Internet Attackers on Phishing Expeditions - ' Page Two ' (
Page 2 of 2 )
If youre resourceful enough to look at the source code of an HTML message (the command can be found under the View menu in your browser), look at the links in the message itself. (These may be in a regular A HREF tag, or handled by JavaScript in an onclick handler, or perhaps in a FORM ACTION clause.)
If the domain in the link is not clearly for the right company, treat the message as suspicious. If the domain uses HTTP obfuscation tricks like decimal IP addresses, hex characters or an @ symbol (which redirects the domain to the last one in the URL), then its almost certainly a scammer.
For example, the URL http://3479379682 is the equivalent of www.2600.org. For a technical explanation of some of this, see the How to Obscure Any URL page at PCHelp.
Now, Id like to be able to tell you that you can just click on links to see where they go, but this isnt a great idea. Its possible for a Web page to contain malicious code that can attack a weakness in Internet Explorer, and you wont know where you are going until you get there.
Of course you can mitigate this risk considerably by keeping your browser up to date and running personal firewall software, but you cant eliminate the risk. If the link in an e-mail is at all suspicious, try to prescreen the link before following it.
The Mimail worm, the latest major phishing attack, took a giant step forward in sophistication by blending its phishing attack with a mail worm application. The "link" in the Mimail e-mail was actually an executable that asked the viewer for personal and credit card information in an official-looking interface, with the added capability of being able to spread itself through the usual worm-spreading techniques.
Mimail strikes me as a real wave of the future. Its a classic example of the threat "blending" that malware experts have spoken of for years. Luckily, since its an executable attachment, its easily blocked with any relatively modern version of Outlook or Outlook Express and probably by any antivirus program.
I have received a few Mimails myself. The messages came from Do_Not_Reply@paypal.com, showing that the senders are clever enough to try to look legit. The subject line contained the red flag of spam: random characters after a long string of blanks. In this case it read: "IMPORTANT onxoamaa". The attachment was named www.paypal.com.pif. If Outlook hadnt blocked the attachment, my antivirus software probably would have.
Many anti-spam vendors are jumping on the antiphishing bandwagon. Brightmails Anti-Fraud service leverages the companys significant amount of e-mail filtering to uncover fraudulent uses of identities in e-mail. It looks for such uses, notifies the company named as the source of the message and then filters against the fraudulent use.
We can expect other antispam companies to enter this business. Still, large companies such as Brightmail, especially ones that filter both business and Internet service-provider mail, will have a big advantage because of the reach of their coverage.
Phishing is one of those sad developments in the Internet that make anyone turn paranoid. I recently received an e-mail apparently from E-ZPass, a system for using transponders on cars to automate the collection of tolls, which is particularly handy here in the Northeast U.S. The message, like others before it, notified me that my monthly statement was available and provided a link for it.
In the past that these messages came from an address at Chase.com (as in Chase, the bank). In this case though, the message came from postmaster@ezpass.acsonline.com and its link was to https://63.87.171.246/index.asp?rid=1234567 (Ive changed the last number in the URL). Because the URL is an IP address, its not possible to verify that the certificate at the address is valid or matches the site.
I went to some effort to verify this one, because even if it was completely valid it betrayed some atrociously bad practices on the part of E-ZPass or its contractors. Calling up E-ZPass wasnt a practical option; as a customer, I know that the least call involves waiting a minimum of 30 minutes on hold. But I did confirm that the ACSonline address is probably legit, since E-ZPass appears to hold the registration rights for Ezpass.com. However, it appears that the company is just sloppy about handling identity and site security—no surprise to people of New Jersey.
The real lesson of this E-ZPass debacle is that its not always easy to distinguish frauds from sloppy, but legitimate business e-mails.
This is a really bad situation, since most people are in no position to evaluate the many possibilities and doing so would take more time than most people are willing to spend. This is why mass-phishing will be the hot threat of 2004.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer
