OK – so you don’t install software from servers you don’t know, you’ve started using something other than Internet Explorer and you have an antivirus/firewall solution. You are ready for some more advanced topics. Today we will talk about phishing. Phishing is the art of sending out an email pretending to be someone you are not, in the hope that the person receiving the email will give up some personal information. Phishing often leads to identity theft, further spamming or even real-world social engineering attacks. It’s not something you want to fall victim to.
Phishing often starts with an email. I think we’ve all seen emails from banks where we don’t have accounts telling us we have triggered a security lockdown, and that we just need to visit their magic unlock page to get access to our money again. Knowing that we don’t have an account at that bank makes it easy to detect that we have been “phished.” Other easy ones are emails that appear to be from eBay, PayPal, Hotmail or the like. Because these vectors are so well known, the baddies have moved on to new ideas. Today we will review a recent email that has been going around from the “Global Who’s Who” directory. This is a very sophisticated attack, so let’s go through it a step at a time.
This is the email you’ll get. It looks very professional: no misspelled words, broken English or other clues that something might be wrong. I’m a longtime IT worker, and am also well aware that most Who’s Who listings require only that your check clear the bank, so nothing to be worried about, right? There are 4 clues in the email that should start you thinking maybe there is something to worry about.
1 – See the little square at the bottom? That is what is called an image bug: a tracking image that lets the sender know whether you’ve opened the email. Most real email marketers have moved on to more sophisticated ways of tracking your actions, so that is a small warning that all may not be as it appears.
2 – This is a cheat on my part as I didn’t include the headers in the picture, but the email was sent from “Global WW [firstname.lastname@example.org].” The Global Who’s Who would have their own address, and you can be 100% sure that it won’t be photographyonlinedunes.com. Sometimes companies will engage other companies to do marketing for them, but not with that name.
3 – Again, you can’t see it, but if you hover your mouse over the links in the email your client (in this case Outlook07) will tell you where they go. In this case, both the unsubscribe link and the “visit here” link point to the same address. Lazy on the part of the scammer, and a clue for us.
4 – Finally, the address we are asked to “visit here” is http://isopod.photographyonlinedunes.com/c/c/29245/5379/665469/, once again an address unlikely to be associated with The Global Who’s Who. This is the biggest clue, and also why you were told in part 1 to always look at links before you clicked. When there is a disconnect this big between the text and the link you should always delete and move on. Always.
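The four clues above can be checked mechanically. The following is an added example written for this post (not the author’s code): it runs those four checks over a constructed copy of the message, assuming the message is available as its From header plus HTML body and that the caller supplies the brand’s real domain (theglobalwhoswho.com, taken from later in the post).

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkImageParser(HTMLParser):
    """Collect the href of every <a> and the attributes of every <img>."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.images = [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "img":
            self.images.append(a)

def _same_org(host, brand):
    """True if host is the brand's domain or one of its subdomains."""
    host = (host or "").lower()
    return host == brand or host.endswith("." + brand)

def phishing_clues(sender, brand, html):
    """Return the names of the post's four clues that fire for one message."""
    p = _LinkImageParser()
    p.feed(html)
    clues = []
    # Clue 1: a 1x1 image is a read receipt (an "image bug").
    if any(i.get("width") == "1" and i.get("height") == "1" for i in p.images):
        clues.append("image_bug")
    # Clue 2: the From address is in a domain unrelated to the claimed brand.
    if not _same_org(parseaddr(sender)[1].rsplit("@", 1)[-1], brand):
        clues.append("sender_domain_mismatch")
    # Clue 3: several links ("unsubscribe", "visit here") share one target.
    if len(p.hrefs) > 1 and len(set(p.hrefs)) == 1:
        clues.append("all_links_same_target")
    # Clue 4: a link points at a host that has nothing to do with the brand.
    if any(not _same_org(urlparse(h).hostname, brand) for h in p.hrefs):
        clues.append("link_host_mismatch")
    return clues

# Constructed sample modelled on the message in the post; the sender's local
# part, the body sentence and the image URL are made up for this example.
SAMPLE_SENDER = "Global WW <globalww@photographyonlinedunes.com>"
SAMPLE_HTML = (
    "<p>You have been selected for the Global Who's Who directory.</p>"
    '<a href="http://isopod.photographyonlinedunes.com/c/c/29245/5379/665469/">visit here</a>'
    '<a href="http://isopod.photographyonlinedunes.com/c/c/29245/5379/665469/">unsubscribe</a>'
    '<img src="http://isopod.photographyonlinedunes.com/bug.gif" width="1" height="1">'
)
```

A genuine mailing from the brand’s own domain, with distinct links and no 1x1 image, produces an empty list.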
OK – so we didn’t move on and we clicked the link. Your browser now looks something like this.
Once again, it looks very professional. If you click through to the real Who’s Who site you will see that the bad guys did a fairly good copy of the original. Once again, though, there are some clues for the wary. If you clicked to the real page, you will notice that the URL was http://www.theglobalwhoswho.com/ instead of what shows up on the fake page: http://globaldirectoryofwwonlineform.com/index.php.
This address is a little closer to what we would expect than the photographyonlinedunes one that was in the email, but it is still a little “wonky.” Also, because you looked before you clicked, you noticed that the address changed between the link in the email and the page you landed on. That is not normal and almost always indicates you’ve wandered into a bad part of town.
Notice that there are no other active links on the page. On a normal web site you would have a ton of other content to look at; if you are on a single-purpose page you can be sure that you are looking at a page designed to harvest your personal information.
That’s all the clues we have in this case without getting really geeky, but even then the baddies did a pretty good job of covering their tracks. The domain is registered to a company in Colorado instead of the third world country I would expect. The server is hosted on a Rackspace account in Dallas, once again more legitimate than I would expect. If you enter the address from the email without the path, you get an Apache default setup page, but that only helps reinforce the idea that the server in the email was one the bad guys had hacked. Not much information, but it all adds to the idea that this was a phish.
This is one of the more sophisticated phishing attempts I’ve seen. It goes to show that we need to be ever vigilant and click with our eyes wide open. The bad guys are getting better and we need to tread with caution every day.