
"Phishing attacks involve the mass distribution of 'spoofed' e-mail messages with return addresses, links, and branding which appear to come from banks, insurance agencies, retailers or credit card companies. These fraudulent messages are designed to fool the recipients into divulging personal authentication data such as account usernames and passwords, credit card numbers, social security numbers, etc. Because these emails look “official”, up to 5% of recipients may respond to them, resulting in financial losses, identity theft, and other fraudulent activity. "

Read all about the Anti-Phishing organization www.antiphishing.org and the important work being done to stop this criminal activity.

2/27/04

It was a Tuesday afternoon, bright and sunny, and the elderly lady who lived down the street wasn't expecting any visitors. A knock at the door brought an unexpected thrill: a very nicely dressed, clean-shaven man in a suit standing outside with an official-looking briefcase. His shoes were shined, his suit impeccable, so she opened the door.

"Good afternoon Mrs. Jones, my name is Inspector Hatten and I am from National City Bank.  May I talk to you for a few minutes?"

Mrs. Jones was startled that anyone from the bank, much less an inspector, would show up at her door.  The man looked very sincere and spoke politely, so she let him in.  Shortly, Mr. Hatten led her to believe that a problem at the bank may have led to some account irregularities, so he was asking for her help in correcting the problem and finding out who was responsible.  Somewhat flustered, but eager to help, Mrs. Jones went with Mr. Hatten to her branch to withdraw the rather large sum of 20,000 dollars from her savings.

When the money was withdrawn, Mr. Hatten asked to see it so that he could count it, confirm the amount was correct, and record the serial numbers. Mrs. Jones sat at one of the unoccupied tables in the bank lobby while Mr. Hatten went to see the manager and finish the transaction. After 20 minutes, Mrs. Jones got worried. She asked to see the manager, since Mr. Hatten had been gone for a while. She then found that no such test or inspection had been underway, that Mr. Hatten was not a bank employee, and finally that her money had been stolen.

The story related above is an example of the popular (with con artists) "Bank Examiner's Fraud" that has been occurring with some regularity for many years.   There are endless variations using a telephone, wire transfer, insurance - but the theme is the same.  The victim wishes to help clear up a problem or assist authorities, and in all cases the victim loses their money, dignity, and rarely is the perpetrator caught.  Now, however, there is an updated Digital Age version of this con game using computers, web sites, databases - but the results are identical if not even more damaging.  These attacks are called "spoofing" or "phishing" attacks.

Phishing is the latest big thing in criminal online activity, and a sizable amount of it is being conducted by malicious hackers in the former Soviet bloc (Russia, Ukraine) and the East (China). The name comes from "fishing" for passwords or credit card details, spelt in the malicious hacker (illiterate) style. It seems to date from 1996, when criminals were stealing AOL account names and passwords from gullible new users, with a hacked account known as a "phish". Now it has spread from stealing access to someone's e-mail to stealing their credit card details, PayPal balance or even the contents of their bank account.

Following is an example of "phishing" (screenshot of the message):

This looks like a sincere, legitimate attempt to correct a problem.

Now let's look at some of the source code:

------------988453712075B50
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Dear eBay Member,

Dear customer, you have been billed for $15.00 recently. Please update your billing information at eBay Billing Center.

This is eBay auto generated message, if you think you received it by mistake or you want to remove these notifications, please update your profile at Billing Center.

**
Note eBay never asks for your credit card number, pin code or any of your passwords.

Thank you
Accounts Management

As outlined in our User Agreement, eBay will periodically send you information about site changes and enhancements. Visit our Privacy Policy and User Agreement if you have any questions.

Copyright © 1995-2004 eBay Inc. All Rights Reserved.
Designated trademarks and brands are the property of their respective owners.
Use of this Web site constitutes acceptance of the eBay User Agreement and Privacy Policy.

------------988453712075B50
Content-Type: text/html
Content-Transfer-Encoding: 7bit

<html>
<body bgcolor="#FFFFFF" link="#0000FF">
<........

<br>
Dear eBay Member,
<br>
<br>
<br>
<p>Dear customer, you have been billed for $15.00 recently. Please update your billing information at eBay Billing Center.</p>
<p>This is eBay auto generated message, if you think you received it by mistake or you want to remove these notifications, please update your profile at Billing Center.</p>
<br>
<br>
<center><button onclick="location.href=unescape('http://198.173.234.225/stats.htm');" style="font: 8pt verdana, sans-serif;">
Go to eBay Billing Center</button></center>

<P align="left">

**Note eBay <b>never</b> asks for your credit card number, pin code or any of your passwords.<br><br>

Thank you <br>

Accounts Management </P>

<p align="left">As outlined in our User Agreement, eBay will periodically send

you information about site changes and enhancements. Visit our Privacy Policy

and <a href="http://r.aol.com%5Ccgi%5Credir-complex?url=http://pages.ebay.com/help/community/png-user.html?ssPageName=ADME:X:EOA:US:24">User Agreement</a> if you have any questions. </p>

<P align="center">

</P>

<TABLE cellSpacing=0 cellPadding=0 width=600 border=0>

</html>

------------988453712075B50--

 

Two sections of code deserve attention (the button's onclick handler and the "User Agreement" link routed through r.aol.com), because they illustrate where clicking on the button actually leads you. The button is linked to a site at 198.173.234.225:

[billk@penguin billk]$ nslookup 198.173.234.225
Note: nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead. Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
Server: 192.168.1.122
Address: 192.168.1.122#53

225.234.173.198.in-addr.arpa name = www.test-feb-silver.testgroup19.com.

Doing a whois on 198.173.234.225 yields:

[asdfk@linux asdfk]$ whois 198.173.234.225@whois.arin.net
[Querying whois.arin.net]
[Redirected to rwhois.verio.net]
[Querying rwhois.verio.net]
[rwhois.verio.net]
Verio Web Hosting (SME) (NETBLK-WH-198-173-234-0-24) WH-198-173-234-0-24
198.173.234.0 - 198.173.234.255
Verio Web Hosting - Sterling (NETBLK-W062-198-173-224) W062-198-173-224
198.173.224.0 - 198.173.255.255
Verio Inc. (NETBLK-VRIO-198-172) VRIO-198-172 198.172.0.0 - 198.173.255.255

Verio is a perfectly legitimate ISP, but this site is definitely not eBay! Other spoofs that have turned up are hosted on sites in South Korea, Italy, France, China, Germany, the UK, Russia, Ukraine, etc. You get the point: the phishing expedition targets unsuspecting customers of eBay and other institutions with an attempt to get the victim to follow the link to another site. At the remote site a look-alike page will attempt to steal account IDs, passwords, financial information, whatever the criminal may find useful to purchase goods or perhaps simply to clean out an account. Particularly humorous in this attack is the phrasing "eBay never asks for your credit card number, pin code or any of your passwords (sic)". However, that's exactly what this site does. The author has gone to the trouble of copying eBay's privacy statement and other legalese to make the site look real. It is important to understand that eBay, Amazon, PayPal, banks, and other financial institutions will not send you an e-mail of this type, ever. They know that criminals are spoofing their sites, so they are going to significant effort to protect their customers. Let's look at another example:

(Screenshot of the second phishing message.)

This is a classic example of using an "account problem" to lure the unsuspecting to follow a link where their account name, password, and other data can be stolen. In this case the following source code was used:

To update your eBay records click here: <br><p>
<a href="http://207.182.246.69/images/.accVerify/index.php">http://www.ebay.com/verification/%?6488820019</a><br>
<br>
<br><p>
Thank you <br>
Accounts Management </P>

 

You can bet the account management will thank you if you follow that link.  207.182.246.69 traces out to:

[asdfk@linux asdfk]$ nslookup 207.182.246.69
Note: nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead. Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
Server: 192.168.1.122
Address: 192.168.1.122#53

69.246.182.207.in-addr.arpa name = present2.presentanytime.com.

Which sure isn't EBay! What do the perpetrators gain from these sorts of attacks? Typically the scam involves the following:

- Steal passwords and account names
- Steal bank account or credit card data
- Steal personal identity information (SSN, driver's license, birth dates, etc.)
- Plant a Trojan horse to gather more information from the victim using a keystroke logger, mining the computer, etc.
- Discredit the institution

What does the thief do with the data?

- Purchase goods using bogus accounts
- Make purchases with credit cards
- Transfer bank funds
- Commit identity theft
- Steal more information directly from the victim via Trojan horse
- Manipulate auctions
- Steal the actual eBay account or other popular site account
- Steal the connection to the internet (manipulate the victim's ISP account to seize or clone it)

How do you avoid getting ripped off? There are some simple rules to avoid falling for this sort of scam. First, never click on a link in an e-mail, even if it looks OK. It is safer to type it in yourself or to cut and paste it from the e-mail into your web browser. If you have clicked on the link inadvertently, close the browser, run a spyware detection program like the excellent AdAware or SpyBot Search and Destroy to remove any possible keystroke loggers, and then, when you re-launch your browser, only type the name of the site directly in the address bar. It is best to manually remove any cookies or files that may still be there (in Internet Explorer use Tools / Internet Options / Delete Cookies and Delete Files to remove anything that is left).

This is really important because a recently discovered bug in Microsoft's Internet Explorer means that a scammer can make a fake website look real. A link which claims to take you to PayPal might point to a fake site, but thanks to this bug it will still say www.paypal.com in the address bar. To patch this bug, use Microsoft's Windows Update site (www.windowsupdate.com) to make sure your system is up to date.

You can also set your e-mail program so that it does not display HTML e-mail automatically, but shows you the HTML so you can check it out first. This is an excellent way to see where the e-mail is actually trying to send you (as in the examples above). Pay particular attention to anything that says "redir"; that is an attempt to redirect your browsing to another site. Also look for any URLs that have odd coding, which may be using Unicode or other escaping to camouflage where you are being sent.
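The inspection described above, as an added example that is not part of the original page: a small Python checker that pulls every link target out of an HTML message body (href attributes and onclick handlers such as the unescape() trick in the first message), percent-decodes it, and reports the warning signs this article points at. The sample body is constructed here, modelled on the two messages shown above; LinkCollector, suspicious_reasons and audit are names chosen for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample, modelled on the two phishing messages shown on this page.
SAMPLE_HTML = """
<center><button onclick="location.href=unescape('http://198.173.234.225/stats.htm');">
Go to eBay Billing Center</button></center>
<a href="http://r.aol.com%5Ccgi%5Credir-complex?url=http://pages.ebay.com/help.html">User Agreement</a>
<a href="http://207.182.246.69/images/.accVerify/index.php">http://www.ebay.com/verification/%?6488820019</a>
"""

URL_RE = re.compile(r"https?://[^\s'\"<>]+")

class LinkCollector(HTMLParser):
    """Collects (real target, visible text) pairs from href attributes and onclick handlers."""
    def __init__(self):
        super().__init__()
        self.links, self._current = [], None
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        target = attrs.get("href")
        if target is None and "onclick" in attrs:      # e.g. location.href=unescape('...')
            m = URL_RE.search(attrs["onclick"])
            target = m.group(0) if m else None
        if target:
            self._current = [target, ""]
    def handle_data(self, data):
        if self._current:
            self._current[1] += data.strip()
    def handle_endtag(self, tag):
        if self._current and tag in ("a", "button"):
            self.links.append(tuple(self._current))
            self._current = None

def suspicious_reasons(target, text):
    """Return the warning signs for one link: raw IP host, encoded backslash, redirect, text/href mismatch."""
    reasons = []
    decoded = unquote(target)                       # undo %5C-style camouflage before looking
    host = urlsplit(decoded).hostname or ""
    if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", host):
        reasons.append("raw IP address host")
    if decoded != target and "\\" in decoded:
        reasons.append("percent-encoded backslash")
    if "redir" in decoded.lower() or "url=" in decoded.lower():
        reasons.append("redirect parameter")
    shown = URL_RE.search(text)                     # link text that pretends to be a URL
    if shown and (urlsplit(shown.group(0)).hostname or "") != host:
        reasons.append("visible URL host differs from real target")
    return reasons

def audit(html):
    """Map every link target in the message body to its list of warning signs."""
    parser = LinkCollector()
    parser.feed(html)
    return {target: suspicious_reasons(target, text) for target, text in parser.links}
```

Run audit(SAMPLE_HTML) to see each of the three links flagged; a link whose visible text and href agree on a normal host name returns an empty list.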

Even if you cannot rely on technology to protect you, you can still think carefully about whether the organization you are dealing with would really be asking for this sort of information. Ask yourself: is this message reasonable? Do I have an account there? Don't hesitate to call your bank to ask if the problem is real.

By and large, companies like eBay and PayPal do not send out e-mails asking for details; they wait for you to log in and then tell you there is a problem. They are not being lazy or careless; they don't want to train you to be lured into a trap. And banks do not ask for customer passwords in e-mails. Finally, ask yourself: if a stranger showed up at the door, would I give them this information? All e-mail is simply a message from a stranger until and unless there is a way to verify the source of the message. Don't fall for one of the oldest con games in its new disguise, the Phishing Scam.