Go Backindexsitemap

Phishing

Definition

Phishing is to gain unauthorized access to one's personal data or account for malicious or fraudulent purposes. A person who practice's phishing is called a phisher.

PHishing derives from Password Harvesting

Introduction

So what is this: phishing. Phishing is trying to trick people into thinking, that when clicking on a link in their mail to their login page of their internet banking account, the page they are presented is the correct one. They start to enter their username, password and other data. Click on a button and start e-banking. What can happen is that you'll be told that the code was wrong and transferred back to the entry page. You will have absolutely no suspicion. You'll be asked again to enter a the codes, now on the real e-bank page. And business proceed as usual. in the meantime codes you have transferred the first time will be sent not to you e-bank but to the email box of some criminal who is going to plunder your account some minutes or hours later. Phishing pages can look awfully genuine, and pages that do not look exactly the same as the original is mostly sloppiness of the maker. And you don't have to be paranoid to raise a brow or having a smile at some of the cleverness with what Phishing is executed. At the same time you'll be surprised how many people still fall into this type of trap, from all sorts of people, young to relatively old savvy users. more young persons than old by the way.

On this page you'll be presented with some cases that serve to illustrate phishing.

Index

 

Case 1

A fine example is shown below. Here someone requests that you fill out all personal data, pincode et cetera. You must be pretty naive to fill this form and send it back. The next thing you know is that your account is emptied, checks are written or some crook has done some lavish shopping with your account or credit card.

 

 

Case 2

Here is another example. This is the mail one receives:

 

Doesn't this sounds rather plausible? To the experienced 'ear' NO IT DOESN'T, because a client conscious bank would never send an email like this. But to the unsuspecting, law abiding, inexperienced nettizen it might look as a legitimate request. The phishermen use your fear for having your account emptied or at least suspended. So what do you do? Click on the link of course! You'll type in your account number, password and BINGO! The person watching at the other side is now a rich person.

Is this something you have to shame yourself for. If you are an eva rage internet user, no, not really because how can you tell the fake from the real one without being some sort of knowledgeable person on this kind of thing. For the eye both screen pictures look the same and very authentic.

So which one is fake?

 

You can't tell the difference, can you?

 

 

 

Now have a look at the address line at the top of your browser screen.

Correct, the above link above does not show the correct address!

That one does not point to the official site but to some server not owned by the Bank of the West. See above for the correct address.

   

Lets have a look at the address info in our mail: "http://80-219-219-193. dclient.hispeed.ch/"

It does not look like a valid IP address But don't be fooled, as long as your domain name is not longer than 64 characters you can make up any address.

With a simple trace command you can follow the path. And this leads to:

6 21 ms 21 ms 21 ms tengig-2-4.mlrOTF008.gw.cablecom.net [62.2.33.6]
7 29 ms 29 ms 31 ms 80-219-219-193.dclient.hispeed.ch [80.219.219.193]

Cablecom is a Swiss company. And the server behind is probably owned by a hacker with an ADSL subscription with a not so smart idea.

What else can we say to determine this is not the original site? If you press your right button and view the source of both pages you'll see quite a few differences. What is most visible for this matter is the code to get the pictures.

On the original site:

<td id="hometopleft">
<img
src="assets/vcmStaticContent/images/curve_left.gif" width="194" height="17" alt="" />

If you have a peek at the source of this fake page you'll notice that all images are taken from the original site:

<td id="hometopleft">
<img src="http://www.bankofthewest.com/BOW/assets/vcmStaticContent/images/curve_left.gif" width="194" height="17" alt="" />

That does not look so original does it?

But protection against this type of scam is very easy to do by disallowing deep linking. Meaning not to allow pictures to be loaded from outside the original site. The BOW should have implemented this minimal security. So they are in part to blame to make this type of scam so easy.

But again that's easy to counter-counter as well, some of these hackers are smart believe me. It's just a tug of war.

 

Case 3

Every now and then you'll receive a pretty innocent email, with a link to pornographic content. (By the way porn is not limited to males alone). Just to have a thrill you click on the link and you'll be in the "red area". There, to give you free access to the site you'll be asked to solve a riddle, easy you think. And the next thing you do is typing in the code you see on your screen:

code puzzle
image taken from the 'whois.com' security server

steganography
image taken from spamarrest.com

The method of hiding a message in a picture is called steganography (1), and for this purpose it works good enough.

Why are you asked to do so? Criminals are seeking to get access to someone's account or site and use it for their own profits. The image you have just been presented is one of the security measures used to prevent mass attacks by unfriendly computers. And it works like this. Programmers creating secure site's have established that a picture with a hidden message cannot be read by a computer. The hidden message is a code. And the user is asked to enter that code in a form and send the answer back to the site's security program. With the proper code you can continue, a wrong code stops you from using the site. Since a computer can not read the code, automatic attacks can not be executed.
So the phishermen thought up something smart. A computer program scrapes or extracts the image from a page that gives access to bank accounts, site administration, digital vaults, storage area's, internet shops, and other secured sites. It is then presented as an image on the site you want to access for free, and you are asked to enter the code. As said, without sophisticated image rendering software, which is awfully expensive, a computer can not "see" what the code is. But you as a human can, no problem there, and the phishermen are using you as a human translator. So when lured with free access to the site you type in the code, click on verify and then have some fun on the free site.
What happens next after you have sent the code is that it will be received via your "free site" by another program running on a different computer. The code is then fired against the secured page that uses that image and gains access to information not intended for them. Criminals are a step closer to the precious stuff.

 

Case 4

Paypal is a very attractive target for phishers to make money. At least twice a month some sort of a request from "PayPal" reaches our office to do something. This is one example how the mail looks like:

P a y P a I - Notification

You have added cutter1@msn.com as a new e-mail address for your account.
If you don't agree with this e-mail and if you need assistance with your account,
click here and process your login.

Please do not reply to this e-mail.

E-Mail ID: PP998787

And there are more sophisticated ones looking just the same as a genuine PayPal mail. But this one is a nice example since it redirects the request. A new technique used by Phishers.

Off course Paypal does not send you this kind of mail. So lets have a look at the mail source code:

<p class="style2"><font face="Verdana" size="2">P a y P a I - Notification</font></p>
<p class="style2"><FONT face="Verdana" size="2">You have added <b>cutter1@msn.com</b> as a new e-mail address for your account.<br>
If you don't agree with this e-mail and if you need assistance with your account,<br>
<b> <a target="_blank"
href="http://www.google.com/url?sa=U&start=4&q=http://220.181.9.249/.www.paypal.com/bin-cgi/webscr_cmd=_login-run/">
click here</a></b> and process your login.</font></p>
</p>
<p><font face="Verdana" size="2">Please do not reply to this e-mail.</font></p>
<p><font face="Verdana" size="2">E-Mail ID: PP998787</font></p>

When you study the url, where is it sending us? All the way to 220.181.9.249 towards: http://220.181.9.249/.www.paypal.com/bin-cgi/webscr_cmd=_login-run/

Tracert gives us the pathway to our culprit:

dcr2-so-2-0-0.LosAngeles.savvis.net [204.70.192.86]
208.173.56.198
202.97.51.193
202.97.53.85
202.97.57.218
219.141.130.110
219.142.1.70
220.181.16.6
220.181.9.249

Again made in the USA, 70-80% of all hacks come from there. And just checking PayPal: www.paypal.com gives us 216.113.188.66. Not a good sign.

And browsing towards 220.181.9.249 give a Linux test page. Very suspicious!

Arriving at the login page it asks us again to move.

paypal phishing

<a href="javascript:Start('sysdll.php')" class="style1" onMouseOver="window.status=''; return true" onMouseOut="window.status=''; return true">Click here to go to our main page </a></p>

Arriving at the final page shows:

paypal fake 2

Remarkably it does not show the address line, nor does it show us that the page is secured, as it should. For your convenience see below the original PayPal page.

paypal real

Observe the differences in layout and contents. Well if this does not raise your suspicions what will?

The technique to redirect you from one page to another is used since April 2006 by Phishers to divert the attacks by security people. So they make you hop from one page to another. The mail will be send out a few times to anticipate on the shutting down of pages by security to redirect the user to other pages which are not yet shut down. However most of the times sites like this are only live for a few days, attacked by security and strange enough by PayPal clients typing in their login and password. By doing so they open their vault to the Phisher who then plunder their accounts. Of course you will be put through the real site as soon as the phisher has your login so you will suspect nothing. That users are visiting the site can be seen from the time it takes to make connection. When the invitation was fresh it took some 350 ms to get to the final screen it now takes over 700 ms. A clear indication that users are actually logging in. It would take much more time, even resulting in a time out, when security would do a DOS attack. Or just ask the provider to disconnect the user from its internet services.

 

 

 

More to come...

Go Backindexgo to home pagesearch this sitesitemap Last Update 24 May, 2006 For suggestions please mail the editors 

Footnotes & References