A Dispatch

August 21, 2009

Phish Are Jumpin' and the Rotten is High

A couple of days ago, I was thinking to myself that I hadn't seen much in the way of phishing email come this way recently — or at least phishing messages that made it through my primary bit-bucket filter. Heaven knows what's in all those thousands of misaddressed messages aimed at my other domain each day. But, as people who live in changeable weather cities say, "just wait a minute and it will [whatever-it's-not-doing-now]".

Each of the three messages can serve as a prototype of different types of phishers. All may be first-timers trying to make a quick buck. Only one of them has any sense, limited though it may be.

Exhibit A is a PayPal phishing message written by someone whose English is, well, less than stellar. Claiming to be alerting me about a message concerning my PayPal account (Subject: You have a new message alert to view in your account !), the message body begins inauspiciously:

Departament Of PayPal


Exhibit B attempts to get the attention of Bank of America customers with the following:

Subject: BankofAmerica Account blocked

The message body of this HTML-formatted message begins with a Bank of America image fetched directly from the bank's server. But then the sending software failed this crook, leaving out almost all of the rest except for notice of the bank being an Equal Housing Lender. No links. No URLs. In other words, this guy is technically challenged. He assumes computers always do what you think they should do. Why bother with an innocuous test run to make sure it's working before sending out huge batches?


Exhibit C is an Amazon.com phish. I suppose I have to give credit to the crook for following the phishing kit instructions to the letter. He didn't screw with the well-written text, which includes one of those double mind-bend tricks of putting potential blame on the recipient:

  • If you received this notice and you are not an authorized Amazon account holder, please be aware that it is in violation of Amazon policy to represent as an Amazon user. Such action may also be in violation of local, national, and/or international law.
  • Amazon is committed to assist law enforcement with any inquires related to attempts to misappropriate personal information with the intent to commit fraud or theft.
  • Information will be provided at the request of law enforcement agencies to ensure that perpetrators are prosecuted to the full extent of the law.

This guy also went to the trouble of a double web site hijack. The first was to place a redirector page inside a legitimate French company's site. Redirection (via the old meta REFRESH tag trick) takes you to a compromised Colorado-based metal art site.

Well, it will for most, but not Mac users. You see, our crook followed some bad advice about how to redirect using hexadecimal numbers for numeric IP addresses. Macs (at least in Firefox and Safari) don't do those types of URLs, so the redirection fails. Also, the URL, in both hex and decimal equivalents, quickly got onto the phish blocking services employed by modern browsers.


So, phishing kids, leave crime to the real criminals. And be sure to tell your dorm-mates that phishing is best left to the professionals.

Posted on August 21, 2009 at 11:03 AM