
How do phishing .coms like this stay in business?
Love Calm Quiet
Mac Elite
Join Date: Mar 2001
Location: CO
Status: Offline
Nov 21, 2005, 08:50 AM
 
A couple weeks ago I got my first clever phishing (for my Amazon acct). An anchor that purported to link to https: amazon.com actually linked to http://secure.amazon.com.login-secure-page.com .
A quick eyeballing of that makes it look like Amazon.com ... uh, not so much.

(Full address includes my .mac email: http ://secure. amazon. com.login-secure-page. com/signin.php?exec/obidos/flex-sign-in/ref=gw_hp_si/103-3177084-7567864?opt=a&page=recs/sign-in-secure.html&response=tg/recs/recs-post-login-dispatch/-/recs/pd_rw_gw_ur/ref=192930_1/3-3&ref=bel&emaddr=lovecalmquiet @ mac.com )
(another great use for PHP/MySQL, eh?)


Going to that page (which resolves to http://secure.amazon.com.login-secur...com/signin.php) gives you a RIPOFF of amazon.com's sign-in page.

When I check WhoIs.net for "login-secure-page.com" they don't find it. How are these rogues pulling this off?

I've been forwarding these Phishies to [email protected] for a couple weeks. (They always send me a nice "thank you".) I've no idea how they might try to pursue this, but meanwhile I'm *sure* a bunch of aol (and other naifs) users are "signing in" - i.e., giving their amazon passwords to somebody (?who's then ordering a Segway or plasma TV, I guess).

Anyway... what I'm most curious about is why the phishers can't be traced back via their web info and be put out of business.
TOMBSTONE: "He's trashed his last preferences"
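
The trick described in the post above (a brand name placed in the subdomain labels, with link text that shows a different domain than the href) can be checked mechanically. This is an added example, not part of the original thread; `audit_links`, the small suffix set and the sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: tiny stand-in for the Public Suffix List, enough for this sample.
MULTI_LABEL_SUFFIXES = {"co.uk", "co.kr", "com.au"}
DOMAIN_TEXT = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)

def host_of(url):
    """Lower-cased host of a URL, or of bare link text such as 'amazon.com/x'."""
    return (urlsplit(url if "//" in url else "//" + url).hostname or "").rstrip(".")

def registrable_domain(host):
    """The name somebody actually registered: the rightmost labels of the host."""
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

class Anchors(HTMLParser):  # collects (visible text, href) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or "").strip(), []
    def handle_data(self, data):
        if self._href is not None: self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit_links(html, brands=("amazon.com",)):
    """Return (href, registrable domain, reasons) for each suspicious anchor."""
    parser, findings = Anchors(), []
    parser.feed(html)
    for text, href in parser.links:
        host, reasons = host_of(href), []
        real = registrable_domain(host)
        if DOMAIN_TEXT.match(text) and registrable_domain(host_of(text)) != real:
            reasons.append("link text names a different domain")
        if any(f".{b}." in f".{host}" for b in brands):
            reasons.append("brand appears only as subdomain labels")
        if reasons:
            findings.append((href, real, reasons))
    return findings

# Constructed sample: the first anchor mirrors the link described in the post.
SAMPLE = ('<a href="http://secure.amazon.com.login-secure-page.com/signin.php">'
          'https://amazon.com</a> <a href="https://www.amazon.com/gp/help">amazon.com</a>')
```

Calling `audit_links(SAMPLE)` flags only the first anchor and reports `login-secure-page.com` as the domain that actually receives the request.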
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Status: Offline
Nov 21, 2005, 09:05 AM
 
The server seems to sit in South Korea. Maybe Amazon has no legal means to shut down the site?
     
gopikrishna
Fresh-Faced Recruit
Join Date: Jan 2004
Location: Boston, MA
Status: Offline
Nov 21, 2005, 09:09 AM
 
cool, TETENAL...
How do you find out where something's server is (if it's not on WhoIs.net?)

Also, as much business as US & SK do, you'd think there'd be law enforcement connections?
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Status: Offline
Nov 21, 2005, 09:54 AM
 
Originally Posted by gopikrishna
cool, TETENAL...
How do you find out where something's server is (if it's not on WhoIs.net?)
http://www.visualroute.ch/

I typed in the address in there and it says the server is in Korea. Strangely enough you need to use the whole URL. The login-secure-page.com part alone does not resolve.
     
macsfromnowon
Junior Member
Join Date: Oct 2003
Status: Offline
Nov 21, 2005, 10:08 AM
 
Gosh, my German is SO weak. www.visualroute.ch resolves to www.bbox.ch - German language. I'd love to read what it has to say. Anybody got an English-language version of this?
     
macsfromnowon
Junior Member
Join Date: Oct 2003
Status: Offline
Nov 21, 2005, 10:09 AM
 
PS: what is the ".ch" domain?
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Status: Offline
Nov 21, 2005, 10:20 AM
 
Originally Posted by macsfromnowon
Gosh, my German is SO weak. www.visualroute.ch resolves to www.bbox.ch - German language. I'd love to read what it has to say. Anybody got an English-language version of this?
Look a little bit closer. The right column has the instructions in English and the Java-applet is English only anyway. The .ch top-level domain is Switzerland (Confoederatio Helvetica).
     
macsfromnowon
Junior Member
Join Date: Oct 2003
Status: Offline
Nov 21, 2005, 10:35 AM
 
Ah! thanks. I was looking at their home page rather than m=15

An interesting way to keep up on what's happening with my own IP.
     
SystemPreffs
Fresh-Faced Recruit
Join Date: Jan 2004
Location: Left Coast
Status: Offline
Nov 21, 2005, 11:27 AM
 
Man, that is WEIRD if the US doesn't have enough pull to armtwist another high-tech country like S Korea into enforcing web crime!
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Status: Offline
Nov 21, 2005, 01:03 PM
 
It's almost a certainty that the South Korean company serving that scam site would comply with a major corporation's notices. Maybe Amazon is still unaware of it.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
Sijmen
Dedicated MacNNer
Join Date: Mar 2005
Location: Netherlands
Status: Offline
Nov 21, 2005, 02:23 PM
 
Originally Posted by macsfromnowon
PS: what is the ".ch" domain?

Switzerland
Apple Powerbook 17" 1,67 GHz, 2 gig RAM, 100 gig HDD, ATI Mobility Radeon 9700 128MB, Superdrive 8X
     
Love Calm Quiet  (op)
Mac Elite
Join Date: Mar 2001
Location: CO
Status: Offline
Nov 21, 2005, 04:37 PM
 
Big Mac:
When I first contacted Amazon they emailed me, saying that I could help by forwarding the complete phish email - which I did. A couple different ones in the last couple weeks.

Who knows: there's probably an Amazon.co.korea they need to protect
TOMBSTONE: "He's trashed his last preferences"
     
Love Calm Quiet  (op)
Mac Elite
Join Date: Mar 2001
Location: CO
Status: Offline
Nov 22, 2005, 12:23 AM
 
So there's another thread about such phishing (http://forums.macnn.com/showthread.php?t=276342). I haven't gotten the CIA one yet, but it does seem that a lot of my spam shows (at least in headers) that it's going to another .mac address as well. Are names/emails getting harvested from MacNN forums? Is it possible / likely for folks to be able to do that?
TOMBSTONE: "He's trashed his last preferences"
     
gopikrishna
Fresh-Faced Recruit
Join Date: Jan 2004
Location: Boston, MA
Status: Offline
Nov 22, 2005, 02:14 AM
 
(OT): So how come this thread acts weird in Firefox (requires horizontal scrolling)? Or does it for others?
... there's no pix or nothing...
Oh, nevuh mind... I see it's the long URL posted. But Safari deals with that.
Would you call that a Firefox bug? feature?
     
   
 