It was only a matter of time before the authors of phishing attacks became more clever. Ive always been disappointed, in a perverse way, by the lack of creativity they have shown. But in a way it doesnt matter how clever they are since you can protect yourself with a healthy dose of skepticism and a little bit of scrutiny. If you can read some HTML source, you should be able to pick out even a well-designed attack.
Your bread-and-butter phishing e-mail is fairly predictable. It appears as a request of some kind from eBay or PayPal or some bank, probably asking you to “reverify” your account information. By now this is so tired a modus operandi that you can pretty much ignore it without any scrutiny. But its not just the familiar attacks you need to watch out for.
A colleague of mine just received one of the more interesting phishing messages Ive ever seen. Its a clone of a Kerry-Edwards campaign contribution solicitation, this one an appeal from Kerrys brother Cam. I dont know if Kerry actually has a brother named Cam, but thats the angle the message takes.
This one is professionally done and uses several of the classic phishing techniques. Ironically, because of those techniques, it was easy for the Kerry-Edwards Web administrators to “phight back.”
Within about 24 hours the same e-mail replaced the picture of Cam with a graphic that said “WARNING! If this e-mail is from any address that includes @JohnKerrys.com it is not an official e-mail from Kerry-Edwards, 2004, Inc. Do not donate using any link in this e-mail.”
Since the graphic link was to the actual JohnKerry.com site the Webmaster could make this change. The downside is that they had to change one of their actual graphics, but I guess its lucky for the campaign that the phishers used Cam and not John.
Like my colleague, my first look at the message set my Phishing Alert Level at Red (Severe).
Would the Kerry campaign actually spam me with a donation request? Well, maybe, maybe not, but it was certainly suspicious.
I also noticed the From: address in the message, online-voteuz@Johnkerrys.com. What does “voteuz” mean? And I know the actual campaign domain is johnkerry.com.
The next obvious step is to view the source on the message. Aha! It all falls into line. Most of the graphics in the message come from johnkerry.com, but the actual “donate” form links go to http://testhost.yahoogoogle.biz/JohnKerry/contribute.html, a page which, unsurprisingly, is now down.
Hmmm. Who is this yahoogoogle.biz company? A quick trip to the home page (I wont dignify them with a link) finds one of those shyster outfits that guarantees you a Top 10 search result in Google and Yahoo. It surprises me that any of these creeps fly under the radar at all, but I suspect this particular company is in trouble, especially if the election goes the wrong way for them.
The donation process
I actually clicked on the Donate link, which is usually safe if youre all patched up and have anti-virus software, but its still a bit scary. Since the page is down you cant verify any of this anymore, but there were a bunch of other red flags on it.
First, the links in the e-mail had said that it would take me to “Make a secure donation,” but the page it took me to was HTTP, not HTTP Secure. Funny how most phishers dont want to get an actual digital certificate.
There were also “contribute by mail” and “contribute by phone” links on the page, but they were dead. Gosh, I wonder why?
The Web site JohnKerrys.com—the From: domain—is even more interesting. The ownership records are incomplete, but the domain is for sale. The address and phone number, if you want to buy it, are in Cape Verde, an island off Senegal in the north Atlantic Ocean.
I didnt go through with the payment process so I dont know how well-done it is, but certainly nobody with a modicum of sophistication about the Web should be fooled. Of course, the Web isnt supposed to require a modicum of sophistication in order to be used. So whats the solution?
First, the owner of yahoogoogle.biz (its registered to someone in India) should get in big and conspicuous trouble. Actually, just in case its unclear that they are responsible, it should be even easier to track who the credit card payments would have gone to. I want everyone to see this person carried away in chains.
Another part of the answer is SMTP authentication. This particular message may actually have come from the mail domain it claims to have come from, but the vast majority of the ones Ive seen have appeared to come from “ebay.com” or “citibank.com” and so on, and they can do that because SMTP is unauthenticated. All these attacks lose some credibility when the mail spoofing aspect of them is gone, and that also makes it a little easier to track down the senders, too.
A survey by MailFrontier shows a series of e-mails and asks whether you think they are real or phishing attacks. MailFrontier actually eliminated the message sender information and changed all the Web links in the messages to point to them, so in fact as a practical matter the survey is useless (and arguably dishonest). Your best tool is taken away. But look at the survey anyway and approach it as a test of how you would judge the messages if you didnt know how to look at a Web link and figure out that it isnt what it should be. Its not easy to tell.
Blithely proclaiming that “education is the answer” is a cop-out in this situation because normal users shouldnt have to learn what theyd need to learn to tell the difference—and they wont. The solution will have to come elsewhere, probably from technology.
The beginning is the adoption of MARID or some standard like it, and the next step will be anti-fraud systems based on accreditation and reputation. In that sense, phishing is part of the same exact spam problem that will kill off e-mail unless we stop it.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:
More from Larry Seltzer