Monday, July 2, 2007

PayPal phishing

Another little story from my past...

On June 16, 2007, I received an email in my inbox which was supposed to look like it came from PayPal, and it instructed me to reactivate my account. When clicking the link in the email I was led to a site looking exactly like PayPal, but I could see that the address was wrong.

I did a lookup on the IP address and found it to be located in Massachusetts, United States, and it looked like a standard DSL/cable address, not a hosted server. I took a quick look at the services running on the address and found an old version of a VNC (remote management program) server, which has a major security hole that makes it possible to log on and remotely manage the computer without using a username and password.

My curiosity was of course too big, and I went on a little visit to this computer using VNC. I quickly found the proof I was looking for: the scripts running the fake PayPal site and also a file where credit card numbers were written to, so there was no doubt at all that this was the computer that people clicking the link in the phishing email were redirected to. At the time I was visiting the computer, the owner of the computer also came online, so I could just sit and wait until he identified himself, as I could follow every move on the screen...

I had hoped that it would turn out to be the actual person behind the spam/phishing that I caught, so I could hand over the information to the police, but I quickly came to realize that this person was just being used.... It turned out to be a 14-year-old guy who was not very confident with computers, and he was way more interested in chatting with lots of different girls on MySpace than he seemed in the credit card numbers on his computer. So I identified myself and had a little talk with him. It was clear that someone else had used the same backdoor as me (VNC) to place the fake PayPal site on his computer and that he was totally unaware of this.

I couldn't convince him to call the police and ask them if they were interested in looking at the things installed, so I did the second-best thing. I helped the young guy delete everything from his computer that was installed by the persons behind the spam/phishing, including the credit card numbers already collected, and I helped him uninstall VNC, as he was clearly not using it anyway.

I fell asleep that night with a little smile on my lips.... thinking of the persons behind the spam/phishing and the look on their faces when they came back to get the collected credit card information and found everything deleted and the backdoor (VNC) removed..... They should think twice before placing their f***king spam in my inbox.

