zefman

So yesterday I received a suspicious sms message with standard phishing speil asking to follow a link and renew a subscription to well known app.

Out of interest I followed the link to see how the attack would work, and before I knew it I had discovered that the attacker had left directory listings enabled on their server!

After looking through the PHP used to perform the scam, I could see that the results of the form victims are asked to fill out were being emailed to the attacker, and logged into a text file on the server. I just want to stress this is all publicly available if you know the url, not behind any kind of authentication.

After looking at the log file I could see that this scam was very and active and very effective. New entries were being added throughout the day including credit card and bank information. At this point I realised it was probably time to inform the police, and after many many painful hours I finally had a report logged.

Its now been 24 hours and I can still see the scam is active and collecting real peoples' details, the majority of whom are elderly.

What should I do? It feels wrong just to sit here and watch these people lose their details while the UK police take their time figuring out what a zipfile is. It would be very easy to disrupt the scam by flooding it with fake data. Good or bad idea?