09 August 2006

The dilemma of phishing…

OK, so I'm a pretty computer savvy guy.
I like FISHING, but these PHISHING attempts drive me crazy!
I don't get fooled by these phishing messages... never have... hopefully never will.  I got the following email from someone claiming to be Fifth Third Bank.
The above email supposedly was sent from online_support_id_2821853.cust@53.com.
I sincerely doubt the existence of such an email address, though the domain is valid.  The actual return path of the message is alt@0451.com.
Anyway, normally when I get these kinds of messages and when I check their sites, the sites have been taken down already.  Not this time.  Either these hackers are finding ways to stay up longer or my email address has moved to the front of the "who to hack" queue.  Whichever it is, it's not good!
One can generally tell it's a phishing message because there are some dead giveaways.  Grammar is always the prime one.  Most of these phishing messages originate behind what used to be the iron curtain i.e. former Soviet states.  Any country where police enforcement of online issues is hampered by normal crime figures being high, is a prime location for these hackers to base their operations from.  As such, English isn't their first language and grammar is usually poor, resulting in a dead giveaway as to the message's illegitimate source.
If you look at the email, you will notice that they are getting better and better at it though.  The logo, stolen directly off the bank's web site at #1 makes it look legitimate.
The URL, with a very valid domain component, lends itself more to fooling the user into believing the email to be valid as in #2 and they even include the copyright footer information in #3.
The only indication of something fishy (excuse the pun) going on is at #4 and #5 where the grammar of the email is not as perfect as one would expect.
One thing that set this message apart from others is the fact that they didn't just put the link in the message... instead, they encapsulated the entire message in a link object and as a result, clicking ANYWHERE in the message pops open the site as follows:
Looking at the phishing site, at #1 you can see that the URL mimics that of the real 53 Bank site.  The only difference being that between ".com" and "wps" is a "." instead of a "/" as on the real site.  The same goes for "wps" and "portal".  It would be so easy for a novice user to miss that and think the site is real.
To add to the effect, the "Privacy & Security" link even points to the valid location on the 53.com site.
Of course what these hackers are really after is your information as in #3.
Providing them your full name, state, ID and password enables them to log on to your account.  The next thing they will attempt to do is change your password so as to lock you out of the account.  They may require a security verification code to do that.  The most common code people use is either their pet's name or their mother's maiden name à la #7 and #8 on the form.  With that information in hand, they can pretty much clean your account out.  Bastards!
If you look at the 53 Bank site as follows:
You will notice the logo at #1, which was stolen and used on the phishing email and site.
Furthermore, at #2 you will notice the URL that was mimicked on the phishing site.  The real URL being:
while the phishing URL was:
Notice the subtle differences? 
Oh, and of course the "Privacy & Security" link, also stolen for the phishing site...
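The "." instead of "/" trick and the From/Return-Path mismatch described above can both be checked mechanically. The following is an added example, not part of the original post; the two URLs are constructed for illustration (example.net is a placeholder, not the real phishing host), while the two email addresses are the ones quoted earlier.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

def host_of(url):
    """Return the hostname the browser would actually connect to."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def classify_link(url, trusted_domain):
    """Classify a link as 'trusted', 'lookalike' or 'foreign'.

    'lookalike' means the trusted domain's labels appear inside the
    hostname but not at its end, i.e. what should have been path
    segments after a '/' were turned into host labels with a '.'.
    """
    host = host_of(url)
    if host == trusted_domain or host.endswith("." + trusted_domain):
        return "trusted"
    labels, wanted = host.split("."), trusted_domain.split(".")
    for i in range(len(labels) - len(wanted)):
        if labels[i:i + len(wanted)] == wanted:
            return "lookalike"
    return "foreign"

def domain_of(header_value):
    """Extract the lowercased domain from an address header value."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def sender_mismatch(from_header, return_path):
    """True when the visible From domain differs from the Return-Path domain.

    A mismatch is a warning sign rather than proof: some legitimate
    bulk mailers also use a different envelope domain.
    """
    return domain_of(from_header) != domain_of(return_path)

if __name__ == "__main__":
    # Constructed sample URLs (assumptions, not taken from the post).
    real = "https://www.53.com/wps/portal/"
    fake = "http://www.53.com.wps.portal.example.net/login"
    for url in (real, fake):
        print(f"{classify_link(url, '53.com'):9}  {host_of(url)}")
    # Addresses quoted in the post.
    print(sender_mismatch(
        "Fifth Third Bank <online_support_id_2821853.cust@53.com>",
        "<alt@0451.com>"))
```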
So what are we to do?  Law enforcement can't touch these guys.  They set up their sites and break them down so quickly that it's almost impossible to catch them.  The fact that they are sitting in Russia doesn't help either.  Actually, on this one, the site is hosted in Taiwan and the domain owner is a Russian named Fedor Burof.  The WHOIS record for the domain is as follows:
How do we handle such threats to our finances, in fact our lives?  I don't know... I honestly don't have an answer to this one.  I know how to handle it if the guy was in my city, or even my state or country, but the internet has not only exposed all the information we could possibly want to anyone and everyone, it has also made us more vulnerable to such attacks from far, far away.
The only way to counter such threats is to be alert, trust nothing coming in via email, question everything written in email and above all, educate ourselves, so please stay safe...
Later C
