Advice wanted – Stumbled across active phishing scam

[zefman]

So yesterday I received a suspicious sms message with standard phishing speil asking to follow a link and renew a subscription to well known app.

Out of interest I followed the link to see how the attack would work, and before I knew it I had discovered that the attacker had left directory listings enabled on their server!

After looking through the PHP used to perform the scam, I could see that the results of the form victims are asked to fill out were being emailed to the attacker, and logged into a text file on the server. I just want to stress this is all publicly available if you know the url, not behind any kind of authentication.

After looking at the log file I could see that this scam was very and active and very effective. New entries were being added throughout the day including credit card and bank information. At this point I realised it was probably time to inform the police, and after many many painful hours I finally had a report logged.

Its now been 24 hours and I can still see the scam is active and collecting real peoples' details, the majority of whom are elderly.

What should I do? It feels wrong just to sit here and watch these people lose their details while the UK police take their time figuring out what a zipfile is. It would be very easy to disrupt the scam by flooding it with fake data. Good or bad idea?

[tdeck]

Much of this sounds like a standard phish kit. Unfortunately I don't think the police can do much. Often you can actually find the perpetrator's info, but they're in Nigeria where nobody cares.

First of all, I'd report the site to Google Safe Browsing and to PhishTank: https://safebrowsing.google.com/safebrowsing/report_phish/?h... https://www.phishtank.com/

Once Chrome starts blocking the site, that will stop the bleeding. The contact the host and domain registrar, if possible. If the phish kit is piggybacking on a WordPress site (very common), find the person who owns that site and message them if you can.

[zefman]

Yeah whoever set this up knows very little about the web and has obviously purchased this. They have made a number of mistakes including not withholding their domain registration info! So the police actually have a name and address in the UK. Whether that is a decoy or not remains to be seen, but given the other mistakes that have been made I wouldn't be surprised if it was the attacker.

The site has already been reported to netcraft and is now showing as dangerous in chrome. Unfortunately this doesn't appear to show on mobiles, where most of the of the victims are falling for the scam.

[nirmalkant]

Its a hazardous menace affecting almost all Internet powerful nations of the world. If you are attacked, probably you won't be able to do much now and just wait for them to do something for you. I think the cyber cell will take care, it takes time but you'll get solution lately. From next time the first and the foremost you should do is to steer clear of spams and e-mails which are from suspicious senders. Read about the Cyber Plague..http://gotowebsecurity.com/cyber-phishing-attack/

[detaro]

You could try contact their hosting provider? (assuming it is a somewhat legitimate one)

[zefman]

Have tried that and unfortunately the abuse email bounces :/

[wazanator]

Is there a way you can anonymously alert people who have been scammed?

[zefman]

Yeah this should be possible, their emails are listed in the data. I suppose I could write a script that watches the log file and instantly warns anyone added to it.

[techthroway443]

This is making me paranoid. How do I check if my website has listing enabled?

[zefman]

Haha given the context I'm not sure I should say. Are you running your own phishing site?