This article was published on July 10, 2010

Counter-Phishing a Phisher



Editor's Note: I came upon this piece and thought it was a fascinating example of the tables being turned on someone attempting to scam someone out of their money via the act of phishing. Tal Raviv, the individual who decided to take the matter into his own hands, has kindly shared the story with us.

The exchange begins with an email to Raviv from his friend's mother's email account. The phisher had managed to gain access to her account and decided to send Raviv an email impersonating her, requesting money… urgently.

From: Victim’s Email Account
Sun, Jul 4, 2010 at 7:24 AM

Hello

How are you doing? we had a visit to London (United Kingdom) unannounced some days back, Unfortunately we got mugged at gun point last two nights. All cash,Credit card and cellphones were stolen,It was so traumatic;Thank God we have our life and passport saved,we have been to the embassy they are not 100% helpful so i concluded that returning back home will be the best option.we also have limited means of getting out of here,as we have canceled our cards So i won’t get a new card till i get back home.I really need your support & assistance as my flight leaves in few hours,but i have problems checking out of the Hotel,as i need to sort out some bills, Wondering if you could loan me some bucks to sort out the hotel bills and also take a cab to the airport,

i wait to hear from you

Kind Regards

[Name of Victim].

The victim was a mother of a friend. Not only was her email password hacked, but she was completely locked out of her own account. The scammers had also changed her backup ‘alternate’ email.

What would be the harm in responding gullibly?

Sun, Jul 4, 2010 at 10:22 AM
Oh no!!!!!!!! How can I help!? Can I send you money??

Sun, Jul 4, 2010 at 10:46 AM
Thanks for your quick response,at the moment am mentally unbalance as i can’t think straight,it was so traumatic,i will brief you in full as soon as i get home,i will appreciate you help me wire $1850 via westernunion asap so i can add up and sort my bills.don’t worry i will def refund it as soon as i get home.

this is all you need in sending the money via western union

Receivers Name: [Victim’s Name]

Location: 3 King Street Cloisters, London, United Kingdom

i wait to hear from you

Kind Regards

The Goal

The goal was not to identify or prosecute the individual since that’s likely impossible. The goal was simply to get back the victim’s password.

Two Ideas

Idea #1

Assuming they use the same password on all accounts they hijack, give them another email account that’s an easy one to take control of and see what they change the password to.
This would not work with the way most free email providers manage security.

Idea #2

They’re after money, so put the “money” behind a page that requires them to verify their identity [as the victim] via an “authenticate with your id” type page, hence phishing them back.

The Bait

After about ten more emails of me asking to send even more money (“How can $1850 be enough to return first class?”), I decided the only way to get the new password from the scammer would be to create one of those “log in with your credentials” pages on an old domain I still owned.

I used an old domain, made the index page all about “getting money during travel” and “saving for the future”.

I made a page at the URL:

www.*****.org/talsraviv/fund_request/emergency/

That looked similar to a “Sign in using your email credentials” page.

It had added details to make it seem more legit that there was money waiting on the other side.

Then, I responded:
Sun, Jul 4, 2010 at 12:24 PM

I am SO sorry this has taken so long.
They are saying it’s currently on hold or something so they won’t take my money. Something about the london branch has made it unoperational. I don’t understand and I think this is ludicrous.

Fortunately, my son reminded me that two years ago I created an emergency travel funds account on ———.org I can’t believe I didn’t think of it!!!!!

I just listed your email account as authorized to get money from it . . (it’s you and my five children who can access it in case of this situation.)

http://www.—————.org/talsraviv/fund_request/emergency/

and then use your email credentials to prove your identity and then it will give you the paypal code for redeeming the money.

There’s only $1500 there right now and you can take it out in $500 increments every 30 minutes I believe my son said.

I can’t wait to have you here safely!! What a story I’m sure you have to tell!

Tal

Success!

It took a lot of e-mail acting and coaxing the scammer, but it turned out the best motivation was to stop communicating with them until they simply became desperate and just went ahead and tried it.

The bait was taken at approximately 6pm.

Turns out the culprit had caught on that he got phished, and changed the victim’s email password again. So we were too late there.

BUT – and this is quick thinking on my friend’s part – what about the backup account (from another provider) he had used as the primary account’s “alternate email” that he also used to correspond with me?

IT WORKED ON THE ALTERNATE ACCOUNT! Our criminal had forgotten to reset THAT password too.

Then my friend told the primary account to send the alternate account reset instructions, re-secured the victim’s email account, and completely shut out the scammer.

Conclusions

  • Is there an opportunity here to help other victims on a larger scale?
  • Phishing is way too easy. There’s got to be a way to make login pages unique to disrupt large-scale phishing attacks. I’m not going to dedicate too much thought here. Banks better already be on this since there’s far more at stake for them.
  • Was my self-defense phishing illegal?
  • Are the scammers that stupid?

Oh. And one more thing.

When phishing gets broken, you get interesting data. Like the password they used was the name of a Nigerian man – my friend found him on MySpace.

And you can see login records, which allow one to do this.
