« A Botnet By Any Other Name... | Main | Spear 419ing »

October 21, 2008

I'm always amazed to receive a phishing message aimed at customers of a tiny institution that I had never heard of prior to receiving the message. That a phishing crook bothers to send what should be highly targeted messages to any ol' email address just seems like a waste of even cheap spamming resources. It's the inverse of shooting fish in a barrel—more like shooting fish in the Mediterranean Sea from Mars.

Today a phisher introduced me to an existing online payment system that was news to me. I'm not going to advertise for them, so don't expect me to name the real site here. Wikipedia has an entry for them—for whatever that's worth (hell, someone even put up a now badly-outdated entry for me).

The phishing message consisted of an image (downloaded from a free image hosting service) containing the text of the message. To entice action on the part of the recipient—if he or she should be the one-in-ten-million customer of the targeted institution—the message claimed that the user had to click "here" (anywhere on the image, actually) to acknowledge a few items in the terms of service shown in the image.

I looked over the genuine company's Terms of Service document and saw that the wording for the phishing message sections was copied directly from the real document. Of course no one reads Terms of Service documents (well, I do) or remembers them (well, I don't) to recognize whether something showing up in an email message reflects changes to the original. But the key point is that by copying verbatim from official documents, the phishing message used terminology that was localized to the institution (the first time I've heard of withdrawals or payments referred to as "spends"). Thus, if our Martian's bullet should find a Lusitanian toadfish off the Moroccan coast, the fish would recognize the ammunition.

Upon safely checking the phishing site, I found the usual form requesting login credentials. In an effort to make the phishing page look official (the layout reproduction was very well done), a CAPTCHA image is displayed. The format and look of the image is identical to the type used by the real web site's login page. The big difference, however, is that unlike real CAPTCHA images, this one doesn't change with subsequent reloading of the page. It's the same darned "2015" every time, whereas the real site's CAPTCHA image changes with each reload, as it should. Unfortunately, I doubt many potential phishing victims would know to test for this behavior.

The phishing site is being hosted through an Afghan ISP. In the site's source code, I also found a pointer to an Indian site where the well-crafted page originated. I don't think the Indian phishing kit creator wanted that kind of advertising. Oopsie.

Oh, and the Indian original fake site had the same CAPTCHA image.