Author Topic: Phish or No?  (Read 2135 times)

Offline joe53

  • Dell Community Colleague
  • SpywareHammer Staff
  • Bronze Member
  • Posts: 241
  • Certifiable
    • Free PC Security Software- A Primer
Phish or No?
« on: July 01, 2013, 02:20:58 PM »
I'm not sure this is the right place to post this, but here goes:

I received a "cease and desist" email, apparently from my ISP, which forwarded an email to them apparently from 20th Century Fox. Fox is accusing me of illegally downloading copyrighted content using BitTorrent. Specifically an entire season of a certain Fox TV show I never heard of.

It is rubbish, as I have never installed/used any torrent, nor illegally downloaded anything. I was inclined to delete it, but on closer examination, it does seem to lack the hallmarks of a phish, and does seem convincing. It does quote as evidence a home IP that my ISP phone support has confirmed is registered to me.

I would reproduce the Fox message here, but it specifically prohibits me from doing this. So instead I refer you to the following recent post from the internet, that reproduces the boilerplate of the message I received (certain identifying details/#s are different from my mesage, but the gist and other text is the same):
http://forums.quattroworld.com/canada/msgs/93255.phtml

My ISP phone support could not confirm either way whether this warning came from them, but did confirm that they are required by law to forward such complaints. Under Canadian law, they are not required to release my identity to the complainant at this stage. They were able to confirm that my downloads in many months have been low volume, and unlikely to support the accusation.

I am the sole user with physical access to my home computers, and all are behind a NAT-enabled router with a strong password. It is inconceivable to me that anyone else could have done this using my IP address.

If this is a valid message (albeit mistaken) it leaves me in a quandary. Do I respond to Fox, as they insist, via phone or email? (The contacts seem legit). To do so seems to leave me open to certain identification, and possible accelerated harassment over a clear error not of my making. I have no wish to lock horns with the Piracy Police of 20th Century Fox!

On the other hand, if this is a phish, it certainly seems sophisticated.

Any opinions appreciated!

Offline PCBruiser

  • Malware Removal Mentors
  • Ambassador
  • Diamond Member
  • Posts: 8146
Re: Phish or No?
« Reply #1 on: July 01, 2013, 02:53:21 PM »
The key to determining where the email actually originated is to take a really good look at the email header.  Analyzing email headers can reveal some interesting and confusing information.  Fortunately, there is an easy way to analyze email headers these days, courtesy of Google.  Here's the link:  https://toolbox.googleapps.com/apps/messageheader/.  The first thing you need to do is find the email header and this Google link provides detailed instructions for grabbing the header from the email:  https://support.google.com/mail/answer/22454?hl=en.  Then copy/paste the header into the web based analysis tool, and you should be able to find out where the email originated.  Depending on how the email was forwarded, the originating email IP should be either Fox, or your ISP.  If it is Russia, the Ukraine, China, etc., you have your answer.  If you have problems doing the analysis, PM me the header and I will look at it for you.  Do NOT post it here publicly since it will contain your personal email information, and you really do not want spammers to harvest that.
Don't Read?  Can't learn!
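
The header check PCBruiser describes, as an added example that is not part of the original post and not Google's tool: it walks the Received: chain of a raw header to the oldest hop with a routable source address and reports whether that origin falls inside the expected sender's ranges. The two headers, the host names, the documentation-range addresses and the ISP_NETWORKS list are all constructed assumptions.

```python
"""Trace an email's Received: chain to the hop that originated it.

Added example written for this thread, not code from the page or from Google's
header tool. Both headers below are constructed: host names, addresses
(documentation ranges) and domains are invented, and ISP_NETWORKS is an
assumed list of the ISP's mail-server ranges.
"""
import ipaddress
import re
from email import message_from_string, policy
from typing import Dict, List, Optional

# Assumed address ranges of the ISP's outbound mail servers (constructed).
ISP_NETWORKS = ["198.51.100.0/24", "203.0.113.0/24"]

# Ranges that can never be a public origin: RFC 1918, loopback, link-local, CGNAT.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]

# Constructed genuine notice: abuse desk -> internal relay -> ISP MX -> mailbox.
SAMPLE_HEADER = """\
Received: from mx2.example-isp.net (mx2.example-isp.net [203.0.113.25])
        by mail.subscriber-mailbox.example (Postfix) with ESMTPS id 4F2C1
        for <subscriber@example.org>; Mon, 1 Jul 2013 09:14:02 -0400 (EDT)
Received: from abuse-relay.internal.example-isp.net (unknown [10.20.30.40])
        by mx2.example-isp.net with ESMTP id 9A3B7;
        Mon, 1 Jul 2013 09:13:58 -0400 (EDT)
Received: from abuse-desk.example-isp.net (abuse-desk.example-isp.net [198.51.100.7])
        by abuse-relay.internal.example-isp.net with ESMTP id 1C0D2;
        Mon, 1 Jul 2013 09:13:55 -0400 (EDT)
From: Abuse Desk <abuse@example-isp.net>
To: subscriber@example.org
Subject: Notice of Claimed Infringement

"""

# Constructed look-alike: the HELO name claims the ISP, but the ISP's own MX
# recorded the connection as coming from an unrelated host with no reverse DNS.
FORGED_HEADER = """\
Received: from mx2.example-isp.net (mx2.example-isp.net [203.0.113.25])
        by mail.subscriber-mailbox.example (Postfix) with ESMTPS id 7E9A0
        for <subscriber@example.org>; Tue, 2 Jul 2013 03:41:10 -0400 (EDT)
Received: from abuse-desk.example-isp.net (unknown [192.0.2.77])
        by mx2.example-isp.net with ESMTP id B1D44;
        Tue, 2 Jul 2013 03:41:05 -0400 (EDT)
From: Abuse Desk <abuse@example-isp.net>
To: subscriber@example.org
Subject: Notice of Claimed Infringement

"""

# The connecting address an MTA records in brackets: "[203.0.113.25]" or "[IPv6:2001:db8::1]".
_BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def received_hops(raw_header: str) -> List[str]:
    """Received: lines oldest first (the order the mail travelled).

    Each MTA prepends its own line, so the stored header reads newest first.
    """
    msg = message_from_string(raw_header, policy=policy.default)
    return [str(h) for h in reversed(msg.get_all("Received") or [])]


def hop_ip(received_line: str) -> Optional[str]:
    """Address the receiving MTA saw the connection come from, if recorded."""
    m = _BRACKETED_IP.search(received_line)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group(1)))
    except ValueError:
        return None


def originating_public_ip(raw_header: str) -> Optional[str]:
    """Oldest hop whose recorded source address is globally routable.

    Caveat: a sender can fabricate any Received: lines older than the ones
    added by servers you trust, so believe this value only as far as you
    trust the MTA named after "by" on the line that recorded it.
    """
    for line in received_hops(raw_header):
        ip = hop_ip(line)
        if ip is None:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in NON_ROUTABLE):
            continue  # internal relay, not the origin
        return ip
    return None


def verify_origin(raw_header: str, expected_networks: List[str]) -> Dict[str, object]:
    """Summarise the chain and say whether the origin sits inside the expected networks."""
    chain = [hop_ip(line) for line in received_hops(raw_header)]
    origin = originating_public_ip(raw_header)
    inside = origin is not None and any(
        ipaddress.ip_address(origin) in ipaddress.ip_network(n) for n in expected_networks
    )
    return {"chain": chain, "origin": origin, "trusted_origin": inside}


if __name__ == "__main__":
    for label, hdr in (("genuine", SAMPLE_HEADER), ("look-alike", FORGED_HEADER)):
        print(label, verify_origin(hdr, ISP_NETWORKS))
```

The non-routable list is written out explicitly rather than using `ipaddress`'s `is_private`, because that property also treats the documentation ranges used in these samples as private and would hide the origin.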

Offline Hoov

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 27138
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: Phish or No?
« Reply #2 on: July 01, 2013, 06:16:08 PM »
Got a lawyer in the family or one on retainer?

Former Consumer Security MVP
2011-2014

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline joe53

Re: Phish or No?
« Reply #3 on: July 02, 2013, 12:55:19 AM »
Thanks, PC Bruiser. I forgot to mention I had already eye-balled that email header, and it seemed legit. Your links confirmed it did indeed come from my ISP, and not from some dubious country.

Hoov: I wish I did have a lawyer! I might need one yet.

My plan is to ignore this fiasco for now, and hope it will go away. Meanwhile, I feel no need to respond to false accusations from a foreign country. If Fox wants to escalate this, then bring it on. I'm feeling scrappy ...
« Last Edit: July 02, 2013, 12:58:29 AM by joe53 »

Offline Hoov

Re: Phish or No?
« Reply #4 on: July 02, 2013, 09:09:52 AM »
When you do not contact them, they will probably send you a second letter at which point I would reply in your nastiest snarky way, just make it entirely polite. Tell them you require evidence of your guilt because you have never installed any torrent, and you would not download such rubbish even if you had.  That should make them fold up like a cheap suit.


Offline PCBruiser

Re: Phish or No?
« Reply #5 on: July 02, 2013, 10:19:36 AM »
All right, I think I know what this is all about.  I think your ISP uses dynamic IPs.  What this means is that you may be assigned different IPs each time you go on the Internet. 

In fact, I checked your account here, and over the years you have logged in here with at least 5 different IPs.  So, someone using one of those IPs may, at some time, have used an IP you have also used, to download some of their materials.  I'm not accusing anyone, but that's a real possibility.  Fox tracked that IP, and since you had that allocated at some point also, they come after you, although someone completely different was allocated that IP at the time of the download.

Allocated dynamic IPs do not change that often; with 24/7 connections like we all have on broadband, those IPs tend to stay the same for longer periods of time, but there is no question that over time they do change.  They need to go after the right person, or alternatively prove you used that IP at the time of the download.  I bet they can't do that.

If I'm right about the dynamic IPs, you should respond to your ISP and ask them to prove you were using the IP at the exact time that Fox claims their material was illegally downloaded.  Ain't going to happen.  I bet they can't even begin to do that.

Offline Hoov

Re: Phish or No?
« Reply #6 on: July 02, 2013, 10:27:45 AM »
The only time I have had a dynamic IP address was when I was on dialup, so I may be wrong. But do not ISP's keep track of what address gets assigned to what user? I thought that was the way that RIAA was tracking down the music downloaders and suing them.

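
An added example, not from either post above, that shows what PCBruiser's "prove you were using the IP at the exact time" and Hoov's question about ISP address records come down to in practice: a lookup of a dynamic-IP lease history at the instant a notice names. It goes one step beyond the thread by showing why the notice's timezone offset matters: the same clock reading, taken with and without its offset, lands on different subscribers when the time is near a lease boundary. The lease log format, account numbers, timestamps and the documentation-range address are all constructed; no ISP stores leases in exactly this form.

```python
"""Who held a dynamic IP at the instant named in a notice?

Added example for this thread, not code from the page or from any ISP.
The lease log format, account numbers and timestamps are constructed;
the address is a documentation-range IP.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set


@dataclass(frozen=True)
class Lease:
    ip: str
    account: str
    start: datetime  # aware, UTC, inclusive
    end: datetime    # aware, UTC, exclusive


# Constructed lease history, one lease per line: start, ip, account, end (all UTC).
# 203.0.113.88 moves from account 1001 to account 1002 at 06:00Z on 18 June.
LEASE_LOG = """\
2013-06-10T14:02:11Z lease 203.0.113.88 account 1001 end 2013-06-18T06:00:00Z
2013-06-18T06:00:00Z lease 203.0.113.88 account 1002 end 2013-06-25T06:00:00Z
2013-06-18T06:00:00Z lease 203.0.113.89 account 1001 end 2013-06-25T06:00:00Z
"""


def _utc(stamp: str) -> datetime:
    """Parse a log timestamp such as 2013-06-10T14:02:11Z as an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_lease_log(text: str) -> List[Lease]:
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, _, ip, _, account, _, end = line.split()
        leases.append(Lease(ip, account, _utc(start), _utc(end)))
    return leases


LEASES = parse_lease_log(LEASE_LOG)


def parse_notice_time(stamp: str) -> datetime:
    """Convert the notice's timestamp, e.g. "2013-06-17 23:30:00 -0700", to UTC.

    Notices are usually written in the rights-holder's local time; the offset
    is what makes the instant unambiguous, so a timestamp without one cannot
    attribute anything near a lease boundary.
    """
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)


def holder_at(leases: List[Lease], ip: str, when: datetime) -> Optional[str]:
    """Account holding ip at the instant 'when', or None if nobody did."""
    matches = [l.account for l in leases if l.ip == ip and l.start <= when < l.end]
    if len(matches) > 1:
        # Overlapping leases mean the log itself is unreliable; do not guess.
        raise ValueError(f"overlapping leases for {ip} at {when}: {matches}")
    return matches[0] if matches else None


def accounts_within(leases: List[Lease], ip: str, when: datetime,
                    slack_hours: float) -> Set[str]:
    """Every account that held ip anywhere in [when - slack, when + slack].

    More than one account here means the notice's timestamp is too close to a
    lease change (or too imprecise) to single out one subscriber.
    """
    slack = timedelta(hours=slack_hours)
    lo, hi = when - slack, when + slack
    return {l.account for l in leases if l.ip == ip and l.start <= hi and lo < l.end}


if __name__ == "__main__":
    ip = "203.0.113.88"
    stated = parse_notice_time("2013-06-17 23:30:00 -0700")    # as the notice states it
    misread = parse_notice_time("2013-06-17 23:30:00 +0000")   # same digits, offset dropped
    print("holder (offset honoured):", holder_at(LEASES, ip, stated))
    print("holder (offset ignored): ", holder_at(LEASES, ip, misread))
    print("candidates within 1h:    ", accounts_within(LEASES, ip, stated, 1.0))
```

The notice time 23:30 -0700 is 06:30Z on 18 June, thirty minutes after the address changed hands, so the offset alone decides which of the two accounts is named; a one-hour tolerance returns both, which is the honest answer when the evidence is that close to a boundary.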

Offline PCBruiser

Re: Phish or No?
« Reply #7 on: July 02, 2013, 10:34:41 AM »
Nope, ISPs use both static and dynamic IPs for broadband as well as dial-up.  With broadband they don't change as frequently, but they do change over time.  I'm on Comcast, and they do use dynamic IPs unless you pay a small monthly fee to get a static IP.  I don't care, so I passed on static, and let them change the IP occasionally.  Over my time here, I too have used 5 different IPs to log in here.  You have used 13.  Some of them must have been when you were traveling.  I'm sending you a PM with your list.

Offline Hoov

Re: Phish or No?
« Reply #8 on: July 02, 2013, 10:47:12 AM »
With the wireless and when I was on satellite I was on private IP addresses because that is the way those two networks are set up. When I was watching my firewall logs like a hawk, I paid more attention. But to be honest, I am not nearly as paranoid as I used to be, simply because I have few problems that I do not create myself.


Offline PCBruiser

Re: Phish or No?
« Reply #9 on: July 02, 2013, 11:05:01 AM »
I don't look at my firewall logs often either.  There is so much random garbage it stops that it isn't worth the time to check the thousands of entries unless I am experiencing a network slowdown or some such.

Offline joe53

Re: Phish or No?
« Reply #10 on: July 02, 2013, 01:47:17 PM »
Thanks, guys. The plot thickens ...

I was finally able to reach a security tech from my ISP. He confirmed that I have a "dynamic IP" address, and that my downloads in recent months are not commensurate with a season's worth of a TV show. He suggested that the MAC address for my modem being spoofed was the likely culprit, and recommended I upgrade from my old DOCSIS 2 modem to a DOCSIS 3 unit. (How someone could do this, he could not say). As my old modem has been losing connectivity recently, I thought this reasonable. I have yet to do this.

But at least I now have sufficient ammunition to respond to Fox. I'm not sure I can be "nasty", "snarky" and "polite" at the same time, but I'll give it my best shot!  I'll let you know how this turns out.  :)

Offline PCBruiser

Re: Phish or No?
« Reply #11 on: July 02, 2013, 02:10:57 PM »
OK, DOCSIS3 is the newest broadband modem protocol, and has better connectivity, security and higher speed limits.  To upgrade, you need to buy a new broadband modem with DOCSIS3 onboard.  In broadband modems, I think Motorola has them all beat.  I'm not sure what is available in Canada, but the Motorola SurfBoard 6120 and SurfBoard 6121 are both DOCSIS3 modems.  I have the 6120, and have used it for 4 years now without an ounce of trouble.  Amazon has them both in the US for $81 and $68 respectively.  Once you get one, you simply connect it up and call your ISP to have them input the new MAC number into their system.  It should take about 5 minutes for it to "take" and boot up and you should be off and running.
« Last Edit: July 02, 2013, 02:15:44 PM by PCBruiser »

Offline joe53

Re: Phish or No?
« Reply #12 on: July 04, 2013, 11:44:09 AM »
Thanks for that info, PCBruiser. My current modem is a Motorola SB 5120, several years old. It works well, apart from the increasing need to recycle it on occasion.

My ISP offers only one DOCSIS 3 modem (from Hitron Technologies) and when I tried it, it was a disaster. Had to return it. So I'm back to the old modem from Motorola, which at least works (most of the time). Unfortunately, my ISP informs me that none of the Motorola DOCSIS 3 modems are compatible with them. So I'm back to square one.

On a more positive note, I responded to the Fox email, balancing snarky with polite. Basically I promised to expose this entire affair, on all the security forums in which I participate. I have yet to hear back from them.


Offline PCBruiser

Re: Phish or No?
« Reply #13 on: July 06, 2013, 08:42:49 AM »
Hi,  I would check Amazon and see what they carry in DOCSIS3 modems available in Canada, pick one that is well rated from a known brand, compatible with your ISP, and run with it.  DOCSIS2 has a lower maximum theoretical speed, and is being phased out by most ISPs these days.  If whatever you get isn't satisfactory, at least Amazon is very easy to deal with if you need to return the modem and switch it out with a different brand or model.  All the manufacturers have DOCSIS3 modems so there should be a good selection to choose from.  Personally, I have been having good results from Netgear networking hardware over the last few years.  I use their router/firewalls, switches, wireless and home power line adapters pretty much exclusively these days and have been happy with the results.  I'm sure that others have had good results with the other major brands of networking hardware.