Yesterday evening I created a small phishing demo for my class tonight. I essentially scraped the eBay login site, and made the POST action on the login form forward to an aptly named pwnt.html. The idea was to illustrate a “live” phish attempt in a safe, controlled environment. I would pull it up on the screen, then attempt to log in, and have the “YOU WERE PWND!” page come up. Then I would back up, and ask students about how they could distinguish it from the real eBay login.
It all seemed like a great idea in my head. Unfortunately, I didn’t realize just how fast and efficient the anti-phishing league of justice can be these days. Today I visited the site and this is what I saw:
Flagged and tagged! It appears that Google and Firefox now know about my evil phishing ways. But that’s not all. This is what I found in my email this morning:
We were wondering if ***/~maciakl1/ebay/index.htm is part of some project and thus not a phish with criminal intentions. Would you have further information?
Thank you very much in advance.
Kaspersky Labs Japan
Holy shit! These people work fast! I’m totally impressed. I’m just a little bit upset about being flagged this way, but I guess I can use it as part of the lesson. How do you identify a phishing website? Well, if Firefox haets it – you probably have no business going there! I don’t really use that site for anything other than random classroom stunts like that so I’m not overly concerned. If Terminally Incoherent got flagged this way I would be totally freaking out. That other site – meh. I can live with that. Hopefully I can figure out a way to get myself off the blacklist – which might be a topic for a whole new post. :P
I wonder if this is the usual turnaround time? I’m suspecting that maybe my site got indexed by Google at some point – or perhaps they are just monitoring Netdrive because of past exploits. Or perhaps some eBay script detected the 2-3 POST requests sent from my site when I was testing and fired an automated phish report? I don’t know, but if they snagged me this fast then it means that a lot of other phishing gets canned this fast too.
I used to think that the lifetime of a phishing website may be a few days – maybe up to a week or two. Now I see that in some circumstances it might be hours before it gets flagged and visitors get nasty warning messages from their browser or anti-phish software. So I guess phishing ain’t easy – not as easy as it looks. My window of opportunity to do the most damage was maybe 3-4 hours – which is not much. It might be enough to snag a few accounts though. After you get flagged the effectiveness of the phish is diminished due to these warnings. Not to mention that once you are on that list, it’s just a matter of time before your host gets enough complaints to take you down.
Which makes me wonder when I will get the angry letter/phone call from the sysadmin. Perhaps he will send minions up to my office on the 3rd floor to set up an ambush and verbally berate me when I arrive this evening. Oh wait, that won’t happen. Both the Sysadmin and the minions – as well as 99% of the University staff – fall into Torpor state exactly at 4:05 pm. Which means that they start leaving campus, or burrow deep in their lairs around 3pm. So if you teach (or take) an evening class you will never actually see them. :P
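For the classroom question from the opening paragraph (how to tell the copy from the real login), here is an added example that is not part of the original post: a small checker that flags the two giveaways the demo has, the page's own host and the place the password form posts to. The function name `audit_login_page`, the host `classroom.example` and the form field names are assumptions made up for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _LoginForms(HTMLParser):
    """Collect the action of every <form> that contains a password field."""
    def __init__(self):
        super().__init__()
        self.actions, self._current = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True
    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current["password"]:
                self.actions.append(self._current["action"])
            self._current = None

def _on_domain(host, domain):
    # True only for the domain itself or a real subdomain; "ebay.com.evil.example" fails.
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def audit_login_page(page_url, html, brand_domain):
    """Return findings for a page that presents itself as brand_domain's login."""
    findings = []
    page = urlsplit(page_url)
    if page.scheme != "https":
        findings.append("page not served over HTTPS")
    if not _on_domain(page.hostname, brand_domain):
        findings.append(f"page host {page.hostname} is not under {brand_domain}")
    parser = _LoginForms()
    parser.feed(html)
    for action in parser.actions:
        # Empty or relative actions resolve against the page URL, i.e. the copy's own host.
        target = urlsplit(urljoin(page_url, action))
        if not _on_domain(target.hostname, brand_domain):
            findings.append(f"password form posts to {target.hostname}{target.path}")
    return findings

# Constructed sample modelled on the demo: a copied login form whose action is a local page.
SAMPLE_URL = "http://classroom.example/~demo/ebay/index.htm"
SAMPLE_HTML = """<html><title>Sign in</title><form method="post" action="pwnt.html">
<input type="text" name="userid"><input type="password" name="pass"></form></html>"""

if __name__ == "__main__":
    for finding in audit_login_page(SAMPLE_URL, SAMPLE_HTML, "ebay.com"):
        print(finding)
```
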