Spotting Phish and Phighting Back

By Larry Seltzer  |  Posted 2004-08-02

Even a wholesome business like campaign fundraising isn't immune to attack from Internet fraudsters. What's next?

It was only a matter of time before the authors of phishing attacks became more clever. I've always been disappointed, in a perverse way, by the lack of creativity they have shown. But in a way it doesn't matter how clever they are, since you can protect yourself with a healthy dose of skepticism and a little bit of scrutiny. If you can read some HTML source, you should be able to pick out even a well-designed attack.

Your bread-and-butter phishing e-mail is fairly predictable. It appears as a request of some kind from eBay or PayPal or some bank, probably asking you to "reverify" your account information. By now this is so tired a modus operandi that you can pretty much ignore it without any scrutiny. But it's not just the familiar attacks you need to watch out for.

A colleague of mine just received one of the more interesting phishing messages I've ever seen. It's a clone of a Kerry-Edwards campaign contribution solicitation, this one an appeal from Kerry's brother Cam. I don't know if Kerry actually has a brother named Cam, but that's the angle the message takes.

This one is professionally done and uses several of the classic phishing techniques. Ironically, because of those techniques, it was easy for the Kerry-Edwards Web administrators to "phight back."

Within about 24 hours the same e-mail replaced the picture of Cam with a graphic that said "WARNING! If this e-mail is from any address that includes it is not an official e-mail from Kerry-Edwards, 2004, Inc. Do not donate using any link in this e-mail." Because the message hotlinked the graphic from the actual campaign site, the Webmaster could make this change. The downside is that they had to change one of their actual graphics, but I guess it's lucky for the campaign that the phishers used Cam and not John.

Like my colleague, I set my Phishing Alert Level at Red (Severe) on my first look at the message. Would the Kerry campaign actually spam me with a donation request? Well, maybe, maybe not, but it was certainly suspicious. I also noticed the From: address in the message. What does "voteuz" mean? And I know the actual campaign domain is

The next obvious step is to view the source on the message. Aha! It all falls into line. Most of the graphics in the message come from, but the actual "donate" form links go to, a page which, unsurprisingly, is now down. Hmmm. Who is this company? A quick trip to the home page (I won't dignify them with a link) finds one of those shyster outfits that guarantees you a Top 10 search result in Google and Yahoo. It surprises me that any of these creeps fly under the radar at all, but I suspect this particular company is in trouble, especially if the election goes the wrong way for them.
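The checks just described (who the From: header claims to be, where the graphics are served from, and where the forms and links actually send you) are the same ones you apply when reading the source by hand, and they can be mechanized. The script below is an added example, not code from the article or from the campaign; the two sample messages and every address and domain in them are constructed, with example.org standing in for the legitimate site and example.net for the phisher's.

```python
"""Flag a phishing e-mail by comparing where its graphics come from
with where its forms and links point.  Added example, not from the
article; all domains and messages below are constructed."""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect <img src>, <form action> and <a href> targets from HTML."""

    def __init__(self):
        super().__init__()
        self.images, self.forms, self.links = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append(a["src"])
        elif tag == "form" and a.get("action"):
            self.forms.append(a["action"])
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def base_domain(host):
    """Last two labels of a hostname ('www.example.org' -> 'example.org').
    Deliberately crude (no public-suffix list), but enough to separate
    the real site from a look-alike registered somewhere else."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def url_domain(url):
    """Base domain of an absolute URL, or '' for relative/mailto links."""
    host = urlparse(url.strip()).hostname
    return base_domain(host) if host else ""


def analyze(raw_message, legitimate_domain):
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    collector = LinkCollector()
    collector.feed(html)

    findings = []
    # 1. Who does the From: header claim to be?
    sender_addr = email.utils.parseaddr(str(msg.get("From") or ""))[1]
    sender_domain = base_domain(sender_addr.rsplit("@", 1)[-1]) if "@" in sender_addr else ""
    if sender_domain != legitimate_domain:
        findings.append(f"From: address is at {sender_domain or '(none)'}, not {legitimate_domain}")

    # 2. Where do the graphics come from, and where do forms/links go?
    image_domains = {d for d in map(url_domain, collector.images) if d}
    target_domains = {d for d in map(url_domain, collector.forms + collector.links) if d}
    foreign_targets = sorted(target_domains - {legitimate_domain})
    for d in foreign_targets:
        findings.append(f"form/link target {d} is not {legitimate_domain}")

    # 3. The classic tell: the real site's graphics, someone else's form.
    if legitimate_domain in image_domains and foreign_targets:
        findings.append("graphics hotlinked from the real site while the "
                        "form posts elsewhere: classic phishing construction")
    return findings


# Constructed sample, modelled on the message the article describes.
PHISH = """\
From: "Cam" <donate@example.net>
To: you@example.com
Subject: A note from Cam
Content-Type: text/html; charset="us-ascii"

<html><body>
<img src="http://www.example.org/images/cam.jpg">
<p>Please <a href="http://www.example.net/donate.php">donate today</a>.</p>
<form action="http://www.example.net/donate.php" method="post">
<input name="card"><input type="submit" value="Donate"></form>
</body></html>
"""

# Constructed control: everything points at the legitimate domain.
GENUINE = PHISH.replace("example.net", "example.org")

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("GENUINE", GENUINE)):
        print(name, analyze(raw, "example.org") or ["no findings"])
```

The third finding is the one worth keying on: a message that pulls its pictures from the real site but posts its form somewhere else has no honest reason to be built that way. The base_domain() helper is intentionally simple; a production filter would use a public-suffix list and also resolve the Received: chain rather than trusting From: alone.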


Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at DeskTop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
