
I received an email the other day purporting to be from a bank I hadn't even heard of, so I decided to poke around. On some quick investigation, it looks like something has just latched onto some poor Joe's WordPress based site and has dropped a whole bunch of pages designed to look like those of this bank.

Included also are confspy logs and a PHP-based remote administration tool, which is cleanly open to any persons at least as curious as I. It even has such helpful options as "format the box".

It's worth noting that the pages that are linked to in the emails don't really stand up to scrutiny - Google Chrome immediately picks it up as a phishing attempt, and I'd imagine all the other major browsers would too.

I had half a mind briefly to just format the box, but alas I don't want to ruin poor Joe's WordPress website, nor do I want to ruin any information that might be used for more skilled people than myself. While I do doubt this would be something new and amazing in the wild, there's certainly some interesting stuff here. What are some relevant avenues to pursue in relation to either reporting this or finding out just what's going on? Is it even ethical to poke at this box as a learning exercise as long as any hat I wear is white?

edit: There is apparently a self-remove function as well. Looks like all information collected is sent to two different email addresses, which I notice have been used in other phishing exploits, so there's nothing new here - same PHP template, new bank facade.

JBirch

1 Answer


Firstly, "poking around" with a compromised box without prior consent of the owner is not ethical.

The first thing you should do is contact the owner of the site, or the company/ISP who owns the webserver, and provide the URL, date and time of accessing the site, and a description of what you observed as being wrong.

Secondly, in terms of reporting incidents like this, as far as I know, there are no authoritative bodies to whom this should be reported.

If identity theft is involved, however, you can report it to: http://www.ftc.gov/bcp/edu/microsites/idtheft/

Hope that helps.

ralfe