So I got an unsolicited e-mail yesterday and it turned out to be a pretty blatant phishing attempt related to...wait for it...PayPal. To make a long story short here, I had some free time on my hands so I began investigating this particular e-mail by looking at the message header as well as the phishing site which was set up to collect people's personal data, etc. After a short while, I was able to determine that both the phishing site and the origin of the e-mail were on the same ISP and from two separate, but geographically close, locations in the Los Angeles county area. I was also able to link this attack to an underground Chinese hacking group who seemed to be located in the same area.
Well at this point, I thought it would be a good idea to start compiling notes and make a report to submit to the LA County Sheriff's Department and, depending on the response, the California Department of Justice, the F.B.I., the Secret Service or the Department of Homeland Security. And then of course some of the local newspapers and news stations in LA and even the national news. I realize that one phishing attack isn't such a big deal, but with the amount of evidence I had compiled and the ease with which warrants would have been able to be obtained, this would've been a slam dunk and could potentially have led to the arrests of an entire underground hacking group. Also, California specifically has a state law to use when prosecuting cases related to phishing in its "Anti-Phishing Act of 2005."
Yes, I can be pretty optimistic sometimes.
Well this is where things get interesting, and where the purpose for my post here begins. Before I finished compiling all my notes and generating a report, I stopped for the day and decided I would pick up again today. This morning I noticed that I didn't have the link to the actual phishing site itself written down. In the e-mail, the unsub included a link to a page which had been hacked and was redirecting users to the phishing site in LA...I didn't have the URL for that site or the IP, and when I went back to the page which was redirecting, I was greeted with something entirely different.
The redirect page had been replaced with a page letting everyone know that the e-mail they received was not legitimate and was a phishing attempt and included links to a description of what phishing was and an e-mail address for people who wanted to report more instances of phishing, etc. Well this wasn't what I was looking for - I needed the IP address of the original phishing site. So I sent an e-mail to the person who put this new page up asking them if they had the original page which was there with a justification behind why I wanted it.
The response I received was from the owner of this anti-phishing site who claims to make it a personal mission of his to thwart phishers. Very admirable, but after a few back-and-forth e-mails with this man I learned a few things and definitely questioned his actions. In his response to me he stated that he had replaced the page himself and that he wasn't sure he still had the original, but that he would look. In my second e-mail to him, I asked him, as an aside, how, if he wasn't able to get in touch with the owner of the site or the ISP (which he claimed would be a waste of time), he had replaced the phisher's page with his own. His response was that there was an account on that site with a very weak and very common password which he found, and that if he couldn't take down the phisher's site, changing the redirect page was just as good.
This set some bells and whistles off in my head.
My take on this was that not only was what he did illegal and unethical - unauthorized access to a web server owned and operated by someone other than himself - but he had also possibly destroyed, and definitely corrupted, what could have potentially been very crucial evidence for the prosecution of the perpetrators of this phishing attack. The page itself would only have given me the IP of the original phishing site, which most likely has since been taken off-line; however, the logs for the redirect web server may have indicated when the server was hacked and who had uploaded the redirect page, and had this IP tracked back to the same ISP in the same geographic location and maybe to one of the members of this group I'm tracking, that would've been the proverbial nail in the coffin.
Well I brought all of this to his attention and basically his response was that he didn't see how a redirect page would've been valuable in the grand scheme of things. Moreover, he wasn't concerned with his act of "ethical hacking" because in his experience, the FBI doesn't respond to electronic crimes where there is no monetary loss greater than $10,000 (which is accurate, but irrelevant). He also said that he saw himself as serving the greater good by preventing any further individuals from becoming a victim of this particular attack. Basically, his justification was vigilantism.
I recommended to him that in the future he might want to first contact the owner of the site before accessing it (I was able to find both names, 5 phone numbers (both personal and work) and 2 e-mail addresses for the husband/wife team who owned and operated the site with a few brief searches) and before replacing anything, to first make a copy of the original content, including logs in the case that any criminal prosecution would arise. His response to that was that in his experience law enforcement took these kinds of "attacks" not very seriously at all but that he would be more diligent in the future.
And now my 2 comments for the group. First, what's your opinion of what transpired, as it was related? And secondly, and more importantly, in your ITSEC travels, please, please be aware of issues such as chain-of-custody, evidence contamination and what is legally permissible when it comes to computer crimes and computer forensics!!!
FWIW, I LART my spam with spamcop, and forward phishing emails to: Anti-Phishing Working Group (APWG) - firstname.lastname@example.org; US CERT phishing report - email@example.com; PIRT, Castlecops (PIRT) - firstname.lastname@example.org
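The original post's advice to copy the original content and logs before anything is replaced, shown as an added example that is not code from the poster or anyone in the thread: it writes each item to an evidence directory, records SHA-256 hashes and a UTC timestamp in a manifest, and re-hashes the files later to detect any alteration. The file names, addresses, hostname placeholder and log lines are all constructed for illustration.

```python
# Added example, not code from the original post: snapshot web content and
# server logs BEFORE anything is changed, with SHA-256 hashes and a timestamped
# manifest, so the copy can later be shown to be unaltered.
import hashlib, json, os, tempfile
from datetime import datetime, timezone

# Constructed sample evidence: a redirect page plus two web server log lines
# (RFC 5737 documentation addresses, placeholder hostname).
SAMPLE_ITEMS = {
    "index.html": b'<meta http-equiv="refresh" content="0;url=http://PHISHING-HOST-PLACEHOLDER/">',
    "access.log": b'203.0.113.5 - - [01/Jan/2007:10:00:00 +0000] "PUT /index.html HTTP/1.1" 201 -\n'
                  b'198.51.100.7 - - [01/Jan/2007:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 93\n',
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def preserve(items: dict, dest: str, collector: str) -> str:
    """Write each item under dest, hash it, and record a manifest. Returns the manifest path."""
    os.makedirs(dest, exist_ok=True)
    entries = []
    for name, data in items.items():
        with open(os.path.join(dest, name), "wb") as f:
            f.write(data)
        entries.append({"name": name, "bytes": len(data), "sha256": sha256_hex(data)})
    manifest = {"collected_utc": datetime.now(timezone.utc).isoformat(),
                "collector": collector, "items": entries}
    mpath = os.path.join(dest, "MANIFEST.json")
    with open(mpath, "w") as f:
        json.dump(manifest, f, indent=2)
    return mpath

def verify(dest: str) -> list:
    """Re-hash every item listed in the manifest; return the names whose hash no longer matches."""
    with open(os.path.join(dest, "MANIFEST.json")) as f:
        manifest = json.load(f)
    bad = []
    for e in manifest["items"]:
        with open(os.path.join(dest, e["name"]), "rb") as f:
            if sha256_hex(f.read()) != e["sha256"]:
                bad.append(e["name"])
    return bad

def demo() -> tuple:
    """Preserve the samples, verify, then overwrite the page (as happened in the post) and verify again."""
    d = tempfile.mkdtemp()
    preserve(SAMPLE_ITEMS, d, "analyst-placeholder")
    before = verify(d)
    with open(os.path.join(d, "index.html"), "wb") as f:
        f.write(b"<p>This page was a phishing redirect.</p>")
    return before, verify(d)
```

Keep the manifest and the preserved files somewhere the operator of the server cannot modify, and hand both over together with a note of who collected them and when.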