alt Hacker News> “This was an email address that looked like the real thing,” says Exempt, explaining the mechanics of how he tricked Charter Communications. “The real domain of the Jacksonville Sheriff’s Office in Florida is jaxsheriff.org. We purchased jaxsheriff.us and then spoofed our number as the department’s, so that when we called them to verify receipt of the legal process, when they searched the number, it would come back to the sheriff’s office, giving them no reason to doubt it. We use real badge numbers and officer names as well.”
I'm honestly impressed. It's an interesting situation where the companies can only verify the same information that the hackers have access to
Replies
> The real domain of the Jacksonville Sheriff’s Office in Florida is jaxsheriff.org. We purchased jaxsheriff.us
This would not be an issue if RFC 1480 had been taken seriously.
"No problem, Deputy Smith. I'll call you back at your listed number now to complete your request."
What am I missing? Not doing this is negligent. Same advice we'd give to phishing targets.