Nigerian princes, shipping invoices, and special offers: Where are the people behind these phishing scams located? One way to find out is to manually reply to each phishing email. Another is to automate the reply process and see what the scammers reveal.
Robbie Gallagher, an application security engineer with Atlassian, opted for the latter approach. His Honey-Phish project, which he described at the recent Shmoocon security conference, automatically replied to phishing messages with an email containing a specially crafted link, then analyzed the resulting click-through data. In essence, he phished the phishers to find their location.
The goal is to eventually release heat maps of where phishing attacks originate. Gallagher had two clicks in time for his presentation: one from Brazil and the other from Romania. It's not a lot, but it's a start.
It's easy to get spam and phishing messages; the hard part, according to Gallagher, is to send replies that are believable enough that the person on the other side is willing to click on the link. For that, he needed to customize the messages so that he wasn't simply sending the same message over and over. And if he was going to eventually make the project big enough to track where phishing messages were coming from, he couldn't craft each reply on his own. Automation was key to this project, and that's where Markov chains turned out to be useful.
A Markov chain text generator is trained on a pool of input text and produces new sentences by picking each next word at random, weighted by how often it followed the preceding words in the input. It's a great way to generate gibberish that sounds legitimate. Websites may use Markov chains to churn out text that scores high on SEO terms, for example. Gallagher had a few other examples of Markov chains on the Internet, such as Garkov, which replaces the dialogue in Garfield cartoons with Markov-generated text, and a site that generates fake wine reviews.
In order to use Markov chains to craft honeypot responses to phishing emails, Gallagher needed the right kind of input. The script from the movie "The Big Lebowski" and books from Gutenberg Press didn't work well because one wasn't in the first person and the other used archaic and outdated English. The Personal Finance sub-Reddit, with its first-person accounts of financial burdens, personal problems, and victories, turned out to be perfect, since the posts there were thematically similar to the type of messages reflected in phishing emails.
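To make the Markov-chain step concrete, here is a small word-level generator of the kind Gallagher describes, written for this article as an added example (it is not code from the Honey-Phish project). The training sentences are constructed in the first-person register of personal-finance forum posts; they are made up for the example and are not Reddit posts. The `is_consistent` check shows the defining property of the technique: every run of `order + 1` words in the output occurred somewhere in the training text, which is why the gibberish reads as plausible.

```python
import random
from collections import defaultdict

# Constructed training corpus (made up for this example, not real forum posts).
# First-person, present-day English, like the posts Gallagher found useful.
CORPUS = """
I finally paid off my credit card last month and I feel relieved.
I lost my job in March and I am struggling to cover rent this month.
My landlord raised the rent and I am not sure how I will pay for groceries.
I started a side job to pay down my student loans faster.
I opened a savings account and I put away a little from every paycheck.
I made a budget for the first time and I found out where my money was going.
"""


class MarkovText:
    """Order-n word-level Markov chain: the next word depends only on the
    previous `order` words, chosen in proportion to how often each
    continuation appeared in the training text."""

    def __init__(self, order=2):
        self.order = order
        # state (tuple of `order` words) -> list of words that followed it;
        # duplicates in the list are what weight the random choice
        self.transitions = defaultdict(list)
        self.starts = []  # states that opened a training sentence

    def train(self, text):
        for line in text.strip().splitlines():
            words = line.split()
            if len(words) <= self.order:
                continue
            self.starts.append(tuple(words[:self.order]))
            for i in range(len(words) - self.order):
                state = tuple(words[i:i + self.order])
                self.transitions[state].append(words[i + self.order])
            # None marks "end of sentence" as a possible continuation
            self.transitions[tuple(words[-self.order:])].append(None)

    def generate(self, max_words=30, seed=None):
        """Walk the chain from a random sentence opener until an end marker
        is drawn or max_words is reached."""
        rng = random.Random(seed)
        state = rng.choice(self.starts)
        out = list(state)
        while len(out) < max_words:
            choices = self.transitions.get(state)
            if not choices:
                break
            nxt = rng.choice(choices)
            if nxt is None:
                break
            out.append(nxt)
            state = tuple(out[-self.order:])
        return " ".join(out)

    def is_consistent(self, text):
        """True if text opens with a training opener and every window of
        order+1 words was observed in the training corpus."""
        words = text.split()
        if tuple(words[:self.order]) not in self.starts:
            return False
        for i in range(len(words) - self.order):
            state = tuple(words[i:i + self.order])
            if words[i + self.order] not in self.transitions.get(state, []):
                return False
        return True


if __name__ == "__main__":
    model = MarkovText(order=2)
    model.train(CORPUS)
    for n in range(3):
        print(model.generate(seed=n))
```

With order 2, states such as `("and", "I")` occur in several training sentences, so the generator splices sentence halves together into new, grammatical-looking lines; raising the order makes the output closer to verbatim copies of the corpus, lowering it makes it less coherent. A real corpus needs to be far larger than six lines for the output to vary much.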
Gallagher put out his specially created Gmail address on various sites to get on different mailing lists. The 419 Eater site operates phishing honeypots, and within 48 hours of signing up, Gallagher started seeing phishing emails in his inbox.
These initial efforts resulted in a sample of 41 unique email exchanges, of which there were two click-throughs. He used Jack Spirou's ClientJS library to collect a lot of data for those two clicks, including the clicker's physical location. The two clicks came from Brazil and Romania. For the next step in the project, Gallagher plans to expand the search to generate a detailed list of locations.
It's always helpful to know where cyber crime originates, and this project attempts to beat the phishers at their own game -- for a particularly satisfying form of justice.