The question that people always ask about this type of forensics is “What do you do with the information once you’ve got it?” Unfortunately, there is no simple answer to that. In most of the instances that you investigate, you are not going to uncover a lot of information. But every so often you will come across a more complete picture, such as the Tidball example from Chapter 11. In those cases, I encourage you to pass the information on to the appropriate group. You may not get the response from them that you want. In many cases, you will get no response at all. But the information you submit may provide the critical missing link in an existing investigation. You have to view the process as providing a public service. It can be a frustrating business but that does not make it a waste of time.
Without wanting to sound too Zen about it, the process of exploring a web site or a scam can be its own reward. You are improving your skills with every site that you investigate. I learn something new from the majority of the scams that I look into.
A fundamental part of any forensic investigation is the gathering, documentation, and preservation of evidence. The photographs and DNA swabs taken from a real-world crime scene have their counterparts in the emails and downloaded web pages from an Internet scam.
In the case of phishing attempts, my interest is triggered by receiving an email that introduces the scam. The first thing I do is create a directory with a name that identifies this instance. I use the date and the name of the company that is being impersonated—20050204_fakebank, for example. I save the email into the directory and open up a blank file in my text editor. As I follow the path from that email to the web site and beyond, I record exactly what I do in the editor. I cut and paste URLs and Unix command-line strings and add comments that will remind me later of the significance of each step.
With every domain name or IP address, I run dig and whois and capture the output to files with informative names, such as whois_craic.com or dig_192.168.1.1. This takes some discipline and can seem like a waste of time if the path ends up being a dead end. But in the cases where you can make some progress, these early steps are critical. You can easily forget to go back and capture that information later. That can produce gaping holes in the picture when you try and reconstruct it at some point in the future. Many of these web sites have a lifespan of just a few days, and you may find that if you don’t capture the information there and then it will have disappeared forever.
For this reason, it is very important to mirror the contents of entire web sites using wget. As I discuss in Chapter 5, one of the issues in doing that is the automatic updating of URLs in the pages of copied sites. For that reason, making two copies, one with updated links and one without, is an important step. You want to have one version that is an exact copy of the target site, even if that version does not contain functioning links on your local system.
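The capture routine described in the preceding paragraphs (a dated case directory, the original email and a running notes file, dig and whois output saved under informative names, and two wget mirrors, one untouched and one with links converted) can be turned into a small helper script. The following is an added example and is not code from the book; it assumes that dig, whois and wget are installed, the file and directory names are illustrative, and the LOOKUP_TOOLS override exists only so the lookup function can be exercised without network access.

```shell
#!/bin/sh
# Added example (not from the book): helper that performs the evidence-capture
# steps described above. Assumes dig, whois and wget are installed; every path
# and name here is illustrative.
set -u

# Case directory name: <YYYYMMDD>_<impersonated company>, e.g. 20050204_fakebank
case_dir_name() {
    printf '%s_%s\n' "$1" "$2"
}

# File name for a captured lookup: <tool>_<target>, e.g. whois_craic.com or dig_192.168.1.1
capture_name() {
    printf '%s_%s\n' "$1" "$2"
}

# Append a UTC-timestamped line to the case notes file.
# $1 = case directory, $2 = text of the note
note() {
    printf '%s  %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" >> "$1/notes.txt"
}

# Create the case directory, keep a copy of the triggering email, start the notes file.
# $1 = case directory, $2 = path to the saved email
init_case() {
    mkdir -p "$1"
    cp "$2" "$1/original_email.eml"
    note "$1" "case opened; original email saved as original_email.eml"
}

# Run dig and whois against a domain name or IP address and keep the raw output.
# LOOKUP_TOOLS (assumed, for testing only) overrides the list of tools to run.
# $1 = case directory, $2 = domain name or IP address
capture_lookups() {
    for tool in ${LOOKUP_TOOLS:-dig whois}; do
        out="$1/$(capture_name "$tool" "$2")"
        if "$tool" "$2" > "$out" 2>&1; then
            note "$1" "captured $out"
        else
            note "$1" "$tool $2 failed (exit $?); partial output in $out"
        fi
    done
}

# Mirror the site twice: an exact copy, and a copy with links rewritten (--convert-links)
# so the pages can be browsed locally. wget's own log is kept next to each copy.
# $1 = case directory, $2 = URL of the site being investigated
mirror_site() {
    wget --mirror --no-parent --page-requisites \
         --directory-prefix="$1/mirror_exact" --output-file="$1/wget_exact.log" "$2"
    note "$1" "mirrored $2 into mirror_exact (unmodified copy)"
    wget --mirror --no-parent --page-requisites --convert-links \
         --directory-prefix="$1/mirror_browsable" --output-file="$1/wget_browsable.log" "$2"
    note "$1" "mirrored $2 into mirror_browsable (links converted for local browsing)"
}

# Full workflow when run as:  sh capture.sh 20050204 fakebank saved_mail.eml http://host.example/path
# With no arguments the script only defines the functions above.
if [ "$#" -eq 4 ]; then
    dir=$(case_dir_name "$1" "$2")
    init_case "$dir" "$3"
    # Host part of the URL: drop the scheme, then everything from the first ':' or '/'
    host=$(printf '%s\n' "$4" | sed -e 's|^[a-z]*://||' -e 's|[/:].*$||')
    capture_lookups "$dir" "$host"
    mirror_site "$dir" "$4"
fi
```

The mirror_exact copy is the one to preserve as evidence; mirror_browsable is the working copy for reading the pages offline. Every action is also written to notes.txt with a timestamp, so the file doubles as the record of what was captured and when.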
I can’t stress enough the importance of taking a lot of notes. Write down clues that look interesting even if you don’t follow up on them right away. Chances are you will forget about that odd email header by the time you have poked around the HTML pages on the web site.
There is no standard format in which to present evidence of this kind. First you need to document the information in a way that makes sense to you, so that you can look at it six months from now and still understand exactly what you uncovered. In addition, you need to present it in a way that will make sense to someone else. You can’t assume that anyone you pass the information on to will have the skills needed to make sense of HTML pages and email headers. The best way to present the big picture is to create a narrative, along the lines of those I have used with the examples in this book. That can take a lot of time, but if you are considering presenting a block of evidence to the FBI, for example, then you really need to invest that time in order for your submission to be taken seriously.
Once you have all your information in place, you need to decide where to submit it. In the case of a phishing site, you might contact law enforcement, the company that is being impersonated, the ISP that is hosting the fake web site, or one of the anti-phishing groups.
If you want to approach law enforcement in the United States, then you should contact the Internet Crime Complaint Center (IC3) at the FBI (http://www.ic3.gov). This was previously called the Internet Fraud Complaint Center and was set up as a partnership between the FBI and the National White Collar Crime Center. It serves as a central clearinghouse for complaints, filtering out incomplete or frivolous submissions and routing legitimate ones to the appropriate FBI office for possible action. Very few FBI agents are experts in computer crime, so this ensures that your complaint reaches the right people as well as making the best use of its staff.
Where to direct a specific complaint is a difficult issue. If someone robs a bank in your town then you know exactly which FBI office should handle the case. But it can be hard to define where an Internet crime took place. The server that sent out a piece of spam, the one that ran a phishing site, the computer of the victim, their ISP, or the bank that was defrauded are all candidate locations for that sort of fraud. So funneling all requests through this clearinghouse makes a lot of sense.
If you submit a complaint through this system, you will be directed through a series of forms. These will ask information about yourself, the type of fraud that you are reporting, information on the perpetrator, and so on. After initial review, legitimate complaints are forwarded to the appropriate people and they will contact you.
There is no need to contact your local police prior to submitting a complaint, with one important exception. If you have suffered an actual loss due to fraud or identity theft, then you do need to file a police report and you should get a copy of this for your records. Anyone reading this book is unlikely to fall victim to one of these scams, but if you do, make sure you get that report. Your bank will expect to see it.
The folks at the FBI are extremely busy so don’t sit by the phone waiting for their call. The annual report of the IC3 shows you the volume of work they have in their inbox (http://www.ifccfbi.gov/strategy/2004_IC3Report.pdf). In 2004, the IC3 handled 207,449 complaints, of which 190,143 were referred for follow-up work. That represented a 67% increase over 2003. Fraud, in its various guises, was responsible for 103,959 complaints and the total loss reported was over 68 million dollars. More than 70% of this was classified as Internet auction fraud. That category is a little misleading, however, as it includes some phishing scams. These numbers are staggering, and undoubtedly there are many other incidents that are not reported through this system.
In reporting your observations to law enforcement, you need to have a clear executive summary that describes what you have discovered. You need to do a good job of highlighting the critical pieces of information that will let the reader see any links between your report and other cases that they are already working on.
You would think that companies that are the targets of phishing scams would be eager to learn about new examples. Some of them provide a link on their home page that tells you how to report scams, typically via an email address to which you simply forward a phishing email. But others are less welcoming. To submit a report to eBay, for example, you have to first sign up for an account with them. After signing in, you have to search for the form through which you can submit a report. At that point your report seemingly disappears into a black hole with no response from the company whatsoever. This can be disheartening, but it should not stop you from reporting problems.
All these companies have people who are working on the problem of fraud, spam, phishing, and so on. They are actively looking for fake versions of their own sites and may already be doing a great job of that. Unfortunately they tend to keep their efforts to themselves so it is hard to tell just what they are doing.
Handling reports about scams may be as much of a headache as the scams themselves. Companies need to scan new reports, select ones that appear to be legitimate, and act upon those. They are probably swamped with regular users reporting the same phishing emails. The lack of any consistent reporting format just adds to the problem. A report like yours, which would actually give them specific information, may simply be lost like a needle in a haystack.
It may well be a problem of signal to noise ratio. If enough people submit reports that contain useful information then I expect that companies will become more responsive.
Perhaps the most productive way to report fake web sites is to contact the company that hosts the web site or the ISP through which it operates. Some of these companies profit from the activity and are more than happy to see it continue, but the vast majority are legitimate businesses that want nothing to do with criminal activity. They lack the resources to monitor all their clients, so they rely on concerned users reporting problems to them.
As with law enforcement, you need to present your case. They have a responsibility to themselves and to their clients not to take action without proper consideration. The better the evidence that you provide, the easier it is for them to justify their action. All ISPs have a terms of service agreement for their users, which invariably include one or more clauses that prohibit users from sending spam or taking part in illegal activities. Once they decide that those terms have been breached, they can immediately shut down the offending site.
While this approach may be effective, you should consider its implications. By getting a phishing site shut down, you may unwittingly interfere with any investigation by law enforcement that might be underway.
There are many examples where a legitimate web site has been attacked and a phishing site inserted within it. It is usually fairly easy to identify these. In almost all cases, the owner of the legitimate site is unaware that they are being exploited. It is critically important that you tell them about the problem.
Be aware that they may have limited web or systems expertise, so try and explain what has happened to their system, where the offending files are located and what they need to do to fix the problem. I view this as a very important service.
You might also like to tell the people responsible for a scam that you are on to them. Fill out the form that asks for your personal information using creative, yet polite, text that informs them that you know their site is a scam and that you are informing the appropriate authorities. If you are concerned about antagonizing the scammer, then use something like the Tor network to hide your identity. You don’t need to be offensive or untruthful—simply advise them that you know what they are up to. By putting them on notice we can shake their sense of security.