
Re: Capt_Nemo post# 212137

Friday, 02/18/2005 10:01:50 PM

FYI Re: PayPal

Posted by: Bob Zumbrunnen
In reply to: IH Admin [Matt] who wrote msg# 49513 Date: 2/18/2005 9:32:42 PM
Post #of 49529

All 3 of us (Matt, Dave, and I) are leaving no stone unturned on this one. I'm so glad most people savvy enough to use a site like this know a phish when they see it.

Here's what we do and don't know so far.

1. We know the originating address of the phish email hasn't been located in our log files yet. Neither has the IP address of the site that the links in the email take you to.

2. It seems pretty apparent that we did get hit/hacked or something. Most evidence says so. However, not *all* accounts got these emails. I didn't get one at an email address I've used for two accounts here. Meaning: It's possible they didn't grab email addresses from all accounts but instead grabbed some range we haven't determined yet.

3. Interesting, the source code of the site linked to in the email contains JavaScript variables with names starting with "vuln", which I'm sure is short for "vulnerable". I don't know JavaScript, so I can't tell if simply going to the site exposes you to malicious JavaScript, but it's a good assumption to go with. No, I didn't go to the site. There's a way to grab HTML from a site and store it for inspection without actually going to the site.

4. These kinds of things are often done using a technique called "SQL Insertion". I've tried to be very careful to make sure this trick isn't possible anywhere. The only place I know of where it's even close to possible (a requirement is that you have a form field into which you can input something and get results -- including a SQL query) would be Search, but it's not possible there. If multiple words are submitted to Search, I parse them and insert "AND" between each word after stripping out words that're too short or are "noise" words.

So, an input of "select * from member" ends up being "select AND member" before being submitted to the db. The asterisk is removed because it's too short, and "from" is removed because it's a noise word.

5. We're throwing ALL of our energies into finding out what happened, how to prevent it happening again, and, if possible, make the perpetrator wish they hadn't done this. Which will likely be difficult. The IP addy of the email goes to Russia and the site the email links to was registered via what's almost certainly a bogus name and address in the Marshall Islands.

6. We were one of who knows how many sites that got targeted. We know for certain we're not the only one.

7. The site that the email links to was registered only 2 days ago.

The company that hosts the website the email links go to doesn't seem to give a damn. I'm going to get more insistent Monday that they shut down the linked-to site if they haven't by then. If they'd simply shut down that site, which they've been informed is doing something illegal, they can prevent anyone from falling victim.
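The Search handling described in point 4, as an added example that is not the site's own code: it drops short and noise words, joins the rest with AND, and then binds each surviving term as a query parameter so the terms can only ever be matched as text. The noise-word list, the minimum word length and the `posts` table are assumptions.

```python
import re
import sqlite3

# Assumed values: the post only says "too short" words and "noise" words are
# stripped, giving "*" and "from" as its examples.
NOISE_WORDS = {"from", "the", "and", "or", "of", "a", "an", "in", "to"}
MIN_LEN = 2

def normalize_search(raw: str) -> list[str]:
    """Split raw search input into terms, dropping short and noise words."""
    terms = []
    for word in re.split(r"\s+", raw.strip()):
        if len(word) < MIN_LEN or word.lower() in NOISE_WORDS:
            continue
        terms.append(word)
    return terms

def search_expression(raw: str) -> str:
    """Join the surviving terms with AND, as in the post's example."""
    return " AND ".join(normalize_search(raw))

def search_posts(conn: sqlite3.Connection, raw: str) -> list[int]:
    """Return ids of posts whose body contains every term.

    The WHERE clause is built only from fixed '?' placeholders; the terms
    themselves travel as bound parameters, never as SQL text."""
    terms = normalize_search(raw)
    if not terms:
        return []
    where = " AND ".join("lower(body) LIKE ?" for _ in terms)
    params = [f"%{t.lower()}%" for t in terms]
    rows = conn.execute(f"SELECT id FROM posts WHERE {where}", params).fetchall()
    return [r[0] for r in rows]

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory sample table (assumed schema) to run the search against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO posts (body) VALUES (?)", [
        ("Select the member list before the meeting",),
        ("PayPal phish going around, check the links",),
        ("member roster",),
    ])
    return conn

if __name__ == "__main__":
    print(search_expression("select * from member"))   # select AND member
    print(search_posts(demo_db(), "select * from member"))  # [1]
```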
