November 15, 2007

Phish in the Pool
Sometimes it's hard to tell if a phisher is just stupid, or if he believes enough recipients are stupid enough to fall for the tall tale being told in the message. Today's story has a beginning, middle, and end, on which I'll comment out of order.
In the beginning (where have I heard that before?) is the basic premise from this Amazon impostor. Very usual stuff here:
Dear Amazon member,
The Amazon Review Department has determined that different computers have tried to login into your Amazon.com account, and multiple password failures were present before the logons. We now need you to re-confirm your account information to us. If this is not completed by November 19th, 2007, we will be forced to suspend your account indefinitely as it may have been used for fraudulent purposes. We thank you for your cooperation in this manner and we apologise for any inconveniences.
If online companies, such as Amazon, actually sent out security warnings of this type, the premise part of this phishing message might hold sway. Unfortunately, I'd wager that a majority of Amazon customers might take this advisory as possibly being real because they don't know that Amazon would never send out such a warning. If your account were genuinely compromised (or someone had tried to compromise it by slamming a bunch of passwords at it), the account is quietly suspended; you won't know it until you try to log in (at least this is how PayPal handles it).
At the end of the phisher's story is this reassuring closer:
NOTE: If you received this message in you SPAM/BULK folder, that is because of the restrictions implemented by your ISP. Thank you for your patience in this matter. Amazon.com Review Department.
Well, no. The reason the message (with any luck) appears in your Spam folder is that your ISP saw that the message didn't have the DomainKeys signature that genuine Amazon email messages now carry in their headers. But, again, the typical email user doesn't know about DomainKeys or any other type of sender validation system. It's much easier to blame your ISP for having too aggressive an email filter in place.
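To make the filtering point concrete, here is a small added illustration (my example, not from the post or from any ISP's actual filter) of the first thing a filter can check: does a message whose From: line claims amazon.com carry a DomainKeys or DKIM signature header at all? The two raw messages are constructed samples; the signature value is a placeholder. Only header presence is tested here; a real filter would also fetch the sender's public key from DNS and verify the signature, which this snippet does not attempt.

```python
"""Flag messages that claim a sender domain but carry no DomainKeys/DKIM header.

Added example: checks header PRESENCE only, not signature validity.
"""
from email import message_from_string
from email.utils import parseaddr

# Header names used by DomainKeys (2007 era) and its successor DKIM.
SIGNATURE_HEADERS = ("DomainKey-Signature", "DKIM-Signature")


def claimed_domain(raw_message: str) -> str:
    """Return the domain part of the From: address, lower-cased ('' if absent)."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def missing_sender_signature(raw_message: str, expected_domain: str) -> bool:
    """True when From: claims expected_domain (or a subdomain of it)
    but the message has neither a DomainKey-Signature nor a DKIM-Signature header."""
    msg = message_from_string(raw_message)
    domain = claimed_domain(raw_message)
    if domain != expected_domain and not domain.endswith("." + expected_domain):
        return False  # not pretending to be the domain we care about
    # Message.__contains__ matches header names case-insensitively.
    return not any(header in msg for header in SIGNATURE_HEADERS)


# Constructed sample 1: the phish. Claims amazon.com, no signature header.
PHISH = """From: "Amazon.com Review Department" <review-dept@amazon.com>
To: victim@example.net
Subject: Account confirmation required

Dear Amazon member,
The Amazon Review Department has determined that different computers...
"""

# Constructed sample 2: what a genuine message looks like structurally.
# The b= value is a placeholder, not a real signature.
LEGIT = """DomainKey-Signature: a=rsa-sha1; s=mail; d=amazon.com; c=nofws; q=dns; b=PLACEHOLDER
From: "Amazon.com" <order-update@amazon.com>
To: customer@example.net
Subject: Your Amazon.com order

Thank you for your order.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, "-> missing signature:", missing_sender_signature(raw, "amazon.com"))
```

Run it and the constructed phish is reported as lacking a signature while the constructed genuine message is not. The same check says nothing about a message that does not claim amazon.com at all, which is why the function returns False in that case rather than "suspicious".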
At this point in my story, if you're keeping score, the phisher is actually ahead 2 to 0 against unenlightened email users. That's not good.
I'm happy to say, however, that the middle of the phisher's story gets a little screwy. Because this phishing message was sent as plain text, there is no hiding a real URL behind an HTML link that renders as "http://www.amazon.com". The recipient is instructed to click on the link presented in the message (some email clients turn text that looks like a URL into a clickable link) or enter it into the browser. This is usually where the less-lazy phisher enters a newly-minted domain that has the word "amazon" buried within it to make it look legitimate (such as "confirm-amazon-security.com"). But today's phisher didn't bother. Instead he's using a hijacked web server from South America with a domain name whose primary component is the following:
Anyone who clicks that link believing it connects to Amazon, and anyone who visits the lookalike page and enters username/password data should have Internet privileges taken away or be dragged off to a re-education camp. In this day and age, however, a U.S. victim of this phish will probably sue Amazon for failing to safeguard personal information.

Posted on November 15, 2007 at 04:25 PM