Breaking Down another Phishing Scam
(Picture credit http://www.bbc.co.uk)
Here's another phishing scam-mail I just received. Let's break it down in a manner reminiscent of Genghis Khan (or, at the very least, like an earlier blog entry).
I received an email from "Associated Bank, NA" with the subject heading "Account Notification". Let's take a look at the email source, which you can also view in your own email client by using "Show original message", "View Source", or similar means. I've abridged the email slightly for readability, but what you see here is essentially what I received.
From: "Associated Bank, N.A" <firstname.lastname@example.org>
Subject: Account Notification
Date: Wed, 18 May 2005 14:54:17 +0000
Well, this looks... okay. So far, so good.
Received: from 12-222-1-154.client.insightBB.com ([188.8.131.52])
by worldnet.att.net (mtiwmxc18) with SMTP
id <2005051814541701800592k0e>; Wed, 18 May 2005 14:54:17 +0000
X-Originating-IP: [184.108.40.206] ...
Received: from pfjklc (xg39.plumb-crazy.co.za [220.127.116.11])
by web2.plumb-crazy.co.za id <7BAFU4-096Ni4-00>
Wed, 18 May 2005 16:55:54 +0100
Received: from ISXU-74-951-325-210.plumb-crazy.co.za (localhost.localdomain [127.0.0.1]) by creole.plumb-crazy.co.za with Internet Mail Service (5.5.2657.72)
id <5Y9H11976I>; Wed, 18 May 2005 14:49:54 -0100
Date: Wed, 18 May 2005 17:53:54 +0200
From: "Associated Bank, N.A" <email@example.com>
Subject: Account Notification
Hmmm... I wonder why Associated Bank is routing messages through a South African mail server owned by the domain "plumb-crazy"?
Hey, wait just a minute, mister... you can't fool me...
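The Received: chain is the part of the header a defender reads bottom-up: each relay prepends its own line, so the lowest header is the first hop and the topmost is the final delivery. The following is an added example, not code from the post: it parses a constructed header sample modelled on the one quoted above (the addresses are the post's own, several of them placeholders), lists the hops in chronological order, reports which relays lie outside the From: domain, and, going one step beyond the post, checks whether each relay's hand-off to the next one actually lines up, which forged lower headers usually fail.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample, modelled on the headers quoted in the post (abridged).
# The hostnames and addresses are the post's own, several of them placeholders.
RAW_HEADERS = """\
Received: from 12-222-1-154.client.insightBB.com ([188.8.131.52])
\tby worldnet.att.net (mtiwmxc18) with SMTP
\tid <2005051814541701800592k0e>; Wed, 18 May 2005 14:54:17 +0000
X-Originating-IP: [184.108.40.206]
Received: from pfjklc (xg39.plumb-crazy.co.za [220.127.116.11])
\tby web2.plumb-crazy.co.za id <7BAFU4-096Ni4-00>
\tWed, 18 May 2005 16:55:54 +0100
Received: from ISXU-74-951-325-210.plumb-crazy.co.za (localhost.localdomain [127.0.0.1])
\tby creole.plumb-crazy.co.za with Internet Mail Service (5.5.2657.72)
\tid <5Y9H11976I>; Wed, 18 May 2005 14:49:54 -0100
Date: Wed, 18 May 2005 17:53:54 +0200
From: "Associated Bank, N.A" <email@example.com>
Subject: Account Notification

(body omitted)
"""

# One Received header reads "from <announced host> (<what the receiver saw>) by <receiver> ..."
RECEIVED_RE = re.compile(r"^from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I)


def parse_received(value):
    """Split one Received header into the hop it describes, or None if unparsable."""
    m = RECEIVED_RE.match(" ".join(value.split()))  # unfold and normalise whitespace
    if not m:
        return None
    return {
        "from": m.group(1).rstrip(";"),         # name the sending side announced (HELO)
        "claimed": m.group(2) or "",            # what the receiving server actually observed
        "by": m.group(3).rstrip(";").lower(),   # the server that wrote this header
    }


def delivery_path(raw):
    """Hops in chronological order: relays prepend, so the top header is the last hop."""
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h]


def sender_domain(raw):
    """Domain part of the From: address (the post's sample carries a placeholder)."""
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def relays_outside_sender_domain(raw):
    """Relays that do not belong to the From: domain. A bank's own alert should
    leave from the bank's servers; a path of unrelated hosts is the post's red flag."""
    domain = sender_domain(raw)

    def in_domain(host):
        return host == domain or host.endswith("." + domain)

    return [h["by"] for h in delivery_path(raw) if not in_domain(h["by"])]


def broken_handoffs(raw):
    """(receiver, next announced sender) pairs where the server that wrote one
    header is not the host the next relay says it received from. Genuine chains
    link up hop to hop; forged lower headers usually do not."""
    hops = delivery_path(raw)
    broken = []
    for prev, nxt in zip(hops, hops[1:]):
        seen_by_next = (nxt["from"] + " " + nxt["claimed"]).lower()
        if prev["by"] not in seen_by_next:
            broken.append((prev["by"], nxt["from"]))
    return broken


if __name__ == "__main__":
    for i, hop in enumerate(delivery_path(RAW_HEADERS), 1):
        print(f"hop {i}: {hop['from']} ({hop['claimed']}) -> {hop['by']}")
    print("From: domain:", sender_domain(RAW_HEADERS))
    print("relays outside it:", relays_outside_sender_domain(RAW_HEADERS))
    print("broken hand-offs:", broken_handoffs(RAW_HEADERS))
```

On the sample every relay lies outside the From: domain and neither hand-off lines up: creole.plumb-crazy.co.za hands to a relay that claims to have received from "pfjklc", and web2.plumb-crazy.co.za hands to one that saw only an insightBB.com client. Only the topmost line, written by the recipient's own provider, can be taken at face value.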
This is a multi-part message in MIME format.
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
WASHINGTON - Hiring around the country picked up briskly in April, with employers boosting payrolls by 274,000 and raising hopes of better days ahead for jobseekers and the economy as a whole. The unemployment rate held steady at 5.2 percent. The latest snapshot of the nation's...
This is the plain-text part of the multipart message, the one an HTML-capable mail client never displays, so we were never intended to see it. It exists for one purpose alone... to defeat spam filters. It does so by padding the message with a genuine news article, so that a content filter scoring the text sees legitimate prose and rates the message as legit.
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
<p>To protect the safety of your access, employs some of the most advanced security online systems in the world and our anti-fraud teams regularly scan the Bank system for fraud activity.Associated Bank, NA, is committed to maintaining a safe environment for our online customers. %</p><p>In accordance with Associated Bancorp's Customer Agreement and to guarantee that your account hasn't been compromised, internet access to your savings account was limited. Your account access will remain limited until this problem has been resolved. Customer Support are remind you that on May 18, 2005 our Account Review Team identified some unusual activity in your account. Account Support recommend you to log in and perform the steps requisite to return your account access as soon as possible. Allowing your online access to remain blocked for a long period of time may effect in further restrictions on the use of your Debit Card account and possible account closure.<p><a id="MALL" href="http://www.graphicjester.com/redir.html"></a></p><div><a href="https://rolb.associatedbank.com/SITE/welcomeie.asp"><table><caption><a href="https://rolb.associatedbank.com/SITE/welcomeie.asp"><label for="MALL"><u style="cursor: pointer; color: blue">https://rolb.associatedbank.com/SITE/</u></label></a></caption></table></a></div></p>
<p>Please understand that this is a safety measure meant to help protect you and your Debit Card account. Thank you for your attention to this problem. Review Team apologize for any inconvenience.</p>
<p>Associated Bancorp, Banking Support</p>
Hmmm... there's a link to a site called "graphicjester.com"? Hey, wait a minute...... The text you see on screen is the bank's real address, https://rolb.associatedbank.com/SITE/, but it sits inside a <label for="MALL"> bound to the empty, invisible anchor with id="MALL", whose href is http://www.graphicjester.com/redir.html. The visible bank URL is bait; the label is there so a click lands on the graphicjester.com redirect instead.
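Checking a message for this kind of trick comes down to one question: does the URL the reader sees point at the same host the click would actually reach? The following is an added example, not code from the post: it runs Python's standard HTML parser over the link section quoted above and over a constructed snippet of the plainer variant (anchor text says one URL, href says another), then reports every visible URL whose host differs from the target, including the label-to-hidden-anchor redirect. The host names bank.example and login.phish.example are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# The link section of the phishing message quoted in the post (abridged to the
# part that carries the links).
PHISH_HTML = (
    '<p><a id="MALL" href="http://www.graphicjester.com/redir.html"></a></p>'
    '<div><a href="https://rolb.associatedbank.com/SITE/welcomeie.asp"><table><caption>'
    '<a href="https://rolb.associatedbank.com/SITE/welcomeie.asp"><label for="MALL">'
    '<u style="cursor: pointer; color: blue">https://rolb.associatedbank.com/SITE/</u>'
    '</label></a></caption></table></a></div>'
)

# Constructed sample of the plainer trick: the anchor text is one URL, the href another.
MISMATCH_HTML = '<p>Log in at <a href="http://login.phish.example/">https://www.bank.example/</a></p>'


class LinkAuditor(HTMLParser):
    """Collects every <a> and <label> together with the text actually shown to the reader."""

    def __init__(self):
        super().__init__()
        self.open_anchors = []   # stack of [href, text chunks] for <a> not yet closed
        self.open_labels = []    # stack of [for_id, text chunks] for <label> not yet closed
        self.anchors = []        # (href, visible text) for each closed <a>
        self.labels = []         # (for_id, visible text) for each closed <label>
        self.anchor_by_id = {}   # id -> href, so a label's for= can be resolved

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            href = a.get("href") or ""
            self.open_anchors.append([href, []])
            if a.get("id"):
                self.anchor_by_id[a["id"]] = href
        elif tag == "label":
            self.open_labels.append([a.get("for") or "", []])

    def handle_endtag(self, tag):
        if tag == "a" and self.open_anchors:
            href, chunks = self.open_anchors.pop()
            self.anchors.append((href, "".join(chunks).strip()))
        elif tag == "label" and self.open_labels:
            for_id, chunks = self.open_labels.pop()
            self.labels.append((for_id, "".join(chunks).strip()))

    def handle_data(self, data):
        # Text belongs to every anchor and label still open (the phish nests its anchors).
        for _, chunks in self.open_anchors:
            chunks.append(data)
        for _, chunks in self.open_labels:
            chunks.append(data)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    return text.lower().startswith(("http://", "https://"))


def audit_links(html):
    """Return (kind, text shown, URL actually targeted) for every link whose visible
    URL names a different host than the one a click would reach."""
    p = LinkAuditor()
    p.feed(html)
    p.close()
    findings = []
    for href, text in p.anchors:
        if looks_like_url(text) and host_of(text) != host_of(href):
            findings.append(("text-href-mismatch", text, href))
    for for_id, text in p.labels:
        target = p.anchor_by_id.get(for_id)   # label bound to an anchor: click goes there
        if target and looks_like_url(text) and host_of(text) != host_of(target):
            findings.append(("label-redirect", text, target))
    return findings


def link_hosts(html):
    """Every host the message's anchors point at; the list worth checking first."""
    p = LinkAuditor()
    p.feed(html)
    p.close()
    return sorted({host_of(h) for h, _ in p.anchors if h})


if __name__ == "__main__":
    for sample in (PHISH_HTML, MISMATCH_HTML):
        print(link_hosts(sample), audit_links(sample))
```

For the post's message the audit lists two hosts, rolb.associatedbank.com and www.graphicjester.com, and flags the label redirect: the text shown is the bank's URL, the target is the graphicjester.com redirect. The two bank anchors themselves pass, which is exactly why a reader hovering over the link and seeing the real bank address is fooled.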
Hopefully that helps you understand how to analyze phishing emails and to detect their attempts to grab your private data.
With more publicity like this, maybe phishing emails will become as common as Dolph Lundgren sightings at the Oscars.