May 15, 2005

Phoiled Phisher Phollowup
There was quite a bit of interest in my skirmish with a phisher last Tuesday night. I thought I'd write an epilog to the tale. Now that I got my most recent book (#42 if you're counting) into the hands of my editor, I can catch my breath.
The four phishing messages (one I believe to be an inadvertent mistake in that it pointed to no valid domain) were the only ones of that style to arrive that night. After the third site take-down, that was it for the night. It was my night—I don't know what it was where the phisher lived.
Since then, I've seen a couple of messages bearing the same source code hallmarks as the ones that caught my eye the other night. They usually arrived during my overnight hours or while I was away from the office. But I'm glad to say that most of the target sites were already closed down by the time I got to check them out.
Emboldened by the quick reactions of three large hosting providers last Tuesday, I've taken the time to report even more phishing sites to their site owners (there are tons of legitimate servers that get hijacked to host phishing pages) and hosting providers. (Don't tell my editor I was doing this instead of finishing the book. Shh!)
Despite my praise of quick action the other night, I may have spoken too soon about yahoo.com. A different phishing stream came my way, pointing to another domain hosted at yahoo.com. Several days later, the page is still up and running.
ISP response to phishing site reports is all over the map, and highly unpredictable. Foolishly, I expect smaller ISPs to respond quickly, if for no other reason than that the volume of abuse complaints they receive should be rather small; an account hosting an obvious phishing page at a URL under their control should be easy enough to suspend pending further investigation. Some are very good (iPowerWeb appears to do an excellent job, from my observations), but others (I'm talking about small, U.S.-based providers) completely ignore the reports. The phishing sites hosted there keep running long after they've trapped the bulk of their unwitting victims. I dare not mention those services here by name, lest phishers flock to them.
It would be great if ISPs, big and small, had a uniform phishing reporting system in place. All of the reporting I do goes to the regular abuse address or another whois contact email address, and sometimes through a provider's support form on its Web site. But I never know whether the report will get past the droves of other spam complaints that certainly accrue to any provider.
Speedy closure of phishing sites is essential. A site that has been up 24 hours after the first mailings go out to victims has already done the bulk of its damage. My suspicion is that phishers who "buy" domains and cheap hosting space do so with stolen credit card numbers, fully expecting the domain and site to be gone within 48 hours. In contrast, hijacked legitimate sites stay up for weeks (their real owners do nothing about reports from the outside, often because they don't know English or because the systems administrator who set up the site in the first place is away at college), and the phish messages keep pouring in, pointing to the same numeric IP address. Sites that stay up a while even gain further subdirectories with pages for other financial institutions. Hey, if the site owner ignores reports and lets anyone gain access through default passwords, why not adopt the server and add more sites there?
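The reporting routine described in the last two paragraphs (pull the real host out of each phish URL, look up its whois or abuse contact, and notice when the same numeric IP keeps turning up with new subdirectories for new brands) is easy to script. The Python below is an added example written for this page, not the author's own tooling. Everything in it is a constructed placeholder: the URLs use an RFC 5737 test address and example domains, the reporter address is made up, and the script deliberately does not guess the recipient; the actual abuse contact is still assumed to come from a whois lookup on the host it prints. The decoy-userinfo case (`http://brand.example@1.2.3.4/`) is a known phishing trick of the era that the post itself does not mention.

```python
"""Triage a batch of phishing URLs and draft takedown reports.

Added example written for this page; not the post author's tooling.
Assumptions: the real abuse contact is still looked up via whois by hand,
and all hosts, addresses and paths below are constructed placeholders.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample input: RFC 5737 test address and example domains only.
SAMPLE_URLS = [
    "http://www.examplebank.com@192.0.2.10/secure/login.htm",  # decoy userinfo
    "http://192.0.2.10/otherbank/verify.php",                  # same server, new brand
    "http://192.0.2.10/secure/login.htm",                      # repeat from a later mailing
    "https://update-account.example.net/cgi-bin/confirm.cgi",  # throwaway domain
]


def classify_url(url):
    """Return the parts of a phish URL a reporter needs.

    urlsplit() puts anything before '@' into username, so a decoy such as
    http://www.examplebank.com@192.0.2.10/ yields the numeric host the
    browser really connects to, not the bank name the victim sees.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    return {
        "host": host,               # feed this to whois (IP or domain)
        "is_ip": is_ip,             # numeric host: report to the netblock owner
        "decoy": parts.username,    # brand name stuffed into userinfo, if any
        "path": parts.path or "/",
    }


def defang(url):
    """Rewrite a URL so it cannot be clicked when pasted into a report."""
    parts = urlsplit(url)
    scheme = parts.scheme.replace("http", "hxxp")
    netloc = parts.netloc.replace(".", "[.]")
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{netloc}{parts.path}{query}"


def group_by_host(urls):
    """Map each hosting server to the sorted list of phish paths seen on it.

    A host that keeps accumulating paths for new brands is the long-lived
    hijacked server the post describes; one report should list all of them.
    """
    seen = defaultdict(set)
    for url in urls:
        info = classify_url(url)
        seen[info["host"]].add(info["path"])
    return {host: sorted(paths) for host, paths in seen.items()}


def draft_abuse_report(host, paths, first_seen, reporter="reporter@example.org"):
    """Build the body of a takedown request for one server.

    first_seen is an ISO 8601 timestamp string. The recipient is whatever
    whois lists for the host and is deliberately not guessed here.
    """
    lines = [
        f"Subject: Phishing pages hosted on {host}",
        f"From: {reporter}",
        "",
        f"Server: {host}",
        f"First phish message seen: {first_seen}",
        "Fraudulent pages currently served (defanged):",
    ]
    for path in paths:
        lines.append(f"  hxxp://{host.replace('.', '[.]')}{path}")
    lines += [
        "",
        "Please suspend the account pending investigation and preserve "
        "the server logs; victims' submitted credentials may be stored there.",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    now = datetime.now(timezone.utc).isoformat(timespec="minutes")
    for host, paths in group_by_host(SAMPLE_URLS).items():
        print(draft_abuse_report(host, paths, now))
        print("-" * 60)
```

Run it as a script to see one report per server; the numeric host collects both the `/secure/` and `/otherbank/` pages, which is exactly the "adopted server" pattern worth calling out to the host's abuse desk in a single message rather than one report per mailing.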
In the meantime, I don't believe that phished institutions do a sufficient job of educating their customers about the threats. But that's a whole 'nother subject I'll leave for later. That you are reading this means that you're hip to the problem. Spread your hipness to every emailing family member and neighbor.

Posted on May 15, 2005 at 01:09 PM