Detecting and Fighting Phishers
Picture credit: Stern
Here's another wonderful phishing email I just received. Not familiar with the term phisher?
Key Bank defines it as, "a fraudster [who] spams the Internet with email claiming to be from a reputable financial institution or e-commerce site. The email message urges the recipient to click on a link to update their personal profile or carry out some transaction. The link takes the victim to a fake website designed to look like the real thing. However, any personal or financial information entered is routed directly to the scammer."
The scary thing is that, according to the Houston Chronicle, about 5% of adults receiving a phishing email provided some sort of personal information to the phisher.
Want to fight back? We'll break this phishing scheme down, show you how to trace back a phishing email, and -- in some cases -- alert the parties who, wittingly or unwittingly, provide phishing infrastructure.
First, let's look at the email I received as it appeared in my email client:
PLEASE READ THIS NOTICE CAREFULLY.
You have received this Notice because the records of PayPal, Inc. indicate you are a current or former PayPal account holder who has been deemed eligible to receive a payment from the class action settlement in accordance with PayPal Litigation, Case No. 02 1227 JF PVT, pending in the United States District Court for the Northern District of California in San Jose.
In your specific case you have been found to be eligible for a payment of $252.99 USD.
The aforementioned settlement funds may be transferred directly to your bank account providing you have a linked card. The funds may not be credited directly to your PayPal account as this would render Paypal to be accumulating interest and thus profiting on litigation settlement funds which contravenes Federal law.
Your bank account will be credited within 7 days upon submission of account details.
To credit your bank account please click here*...
*Hyperlink and additional legal-sounding mumbo jumbo removed
Step 1 - click the "view source", "show original message" or equivalent button that exposes the original, underlying message text. This will allow us to see the message header, which tells us how the email got to our inbox.
|Received: from clust05-www02.powweb.com ([188.8.131.52])|
by ***.att.net (***) with ESMTP
id <***>; Sat, 14 May 2005 05:30:01 +0000
Received: by clust05-www02.powweb.com (Postfix, from userid 10775)
id **********; Fri, 13 May 2005 21:58:46 -0700 (PDT)
Subject: Award Notification
Aside from the comical misspelling of the reply-to address ("costumer"?), note how the spam arrived at our door. The mail was sent through one of powweb's mail servers. So, our first action-item is to email or call Powweb (for contact information, I simply went to their web site to find a toll-free number (1-877-476-9932) and a support email address (email@example.com and firstname.lastname@example.org). You can forward the phishing email to them and lodge a complaint with both the sales and support departments.
Step 2 - let's see where the information collected by someone naive enough to fall for this scam really goes. While we're still viewing the email source (the raw text of the mail message), let's look for some suspicious URL's or form submission actions.
<B>To credit your bank account please <a href="http://184.108.40.206:443/">click here</a>.</B>
Hmmm... why the address 220.127.116.11, if this is a message from PayPal? Well, obviously, it's not from PayPal. Let's find out where this phishing site is hosted. Instead of tracking the site back from our PC (called a "trace-route"), we'll do it from a web site designed to help us for reasons just like this one. One I particularly like is called DNS Stuff. We'll go there and use the tracert tool to figure out the location of the phishing site.
Here's what we come up with: ecad.el.cycu.edu.tw [18.104.22.168]. So, somewhere in Chung Li, Taiwan (I just surfed to their central web site at http://www.cycu.edu.tw/), a bad guy has taken over at least one of the University machines for nefarious purposes. Maybe it's just an "entrepeneurial" student. Or maybe it's a remote user who's co-opted one or more of their machines.
Let's take a look at the phishing site (I went through an anonymous proxy to disguise my real location).
Phishing Site: PayPal
This looks so good, no wonder 5% of the general public falls for it.
Second action-item: let's contact the University and get their IT staff on the case. From their web site, we can find phone and fax numbers (886-3-265-9999 and 886-3-265-8888, respectively). Since I can't read Taiwanese, I use a Google search to find some email addresses. I come up with a couple: email@example.com and firstname.lastname@example.org. Let's email them.
What should our message be? A forwarded version of the phishing email with a polite introduction. Subject heading: Phishing Scam at cycu.edu.tw.
|Please be advised that at least one computer on your network appears to be part of a phishing scam, which may indicate significant criminal activity. The machine in question is:|
Also, please be advised that the authorities are being notified.
Hopefully, that gets their attention. Last action-item? Don't forget to delete this scum from your inbox.