Thursday, May 26, 2005

Security Briefing #3 - Phishing


From - Definition:
The practice of luring unsuspecting Internet users to a fake Web site by using authentic-looking email with the real organization's logo, in an attempt to steal passwords, financial or personal information, or introduce a virus attack; the creation of a Web site replica for fooling unsuspecting Internet users into submitting personal or financial information or passwords.

You've probably seen email con messages. Although not officially 'phishing,' they marked one of the first uses of the Internet and email to defraud people. Usually, these messages pretend to be from someone claiming to need help in transferring a large amount of money from a foreign bank. Usually the author promises (in fake broken English and LOTS OF CAPITALIZATION) that in exchange for your assistance in getting money out of their country, they will give you a cut of the stash. There's usually a hint at illegality or, at the very least, a need for 'URGENT CONFIDENTIALITY.' Normally, the goal is to get you to wire the sender cash or provide them with enough data so that they can steal your identity. Some of these messages may actually be from the third-world country they claim. (This is actually a very profitable cottage industry in Nigeria, although it's frowned upon by their government.) Others are copycat criminals, right here in the U.S. or in Eastern Europe or China. Most of these messages rely on you replying to the email or calling a phone number to begin the transaction. I seriously doubt that any of us have fallen for these ploys. But the rule here is to never give out personal information to strangers. Even if they promise you a cut of their 'US $15.5M.'

Do these scams work? Yes. More info can be found by Googling 'email hoax', 'Nigerian hoax' or 'Nigeria 419' (419 is the section of the Nigerian criminal code written to combat this type of fraud).

The next level of Phishing is a bit sneakier. The sender, pretending to represent a bank, eBay, PayPal or some other financial institution, sends you an email to alert you that someone else has either charged merchandise to your account or somehow compromised your account's security. Or they may be telling you that it's now time to update your account information. Some of these are pretty slickly done. They'll use the same fonts, graphics and even language and phrasing that the legitimate site uses. Occasionally, you'll see a misspelling or typo, though. (A recent 'eBay' message I received had a subtle clue: it mentioned that if I didn't update my information immediately, it would later cost me a 'fee of 350 $.' Why would a U.S. company write a currency amount like that, in European style?)

In this style of phishing, the sender will give you a link to follow to fix the alleged problems. If you follow that link (BUT DON'T DO THIS), the page you see will look and feel like the real financial institution's site. And if your browser software isn't patched for the latest security exploits, the location shown in the location bar at the top of the screen may appear to be the legitimate one. For example, Bank One's real online banking address is
Let's say I get a phishing email pretending to be from Bank One and I follow the provided link. Once I reach the page (if I have a vulnerable version of Internet Explorer), the location in the location bar may read '' -- even if the site is actually hosted on a hacker site in Eastern Europe and has an entirely different address.

A few things to learn from this:

  1. Keep your browser / computer / operating system up to date.
  2. Never follow a link sent to you in an email message. I know this sounds extreme, but this is the safest route to take.
    (Maybe I can convince you to follow this rule once you read the next installment of these security briefs: Phishing Gets Sophisticated.)
  3. Financial institutions will NEVER, NEVER contact you via email to get information from you. Visit PayPal or the eBay site or any online bank and you'll find the same disclaimer. Any such contact must be initiated by you. They will NEVER ask you to update your information via an email message.
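As an added illustration (not code from the original briefing), here is a small Python script that does by machine what rule 2 asks you to do by eye: it lists where each link in an HTML email really points, so the visible text can be compared with the actual destination host. The sample message, the host `ebay-verify.example.net` and the function names are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style HTML body (not a real message).
# The visible text reads like eBay's address, but the href points elsewhere.
SAMPLE_HTML = """
<p>Your account information needs verification.</p>
<p><a href="http://ebay-verify.example.net/login">www.ebay.com</a></p>
<p>Questions? <a href="https://pages.ebay.com/help/">Help</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_targets(html):
    """Return [(href, visible_text), ...] in document order."""
    collector = _LinkCollector()
    collector.feed(html)
    collector.close()
    return collector.links


def hostname(url_or_text):
    """Lower-cased host part of a URL; a bare 'www.example.com' is accepted too."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return (urlparse(url_or_text).hostname or "").lower()


def belongs_to(host, org_domain):
    """True if host is org_domain itself or a subdomain of it."""
    return host == org_domain or host.endswith("." + org_domain)


def suspicious_links(html, org_domain):
    """Links whose real destination is outside org_domain, or whose visible
    text looks like an address that does not match the href's host."""
    findings = []
    for href, text in link_targets(html):
        target = hostname(href)
        text_looks_like_address = "." in text and " " not in text
        text_host = hostname(text) if text_looks_like_address else None
        mismatch = text_host is not None and text_host != target
        if not belongs_to(target, org_domain) or mismatch:
            findings.append({"visible_text": text, "real_host": target})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_HTML, "ebay.com"):
        print(f"link shows {finding['visible_text']!r} but goes to {finding['real_host']}")
```

The check is deliberately simple: it only answers "does this link really go to the organisation it appears to come from?", which is the question the rule above settles by not clicking at all.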

If you view a suspicious email's header information, you can get some information about the real source of the message. Some of the information in the header may be faked -- but there's one thing that can't be altered: the sender's IP address as recorded by the mail server that received the message. You won't be able to tell who really sent the message (most phishers either move around, switching ISPs almost daily, or they know how to obfuscate their real location). But by looking at the header you will be able to tell who the message is NOT from. Example: This week alone, I've received about a dozen messages purportedly from eBay telling me my account information needs verification. If I look at the header information for any of these emails, I should see an IP address. (Your email software will have a menu choice saying something like 'view long headers' or 'view full headers,' so that you can view header information.)
Here's a sample header from one of these suspicious 'eBay' messages:
Subject: eBay Verify Accounts
Date: May 17, 2005 1:57:54 PM EST
Received: from (
[])
Mime-Version: 1.0
Content-Type: multipart/related; boundary="29a61181-8f6b-4b7a-afa8-
Content-Length: 4981
Look at the line labeled 'Received:'
Notice, there is a mention of 'ebay' on that line. But that part can be faked. You'll notice a number -- [] -- listed twice in that line. That's the IP number used by the computer which sent the message. Again, you're probably not going to be able to find the original sender using this number, but you will be able to tell if this is really coming from eBay. How? Go to the American Registry for Internet Numbers: (OK, given what I said above, don't follow this link. Type it into your browser.)
When you get to the ARIN site, type in (or cut and paste) the IP number from above into the 'Search Whois' field. You'll get the following:
OrgName: RIPE Network Coordination Centre
Address: P.O. Box 10096
City: Amsterdam
PostalCode: 1001EB
Country: NL
Since the search pulls up an address in the Netherlands, this definitely is not eBay. In fact, the site lists RIPE (the European counterpart of ARIN).
The fact that the sender's IP address is listed in RIPE means the sender was sitting at a computer somewhere in Europe when they sent the email to me.
ARIN is only one of five Regional Internet Registries (RIRs) where you can conduct a "WhoIS" search to look up IP addresses. (See the whole list below.) All work about the same: you type in an IP address and the site spits out whatever relevant information it has about the number. Sometimes it has a lot of information, including contact people's names and phone numbers, and sometimes it has nothing. Sometimes you have to search multiple sites for an answer, because each registry corresponds to a different area globally. But the fact that our number was not in ARIN (which covers North American IP addresses), while eBay is headquartered in California, means this email did not come from eBay. If a number doesn't show up in any of these registries, that, too, is a very good sign that your email was not legitimate. Not all numbers are in these registries, because data has to be voluntarily submitted by the organization which owns the IP address, and not all of them do this. But just about all legitimate businesses -- especially those concerned about Internet security, like banks and eBay -- are listed in the registries.
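The Received-header check described above, as an added worked example that is not part of the original briefing. The script parses raw headers with Python's standard `email` module, walks the Received lines from the bottom up (the bottom one is the first hop the message took) and pulls out the address the receiving server recorded in square brackets, ignoring the hostname after 'from', which the sending machine chooses itself. The sample headers, the addresses (taken from RFC 5737 documentation ranges, so they belong to nobody) and the function names are constructed for this example; looking the address up in ARIN or another registry is still done by hand, as the post describes.

```python
import email
import ipaddress
import re

# Constructed sample headers in the shape of the 'eBay' message above.
SAMPLE_RAW = """\
Received: from mail.example.org (mail.example.org [203.0.113.9])
\tby mx.recipient.example (Postfix) with ESMTP id ABC123;
\tTue, 17 May 2005 13:57:54 -0500
Received: from ebay.com (unknown [198.51.100.23])
\tby mail.example.org (Postfix) with SMTP id DEF456;
\tTue, 17 May 2005 13:57:10 -0500
From: "eBay" <service@ebay.com>
Subject: eBay Verify Accounts
Date: Tue, 17 May 2005 13:57:54 -0500
MIME-Version: 1.0
Content-Type: text/plain

Please verify your account.
"""

# Variant where the sender used a webmail host: the earliest hop is an
# internal 10.x relay and the public address appears one hop later.
SAMPLE_INTERNAL = SAMPLE_RAW.replace(
    "from ebay.com (unknown [198.51.100.23])",
    "from webmail-frontend (localhost [10.20.30.40])",
)

_BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")
_NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 equivalents
)]


def _parse_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def is_non_public(ip):
    """True for private/loopback/link-local ranges, which no registry attributes."""
    addr = _parse_ip(ip)
    return addr is not None and any(addr in net for net in _NON_PUBLIC)


def received_hops(raw):
    """One dict per Received header, top (newest) to bottom (oldest)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        line = " ".join(value.split())          # unfold continuation lines
        m = re.match(r"from\s+(\S+)", line)     # HELO name: chosen by the sender
        claimed = m.group(1) if m else None
        ips = [ip for ip in _BRACKETED_IP.findall(line) if _parse_ip(ip)]
        hops.append({"claimed_host": claimed, "ips": ips, "line": line})
    return hops


def originating_ip(raw):
    """Address recorded in the bottom-most Received line (the first hop)."""
    for hop in reversed(received_hops(raw)):
        if hop["ips"]:
            return hop["ips"][0]
    return None


def originating_public_ip(raw):
    """First-hop address that is publicly routable, skipping internal relays."""
    for hop in reversed(received_hops(raw)):
        for ip in hop["ips"]:
            if not is_non_public(ip):
                return ip
    return None


def sender_report(raw):
    """The address to look up in a registry, next to the claims it should be
    compared with (the From: header and the first hop's self-declared name)."""
    msg = email.message_from_string(raw)
    hops = received_hops(raw)
    return {
        "from_header": msg.get("From"),
        "claimed_host": hops[-1]["claimed_host"] if hops else None,
        "originating_ip": originating_public_ip(raw),
    }


if __name__ == "__main__":
    for key, value in sender_report(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

The From: header and the 'from ebay.com' token both say eBay; only the bracketed address was written down by a server that actually talked to the sending machine, and that is the value to paste into the registry's Whois search.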

Does phishing work? According to the May 2005 issue of Community Banker (Found through INSPIRE), phishing scams have led to losses of more than $3 billion since April 2003. And phishing attempts have increased by 400% in the past six months.

Next Security Briefing Installment: Phishing Gets Sophisticated.

Regional Internet Registries:
Asia Pacific Network Information Centre
American Registry for Internet Numbers
Latin America and Caribbean Network Information Center
RIPE (Réseaux IP Européens) Network Coordination Centre
African Network Information Centre
Other Whois Registries:
United States of America Department of Defense Network Information Center
(A commercial domain name registry company)
