as amateurs set up phishing sites that are easy to trace, we should oblige, and shut them down immediately.
Posted on December 19, 2004 at 12:30 PM