Phish Snooping for Beginners

So I get a phishing message telling me “Your Bank of America account has been closed, click here to reactivate it.” Nothing new. I don’t even have a BoA account, and even if I did, I know enough to avoid phishes. But before clicking on the “Report phishing” link, I try a click on the target domain: timeunolefale.net. That domain does a 302 redirect to timeforboaaccs.us. That domain shows a standard phishing form asking for the usual name, SSN, credit card number, etc.

I wonder whether the original domain has been hijacked to serve the 302 redirect, and where both sites are hosted. At the time of this writing the domains look freshly registered, so the whois info hasn’t propagated enough to return any useful results, but a tracert on the domain from the command line ends at a host in the 68.142.212.* range, which reverse-resolves to p10w7.geo.mud.yahoo.com: the phisher is using Yahoo Webhosting. Their phishing report form is here. Other web hosts will have other ways to take action, usually an abuse report form or email address.

As for the phish email itself, the headers show it comes from 172.174.228.95, an AOL address. (Yeah, that’s right. An AOL user using Yahoo Webhosting. Classy. Or, more likely, an AOL user whose PC was hijacked by a trojan.) AOL has a phishing security section, but when you click Online Help to look for a phishing report contact, it asks you to log in to AOL. Screw that.

So there’s a sample of what you can do to sniff out phishers, and hopefully do a bit more to stop them than your web mail app’s “Report Phishing” button: tracert the domain, pull the whois record, find out where it’s hosted, check the headers for the email’s origin, and report the phish to the internet service providers and web hosts involved.
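The steps above, minus the live network calls, as an added example that is not from the original post: a Python script that parses a constructed sample message, pulls the landing URL out of the body, walks the Received: chain to the originating IP, and follows the 302 hop from the first domain to the second using constructed HTTP responses. The message text, the relay host names (imap.webmail.example, mx.webmail.example, mail.example.test) and the documentation-range addresses are all assumptions; only the two phishing domains come from the post. One caveat the post does not spell out: a sender can forge any number of Received: lines at the bottom of the chain, so the script trusts only the lines written by the receiving provider’s own relays and stops at the first one that isn’t.

```python
"""Offline phish triage: landing URL, originating IP, redirect chain.
Added example; the message, hosts and HTTP responses are constructed."""
import email
import ipaddress
import re
from urllib.parse import urljoin

# Constructed sample message (documentation addresses, not the real phish).
# Received: lines are newest first, as they appear in a delivered message.
SAMPLE_EMAIL = b"""Received: from mx.webmail.example ([10.0.0.5])
\tby imap.webmail.example; Mon, 1 Jan 2007 10:00:02 +0000
Received: from mail.example.test (mail.example.test [192.0.2.10])
\tby mx.webmail.example (Postfix) with ESMTP id ABC123; Mon, 1 Jan 2007 10:00:01 +0000
Received: from [203.0.113.5] (unknown [203.0.113.5])
\tby mail.example.test with SMTP; Mon, 1 Jan 2007 10:00:00 +0000
From: "Bank of America" <alerts@bankofamerica.example>
To: victim@webmail.example
Subject: Your account has been closed
Content-Type: text/html

<p>Your Bank of America account has been closed.
<a href="http://timeunolefale.net/">Click here</a> to reactivate it.</p>
"""

# Assumed: the receiving provider's own relays. Only Received: lines written
# by these hosts are trustworthy; lines below them came from the sender.
TRUSTED_RELAYS = {"imap.webmail.example", "mx.webmail.example"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
REDIRECT_CODES = {301, 302, 303, 307, 308}


def is_internal(ip):
    """True for loopback, link-local and RFC1918 hops (internal hand-offs)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # not a usable address either way
    return any(addr in net for net in INTERNAL_NETS)


def extract_urls(raw):
    """Return the URLs found in the text parts of a raw message, in order."""
    msg = email.message_from_bytes(raw)
    urls = []
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_maintype() != "text":
            continue
        text = part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            if url not in urls:
                urls.append(url)
    return urls


def parse_received(value):
    """Split one Received: value into (from_ip, by_host)."""
    value = " ".join(value.split())  # unfold continuation lines
    m = re.search(r"\sby\s+(\S+)", value)
    by_host = m.group(1).rstrip(";,") if m else None
    ips = IPV4_RE.findall(value[: m.start()] if m else value)
    return (ips[0] if ips else None), by_host


def origin_ip(raw, trusted_relays):
    """Sender IP recorded by the earliest trusted relay, walking newest first.
    Stops at the first Received: line not written by a trusted relay: that
    line and everything after it were supplied by the sender."""
    origin = None
    for value in email.message_from_bytes(raw).get_all("Received", []):
        from_ip, by_host = parse_received(value)
        if by_host not in trusted_relays:
            break
        if from_ip and not is_internal(from_ip):
            origin = from_ip
    return origin


def follow_redirects(url, fetch, limit=10):
    """Follow Location: hops one at a time and return the URLs visited.
    fetch(url) -> (status, headers); a loop or too many hops ends the walk."""
    chain = [url]
    while len(chain) <= limit:
        status, headers = fetch(url)
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)
        if url in chain:
            break  # redirect loop
        chain.append(url)
    return chain


# Constructed responses standing in for the two domains in the post.
CONSTRUCTED_RESPONSES = {
    "http://timeunolefale.net/": (302, {"Location": "http://timeforboaaccs.us/"}),
    "http://timeforboaaccs.us/": (200, {"Content-Type": "text/html"}),
}


def fake_fetch(url):
    return CONSTRUCTED_RESPONSES.get(url, (404, {}))


if __name__ == "__main__":
    urls = extract_urls(SAMPLE_EMAIL)
    print("landing URLs:", urls)
    print("sender IP (per trusted relays):", origin_ip(SAMPLE_EMAIL, TRUSTED_RELAYS))
    print("redirect chain:", " -> ".join(follow_redirects(urls[0], fake_fetch)))
```

For the live equivalents, `curl -sI http://timeunolefale.net/` prints the 302 and its Location header without following it, `dig -x` on the hop address gives the reverse name that tracert printed, and running whois on an address in the 68.142.212.* range (rather than on the domain) names the netblock owner even while the domain registration is too new to show anything. Do the poking from a throwaway VM or over Tor rather than your home connection, since whoever runs the kit can see who visits.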

Next time: using PHP and Tor to crapflood phishers’ forms with fake data.

Update: Well, both sites are gone. Pretty fast action.