Monday, February 19, 2007

How to report a phishing incident ?

Yet another email I received from what appears to be a phishing site
The phishing site is intended to steal user name and password and other information from Capital One customers by sending emails from what appear a legitimate Capital One site and email (

The site try to collect username and password through HTTP POST from the fake login:

Other credentials such as customer address and PII such as SSN, DOB, account No, CVV, Card Number, Expitation can be also collected through HTTP POST from the page

The host of this phishing site appears to be that resolves to the IP address: The web server is an Apache server: Apache/2.0.53 (Fedora)
X-Powered-By: PHP/4.3.11

Further discovery info about the phishing hosting site seem to
indicate a web-related production site in Japan, with address
501-3954 Gifu prefecture Seki city and TEL (0575) 28-4131.

The first thing I'll do is to call Capital One support and alert them about the phishing I will also report the phishing by sending an email to and to the Anti Phishing Working Group at

Tactically you want to make sure that your respond to every phishing attack like any other vulnerability that triggers an immediate incident response. As a next step, there is a lot that you can do strategically to limit phishing especially through security training and awareness.

If I were in charge of the anti-fraud of a financial institution like Capital One this is how I would respond to phishing threats:

1) Advise all your customers to block email that carry phishing attacks. Typically phishing attacks are directed toward users through email. A spam filter should be able to detect the email as a spam by checking the Received-SPF for fail or softfail and either have it rejected or issue a warning.

Received-SPF: softfail ( transitioning domain of does not designate as permitted sender) client-ip=;;;
Received: from ( [])
by (Postfix) with ESMTP id 87762BD0045
for ; Sun, 18 Feb 2007 05:59:09 -0600 (CST)
Received: from User ([]) by with Microsoft SMTPSVC(6.0.3790.1830);
Sun, 18 Feb 2007 07:04:48 -0500
From: "Capital One Security"
Subject: Security: Online Banking Update
Date: Sun, 18 Feb 2007 06:04:09 -0600
MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-OriginalArrivalTime: 18 Feb 2007 12:04:48.0346 (UTC) FILETIME=[FC96FBA0:01C75354]
To: undisclosed-recipients:;

2) Do some discovery of the site hosting the phishing attack. Query whois for the domain registration information and google the site to find more information about who is hosting and administrating the site

3) Once you have identified the hosting site, contact the administrator and have the content removed (the page will show Content Removed 777 when reached) . If the phishing comes from a site in USA you can appeal to anti-phishing laws like the Virginia’s anti-phishing law that makes phishing a criminal offense punishable as a felony (Virginia Code § 18.2-152.5:1.)

4) Inform and educate customers and internal employees about phishing threats and social engineering. Eventually create a white-hat phishing site that look like your company site and send an email to your internal users inducing them to provide username and passwords. For example you can send an email to your internal users asking them to register to receive a new upgraded PC. Collect the reponses both positive and negative to assess how proficient is the security awareness both within your organization and your customers. If security awareness is bad your users might need a focused security training.

5) Be proactive and learn from other phishing attacks, learn how you mail gateway can defend against them and increase security awareness by alerting users and customers with proper advisories.

According to the latest data from the Anti-Phishing Working Group (APWG), there are now more than 2,600 active phishing Web sites on the Internet and more than 13,000 unique phishing emails in circulation. The threat is real and alive.

A nice list archive of phishing sites is provided at

While you might find some resources to learn on how to protect from phishing here:

The Anti-Phishing group at Indiana University: maintains a site revoted to phishing research that is a very good resource to learn about phishing.

One way to win the security game is to be ahead of the threat by being smarter then the attacker and more educated on threats and countermeasures.

No comments: