December 22, 2005

PayPal Phishermen

I'm frustrated to no end about the misuse of the web. I ventured into web land in 1997, when it was a somewhat calm and peaceful place. Nowadays there are so many fraudulent practices going on... one of which is known as phishing. I never understood how someone could actually give up their information to a third-party culprit until I actually dug through the entire process. I'm not saying that there aren't completely obvious clues that something is wrong... but these phishermen do a decent job of pretending to be someone they're not. In this post I'm going to cover a PayPal phisherman trying to steal my info.

The way it generally starts is with an email saying that someone tried to access your account and that you should log in immediately and update your information. Here's a screenshot of the email I received:

Ignore the [SPAM] text in the subject line. This is something that SpamAssassin does for me. There are millions of users out there who don't use spam filters, so this message would slip right through.

One thing many users aren't aware of is that PayPal no longer embeds links in its emails. I was able to verify this when I received an email asking me to log in and update my credit card info. The email was plain text and gave me a list of steps to follow without providing any links.

Screen 1 has a couple of interesting attributes. The first thing you notice is the supposed IP address of the computer from which your information was submitted. A whois lookup shows that this IP belongs to a computer in Amsterdam; Screen 2 shows the results of the lookup. Bear in mind that the IP in the email is whatever the phisher chose to put there, and that an IP whois tells you who registered the address block, not where the machine physically sits. Seems strange, but we all know that the Internet flattens the earth, so this phishing can take place from anywhere.

The second and most important thing to notice about Screen 1 is the "Click here to activate your account" link. This is the single entry point into the phisherman's world. The visible link text and the underlying href are completely independent, which is the whole trick, so what matters is where the link actually goes. Email clients provide different mechanisms to help with this: I know Outlook displays a tooltip telling me where this link will take me, and others show the target in a status bar. Most browsers display this information in the status bar as well, provided it's enabled. Screen 3 shows what my Safari browser does when I place my mouse over the link.

For the purposes of this analysis I'm actually going to click on this link. In every other scenario I would recommend deleting the email and enjoying the rest of your day. Clicking the link here isn't harmful beyond wasting your time... and you know what they say about time. Don't generalize from that, though: a phishing page can just as easily carry a browser exploit, and merely loading it (or the images in the email) can confirm to the sender that your address is live. Clicking on the link yields what you see in Screen 4.

So the dead giveaway in this screen is the URL in the address bar, which has nothing to do with paypal.com. If users tend to miss this I'd be completely shocked, but I can guarantee that it happens. Not to give future phisher wannabes an idea, but your chances of success might be better if you used JavaScript to hide the address bar.

If you take a look at the culprit's PayPal page it looks IDENTICAL to the real PayPal page. A simple view source, a few changed link references, and save as will get you an identical page. What's even more interesting about this entire process is where this page lives. If you strip off the path and hit the base URL you'll see the site in Screen 5. Note that http://64.6.232.32/ is the IP address for http://www.whenrelationshipshurt.com.

It's very likely that this company doesn't even know these PayPal pages exist on their server. There are several ways an attacker can remotely gain access to a server and upload files like these, and hosting the kit on someone else's compromised server makes tracing it back to the culprit that much harder.

The next logical step in the process is to actually submit the form, but before we do that let's take a look at where the username/password data will actually go. A quick view of the page source shows the form's action attribute: the credentials are posted to "dynaform.php", highlighted in Screen 6.
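The hover check in Screen 3 and the form-action check in Screen 6 are the same test done by hand: where does this link or form actually send my data, and is that host PayPal's? Here is that test automated, as an added example that is not part of the original post. The host 64.6.232.32 and the action dynaform.php come from the post; the path /paypal/login.php, the Help link, the sample markup and the list of legitimate domains are constructed assumptions.

```python
"""Added example (not the author's code): triage <a href> and <form action>
targets in a lure email and a cloned login page the way the post does by hand.

Assumptions: 64.6.232.32 and dynaform.php are from the post; the path
/paypal/login.php, the Help link, the markup and LEGIT_DOMAINS are made up.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Domains the brand actually uses (assumption: paypal.com only).
LEGIT_DOMAINS = ("paypal.com",)
BRAND_KEYWORD = "paypal"


class TargetCollector(HTMLParser):
    """Collects absolute <a href> and <form action> targets from an HTML document."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base_url, a["href"]))
        elif tag == "form":
            # A form with no action posts back to the page it came from.
            self.forms.append(urljoin(self.base_url, a.get("action") or self.base_url))


def is_legit_host(host):
    """True only for the registered domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(url):
    """Return the reasons a URL looks like it does not belong to the brand ([] if it does)."""
    parts = urlparse(url)
    host = parts.hostname or ""
    reasons = []
    if is_legit_host(host):
        return reasons
    if is_ip_literal(host):
        reasons.append("ip-literal host")
    else:
        reasons.append("host outside %s" % ", ".join(LEGIT_DOMAINS))
    # The brand name in the path, or in a subdomain of an unrelated host, is the usual disguise.
    if BRAND_KEYWORD in parts.path.lower() or BRAND_KEYWORD in host:
        reasons.append("brand name outside the registered domain")
    return reasons


def analyze(html, base_url=""):
    """Map each suspicious link/form target to its list of reasons."""
    p = TargetCollector(base_url)
    p.feed(html)
    findings = {}
    for url in p.links:
        r = classify(url)
        if r:
            findings["link " + url] = r
    for url in p.forms:
        r = classify(url)
        if r:
            findings["form " + url] = r
    return findings


# Constructed sample: the lure email's activation link ...
EMAIL_HTML = """
<p>Someone tried to access your account. Please verify your identity.</p>
<a href="http://64.6.232.32/paypal/login.php">Click here to activate your account</a>
"""

# ... and the cloned login page it leads to. "Save as" keeps the real Help link,
# but the form now posts to dynaform.php on the phisher's host.
PAGE_URL = "http://64.6.232.32/paypal/login.php"
PAGE_HTML = """
<form action="dynaform.php" method="post">
  Email <input name="login_email"> Password <input name="login_password" type="password">
</form>
<a href="https://www.paypal.com/help">Help</a>
"""

if __name__ == "__main__":
    for label, html, base in (("email", EMAIL_HTML, ""), ("page", PAGE_HTML, PAGE_URL)):
        for target, reasons in analyze(html, base).items():
            print("%s: %s -> %s" % (label, target, "; ".join(reasons)))
```

Two design points. A cloned page legitimately carries real paypal.com links (the Help link above is not flagged), so the form action, not the page's links, is what tells you where the credentials go. And matching on the registered domain rather than on the string "paypal" is deliberate: a host like www.paypal.com.example.net is flagged as outside the brand, and the brand name appearing in a path or subdomain is itself reported as a disguise.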

Now the fun begins. I decided to submit the form using test@test.com with the password test. I received the standard PayPal "Processing login" screen, which once again led me to believe I was actually using the real system. These guys implemented all the bells and whistles.

For me, this next screen was a dead giveaway that something is insanely wrong with this so-called identity verification process. Screen 8 shows a couple of glaring holes that I wanted to point out. The first is the statement "It is a good idea to use the debit card linked to the checking account you have on file with us". You've got to be kidding me. And the fact that they're asking for my debit PIN?!? I've never seen something so ridiculous. What's even more ridiculous is the fact that people have probably fallen for this insanely illegal tactic.

After submitting the form I was directed to a success page where all my information was sent to the culprit and I was redirected to PayPal's homepage. Screen 9 shows the "big catch".

I'm disgusted with this complete misuse of the web and hope that someone will benefit from this post. I believe the only way to prevent this type of illegal behavior is for users to become more educated and pay more attention to the environment they're working in. If you're aware of any phishing scams then I suggest contacting the Anti-Phishing Working Group.

Posted by dennis baldwin at December 22, 2005 11:04 AM