Spotting Phish and Phighting Back - 'The donation process' (Page 2 of 2)
I actually clicked on the Donate link, which is usually safe if you're all patched up and have anti-virus software, but it's still a bit scary. Since the page is down you can't verify any of this anymore, but there were a bunch of other red flags on it.
First, the links in the e-mail had said that it would take me to "Make a secure donation," but the page it took me to was plain HTTP, not HTTPS. Funny how most phishers don't want to get an actual digital certificate.
There were also "contribute by mail" and "contribute by phone" links on the page, but they were dead. Gosh, I wonder why?
The Web site JohnKerrys.com, the From: domain, is even more interesting. The ownership records are incomplete, but the domain is for sale. The address and phone number, if you want to buy it, are in Cape Verde, an island nation off Senegal in the north Atlantic Ocean.
I didn't go through with the payment process so I don't know how well-done it is, but certainly nobody with a modicum of sophistication about the Web should be fooled. Of course, the Web isn't supposed to require a modicum of sophistication in order to be used. So what's the solution?
First, the owner of yahoogoogle.biz (it's registered to someone in India) should get in big and conspicuous trouble. Actually, just in case it's unclear that they are responsible, it should be even easier to track down who the credit card payments would have gone to. I want everyone to see this person carried away in chains.
Another part of the answer is sender authentication for SMTP. This particular message may actually have come from the mail domain it claims to have come from, but the vast majority of the ones I've seen have appeared to come from "ebay.com" or "citibank.com" and so on, and they can do that because SMTP lets a sender put any domain in the From: header and the envelope sender without proving it controls that domain. All these attacks lose credibility when the mail-spoofing aspect of them is gone, and that also makes it a little easier to track down the senders.
A survey by MailFrontier shows a series of e-mails and asks whether you think they are real or phishing attacks. MailFrontier actually removed the message sender information and changed all the Web links in the messages to point to itself, so as a practical matter the survey is useless (and arguably dishonest). Your best tool is taken away. But look at the survey anyway and approach it as a test of how you would judge the messages if you didn't know how to look at a Web link and figure out that it isn't what it should be. It's not easy to tell.
Blithely proclaiming that "education is the answer" is a cop-out in this situation because normal users shouldn't have to learn what they'd need to learn to tell the difference, and they won't. The solution will have to come elsewhere, probably from technology.
The beginning is the adoption of MARID or some standard like it, and the next step will be anti-fraud systems based on accreditation and reputation. In that sense, phishing is part of the same spam problem that will kill off e-mail unless we stop it.
To read Larry Seltzer's in-depth analysis of MARID, the Internet Engineering Task Force's attempt to standardize SMTP sender authentication, click here.
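The link checks the column leans on (a "secure donation" link that is plain HTTP, "contribute by mail" and "by phone" links that go nowhere, and a link host that has nothing to do with the From: domain) can be mechanized. The script below is an added example written for this page, not code from the column or from MailFrontier. It parses a constructed HTML body modelled on the message described above; yahoogoogle.biz and johnkerrys.com are the domains the column names, while the paths and link texts are made up. It only catches a mismatch between links and the claimed sender, so a From: domain that is itself bogus (as JohnKerrys.com turned out to be) still needs the WHOIS check the column describes.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing e-mail body, modelled on the message the
# column describes. The domains are the ones named in the column; the paths
# and wording are invented for this example.
SAMPLE_HTML = """
<p>Dear supporter,</p>
<p><a href="http://yahoogoogle.biz/donate.php">Make a secure donation</a></p>
<p><a href="#">Contribute by mail</a> |
   <a href="javascript:void(0)">Contribute by phone</a></p>
<p><a href="https://www.johnkerrys.com/">Visit our Web site</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so "Make a\n secure donation" compares cleanly.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return parser.links


def same_org(host, domain):
    """True if host is domain itself or a subdomain of it (not a look-alike)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_link(href, text, from_domain):
    """Return the red flags a careful reader would raise for one anchor."""
    flags = []
    target = href.strip()
    # Placeholder targets: the "contribute by mail/phone" links that go nowhere.
    if target in ("", "#") or target.lower().startswith("javascript:"):
        flags.append("dead link")
        return flags
    url = urlparse(target)
    # "Make a secure donation" pointing at plain HTTP: no certificate, no TLS.
    if "secure" in text.lower() and url.scheme.lower() != "https":
        flags.append(f"claims 'secure' but scheme is {url.scheme or 'none'}")
    # The link should land somewhere under the domain the mail claims to be from.
    host = url.hostname or ""
    if not host or not same_org(host, from_domain):
        flags.append(f"link host '{host}' is not under {from_domain}")
    return flags


def audit_message(html, from_domain):
    """Audit every link in a message body against the message's From: domain."""
    return [(href, text, check_link(href, text, from_domain))
            for href, text in extract_links(html)]


if __name__ == "__main__":
    for href, text, flags in audit_message(SAMPLE_HTML, "johnkerrys.com"):
        print(f"{text!r:30} -> {href}")
        for flag in flags:
            print("    RED FLAG:", flag)
```

Run against the sample, the donation link draws two flags (HTTP where "secure" is promised, and a host under yahoogoogle.biz rather than the From: domain), the mail and phone links are flagged as dead, and only the last link passes. The `same_org` check is deliberately suffix-based so that `ebay.com.evil.example` is not mistaken for a subdomain of ebay.com.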
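What the column calls SMTP authentication and what MARID set out to standardize is, concretely, a way for a domain to publish in DNS which mail servers may send on its behalf, so a receiving server can reject a message whose envelope sender claims "ebay.com" but arrives from an unrelated address. The script below is an added example written for this page, not code from the column or from the IETF; it is a deliberately minimal evaluator of SPF records, the best-known of the proposals MARID considered, running over constructed DNS TXT records for reserved `.example` domains rather than live lookups. Only the `ip4`, `ip6` and `all` mechanisms are implemented; a real evaluator also handles `a`, `mx`, `include`, `redirect` and the lookup limits.

```python
import ipaddress

# Constructed SPF records for illustration. These are not live DNS answers and
# the .example names are reserved domains, not the real ebay.com or citibank.com.
# Syntax follows SPF: "v=spf1" then mechanisms, each with an optional qualifier
# (+ pass, - fail, ~ softfail, ? neutral); "all" matches any sender.
DNS_TXT = {
    "ebay.example":     "v=spf1 ip4:203.0.113.0/24 -all",
    "citibank.example": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 ~all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, mail_from_domain, dns=DNS_TXT):
    """Evaluate the connecting client's IP against the sender domain's SPF record.

    Illustrative subset only: ip4, ip6 and all mechanisms. Anything else
    returns "permerror" rather than pretending to evaluate it.
    """
    record = dns.get(mail_from_domain.lower().rstrip("."))
    if record is None:
        return "none"            # domain publishes nothing: no protection at all
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"          # a mechanism with no qualifier means "pass"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == network.version and ip in network
        else:
            return "permerror"   # mechanism this illustration does not implement
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"             # no mechanism matched and no "all" was present


def mta_policy(sender_ip, mail_from_domain, dns=DNS_TXT):
    """A common receiving-MTA policy for each SPF result (a choice, not a mandate)."""
    result = check_spf(sender_ip, mail_from_domain, dns)
    return {
        "pass": "accept",
        "fail": "reject",         # the forged "ebay.com" / "citibank.com" case
        "softfail": "accept and tag as suspicious",
        "neutral": "accept",
        "none": "accept",         # unauthenticated, which is today's default
        "permerror": "accept and tag as suspicious",
    }[result]


if __name__ == "__main__":
    # Constructed SMTP sessions: (connecting client IP, MAIL FROM domain).
    sessions = [("203.0.113.45", "ebay.example"),      # a real eBay server
                ("192.0.2.9", "ebay.example"),         # a phisher forging eBay
                ("192.0.2.9", "citibank.example"),     # forging a softfail domain
                ("192.0.2.9", "nospf.example")]        # domain without a record
    for ip, domain in sessions:
        print(f"{ip:15} MAIL FROM <...@{domain}>: "
              f"{check_spf(ip, domain):9} -> {mta_policy(ip, domain)}")
```

The point the column makes falls out of the last two sessions: a forged sender is only rejected when the forged domain has published a record ending in `-all`, a `~all` record merely gets the message tagged, and a domain that publishes nothing is still as spoofable as it is today. That is why adoption, not the existence of the standard, is the first step.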
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Check out eWEEK.com's Security Center at http://security.eweek.com for security news, views and analysis.