
Advice wanted – Stumbled across active phishing scam - zefman
So yesterday I received a suspicious SMS message with standard phishing spiel asking to follow a link and renew a subscription to a well-known app.

Out of interest I followed the link to see how the attack would work, and before I knew it I had discovered that the attacker had left directory listings enabled on their server!

After looking through the PHP used to perform the scam, I could see that the results of the form victims are asked to fill out were being emailed to the attacker, and logged into a text file on the server. I just want to stress this is all publicly available if you know the URL, not behind any kind of authentication.

After looking at the log file I could see that this scam was very active and very effective. New entries were being added throughout the day including credit card and bank information. At this point I realised it was probably time to inform the police, and after many many painful hours I finally had a report logged.

It's now been 24 hours and I can still see the scam is active and collecting real people's details, the majority of whom are elderly.

What should I do? It feels wrong just to sit here and watch these people lose their details while the UK police take their time figuring out what a zipfile is. It would be very easy to disrupt the scam by flooding it with fake data. Good or bad idea?
======
tdeck
Much of this sounds like a standard phish kit. Unfortunately I don't think the
police can do much. Often you can actually find the perpetrator's info, but
they're in Nigeria where nobody cares.

First of all, I'd report the site to Google Safe Browsing and to PhishTank:
[https://safebrowsing.google.com/safebrowsing/report_phish/?h...](https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en)
[https://www.phishtank.com/](https://www.phishtank.com/)

Once Chrome starts blocking the site, that will stop the bleeding. Then contact
the host and domain registrar, if possible. If the phish kit is piggybacking
on a WordPress site (very common), find the person who owns that site and
message them if you can.

~~~
zefman
Yeah whoever set this up knows very little about the web and has obviously
purchased this. They have made a number of mistakes including not withholding
their domain registration info! So the police actually have a name and address
in the UK. Whether that is a decoy or not remains to be seen, but given the
other mistakes that have been made I wouldn't be surprised if it was the
attacker.

The site has already been reported to Netcraft and is now showing as dangerous
in Chrome. Unfortunately this doesn't appear to show on mobiles, where most of
the victims are falling for the scam.

------
nirmalkant
It's a hazardous menace affecting almost all Internet powerful nations of the
world. If you are attacked, probably you won't be able to do much now and just
wait for them to do something for you. I think the cyber cell will take care,
it takes time but you'll get a solution lately. From next time the first and
foremost thing you should do is to steer clear of spams and e-mails which are
from suspicious senders. Read about the Cyber Plague:
[http://gotowebsecurity.com/cyber-phishing-attack/](http://gotowebsecurity.com/cyber-phishing-attack/)

------
detaro
You could try contacting their hosting provider? (assuming it is a somewhat
legitimate one)

~~~
zefman
Have tried that and unfortunately the abuse email bounces :/

------
wazanator
Is there a way you can anonymously alert people who have been scammed?

~~~
zefman
Yeah this should be possible, their emails are listed in the data. I suppose I
could write a script that watches the log file and instantly warns anyone
added to it.

~~~
techthroway443
This is making me paranoid. How do I check if my website has listing enabled?

~~~
zefman
Haha given the context I'm not sure I should say. Are you running your own
phishing site?

