
Classic spam: Gone phishing

The bottom line: Internet crooks can use trickery to get you to surrender valuable personal information such as usernames, passwords, and banking information. You can protect yourself against nearly all such attacks by remembering one simple rule: Do not click on any links found in any e-mail messages from "your bank", "your auction website," etc. Log in to these institutions yourself using known-good links (typed in by hand or retrieved from your bookmarks), and then proceed from there to investigate the problems mentioned in the messages.

In a sense, the messages on this page aren’t spam. They are something FAR worse. They are GROSS DECEPTION, FRAUD and ATTEMPTED THEFT.

These examples illustrate a more criminal cousin to spamming known as “phishing,” in which the perp casts his lines among millions of potential suckers to see whether some will bite and surrender personal information — names, e-mail addresses, account names and passwords, and even credit card numbers or other “funding sources.”

There are some technical tricks involved (as we will see), most of them borrowed from more conventional spamming, but mostly the phisher relies on what hackers call “social engineering:” exploiting the ignorance, carelessness, or gullibility of susceptible members of the population.

“...teach a man to phish, and he’ll (ch)eat for a lifetime.”

Here’s how the phish game works: you get a bulk-delivered message purporting to be from some big business with which you might (but might not) have regular dealings. Online payment services like PayPal and even large retail banks (as below) are often impersonated or “spoofed,” as is eBay. The message typically informs you of “problems” with “your account” without specifically identifying either the problem or the account (indeed, your name or e-mail address may not even appear in the message at all). You are usually given a web link that will supposedly take you to the institution’s login page, but that actually takes you to a website under the control of the phisher. If you fill in the proffered form, the minute you hit “submit,” your info is on its way to the phisher’s database, whence he can use it or sell it to other crooks.

You might think (as I would have) that such a scam could only trap the stupid, but this is definitely not the case. My own first encounter with phish mail (spoofing eBay) was a scary and potentially expensive learning experience: I fell for it and entered my eBay name and password. Almost immediately, I realized what I’d done, and scooted right over to eBay to change my login. Fortunately, no damage was done, but it was a very close call (I am a very infrequent user of eBay, and I don’t have payment information stored in my account, so at worst the crooks could have done no more than place a couple of bogus and easily-cancelled bids in my name).

Now, I could be among the stupid (I hope not), but I do have a fair amount of internet experience (as well as life experience in general), so if this trick could catch me, I’m sure that it can bag many others less well-informed.

Why am I getting phished?

Upon receiving a phish mail, some folks suspect that they have somehow been specifically and personally targeted (e.g., “I get one of these every time I bid on eBay”). This is generally not true; the phisher simply mailed to you because your address is one of the thousands or millions appearing in his list.

Above all, don’t worry that the phisher has somehow already gotten hold of your account information or is somehow tracking your activities on the net; this is quite unlikely. The phisher is simply following the example of the spammer, who blankets the world with his mail even though he knows full well that only a tiny fraction of recipients will be gullible enough to respond. Phishers use the same kind of “scraped” or harvested address lists as the spammers do.

From where you sit, it may seem stupid for a phisher to send you a mail regarding your National Bank of Podunk account when you know that you have no such account; however, if you are smart enough to know this, you are simply not part of the phisher’s intended audience. He expects that the vast majority of the recipients will simply delete or ignore the mail, but that some small group of recipients (i.e., those who do have such accounts, and are naive enough to follow his instructions) will give him what he wants.

Morphology of phishing spam

Phishing has evolved quite a bit over the couple of years that it’s been around. At first, many of the attempts were clumsy and made themselves rather conspicuous (such as by embedding or attaching actual login forms in the e-mail message, a huge security no-no that no reputable firm would attempt). There was also a spate of phishers who actually did direct you to the proper bank or institution, but were able to exploit the leaky and overcoded security systems of these firms to “eavesdrop” on the sucker’s login and capture the name and password.

Since then, the volume of phishing has gone down quite a bit, as the duffers have fallen by the wayside (or perhaps have been apprehended by law enforcement). So, we are now left with the more expert and sophisticated phishers who don’t try to hack the banks’ websites and don’t make such glaring errors.

Nowadays, the phishers’ messages usually are simple notices dressed up to look as though they came from the institution in question, and contain links that the suckers are supposed to use to reach eBay, PayPal, or their bank; instead, these links actually take them to the phishers’ own websites.

On these sites, the phishers will copy the spoofed firm’s website layout as closely as they can, even going so far as to include graphics, info links, and navigational JavaScripts (and even warnings about phishing!) found on these institutions’ sites. Some enterprising phishers will even make up host names or even domain names for their sites that are very close to that of the institution they’re spoofing (as we shall see in the cases below). The sites are often hosted at a number of different IP addresses, and DNS manipulation is used to “rotate” these sites very rapidly so as to make it difficult for investigators to find them and get them all shut down.

Much of this phishing comes from offshore, from folks who aren’t fluent in English; so, if you get cranky about poor English usage and syntax (as do I), this kind of intuition may help clue you in that such messages aren’t what they claim to be.

Examples of phishing spam

In any case, let’s now step over to the aquarium and take a closer look at some live and typical examples of phish mail.

Phisher spoofs a retail bank (Citibank)

Our first example purported to be from the big retail bank Citibank. Here’s how the mail looked in Microsoft Outlook:

At top left, the perps have used a pair of authentic Citibank logos, both of them GIF files taken from Citibank websites and embedded into the message packet in MIME parts, and then pulled into the visible message using cid: links. Embedding images in the message packet in this fashion is a pretty good indication of evil intent, since most honest mailers (including, one presumes, the real Citibank) would have served these images from their own web servers using standard http: URLs.

The message text is not obviously fraudulent, but it does contain some troublesome bits of English usage that no careful copy editor would allow into a big national bank’s correspondence: for instance, “updrade” for “upgrade,” “guaranty” for “guarantee,” “could not be replyed,” and “To take an advantages of current updrade you should login your account.”

I’m reaching a bit, but this suggests a Russian involvement: native Russian speakers who aren’t fully proficient in English often omit articles (like “a”, “the”, “those,” etc.), since these are not used in Russian. They might also be likely to use spellings of words that are not familiar to native U.S. English speakers (like “guaranty” for “guarantee”).

Now, let’s look at the HTML source for further insights:

<head>

<style type="text/css"><!--
body,td {font-family: Arial; font-size: 11pt; background-color: #FFFFFF; color: #000000; }
--></style>
</head>

<body bgcolor="#FFFFFF" link="#0000FF" alink="#0000FF" vlink="#0000FF" text="#000000" bottommargin="15" leftmargin="0" marginheight="0" marginwidth="0" rightmargin="0" topmargin="15">
<!-- V24C --><div align="center"><table cellpadding="0" cellspacing="0" border="0" width="80%" height="80%">
<tr><td align="left" valign="top" width="100%" height="100%"><div align="left">
<img src="cid:citilogo.gif" border="0" height="44" weight="61"><br>
<img src="cid:cblogo.gif" border="0" height="30" weight="146"><br>
</div><div align="justify"><br><b style="font-size: 12pt;">Dear CitiBank member,</b><br><br>
We are looking forward to your assistance and understanding and inform you about new
CitiBusiness<sup style="font-size: 10pt;">&reg;</sup> department system updrade performed by security management team in
order to protect our clients from increased online fraud activity, unauthorized account
access, illegal funds withdrawal and also to simplify some processes.<br>
&nbsp;<font color="#FFFFFF" size="1">elL7NN1L3XElYV1zOh0KhWemmRAtVFV92HhPvtDzgtVfeXN
3fONwL3U9WvqQal1c4t3ABH9RZ57d3Wgt</font>
<br>
The new updated technologies guaranty convenience and safety of CitiBusiness<sup style="font-size: 10pt;">&reg;</sup> account
usage. New services for your account will be effective immediately after an account
confirmation process by a special system activation application.<br>
&nbsp;<font color="#FFFFFF" size="1">L5Oy9JH5f9XpvYDAhHaRnjJnpRCtOTLBYB98kQeB0b1waF
6qlhjJB591XKvLEhnDTxLfn0PocRVlx1NT</font>
<br>
To take an advantages of current updrade you should login your account by using
CitiBusiness<sup style="font-size: 10pt;">&reg;</sup> Online application. For the purpose please follow the reference:<br><br>
<a href="http://citibusinessonline.da-us.ciflbank.com/cbusol/signon.do" target="_blank">https://citibusinessonline.da-us.citibank.com/cbusol/signon.do</a><br><br>
Please note that changes in security system will be effective immediately after relogin.<br>
&nbsp;<font color="#FFFFFF" size="1">t9EUeNVczpYeTmQBUEPiEHIQzEe7G21ZbGTpuOC4gBiY
YaATNpdt8WjTAzOgBQfMx9d2YO7fppdoBMtp</font>
<br>
Current message is created by our automatic dispatch system and could not be replyed.
For the purpose of assistance, please use the "User Guide" reference of an original CitiBusiness<sup style="font-size: 10pt;">&reg;</sup> website.<br>
&nbsp;<font color="#FFFFFF" size="1">evTlqe51MUtoLydjHplGguVGU85vWnWbTPyj4DlRyEtjc
EW1zcvuToDZVAmQKgHjBLXXFvCXPNtuTovt</font>
<br>
Thank you for using our services,<br>CitiBusiness<sup style="font-size: 10pt;">&reg;</sup> Security Team.<br>
&nbsp;<font color="#FFFFFF" size="1">B0Mupquk1QcM8U8IG5HkBiiq8LWQcq9NrXiRnMepEqeL
klw2rdn4xHvFurwHTGvlDNe2CttgUT3f4Atx</font>
<br>
</div></td></tr></table></div><!-- MGBjn70TzwArc5OPU3TwwlMq4QH9qZGfFhz3nAWX6xp
iDfaxi34PoQhuIYDaYi -->
</body>
</html>

The HTML is “packed” into long lines, which makes it somewhat difficult to read. However, we can make out that the phisher is using a simple “bait-and-switch” tactic to disguise his website link (compare the HREF attribute of the <A> tag above with its anchor text). The visible anchor text (the link as it appears in the mail client) gives the link as

https://citibusinessonline.da-us.citibank.com/cbusol/signon.do

which is a working and valid URL for Citibank. The actual link (in the HREF field of the <A> tag) is

http://citibusinessonline.da-us.ciflbank.com/cbusol/signon.do

They look pretty similar at a casual glance, but if you study them closer you will see that the visible link uses https: while the actual link uses plain http:, and that the domain in the actual link is ciflbank.com rather than citibank.com (the “ti” has become “fl”).

One other odd feature of this message is the numerous bits of gibberish text and extraneous HTML comments (the white, size-1 <font> runs and the comments in the source above). Normally, this is the kind of thing you would find in a more conventional spam message, where it would be used to break up or dilute spammy text, but I’m not sure why it is used here (since this message doesn’t look terribly spammy, or at least isn’t supposed to). On the other hand, the fact that the phisher colors the bogus text strings the same as the background (white) and makes them a very small size (size 1) would tend to attract the attention of a good spam filter, so the phisher could be too smart for his own good here.

If I were in law enforcement, my first avenue of attack in pursuing this particular fraudster would be to track down his web service. We can look at his domain registration info (since he’s taken out a domain name for his site), as well as where he has hosted the site (i.e., at what IP address).

Here’s the domain registration info for ciflbank.com, obtained from a whois lookup:

alu-g4pb:~ rconner$ whois ciflbank.com

 [...snip...]

domain: ciflbank.com
owner: Arthur Logan
organization: Logancomp
email: sonjoarde@earthlink.net
address: 10A Perry CR
city: Annapolis
state: MD
postal-code: 21402
country: US
phone: 619-865-2021
admin-c: sonjoarde@earthlink.net#0
tech-c: sonjoarde@earthlink.net#0
billing-c: sonjoarde@earthlink.net#0
nserver: ns.iordns.com
nserver: ns1.iordns.com
nserver: ns.endns.org
nserver: ns1.endns.org
nserver: ns.zxdns.org
nserver: ns1.zxdns.org
status: lock
created: 2006-03-01 02:19:49 UTC
modified: 2006-03-14 01:51:42 UTC
expires: 2007-02-28 21:16:44 UTC
source: joker.com live whois service

The postal address appears to be valid, but it is located on the grounds of the U.S. Naval Academy (just a couple of miles from my office where I received this mail). The phone number has an area code assigned to cell phones in the San Diego, California area, although this by itself wouldn’t be suspicious (given the current mobility of cell phone numbers). Still, I regard this registration with great suspicion. The domain was registered with Joker.com just days before the phish mail was sent; as I write, the registration has been placed on hold by Joker, who for once is taking some responsibility for the actions of its customer.

When I first looked into this message, the web host name citibusinessonline.da-us.ciflbank.com resolved to 202.76.169.30, which is assigned to an Australian ISP. It seems to have been offline (“404”) at the time I checked it. When I checked later, the site had reappeared at another address 80.191.148.140, part of a small (CIDR /24) block assigned to Mahdi Net, apparently an ISP from Iran. The site was still available when I used this IP address rather than the host name (after Joker pulled the DNS info for the domain), but with good luck very few potential victims will get to it because of the deactivated domain name.

Now, here’s the relevant portion of the header of the message, so we can see how it got sent to me. The first header line indicates that the message came from 219.104.141.36, assigned to the infoweb.ne.jp domain; possibly this is a zombie machine, so tracing it down might yield little information on the phishers themselves. The second line is an obvious forgery (although it does include the proper PTR (reverse-DNS) name for the 219.104.141.36 address).

Received: from -1208894744 (unverified [219.104.141.36]) by
  EXANPCN14.arinc.com (Content Technologies SMTPRS 4.3.19)
  with SMTP id <T77092cf4cd0af30335f78@EXANPCN14.arinc.com>
  for address hidden; Wed, 15 Mar 2006 07:17:29 -0500
Received: from citibusinessonline.com
  (-1215226424 [-1215002976])
  by ntkyto024036.kyto.nt.ftth.ppp.infoweb.ne.jp (Qmailv1)
  with ESMTP id 331240A032
  for address hidden; Wed, 15 Mar 2006 07:26:11 -0500
Date: Wed, 15 Mar 2006 07:26:11 -0500
From: CitiBusiness Security Team <securityteam@citibusinessonline.com>
X-Mailer: The Bat! (v2.00.4) Personal
X-Priority: 3
Message-ID: <8610902026.20060315072611@citibusinessonline.com>
To: address hidden
Subject: CitiBusiness department security system update alert
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----------1C802069E000825"
X-AntiVirus: checked by AntiVir MailGate (version: 2.0.1.5; AVE: 6.17.0.2; VDF: 6.17.0.5; host: ntkyto024036.kyto.nt.ftth.ppp.infoweb.ne.jp)
Return-Path: securityteam@citibusinessonline.com
X-OriginalArrivalTime: 15 Mar 2006 12:27:12.0820 (UTC) FILETIME=[C9826F40:01C6482B]
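The header reading above can be mechanised. This is an added example, not code from the original page: it unfolds the Received: lines, walks them from our own mail server downward, and treats only the first hop stamped by a trusted host as believable; the HEADERS string is a constructed copy of the block quoted above, and the trusted suffix (arinc.com here) is assumed to be the reader’s own mail server domain.

```python
import re

# Constructed copy of the header block quoted above (the recipient address
# is left hidden exactly as on the page).
HEADERS = """Received: from -1208894744 (unverified [219.104.141.36]) by
  EXANPCN14.arinc.com (Content Technologies SMTPRS 4.3.19)
  with SMTP id <T77092cf4cd0af30335f78@EXANPCN14.arinc.com>
  for address hidden; Wed, 15 Mar 2006 07:17:29 -0500
Received: from citibusinessonline.com
  (-1215226424 [-1215002976])
  by ntkyto024036.kyto.nt.ftth.ppp.infoweb.ne.jp (Qmailv1)
  with ESMTP id 331240A032
  for address hidden; Wed, 15 Mar 2006 07:26:11 -0500
From: CitiBusiness Security Team <securityteam@citibusinessonline.com>
"""

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def unfold(headers):
    """Join RFC 822 continuation lines (those beginning with whitespace)."""
    out = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def received_hops(headers):
    """Received: lines top-down (the hop nearest to us first), as dicts
    holding the claimed HELO name, the stamping host and the bracketed IP."""
    hops = []
    for line in unfold(headers):
        if not line.lower().startswith("received:"):
            continue
        m_from = re.search(r"\bfrom\s+(\S+)", line)
        m_by = re.search(r"\bby\s+(\S+)", line)
        m_ip = BRACKETED_IPV4.search(line)
        hops.append({"helo": m_from.group(1) if m_from else None,
                     "by": m_by.group(1) if m_by else None,
                     "ip": m_ip.group(1) if m_ip else None})
    return hops

def origin(headers, trusted_suffix):
    """Walk downward from our own mail server: the first hop stamped by a
    trusted host carries the only IP we can believe. Every hop below it was
    written by the sender and may be forged."""
    hops = received_hops(headers)
    for i, hop in enumerate(hops):
        if hop["by"] and hop["by"].lower().endswith(trusted_suffix.lower()):
            return hop["ip"], hops[i + 1:]
    return None, hops
```

For this message origin(HEADERS, "arinc.com") yields 219.104.141.36, while the lower hop comes back with no parseable IP at all, which is the forgery the text points out.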

Phisher spoofs eBay

This more recent example shows the phisher trying to spoof the popular internet auction house eBay. Here, reviving an elderly eBay phish gambit that was fairly widespread a couple of years before, the phisher sends you what appears to be a question from a bidder, and encourages you to press the button within the e-mail message in order to log on to eBay and reply. If you use the login page provided at this link, your username and password will be captured by the phisher, as well as any more sensitive info (credit card numbers, bank accounts, PayPal info) accessible from your eBay account.

I extracted the HTML from the message body and displayed it in a web browser:

This message looks a lot less suspicious than the Citibank example, but this is mainly because the phisher has simply copied most of the markup and image links directly from legitimate eBay mailings, inserting only a small bit of original content (mainly the info about the “auctioned item” and the message from the “bidder”). At the top, the message gives the eBay user name for which the message was intended, but it isn’t mine (and probably not yours, either).

The payload of this phish message is found in the markup for the orange “respond now” button (and in several other hyperlinks within the message):

<A onclick="return ShowLinkWarning()" href="http://www.signin-ebay-com-very.land.ru/eBay.html" target=_blank _ border="0"><IMG height=32 alt="Respond Now" src="http://pics.ebaystatic.com/aw/pics/buttons/btnRespondNow.gif" width=120 border=0></A>

As you can see from the HREF target, if you click on this link you will be sent not to eBay but to a server in the land.ru domain, suggesting that this, too, is a Russian-originated phish job (indeed, the address of this host was found in a Russian ISP’s net block). In the screen shot, you can see that the browser shows us this same URL in the status line (bottom of window) when we hover over the link with the mouse (sorry, my mouse cursor is not visible in this screen shot). So, make sure your own browser’s status line is turned on and that you check it carefully before clicking on untrusted links.

If you had visited this site, you would have seen what looked like an authentic eBay login page; but, had you scrolled down to the bottom of the page, you would have found a couple of Russian-language banner ads (which should have aroused quite a bit of suspicion in those who were foolish enough to get this far with the transaction).

The link includes a call to a JavaScript function called ShowLinkWarning() (that no doubt posts a warning to be careful with the link), but since this script is not available to the page (its source is not found in the message itself, and the message does not link to any external script files), the call apparently fails silently.
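Both the Citibank bait-and-switch link (with its hidden white text) and the eBay “Respond Now” button can be caught with the same checks. This is an added example, not code from the original page: it parses the mail’s HTML, flags any anchor whose visible label is a URL on a different host than its HREF, flags any link that leaves the domains the mail claims to come from, and collects text runs painted the page’s background colour at size 1. The CITI and EBAY strings are sample inputs assembled from the markup quoted on this page; the claimed-domain sets are assumptions supplied by the caller.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class PhishMailParser(HTMLParser):
    """Collect every <a> (href plus what the reader sees) and any text run
    painted the same colour as the page background at font size 1."""
    def __init__(self):
        super().__init__()
        self.bg = "#FFFFFF"            # default until a <body bgcolor> is seen
        self.links, self.hidden = [], []
        self._a, self._fonts = None, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "body":
            self.bg = a.get("bgcolor", self.bg).upper()
        elif tag == "a":
            self._a = {"href": a.get("href", ""), "text": ""}
        elif tag == "img" and self._a is not None:
            # an image link shows only its picture, so record the alt text
            self._a["text"] += "[img alt=%s]" % a.get("alt", "")
        elif tag == "font":
            self._fonts.append(a.get("color", "").upper() == self.bg
                               and a.get("size") == "1")

    def handle_endtag(self, tag):
        if tag == "a" and self._a is not None:
            self.links.append(self._a)
            self._a = None
        elif tag == "font" and self._fonts:
            self._fonts.pop()

    def handle_data(self, data):
        if self._a is not None:
            self._a["text"] += data
        if self._fonts and self._fonts[-1] and data.strip():
            self.hidden.append(data.strip())

def host_of(url):
    return (urlparse(url.strip()).hostname or "").lower()

def under(host, domain):
    return host == domain or host.endswith("." + domain)

def audit(html, claimed_domains):
    """Return (link findings, hidden text runs). claimed_domains is the set
    of domains the mail claims to come from, e.g. {"citibank.com"}."""
    p = PhishMailParser()
    p.feed(html)
    findings = []
    for link in p.links:
        dest, shown = host_of(link["href"]), link["text"].strip()
        # bait-and-switch: the label is itself a URL, but points at another host
        if shown.lower().startswith(("http://", "https://")) and host_of(shown) != dest:
            findings.append(("label/href mismatch", shown, dest))
        # the link leaves the brand's own domains entirely
        if not any(under(dest, d) for d in claimed_domains):
            findings.append(("off-brand destination", shown, dest))
    return findings, p.hidden

# Sample inputs: the anchors and one hidden <font> run quoted on this page.
CITI = """<body bgcolor="#FFFFFF">Dear CitiBank member,<br>
&nbsp;<font color="#FFFFFF" size="1">elL7NN1L3XElYV1zOh0KhWemmRAtVFV92HhPvtDzgtVfeXN</font>
<a href="http://citibusinessonline.da-us.ciflbank.com/cbusol/signon.do" target="_blank">https://citibusinessonline.da-us.citibank.com/cbusol/signon.do</a></body>"""
EBAY = """<A onclick="return ShowLinkWarning()" href="http://www.signin-ebay-com-very.land.ru/eBay.html" target=_blank _ border="0"><IMG height=32 alt="Respond Now" src="http://pics.ebaystatic.com/aw/pics/buttons/btnRespondNow.gif" width=120 border=0></A>"""
```

audit(CITI, {"citibank.com"}) reports both a label/href mismatch and an off-brand destination on ciflbank.com plus the hidden string, while audit(EBAY, {"ebay.com"}) reports the button’s off-brand destination on land.ru.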

This phisher actually was too greedy for his own good, since he sent me six copies of this same message in rapid succession, all pointing to the same spoofed eBay site and all originating from a Chilean ISP’s net space using direct-to-MX mailing. Now, you might be tempted to click on the link if there were only a single message, but getting six identical mailings in a row ought to make even the most innocent mail user a bit suspicious.

Dealing with phish spam

From the point of view of the spam investigator, phish mails usually aren’t much different than other kinds of spam; there’s an originating mail host to be found and reported, and then there are one or more web links to be identified, traced down and LARTed as well.

Generally, when I receive phish mail, I try to escalate my response beyond what I would do for normal spam. I figure that the most important thing is to get word to hosting providers as quickly as possible that they are harboring criminals in their midst, so I will often send a personal message (rather than the pro-forma SpamCop report on which I usually rely). Many other people do the same thing, so in most cases these sites are very quickly shut down. Occasionally, however, the phish websites are hosted by what appear to be gangs of crooks with their own IP blocks; in such cases, it is best to find the upstream provider for these blocks and report the activity to this provider instead.

Summing up

In closing, I suggest that the dark cloud of phishing may have a small silver lining: this new nexus between spam and crime may raise spam’s threat level and thereby actually hasten the day when spam will be effectively dealt with by providers and by law enforcement. It’s one thing to get a penis-enlargement spam or other stupid sales pitch (which you can easily ignore), but it’s quite another to have a thief knock at your door and use gross deception to try to steal your personal info.





(c) 2003-2007, Richard C. Conner ( )


Updated: Sat, 18 Aug 2007