This morning, a rather well-crafted phishing attempt squirmed through my spam filter; my EBay account was due to be suspended, and so on. Very polished and professional and concerned, only I don’t have an EBay account. So, by investing about 45 seconds of source-viewing I ascertained they wanted me to go visit 18.104.22.168 which turns out to be “ThaiEdResearch.org”, a plausible-looking website, at least to one who like me doesn’t read Thai. But obviously, they are either criminals, or their webmaster is a criminal, or their ISP is a criminal. If anyone cared, it wouldn’t be too hard to find out. This feels to me kind of like walking into a bank, waving a gun around, and giving them a stamped self-addressed envelope to mail the stolen money in. What am I missing? [Update: lots of feedback on this one.]
Several people wrote to suggest that the “ThaiEdResearch” site had
probably itself been hacked by the bad guys, and indeed, the name of the
script it wanted to run was
/.aw-cgi-sk/eBayISAPI.php; note the
But I think my point stands; if this is going to work at all, at some point
it’s going to have to send the phished goodies back to the bad guys, so if
you wanted to, you should be able to smoke ’em out.
But as Lauren points out, maybe nobody wants to. That is, wants to badly enough to fight the jurisdictional issues when they’ve got other work to do. I don’t know, if the police forces of a few countries wanted to team up, it wouldn’t take that much work to lay a pretty severe hurt on a bunch of phishers, maybe the point of convincing them that it’s not easy money.