Last night I was up a little late, and, right about the time I was ready for bed, I got this message talking about my eBay account. It smelled fishy to me, and the link it directed me to was obviously not an eBay link, so I forwarded it off to the eBay people, the Yahoo and AOL people the links were through (it ran from a redirector on Yahoo to a member document on AOL).
Then I looked at the document, and found that it was pretty good work -- it looked rather official, using the graphics and links from the AOL branded version of eBay, and it collected the following fields (all but the last of which were marked as "required"):
- Ebay ID
- Ebay Password
- Full Name
- Phone Number
- Name on Credit Card
- Credit Card Number
- Expiration Date
- Verification Number
- Type of card
- Credit Card Limit
- Bank Name
- Bank Phone Number
- Date of Birth
- Social Security #
- Drivers License #
- State issued
- Mother's Maiden Name
- Mother's Birth Date
Pulling the source on the document, I found that the form was pointed at what turned out to be an out-of-date (and insecure) copy of formmail.pl (with a different filename), with an intended recipient account on netscape.net. Oh, and the subject line was to be "LukeOwnzMe".
Clearly, this was a nasty scam -- very official looking, and information you really don't want a bad person to have. So I started digging around to see if there was any way I could get to some sort of expedited communication process so that this could be shut down more quickly.
This was very frustrating. I dug around the various services looking for phone numbers. I didn't expect anybody to be there to answer the phone, but I was hoping there might be some way to get to some kind of operator or leave a voice-mail for someone indicating a security problem. Of the big services involved, there was no way to leave a voice message unless you already knew the extension number or name of the person you wanted to talk to. I did manage to twink around the small server with the insecure formmail.pl and leave a voice message there with a secretary or something, but there wasn't an option with any of the other services.
Being frustrated, and knowing this was a federal crime (having involved more than one state), I decided to get ahold of law enforcement, because I know that they have access to contact channels I don't. So I called the FBI office closest to me and, for the first time in the night, had a human answer.
I described the situation, and he told me I needed to talk to the Secret Service, and gave me the phone number there. I called that number, and found that there was an option that took me to an answering service that took my information. At this point, I'd spent about an hour longer than I wanted to be awake trying to get this thing shut down before normal people would be waking up and finding it in their inboxes.
I waited another hour for a call back, and didn't get one. I did get a call around 9:00 or so from a friend of mine who not only works for the Secret Service, he also lives about 100 yards from my house. He happened to be the agent on duty for this area, and the message went to him. I described the situation, and he asked me to forward it off to an address within the Secret Service having to do with financial crimes. This I did. He also told me the FBI agent I spoke with during the night had as much ability to address this as anybody else did.
Then I decided to try some of my phone numbers from the night before. I spent a whole ton of time on hold, getting passed from place to place. When I finally got to someone on Yahoo, the guy there said there was nothing he could do to stop their redirector, and there wasn't anybody else to talk to. The guy from AOL, after talking for a while, gave me his email address so I could send the info off to him and he could forward it on to "the proper people." The guy at the small company with the vulnerable formmail.pl had gotten some kind of message about this (perhaps one of my emails last night). He sounded a little ill as I described to him what I thought was going on (I hadn't confirmed yet that it was an old copy of formmail.pl). He said he'd call me after he'd had a chance to look into it.
I verified that it was by creating my own little form that I could use to send email messages back to those folks to see if it was still open to messages being sent from other servers -- it was, and it showed the version number and copyright date -- 1997. I got burned by an old copy of formmail myself, and know that the newer version is more secure, and I've checked a couple times today to see if they'd at least changed the file name to break the return loop of the scam -- as of just now, I see that they've upgraded their formmail.
About an hour later, I checked the form on AOL to see if it was still working, and found that it had been removed about 8 hours after I had started trying to get this addressed. My guess is that the timing -- middle of the night Sunday -- for sending this out is not just coincidental. The Yahoo redirector was still working -- afaik, it still is.
Since then, the responses have trickled in. Ebay told me that, in fact, this was not one of their messages (um, really?). Yahoo told me that this message hadn't come from their server (didn't think or say that it had), and that there was nothing they could do about this, but they take these problems seriously, so to feel free to contact them again if I had any concerns (I really have concerns about these Yahoos, frankly).
Lessons learned from this experience:
- eBay verification scams are getting more sophisticated (and more nasty).
- There is no apparent expedited communication channel when there is a breaking security issue with any of these services. If you send an email notification, it will sit in the queue until someone gets around to it. If you make a phone call, you're going to sit on hold waiting to talk to two or three customer service reps (not techs) with 15-30 minutes on hold between each one, with a one in three chance that anybody that you are able to talk to will have any ability to respond to the situation.
- Whether it's fatigue or lack of concern, trying to stop an identity theft operation doesn't seem to be a very high priority for anybody.
- More people need to understand that old copies of formmail.pl are dangerous. I get an average of one hit per day to my website looking for some variant spelling of that script to see if it exists and can be exploited.
- Yahoo support doesn't seem to be competent at dealing with serious problems with their service.
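Two of the things described above (a form handler accepting submissions relayed from another server, and the daily probes for variant spellings of formmail) can be watched for in a plain web server log. The following is an added example, not code from the original post: a small Python scanner over constructed Apache combined-format lines, with made-up IP addresses and hostnames, that flags formmail-hunting requests and off-site form POSTs.

```python
import re
from urllib.parse import urlsplit
# Constructed Apache combined-format log lines (sample data, not from the post).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Oct/2003:03:14:07 -0500] "GET /cgi-bin/formmail.pl HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Oct/2003:03:14:08 -0500] "GET /cgi-bin/FormMail.cgi HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Oct/2003:03:14:09 -0500] "GET /cgi-bin/form-mail.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Oct/2003:09:02:11 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Oct/2003:11:45:30 -0500] "POST /cgi-bin/contact.pl HTTP/1.1" 200 310 "http://other.example/" "curl/7.10"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Variant spellings of the script name that scanners try (formmail, FormMail, form-mail ...).
FORMMAIL_RE = re.compile(r'/form[-_]?mail[^/?]*\.(pl|cgi|php|asp)\b', re.IGNORECASE)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_formmail_probes(log_text):
    """(ip, path, status) for every request whose path looks like a formmail hunt."""
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and FORMMAIL_RE.search(rec["path"]):
            probes.append((rec["ip"], rec["path"], int(rec["status"])))
    return probes

def probing_ips(log_text, threshold=2):
    """IPs that tried at least `threshold` distinct formmail-like paths."""
    seen = {}
    for ip, path, _ in find_formmail_probes(log_text):
        seen.setdefault(ip, set()).add(path.lower())
    return sorted(ip for ip, paths in seen.items() if len(paths) >= threshold)

def offsite_posts(log_text, our_host):
    """POSTs whose Referer host is missing or not ours: a triage signal only,
    since Referer is client-supplied; the real fix is a recipient allow-list."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST":
            host = urlsplit(rec["referer"]).hostname or ""
            if host.lower() != our_host.lower():
                hits.append((rec["ip"], rec["path"], host))
    return hits
```

Run it over a real access log by replacing SAMPLE_LOG with the file contents; the off-site POST check is a starting point for review, not a substitute for restricting who the handler will mail.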