Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Spotting Phish and Phighting Back



 By: Larry Seltzer
2004-08-02
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Spotting Phish and Phighting Back
  2. ' The donation process '

Rate This Article:
Poor Best
Spotting Phish and Phighting Back
( Page 1 of 2 )

Even a wholesome business like campaign fundraising isn't immune to attack from Internet fraudsters. What's next?It was only a matter of time before the authors of phishing attacks became more clever. Ive always been disappointed, in a perverse way, by the lack of creativity they have shown. But in a way it doesnt matter how clever they are since you can protect yourself with a healthy dose of skepticism and a little bit of scrutiny. If you can read some HTML source, you should be able to pick out even a well-designed attack.

Your bread-and-butter phishing e-mail is fairly predictable. It appears as a request of some kind from eBay or PayPal or some bank, probably asking you to "reverify" your account information. By now this is so tired a modus operandi that you can pretty much ignore it without any scrutiny. But its not just the familiar attacks you need to watch out for.

A colleague of mine just received one of the more interesting phishing messages Ive ever seen. Its a clone of a Kerry-Edwards campaign contribution solicitation, this one an appeal from Kerrys brother Cam. I dont know if Kerry actually has a brother named Cam, but thats the angle the message takes.

Resource Library:

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

This one is professionally done and uses several of the classic phishing techniques. Ironically, because of those techniques, it was easy for the Kerry-Edwards Web administrators to "phight back."

Within about 24 hours the same e-mail replaced the picture of Cam with a graphic that said "WARNING! If this e-mail is from any address that includes @JohnKerrys.com it is not an official e-mail from Kerry-Edwards, 2004, Inc. Do not donate using any link in this e-mail."

Since the graphic link was to the actual JohnKerry.com site the Webmaster could make this change. The downside is that they had to change one of their actual graphics, but I guess its lucky for the campaign that the phishers used Cam and not John.

Like my colleague, my first look at the message set my Phishing Alert Level at Red (Severe).

Would the Kerry campaign actually spam me with a donation request? Well, maybe, maybe not, but it was certainly suspicious.

I also noticed the From: address in the message, online-voteuz@Johnkerrys.com. What does "voteuz" mean? And I know the actual campaign domain is johnkerry.com.

The next obvious step is to view the source on the message. Aha! It all falls into line. Most of the graphics in the message come from johnkerry.com, but the actual "donate" form links go to http://testhost.yahoogoogle.biz/JohnKerry/contribute.html, a page which, unsurprisingly, is now down.

Hmmm. Who is this yahoogoogle.biz company? A quick trip to the home page (I wont dignify them with a link) finds one of those shyster outfits that guarantees you a Top 10 search result in Google and Yahoo. It surprises me that any of these creeps fly under the radar at all, but I suspect this particular company is in trouble, especially if the election goes the wrong way for them.

Next page: The donation process.





  Reader Comments: Spotting Phish and Phighting Back
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Larry Seltzer
 


x}r8s;iW1ŋK-JӶTTFh)ئHIҽ~fMZs\QD d"3H$$SW7-gB\snS;sa@ Z.%>; ()o1mnf]( _hoL|Aშ :#:D.Rk2 Z575'4o/Nne0S-:Iq>)֐NմnI>شQ$)q@P.w@~Th= \2ITߦuB)~{Te䆡;g? CKt/"(?c&c?9; fw^B(ƻFՉziZgdd vu=yͨ /B1r!f-{74ɿT݉[͛ L=iLVG;%0Ýtf?Dk> NZ] Z3ˆ辥{$)5= \o4QL1H6}~8MZ QM%$7 .mq_0/<mdRr-2QȲnMw3a[Mѡl7ZkuE9,},^+Y-\hoF_JU4E?w?]HQPwÑ;7@VVa(κǗ~d@{Wy@N{A~$?Fj}&UJDZ-gi& 0h!5tt򰚅AX{t\獒A7ny#ܲ_/ivdf1{PdXIc/YTUGf9vm9t./.t?]v;'>ߘecfy3?TrJw3F~ V'kyw''K\u;}d/'t6 +?;VU'_ZUկz 6O{:$~54Y01\ \^Kjgdڽ1)H|]:MipvJ X-t[;RH }yp)#,_0f k$LJFo$3NE - uvPy۬)MZ!rƒ uKsQ8nZK0[RFp\ ДQ#|`Mab&DJH?Ӕ>-`i˫ TE嗋mESq>]Q4{3Bɭ`g@ɋ BD4?CC0!pl/\~_L.ãQwWڲ9Q[ kK\M}2Eя1-+}י4O:N/z~:xD18,]evb`\77Zu?1ß}52o+r%(NMf[ԑplPòǔIz<g 6aϨ>|鎓z>:AGAtišwh4?YnL-rӇtw@>+wOݺzL^TŞ+LКk}0#GE 6]LR}t 9q HhR0|s70Z[3aP#[ѽk:Fz?a#0.Zm{Ae^~}¢!1y@Xȁf`so뷺e#97(u%2J}cn.O)))?]HPw9DJ B!B0H`P ar T<ʦBI}vn2V{TKh!+K@fsfd(4{~4 cbB|#'fXr`Y \d+|i)lb ը6؛ri:|:ioBg< 0uy=[IZ-z'$mLcF0pql0߽h7,kRχ +L+f9N)A\_XHL[nlSr`8) 0:|Ch2i{M?g[,:L:%qC.{]:0s k2'y='.Q1jWuϙܑm˹JoBoڅRU眺_dA_fMjlȜu>IVB17O)wz@aex**#wT4tj~#JwCݼ~hé;h{q#%MAw=e河xOuXKnuo?Jյ݋pz1TKúJj'/odm_EڠueLGeK-# IHf(XK+ezlxӇ8$&le6LE6pȞZcnP jrIjS#SVhVK^Ma+ L 4 p*w`bB0N`Ncy6:#}=r=C6]?C14x>JeHכAB6ҧ[BSjj33-F  o _׆K ȁUzq3ҝtia?, {yKJZq>O.; V!2DD+ه0`-E}ݛZA_a V&H~1:2.eX \kOa3<(yR+r!)'ֈI4U$]g ĕQ/ay@٘*#܊k Bo` 2l3sG/.zr|t݉M% ynssQ*/K7+ )R|;Oz^*k 5ǩUUR;,Z 7;z&9̓)V3G q'|a_ћz?_3ch9{䋲?ה  `3\x gשUXT8ᔱe10kfW S#Sq_TҔgDF(/9 ΔsTNjZ|jwVQ=/YQSןfca "Զwkq 5\`EYۇ>Z}n)rdd8+ё,Xr]TՑnR UtT#CWta)X]QiSZm;m?UN᧜ZЁ P}{tVPBK&nΚ77Ϣ=+ob"9ygm2$8zN0JM;%95$_ۂ3FitLeb`l "Z`|i/X`&c1 s*? .|l3pڳ.`Ϙɧb_߯Xcփ0 HG}7sOnyUc{6~zi1b`{7=;#(4OQ5rRl2y6P}m*lֳ>A>qHl_¹^OR4r{_7)~(zC9KmuA>TU]~T#U\+ԊR?YTAty]n?cVPVW`Zd&{ڜ%\sLi0o(Q멋~ fTmZ/)+iQ/ ~ dwm! PG c[,Y2a^G #~wab>$:ݏqa^wԸ'^`>*u۝!E//{RÏ.F0r`R(; J@F$bw}Wsh%a=; Fk)^9 3u{.d};]z{ޑҽN zs5A nTHF_!yO;FS̠o2XHz0<㥑a+"ATKݹ̂q ՜4"z ON3bn,qmj19²VXȬE`&|C7$>T1r(`$X)XAU:_':Ki56P^S(+RJ"4FYO |Fڝe3_f} Rt<~UrvHעo9Kj}J_cNfo4~ ѶP=8Y,rh縵vR{Ez{Nbp jviSr!,/Dec]ZimwչN> S4sJd":A%;)~ڰOCT䵴f[YUHO~%!\8a=!l Qڕ~Mb۽cscE)vwR6x}y9b1ݾne)ܱr0jw;操~;Oj9vЛ3LةEݘtvzNhs3 {c1Tuv0؁H*Ero5 &k Omzcl3ȲÈǥܷrtg ހNK:2ju`~%X@2oBOH4b5~ǿ뢧G r[k_=3r°Y}l(=hGt?vJwѧmE4 tijVTcf;i6$BUU+jA\EVe.tޗN|2<9:k ,Fsd3rT?#ziВ116onP;=4zC߼ˤaW*]c{*{7wﰧ]VZtC.qB1nVd/)&%/OE L OKt1ڬ/ۥ{HkYXdbS;Oٞ ?֘ '|Ȟ8^@C|Wyg!,daзF0[+-)$Ιd<$J;omoݍnL M A;&JX<%N>۴ rUCaC_:(0i0pDa $\}5 ߈;6bE IM1XQ|=L8s{C4pU_s wޘPE?\=3q DxQ0e\ڊ]aKn~ V~/w,Viuˏv.Gr]1]NQҁX?a*ޠ"=;"C|"UQշ&RJiۮӏJi0$Gv.`rJu!;7tYCN`(tL櫀t1 #EK Ң[#1t^OR%)IJC w/kZISeCqHMvc"qQ2ގmŹMh'5XR1f}]tRdlM+"ar0(<%fK;^_K23SO,&<6'""Ö7[K*U٪6t mnS{K U7eʋ3OϣN/X0t&Y[Ro-E/,fN&ksAGu تHf#079 45"!m )Ԟ "r GY_H}w2\ ,A:ЕZ>:6*\dcH Df aRs Fe h a{=? 4^^JUDR4V|XU!;k([\X]|RUK{:17K,EHW6}`/npSTlKWsۡMG5ia;H|sƷA4 T6DPO7065'T:6kQ-EgLr\9-{rPuYPSEJU/aȎu3ZD% ?Ϟ/HΈ/K拂ېK'-0A4 # <}@gy;YNl{S:w-u$än%;6BF̗4«D9"&6oy,*l4 YnZ舸 ӹ=?ٕ:x0,x;q\!Z/0%q >a3_vI?Њg]}e,i|> 9-Xbvu?P O"F֘%A`d;6-LHj~6}A+?V4Y mX[`8NËK;_<@VE[6bV̽K 畲lPR;`i#m2tAm)j?  ZRˬk!EI3Ʊ)+{G`4cT1,,>dn+;sHyIv|wouv1ASpn]|8d]"6y@buߒ`2YAړYİO:)x-{8Rxr1JBv1c2:"˜.-twFw0GxqsR\,cT"y| [DxQ)w<.ob\y z|/峚bfģ Zkah;Xÿ́kj=!vc`n.қ≡37:USX ÑR,;cOnHȷ٢ 2>TXoD\^atdӇn-& ~iXx>H'*t}jh ܻTVδJd i XTϡVR*jZ?";М|gyj]SjZYS#-&OD^)J\j˜Y>=>KW .kXl; #W*ZTf0@ZRa )d Hw@֌2JdO}TK[RJH`o2?oa's@ r|{\כ5NqtPDŽ)D$R7xo/5!oI{m >;byg#m:s_ai;t]kt+ s>f3B[w^?r}sι}?CX1pNi ͬͱj-%Fd]F5Rx 3}c0c{±@::Iߣx8?_J)}#Qi^oD~d#nϪ5q%YOXt1);ԲrZ#ZMIxe5J7[]|_#Ƅs&b82E \ЍB9ϪͲ;IoP}sY?e=a ' 2u?|{vBJ{?Lm~##dM-ãk|U:f|%wcܶi#:&  ):b]БܟޕjmO*IgOn4}|}A6ڄyiǥ4YR gMr+/\ixc#V݌k3du rF@Yf!s}=H]YUc `xyG$!f=%ig0\*ލC9k/p[fM B E=D <8uE)͜U=R*]Q. UC~M l  \Zp4pBoF󾲯0I=a?ÈGs{KZ"cZ1ш@Q>ɹgMN:vJE< ,iMYC) \i3ۈ) v+9f_A(I6FKGET&}fA=bAa~L­!Rfjs# x_𮳹Y1W  :la`t.tϼðq7]gÁAfVYpRt=:rtԨ)ʞ*|{#`  sXDej@̐0{(ˏIJ uXZFB(s ֞Oou7@F`p3W VjMDO"ӡRs]j%uF\]ÀYU^&*۷Ӕ^*BI] / (HZ W{}K1 t0 c3brLufZ_IeCǗ݋AwN:kB)Qe3ʋ qW~4ab ^)oۗ~_˧VRk!X_;9P~sC9?/-4?uחwۅfS3r7 _9_SfYg9<@߳}rsyßgg92z_O9唟AYN9y9y@rOK/G\\%e~}o@?֗_WP~W]wʡ5_^55u:Iʙ#g \8=JW ͣ~TA__y+%IN>質9+f/_ȡsTh=*Я#Uߗdnldڽ8 aqʍz^S_xڙ閽pLڭe]9hwp_l(%^a/ ^敽ɤ< xEB+gٔ@#X{#uO'NW6#ﹺ d^)Wsr>V=ןbMedG,D<mJ5BfaO@y6^$4(c#h .Ǒrۿ剹?|k2yi8>{7].6tqS0no,0 4` +%WxZӛ\ڎwڝGf{ueeDb;w6 oCdx^$ٝzÀ}G]Vl<-t&n\ef(/@FA@a0-0ŸeZ 7㌰6և { C:Ec=tF}Yʪ9(Ѱ~H"79<R9Gq`F}f$&BfȺTo4pGn L\wFn )xT-kZYoZԪw俒K$2c=bsUUEVrp` VU+D`I9#Tx|Dei櫌:9IC@b&;h8[b4wp%EЧ v̆H˘H͛YHMu?2{_ۉ #HbfA0Jb'c{z18$Û?y0`dͬf.fж!%v[F8lc6г&& 3K]$]!Z-^m&=ȁv=Eccx uq<X!鞠W,9ӽtLdp!gB-ZӋl^@e)D ˺暻ą:X~ sn7@aƘSkDMIn_!]x@eĪ"91>G${)V 1>raE1`˙B0H_(Ss Tv螾L tR -`Z}vҸIn|1@u4b5V$G3x7X%05:%xrQf]r{^f$$6,wls]90'O='8 CqzvwʱDeqgڮ "d`{0k&X02^g~1Q>ಓ_b!8+3>/BlKzV@U}È# 1*;ԟ1HDY/ZY{N6 )4MϫH΢P-]zlo()y+:*نxN*x:f[BI<<>,D*9"aIo Q@EikA/?H3ۉd쥽%}Yq v.}xFʫu\N_T~7)btwў|7(6؎|%O`A0^|eKF$u' ;F?Q11|j;;C@_ܙeUhJl[9U2xEy?ĵ w-/ [Oulg8E Pr3қKt?_0ԕU`7gS~* 3VA>h4M(_ k0F?EHÿˍtf_d%\ df3@ƷD0k"66i֘DR*,l'f , ~sf㿶;|ZPwȑ( l}i.͜GK@g0mҕh_nq7V0] +B#V|JrX}P?):OOgsZ^Hʶ!_,{ QIbV@#q좢UnD,lp/>cwϏq` 3﮳z/'8KiJ epClkZK (Jq] XN´âȖWITR6!;ٯD?8- cĬ;acXJXR!& ?O80Ux|-h\l}[xpmx0#Ÿrz,ɀ~/'[]r*\d7sl#^"foa*H|rR$aHbV\3z7ZОsq=C Cga+ecPXvc2G=L.@| փ X{څGSE6:|,%݈bVS"N$J i-99N*LX6f?rCf *$ @˽ō]Ng*a7:&ah~q >/F"FԂ'g"eW~)ID~y)/́/P>I&'E.t ʢTb{ T.7?_N;KwcA <Y$W7uG@@;LwD a ѸTǓ_w? VN{ XٺqKZǿ|}>oKQEe遢%!.۝,!ջhx_ο`(XEhMc01B4