Phishing Phor Phishers

August 31, 2006 on 4:56 pm | In Foobars, Funnyish, Insider View, Musings, Rants by Josh Jones |

Phinding Nemo!

A funny thing happened to me on Tuesday.

Well, really it happened to my wife. But I hear being married is all about sharing.

We had just finished dinner when she casually mentioned we were getting a tax refund.

“Oh?” I responded…

“Yeah, I got an email”

“OH???????”

I immediately had a sinking feeling.. had she been PHISHED?

How aLUREing!

I asked if she’d given her credit card number out?

“Yes.”

Social Security Number?

Yes.

MY Social Security Number?

NO! Sheesh, what do you take me for?!

Which credit card?

Our Visa check card.

Oi! That’s a bad one! I’m not sure the kind of fraud protection we have on it, and it’s tied to our bank account directly!

Before even inspecting the email, I called in and had them cancel the card. Hooray, no charges had gone through yet!

Honey, didn’t I warn you before about PHISHING scams?

Well, yes.. but I forwarded it to you on Monday and you never wrote back! So I just did it.

I never saw that email! (Sure enough.. it was caught in my spam filters. Makes sense!)

Couldn’t you have called me on the phone or even asked me in person on Monday night or Tuesday morning?!

I forgot about it until I checked my email again!

Anyway.. let me see the email you got.

And here it was..

Date: Mon, 28 Aug 2006 11:58:14 -0500
To: joshswife@yahoo.com
Subject: Tax Information - joshswife@yahoo.com - (Code 7863-3843)
From: “IRS.gov”

God bless the IRS!

Account : joshswife@yahoo.com Number : 7863

After the last annual calculations of your fiscal activity we have determined that you are eligible
to receive a tax refund of $191,40. Please submit the tax refund request and allow us 5-7 days in orders to process it.

A refund can be delayed for a variety of reasons. For example submitting invalid records of applying after the deadline.

To access the form for your tax refund, please click here.

Regards,
Internal Revenue Service

Here are the immediate red flags that go off in my head when I get emails like this:

Right off the bat, any email I get from an address I’ve never received one from before has a 99% chance in my mind of being a spam, scam, or some kind of an annoyance.

I never get tax refunds! Ever ever ever. It’s not fair.

The IRS and state taxing authorities don’t send notices via email.

The IRS and state taxing authorities don’t have my email address.

They DO have my name and SSN, and would probably put those in an email, IF they had my email address and IF they sent emails.

There’s a typo in the email.. it says “of” where it should have said “or”.

They used a comma instead of a period for the decimal point in the dollar amount! That may fly in Europe, but god bless the IRS, this is America!

The link takes you to thistlejack.com!

But, believe it or not, my wife is not stupid. In fact, she has a PhD from Harvard!

Not my wife.

For real.

Too bad she doesn’t run a web hosting company!

There’s no better training against phishing scams than having dozens of fraudsters a day attempting to send them from your servers!

But for the rest of you LOWLY Internet users, phishing scams work. And I think I know why:

They send a lot of phishing emails.

Just by sending a lot of messages, they’re going to catch a tiny percent of people who were specifically waiting for that email!

Even the almighty Josh nearly fell for an Ebay phishing scam once when I got the phish the very moment I had just won an auction.

And of course, a tiny percent of people are going to go for it even when they weren’t expecting an IRS refund, a paypal payment, or an ebay auction.

They prey on people’s greed or fears.

To my wife’s credit, (she claims) there were a LOT of red flags and alarms going off in her head while she filled out that form. But the lure of the $191,40 was just too strong!

And we’re rich!

People are getting really comfortable with “e-commerce”.

My wife doesn’t really care too much about giving out her credit card info online. Really, why should she? You’re not generally liable, and we should have the replacement card in the mail tomorrow. I do wish she was a little less comfortable with giving out her SSN though…

The thing is, how often in the real world do you come across an individual or business who is really trying to scam the crap out of you? Hopefully not too often in this country at least. It just doesn’t really happen. But on the Internet, it really does happen. Millions of times per day.

Fortunately, a lot of people are still deathly afraid of this “Internets”, and won’t give out anything to anybody! Or maybe that’s not fortunate.. because really, you’re not generally liable.

People are technically naive.

Honestly, it’s pretty easy to look at a URL and know if it’s legit.

Or is it?

I was trying to explain to my sister-in-law how to know. Basically the best I could do was “If the VERY first part of the URL is the correct domain name, and only the domain name, and doesn’t have a dash or something before it, but it’s okay if it has a dot before it, as long as it doesn’t have a slash before the dot, then it’s the right site!”

In fact, my wife was even like:

Well, I knew thistlejack.com wasn’t irs.gov, but you know how sometimes websites link off to some other server for their payment processing? And when I clicked all the links on the site, they were legit.

Because the links WERE to irs.gov!

Even the fact the page wasn’t secure didn’t faze her!
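The rule of thumb above comes down to one check: parse the URL and compare only its host, never anything after the first slash. The following is an added example, not code from the original post, written in JavaScript with the same URL parser browsers use. The first sample is the phishing link quoted in the abuse report further down this page; `checkLink`, `EXPECTED` and the other sample URLs are constructed for illustration.

```javascript
// Added example, not code from the original post.
// EXPECTED, checkLink and every sample URL except PAGE_URL are constructed.
const EXPECTED = 'irs.gov';

// The phishing link as quoted in the author's abuse report on this page.
const PAGE_URL =
  'http://www.thistlejack.com/photobus/g2data/sessions/www.irs.gov/pas.php';

function checkLink(rawUrl, expected = EXPECTED) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG URL parser, the rules browsers follow
  } catch (err) {
    return { ok: false, host: null, secure: false, reason: 'not a parseable URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, host: null, secure: false, reason: 'not a web link' };
  }

  // The parser lower-cases the host. Drop a trailing root dot ("irs.gov.").
  const host = url.hostname.replace(/\.$/, '');
  const secure = url.protocol === 'https:';
  const want = expected.toLowerCase();

  // Only two shapes pass: the domain itself, or labels added to its LEFT
  // and joined with a dot ("forms.irs.gov").
  if (host === want) {
    return { ok: true, host, secure, reason: 'exact domain' };
  }
  if (host.endsWith('.' + want)) {
    return { ok: true, host, secure, reason: 'subdomain of expected domain' };
  }

  // Mismatch. The reason records why the link may still look right at a glance.
  const afterHost = (url.pathname + url.search + url.hash).toLowerCase();
  let reason = 'unrelated host';
  if (host.includes(want)) {
    reason = 'expected name embedded in a different host';
  } else if (afterHost.includes(want)) {
    reason = 'expected name appears only after the first slash';
  }
  return { ok: false, host, secure, reason };
}

// Constructed samples (except PAGE_URL) covering each clause of the rule.
const SAMPLES = [
  PAGE_URL,
  'https://www.irs.gov/refunds',
  'https://forms.irs.gov/status',
  'http://www.irs.gov.refund-desk.example/form',
  'http://tax-irs.gov/refund',
  'http://refund-desk.example/?from=mail',
];

function report(urls = SAMPLES) {
  return urls.map((u) => ({ url: u, ...checkLink(u) }));
}

for (const r of report()) {
  const verdict = r.ok ? 'OK  ' : 'FAIL';
  console.log(`${verdict} ${r.secure ? 'https' : 'http '} ${r.host}  (${r.reason})`);
}
```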

What was I to do?

I already canceled the credit card. But I wanted more! I wanted to shut this guy down, and I wanted to make sure nothing happened to my wife’s SSN.

First, I did a whois lookup on thistlejack.com and called the owner, Mr. Robert Stirling.

I knew he wasn’t the phisher. Nobody in the US phishes, and nobody uses real contact info when registering a domain for phishing! It looked like from the URL that the phisher had exploited a hole in a photo gallery script he had installed. (Which is why we have mod security for our happy hosters!)

Fortunately, he answered the phone.. I explained the situation and he was very, very, cooperative and helpful!

He logged in to his domain, took the phishing site down (it’s down now), and then at my request emailed me the source code for their web form. I wanted to see what was happening to the data.

Just as I might have guessed, it was being emailed off to two separate anonymous yahoo.com email addresses.

I immediately emailed abuse and postmaster@yahoo.com, got a tracking number back and started waiting. And waiting. (I’m still waiting…)

I couldn’t wait anymore!

I had to do something (besides call the credit reporting agencies and tell them what happened)!

And then it hit me!

Maybe I could fill this jerk’s mailboxes with enough BOGUS DATA that he’ll just give up on it all and not realize that my wife’s info was for reals!

Of course, it wouldn’t be too hard for him to realize all submissions after a certain time were fake.. but hey what did I have to lose?

I took the source code from that script and made up my own that sent an identical email to those two addresses, but with randomly generated info!

In this picture, are you on the left or right? I know that I'M on the left!

It was fun!

I set it up with a cron job to run every 20 minutes (but I put a random sleep of 1-20 minutes at the front so they didn’t come in too regularly).. it’s still going right now.

I’m going to keep it going until I hear back from Yahoo!.. and just FYI, here’s the output they were receiving from their phish:

Date: Thu, 31 Aug 2006 16:58:15 -0700 (PDT)
From: thistlej@server4.whmsecure.com
To: phisher@yahoo.com
Subject: IRS - Full

[ . . . : : : IRS FOUNDS : : : . . . ]
Social Security Number: 356 - 00 - 0258
Name On Card: Robert Rieger
Card Number: 6105341453830068
Expidation Date: 12 / 2007
CVV: 123
PIN: 5702
[ . . . : : : IRS FOUNDS : : : . . . ]

(Don’t worry, that’s a fake one I generated!)

In closing…

Phishing scams are pretty darn effective. They’re tricky, and they’re lucrative!

Or do!

Anyway, my wife’s pretty embarrassed about the whole thing and made me promise not to tell anyone.


154 Responses to “Phishing Phor Phishers”

  1. viperteq Says:

    So, um, I guess she’s gonna kill you now huh?

  2. Doufer Says:

    And you’re spamming!!! Strange thing to read from you…. But fear in this case, I think.

    ( :

  3. compulov Says:

    I won’t tell her, I promise!

  4. Dufus Says:

    Oh! - This explains the Comcast fiasco!!

  5. Andy Says:

    Josh, why you not like the way European use of grammar?

  6. ttancm Says:

    My wife used to use my computer, but I ended up buying her one of her own after weekly virus infections, trojans and being emailed from having email sent from me/her by every “SMS buddy circle” BS scam on the planet.

    Now her pc is isolated from the home network, and she’s not allowed to sign up for or buy anything without showing it to me first after sending a lot of information to some very bad people.

    In Japan, where I live, the Japanese and Chinese mafia both run phishing and extortion scams, they even have sites here they call “one click obligation” sites, where if you click any link on the site it runs through a fake sign-up process which shows an animated gif which makes it look like you just agreed to pay for something and at the end it displays a bank account number for you to transfer money to, usually at least $500, and people actually transfer the money, no services received. But if you were unfortunate enough to give out your telephone # or email you get contacted by some less than friendly people. You can hear an example phone call at http://www.youtube.com/watch?v=bBENSGykwwo
    the video is actually from the news here where a “legal” big corporation who makes loans called this old man and threatened him, the screaming end of the conversation is the “company”, this story made big news here, but while that company is temporarily shut down there are at least 4 other big corporations who work the same way… gotta love a government controlled by the mafia.

    I’d like to pretend we got rid of our problem by me toughing it out and threatening to kick their proverbial asses, but I just always pretended I couldn’t speak Japanese when I answered phone calls from them and they eventually got sick of it and gave up, mobsters = not the most multi-lingual bunch of people on the planet.

  7. Nathan Friedly Says:

    > Anyway, my wife’s pretty embarrassed about the whole thing and made me promise not to tell anyone.

    LOL

    but I hope your wife doesn’t look like the asian fellow in the for real picture!

  8. Getting Nothing Done / DreamHost CEO Josh Jones’ Wife Falls for Phishing Scam Says:

    [...] DreamHost Blog [...]

  9. Sylvain Says:

    have you thought of putting a freeze on your credit file with the three credit bureaus? there is a how-to on California gov page (it might not be possible in other states for some odd reasons — anyone knows?):

    http://www.privacy.ca.gov/sheets/cis10securityfreeze.htm

    If you are used to apply for credit and/or open new bank account often, it can be a bit of a drag, but it can help protect you from the consequences of having been ‘phished’.

    –Sylvain

  10. Unofficial DreamHost Blog Says:

    Maybe your wife needs a spam filter?

  11. not important Says:

    Spam Filter for and against all women in this world! Yeah. Just imagine all the talk that would be blocked in real life.

  12. helge Says:

    hilarious! thanks for sharing!

  13. Phishing. Says:

    [...] Nice story, Phishing Phor Phishers. [...]

  14. Matthijs Says:

    > Anyway, my wife’s pretty embarrassed about the whole thing and made me promise not to tell anyone.

    Won’t tell anyone!

  15. Norm Says:

    I have often thought about replying to those phishers with incorrect information but never bothered. I suppose thinking about it and what you did is probably the best thing to do.

    If everyone replied to a phish with incorrect details it would swamp any phishae sent by gullible people. (not suggesting your wife is gullible)

    $191,40 instead of $191.40 would be the wrong way in the UK as well. So that *proves* we are not in Europe :)

    What would your wife do with an email from a Nigerian Chief who sadly had all his chickens killed but still managed to save $118,000,000.00 and just needs help to …

  16. greggles Says:

    Heh - very entertaining as always. And I like the vigilante bent to it. I recently engaged in my own vigilante measures against a keyword stuffing, no good, trademark enforcing fool.

    http://knaddison.com/seo/trademarks-and-keyword-stuffing

    It’s nice when you can find someone using technology to screw people, and then use the technology right back on them.

  17. Ian Clifton Says:

    Yeah, I always give out my credit card number to people who say they are going to give me money. Now my statement online shows really big numbers in red, so it must be working!

  18. Sheldon Kotyk Says:

    The #1 red flag for me was that the IRS would never send an email saying that they OWE money. Why? It’s way too fast.

    They send it over land by carrier pigeons that can’t fly. That way they can collect as much interest on your money as possible.

  19. Josh Jones Says:

    Update!

    Yahoo Abuse is retarded!

    I got a response from them this morning:

    Hello,

    Thank you for writing to Yahoo! Mail.

    Unfortunately, your message to us was missing the full Internet headers.
    Without the full headers we will be unable to further investigate this
    matter.

    Email headers are used to deliver a message over the Internet and
    contain a record of the specific route that the message took. Full
    header information is included in every message that is sent. Depending
    on the setup of your email account and/or server, however, this header
    information may not be visible or otherwise available to you. Please
    consult with your email administrator or email program help information
    to determine the availability of this full header information.

    At this time, we will need you to forward a copy of the message, as
    opposed to sending it as an attachment, because we are currently unable
    to accept attachments. Please include the following in your report of
    email abuse to assist us in a prompt and full evaluation:

    1. Original subject line — Please forward the email with a subject
    identical to the original subject.

    2. Complete headers — Email programs often display abbreviated
    headers. To learn how to display the full headers in a Yahoo! Mail
    account, please visit the Yahoo! Mail Help Desk at:

    http://help.yahoo.com/help/us/mail/config/config-11.html

    For non-Yahoo! Mail users, please refer to the URL below for information
    on how to get the full headers for your particular email client:

    http://www.haltabuse.org/help/headers/index.shtml

    3. Complete message body — Please include the complete, unedited
    content of the email message in question. Please do not change or edit
    the message in any way.

    If reports of email abuse are missing any one of these three items, we
    may not be able to further investigate such reports. We appreciate your
    efforts in reporting this abuse to Yahoo!.

    Thank you again for contacting Yahoo! Customer Care.

    Regards,

    Michael

    Yahoo! Customer Care
    http://www.yahoo.com/

    25643879

    This was in response to my message:

    Hello Yahoo!

    My wife got a phishing spam (joshswife@yahoo.com .. in her “To Keep” folder now) that led her to:

    http://www.thistlejack.com/photobus/g2data/sessions/www.irs.gov/pas.php

    (the http://www.irs.gov part has been renamed to dorkdorkdork by the website’s owner whom I contacted. His gallery photo album software installation had been hacked.)

    It turns out the phishing results were getting emailed to two yahoo addresses you host: phisher1@yahoo.com and phisher2@yahoo.com, with the subject “IRS - Full”.

    I was hoping you could disable those accounts, and if possible delete the emails from them with that subject? My wife fell for it today and gave up her ssn and a credit card. I already canceled the card but was hoping to mayyyyybe save her SSN from any future nefarious purposes!

    Also, if you have any logs of ips used to log in to those accounts and times, I’d love to have them if you would give them to me.

    Thanks,
    josh!

    Urgh.. where do email headers enter into it?!

    And you thought our support was bad! :)

  20. TB Says:

    Ask your wife to use Thunderbird, it’s got a nice scam detecting feature, there’s a button that shows up top of every scam positive email in case it isn’t a scam.

    Shame on you for spamming though. Another one of those “ends justifying the means” arguments…

  21. Nate Cavanaugh Says:

    The benefit of Josh spamming this guy is that he no doubt is some script kiddie in Bangladesh or wherever who has multiple phishing sites set up on multiple exploited servers.

    Now he is getting polluted information, and will hopefully scratch the whole bunch because it will be too much of a pain to validate all of it.
    *Hopefully*.

    BTW, there is nothing wrong with spamming a phisher. In the same way that it’s not wrong for a government to “kidnap” and imprison a criminal, it is not wrong for a person to “spam” a phisher.

    ESPECIALLY when it has a zero casualty liability.

    Or maybe my view of vigilante spamming is a bit lax.

  22. CarlenLea Says:

    Dude - that’s a f—ing brilliant response to a scam like that. Anyone can get taken — no matter how smart you are. I love flooding his mailbox with fake emails.

    That should get Yahoo’s attention too!

  23. bwd Says:

    She gave out her social security number? I can understand a lot of mistakes, but that’s a huge one.

  24. blue_halo Says:

    Wonderful entry! I’ll be showing this to everyone I attempt to explain phishing to! I especially liked the bit where you gave ‘em a taste of their own medicine.

  25. AlanCase Says:

    Great thing you did. Wish I was savvy enough to do the same thing - I get 4 or 5 a week of those things.

    Two more things going on at eBay I’ve experienced (but did not get caught): (1) you get a message looking like a question from a prospective buyer and the REPLY button takes you to a logon port where they collect your name and password, (2) you get a cashiers check for thousands more than the item you’re selling directing you to - after the check “clears” - send money to a third party by Western Union for “shipping” fees. That cashiers check is bogus, but will not bounce for two weeks as it takes the system that long to get to the listed issuing bank. You are then liable for the amount of the phony check. Nice.

  26. aswmbo Says:

    Great story!

    That’s going to all my friends as a way of educating/warning them about phishing!

  27. Blackmoor Vituperative » Phishing Phor Phishers Says:

    [...] Phishing Phor Phishers [...]

  28. Byron Canfield Says:

    I was going to send the URL of this blog to some relatives, including my mother, to increase their awareness of Phishing, but there is uncalled for vulgarity in one of the messages, above, that makes it imprudent for me to do so.

    Too bad — this would have been quite educational for them.

  29. anonymous government cog Says:

    I had a similar thing prepared. I work for a state government agency that is responsible for distributing large sums of money to people. We found out that someone was sending out emails from @yahoo.com.

    Lots of people responded, apparently, so I requested a copy of the letter he was sending out. At which point I crafted a boilerplate response, then gave it randomization through xslt transforms so that it could not be filtered without removing useful data as well.

    Then I incorporated all of this into an application called Azrael.exe. Unfortunately, working for the state or federal government involves numerous layers of obfuscation and responsibility, and by the time I had approval to do it, yahoo had shut them down.

    Next time, however, I’ll just do it from home :D

  30. Spelling Fascist Says:

    [sigh]…

    faze

    phase

  31. Dirk Penus Says:

    You have to see the positive side: a couple of blowjobs and maybe some anal are in order.

  32. Paper Brigade News » Blog Archive » DreamHost CEO Josh Jones’ Wife Falls for Phishing Scam Says:

    [...] Jones’ wife thought they were due for a fat tax refund do to a courteous IRS email. She promptly emailed away their Social Security and Visa Check Card Number. Josh stated, “But, believe it or not, my wife is not stupid. In fact, she has a PhD from Harvard! “read more | digg story [...]

  33. DV Says:

    Can you post a copy of your script?

    Might come in handy one day!

  34. discarded lies - hyperlinkopotamus Says:

    They’re phishing for you; don’t bite….

  35. DreamHost CEO Josh Jones’ Wife Falls for Phishing Scam » News around the World Says:

    [...] Jones’ wife thought they were due for a fat tax refund do to a courteous IRS email. She promptly emailed away their Social Security and Visa Check Card Number. Josh stated, “But, believe it or not, my wife is not stupid. In fact, she has a PhD from Harvard! “read more | digg story [...]

  36. shmu Says:

    Some companies, I believe ebay is one of them, say NEVER to respond to a click request in an email. Log into the company’s site and go to your account that way. I know not everyone operates that way. If I’m suspicious, I take the time to email the company’s abuse department and ask for advice.

    P.S. I love Josh’s response, too.

  37. GPS Says:

    It’s funny…how so well educated and smart people can be victim of phishing.
    What about all of us…not so smart people? I won’t blame myself if I got phished some day..:)-

  38. Josh Jones Says:

    Okay, here it is… phish.pl!


    #!/usr/bin/perl
    use strict;
    use warnings;

    # Pipe to sendmail; -t reads the recipient from the message headers.
    my $sendmail = "|/usr/sbin/sendmail -t";

    sleep 60*rand(20); # since this runs every 20 mins, let's let it randomize within 20 minutes when it runs.

    # names.txt holds one name per line.
    open (IN, 'names.txt') or die "Can't open names.txt: $!";
    my @names = <IN>;
    close (IN);

    my $name = $names[int(rand(@names))];
    $name =~ s/\n//;

    my ($ssn1,$ssn2,$ssn3,$ccnumber,$expdate_month,$expdate_year,$cvv2,$pin) = &GetRandoms;

    foreach my $email ('phisher1@yahoo.com','phisher2@yahoo.com') {

        # Headers, then a blank line, then the body.
        my $message = "From: thistlej\@server4.whmsecure.com\n"
                    . "To: $email\n"
                    . "Subject: IRS - Full\n"
                    . "\n";
        $message.="[ . . . : : : IRS FOUNDS : : : . . . ]\r\n";
        $message.="Social Security Number: $ssn1 - $ssn2 - $ssn3\r\n";
        $message.="Name On Card: $name\r\n";
        $message.="Card Number: $ccnumber\r\n";
        $message.="Expidation Date: $expdate_month / $expdate_year\r\n";
        $message.="CVV: $cvv2\r\n";
        $message.="PIN: $pin\r\n";
        $message.="[ . . . : : : IRS FOUNDS : : : . . . ]\r\n";
        $message.="\r\n";

        open (MAIL,$sendmail) or die "Can't run sendmail: $!";
        print MAIL $message;
        close MAIL;
    }

    # Returns random SSN parts, card number, expiry month/year, CVV and PIN.
    sub GetRandoms {
        my $ssn1 = int(rand(10)) . int(rand(10)) . int(rand(10));
        my $ssn2 = int(rand(10)) . int(rand(10));
        my $ssn3 = int(rand(10)) . int(rand(10)) . int(rand(10)) . int(rand(10));

        # First digit is 3..6; a leading 3 gets 15 digits in total, the rest 16.
        # The remaining digits are random; no check digit is computed.
        my $ccnumber = int(rand(4))+3;
        my $times = 15;
        $times = 14 if $ccnumber == 3;
        my $i = 1;
        while ($i <= $times) {
            $ccnumber .= int(rand(10));
            $i++;
        }

        # Month 1..12, zero-padded about half the time.
        my $expdate_month = int(rand(12))+1;
        if (int(rand(2)) == 1) {
            if ($expdate_month < 10) {
                $expdate_month = '0'.$expdate_month;
            }
        }
        # Year 2006..2009.
        my $expdate_year = '0'.int(rand(4)+6);
        $expdate_year = '20'.$expdate_year;
        # 3-digit CVV, or 4 digits for the 15-digit card.
        my $cvv2 = int(rand(10)) . int(rand(10)) . int(rand(10));
        if ($times == 14) {
            $cvv2 = int(rand(10)) . int(rand(10)) . int(rand(10)) . int(rand(10));
        }
        my $pin = int(rand(10)) . int(rand(10)) . int(rand(10)) . int(rand(10));

        return ($ssn1,$ssn2,$ssn3,$ccnumber,$expdate_month,$expdate_year,$cvv2,$pin);
    }

  39. Dave Says:

    The saddest part of the whole matter is that it wouldn’t be funny unless we all know at least one person who has fallen for such things. Trying to teach people to spot such things before they act is nearly impossible, the idea of getting something for nothing is always too tempting to the public as a whole.

  40. Anonymous Says:

    “But, believe it or not, my wife is not stupid. In fact, she has a PhD from Harvard!”

    Actually, my friend, your article makes her seem like the biggest idiot on the planet.

    I hope she doesn’t realize that your post is on the Internet, otherwise you should prepare to sleep on the couch.

    Other than that, thanks for the heads up.

  41. Teeth Maestro Says:

    Well done - I hope with all this work we can nab all of them one by one

    Love the entire narration

  42. GL Says:

    A PhD doesn’t absolve someone from every day shit. Your wife is stupid. Stupid is ignorant and ignorant is the only thing I can consider this.

  43. geoffreyhale Says:

    Dahaha, he messed with the wrong family.

    Ps. Attending Harvard doesn’t make you smart. Getting there doesn’t mean you’re smart. But graduating from Harvard is a good sign you’re not a dumbass. =)

  44. Elze Says:

    > It looked like from the URL that the phisher had exploited a
    > hole in a photo gallery script he had installed. (Which is why
    > we have mod security for our happy hosters!)

    Could you point me to more information about mod security?

    What was the photo gallery software he used, if I may ask? Was it Gallery, by any chance? I installed Gallery on my website because it’s one of the one-click installs DreamHost provides, which made me think Dreamhost thinks Gallery is a good choice both feature-wise and security-wise. Later I read somewhere that Gallery has security holes. And now your post made me wonder if the unwitting hoster of the scam site used the same software. I am quite worried about this scenario happening to me (i.e. unknowingly ending up hosting a scam site).

    Anyway, can you please let me know what “mod security” is, and how do I use it, and how would I use it to help protect myself from this problem?

    Thank you.

  45. Daniel Says:

    Wow, you write great blog posts. Just wanted to say I came from digg, nice story, and great hosting (I’m hosted with dreamhost.com as we speak).

  46. DisgruntledCustomer Says:

    So, your wife doesn’t use Dreamhost as her email provider? I can tell, because she actually received an email sent to her.

    If only you could provide the same for us…

  47. Vanyel Says:

    I have to agree: anyone with a PhD ought to know by now you *never* trust a link in email. I don’t even try to tell people how to tell if it’s good or not, because it can be hard to tell even for people who are experts. You can go to the known good url manually and login. If it’s legitimate, there will be info there that matches the email. And you never do anything financial that isn’t SSL protected and verified.

  48. Chris Says:

    http://unitt.myby.co.uk/scam.zip

    This is something I knocked together in about 10 minutes when I was really bored and tired of getting phishing emails.

    I know it’s the most hacked together thing ever and you have to have popups disabled on your browser for it to work but I’m sure it will annoy the phishers, or at least fill up their mailbox with junk.

  49. The Grubesteak Says:

    Visa check cards have the exact same protection as Visa credit cards. It’s in the fine print.

  50. Chris Says:

    oh yeah, you’re going to have to change the form in scamkiller to match the form on the phishers site :)

  51. Chuck Says:

    Sign up for lifelock or a related credit protection service ASAP!

  52. simplehiker Says:

    Man Josh you totally owe me for this one… getting your wife’s most embarrassing story on digg front page! This will have to go down as a legendary story in your house.

  53. mra Says:

    there are no phishers in US? pls give me a break; i almost got hooked for one on the phone where this nice white sounding girl wanted to sell me something.

  54. Daniel Aborg Says:

    Are you generating valid CC numbers (with valid hashes)? Otherwise they could easily figure out which entries are bogus by dropping the ones with invalid CC numbers.

  55. Josh Jones Says:

    Blogs work!

    I just got this:

    Subject: Please have Josh Jones contact me re: blog phishing
    Sent: Sep 1 2006 13:42 PST

    I work at Yahoo on phishing-related matters (and I’m one of your customers) and I can both report the phishers he wrote about and tell him where to send future reports. Thanks, Jen King

  56. cardoso Says:

    Think Yahoo is bad? Try reporting to Google. Both don’t give a shit about scammers. I run a security-related site in Brazil and believe me, there’s nothing worse than Starmedia and other french/spanish providers. Some don’t even list a contact mail, just phone numbers.

    I advise my users to simply block the entire domain in their HOSTS file.

    Oh, there are a lot of phishing sites using chinese hosts. Never received a reply from them, even when I manage to find a mail address (HTML source is your friend).

  57. Jon Says:

    Honestly, why did you email them?

    I would have called the Yahoo offices and get them on the phone. I also would have called the IRS and FBI.

    You have current info on a phishing scam - if yahoo played along, they could have been waiting on that account to log in and track down the user by IP (assuming they’re not going through proxies )

  58. Josh Jones Says:

    Whoaza, and I also just got:

    Subject: Josh Jones Phishing Scam
    Sent: Sep 1 2006 13:27 PST

    Hello,

    I am the Internet Crimes Program Manager for the Criminal Investigation Division of the IRS. I linked Mr/Mrs. Jones’ story off of Digg.

    I would be very interested in hearing from Mr. Jones about his wife’s Phishing experience.

    Sincerely,

    Special Agent James M. Adriansen
    Internet Crimes Program Manager
    IRS-CI / Electronic Crimes Program

    I’ll give him a call!

  59. pax Says:

    Way to Go!! I have always wanted to get back at these guys!

  60. Jenny Says:

    It’s good to know that the hosting company I use is run by someone who is both clever and attentive.
    Good show.

  61. Seal Says:

    My mom once got a phishing email from eBay.
    She didn’t have an eBay account.

    The mail, which didn’t identify her by name or anything, warned her that her account had been compromised at eBay. She was asked to log in to rectify the situation.

    As she had no login, she registered on the phisher’s fake eBay site and submitted all her information. That’s when I walked by, and she asked me what I thought of that website.

    D’oh.

  62. john Says:

    oh sure, you had to say you’re rich…

    no sympathy now!

    heh

  63. Mark Lyon Says:

    You have Zero liability for unauthorized Visa Debit Card use:

    http://usa.visa.com/personal/security/visa_security_program/zero_liability.html

    “The Zero Liability policy covers all Visa credit and debit card transactions processed over the Visa network—online or off. The only transactions not covered under the Zero Liability policy are commercial card, ATM, and non-Visa-branded PIN transactions.”

  64. Black hand Says:

    Now Josh is gonna get all the kiddies from DIGG posting here trying to cause trouble… great.

  65. Karvin Rhodes Says:

    “Nobody in the US phishes”

    Huh? One of the most greedy, corrupt places in the world and you don’t think phishing occurs there? I think you are mistaken.

    Other hosts offer easy updates through CPanel. Security updates to Gallery, Coppermine, and about fifty other web apps. Dreamhost seems to prey on the clueless AOL-user type of person, keeping them uninformed and hiding what possibilities are available to them at other hosts.

  66. sal Says:

    Hey Josh:

    Could you post a better picture of your wife. The one in the story makes her look a little bookish.

  67. DLCam in Oregon Says:

    Thank you for posting this, you will certainly save some poor unfortunate souls out there who are not aware of scams like this. Sic the FBI on their asses! And if Yahoo refuses to cooperate, sue them. Good Luck!

  68. Shish Says:

    “I’ll give him a call!”

    Are you sure that’s a genuine email? I’ve never had a government related agency respond to any of my queries so quickly and openly…

  69. Eric Says:

    I’m a seller on Ebay and get PayPal/Ebay phish attempts multiple times per day. I did try and click through and enter some invalid data a couple of times. However, it may be a weird coincidence, but my PayPal account got frozen due to suspicious activity both times I’ve tried to do that. I didn’t get a good explanation from PayPal on why they did this, so I can only assume that PayPal was somehow able to figure out the people who they “think” fell for the phish.. Perhaps they shut down the phisher and found their database of people who actually clicked through..

    So.. it might not be a good idea to click through even for the purpose of entering bad data.

  70. Keith Gilbert Says:

    Wow, that’s awesome! Good job with the cron script and everything ;)

  71. S Says:

    “Anyway, my wife’s pretty embarrassed about the whole thing and made me promise not to tell anyone.”

    who’s dumber, you or your wife now?

  72. Duder Says:

    “But, believe it or not, my wife is not stupid. In fact, she has a PhD from Harvard!”

    uuh, what does a PhD from Harvard have to do with this? I’ve met plenty PhDs that have no clue how the real world works and now I’ve just read about another one. Maybe you meant PhD = Smart HAHAHAHAHAA …that’s a good one.

  73. James Says:

    I hope you ran your cron from different IPs :)
    otherwise they would have been on to you in less than 2 sec…

  74. Z Says:

    You are awesome.

  75. MD Says:

    Could you not improve your nice phish.pl script by adding a date header to the email, faking the date sent?

    e.g. Date: Mon, 28 Aug 2006 16:08:19 -0500\n

    The date would be randomly chosen from a, say, 3 day span of time…

    Would this solve the problem of the phisher knowing emails after a certain date would be fake because some of your phish.pl generated emails would be mixed in with the good ones?

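  76. Zeal’s Blog · Dreamhost’s CEO, His Harvard PhD Wife, and a Phishing Scam Says:

    [...] Yesterday, Dreamhost CEO Josh Jones wrote up on the Dreamhost Weblog, with pictures, what happened to his wife and what he did about it; I just about died laughing. [...]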

  77. Ash Haque Says:

    Great article, nicely handled

  78. George Says:

    Let’s hope she doesn’t read this blog…haha.

  79. vicm3 Says:

    That’s a very good history :D Josh. I only expect you had a spare bed. Or your wife has a really good humor sense.

    Regards.

  80. Ted Says:

    Just because she has a PhD doesn’t mean she isn’t stupid. Look at Ted Stevens.

  81. Clayton Says:

    Sadly, I know of many people that have fallen to these phishing scams.

    Two people of which fell for those Nigerian scams. Both of which actually took all their life savings, and flew to Nigeria…

    My mother fell for a couple dozen scams already, and she just does not seem to learn. Even set up a decent spam filter for her, and explained to her several times what not to do, but seems to not listen. Once she thought she even won $21,000,000 and just needed to pay a $500 fee to get the cheque…

  82. John Says:

    No wonder your wife fell for this - if she married you she obviously has a serious problem.

    You are a complete idiot Josh and I hope to god you get busted hard for this. Not only did you engage in illegal activity by executing that mail script, but you published it so hundreds more people can either jam up the already overtaxed mail servers, and hundreds of kiddies now have the tools they need to defraud others.

    I’m seriously thinking about reporting YOU right now - what an ass, what an ass.

    John

  83. Dan Says:

    Super l337 conning the con job.

    On a side note, this is funny.

  84. Dave Says:

    Ok so John, maybe you should think about better ways to utilise your time than to troll on this blog. You can feel accomplished that you got a reaction from me.

    out of curiosity, who are you going to report him to… his hosting provider? ;-D

    Kudos Josh for an awesome way to get even with phishers, I had thought of that same idea before but i never had the scripting ability to do anything with it.

    This type of thing is the reason I will stick with Dreamhost for my hosting, even if cheaper options exist. I guess this is how you differentiate yourselves and add value to go all business about it. Keep up the good work!

    -Dave

  85. John Says:

    John I think you’re the idiot, all that perl script does is send a load of mail with random data, and the only mail servers that are going to get “overtaxed” are those that are already hosting mailboxes for illegal activity. This can’t be used so “hundreds of kiddies now have the tools they need to defraud others” - that would require an entirely different script.

  86. Jason Says:

    I have a suggestion for your perl script, to help filter out invalid credit card numbers you can generate numbers that pass the MOD 10 check. I wrote a perl script to generate them when I got sick of all the paypal phishing emails. Unfortunately I don’t have access to it right now, but here is the pseudo-code I worked up for it: http://qbfreak.net/stuff/gencard.txt

    Can anyone suggest a good place to discuss anti-phishing ideas? I started to design something similar to Josh’s perl script for filling out the forms when you don’t have access to the backend code. I’ve got one snag (which James has noticed too) and I could use some ideas. Drop a line to phishflood@qbfreak.net if you know of anywhere appropriate to discuss it.

  87. danny Says:

    Geez John. Were you not hugged enough as a kid?

  88. Jason Says:

    Note to self, don’t change sentence structure mid-stream :)

    I should have said something more like “…to keep the phishers from easily filtering out invalid credit card numbers you can generate numbers that pass the MOD 10 check.”

  89. Unknown Says:

    It might be a good idea to remove the links of the Phishing attempt from the blog above. Although this is a blog about it, undoubtedly someone will try to click on the link and not realize what’s going on. Better yet, it’ll get cached and someone else using that computer will see the link while typing in their URL and pull it up, and say “Hey - what the heck, I’ll give it a shot.”

  90. Randy Jensen Online Blog | randyjensenonline.com/blog Says:

    [...] Read Phishing Phor Phishers [...]

  91. anonymous Says:

    i’m a consultant to the irs on a taxpayer correspondence workflow project, and i just wanted to let you know that any IRS email correspondence you receive (if any) will not have your social security number on it.

    additionally, we get notified of any IRS-related phishing scams as soon as the IRS is notified. i’ll be interested in seeing if this one pops up on the list. =)

  92. Harvard Irving Says:

    John,

    Won’t somebody think of the tubes?

    I’m glad there is someone out there willing to stand up to evil people like Josh who want to clog up the internet tubes, and stop my web browser from working. Like you said, he even wants to brainwash children to achieve his goals. They would never learn to write a script without reading this article first.

    Truly you are a hero among men, the internet’s equivalent to Drano.

  93. George Chen Says:

    Josh, I have to ask. The picture of your not wife. Who is it and where did you get it. I ask because it looks almost exactly like my dad a couple of years before he passed away.

  94. dnsnipper Says:

    thanks for the info guys I have really learnt a lot but still I hope you don’t believe all Nigerians are phishers I happen to know a couple of them who are disgusted by that act

  95. Ryan Says:

    (clean up our own backyard first)

    Thanks for spreading the word about these nefarious attempts to steal and use technology for evil. I can appreciate your “vigilant” vigilantism in trying to spam a spammer, but it really does nothing more than trouble them a bit before they move onto the next scam or if bothered by you, may up the ante and spam you back and overload the DH web servers, which hurts us all.

    I was unable to receive an e-mail the other day from a client who hosts with Dreamhost because my web/email host blocks mails originating from Dreamhost servers (because of the amount of spam coming from DH servers). This sux!

    If you did more to crack down on those who might be using your servers to send spam, I think we would all be better off.

  96. Anonymous Says:

    “Of” instead of “or” is probably not a typo. It’s Dutch. Maybe a hint to where the phisher sits?

  97. Pent Says:

    Great story
    Also to the digg wackos… “get off my internets!”

  98. Dreamhost phishing at thirteenCents Says:

    [...] More info at the Dreamhost blog. [...]

  99. Jennifer Says:

    I loved this story, but your wife might kick her Harvard foot up your derriere!

    I’ve gotten pretty savvy at spotting phishing scams. The URLs they want you to click on to get to their forms are a dead giveaway for me, plus my email programs show me where the links link to without even having to run my mouse over them. They also tend to have poor English usage. All the reasons you posted about covers it.

    I wish I had the skill you did to do what you did. It’s also because of a lack of time. I used to send spam and phishing emails to “abuse@whatever.com,” but that got tedious and I didn’t know if it was really doing any good. I have gotten more strict with my email.

    Good luck hearing from Yahoo! And, since you’re rich, would you adopt me? I spend most of my money on books (and never have enough for all I want), so you’d save on other expenses, and be doing the world of literature a favor! :D

    Well, I can dream.

  100. Heimir Says:

    On the same subject has anyone seen this little mooooovie called “On the streets of america” at

    http://www.cosmicrealms.com/blog/2005-11-16/

    God bless you all.

  101. Jon Says:

    That’s phucking great.

  102. phill Says:

    Josh, I thought you were making up the “joshswife@yahoo.com” address. “Surely,” I thought, “He’s making up the whole thing. There’s no way josh would make his wife use a Yahoo account.”

    Fooled me.
    gj.
    pb

  103. Will’s Blog - Even the smart ones get Phished Says:

    [...] Posted in Uncategorized by will on September 2, 2006. Yep, even those with PhDs from Harvard will fall prey to a carefully worded phishing email. [...]

  104. Not In Kansas Anymore » Phishing Phor Phishers Says:

    [...] Let this story by DreamHost’s owner serve as a reminder to all: never email your credit card info, and never reply to an email that’s asking for money, even if it seems legit. Instead, check out the website, do research, make a phone call. Tags: geek   [...]

  105. Nightshifter Says:

    way to GO! ha ha - justice like we used to do it back in the day

  106. Al Says:

    Wow. I’ve never seen that site (http://www.dreamhost-sucks.com/) To be honest, my personal experience with DH has been outstanding. However, I haven’t really pushed the limits with respect to CPU utilization and bandwidth.

  107. me Says:

    Josh, maybe your wife should watch this quick video:
    http://www.identitytheftsecrets.com/videos/ebay-phishing-tips-1-24-06/ebay-phishing-tips-1-24-06.html

    It’s from identitytheftsecrets.com and walks you through a live screen capture with voiceover of what happens when you click a link in a spam email and are taken to an eBay phishing site. It explains why the link is so deceptive with easy to understand mouse highlighting and explains all aspects of phishing perfectly in about three minutes–I recommend it to anyone who needs to learn what phishing is and why it’s bad!

    And no, I have no connection to that website but I write about phishing and many other Internet scams on my website, which is how I came across that link.

    I promise not to tell your wife either!

    Seriously, you must have told her by now that what she did is getting to be known all over the Web???

    Good luck, hope you get justice!

  108. Salman Sheikh Says:

    Josh,

    I had the same thing happen on my website..I installed a photo album called yappa-ng and it was nice until my host suspended it 3 times. Apparently somebody was using the mail scripts in it to spoof Barclays, Bank of America and an armored car company whose name I couldn’t recall. All 3 times, I had them remove the script but then finally I ended up blowing away the whole online album..It was scary..they pinged the sites of these companies at the rate of thousands of access in minutes and that caused these companies to contact my host and say I was spamming them or their customers..

  109. Michael Says:

    Aren’t you breaking the law by spamming him?

  110. Sesa Woruban Says:

    Firstly, everyone complaining that Josh is spamming people - one mail every twenty minutes doesn’t really count as spamming IMO.

    Secondly, I really hope this works. I was a little disappointed not to see new shiny stuff in the month of August but this kinda makes up for it.

    Thirdly, your wife is going to kill you.

  111. Quibbles and Bits Says:

    Phishing the Phishers…

    Dreamhost is the company that provides (for a small fee) hosting for Quibbles-n-Bits, Man Meets Baby, and the Garage of Xanadu. The CEO of Dreamhost got phished, and decided to phire back…….

  112. pauldwaite Says:

    If that’s your wife in the picture, with the glasses, and the book on her knee, I can’t see she has any reason to be embarrassed.

  113. Essential Says:

    No software is 100% bug proof and no human is 100% phish proof ;)

  114. ME Says:

    Sorry, but anyone who is ‘phished’ is a total complete moron. PhD aside. There are 2 kinds of smarts:
    1: book smarts — Someone knows how to read a book, retain the information long enough to spit it back out on paper and receive their A. Someone who can consistently do this will be lucky enough to get a PhD.

    Fact of the matter is — I have never been offered free money by anyone. Especially the government — and especially by the government by email (how would they even have my address?)

    You make points about the content of the email — What idiot would even waste time reading the email?

    In her defense, maybe she had the dumb and couldn’t brain that day. :) lolololol

    morons.

  115. Unofficial Dreamhost Blog » Archive » August Newsletter Says:

    [...] Introduction. (… nothing …) They tell us they have top-secret plans for September (really? we’ll see) and that, since it is summer, they have gone to the beach and gone “fishing” (a post about phishing on their official blog). [...]

  116. Hurt Spam » Blog Archive » Even dreamhost’s CEO suffers phishing attacks Says:

    [...] In this post on their official blog, dreamhost CEO Josh Jones relates how his wife fell for a phishing scam - and the measures he took to remedy the problem. [...]

  117. jon Says:

    to those bashing josh for sending spam: it’s not evil if it was only directed at one person and that person was a spammer.

    spammers spam large number of random people. josh spammed one person to prevent fraud. there’s a difference, and it’s not the “end justifying the means”.

  118. KM Says:

    I’ve been using Debix’s ( http://www.debix.com ) fraud prevention system for a while now. It works great. If anyone tries to open a credit-bearing account with your ssn/name, they will call your cell phone and you have to type your pin code and pass a voice authentication (very James Bond-esque) before the account can be created. If you deny the account creation, the phisher can’t open up the account and your credit is safe.

  119. Dan Oetting Says:

    Josh, I appreciate your anti-spam attitude. That is why I moved to Dreamhost over a year ago. And as much as I love your response to the phisher I think you could do better.

    Foremost, you should not squander the opportunity to educate the victims. One way to achieve this education is to leave the phisher’s hacked website in place but intercept the reporting function and after the victims have supplied their CC and/or SS numbers, redirect them to your own site where they can be informed “You’ve just been phished!”. Then proceed to tell the victim that you will be sending a report to their bank/credit card company and that they should also contact their bank/credit card company for instructions on how to safeguard their account.

  120. PixelFactor Says:

    Wow….very impressed. Nice way to get back at those fools!

  121. Mike Says:

    I worked with Josh’s wife at Harvard and SHE IS ONE SMART COOKIE!

    This is an interesting story though, of all the Phishing scams that I got, the IRS is the first one I heard - esp. I actually got a *REFUND* this year for the first time in a million years.

    Kudos to JJ for the script - I fucking hate those bastards who do identity thefts. Have known too many people who fell victims of this…

  122. Emma Says:

    I wish you could take care of every internet scam out there for us. Move over Superman.

  123. Frank Says:

    Does anyone know if this is true about the dedicated server?

    http://blog.dreamhosters.com/2006/08/31/dreamhost-dedicated-servers/

    $400/mo and MySQL on a shared environment?

  124. Tinos Says:

    This was the best story ever! I always wanted to do something to those people, but I wouldn’t know where to start.

  125. FMKaiba Says:

    Get your wife thunderbird in the future if possible, its spam catcher is top notch.

    and flooding his inbox… brilliant! i usually reply with fake info, but never tried flooding them. nice job!

  126. James Says:

    So everyone knows emails can’t be trusted, but when Josh says “his wife” fell for a phisher, everyone believes him?

    I think it makes for a personable story and -most importantly- gets the point across.

    By the way, eBay does NOT tell you to avoid clicking on links. Their emails have many links to pay for items, respond to messages, and so on.

  127. Richard Says:

    From eBay’s info on phishing:

    What to do when you receive suspicious email

    * Do not send sensitive personal information ….

    * Never click on a link in an email if you are unsure of its origins, especially ….

    eBay does indeed have “many links to pay for items …” and the sincerity of their anti-phishing advice can be measured by the number of those links. Typically, the useful content of their email is drowned in the noise from all the pointless links.

    If they were sincere they might point out that you have to be unsure of an email’s origins unless you view the full headers. They might also point out that html email benefits spammers, crackers, and phishers and should be disabled. Instead they use it by default.

    (Maybe I should have said *on balance* “benefits only …etc” as some people obviously value text formatting and inline pictures, not to mention ebay links that read “pay here” rather than “http://subdomain.ebay.com.6linesofencyptedgarbage.html”. I don’t think that weighs much compared to all the crap that html email enables.)

  128. Vertino » Phishing Phor Phishers Says:

    [...] Getting back at Phishers! [via dreamhost’s newsletter] » « 23:13 1/09/06 · permalink · blogs, hacks,spam [...]

  129. Nathan Says:

    Oh how I wish I had a SPAM filter that actually worked.

    Perhaps DreamHost can implement one.

  130. Andrew Says:

    Wait… so is *your* spamming the phishers the reason DH is constantly getting blacklisted?

  131. Jonathan Says:

    Hi Josh!

    That is absolutely brilliant to return the mail to the scammers. Could something more permanent be set up like this?

    In other words, I find out about a scammer’s email address, submit it to you, and you start sending them all sorts of false positives? We come across quite a few jerks on the Internet and I would love to harass them to the point that the business becomes significantly less lucrative.

    I found out about this posting because of my traffic logs, and someone was nice enough to post a link to one of the IdentityTheftSecrets videos, so to whoever did (they just posted as “me”), thanks!

    http://www.identitytheftsecrets.com/videos/ebay-phishing-tips-1-24-06/ebay-phishing-tips-1-24-06.html

    Someone else posted above as “ME” and called anyone who gets phished a moron. I would love to show that person a few of the scams that they couldn’t possibly avoid.

    Anyway, this was brilliant, and I would love to work with you Josh, if you want to brainstorm some more permanent solutions to harass the phishers.

    IdentityTheftSecrets.com

  132. Deb and Michael’s Curio Hut and Mystery Emporium » Don’t Fall for Phishing Scams Says:

    [...] And no, that does not refer to one of my favorite bands. It refers to luring people into providing personal information online. Here is one hosting provider’s story of fighting back: http://blog.dreamhost.com/2006/08/31/phishing-phor-phishers [...]

  133. Hello Says:

    I hope you don’t randomly generate someone’s real information.

    But yeah, phishers are no fun. Once I got one of those “so-and-so died and left $880,000,000 dollars..” emails and I actually emailed them back with fake information.

    And then the person emailed me back, and added me to their y!m contact list (and of course, they sent me several IMs while I was offline). Very annoying.

  134. genehack.org » Blog Archive » Laptop tab dump Says:

    [...] Great post on phish attacks from one of the guys over at Dreamhost. [...]

  135. Caesar79 Says:

    Just wondering if publicizing this story helps the phisher…

  136. Net Crap (9/6) at Musings of a Chicagoan Says:

    [...] DreamHost Blog » Phishing Phor Phishers “But, believe it or not, my wife is not stupid. In fact, she has a PhD from Harvard!” (tags: geekery funny) [...]

  137. Angela Says:

    You guys should go check out UltimateMatch’s WealthTrack service (http://angela.umwealthsite.com). For a monthly fee they allow you to check your credit report every month and also offer $25k in internet identity theft insurance.

    Josh, even if you shut down your credit card, you should be checking your credit report every month for unauthorized activity.

  138. Mark Says:

    I host through you guys and I love it (4 sites in all I think hehe)… recommend you to everyone that’s looking and then I come to your blog and read this…

    I’m at a loss for words, dreamhost admin can’t properly train their spouses on phishing techniques and how to avoid them, then what CAN they do. /sarcasm.

    Nice story with comical touches abound… I have enough trouble posting more than 3 words on how much I drank the night before… but this… masterpiece!

  139. Luiz Says:

    Josh, about the response from yahoo. Yahoo Abuse is not retarded! Quite the opposite in fact, they just use a standard reply asking for some information, that the email sender would have some trouble to acquire or don’t know how to acquire or just to make the sender fed up. Why do they do that? Because, this way they don’t have to do anything about it, just like what happened in your case.
    Something like it:
    - Let’s ask this guy his whole family tree….(it has nothing to do with the subject) and he will eventually give up about this complain and we can have our coffee.

  140. Noop Says:

    “scams then having” should be “scams than having”

    :D

  141. Matteo Says:

    You DreamHost guys are the best in the world. Dreamhost for president!!

  142. DreamHost Blog » I Am Your Shepherd Says:

    [...] So, a lot of people apparently liked making fun of my wife last week. [...]

  143. David Says:

    Good on you, mate! I love messing with phisher and spammers and such. They really do ask for it.

  144. The AV Club Blog » Blog Archive » Dreamhost 419 Says:

    [...] This is getting a little old (what with the half-life of stories on the web being 36 hours and all), so I guess I should stop procrastinating and blog this bad boy. It is a simple tale, one told over and over the world… over. An email arrived at Josh Jones’ wife’s email from the IRS informing her that she was owed a tax refund. She dutifully gave them her social and check card number and forgot about it for a while. Then she remembered and told her husband Josh about the refund they would be getting and he FREAKED OUT. See, Josh knows a thing or two about phishing scams, because Josh runs Dreamhost, a large web hosting company. He knew they had been caught in a scam, so he shut the account down and prayed. It all ends well, and the moral of the story is that anyone, no matter their intelligence (his wife has a PhD), can get caught up by their own greed. Josh’s blog is not only well designed, but has the full story, read it, it’s good. [...]

  145. Tech Industry » DreamHost CEO Josh Jones’ Wife Falls for Phishing Scam Says:

    [...] Jones’ wife thought they were due for a fat tax refund due to a courteous IRS email. She promptly emailed away their Social Security and Visa Check Card Number. Josh stated, “But, believe it or not, my wife is not stupid. In fact, she has a PhD from Harvard!” read more | digg story [...]

  146. TheHeartSmasher Says:

    Someone tried to get me.

    Warning to all of you.

    The server is in Japan. BankofAmerica doesn’t exist in Japan I don’t think it does but they never send me emails why would they start now especially sending it to my yahoo account in which I don’t use for bankofamerica.

    http://www.superbdevelopment.com/forums/main/showthread.php?p=509#post509

    Is where the post is everyone is welcome to read it.

    Quote:
    X-Apparently-To:MyEmailAddress@.com via 216.252.110.237; Thu, 14 Sep 2006 09:45:22 -0700
    X-YahooFilteredBulk: 196.200.176.80
    X-Originating-IP: [196.200.176.80]
    Return-Path:
    Authentication-Results: mta150.mail.scd.yahoo.com from=bankofamerica.com; domainkeys=neutral (no sig)
    Received: from 196.200.176.80 (HELO etylkqk) (196.200.176.80) by mta150.mail.scd.yahoo.com with SMTP; Thu, 14 Sep 2006 09:45:22 -0700
    Received: from xgnopu by etylkqk with local (Exim 4.42 (FreeBSD)) id 1GNsRv-000EZX-7R for MyEmailAddress@.com; Thu, 14 Sep 2006 16:44:19 +0200
    To:MyEmailAddress@.com
    Subject: Important Notice - Bank of America
    From:”Bank of America”
    Content-Type: text/html;charset=iso-8859-1
    Content-Transfer-Encoding: 7BIT
    Message-Id:
    Sender: User xgnopu
    Date: Thu, 14 Sep 2006 16:44:19 +0200
    Content-Length: 1348

    Quote:
    Your Online Banking is Blocked
    We recently reviewed your account, and suspect that your Bank of America account may have been accessed by an unauthorized third party. Protecting the security of your account is our primary concern. Therefore, as a preventative measure, we have temporarily limited access to sensitive account features. To restore your account access, we need you to confirm your identity, to do so we need you to follow the link below and proceed to confirm your information:
    https://www.bankofamerica.com/cgi-bin/imcpprd. dll/Ctrl.jsp?BV_UseBVCookie=yes
    Tank you for your patience as we work together to protect your account.
    Sincerely,
    Bank of America Customer Service
    *Important*
    Please update your records on or before 48 hours, a failure to update your records will result in a temporal hold on your funds.
    Bank of America, N.A. Member FDIC. Equal Housing Lender
    © 2006 Bank of America Corporation. All rights reserved.

    Thing is this is not from bankofamerica

    Let me explain:
    https://www.bankofamerica.com/cgi-bin/imcpprd. dll/Ctrl.jsp?BV_UseBVCookie=yes

    The real address is:
    http://210.134.0.36/www.bankofamerica.com/index.htm

    Bank of america doesn’t send emails they send actual mail.
    If they do send an email it would not have gone to my yahoo account

    Trying to SCAM TheHeartSmasher haha :)
    I don’t think so, guess they will be receiving a little something from yahoo very shortly :)

    This is the information collected on the owner of the actual ip address:

    Quote:
    Location: Japan

    ARIN says that this IP belongs to APNIC; I’m looking it up there.
    status = “Looking up at APNIC…”;
    NOTE: More information appears to be available at whois.nic.ad.jp.
    Using 0 day old cached answer (or, you can get fresh results).
    Displaying E-mail address (use sparingly — this will make it more likely that you will trigger our rate limiting system).

    % [whois.apnic.net node-1]
    % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

    inetnum: 210.128.0.0 - 210.135.255.255
    netname: JPNIC-NET-JP
    descr: Japan Network Information Center
    country: JP
    admin-c: JNIC1-AP
    tech-c: JNIC1-AP
    remarks: JPNIC Allocation Block
    remarks: Authoritative information regarding assignments and
    remarks: allocations made from within this block can also be
    remarks: queried at whois.nic.ad.jp. To obtain an English
    remarks: output query whois -h whois.nic.ad.jp x.x.x.x/e
    mnt-by: MAINT-JPNIC
    changed: apnic-ftp@nic.ad.jp 19991208
    status: ALLOCATED PORTABLE
    source: APNIC

    role: Japan Network Information Center
    address: Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda
    address: Chiyoda-ku, Tokyo 101-0047, Japan
    country: JP
    phone: +81-3-5297-2311
    fax-no: +81-3-5297-2312
    e-mail: hostmaster@nic.ad.jp
    admin-c: JI13-AP
    tech-c: JE53-AP
    nic-hdl: JNIC1-AP
    mnt-by: MAINT-JPNIC
    changed: hm-changed@apnic.net 20041222
    changed: hm-changed@apnic.net 20050324
    changed: ip-apnic@nic.ad.jp 20051027
    source: APNIC

    inetnum: 210.134.0.0 - 210.134.0.255
    netname: INAKER-ADMIN
    descr: INAKA-NET
    country: JP
    admin-c: MN125JP
    tech-c: KS689JP
    remarks: This information has been partially mirrored by APNIC from
    remarks: JPNIC. To obtain more specific information, please use the
    remarks: JPNIC WHOIS Gateway at
    remarks: http://www.nic.ad.jp/en/db/whois/en-gateway.html or
    remarks: whois.nic.ad.jp for WHOIS client. (The WHOIS client
    remarks: defaults to Japanese output, use the /e switch for English
    remarks: output)
    changed: apnic-ftp@nic.ad.jp 19970417
    source: JPNIC
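
The mismatch described in comment 146, where the link text names the bank while the underlying address is a bare IP, and the `domainkeys=neutral` result in the quoted headers can both be checked mechanically. The following Python sketch is an added example, not code from the post or its commenters; the sample HTML is constructed around the two URLs quoted in that comment, and all function names are hypothetical.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: link text and target copied from the quoted message,
# wrapped in minimal HTML. The second link is a benign control.
SAMPLE_HTML = """
<p>To restore your account access, follow the link below:</p>
<a href="http://210.134.0.36/www.bankofamerica.com/index.htm">
https://www.bankofamerica.com/cgi-bin/imcpprd. dll/Ctrl.jsp?BV_UseBVCookie=yes</a>
<p><a href="https://www.bankofamerica.com/privacy/">Privacy &amp; Security</a></p>
"""
# Value of the Authentication-Results header as quoted in the comment.
SAMPLE_AUTH = ("mta150.mail.scd.yahoo.com from=bankofamerica.com; "
               "domainkeys=neutral (no sig)")


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.anchors.append((self._href, text))
            self._href = None


def split_url(url):
    """Return (lower-cased host, lower-cased path); empty strings if unparsable."""
    try:
        parts = urlsplit(url.strip())
        return (parts.hostname or "").lower(), parts.path.lower()
    except ValueError:
        return "", ""


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def shown_host(text):
    """Host named by the visible link text, if that text itself looks like a URL."""
    tokens = text.split()
    if not tokens:
        return ""
    first = tokens[0]  # text may be broken by spaces, as in the quoted mail
    if "://" not in first:
        if not first.lower().startswith("www."):
            return ""
        first = "http://" + first
    return split_url(first)[0]


def audit_links(html):
    """Return one finding per anchor whose target contradicts what it displays."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        target, path = split_url(href)
        shown = shown_host(text)
        reasons = []
        if target and is_ip_literal(target):
            reasons.append("href host is a bare IP address")
        if shown and target and shown != target:
            reasons.append("text shows %s but href goes to %s" % (shown, target))
            if shown in path:
                reasons.append("displayed host is only a directory name in the href")
        if reasons:
            findings.append({"href": href, "href_host": target,
                             "shown_host": shown, "reasons": reasons})
    return findings


def sender_unverified(auth_results):
    """True when no spf/dkim/domainkeys/dmarc result in the header is 'pass'."""
    verdicts = re.findall(r"\b(?:spf|dkim|domainkeys|dmarc)=(\w+)",
                          auth_results.lower())
    return "pass" not in verdicts


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
    print("sender unverified:", sender_unverified(SAMPLE_AUTH))
```
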

  147. daryl Says:

    response #31 needs to be removed and the author shot.

  148. Falls Church Office Of Hearings And Appeals Social Security (News Dollar) Says:

    [...] http://blog.dreamhost.com/2006/08/31/phishing-phor-phishers/ from http://digg.com/tech_news/DreamHost_CEO_Josh_Jones_Wife_Falls_for_Phishing_Scam . Jones’ wife thought they were due for a fat tax refund due to a courteous IRS email. She promptly emailed away their Social Security and Visa Check Card Number. Josh stated, “But, believe it or not, my wife is not stupid. In fact, she has a PhD from Harvard!”–Ant @ The Ant Farm: http://antfarm.ma.cx . Please do not IM/e-mail me for technical support. Use the forum (I check often)! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer. [...]

  149. EveryDigg » Blog Archive » DreamHost CEO Josh Jones’ Wife Falls for Phishing Scam Says:

    [...] Jones’ wife thought they were due for a fat tax refund due to a courteous IRS email. She promptly emailed away their Social Security and Visa Check Card Number. Josh stated, "But, believe it or not, my wife is not stupid. In fact, she has a PhD from Harvard!" read more | digg story [...]

  150. TBT Blog » Blog Archive » How To Prevent Phishing: Create Awareness Says:

    [...] Phishing advice from Dreamhost [...]

  151. Get Safe Online (The Blog) / Falling for phishing Says:

    [...] The CEO of a US website hosting company, Dreamhost, recently made a splash with the revelation on his blog that his wife had fallen victim to an email con trick. [...]

  152. from midnight on, we phish back · Helge's Blog Says:

    [...] poor phisher: jones is now phishing back. Tags: dreamhost , phishing Categories: Sideblog, Fun, [...]

  153. DreamHost Blog » Mobile Spam Says:

    [...] My wife recently started a floral design business, and so she got a couple of those door magnets for our car advertising her business URL, phone number, and email address. [...]

  154. Josh Says:

    When the scammer reads this post, they’ll search their inbox for “Jones” in the card name and get your info o.o
