What is Phishing (from Wikipedia)
In computing, phishing is an attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. eBay, PayPal and online banks are common targets. Phishing is typically carried out by email or instant messaging, and often directs users to enter details at a website, although phone contact has also been used. Phishing is an example of social engineering techniques used to fool users. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical measures.
How can it cheat people?
1. A convincing email that appears to come from a well-known website, such as an online shopping site (eBay, PayPal, Amazon, etc.) or an online bank (if you don't have any online accounts except email, you can sleep or leave now :). It raises a problem you are likely to care about, such as a stolen account or a prize you have won.
2. A link to a phishing site, most often reached through a URL redirection, with the phishing page a perfect copy of the original site.
3. You enter your private information.
Analysis of the steps
Step 1 is achieved by spam email, but it is not easy to filter emails that claim to come from famous websites. The most important thing is to tell you a good story and make you believe it. The phishers have many talented writers; these are social engineering techniques.
Step 2 is obvious to an expert but difficult for normal users. You have trusted the story in step 1, so you take your eye off the ball. An expert, by instinct, will try to see what is behind the surface.
Step 3 is also easy. Hiring a professional to build a website is very cheap, especially when it is just a copy of an existing website.
A real STORY
A professor of SIS received an email from "Amazon.com Service Center" <support@amazon.com> on Fri, 01 Sep 2006. The email asks the user to update member information for security reasons, because "we are unable to verify or authenticate any information you provide to us," through a link "http://www.amazon.com/exec/obidos/sign-in.html".
The mail looks perfect, but there is danger under the surface. Look at the source code of the link:
hre=f=3D"http://rds.yahoo.com/_ylt=3DA0geurgnV4VEPnoB98hXNyoA;_ylu=3DX3oDMTE5a=XJmaGJ2BGNvbG8DZQRsA1dTMQRwb3MDMTIzBHNlYwNzcgR2dGlkA0Y3NTFfMTA4/SIG=3D12hh=jkhah/EXP=3D1149675687/**http://www.google.com/url?q=3Dhttp://211.94.240.2=1/_us/obidos/index.html?ref=3Dpd_irl_gw_r/102-8758036-5777720?opt=3Doa&pag=e=3Drecs/sign-in-secure.html&response=3Dtg/recs/recs-post"target=3D_BLANK
It is a MIME email using Quoted-printable transfer encoding. The following is the decoded form:
href="http://rds.yahoo.com/_ylt=A0geurgnV4VEPnoB98hXNyoA;_ylu=X3oDMTE5aXJmaGJ2BGNvbG8DZQRsA1dTMQRwb3MDMTIzBHNlYwNzcgR2dGlkA0Y3NTFfMTA4/SIG=12hhjkhah/EXP=1149675687/**http://www.google.com/url?q=http://211.94.240.21/_us/obidos/index.html?ref=pd_irl_gw_r/102-8758036-5777720?opt=oa&page=recs/sign-in-secure.html&response=tg/recs/recs-post"target=_BLANK
Look at the URL: it is a URL from yahoo.com and google.com. They are big companies. If we don't trust them, what should we trust?
In fact it is phishing through redirection vulnerabilities in Yahoo and Google!
The URL chains a Yahoo redirection and a Google redirection and finally redirects to a phishing website. Such redirection has now been shown to be an official "redirection hole" used for spam and phishing.
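To show how such a link can be checked automatically, here is an added Python example (not from the original page) that decodes the quoted-printable href above, walks the embedded redirect chain and compares the final landing host with the address the reader was shown. The raw bytes are reconstructed from the page's link, with soft line breaks at the points where the page's copy shows a stray "=".

```python
import quopri
import re
from urllib.parse import urlparse

# Constructed sample: the phishing link as it sits in the MIME body. Quoted-printable
# ends a line with "=" to mean "no break here", and encodes a literal "=" as "=3D".
RAW_QP = (
    b'hre=\n'
    b'f=3D"http://rds.yahoo.com/_ylt=3DA0geurgnV4VEPnoB98hXNyoA;_ylu=3DX3oDMTE5a=\n'
    b'XJmaGJ2BGNvbG8DZQRsA1dTMQRwb3MDMTIzBHNlYwNzcgR2dGlkA0Y3NTFfMTA4/SIG=3D12hh=\n'
    b'jkhah/EXP=3D1149675687/**http://www.google.com/url?q=3Dhttp://211.94.240.2=\n'
    b'1/_us/obidos/index.html?ref=3Dpd_irl_gw_r/102-8758036-5777720?opt=3Doa&pag=\n'
    b'e=3Drecs/sign-in-secure.html&response=3Dtg/recs/recs-post"target=3D_BLANK'
)
VISIBLE_LINK = "http://www.amazon.com/exec/obidos/sign-in.html"  # what the reader saw

def decode_qp(raw: bytes) -> str:
    """Undo the transfer encoding: '=3D' -> '=', '=' + newline -> nothing."""
    return quopri.decodestring(raw).decode("ascii")

def extract_href(fragment: str) -> str:
    m = re.search(r'href="([^"]*)"', fragment)
    return m.group(1) if m else ""

def redirect_chain(href: str) -> list:
    """Every 'http://' nested inside the link is one more hop; return the hosts in order."""
    starts = [m.start() for m in re.finditer(r"https?://", href)]
    hosts = []
    for i, s in enumerate(starts):
        e = starts[i + 1] if i + 1 < len(starts) else len(href)
        hosts.append(urlparse(href[s:e]).hostname)
    return hosts

def analyse_link(visible: str, href: str) -> dict:
    """Flag a link whose final landing host differs from the host shown in the text."""
    chain = redirect_chain(href)
    shown, final = urlparse(visible).hostname, chain[-1]
    return {
        "chain": chain,
        "final_host": final,
        "host_mismatch": shown != final,
        # A bare IPv4 address as the landing host is a strong phishing signal on its own.
        "raw_ip_target": bool(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", final or "")),
    }
```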
Why they choose Yahoo and Google?
Because 99% of Internet users trust Google, and when they see a link starting with "www.google.com" they think it is part of Google, or a site Google knows about and has included in its structure. The same goes for Yahoo.
More analysis for URL Redirection
URL redirection, also called URL forwarding, domain redirection and domain forwarding, is a technique on the World Wide Web for making a web page available under many URLs. More information is at http://en.wikipedia.org/wiki/URL_redirection
If you try "http://www.google.com/url?q=http://www.uncc.edu/", what will you see? That is good news because 1) clearly Google can no longer deny it's a hole: they themselves fixed it; 2) some consumers may now be slightly safer, kind of. But this really isn't a complete fix, as this is only one of many known redirects in Google that have the potential of aiding phishing attacks. There are 10 more redirects in Google that are still functional on this one URL alone.
A severe redirection and phishing vulnerability has been found in the Yahoo network. The specific URL that links to any other Yahoo website can be manipulated by an attacker to redirect the traffic and be used for phishing. The critical point is that the URL can be called by a third party for phishing.
[Original URL]
The above URLs are taken from the next page of a search for "Hacking". The network used is rds.yahoo.com. The phisher exploits it by stripping off the full Yahoo search and appending the rogue website.
[Phishing URL]
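As an added example (not Google's or Yahoo's code), the following Python shows the shape of a /url?q= style handler that is an open redirect next to a hardened version that only forwards to hosts on an allowlist. ALLOWED_HOSTS and the hostnames in it are hypothetical; the sample targets reuse the landing address from the email above.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: the only outside hosts this site's /url?q= handler may forward to.
ALLOWED_HOSTS = {"www.example-search.com", "mail.example-search.com"}
FALLBACK = "/"

def open_redirect_target(q: str) -> str:
    """Weak form, as the page describes: the user goes wherever q says."""
    return q

def safe_redirect_target(q: str) -> str:
    """Hardened form: same-site paths pass; absolute URLs pass only for allowlisted hosts."""
    # A local path is fine, but "//host" and "/\host" are scheme-relative and leave the site.
    if q.startswith("/") and not q.startswith(("//", "/\\")):
        return q
    try:
        parts = urlsplit(q)
    except ValueError:
        return FALLBACK
    if parts.scheme not in ("http", "https"):
        return FALLBACK
    if parts.username is not None or parts.password is not None:
        # "http://www.example-search.com@attacker/" fools the eye, not the parser.
        return FALLBACK
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return FALLBACK
    return q

# Constructed inputs: the page's landing address plus a few classic variations.
SAMPLES = [
    "http://211.94.240.21/_us/obidos/index.html",
    "http://www.example-search.com@211.94.240.21/",
    "//211.94.240.21/",
    "http://www.example-search.com/maps",
    "/search?q=phishing",
]

def compare(samples=SAMPLES) -> list:
    """(requested target, where the weak handler sends you, where the hardened one does)."""
    return [(q, open_redirect_target(q), safe_redirect_target(q)) for q in samples]
```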
Anti-Phishing
Beat the weakness of human beings! "Training people to recognize phishing attempts" is the best way.
We also have technical tools to help us. Phishing is in fact impersonating a victim site. If we can identify a website, it is easy to find out a fake one.
- Web browser or toolbar: it can remember the selected website, so if the victim site is redirected to a different IP through URL redirection or DNS poisoning, the browser will warn the user or simply block the visit.
- Two-factor authentication: for example, BOA online banking provides SiteKey for users. You choose a personal image and three questions, and every time you log in it displays the image so you can verify that the website is genuine.
- Eliminating phishing mail: make the email system smarter to reduce phishing mails.
- Monitoring and takedown: Several companies offer banks and other organizations likely to suffer from phishing scams round-the-clock services to monitor, analyze and assist in shutting down phishing websites. Individuals can contribute by reporting phishing to both volunteer and industry groups, such as PhishTank. (from Wikipedia)
Phishing = a good story + some system vulnerabilities
= the weakness of both human beings and machines