RE: Phishing (Mug Meeting Topic)
- Subject: RE: Phishing (Mug Meeting Topic)
- From: Fred Showker <email@hidden>
- Date: Mon, 2 May 2005 07:08:50 -0400
John said:
> I would merely like to add that the biggest danger
> of all arises from what some of us call the human
> gullibility virus. This is the basis of virtually
> all phishing activities that are designed to
> steal personal information
I second that. John is exactly right.
IN FACT, I encourage ALL user groups to have a "Phishing" meeting topic.
Gather four or five Phishing spams and trace their
origin, then trace the money trail.
Show how it looks in HTML (Browser) email, but then show
the actual code in a program like BBEdit which "colorizes"
the tags. There, you'll see where the actual link goes.
You could even follow that link and do a screen capture to
show how realistic the scam is engineered.
I get four to six Phishing attempts a day, and I try to
track and report them all.
Here... this one was in this morning's email.
You may have gotten it too...
This email came in coded as HTML, with very convincing graphics
and layout, exactly like one from Citibank...
> Subject: security Center of Citybank
> From: "www.citynational-bank.com" <email@hidden>
However, looking into the headers we find the mail server
from which the mail originated:
> Received: from moon.htlwrn.ac.at (HELO mail.htlwrn.ac.at)
> (193.170.149.251) by littlechiefhugh.com with SMTP; 30 Apr
> 2005 23:43:28 -0000 Received: from ewww.htlwrn.ac.at
> (email@hidden [193.170.149.221])
> by mail.htlwrn.ac.at (8.12.3/8.12.3/Debian-7.1) with SMTP id
> j3UNgvRp011753 for <email@hidden>;
Note the mail is from: mail.htlwrn.ac.at
That's the first giveaway. We see that the Phisher has utilized
an open proxy at a mail server for the School of Technology
Wiener Neustadt, Austria. This email would NOT have come from
CitiBank. So, we know this sender is bogus.
So, let's follow the money trail:
The "action" link within the html said...
> Please follow the link below and login to your
> account<br>and renew your account information <p>
> <a target="_blank" href="http://paypal22.com/scgi.citibank.com.saw-cgi
> .ebayISAPI.dll.ConfirmRegisterInformation.EnterRegisterInfo.
> dll.eBayISAPI.dll.aw-cgi.Verification.html">
> https://www.citizensbank.com/login/login_redirects.asp?lr=cbol&
> page=home</a></p>
Note the "TEXT" of the link looks like a valid citizensbank.com login
link... however the actual HTML LINK goes to paypal22.com, and
is obfuscated by putting the "target" tag before the "href" which
will get around many spam checkers and blockers.
Where will the user's private identity go?
The link says:
http://paypal22.com/scgi.citibank.com.saw-cgi
Which is owned by one
> James Wilson, (email@hidden)
> 6320 Williamsburg Dr, Columbus, GA 31909 US
Which in all likelihood is a forged name and address.
The server for his Phishing site is located at Look.ca,
"Easy Hosting" in Canada.
A second Phishing spam was in the same mail, which was
totally different (eBay) leading us through a different SMTP
server -- BUT to the SAME domain owned allegedly by Mr. Wilson.
So the guy has set up CGI scripts to handle a variety of
Phishing scams.
The sad part of this story is "Easy Hosting" as the ISP could
be called in on the rug by ICANN, and penalized for having
forged information in the Whois. But it would take weeks to
get that complaint through. Except, there's no official
organization or department tracking such violations of
the ICANN rules. So they know no one will be penalized.
Once the scam is reported, and Look.ca is contacted to
identify the perp, law enforcement officials contacted --
the guy has scarfed off all those who actually responded, and
has closed shop and moved on -- untraceable.
DO IT FOR YOUR MEMBERS:
Show a few of these scenarios to your members at the meeting.
Write it up in the Newsletter. If you need an article, I'll
write one for you.
Tell your members to alert and help educate all their friends
and relatives. Particularly the non-web-savvy, the elderly,
and others who are easy prey to such scams.
EDUCATION is the best defense against these online criminals.
I've volunteered to give this presentation at the
User Group University, but get turned down every year.
Fred
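One way to automate the link check described in the post (comparing the URL a link displays against the host its href actually points to) is the following script. It is an added example, not code from the original post; the HTML sample inside it is constructed to mirror the quoted lure, and the URLs in it are illustrative.

```python
"""Flag anchors whose visible text advertises one host but whose href goes to another."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the lure quoted in the post (not the real message).
SAMPLE_HTML = """
<p>Please follow the link below and login to your account<br>and renew your account information</p>
<p><a target="_blank" href="http://paypal22.com/scgi.citibank.com.saw-cgi/Verification.html">
https://www.citizensbank.com/login/login_redirects.asp?lr=cbol&amp;page=home</a></p>
<p><a href="https://www.citizensbank.com/help">https://www.citizensbank.com/help</a></p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs; attribute order (target before href) is irrelevant here."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of an http(s) URL, or None if the string is not such a URL."""
    parsed = urlparse(url.strip())
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return parsed.hostname.lower()
    return None


def find_mismatched_links(html):
    """Return (displayed_host, real_host) for anchors whose shown URL and target host differ."""
    collector = AnchorCollector()
    collector.feed(html)
    mismatches = []
    for href, text in collector.anchors:
        text_host, href_host = host_of(text), host_of(href)
        if text_host and href_host and text_host != href_host:
            mismatches.append((text_host, href_host))
    return mismatches


if __name__ == "__main__":
    for shown, real in find_mismatched_links(SAMPLE_HTML):
        print(f"link displays {shown} but actually goes to {real}")
```

Run it against the HTML source of a suspect message (the same source you would inspect in BBEdit) to get the display-versus-target mismatches listed without reading every tag by hand.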
Augd mailing list (email@hidden)