March 01, 2006
Charter Communications: The Phisher's Friend
I've encountered plenty of clueless ISPs in my days as a phisher stomper, but Charter Communications is climbing rapidly to the top of my list. One of their customers' computers has been compromised since at least 27 February. The machine is acting as a Web server for a PayPal phishing collection page (just one of the many things that your computer can become if taken over by a botnet). I have received ten—count 'em—phishing emails with hidden links taking recipients to the fraudulent page. The messages have a variety of subject lines, and they are coming from yet other compromised PCs (botnet zombies) at a variety of U.S.-based providers.
I did my usual reporting thing to Charter's abuse address back on the 27th. As is my custom, I included a quoted copy of the phishing email message source code (including headers) just as further evidence that messages are spewing around the Internet leading users to the compromised computer.
At first I received a typical automated reply, which I tend to ignore because it doesn't really mean anything. But then I received another that said because the phishing message didn't originate from a Charter IP address, they're dropping the incident.
After counting to ten (not knowing it would become the number of phishing messages I'd soon have stacked up leading to the same Charter address), here was my reply:
I am reporting a fraudulent Web page in your IP space. The location of the fraudulent site is at charter.com, which is registered to Charter Communications.
Please advise if you wish me not to report such activity in the future.
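The distinction Charter's abuse desk missed, the relay that delivered the message versus the host the hidden link actually points at, is easy to make mechanical. The following Python is an added example, not code from the original post: it parses a constructed phishing message, pulls the originating relay's IP from the Received header, and flags anchors whose visible text names one host while the href points at another. All headers, addresses and hostnames in the sample are constructed for illustration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (documentation addresses): visible text claims PayPal,
# the href points at a host in some ISP's IP space.
SAMPLE_EML = """\
Received: from zombie.example.net (zombie.example.net [203.0.113.45])
\tby mx.example.org with SMTP; Mon, 27 Feb 2006 09:12:03 -0500
From: "PayPal" <service@paypal.example>
Subject: Your account has been limited
Content-Type: text/html

<html><body><p>Please confirm at
<a href="http://198.51.100.23/cgi-bin/webscr/login.htm">https://www.paypal.com/</a></p>
</body></html>
"""

class _LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element in the HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage(raw):
    # Returns the originating relay IP and every link whose shown host differs
    # from the real host. The bottom-most Received header is the hop closest to
    # the sending zombie; the hosting address comes from the href, a separate
    # network entirely, which is the abuse report that actually matters here.
    msg = email.message_from_string(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1]) if received else None
    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    deceptive = []
    for href, text in collector.links:
        shown = urlparse(text if "://" in text else "//" + text).hostname
        actual = urlparse(href).hostname
        if shown and actual and shown != actual:
            deceptive.append({"shown": shown, "actual": actual, "href": href})
    return {"sender_ip": m.group(1) if m else None, "deceptive_links": deceptive}
```

The two addresses in the result belong to two different networks, which is why a ticket closed on the sender's IP alone says nothing about the hosting provider's responsibility.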
Despite their initial quick first response (within minutes of my original submission), Charter has not responded to my second missive (not that I expected any response other than the removal of the offending page—that's all I care about). Two days later, the page is still up, and it must be performing well if the phisher is continuing to direct phishing victims to the site.
I understand the frustration that leads some spam fighters to want to flood an offending site with something like a denial-of-service attack. Perhaps if this customer's computer ground to a complete freeze under the burden of millions of connection requests to the hidden PayPal phishing site, he'd give his support rep at Charter a call, and someone would look at the traffic at that IP address. Or at least the site might become inaccessible to the majority of potential victims.
But I do not agree with D-O-S tactics on principle. So that's out of the question.
Perhaps the word will get back to Charter that there is a hole in their support/abuse reporting system. There are forms of abuse other than sending spew. Hosting fraudulent Web pages (knowingly or un-) is another form of abuse, and believe it or not, dear Charter, it can happen to your customers. Get with it, and stop contributing to the phisher's cause by turning a blind eye to the problem (or turning a seeing eye verrrry slowly).
UPDATE (5 March 2006): It only took a week (HTML needs a contextual tag for sarcasm), but the offending Web page is finally down. The tally of phishing messages I received through the week pointing to that address was an astounding 17! That the page is now down could also mean that the Charter customer's computer got so sluggish with victim traffic that he restarted his computer and modem, in which case Charter's servers may have handed out a different IP address. If that's the case, it shouldn't take long before the infected machine announces itself to the botnet controller, and we'll be at it again. In any event, with a one-week window of operation, the phisher won this round Big Time. If I were a victim of this phisher, I'd first be mad at myself for falling for the scam; but I'd also be angry at Charter for allowing this activity to go on for almost a week after acknowledging the report.

Posted on March 01, 2006 at 05:25 PM