
Phishing Scam

Introduction

Phishing is the criminal practice of attempting to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. eBay and PayPal are two of the commonest targets, but on-line banks are also increasingly popular targets of phishing exercises.

How it Works

Phishing is usually conducted by email and more often than not directs users to a website that masquerades as a genuine site. The term phishing is a variant of fishing and alludes to the use of increasingly sophisticated lures to 'fish' for users' financial information and passwords. Indeed, recent phishing attempts have been targeting the customers of banks and on-line payment services such as PayPal. While the first such examples were sent indiscriminately in the hope of finding a customer of a given bank or service, recent research has shown that phishers may in principle be able to establish which bank a potential victim has a relationship with, and then send an appropriately spoofed email to that victim. This practice of targeted phishing is termed spear phishing.

The majority of phishing methods use some form of technical deception designed to make a link in an email (and the spoofed website it leads to) appear to belong to the spoofed organization. Common tricks are misspelled URLs and the use of subdomains. Another common trick is to make the anchor text for a link appear to be a valid URL when the link actually goes to the phishers' site. A more recent problem with URLs has emerged in the handling of Internationalized Domain Names (IDN) in web browsers, which might allow visually identical web addresses to lead to different, possibly malicious, websites. However, despite the publicity surrounding the flaw, known as IDN spoofing, no known phishing attacks have yet taken advantage of it. Phishers have, however, taken advantage of a similar risk by using open URL redirectors on the websites of trusted organizations to disguise malicious URLs with a trusted domain.

Once the victim has been directed to a website some phishing scams use JavaScript commands in order to alter the address bar. This is done either by placing a picture of the legitimate entity's URL over the address bar, or by closing the original address bar and opening a new one containing the legitimate URL so that the victim believes they are on a trusted website.

In another popular method of phishing, an attacker uses a trusted website's own scripts against the victim. These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank or service's own web page, where everything from the web address to the security certificates appears correct. In reality, the link to the website is crafted to carry out the attack, although it is very difficult to spot without specialist knowledge.

To show you examples of these scams in action, here are emails I recently received:

Scam email starts:

From: info@paypal.com
Subject: Unlock your account
Date: 31 May 2006 14:04:26 BDT
To: dyfed.lloydevans@btinternet.com
Reply-To: info@paypal.com

PayPal
Your account will be suspended !

We are contacting you to remind you that on 30 May 2006 our Account Review Team identified some unusual activity in your account. In accordance with PayPal's User Agreement and to ensure that your account has not been compromised, access to your account was limited. Your account access will remain limited until this issue has been resolved.

To secure your account and quickly restore full access, we may require some additional information from you for the following reason:

We have been notified that a card associated with your account has been reported as lost or stolen, or that there were additional problems with your card.

To securely confirm your PayPal information please go to your PayPal's Update Profile or click on the link bellow:

Click here to activate your account

Thank you for using PayPal!
The PayPal Team

PayPal Email ID PP468

Protect Your Account Info
Make sure you never provide your password to fraudulent websites.

To safely and securely access the PayPal website or your account, open a new web browser (e.g. Internet Explorer or Netscape) and type in the PayPal URL (https://www.paypal.com/us/) to be sure you are on the real PayPal site.

PayPal will never ask you to enter your password in an email.

For more information on protecting yourself from fraud, please review our Security Tips at https://www.paypal.com/us/securitytips

Protect Your Password
You should never give your PayPal password to anyone, including PayPal employees.

This process is mandatory, and if not completed within the nearest time your account or credit card may be subject for temporary suspension.

We encourage you to log in and perform the steps necessary to restore your account access as soon as possible. Allowing your account access to remain limited for an extended period of time may result in further limitations on the use of your account and possible account closure.
Scam email ends

This type of email is very insidious, as it seems to come from PayPal. The logos are all correct and the email address looks correct. However, if you look at the headers for the email you will notice that it actually originates from GFGYGZTAFOCJDYWJLYPRK@hotmail.com; it does not come from PayPal at all!

Moreover, if you look at the HTML source of the message, the link encouraging you to 'Click here to activate your account' actually directs to the web address http://walletorne.com/index.php. So it's not going to PayPal at all! This is a redirect page that takes you to a site that spoofs PayPal and asks you for your login details. If you enter them, the spoof emailer has access to your PayPal account.

Another way of knowing that this is not a genuine email from PayPal is that the PayPal ID is never mentioned in it. All genuine PayPal emails will always contain your PayPal ID.

So that's the first kind of email scam. The next email is a classic bank account scam:

Scam email starts:

From: "Barclays Bank PLC."
Subject: ATM CONTRACT RESOLUTION UNIT
Date: Barclays Online Banking Security Check #06103
To:
Reply-To: support@barclays.co.u


Dear dyings,

As part of our efforts to meet the requirements of the Federal Financial Institutions Examination Council (FFIEC), we now ask all Barclays Online Banking users to confirm their account information. It's a smart and simple way to add an additional level of protection to your account.

Here's how it works:
1. Click here to login.
2. Complete our quick and simple form.
3. Continue with your Barclays Online Banking session.

We may periodically ask you to login into your Barclays Online Banking account as a quick identity check. That way, when you drop in to do business, we'll know it's you.

If you choose not to confirm your account information today, you will have only 3 more chances to do so before it's required to access your account online.

Sincerely,
Barclays Online Banking.

Scam email ends

The header looks correct on this mail and the logo is right, but my name in the email is incorrect. There is no such institution as the Federal Financial Institutions Examination Council, and even if there were it would not apply to a UK clearing bank. Checking the headers of the mail revealed that the return path is dying-to-buy@feral.co.uk. So the mail did not originate from Barclays.

Moreover, the link in the email goes to "http://zidd.com/bbs/data/freeboard/ibank.barclays.co.uk/olb/u/", definitely not a Barclays domain (the genuine Barclays hostname appears only in the path of another site's URL). So this is a phishing email trying to get hold of my bank details.

If ever you get an email trying to get you to a site where you will have to enter personal details, treat it very suspiciously. Repeating the kinds of checks that I've shown here will generally reveal a phishing attempt. If that doesn't settle it, contact the institution by phone. Never use a link in an email to contact any financial institution. Follow these rules and you will protect yourself from phishing scams.
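The checks walked through above (Return-Path versus From, where the 'Click here' link really points, and the subdomain, IDN and open-redirector tricks from "How it Works") in one script, as an added example that is not part of the original page. The message is a constructed sample modelled on the PayPal email, with placeholder hosts under .invalid and .example rather than the scam's real ones, and base_domain's "last two labels" rule is a simplifying assumption (no public-suffix list).

```python
import re
from email import message_from_bytes, policy, utils
from urllib.parse import parse_qs, urlparse

# Constructed sample modelled on the PayPal message quoted above; hosts are placeholders, not the scam's.
RAW_EMAIL = b"""Return-Path: <gfgyg-random@webmail.example.invalid>
From: info@paypal.com
Subject: Unlock your account
Content-Type: text/html; charset=us-ascii

<a href="http://walletorne.example.invalid/index.php">Click here to activate your account</a>
<a href="http://www.paypal.com.confirm.example.invalid/">https://www.paypal.com/us/</a>
<a href="http://xn--pypal-4ve.example/login">Log in</a>
<a href="https://trusted.example.invalid/go?url=http://walletorne.example.invalid/">Security tips</a>
"""

def base_domain(host):
    # Crude registrable domain: the last two labels (assumption: no public-suffix list).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def addr_domain(header_value):
    # Domain of the first address in a header such as From: or Return-Path:.
    return base_domain(utils.parseaddr(header_value or "")[1].rpartition("@")[2])

def check_headers(msg):
    """Flag Return-Path or Reply-To domains that differ from the From domain."""
    return [f"{hdr}: {msg[hdr]} does not match From: {msg['From']}"
            for hdr in ("Return-Path", "Reply-To")
            if msg[hdr] and addr_domain(msg[hdr]) != addr_domain(msg["From"])]

def check_links(html, brand):
    """Flag links that leave the brand's domain or disguise where they really go."""
    findings = []
    for href, text in re.findall(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', html, re.S):
        host = urlparse(href).hostname or ""
        if base_domain(host) != brand:
            trick = " (brand name used as a subdomain)" if brand in host else ""
            findings.append(f"{href}: points to {base_domain(host)}, not {brand}{trick}")
        if text.strip().startswith("http") and urlparse(text.strip()).hostname != host:
            findings.append(f"{href}: anchor text displays {urlparse(text.strip()).hostname} instead")
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append(f"{href}: punycode host, possible IDN homograph of {brand}")
        if any(v.startswith("http") for vs in parse_qs(urlparse(href).query).values() for v in vs):
            findings.append(f"{href}: carries another URL in its query (open redirector)")
    return findings

def analyse(raw, brand="paypal.com"):
    # Run both checks on a raw RFC 5322 message that claims to come from `brand`.
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    return check_headers(msg) + check_links(body.get_content() if body else "", brand)
```

Calling analyse(RAW_EMAIL) on the sample yields eight findings: the Return-Path mismatch, one or two per link.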

Unfortunately this type of fraud is becoming more prevalent, mainly because of the relative ease with which it can be set up and the simplicity of getting unsuspecting people to divulge personal information to the phishers, including credit card numbers, social security numbers and security answers such as mothers' maiden names.

Combating Phishing

The easiest way to combat phishing attacks is to modify users' behaviour by education. The simplest way is to teach users to modify their browsing habits. Users who are contacted about an account needing to be "verified" (or any other topic used by phishers) can contact the company that is the subject of the email to check that the email is legitimate, or can type in a trusted web address for the company's website into the address bar of their browser to bypass the link in the suspected phishing message.

The truth is that nearly all legitimate email messages from companies to their customers contain an item of information that is not readily available to phishers. Some companies, like PayPal, always address their customers by their username in emails, so if an email addresses a user in a generic fashion ("Dear PayPal customer") it is likely to be an attempt at phishing. Emails from banks and credit card companies will often include partial account numbers, and they will always refer to you by name. Always, always be suspicious if the message does not contain specific personal information. Phishers are, however, now increasingly using publicly-available information to address their emails more personally, so it is not necessarily safe to rely on personal information alone as a sign that a message is legitimate.