Saturday, December 5, 2009

Reporting the Fraud

Two collaborators (or one person doing two things) worked to launch the scheme: the sender of the fraudulent email and the operator of the fraudulent web site.

3.1 Finding the Web Site

First, we wanted to identify the fraudulent web site, since it was still active and capable of collecting sensitive information. As was identified above (in step 8), the web site to which clients were directed was www.john33.netfirms.com. Theoretically, WHOIS records should help us to contact the right folks. However, since registration of domain names is open to anyone, the perpetrators of fraud frequently submit fraudulent contact information to these records. [3] Additionally, some otherwise legitimate domains populate the WHOIS records with bogus data to avoid being targeted by spammers.

NetFirms is a fairly well-known hosting service, so the likelihood that their WHOIS records were incorrect wasn't especially high.

Since registration of Internet numbers is much more tightly controlled, WHOIS records for network numbers are much better maintained and less likely to contain bogus information. So even though checking the WHOIS record for NetFirms would probably have given us the information we needed in this case, we opted to match the IP address to the network contact: it is the more general approach, and it would work even if the fraudulent web site were hiding on a network whose administrators were harder to contact.

Using command-line utilities like host or nslookup[2] would reveal the IP address as [209.171.43.26].

Using the command-line utility whois[3], we were able to identify TELUS Communications as the network administrator. A phone call placed to TELUS got us connected to some helpful folks there who gave us the telephone number for their security and abuse contact.

A gentleman who answered the phone asked us to email details, along with a forwarded copy of the message showing the link to the fraudulent site to the abuse contact, and to send him a copy as well. He then promised to call over to the security group to be sure that someone would look at it quickly.
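The lookup chain just described (host name to address, then address to the network's registered contact) as an added example in Python; it is not part of the original write-up. It speaks the whois protocol directly (RFC 3912: a TCP connection to port 43, the query followed by CRLF, the answer read until the server closes the connection) and then pulls the abuse contact out of the answer. The field names are the ones ARIN (OrgAbuseEmail, OrgAbusePhone) and RIPE-style registries (abuse-mailbox) print today, the ReferralServer handling is ARIN's current behaviour for address space it does not administer, and the sample record the parsing runs against is constructed here, not the real TELUS record.

```python
"""Name -> address -> network abuse contact, via DNS and the whois protocol (RFC 3912)."""
import re
import socket


def whois_query(query, server, port=43, timeout=10):
    """One RFC 3912 exchange: connect to TCP port 43, send the query plus CRLF,
    read until the server closes the connection, return the text."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


# Abuse-contact fields as printed by ARIN (OrgAbuse*) and by RIPE-style
# registries (abuse-mailbox). Matched case-insensitively, one field per line.
ABUSE_FIELD_RE = re.compile(
    r"^(OrgAbuseEmail|OrgAbusePhone|abuse-mailbox)\s*:\s*(\S.*?)\s*$", re.I | re.M
)
REFERRAL_RE = re.compile(r"^ReferralServer:\s*whois://([\w.-]+)", re.M)


def abuse_contacts(record):
    """Return {field: value} for the abuse-contact fields present in a whois record."""
    found = {}
    for field, value in ABUSE_FIELD_RE.findall(record):
        found.setdefault(field, value)  # keep the first value if a field repeats
    return found


def referral_server(record):
    """ARIN answers with a ReferralServer line when the block belongs to another registry."""
    m = REFERRAL_RE.search(record)
    return m.group(1) if m else None


def network_contact_for(ip, server="whois.arin.net"):
    """Ask ARIN about an IP address and follow one referral to the responsible registry."""
    record = whois_query(ip, server)
    other = referral_server(record)
    if other:
        record = whois_query(ip, other)
    return abuse_contacts(record)


# Constructed sample in ARIN's output style (documentation address range), so the
# parsing can be exercised offline; it is not a real registry record.
SAMPLE_RECORD = """\
NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
NetName:        EXAMPLE-NET
OrgName:        Example Communications Inc.
OrgAbuseHandle: ABUSE0-ARIN
OrgAbuseName:   Abuse Desk
OrgAbusePhone:  +1-555-010-0100
OrgAbuseEmail:  abuse@example.net
OrgTechEmail:   noc@example.net
"""

if __name__ == "__main__":
    print("sample record ->", abuse_contacts(SAMPLE_RECORD))
    # Live lookup of the host name from the write-up (needs network access).
    host = "www.john33.netfirms.com"
    try:
        ip = socket.gethostbyname(host)
        print(host, "->", ip, "->", network_contact_for(ip))
    except OSError as exc:
        print("live lookup skipped:", exc)
```

The point of asking the registry about the address rather than the domain is the one the text makes: the domain's registrant chose what to put in its record, whereas the address block's contact is whoever the registry allocated the block to, which is the party that can actually pull the plug.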

3.2 Tracking the Email

Our next step was to identify the source of the email. By reading the mail headers [1, 2] (shown in Figure 4), we can see that the source is u201n212.hfx.eastlink.ca [24.222.201.212]. A telephone call to Eastlink (in Halifax, Nova Scotia) alerts Eastlink to the problem. The helpful folks there ask for a copy of the message to be sent to their abuse contact.

Had this message originated from overseas, finding a reasonable point of contact might have been more difficult. In this particular case, the source appears to be a residential high-speed cable modem connection.

Technically, the telephone call was unnecessary, but I placed it because I wanted to alert them to what was probably an ongoing incident of international wire fraud, and probably a lot of other things. It's a much bigger mess than, say, sending spam, and I wanted to be sure that it didn't sit in a queue for hours or days before someone was aware of the situation. That might be the kind of thing to which an administrator would want (after verification) to respond immediately.

Return-path:
Received: from ms-mta-02.socal.rr.com ([10.10.4.126])
    by ms-mss-03.socal.rr.com (iPlanet Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003))
    with ESMTP id <0HGH006M6R8EL2@ms-mss-03.socal.rr.com>; Sat, 14 Jun 2003 14:48:14 -0700 (PDT)
Received: from lamx02.mgw.rr.com (lamx02.mgw.rr.com [66.75.160.13])
    by ms-mta-02.socal.rr.com (iPlanet Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003))
    with ESMTP id <0HGH0054OQDXBO@ms-mta-02.socal.rr.com>; Sat, 14 Jun 2003 14:29:58 -0700 (PDT)
Received: from ebay.com (u201n212.hfx.eastlink.ca [24.222.201.212])
    by lamx02.mgw.rr.com (8.12.8p1/8.12.8) with SMTP id h5ELm8Vb002000;
    Sat, 14 Jun 2003 17:48:09 -0400 (EDT)
Date: Sat, 14 Jun 2003 14:25:40 +1000
From: support@ebay.com
Subject: Billing Update Requested (URGENT)
To: mail@lamx02.mgw.rr.com
Message-id: <001400e8db46$dae47575$14814366@qijuhor.pgh>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Content-type: multipart/mixed; boundary="----=_NextPart_000_00A0_62D10B0B.E5271C86"
Importance: Normal
X-Priority: 1
X-Virus-Scanned: Symantec AntiVirus Scan Engine

Figure 4: Headers of Fraudulent Email
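The header walk described in this section, as an added example in Python that is not part of the original write-up. It parses the Figure 4 headers (transcribed into the script; the empty Return-path is as shown in the figure), walks the Received: chain from the last-added line back to the first hop, and separates what the sending machine claimed in HELO (ebay.com) from what the receiving relay actually recorded (u201n212.hfx.eastlink.ca [24.222.201.212]). It also compares the timestamps the figure contains: the sender-supplied Date: header is about seventeen hours earlier than the first relay's stamp, which says nothing about delivery and only that the sender's clock or header was not to be trusted, and the second relay's stamp precedes the first relay's, which in a chain of real relays means one relay's clock is off. The regular expression for the "from name (rdns [ip]) by relay" clause is this example's own and is tuned to the sendmail and iPlanet formats in the figure.

```python
"""Walk the Received: chain of the Figure 4 message back to the originating host."""
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Transcribed from Figure 4 of the write-up (not constructed). The empty
# Return-path is as shown there; continuation lines start with a space.
FIGURE_4_HEADERS = """\
Return-path:
Received: from ms-mta-02.socal.rr.com ([10.10.4.126])
 by ms-mss-03.socal.rr.com (iPlanet Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003))
 with ESMTP id <0HGH006M6R8EL2@ms-mss-03.socal.rr.com>; Sat, 14 Jun 2003 14:48:14 -0700 (PDT)
Received: from lamx02.mgw.rr.com (lamx02.mgw.rr.com [66.75.160.13])
 by ms-mta-02.socal.rr.com (iPlanet Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003))
 with ESMTP id <0HGH0054OQDXBO@ms-mta-02.socal.rr.com>; Sat, 14 Jun 2003 14:29:58 -0700 (PDT)
Received: from ebay.com (u201n212.hfx.eastlink.ca [24.222.201.212])
 by lamx02.mgw.rr.com (8.12.8p1/8.12.8) with SMTP id h5ELm8Vb002000;
 Sat, 14 Jun 2003 17:48:09 -0400 (EDT)
Date: Sat, 14 Jun 2003 14:25:40 +1000
From: support@ebay.com
Subject: Billing Update Requested (URGENT)
To: mail@lamx02.mgw.rr.com
Message-id: <001400e8db46$dae47575$14814366@qijuhor.pgh>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Content-type: multipart/mixed; boundary="----=_NextPart_000_00A0_62D10B0B.E5271C86"
Importance: Normal
X-Priority: 1
X-Virus-Scanned: Symantec AntiVirus Scan Engine

"""

# "from <HELO name> (<reverse DNS> [<IP>])"; the reverse-DNS part is optional,
# as in the last hop of Figure 4 where only "([10.10.4.126])" was recorded.
FROM_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[\w.-]+)\s+)?\[(?P<ip>[\d.]+)\]\)")
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)")


def parse_received(value):
    """Describe one Received: header as a dict, or return None if it does not parse."""
    text = " ".join(value.split())                     # unfold continuation lines
    m_from = FROM_RE.search(text)
    m_by = BY_RE.search(text, m_from.end()) if m_from else None
    if not (m_from and m_by):
        return None
    stamp = text.rsplit(";", 1)[1]                     # the timestamp follows the last ';'
    stamp = re.sub(r"\s*\([^)]*\)\s*$", "", stamp).strip()   # drop the "(PDT)" comment
    when = parsedate_to_datetime(stamp).astimezone(timezone.utc)
    return {"helo": m_from["helo"], "rdns": m_from["rdns"], "ip": m_from["ip"],
            "by": m_by["by"], "when": when}


def trace_origin(raw_headers):
    """Return (hops oldest-first, originating hop, Date:-to-first-hop skew in seconds)."""
    msg = message_from_string(raw_headers)
    # Each relay prepends its own Received: line, so the last one is the first hop.
    hops = [h for h in (parse_received(v) for v in reversed(msg.get_all("Received", []))) if h]
    origin = hops[0]
    # The HELO name is the sender's claim; the reverse DNS and bracketed IP are
    # what the relay that accepted the connection actually observed.
    origin["helo_matches_rdns"] = (origin["rdns"] or "").lower().endswith(origin["helo"].lower())
    date_hdr = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc)
    skew = int((origin["when"] - date_hdr).total_seconds())
    return hops, origin, skew


def hop_gaps(hops):
    """Seconds between consecutive relay stamps; a negative gap means a relay clock is off."""
    return [int((b["when"] - a["when"]).total_seconds()) for a, b in zip(hops, hops[1:])]


if __name__ == "__main__":
    hops, origin, skew = trace_origin(FIGURE_4_HEADERS)
    for h in hops:
        print(f"{h['when']:%Y-%m-%d %H:%M:%S}Z  {h['helo']:<24} ({h['rdns']} [{h['ip']}]) -> {h['by']}")
    print("origin:", origin["rdns"], origin["ip"], "claimed HELO:", origin["helo"],
          "matches rDNS:", origin["helo_matches_rdns"])
    print("Date: header is", skew, "s earlier than the first relay's stamp")
    print("gaps between hops (s):", hop_gaps(hops))
```

Only the first hop's Received: line can be trusted to identify the source, and only because the relay that wrote it (lamx02.mgw.rr.com) is the recipient's own; anything the sender wrote itself, including the HELO name, the Date:, and any Received: lines it chose to prepend, is under the sender's control.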

3.3 Reporting to FBI

Since this was potentially a very large fraud, involving many victims and crossing state and national boundaries, it is no doubt of interest to law enforcement officials. As I am a member of InfraGard, I decided to report the matter through InfraGard.[4]

3.4 Reporting to eBay

Finally, since eBay was being impersonated, it would likely want to be made aware of the incident in an effort to keep its users' accounts safe, perhaps locking out any that might appear to be involved in fraudulent activity.

It is noteworthy that the user who originally received the fraudulent email tried to find a way to report the incident to eBay, but was unable to find anywhere to report this kind of activity. Ultimately, we reported to fraud@ebay.com and watched to see whether a bounce came in. One never did, but as of this writing, five days after the incident, we have yet to receive so much as an acknowledgment from eBay.

4 Self-Defense

There are some lessons here for end-users of systems that can help them to avoid falling victim to online fraud.

1. Don't be rushed.

Fraud often depends upon someone making a quick decision, before having time to consider possible ramifications. Consider the original text of the fraudulent email: "This is the quickest way of getting information to us."

If, as had been stated in the email, the account data had been deleted, the critical data would be safe, and the worst case scenario would be that the user would not get something for which he won a bid.

2. Follow established procedure

If it seems strange to be asked for some kind of information in a strange sequence of events, or at a strange time, beware. If you made a credit card purchase, it would be either accepted or rejected quite soon, usually immediately.

If the vendor has a mechanism for entering sensitive information, follow it. Be wary of links in email that appear to take you straight to a page deep inside the vendor's site (deep linking): the text of a link and its actual destination need not agree, so reach the vendor's site by typing its address yourself.

3. Question things you don't understand

If it doesn't make sense for a vendor to ask for your credit card number, don't be afraid to question it. If the explanation sounds fishy, don't be afraid to question it. Remember that when you're doing the buying, you're the boss.

4. Verify that you're talking to the site you think you are

When you're connecting to a site that involves any kind of financial transaction, the connection should be "secured." In the browser, a small padlock will appear, and it will be locked. That tells you that the connection is encrypted and that the certificate was issued for the name in the address bar, but it does not tell you that this name is the site you intended to reach.

Clicking on the lock opens a dialog that lets you view the certificate in use. Check that the name the certificate was issued to, and the host name in the address bar, is exactly the one you expect and not a look-alike.

In this particular case, the fraudulent site made no serious attempt to impersonate a secured eBay server, so the lock never closed.
