« It's Dangerous Out There | Main | An Invitation To Be Pwned »

January 04, 2007

Oh, the arrogance of some tech companies!

I received the umpteen-billionth phishing message today, this one purporting to be from amazon.com. Yawn. The web page with the fake amazon.com userid/password page is hosted on a server belonging to a high-tech company in Silicon Valley. From my long experience in seeing and tracking the URLs of offending pages, I could see that the server had been compromised, with the phishing stuff thrown into a semi-hidden directory (one whose name begins with a period).

The contact info in the company's main web site didn't list an email address, but since the company was so close, I chose to telephone the company directly to report the problem. Although the company is more into semiconductors that Internet technologies, I was transferred to someone in "Support" (whether it was internal computer support, or support for their products, I still don't know).

I explained that I had received the message claiming to come from amazon, and the phishing page was hosted within "Support's" domain. Mr. Support got all uppity and sneered at me that it couldn't be at their company, and it was a result of domain spoofing.

First of all, "domain spoofing" is more usually associated with email, not hosting. The phishing message I received was a case of domain spoofing because it wanted me to believe the message originated from amazon.com, when, in truth, it originated from gte.net. That's not what I was reporting.

There are cases of web site address spoofing, when tricksters register domains that are either lookalikes (using zeros for "o"s, for instance) or employ some international character tricks. But in this case, I reached the home page of the company by stripping off all the subdirectory stuff from the URL in the browser's Address bar. I didn't confuse or mistype anything that wasn't in the phishing page's URL.

This type of "It can't possibly be us" response is, unfortunately, all too common. I've lost count of the times the reportee zips a flaming message back to me—how dare I accuse them of having been cracked by a phisher. A half hour later, I get another message thanking me for reporting the encroachment and that the offending page has been removed.

This time, it took 11 minutes:

Thanks for the forward. I thought they were spoofing the domain, sorry
about that. Our web team have been notified.

Sure, it's embarrassing to acknowledge that your server has been cracked. It could even happen to one of my domains some day. But until I can get to the bottom of the issue, I won't shoot from the hip to deny the occurrence if someone reports it.