I've been playing digital vigilante for the past couple of days. It occurred to me that phishing scams are far more vulnerable to counterattacks than traditional spammers. Phishers are soliciting input online, so why not give them what they want? Lots and lots of what they want.

It should be pretty easy to flood them with form postings full of obscenities. Or better yet, flood them with bogus names and credit card numbers that are indistinguishable from the few real ones they get. If done properly, this would force them to sift through thousands of bogus credit card and social security numbers just to find a single stolen identity.

This seems like a pretty obvious idea, but I was surprised to see that a quick google search did not turn up much discussion about it. There are lots of consortiums and working groups trying to come up with passive, technological defenses against phishing. That's all well and good, but I decided I wanted to take a crack at a more direct approach.

The Attack Begins

I chose to use Python for this since it seems like a pretty good language for this kind of thing. I also don't know Python, so at the very least it would be an educational experience. I also decided that obscenities are easier to code (as well as more fun). So, I made it my first goal to learn enough Python to write a simple script that repeatedly POSTs the personal information of a "Mr. Fuck You" including his account information at the "Bank of Fuck" and so forth. I figured this would at least annoy them, though it would probably have little practical effect, since it would be easy enough to filter. So, I wrote my script and started it running against a phisher that recently sent me an email.

Interestingly, it seemed to elicit a response from them fairly quickly. After a few hundred iterations, I started getting connection timeouts. I presume they blocked my IP, because when I moved to an anonymous proxy server things started working again. That is, until about 10 minutes later when it seems they blocked that one as well.

I then downloaded a big list of anonymous proxy servers and modified my script to cycle through them. This seemed to do the trick as I was able to run several thousand iterations. But then I started getting 404s; they had rearranged their website so that the form POSTed to 'update2.php' instead of 'update.php.' My script isn't yet smart enough to figure this out, so I manually tweaked it to POST to the new page. A few more hundred successful iterations, then more 404s - they had moved it to update2345.php. Lather, rinse, repeat.

Success?

I soon grew weary of this game and gave up on it for a couple of days. However, before I went to sleep last night, I started it running again. The phishers seemed to be asleep as well because this time they deployed no countermeasures. Looking at my logs, it seems that their site went completely dark at about 3am, after about 20,000 posts. I'm happy to say it is still down as I write this. Am I responsible? It's impossible to know, but I like to think so.

Next Steps

I'm now working on a toolkit that will generate random valid names, addresses, phone numbers, credit cards, social security numbers and so forth. I want to be able to swamp these guys with bogus responses that are indistinguishable from the genuine article. I also need to make the tool smart enough to analyze the input page so that it can adapt automatically to simple rearrange-the-website defenses.

Ideally, I'd also like to be able to more quickly generate new attack scripts for a phishing sites - there is no shortage of targets out there.