December 24, 2007
Argh! The Frustration of Big Companies
Trying to report abuse to some organizations can drive the reporter to drink (or, in my case, chocolate).
I'll begin by saying that I understand it is necessary for organizations with gigantic user bases to have ways to handle the 90% of support questions that have been asked and answered in Frequently Asked Questions areas and other online support documents. I grant you that the bulk of support questions that come in are sent by those who are too lazy to search the archive or don't know how to phrase the question. Spending corporate support dollars on staff to answer the same questions over and over must take a low priority. I even saw an ISP's site today that explicitly tells visitors that there is no email contact address for the Support Department—you must be a customer and follow the Yellow Brick Road through its automated help facilities.
Whenever I take the time to report alleged abuse to a company, I perform some due diligence ahead of time. I try to be as accurate and succinct as possible in my report. In sympathy for the overloaded recipient of my report, I get to the point and supply all necessary documentation to help them get to the source of the issue quickly.
The problem with companies that receive huge volumes of support queries is that in so many cases they don't even seem to read my subject line, much less the brief summary of my issue. In return for my researched report, I receive a form reply answering a question that had nothing to do with my report.
Here's the latest:
On December 21, 2007, I received a typical PayPal phishing message. In checking the content of the target page (without rendering it), I saw something very out of the ordinary for phishing. The page's content was created entirely using an encoded JavaScript technique very common on malware installer pages.
I captured the script and evaluated it without rendering the HTML results. Had the page rendered in a browser (as would happen for any visitor from the phishing message who had JavaScript enabled), it would have triggered a request to a URL on googlesyndication.com. Whoa, Nellie!
Google itself was no help in leading me to find out what this could be, although I suspected it had something to do with advertising, probably through Google's AdSense service. I did some more digging elsewhere and learned (possibly) that links to googlesyndication.com cause the click-on-the-ad counter to fire before navigating the user to the advertiser's site. My suspicion, therefore, was that anyone who followed the phishing message's link visited a page whose mere visit caused an ad click counter to fire, putting money into the crook's pocket (and stealing it from the advertiser and Google).
Click fraud is supposedly a pretty big deal in the high-volume Internet advertising business. I read about it all the time in mainstream business press. Advertisers fear it, and the ad-serving sites (like Google's AdSense) reassure advertisers that they're doing everything possible to counter the fraud. Thus, I thought Google's AdSense program might be interested in this potential fraud technique.
I found a Support area at Google's site, where I could choose the AdSense Program as the target of my support query. They actually provided an email address to which I could address my "question." The Subject: line of my message was far from ambiguous:
Possible abuse of googlesyndication.com
In the body of the message, I included the rendered version of the encoded JavaScript, which included identification numbers of the advertiser and commission earner in plain HTML. And, because I'm not an AdSense guru, I made my accusation in the following manner:
If rendering this page causes the issuer to earn a commission from a Google advertiser upon display of the ad, then he used fraudulent means to obtain that ad display and commission.
I then also included the source code of the phishing email message for good measure.
So, there it was. I had presented my case and provided enough evidence for Google to look into it.
Three days later (not too bad for a Big Company), I received a response, which began:
Hi,
Thanks for your email. We'll be more than happy to provide you with information on your AdSense earnings.
This was followed by a bunch of standard support questions and answers related to viewing AdSense earnings.
Hello? Earth calling Google!
I have some Qs for which I doubt I'll ever receive As:
- Did a human read my original message?
- If so, was that person awake/alive at the time?
- If this is a completely automated response, why did it take three days to respond?
- If I was wrong in my accusation, can you simply tell me that my fears are unfounded?
- Do you really give a Rémy's ass about click fraud?
As for what this episode means for everyday email users, the point is that clicking a link in any unsolicited email message can put money into the crook's pocket, even if you don't hand over any personal info (which this "phisher" didn't even want).
As for me on this Christmas Eve, I'm sending a big "Bah, humbug!" down to Mountain View, CA.
Posted on December 24, 2007 at 10:36 AM