After years of ignoring the emails it’s finally time to get into a conversation with that Nigerian prince you keep hearing from. Robbie Gallagher — an Application Security Engineer with Atlassian in Austin, TX — wanted to find out where the perpetrators of phishing emails actually live. Of course you can’t count on the headers of the emails they send you; those are trivially forged. A better way to track them down is to draw them into a conversation, and that means making yourself a juicy target.
Robbie gave an excellent talk on his project Honey-Phish at this year’s Shmoocon. Part of what made it stand out was his narrative on each step of exploring the social engineering technique. For instance, there is already a vibrant community that specializes in forming relationships with scammers: those who frequent 419 Eater have literally made it into a sport called scambaiting. The ultimate proof that you’ve baited a scammer is to get the person to take a picture of themselves balancing something on their head. Now the image at the top of this post makes sense, right?
Writing personal emails to your scammer is a great system if you have a lot of time and only want to track down one scammer at a time. Robbie wants to catalog geographic locations for as many as possible, and that means automation. Amusingly, the solution is to phish for phishers: by automating responses to phishing emails and enticing the people originating those scams to click on a link, you get their IP address, and from it an approximate physical location (or at least the location of whatever they are browsing through).
How It’s Done
The project has three needs: collect as many phishing emails as possible, parse each email and send a reply that is believable, and include a method of collecting information from the people on the other end.
To start, Robbie set up a Gmail account to collect the emails. He recruited friends and colleagues to forward phishing emails to the account, but this doesn’t cast a very wide net. To increase his input he set out to sign the account up for spam by searching “sign up for spam”, which led him to sites like MailBait, Revenge Spam, and Spam Sign Up. Unfortunately these put him on mailing lists rather than making the account a target for phishing. Never fear: after all, the 419 Eater site makes a sport out of this, and that’s where Robbie found the best way to get his account noticed. The group has a few honeypots set up in the form of “guest books” like the one you would sign at a wedding. Within 48 hours of putting the contact information on these, the address had been scraped by scammers and phishing messages were hitting the inbox.
One response isn’t appropriate in all situations, so Honey-Phish needed a way of responding that had the highest likelihood of eliciting clicks from the phishers. To explain this part, Robbie gave the crowd a history of Andrey Markov and his facial hair. He is, of course, the father of Markov chains, which do a very fine job of forming natural-sounding language when given a suitable input pool. Robbie gave a few examples to peruse, like Garkov, which is Garfield cartoons whose text is replaced with Markov chain output, and Tony Fischetti’s Markov chain wine reviews.
Robbie’s first couple of input pools were complete failures. The script from The Big Lebowski doesn’t read in the first person, and books from Project Gutenberg use English that is too archaic. The sweet spot turned out to be the Personal Finance subreddit, since almost every post is in the first person and the discussion revolves around strife, financial burdens, and personal successes… exactly the topics phishing emails target.
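To make the pipeline concrete, here is an added example in Python (not code from the talk or from Honey-Phish) covering the three needs listed above: it parses one phishing email, generates a first-person reply by walking a Markov chain, and embeds a per-conversation tracking link that the click collector can authenticate. Everything in it is an assumption for illustration: the five-sentence corpus is a constructed stand-in for the Personal Finance subreddit, the sample scam email is constructed, and the secret key, the tracker.example host, the /statement path and the “bank statement” pretext are made up.

```python
"""Added example, not Honey-Phish's own code: parse one phishing email, reply with
Markov-chain text from a constructed corpus, and embed an authenticated tracking link."""
import email
import hashlib
import hmac
import random
import re
import textwrap
from collections import defaultdict
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed stand-in corpus; the real pool would be thousands of subreddit posts.
CORPUS = """
I finally paid off my car loan and my budget has room to breathe again.
I lost my job last month and my savings are almost gone.
I inherited some money from my uncle and I have no idea what to do with it.
I need help because my bank froze my account and I cannot pay rent.
I am trying to save for a house but every month something breaks.
"""
# Hypothetical values: the operator's secret (shared with the collector) and landing page.
TRACKING_SECRET = b"replace-with-a-random-32-byte-key"
TRACKING_HOST = "https://tracker.example"
# Constructed sample phishing email used by the demonstration at the bottom.
SAMPLE_PHISH = """\
From: "Barrister John" <john@spoofed.example>
Reply-To: <payout.office@mail.example>
To: <victim@example.com>
Subject: URGENT: Your $4,500,000 inheritance
Message-ID: <20170128.1234@mail.example>

Dear friend, kindly confirm your details so we can release the fund.
"""

def build_chain(text, order=2):
    """Map each `order`-word state to the words that followed it in the corpus."""
    words = text.split()
    chain = defaultdict(list)
    for i in range(len(words) - order):
        chain[tuple(words[i:i + order])].append(words[i + order])
    return chain

def generate_reply(chain, seed, max_words=40):
    """Random walk from a state that begins with "I"; deterministic for a given seed."""
    rng = random.Random(seed)
    state = rng.choice([s for s in chain if s[0] == "I"])
    out = list(state)
    while len(out) < max_words:
        followers = chain.get(state)
        if not followers:          # dead end: this state only ever ended the corpus
            break
        word = rng.choice(followers)
        out.append(word)
        state = (*state[1:], word)
        if word.endswith("."):     # stop at a sentence boundary
            break
    return " ".join(out)

def tracking_link(message_id):
    """Link carrying a conversation id plus an HMAC tag so guessed ids are rejected."""
    conv = hashlib.sha256(message_id.encode()).hexdigest()[:16]
    tag = hmac.new(TRACKING_SECRET, conv.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{TRACKING_HOST}/statement?c={conv}&t={tag}"

def parse_click(url):
    """Collector side: return the conversation id for a link we issued, else None."""
    m = re.search(r"[?&]c=([0-9a-f]{16})&t=([0-9a-f]{16})", url)
    if not m:
        return None
    conv, tag = m.groups()
    expected = hmac.new(TRACKING_SECRET, conv.encode(), hashlib.sha256).hexdigest()[:16]
    return conv if hmac.compare_digest(expected, tag) else None

def build_reply(raw_email, honeypot_addr="victim@example.com", seed=None):
    """Parse the scam, pick the address the scammer actually reads, and reply in-thread."""
    msg = email.message_from_string(raw_email)
    # Scammers usually collect replies at a Reply-To that differs from the spoofed From.
    _, target = parseaddr(msg.get("Reply-To") or msg.get("From") or "")
    message_id = msg.get("Message-ID", "")
    if not target or not message_id:
        raise ValueError("no reply address or Message-ID; cannot track this thread")
    subject = msg.get("Subject", "")
    if not subject.lower().startswith("re:"):
        subject = "Re: " + subject
    body = generate_reply(build_chain(CORPUS), message_id if seed is None else seed)
    reply = EmailMessage()
    reply["From"] = honeypot_addr
    reply["To"] = target
    reply["Subject"] = subject
    reply["In-Reply-To"] = message_id   # keep the scammer's mail client threading it
    reply["References"] = message_id
    reply.set_content(textwrap.fill(body, 72)
                      + f"\n\nMy bank statement is here:\n{tracking_link(message_id)}\n")
    return reply

if __name__ == "__main__":
    print(build_reply(SAMPLE_PHISH, seed=1))
```

Run as a script, it prints the reply as a complete RFC 822 message. The HMAC tag only proves that the collector is looking at a link the honeypot issued, which keeps guessed or mangled ids out of the data set; it says nothing about who followed it. Mail gateways and link scanners fetch URLs on their own, so a bare hit is a visit, not a scammer, until something like the ClientJS fingerprint from the talk shows a real browser behind it, and even then the IP locates whatever the scammer is browsing through.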
Does It Work?
The early results come from a sample of 41 unique email exchanges, in which there were 2 click-throughs (a 4.9% success rate). Using Jack Spirou’s ClientJS library, a lot of data was collected on those two clicks; for the purposes of this post the countries are enough: Brazil and Romania. Two data points are nowhere near enough to map anything, so Robbie plans to greatly expand the search and eventually release heat maps of where phishing originates.
Perhaps the most entertaining story shared during the talk was at the expense of the Democratic National Committee. Honey-Phish was subscribed to their mailing list as part of hunting for scammers. The DNC sent so many emails, and Honey-Phish responded to each of them, that the honeypot’s IP address was eventually banned by the DNC. No, they’re not phishing, but there’s something not right about that interaction. The talks were recorded, and when they are published you simply must see Robbie’s entire presentation.