[linux-elitists] Go phish

Rob McGee list+Elite@nodns4.us
Sun Oct 31 10:56:24 PST 2004


Phriends, here it is, the business opportunity of the 21st Century:  
good old-phashioned misrepresentation fraud ... illegal in most 
jurisdictions worldwide, yes ... but with a little high-tech twist YOU 
TOO can phind your phortune in phishing.

I phound a phishy message in one of my old POP3 accounts a week ago. 
Usually I don't even look at them, but I did look at the headers of 
this one, and I saw that it was coming phrom my very own co-lo 
provider, Hurricane Electric (he.net) in Phremont, Caliphornia USA.

I didn't like the sound of that. When people blacklist all of he.net 
they blacklist me. So I reported it to abuse at the phisher's domain, 
risingwire.com, and to he.net.

Note again, this isn't just plain spam, this is criminal phraud. Phour 
phine pholks posted this phish:
http://groups.google.com/groups?oi=djq&as_q=risingwire.com

The night I got it I had some phun with the payload URL, which was a 
very convincing-looking phake of a Paypal page ...
# Everything before the "@" is userinfo, not the host: the real site is
# mein.digitalkamera.de. The %00 exploited an old Internet Explorer
# address-bar bug that displayed only the text in front of it.
URL='http://www.paypal.com%00@mein.digitalkamera.de/DKFM/index.htm'
COUNT=0
while true ; do
  wget -O- "$URL" &> /dev/null    # bash-only: discard stdout and stderr
  COUNT=$(($COUNT + 1))
  echo -n "${COUNT} "             # whitespace for readability
done

I had that running in phive terminals, and when I got up the next 
morning my phinal $COUNT totals were 185576. I phigured that site 
couldn't exactly report me to abuse@$MY_ISP, and even if they did, 
MY_ISP="comcast.net" # well known for poor handling of complaints. 
(That phollowing morning the page was returning 404's. I have no way of 
knowing at what point they took it down, but I hope they enjoyed my 
phlooding.)

When my complaint hit abuse@risingwire.com I got an immediate 
auto-response; phast because it's in the same building as my server. They 
assured me they would investigate and take action. Gave me the warm 
phuzzies, that did.

What the heck, I went to one of the URL's ... "This account has been 
suspended," it says, "see http://abnormis.net/". Nice.

So in one of my phew remaining terminals (this was while all the 
phlooding phun was going on) I looked up "whois risingwire.com". Then,
"whois abnormis.net". Damon Andrews (dns@risingwire.com), registrant of 
abnormis.net, has suspended the account belonging to Damon Andrews 
(dns@risingwire.com).

Now mind y'all, I'm a dumb Southern redneck, but to my dumb Southern 
redneck eyes, that looks like it might be the same pheller.

I stayed up late that night and wrote again to abuse@he.net. This time  
I added abuse@enom.com, the registrar. Please cut off this criminal's 
network access and DNS, I asked.

The next day, Monday, I looked around ophicial Caliphornia gov't sites. 
I came to a place where I could put in a complaint to the Attorney 
General. Sounds like they should have jurisdiction, right? Both the 
physical machine and the phisher's address are in Caliphornia.

(The auto-response from the CaAG ophice came using a phalse sender 
domain, so initially my server rejected it. I had to whitelist them to 
be able to receive it!)

http://www.risingwire.com/ ... it's still there. (Look around, it 
appears to be a skeletal site. Most of the PHP links have no content.)

So ... let's not let this opportunity pass us by. Let us all place our 
co-lo boxes with Hurricane Electric, and get rich off of people who are 
too stupid to hitchhike on the Inphormation Super-highway. Have no 
phear of interpherence.
-- 
    Rob - /dev/rob0 -- http://nodns4.us/dev/rob0
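The payload URL in the post relies on the userinfo part of a URL (everything between "http://" and "@") being ignored for routing, so the browser connects to mein.digitalkamera.de while a careless reader sees "www.paypal.com". The following is an added example, not code from the original post, showing how to pull the real host out of such a URL and flag the two tricks it combines (a brand name in the userinfo, and a percent-encoded control character). The SUSPECT_BRANDS list and the second test URL are constructed for the example.

```python
from urllib.parse import urlsplit, unquote

# Constructed list of brands a phisher might plant in the userinfo.
SUSPECT_BRANDS = ("paypal.com", "ebay.com")

# The URL quoted in the post (the only real input here).
PHISH_URL = "http://www.paypal.com%00@mein.digitalkamera.de/DKFM/index.htm"


def analyze(url):
    """Return the host the browser will actually contact, the userinfo
    shown in front of it, and a list of warnings about deceptive parts."""
    parts = urlsplit(url)
    real_host = (parts.hostname or "").lower()

    # RFC 3986: authority = [ userinfo "@" ] host [ ":" port ]
    # rpartition keeps any "@" that may appear inside the userinfo itself.
    userinfo = parts.netloc.rpartition("@")[0] if "@" in parts.netloc else ""
    decoded = unquote(userinfo)

    warnings = []
    if userinfo:
        warnings.append("userinfo present: ignored for routing, shown to the user")
        # %00 / %01 style truncation: any C0 control character in the userinfo.
        if any(ord(c) < 0x20 for c in decoded):
            warnings.append("control character in userinfo (address-bar truncation trick)")
        for brand in SUSPECT_BRANDS:
            if brand in decoded.lower() and not (
                real_host == brand or real_host.endswith("." + brand)
            ):
                warnings.append(f"'{brand}' appears before '@' but real host is {real_host}")

    return {"displayed_prefix": userinfo, "real_host": real_host, "warnings": warnings}


if __name__ == "__main__":
    for u in (PHISH_URL, "https://www.paypal.com/signin"):
        r = analyze(u)
        print(u)
        print("  real host:", r["real_host"])
        for w in r["warnings"]:
            print("  !", w)
```

Note that `urlsplit` does not percent-decode the userinfo, so the `%00` survives into `displayed_prefix`; it is only decoded for the control-character check. A legitimate PayPal URL produces no warnings because its real host ends in the brand's domain.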