March 21, 2005
Three Cheers for Fast Anti-Phishing
The companies whose names and logos show up on the most phishing mailings have been working toward reducing the amount of time it takes to shut down the phishing Web site. I suspect that the most damage to individual victims occurs in the first 24-48 hours of a phish attack, so getting the bogus forms taken down quickly is important to protect victims from themselves.
I may have seen a result of that work today. Although I don't know when this particular eBay attack started, the message that found its way to me arrived at my server at 12:12pm local time. I spotted the message at about 12:25pm and got disgusted at the hidden domain name of the button that recipients are supposed to click. The domain name (registered way back yesterday) included the words "safeharbor" and "ebay." Domain registration data showed what looks to be a real name and address—very likely the data of a previous phishing victim (it has been done before). Unlike some phishers who hijack existing sites, this was an outright attempt to set up a scam Web site from the get-go.
The site was hosted at a small Pennsylvania ISP I had not heard of before. Like automated domain registration, I take it that signing up for a five-bucks-a-month-on-a-stolen-credit-card Web hosting account doesn't have any human intervention that might have taken notice of the fishy/phishy domain name.
But somewhere along the line, the ISP got the message before I had a chance to report it. By the time I tried to look at the phishing form no more than 20 minutes after the phishing message hit my server, the entire site was gone. History. Non est. In the bit bucket.
The domain name record is still active, so our crook may pop up again, but not today.
Posted on March 21, 2005 at 12:33 PM