This site will look much better in a browser that supports web standards, but it is accessible to any browser or Internet device.

Anatomy of a Phishing Expedition

Dave Piscitello, Core Competence, Inc.

Visit Core Competence

 

 

 

Privacy Policy

 

 

 

This page uses style sheets created by Ruthsarian Labs

The Wordspy defines phishing as, "Creating a replica of an existing Web page to fool a user into submitting personal, financial, or password data". A phishing expedition is a two-pronged attack. First, the phisher creates a spoof email message: posing as a legitimate e-merchant operator, the phisher tries to lure a victim into visiting a web page. Here's an example of a spoof email message from "Paypal": 

X-Persona: 
Return-Path: 
Received: from [12.158.34.234] (HELO psmtp.com)
  by fe2.hargray.com (CommuniGate Pro SMTP 4.1.6)
  with SMTP id 10553709 for yodave@hargray.com; Thu, 06 May 2004 23:59:26 -0400
Received: from source ([209.92.50.54]) by exprod5mx55.postini.com 
  ([12.158.34.245]) with SMTP;
	Thu, 06 May 2004 21:54:47 MDT
Received: (qmail 19286 invoked by uid 3330); 7 May 2004 03:51:12 -0000
Delivered-To: corecom-dave@corecom.com
Received: (qmail 22345 invoked from network); 7 May 2004 03:51:09 -0000
Received: from unknown (HELO 209.92.50.51) (61.182.248.183)
  by vws0101.fast.net with SMTP; 7 May 2004 03:51:09 -0000
X-Message-Info: HSEJnFMiEHvBri+XEXLpfOFPU
Received: from mail.gzi.optusnet.com.au ([76.80.202.216]) by 
   qp-f.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824);
	 Fri, 07 May 2004 10:58:50 +0600
Received: from FZZA (n148.85.144.70.bvvfk.pdd.optusnet.com.au [84.54.82.49])
	by mail.zqg.optusnet.com.au (..p/..) with SMTP id fKRs;
	Fri, 07 May 2004 01:55:50 -0300
Message-ID: 
From: "Support" 
To: "Craig1" < craig1@corecom.com >
References: 
Subject: Paypal Account Verification
Date: Fri, 07 May 2004 00:58:50 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="--"
X-pstn-levels:(S: 0.01306/84.31360 R:95.9108 P:95.9108 M:100.0000 C:86.3330 )
X-pstn-settings: 4 (1.5000:1.5000) r p m c 
X-pstn-addresses: from  forward (user good) [1741/75] 

Content-Type: text/html;
Verify Your Account. 

Dear PayPal Member,

As part of our continuing commitment to protect your account and to 
reduce the instance of fraud on our website, we are undertaking a 
period review of our member accounts.

You are requested to visit our site, login to your account and we will 
verify the information you have entered.

Click Here 

This is required for us to continue to offer you a safe and risk free 
environment to send and receive money online and maintain the experience.
Thank you,

Accounts Management

As outlined in our User Agreement, PayPal will periodically send you 
information about site changes and enhancements. Visit our Privacy Policy 
and User Agreement if you have any questions.

---------------------------------------------

Thank you for using PayPal

---------------------------------------------

Do not reply to this email.

The phisher wants to lure you into visiting and completing the form at the URL when you Click Here. The phisher hopes to gather as much of your personal, banking, credit, and of course PayPal information as possible.

The phisher is trying to steal your identity.

Let's examine the web form the victim might visit.

The first part of the form appears legitimate enough. This is intentional, part of the overall social engineering attack. The phisher wants you to feel comfortable that this is really a PayPal form. Visit PayPal, and you'll see it is very similar to the personal account registration form (choose Sign Up in the upper right hand corner).

Read the hostname in the URL carefully: paypal-supports.com is not a PayPal domain name. A WHOIS lookup on this hostname confirms this.

personal information gathered by the phisher

The phisher next asks for your credit card, checking, and bank routing information. Some information requested should immediately set off alarms. The CVV is an anti-fraud security feature to help verify that you are in possession of your credit card. Use common sense here: if you enter the number in a web form, the phisher doesn't need to actually possess your card!

You should question any site that asks for your Social Security Number. A quick look at the legitimate PayPal registration form confirms that PayPal does not request this information: if they didn't want it when you created your account, why would they want it now?

The final clue in this part of the phisher's page is the request for your Credit/Debit card PIN. Again, use common sense: the Personal Identification Number is your "shared secret" with your bank. You punch it into an Automatic Teller Machine or brick-and-mortar store to withdraw money. You don't type it into a web form!

personal information gathered by the phisher

The last part of this web form completes the seduction and seals the deal for the phisher. If the form asks you for security information, and actually makes you take a security test, how can it be anything but legitimate?

The User Agreement and Policy (again copied from the legitimate form) are window dressing. Complete this form, and the phisher's off on a shopping spree in a flash.

personal information gathered by the phisher

Think before you click. Don't fall prey to such attacks. If you receive a message of this kind, report it. I did:

personal information gathered by the phisher

If you want to read more about spoof email and phishing, read my column, Recognizing and Responding to Spoof email, at Loop.interop.com. The url is

https://www.paypal.com/cgi-bin/webscr?__track=_registration-run:p/gen/signup_initial:_registration-submit.

Hopefully, after reading this column, you be thinking, "It's a secure (SSL) page. He didn't create a hyperlink, but typed a URL. I can verify LOOP.interop.com at WHOIS, then find this column when I get there...".