January 13, 2009
Interesting Phishing Angle
I don't recall having seen the trick that turned up in a PayPal phishing message I received today. If a phisher can get his message into your inbox, his next goal is to get you to fill out a form with your username and password (if not even more personal data).
At the same time, more consumers may be heeding advice about not clicking on links in email messages because they can be spoofed to lead to bad places that imitate good places. What first struck me about today's phishing message was that there was no link of any kind in the body:
Subject: 1 new e-mail successfully added
Dear PayPal member,
You have added [removed]@sbcglobal.net as a new email address for your PayPal account.
If you did not authorize this change, check with family members and others who may have access to your account first. If you still feel that an unauthorized person has changed your email, submit the form attached to your email in order to keep your original email and restore your PayPal account.
Thank you for using PayPal!
The PayPal Team
Please do not reply to this email.
This mailbox is not monitored and you will not receive a response.
Copyright © 1999-2009 PayPal. All rights reserved.
PayPal Email ID PP007
I've removed the sbcglobal.net account name just in case it's a legitimate address belonging to a non-criminal. Of course, any phishing expert would realize that the message didn't address the recipient by name, which PayPal's real messages do.
So then I went to check out the attachment. The file is named:
Now, a lot of non-techy Windows users still have the default preference set to not display filename extensions. All that setting does, however, is hide the last extension; if the name carries more than one, the earlier ones still show. Therefore, a Windows-using recipient seeing the attachment might think it's an Adobe Acrobat file. They might also not know that a PDF file can be loaded with malware, but might trust it anyway, and open it up. When they do, the HTML file will open in their default web browser (and we know which one that will be).
The attachment is properly base64-encoded, and is, indeed, an HTML file—but a file with nothing but a blank document and a <meta> refresh tag, which causes the browser to redirect immediately to a URL whose web page can look like anything...including a phony PayPal login page.
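A mail-filter check for the two tells described above (a body with no link at all, and an HTML attachment hiding behind a double extension whose only content is a meta refresh), as an added example that is not part of the original post. The sample message, the attachment name and the redirect URL are constructed placeholders, not the values from the real message.

```python
import base64
import email
import re
from email import policy

# Constructed sample mimicking the structure the post describes: no link in the
# body, plus a base64 HTML attachment with a double extension. Placeholder values.
HTML_PAYLOAD = ('<html><head><meta http-equiv="refresh" content="0;url='
                'http://phish.example.invalid/login.html"></head><body></body></html>')
SAMPLE_EMAIL = (
    "From: service@paypal.example.invalid\n"
    "Subject: 1 new e-mail successfully added\n"
    'Content-Type: multipart/mixed; boundary="XYZ"\n'
    "\n--XYZ\n"
    "Content-Type: text/plain\n\n"
    "Dear PayPal member, submit the form attached to your email.\n"
    "--XYZ\n"
    'Content-Type: text/html; name="restore_account.pdf.html"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="restore_account.pdf.html"\n\n'
    + base64.b64encode(HTML_PAYLOAD.encode()).decode() + "\n"
    "--XYZ--\n"
)

# Matches <meta http-equiv="refresh" content="N;url=..."> and captures the URL.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
    r'content\s*=\s*["\']?\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)',
    re.IGNORECASE,
)


def analyze_message(raw):
    """Flag the two tells from the post: a link-free body, and an HTML attachment
    hiding behind a double extension whose only job is to redirect."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body else ""
    report = {"link_in_body": bool(re.search(r"https?://", body_text)),
              "attachments": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        exts = name.lower().split(".")[1:]
        # Explorer hides only the final extension, so "x.pdf.html" shows as "x.pdf".
        double_ext = len(exts) >= 2
        m = META_REFRESH.search(part.get_content()) if exts and exts[-1] in ("html", "htm") else None
        report["attachments"].append({
            "filename": name, "double_extension": double_ext,
            "shown_as": name.rsplit(".", 1)[0] if double_ext else name,
            "redirect_url": m.group(1) if m else None})
    return report
```

An attachment flagged with both double_extension and a redirect_url is a strong candidate for quarantine, since a genuine form would carry its own content rather than bounce the browser elsewhere.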
Fortunately for this particular message, the destination URL was already disabled when I tried to check it. That may be because the URL had been used for other nefarious purposes earlier:
http://[removed DSL location]/stimulus/refund/refund.html
Yes, the URL appears to have been used for a phony IRS economic stimulus refund phishing scam. Once a crook, always a crook, I guess.
The real bottom line of this exercise is that the more frightening-sounding the Subject: line and the bigger shot of adrenalin that rushes through you when reading an unexpected email message, the more likely it's a complete scam. Phishers, other scammers, and spammers want to drive you to act. If you let them pull your strings, yank your chain, get you to jump, they've won. If you can't filter out their messages before they get to your inbox, then your best defense is to not even let them know you're alive. Ignore-ance is bliss.
Posted on January 13, 2009 at 02:58 PM