Shmoocon 2016: Phishing For The Phishers

After years of ignoring the emails it’s finally time to get into a conversation with that Nigerian prince you keep hearing from. Robbie Gallagher — an Application Security Engineer with Atlassian in Austin, TX — wanted to find out where perpetrators of phishing emails actually live. Of course you can’t count on the headers of the emails they send you. A better way to track them down is to actually draw them into a conversations, and this means making yourself a juicy target.

Robbie gave an excellent talk on his project Honey-Phish at this year’s Shmoocon. Part of what made it stand out is his narrative on each step of exploring the social engineering technique. For instance, there is already a vibrant community that specializes in forming relationships with scammers. Those who frequent 419 Eater have literally made it into a sport called Scambaiting. The ultimate goal is to prove you’ve baited a scammer is to get the person to take a picture of themselves balancing something on their head. Now the image a the top of this post makes sense, right?

Writing personal emails to your scammer is a great system if you have a lot of time and only want to track down one scammer at a time. Robbie wants to catalog geographic locations for as many as possible and this means automation. Amusingly, the solution is to Phish for Phishers. By automating responses to phishing emails, and enticing the people originating those phishing scams to click on a link, you can ascertain their physical location.

How It’s Done

The needs for the project are as follows: collect as many phishing emails as possible, parse each email and send replies that are believable, include a method of collecting the information from the people on the other end.

To start, Robbie set up a Gmail account to collect the emails. He recruited friends and colleagues to forward phishing emails to the account but this doesn’t cast a very wide net. To increase his input he set out to sign up the account for spam by searching “sign up for spam”, leading him to sites like MailBait, Revenge Spam, and Spam Sign Up. Unfortunately these put him on mailing lists rather than making the account a target for phishing. Not to fear, after all the 419 Eater site makes a sport out of this and that’s where Robbie found the best way to get his account noticed. The group has a few honeypots set up in the form of “guest books” like you would sign at a wedding. Within 48 hours of putting the contact information onto these, the email had been scraped by scammers and phishing messages were hitting the inbox.

Andrey Markov
Andrey Markov

One response isn’t appropriate in all situations, Honey-Phish needed a way of responding that had the highest likelihood of eliciting clicks from the Phishers. To explain this part of it, Robbie gave the crowd a history of Andrey Markov and his facial hair. He is, of course, the father of Markov chains which do a very fine job of forming natural language when given a suitable input pool. Robbie gave a few examples to peruse, like Garkov which is Garfield cartoons whose text is replace with Markov chains, and Tony Fischetti’s Markov chain wine reviews.

Robbie’s first couple of input pools were complete fails. The script from The Big Lebowski doesn’t read in the first person, and books from the Gutenberg Press use English that is too archaic. The sweet spot turned out to be the Personal Finance Subreddit since almost every post is first person and the discussion revolves around strife, financial burdens, and personal successes… exactly the topics phishing emails are targeting.

Does It Work?

The early results include a sample size of 41 unique email exchanges, there were 2 click-throughs (4.9% success rate). Using Jack Spirou’s ClientJS library a lot of data was collected on these two clicks… for the purposes of this post the countries are enough: Brazil and Romania. Robbie plans to greatly expand the search and eventually release heat maps of where Phishing originates.

Perhaps the most entertaining story shared during the talk is at the expense of the Democratic National Committee. Honey-Phish was subscribed to their mailing list as part of hunting for scammers. The DNC sent so many emails, and Honey-Phish responded to each of them, that the IP address was eventually banned by the DNC. No, they’re not phishing, but there’s something not right about that interaction. These talks were recorded and when published you simply must see Robbie’s entire presentation.

24 thoughts on “Shmoocon 2016: Phishing For The Phishers

  1. There are some hi-larious recordings out there of scamers scamming scammers. My favorite had the scammer on the phone as his “mark” was on his way to the “bank”. It was a very convincing and thorough production as the mark was talking on his cell phone and driving very fast through traffic. The call was interrupted by a scream, a terrible crash and minutes later sirens. The Nigerian in question was audibly confused and terrified as someone, a police officer maybe, picked up the phone and said hello.
    You’d have to hear it to really appreciate the work that went into it.

  2. Nice work, but how can you tell what the real location of the phisher is if they are using a compromised machine as a proxy? I would have thought that the only way to be sure would be to compromise the phiser’s machine and run a security audit to prove that the text coming from them came off their keyboard. What if they just use Internet cafes, cash and stolen ID?

    You know where I think this work would be better directed? Into having an email system that detected when a user was being drawn into a scam so that it could pop up a warning before any harm was done. But users would have to consent to that sort of oversight of their communications, even if it was automated and no human ever looked at their email. A great application for artificial intelligence.

    1. Scammers may not feel they’re revealing anything about themselves by clicking a link, and might not go through the effort to protect their identity while doing so, even if they go to great lengths otherwise.

      The Cloudmark service is fairly similar to your proposed system. I can attest that it works very well, and I don’t endorse commercial services lightly. On an account that receives 500+ spam emails daily, it’s a rare occurrence that one makes it through, yet I’ve never seen a false positive.

      A similar account under Gmail averages 2-3 spam daily, and I’ve had to deal with quite a few false positives, which are really the bigger annoyance as they may go unnoticed. Many I can’t figure out why they were flagged. Though some are explained because Gmail appears to use the Composite Blocking List (CBL), which blocks entire IP addresses, even if a fraction of what’s coming from that address is spam. That’s been a serious pain in the arse for me because many webhosts host hundreds of websites at a single IP, which may have thousands of email accounts. If any one account is compromised or misused, then everything from all senders at that IP is blocked. I wish the CBL were done away with, honestly. Cloudmark is smarter than that, and does not use the CBL, so far as I can tell.

      1. You don’t need a click-able link if a custom img tag will do, just have it refer to high port number and have your firewall log it. That has worked for a long time against Windows users where their set up happily renders HTML mail including linked images. A lot of machines would have been compromised that way when there were still a lot of buffer overflow flaws in image processing code. As soon as you looked at the email you got owned.

        Anyhow the point being that you never can tell so assuming the IP is really the criminal is dangerous.

      1. The phishing warnings? Yeah, but this guy is talking about going after them and I am saying you can’t tell for sure if that IP number is them or an innocent middle man with a compromised computer.

  3. I had an acquaintance in an overseas government office in South Africa who made a hobby of this. Since he’d previously been posted in Nigeria he knew Lagos well and would set up meetings with the scammers only to miss them again and again because of cancelled flights, cab failures etc. etc. No pictures of things balanced on their heads but much hilarity ensued.

  4. When I was younger, I used to screw with the telemarketers until they would hang up on their own. I had one dude convinced I would off myself if he hung up or called for help. I ended up slamming the phone on a table to give the impression I had shot myself and then listened as the guy lost his mind on the phone screaming. Then when his supervisor got on the phone I told him calmly that he should take my number off his call list or I would continue to break his employees. I never got a call back from that particular company again.

    I never tried that particular stunt again, as I was afraid somebody might call my bluff and call the cops.

    My favorite telemarketer prank was to pretend like they had actually called an adult chat line and try to convince them to give me their credit card numbers in return for “sensual talk therapy”. No one ever gave me a card number, but I did get alot of enjoyment listening to people squirm while trying to do their job. Something about a deep, not very sexy male voice trying to convince them to open up about their adult desires really seemed to put off alot of people. Most of them weren’t allowed to hang up first unless it got really bad.

    Now I never get any telemarketers calling me… I wonder why….

  5. Look up Tom Mabe on youtube.
    I don’t know if he still does what he does to mess with telemarketers,
    but one of his famous bits is the police murder one.
    Quite good for a laugh.
    THese days with caller ID spoofing, you never know who is on the other
    end of the phone call, even if the number is a legitimate number in
    your contacts list. When I was younger, my favorite thing to do to these
    telepests was repeat the following: “Please enter security code.” in a monotone
    voice. Eventually I got bored and just stopped answering telepests.
    If it’s important, they can leave voicemail.
    I love it when stores ask me for my phone number, and I point to my hat which
    has my amateur radio callsign. Somehow, magically if I don’t provide a number
    and use cash, my purchase still manages to be completed.
    I’ve come to the conclusion that no one “needs” my information, and I refuse to
    provide it. Insist I do so, and I take my business elsewhere.

  6. Although I am retired from my business, I still answer the phone with “Technical Support; B—- speaking” , particularly when it rings at tea-time. After the long pause which indicates that the phone service is being redirected to Deepest Darkest Timbuctoo or wherever, there is a hurried hang-up. Only one caller has ever tried to engage by asking “oh, is this a business number?” and then hung up after I affirmed that it was.

Leave a Reply to Bart Derudder (@qwaxys)Cancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.