Anatomy of a Phishing Expedition

Dave Piscitello, Core Competence, Inc.

The Wordspy defines phishing as, "Creating a replica of an existing Web page to fool a user into submitting personal, financial, or password data". A phishing expedition is a two-pronged attack. First, the phisher creates a spoof email message: posing as a legitimate e-merchant operator, the phisher tries to lure a victim into visiting a web page. Here's an example of a spoof email message from "Paypal":

X-Persona: <HARGRAY>
Return-Path: <service@paypal.com>
Received: from [12.158.34.234] (HELO psmtp.com)
  by fe2.hargray.com (CommuniGate Pro SMTP 4.1.6)
  with SMTP id 10553709 for yodave@hargray.com; Thu, 06 May 2004 23:59:26 -0400
Received: from source ([209.92.50.54]) by exprod5mx55.postini.com 
  ([12.158.34.245]) with SMTP;
	Thu, 06 May 2004 21:54:47 MDT
Received: (qmail 19286 invoked by uid 3330); 7 May 2004 03:51:12 -0000
Delivered-To: corecom-dave@corecom.com
Received: (qmail 22345 invoked from network); 7 May 2004 03:51:09 -0000
Received: from unknown (HELO 209.92.50.51) (61.182.248.183)
  by vws0101.fast.net with SMTP; 7 May 2004 03:51:09 -0000
X-Message-Info: HSEJnFMiEHvBri+XEXLpfOFPU
Received: from mail.gzi.optusnet.com.au ([76.80.202.216]) by 
   qp-f.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824);
	 Fri, 07 May 2004 10:58:50 +0600
Received: from FZZA (n148.85.144.70.bvvfk.pdd.optusnet.com.au [84.54.82.49])
	by mail.zqg.optusnet.com.au (..p/..) with SMTP id fKRs;
	Fri, 07 May 2004 01:55:50 -0300
Message-ID: <heulk$ottk$lur@OPAX>
From: "Support" <service@paypal.com >
To: "Craig1" < craig1@corecom.com >
References: <Law-AFnbaYddeTJf@hotmail.com>
Subject: Paypal Account Verification
Date: Fri, 07 May 2004 00:58:50 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="--"
X-pstn-levels:(S: 0.01306/84.31360 R:95.9108 P:95.9108 M:100.0000 C:86.3330 )
X-pstn-settings: 4 (1.5000:1.5000) r p m c 
X-pstn-addresses: from <service@paypal.com> forward (user good) [1741/75] 

Content-Type: text/html;
Verify Your Account. 

Dear PayPal Member,

As part of our continuing commitment to protect your account and to 
reduce the instance of fraud on our website, we are undertaking a 
period review of our member accounts.

You are requested to visit our site, login to your account and we will 
verify the information you have entered.

Click Here 

This is required for us to continue to offer you a safe and risk free 
environment to send and receive money online and maintain the experience.
Thank you,

Accounts Management

As outlined in our User Agreement, PayPal will periodically send you 
information about site changes and enhancements. Visit our Privacy Policy 
and User Agreement if you have any questions.

---------------------------------------------

Thank you for using PayPal

---------------------------------------------

Do not reply to this email.

The phisher wants to lure you into visiting and completing the form at the URL when you Click Here. The phisher hopes to gather as much of your personal, banking, credit, and of course PayPal information as possible.

The phisher is trying to steal your identity.
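Reading the Received: chain from the bottom up shows where a message actually entered the mail system, which is the check a mail administrator makes before trusting the From: line. The code below is an added example for this column, not the author's code; it runs over a constructed excerpt of the headers shown above (the qmail lines omitted, continuation lines refolded with spaces) and reports the HELO/IP mismatch, the connecting host with no reverse DNS, the origin host that is not a paypal.com machine, and the Message-ID domain that is not a fully qualified hostname. Only the Python standard library is used.

```python
"""Walk the Received: chain of a suspected spoof message and flag the
inconsistencies a mail administrator would look for.  Added example for
this column, not the author's code.  SAMPLE_HEADERS is a constructed
excerpt of the "PayPal" message shown above."""
import re
from email import message_from_string

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Constructed sample: subset of the spoof message's headers, newest hop first.
SAMPLE_HEADERS = """\
Return-Path: <service@paypal.com>
Received: from [12.158.34.234] (HELO psmtp.com)
  by fe2.hargray.com (CommuniGate Pro SMTP 4.1.6)
  with SMTP id 10553709 for yodave@hargray.com; Thu, 06 May 2004 23:59:26 -0400
Received: from unknown (HELO 209.92.50.51) (61.182.248.183)
  by vws0101.fast.net with SMTP; 7 May 2004 03:51:09 -0000
Received: from mail.gzi.optusnet.com.au ([76.80.202.216]) by
   qp-f.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824);
   Fri, 07 May 2004 10:58:50 +0600
Received: from FZZA (n148.85.144.70.bvvfk.pdd.optusnet.com.au [84.54.82.49])
   by mail.zqg.optusnet.com.au (..p/..) with SMTP id fKRs;
   Fri, 07 May 2004 01:55:50 -0300
Message-ID: <heulk$ottk$lur@OPAX>
From: "Support" <service@paypal.com >
Subject: Paypal Account Verification

"""


def parse_hops(raw_message):
    """Return one dict per Received: header, in header order (newest hop first)."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())                  # unfold the header
        from_part, _, by_part = text.partition(" by ")
        helo = re.search(r"\(HELO ([^)]+)\)", from_part)
        # Prefer the bracketed address the receiving MTA recorded; otherwise
        # take the first address that is not inside the HELO parenthetical.
        bracketed = re.search(r"\[(" + IPV4 + r")\]", from_part)
        if bracketed:
            ip = bracketed.group(1)
        else:
            no_helo = re.sub(r"\(HELO [^)]+\)", "", from_part)
            m = re.search(IPV4, no_helo)
            ip = m.group(0) if m else None
        claimed = re.match(r"from (\S+)", from_part)
        hops.append({
            "claimed": claimed.group(1) if claimed else "",   # what the sender called itself
            "helo": helo.group(1) if helo else None,
            "ip": ip,                                         # where it really connected from
            "by": by_part.split()[0] if by_part else "",      # MTA that wrote this header
        })
    return hops


def sender_domain(raw_message):
    """Domain of the address in From:, tolerating the stray space in the sample."""
    msg = message_from_string(raw_message)
    m = re.search(r"[\w.+-]+@[\w.-]+", msg.get("From", ""))
    return m.group(0).split("@")[1].lower() if m else ""


def analyze(raw_message):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    hops = parse_hops(raw_message)
    findings = []
    for n, hop in enumerate(hops, 1):
        helo = hop["helo"]
        if helo and re.fullmatch(IPV4, helo) and helo != hop["ip"]:
            findings.append(f"hop {n}: HELO claims {helo} but the connection came from {hop['ip']}")
        if hop["claimed"] == "unknown":
            findings.append(f"hop {n}: connecting host {hop['ip']} has no reverse DNS")
    domain = sender_domain(raw_message)
    if hops and domain:
        origin = hops[-1]                                # oldest hop = where the message entered
        names = (origin["claimed"], origin["by"])
        if not any(nm.lower() == domain or nm.lower().endswith("." + domain) for nm in names):
            findings.append(f"origin: message entered at {origin['by']} from {origin['claimed']}, "
                            f"which is not a {domain} host")
    msgid = message_from_string(raw_message).get("Message-ID", "")
    m = re.search(r"@([^>]+)>", msgid)
    if m and "." not in m.group(1):
        findings.append(f"Message-ID domain '{m.group(1)}' is not a fully qualified host name")
    return findings


if __name__ == "__main__":
    for line in analyze(SAMPLE_HEADERS):
        print(line)
```

Only the bottom-most Received: line is written by a server you can reason about from the outside; every header above it was added by MTAs that had no way to verify what the previous hop claimed, which is why the origin check compares the oldest hop, not the newest, against the From: domain.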

Let's examine the web form the victim might visit.

The first part of the form appears legitimate enough. This is intentional, part of the overall social engineering attack. The phisher wants you to feel comfortable that this is really a PayPal form. Visit PayPal, and you'll see it is very similar to the personal account registration form (choose Sign Up in the upper right hand corner).

Read the hostname in the URL carefully: paypal-supports.com is not a PayPal domain name. A WHOIS lookup on this hostname confirms this.
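The same hostname test can be applied to every link in a message rather than by eye. The following is an added example, not code from this column: it pulls the anchors out of a constructed HTML body (the "Click Here" lure pointing at paypal-supports.com, the hostname identified above, plus a constructed footer link to www.paypal.com for contrast) and accepts a host only if it is paypal.com itself or a subdomain of it. That rule goes a little beyond the column's single case: it also rejects hosts that merely begin with "paypal.com" followed by another label. The two-label rule in registrable_domain is a stated simplification; real tooling consults the Public Suffix List.

```python
"""Extract the links from a message body and decide whether each one really
points at the organisation the message claims to be from.  Added example
for this column, not the author's code.  SAMPLE_HTML is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Constructed sample body: the "Click Here" lure plus a genuine-looking footer link.
SAMPLE_HTML = """\
<p>You are requested to visit our site, login to your account and we will
verify the information you have entered.</p>
<p><a href="http://www.paypal-supports.com/">Click Here</a></p>
<p>Visit our <a href="https://www.paypal.com/">Privacy Policy</a> if you have any questions.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (anchor text, href) pairs; anchors without href are ignored."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Last two labels of the host.  Assumption: a toy rule good enough for
    .com; production code should use the Public Suffix List (co.uk etc.)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def belongs_to(host, expected_domain):
    """True only if host is expected_domain or a subdomain of it.  Testing the
    dotted suffix rejects both paypal-supports.com and paypal.com.example.net."""
    host = host.lower().rstrip(".")
    return host == expected_domain or host.endswith("." + expected_domain)


def assess_link(href, expected_domain="paypal.com"):
    """Verdict for one href: {'host', 'ok', 'reasons'}; ok is True only with no reasons."""
    parts = urlsplit(href)
    host = parts.hostname or ""
    reasons = []
    if parts.scheme != "https":
        reasons.append("not served over https")
    if re.fullmatch(IPV4, host):
        reasons.append("bare IP address instead of a hostname")
    if not belongs_to(host, expected_domain):
        reasons.append(f"{host} is outside {expected_domain}; "
                       f"registrable domain is {registrable_domain(host)}")
    return {"host": host, "ok": not reasons, "reasons": reasons}


def assess_message(html, expected_domain="paypal.com"):
    """Map each anchor text in the body to the verdict on its target."""
    return {text: assess_link(href, expected_domain) for text, href in extract_links(html)}


if __name__ == "__main__":
    for text, verdict in assess_message(SAMPLE_HTML).items():
        status = "OK " if verdict["ok"] else "BAD"
        print(f"{status} '{text}' -> {verdict['host']}  {'; '.join(verdict['reasons'])}")
```

Judging the link by its target host rather than by its anchor text is the whole point: "Click Here" tells you nothing, and a WHOIS lookup on the registrable domain the verdict names is the next step the column describes.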

[Screenshot: personal information gathered by the phisher]

The phisher next asks for your credit card, checking, and bank routing information. Some information requested should immediately set off alarms. The CVV is an anti-fraud security feature to help verify that you are in possession of your credit card. Use common sense here: if you enter the number in a web form, the phisher doesn't need to actually possess your card!

You should question any site that asks for your Social Security Number. A quick look at the legitimate PayPal registration form confirms that PayPal does not request this information: if they didn't want it when you created your account, why would they want it now?

The final clue in this part of the phisher's page is the request for your Credit/Debit card PIN. Again, use common sense: the Personal Identification Number is your "shared secret" with your bank. You punch it into an Automatic Teller Machine or brick-and-mortar store to withdraw money. You don't type it into a web form!

[Screenshot: personal information gathered by the phisher]

The last part of this web form completes the seduction and seals the deal for the phisher. If the form asks you for security information, and actually makes you take a security test, how can it be anything but legitimate?

The User Agreement and Policy (again copied from the legitimate form) are window dressing. Complete this form, and the phisher's off on a shopping spree in a flash.

[Screenshot: personal information gathered by the phisher]

Think before you click. Don't fall prey to such attacks. If you receive a message of this kind, report it. I did:

[Screenshot: personal information gathered by the phisher]

If you want to read more about spoof email and phishing, read my column, Recognizing and Responding to Spoof email, at Loop.interop.com. The URL is

https://www.paypal.com/cgi-bin/webscr?__track=_registration-run:p/gen/signup_initial:_registration-submit.

Hopefully, after reading this column, you'll be thinking, "It's a secure (SSL) page. He didn't create a hyperlink, but typed a URL. I can verify LOOP.interop.com at WHOIS, then find this column when I get there...".