

June 11, 2006

Old Phishing Wine in Old Phishing Bottles

If you are a crook and want to elicit a click response from a target, all you have to do is make the recipient believe that he/she has been charged money for something he/she didn't order. I've seen this ruse many times by criminals wishing to get you to visit a site that silently installs malware that takes over your PC (written up in Spam Wars). Phishers use the same ploy, claiming that the email message from PayPal (or whomever) is a receipt for a mythical payment. If you wish to dispute the charge, simply "click on the link below" to log in and resolve the issue. Where you click, of course, is on a link that leads to a bogus lookalike site that asks for your PayPal username and password. Enter that data, and kiss your PayPal account (and any funds therein or linked thereto) goodbye.

Phishing filters on incoming mail servers and in email programs might be on the watch for the usual types of content that phishing messages contain. But such filters won't catch a message whose only readable body content is contained in an image, like the following:

[Image: phony PayPal message]

Even if the recipient has automatic downloading of images turned off, you can bet your bottom dollar that when the From: line reads "PayPal <service@payal.com>" and when the Subject: line reads "Your payment has been sent to mailto:sales@sonyusa.com"—and there is nothing else in the message except an image to be downloaded—the recipient will ask to download that image to investigate without hesitation. The impending doom of being charged many hundreds of dollars for something not ordered, nor shipped to a recognizable address, will override calm logic that shouts, "Why is this supposedly one-off message in the form of an image?"

Again, the real "secrets" of this message are to be found in the source code view, where nothing remotely connected to PayPal is in the unforgeable areas of the message header and body. I maintain that it is easier for a non-techie email consumer to learn how to identify bogus phishing messages in the source code than it is to learn how to use an iPod with iTunes. Unfortunately, and despite the huge risks of falling for phishing scams, the will to learn the right way to spot the scam messages isn't there.
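As an added example, not part of the original post, here is a small Python script that applies the post's two observations to a raw message: an HTML body whose only readable content is an image, and a From: line whose brand never shows up in the unforgeable part of the header, the topmost Received: line written by the recipient's own mail server. The From: and Subject: lines are the ones quoted above; every host name, IP address and the message itself are constructed for the example, and the brand constants, the finding labels and the header parsing are this example's own simplifications, not code from the post.

```python
"""Added example (not from the original post): read a raw email the way the
post suggests reading its source view, and report the tell-tale signs it
describes.  All hosts, IPs and the sample message are constructed."""
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample in the style the post describes.  The From: and Subject:
# lines are quoted from the post; the Received: chain, hosts and IPs are
# invented (documentation address ranges only).
SAMPLE_RAW = """\
Received: from mail.relay.example (mail.relay.example [192.0.2.10])
    by mx.recipient.example with ESMTP id ABC123
    for <victim@recipient.example>; Sun, 11 Jun 2006 10:02:11 -0700
Received: from unknown (HELO paypal.com) (198.51.100.7)
    by mail.relay.example with SMTP; Sun, 11 Jun 2006 10:02:09 -0700
From: PayPal <service@payal.com>
To: victim@recipient.example
Subject: Your payment has been sent to mailto:sales@sonyusa.com
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<a href="http://198.51.100.7/cgi-bin/webscr"><img src="http://198.51.100.7/receipt.gif"></a>
</body></html>
"""

BRAND = "paypal"            # brand word to look for in the From: display name
BRAND_DOMAIN = "paypal.com"  # the domain that brand's mail would actually come from


def in_domain(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def trusted_hop(msg):
    """Hosts named for the connecting machine in the topmost Received: header.
    That header was added last, by the recipient's own server, so the sender
    could not forge it.  Returns the HELO name and, when present, the
    reverse-DNS name the server recorded in parentheses."""
    received = msg.get_all("Received", [])
    if not received:
        return []
    flat = " ".join(received[0].split())          # unfold continuation lines
    m = re.match(r"from\s+(\S+)(?:\s+\(([\w.-]+)[^)]*\))?", flat)
    if not m:
        return []
    return [h.lower() for h in m.groups() if h]


def visible_text(html):
    """Body text a reader would see once the tags are stripped."""
    return re.sub(r"<[^>]+>", "", html).strip()


def link_hosts(html):
    """Every host referenced by an href= or src= attribute in the body."""
    urls = re.findall(r'(?:href|src)\s*=\s*["\']([^"\']+)["\']', html, re.I)
    return sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})


def analyze(raw):
    """Return a list of finding labels for one raw RFC 822 message."""
    msg = email.message_from_string(raw)
    findings = []

    # 1. Display name claims the brand, but the address domain is not the brand's.
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if BRAND in display.lower() and from_domain != BRAND_DOMAIN:
        findings.append(f"from-domain-mismatch:{from_domain}")

    # 2. The brand's servers never appear in the one Received: line we trust.
    if not any(in_domain(h, BRAND_DOMAIN) for h in trusted_hop(msg)):
        findings.append("brand-absent-from-trusted-received")

    # 3. Nothing readable in the HTML body except an image.
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "us-ascii"
            html += part.get_payload(decode=True).decode(charset, "replace")
    if html and not visible_text(html) and re.search(r"<img\b", html, re.I):
        findings.append("image-only-body")

    # 4. Links and images hosted somewhere other than the brand's domain.
    for host in link_hosts(html):
        if not in_domain(host, BRAND_DOMAIN):
            findings.append(f"offsite-link:{host}")

    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_RAW):
        print(finding)
```

Only the topmost Received: header is treated as trustworthy; the lower one, where the sender announced itself with `HELO paypal.com`, is exactly the kind of forgeable content the post warns about, and the script ignores it. Received: formats differ between mail servers, so the regular expressions here are illustrative rather than production-grade; modern mail systems get the same "does this really come from the claimed domain" answer from SPF and DKIM checks.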

Posted on June 11, 2006 at 11:20 AM