Shmoocon 2016: Phishing for the Phishers

After years of ignoring the emails it’s finally time to get into a conversation with that Nigerian prince you keep hearing from. Robbie Gallagher — an Application Security Engineer with Atlassian in Austin, TX — wanted to find out where perpetrators of phishing emails actually live. Of course you can’t count on the headers of the emails they send you. A better way to track them down is to actually draw them into a conversation, and this means making yourself a juicy target.

Robbie gave an excellent talk on his project Honey-Phish at this year’s Shmoocon. Part of what made it stand out is his narrative on each step of exploring the social engineering technique. For instance, there is already a vibrant community that specializes in forming relationships with scammers. Those who frequent 419 Eater have literally made it into a sport called Scambaiting. The ultimate proof that you’ve baited a scammer is getting the person to take a picture of themselves balancing something on their head. Now the image at the top of this post makes sense, right?

Writing personal emails to your scammer is a great system if you have a lot of time and only want to track down one scammer at a time. Robbie wants to catalog geographic locations for as many as possible and this means automation. Amusingly, the solution is to Phish for Phishers. By automating responses to phishing emails, and enticing the people originating those phishing scams to click on a link, you can ascertain their physical location.

How It’s Done

The project has three needs: collect as many phishing emails as possible, parse each email and send a believable reply, and include a method of collecting information about the people on the other end.

To start, Robbie set up a Gmail account to collect the emails. He recruited friends and colleagues to forward phishing emails to the account, but this doesn’t cast a very wide net. To increase his input he set out to sign up the account for spam by searching “sign up for spam”, leading him to sites like MailBait, Revenge Spam, and Spam Sign Up. Unfortunately these put him on mailing lists rather than making the account a target for phishing. Not to fear: after all, the 419 Eater site makes a sport out of this, and that’s where Robbie found the best way to get his account noticed. The group has a few honeypots set up in the form of “guest books” like you would sign at a wedding. Within 48 hours of putting the contact information onto these, the address had been scraped by scammers and phishing messages were hitting the inbox.
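The parse-and-reply step, as an added example in Python’s standard library (this is not Robbie’s code and not part of Honey-Phish). Both sample messages are constructed. It assumes the inbox is already being fetched by something else and only covers turning one raw message into a correctly threaded reply; it also shows one check the DNC story later in this post argues for: skip anything that looks like mailing-list traffic so the bot never answers a newsletter.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample of a 419-style message as it would land in the honeypot
# inbox. Note that Reply-To differs from From: the scammer reads replies at the
# Reply-To address, so a reply addressed to From would never reach them.
SAMPLE_PHISH = """\
From: "Barrister John Doe" <office@example.invalid>
Reply-To: <johndoe.chambers@example.invalid>
To: honeypot@example.invalid
Subject: URGENT BUSINESS PROPOSAL
Message-ID: <abc123@example.invalid>
Date: Sat, 16 Jan 2016 10:00:00 +0000
Content-Type: text/plain; charset="utf-8"

Dear Friend,

I have a confidential proposal for you concerning a late client of mine.
Kindly reply so I can provide details.
"""

# Constructed sample of a legitimate mailing-list message; the bot must not
# answer these, or it ends up banned like in the DNC story.
SAMPLE_NEWSLETTER = """\
From: Campaign News <news@example.invalid>
To: honeypot@example.invalid
Subject: This week's update
Message-ID: <news-42@example.invalid>
List-Unsubscribe: <mailto:unsub@example.invalid>
Precedence: bulk
Content-Type: text/plain; charset="utf-8"

Thanks for subscribing!
"""


def is_bulk_mail(msg):
    """True for list/newsletter traffic that should never get an automated reply."""
    if msg.get("List-Id") or msg.get("List-Unsubscribe"):
        return True
    return str(msg.get("Precedence", "")).lower() in ("bulk", "list", "junk")


def parse_phish(raw):
    """Extract the fields the reply step needs from one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    return {
        "from_name": from_name,
        "from_addr": from_addr,
        # Prefer Reply-To; fall back to From only when it is absent.
        "reply_addr": reply_to or from_addr,
        "subject": str(msg.get("Subject", "")),
        "message_id": str(msg.get("Message-ID", "")),
        "references": str(msg.get("References", "")),
        "body": body,
        "is_bulk": is_bulk_mail(msg),
    }


def build_reply(parsed, body_text, honeypot_addr):
    """Build a reply that threads under the original message, or None for bulk mail."""
    if parsed["is_bulk"]:
        return None
    reply = EmailMessage()
    reply["From"] = honeypot_addr
    reply["To"] = parsed["reply_addr"]
    subject = parsed["subject"]
    reply["Subject"] = subject if subject.lower().startswith("re:") else "Re: " + subject
    if parsed["message_id"]:
        # In-Reply-To and References make the other side's mail client treat
        # this as a continuation of their own thread rather than a cold message.
        reply["In-Reply-To"] = parsed["message_id"]
        reply["References"] = (parsed["references"] + " " + parsed["message_id"]).strip()
    reply.set_content(body_text)
    return reply


if __name__ == "__main__":
    parsed = parse_phish(SAMPLE_PHISH)
    reply = build_reply(parsed, "Dear Barrister, I am interested. Please advise.",
                        "honeypot@example.invalid")
    print(reply.as_string())
```

The Reply-To handling is the part people get wrong first: much 419 mail is sent from throwaway or spoofed From addresses with the real mailbox in Reply-To, so a reply built from From alone silently goes nowhere.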

Andrey Markov

One response isn’t appropriate in all situations, so Honey-Phish needed a way of responding that had the highest likelihood of eliciting clicks from the Phishers. To explain this part of it, Robbie gave the crowd a history of Andrey Markov and his facial hair. He is, of course, the father of Markov chains, which do a very fine job of forming natural language when given a suitable input pool. Robbie gave a few examples to peruse, like Garkov, which is Garfield cartoons whose text is replaced with Markov chains, and Tony Fischetti’s Markov chain wine reviews.

Robbie’s first couple of input pools were complete fails. The script from The Big Lebowski doesn’t read in the first person, and books from the Gutenberg Press use English that is too archaic. The sweet spot turned out to be the Personal Finance Subreddit, since almost every post is first person and the discussion revolves around strife, financial burdens, and personal successes… exactly the topics phishing emails are targeting.
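A minimal word-level Markov chain of the kind the talk describes, as an added example that is not Robbie’s code. The training text is a small constructed stand-in for the first-person Personal Finance posts; the chain is second order (each next word is chosen from what followed the previous two words in the corpus), and sentence boundaries are modelled explicitly so the output stops at a corpus-learned end rather than mid-phrase.

```python
import random
from collections import defaultdict

# Constructed training corpus, one sentence per line, written in the first
# person like the subreddit posts the talk used. Real use would feed in
# thousands of posts; six lines are enough to see the mechanism work.
CORPUS = """\
I just paid off my credit card and I feel great about it.
I lost my job last month and I am worried about rent.
My wife and I are trying to save for a house but it is hard.
I inherited some money from my uncle and I do not know what to do with it.
I am worried about my savings because the bank keeps charging fees.
I finally have some money saved and I want to invest it wisely.
"""

START = "<s>"   # padding token marking the start of a sentence
END = "</s>"    # token marking the end of a sentence


def build_chain(text, order=2):
    """Map each (order)-word state to the list of words that followed it.

    Duplicates are kept on purpose: a word that follows a state three times
    is three times as likely to be picked, which is the Markov weighting."""
    chain = defaultdict(list)
    for line in text.strip().splitlines():
        words = line.split()
        if not words:
            continue
        state = (START,) * order
        for word in words + [END]:
            chain[state].append(word)
            state = state[1:] + (word,)
    return chain


def generate_sentence(chain, rng, order=2, max_words=40):
    """Walk the chain from the start state until END or max_words."""
    state = (START,) * order
    out = []
    while len(out) < max_words:
        options = chain.get(state)
        if not options:          # state never seen in training (cannot happen
            break                # from START, but guards against odd corpora)
        word = rng.choice(options)
        if word == END:
            break
        out.append(word)
        state = state[1:] + (word,)
    return " ".join(out)


def generate_reply(chain, rng, sentences=3, order=2):
    """Several generated sentences strung together as a reply body."""
    return " ".join(generate_sentence(chain, rng, order) for _ in range(sentences))


def vocabulary(text):
    return {w for line in text.strip().splitlines() for w in line.split()}


if __name__ == "__main__":
    chain = build_chain(CORPUS)
    print(generate_reply(chain, random.Random(2016)))
```

Why order 2 matters: with order 1 the chain only knows that "I" can be followed by "am", "lost", "just", and so on, and the text drifts into word salad within a few words; with order 2 each choice is conditioned on a bigram, so local grammar survives while sentences still recombine across posts ("I lost my job last month and I want to invest it wisely" is a legitimate walk through this corpus). The corpus choice the talk describes is the other half: a chain can only ever sound like what it was fed.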

Does It Work?

The early results come from a sample of 41 unique email exchanges, of which 2 produced click-throughs (a 4.9% success rate). Using Jack Spirou’s ClientJS library a lot of data was collected on these two clicks… for the purposes of this post the countries are enough: Brazil and Romania. Robbie plans to greatly expand the search and eventually release heat maps of where Phishing originates.

Perhaps the most entertaining story shared during the talk is at the expense of the Democratic National Committee. Honey-Phish was subscribed to their mailing list as part of hunting for scammers. The DNC sent so many emails, and Honey-Phish responded to each of them, that the IP address was eventually banned by the DNC. No, they’re not phishing, but there’s something not right about that interaction. These talks were recorded and when published you simply must see Robbie’s entire presentation.

22 thoughts on “Shmoocon 2016: Phishing for the Phishers”

  1. There are some hi-larious recordings out there of scammers scamming scammers. My favorite had the scammer on the phone as his “mark” was on his way to the “bank”. It was a very convincing and thorough production as the mark was talking on his cell phone and driving very fast through traffic. The call was interrupted by a scream, a terrible crash and minutes later sirens. The Nigerian in question was audibly confused and terrified as someone, a police officer maybe, picked up the phone and said hello.
    You’d have to hear it to really appreciate the work that went into it.

  2. Nice work, but how can you tell what the real location of the phisher is if they are using a compromised machine as a proxy? I would have thought that the only way to be sure would be to compromise the phisher’s machine and run a security audit to prove that the text coming from them came off their keyboard. What if they just use Internet cafes, cash and stolen ID?

    You know where I think this work would be better directed? Into having an email system that detected when a user was being drawn into a scam so that it could pop up a warning before any harm was done. But users would have to consent to that sort of oversight of their communications, even if it was automated and no human ever looked at their email. A great application for artificial intelligence.

    1. Scammers may not feel they’re revealing anything about themselves by clicking a link, and might not go through the effort to protect their identity while doing so, even if they go to great lengths otherwise.

      The Cloudmark service is fairly similar to your proposed system. I can attest that it works very well, and I don’t endorse commercial services lightly. On an account that receives 500+ spam emails daily, it’s a rare occurrence that one makes it through, yet I’ve never seen a false positive.

      A similar account under Gmail averages 2-3 spam daily, and I’ve had to deal with quite a few false positives, which are really the bigger annoyance as they may go unnoticed. Many I can’t figure out why they were flagged. Though some are explained because Gmail appears to use the Composite Blocking List (CBL), which blocks entire IP addresses, even if a fraction of what’s coming from that address is spam. That’s been a serious pain in the arse for me because many webhosts host hundreds of websites at a single IP, which may have thousands of email accounts. If any one account is compromised or misused, then everything from all senders at that IP is blocked. I wish the CBL were done away with, honestly. Cloudmark is smarter than that, and does not use the CBL, so far as I can tell.

      1. You don’t need a clickable link if a custom img tag will do, just have it refer to a high port number and have your firewall log it. That has worked for a long time against Windows users where their setup happily renders HTML mail including linked images. A lot of machines would have been compromised that way when there were still a lot of buffer overflow flaws in image processing code. As soon as you looked at the email you got owned.

        Anyhow the point being that you never can tell so assuming the IP is really the criminal is dangerous.

      1. The phishing warnings? Yeah, but this guy is talking about going after them and I am saying you can’t tell for sure if that IP number is them or an innocent middle man with a compromised computer.

  3. I had an acquaintance in an overseas government office in South Africa who made a hobby of this. Since he’d previously been posted in Nigeria he knew Lagos well and would set up meetings with the scammers only to miss them again and again because of cancelled flights, cab failures etc. etc. No pictures of things balanced on their heads but much hilarity ensued.

  4. When I was younger, I used to screw with the telemarketers until they would hang up on their own. I had one dude convinced I would off myself if he hung up or called for help. I ended up slamming the phone on a table to give the impression I had shot myself and then listened as the guy lost his mind on the phone screaming. Then when his supervisor got on the phone I told him calmly that he should take my number off his call list or I would continue to break his employees. I never got a call back from that particular company again.

    I never tried that particular stunt again, as I was afraid somebody might call my bluff and call the cops.

    My favorite telemarketer prank was to pretend like they had actually called an adult chat line and try to convince them to give me their credit card numbers in return for “sensual talk therapy”. No one ever gave me a card number, but I did get a lot of enjoyment listening to people squirm while trying to do their job. Something about a deep, not very sexy male voice trying to convince them to open up about their adult desires really seemed to put off a lot of people. Most of them weren’t allowed to hang up first unless it got really bad.

    Now I never get any telemarketers calling me… I wonder why….
