March 21, 2008

Watching a Phishing Attack in Progress Breaks My Heart
It's one thing to see a phishing attack underway and to report the hacked server to the site owner in the hopes of getting the fake lookalike site shut down in a hurry. It's quite another to see that a phisher has been successful in tricking everyday folks into giving up their passwords and credit card data.
Such, sadly, is the case of an amazon.com phisher who must have bought a very cheap phishing kit that stores the captured data in a plain text file on the hacked server. Worse still—for victims, that is—the text file is easily accessible to anyone who bothers to check out the root address of the URL. In this case, the root was just an IP address that is owned by a Polish internet provider and web hosting service. The destination is an unused web server, complete with PHP installation that allows phishing kits to install a little bit of software to simulate the appearance of any financial or retail institution.
Based on the timestamps of subdirectory creation on the server, the phishing email message I received came through within a couple hours of the phisher setting up the site. As I write this, it has been less than four hours since the email batch containing my address was sent (it's anybody's guess how many batches were sent or when). In that time, the phony form has been filled out and submitted 11 times. Of those 11, eight were submitted by those who knew phishing when they saw it.
It's the other three, however, that really make my heart sink. These three were taken in by the well-crafted email message and bogus web site. I say "well-crafted" only in the sense that it had the right professional graphics look, and the content or formatting errors could easily escape the eye of a harried user fearful of losing access to Amazon. But the come-on has been the same since the earliest phishes: the request to "confirm your identity." It's the oldest trick in the book, provided they've ever read the book (which, of course, they can buy at amazon.com...nnww [nudge-nudge, wink-wink]).
Data from three victims certainly isn't any kind of statistical sample, so I'm not about to draw any overreaching conclusions from what I see. Thanks to date-of-birth info, I see that this current group ranges in age from their 80s to their 20s; they are of both genders; and they are geographically diverse in the U.S.
By now, the phisher has probably hijacked the Amazon accounts and changed the passwords to prevent the real owners from regaining control. Amazon is a nifty account to hijack—just click on the Electronics department, and imagine how much damage a crook could do, putting a giant flat-panel TV and a digital SLR camera or two on the account's credit card, shipping as gifts to an accomplice's home.
The credit card data is a separate asset, which the crook will sell through numerous brokers in the electronic equivalent of back rooms. The phisher who bought the kit may actually be aced out of his score because the kit's author or any of the crooks who find the open text file might beat him to the back room.
I feel like I'm in one of those science fiction stories about someone who knows the future and sees across the street someone for whom disaster lies around the corner. This is going to end badly, and there isn't much I can do beyond trying to get the site shut down.
In the time I've spent editing and completing this article, two more victims have given up their Amazon account and credit card data. I don't think I'll sleep very well tonight.

Posted on March 21, 2008 at 02:51 PM