While surfing through Reddit this morning, I stumbled across an interesting submission from a Redditor going by the username “Tomble”. Apparently, Tomble received a standard PayPal phishing mail demanding personal information for “verification purposes”. However, unlike most of us, who would simply report it as a phishing attempt and be done with it, Tomble decided to do some snooping around.
Tomble noticed that the domain name had a structure similar to “http://www.example.net/~joe”, which indicated that the username for that domain’s control panel as well as its FTP account was probably ‘joe’. He then decided to try his luck by assuming that the FTP address would be similar to the domain name. His guess turned out to be correct. He still didn’t know the FTP password. However, the domain indicated that this particular webspace was provided by an ISP. Hoping against hope that the webmaster hadn’t changed the default password, which is often just ‘password’, he entered ‘password’ as the FTP password. Amazingly, it worked, and Tomble managed to break into the server.
The website actually belonged to some clueless gentleman who probably had nothing to do with the scammer. The scammer probably managed to break into the server in the same way Tomble did, and planted a few PHP scripts to collect PayPal authentication information.
Tomble found all of this information stored in a single text file. So far, three gullible PayPal users had fallen for this scam. He immediately notified the ISP concerned. However, he didn’t receive any immediate response. Meanwhile, two more users fell victim within the next thirty minutes.
Tomble now decided to intervene. He made a few modifications to the phishing website (see screenshot below). All of the victims, with the exception of one guy from Thailand, had left their phone numbers for verification purposes. Tomble emailed the Thai guy, and called up the other four with the following helpful suggestion.
Hi, my name’s Tomble, this might sound weird but I received a scam email pretending to be from PayPal this morning. I was able to follow it back and discovered your contact information there. You should contact your bank and let them know your credit card has been compromised, so they can protect you from fraudulent charges.
While one of the victims was initially suspicious, all of them eventually realized that Tomble was one of the good guys. In one case, he had to leave a message with the wife of the victim, who will probably find himself in some minor domestic trouble due to his gullibility.
It’s unfortunate that even today people are falling for phishing scams and Nigerian scams. Significantly, all of the victims were between the ages of 39 and 60. While the younger ‘cyber-generation’ is by and large aware of the threats they face online, many from the older generations still need to be educated. Do your bit today, and educate your parents and grandparents about online security. As our fine Australian friend, Tomble, has shown, a little effort can go a long way.