Another Amazon Phishing Attempt

Published on June 4, 2007

46 hours ago I received an email from Amazon. Things looked somewhat official, although my tech "sixth sense" told me it was a phishing attempt. Maybe it was the poor grammar, yet it was still not particularly obvious when I skimmed quickly through the email.

Bastards 1

Naturally I wanted to see if the phishing site was still live, and if not, report it. The linked site was of special interest because it was hosted in New Zealand, where I used to live. I first looked at the TLD and it didn't look like a site designed for phishing, and the location of the index.html file (in /images/) strongly indicates a compromised system.

index.html
<html>
<head>
<meta http-equiv="refresh" content="0; URL=http://polo.ceit.metu.edu.tr/icons/amazon/exec.php?cmd=sign-in">
<meta name="keywords" content="automatic redirection">
</head>
<body>

Ok, a regular redirect, obvious compromise. I fired up my email and sent the website owner (whois), the owner of the IP block in New Zealand and the university in Turkey (where the phishing site is actually hosted) an email.

To all it may concern:

Today I received an email alerting me that my Amazon records are out of
date, and need to be updated.  While this phishing attempt was obvious
to me, it may be less obvious to other customers.

Investigating further revealed that both the initial site which includes
the meta refresh, and the host server, are still live.

[owner]: Please secure your server.

[ISP]: Please contact [owner].  I will also try to contact the people I
know in New Zealand directly through IRC.

[University]: Please contact the authorities.

Code from http://www.[url].co.nz/images/index.html:

[code snippet from index.html]
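
The redirect stub in index.html is easy to find mechanically once you know the pattern: a meta refresh with a near-zero delay that points at a different host. The following is an added example, not part of the original post, that a site owner could run over pages in a web root to flag that pattern; the serving host name `compromised-site.example`, the `max_delay` threshold and the benign sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Content attribute of a meta refresh: "<delay>; URL=<target>".
REFRESH_RE = re.compile(
    r"^\s*(\d+(?:\.\d+)?)\s*(?:[;,]\s*(?:url\s*=\s*)?['\"]?(.*?)['\"]?\s*)?$",
    re.I | re.S)

class RefreshFinder(HTMLParser):
    """Collects (delay_seconds, target_url) for every meta refresh tag."""
    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        m = REFRESH_RE.match(a.get("content", ""))
        if m and m.group(2):
            self.refreshes.append((float(m.group(1)), m.group(2)))

def offsite_refreshes(html_text, serving_host, max_delay=5.0):
    """Return refresh targets that leave serving_host within max_delay seconds."""
    finder = RefreshFinder()
    finder.feed(html_text)
    hits = []
    for delay, url in finder.refreshes:
        target_host = (urlsplit(url).hostname or "").lower()
        # Relative URLs have no hostname, so they stay on the same site.
        if target_host and target_host != serving_host.lower() and delay <= max_delay:
            hits.append({"delay": delay, "target": url, "host": target_host})
    return hits

# The stub quoted in the post (truncated there as well).
STUB = """<html>
<head>
<meta http-equiv="refresh" content="0; URL=http://polo.ceit.metu.edu.tr/icons/amazon/exec.php?cmd=sign-in">
<meta name="keywords" content="automatic redirection">
</head>
<body>
"""
# Constructed benign page: slow, same-site relative refresh.
BENIGN = '<meta http-equiv="refresh" content="30; url=/news/latest.html">'

if __name__ == "__main__":
    print(offsite_refreshes(STUB, "compromised-site.example"))  # placeholder host
```

A hit on a file that sits in a directory meant for static assets, such as the /images/ location mentioned earlier, is a strong reason to treat the whole host as compromised rather than just deleting the file.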

I jumped online this morning and started working on some things. Initially I totally forgot about the whole incident, but started to wonder if the site was shut down or not. I checked, and had two surprises.

Surprise 1: Bastards 2
Surprise 2:

Both sites are still live! Fancy that. I guess I shouldn't have expected anything else. So, I propose this question:

What do you do when you see a phishing attempt? Report it? Contact anybody? Ignore it?


