Spotting Phish and Phighting Back

Even a wholesome business like campaign fundraising isn't immune to attack from Internet fraudsters. What's next?

It was only a matter of time before the authors of phishing attacks became more clever. I've always been disappointed, in a perverse way, by the lack of creativity they have shown. But in a way it doesn't matter how clever they are, since you can protect yourself with a healthy dose of skepticism and a little bit of scrutiny. If you can read some HTML source, you should be able to pick out even a well-designed attack.

Your bread-and-butter phishing e-mail is fairly predictable. It appears as a request of some kind from eBay or PayPal or some bank, probably asking you to "reverify" your account information. By now this is so tired a modus operandi that you can pretty much ignore it without any scrutiny. But it's not just the familiar attacks you need to watch out for.

A colleague of mine just received one of the more interesting phishing messages I've ever seen. It's a clone of a Kerry-Edwards campaign contribution solicitation, this one an appeal from Kerry's brother Cam. I don't know if Kerry actually has a brother named Cam, but that's the angle the message takes.


For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzer's Weblog.

This one is professionally done and uses several of the classic phishing techniques. Ironically, because of those techniques, it was easy for the Kerry-Edwards Web administrators to "phight back."

Within about 24 hours the picture of Cam in that same e-mail had been replaced with a graphic that said: "WARNING! If this e-mail is from any address that includes @JohnKerrys.com it is not an official e-mail from Kerry-Edwards, 2004, Inc. Do not donate using any link in this e-mail."

Since the message did not embed the graphic but loaded it straight from the actual JohnKerry.com site, the Webmaster could make this change simply by swapping the file on the server. The downside is that they had to change one of their actual graphics, but I guess it's lucky for the campaign that the phishers used Cam and not John.

Like my colleague, my first look at the message set my Phishing Alert Level at Red (Severe).

Would the Kerry campaign actually spam me with a donation request? Well, maybe, maybe not, but it was certainly suspicious.

I also noticed the From: address in the message, online-voteuz@Johnkerrys.com. What does "voteuz" mean? And I know the actual campaign domain is johnkerry.com, not johnkerrys.com.

The next obvious step is to view the source on the message. Aha! It all falls into line. Most of the graphics in the message come from johnkerry.com, but the actual "donate" form links go to http://testhost.yahoogoogle.biz/JohnKerry/contribute.html, a page which, unsurprisingly, is now down.
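The three checks above (where the graphics come from, where the links and forms go, and whether the From: domain is a look-alike of the branded domain) are easy to automate. The script below is an added example written for this article, not code from eWEEK or the Kerry-Edwards campaign; the HTML body is a constructed stand-in that only reuses the host names named in the text, and the registrable-domain helper is a deliberate simplification (last two labels).

```python
"""Triage an HTML e-mail the way the article does by hand: compare where the
graphics come from, where the links and forms go, and what the From: domain is."""
from collections import Counter
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


def host_of(url):
    """Hostname of an absolute URL, lower-cased; '' for relative or mailto: links."""
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    # Assumption: the last two labels are the registrable domain. Fine for
    # .com/.biz, wrong for multi-label suffixes such as co.uk.
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot typo-squats such as johnkerrys.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class LinkCollector(HTMLParser):
    """Collect hosts referenced by <img src>, <form action> and <a href>."""
    def __init__(self):
        super().__init__()
        self.image_hosts, self.action_hosts = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.image_hosts.append(host_of(a["src"]))
        elif tag == "form" and a.get("action"):
            self.action_hosts.append(host_of(a["action"]))
        elif tag == "a" and a.get("href"):
            self.action_hosts.append(host_of(a["href"]))


def triage(from_header, html_body):
    """Return the domains seen plus a list of human-readable findings."""
    _, addr = parseaddr(from_header)
    sender = registrable(addr.rsplit("@", 1)[-1].lower())
    p = LinkCollector()
    p.feed(html_body)
    brand = Counter(registrable(h) for h in p.image_hosts if h)
    actions = Counter(registrable(h) for h in p.action_hosts if h)
    findings = []
    # 1. Branding borrowed from one domain, but the money goes somewhere else.
    for d in actions:
        if d not in brand:
            findings.append(f"links/forms go to {d}, which serves none of the graphics")
    # 2. From: domain is not the domain whose look the message borrows...
    if brand and sender not in brand:
        findings.append(f"From: domain {sender} serves none of the graphics")
        # 3. ...and is within a couple of edits of it: a look-alike domain.
        for d in brand:
            if edit_distance(sender, d) <= 2:
                findings.append(f"{sender} is a look-alike of {d}")
    return {"sender": sender, "brand": dict(brand), "actions": dict(actions),
            "findings": findings}


# Constructed sample reproducing the structure the article describes; it is not
# the real message. Only the host names come from the article.
SAMPLE_FROM = "Cam Kerry <online-voteuz@Johnkerrys.com>"
SAMPLE_HTML = """
<html><body>
<img src="http://www.johnkerry.com/images/header.gif">
<img src="http://www.johnkerry.com/images/cam.jpg">
<p>Please help. <a href="http://testhost.yahoogoogle.biz/JohnKerry/contribute.html">Contribute</a></p>
<form action="http://testhost.yahoogoogle.biz/JohnKerry/contribute.html" method="post">
  <input type="submit" value="Donate">
</form>
</body></html>
"""

if __name__ == "__main__":
    report = triage(SAMPLE_FROM, SAMPLE_HTML)
    print(report["brand"], "->", report["actions"])
    for finding in report["findings"]:
        print("!", finding)
```

On the sample this reports that the graphics all come from johnkerry.com while every link and form goes to yahoogoogle.biz, and that the From: domain johnkerrys.com is one edit away from johnkerry.com. A message whose images, links and sender all share one domain produces no findings. For real mail, replace the two-label heuristic with a Public Suffix List lookup, and remember that a phisher who hosts copies of the graphics instead of hot-linking them defeats check 1, which is exactly why the hot-linking in this case handed the campaign its counter-move.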

Hmmm. Who is this yahoogoogle.biz company? A quick trip to the home page (I won't dignify them with a link) finds one of those shyster outfits that guarantees you a Top 10 search result in Google and Yahoo. It surprises me that any of these creeps fly under the radar at all, but I suspect this particular company is in trouble, especially if the election goes the wrong way for them.
