Gone Phishin'

Paul M. Hirsch paul@voltagenoir.org - 03/26/2004

Have you received alarming email about your credit card recently? How about a scary message about your EBay account? Have you gotten email reporting that your credit card has been charged $150 for porn? It seems that lots of people have been having similar trouble recently. Most of these messages include helpful instructions on how to resolve the problem and a nice link to a secure web page where you can safely fix the issue. How helpful! Unfortunately, these messages, and many more, are all scams. If you buy into any of them, prepare for some serious problems, because you have just been "Phished".

Phishing is a form of electronic fraud in which deceptive email or other electronic communication is used to trick victims into handing over sensitive information. The Phishers use a combination of classic swindling techniques, spam email, and web browser trickery to make their scams believable, and they are getting better. Read on to learn more about Phishing, what the Phishers do with personal information, and how you keep from being hooked. (Also, read on for more half-witted fishing related section names.)



When did man first learn to Phish?

The term Phishing was coined around 1996. Back then, groups of unskilled hackers were scamming America Online (AOL) customers into giving up their passwords so they could take over the victim's account. Since they were essentially trolling the Internet, looking for a sucker to take the bait, "fishing" seemed like an appropriate description. F was replaced with Ph to fulfill the eternal computer geek need to put a "clever" spin on names. (This is about as clever as nicknaming a tall man "Tiny", but to each their own.)

Phishing remained a small-time practice until around mid-2003, when the Age of Spam and the Age of Identity Theft collided, resulting in a kind of fraud synergy. For a long time, spam-delivered scams were fairly straightforward versions of old confidence and sham-product scams, like the extremely popular Nigerian 419 scams. Between 2001 and 2003, new scams started to take advantage of technical tricks to lure the victim into thinking they were dealing with a trusted party. By playing on fear instead of greed, and hiding behind companies that people trust, these scams were much more effective than regular cons. By mid-2003, Phishing had become a central technique in the online fraudster's arsenal.

Since Phishing was first labeled, the target of most online fraud (what the fraudster wants to extract from the victim) has also changed. Tricking the victim into writing a check or buying worthless junk, while still popular, has given way to scams designed only to perform "identity theft". Identity theft (a.k.a. ID theft) involves stealing an individual's name, Social Security Number (SSN), account numbers, address, or any other personal information that can be used to directly steal money or to impersonate the victim. With a victim's personal information, an identity thief can steal money out of the victim's existing accounts, open new accounts in the victim's name, use the victim's personal information to create fake IDs, and commit a host of other crimes without the victim knowing what is happening until it is too late. Most Phishing is now done either to steal account numbers or to commit ID theft.



Bait and Tackle

So what does a Phishing message look like? Many of them are just a simple con. They ask you to email some sort of personal information to the scammer, usually to clear up a "discrepancy" involving charges to a credit card or bank card. The more sophisticated Phishers try to trick you into going to a special fake web site. To make the trick work, they have to convince you that the link they provide is valid. Here is a sample email with a link included:


From: Visa International Service mailto:security@visa-security.com 
Sent: Friday, December 05, 2003 7:46 PM 
To: 
Subject: Visa Security Update 
 
Dear Customer, 

Our latest security system will help you to avoid possible fraud actions and 
keep your investments in safety. 

Due to technical security update you have to reactivate your account 

Click on the link below to login to your updated Visa account. 

To log into your account, please visit the Visa Website at 

http://www.visa.com   

We respect your time and business. 
It's our pleasure to serve you. 


Please don't reply to this email. This e-mail was generated by a mail 
handling system.    

Copyright 1996-2003, Visa International Service Association. All rights 
reserved. 


Sounds fairly reasonable. And look, the link says "http://www.visa.com", so it must be legitimate. Unfortunately, what a link looks like and where it goes are two completely unrelated things. How does this one look to you?

http://www.wellsfargo.com

Looks like a legitimate link to Wells Fargo. (A small community bank, if I am not mistaken.) It really goes to http://www.google.com/search?q=fraud, which will give you the Google search results for the word "fraud". It could go anywhere. You must be very careful when clicking on a link in an HTML-formatted email. It is a good idea to hold your mouse pointer over a link (mouse over) and see what shows up in the status box of your web browser or email client. Since there are ways of making the browser display something else when you mouse over, it is an even better idea to right-click on the link and choose "Properties" to see the real web address of the link. Always remember that the text of a link and the link's destination (a.k.a. Uniform Resource Locator, or URL) are two completely different things.

What if the message is a plain text one, or what if you check the properties for the link, and the address looks ok? You are not out of the woods yet. There are many URL tricks that let Phishers create a URL that looks legitimate when viewed by a human, but is not. One of the classic techniques is to create a new domain that is a variation on the site that is being spoofed. Can you tell which of these are legitimate sites for CapitalOne, Visa, EBay, and PayPal?

https://www.capital-one.com
https://auth.secure-capitalone.com
https://www.visaonline.com
https://signin.ebay.com
https://secure.pay-pal.com

The part of the links above that is most important is the "domain". For instance, www.voltagenoir.org, hello.voltagenoir.org, and voltagenoir.org all are in the same domain, voltagenoir.org. Domains are owned by people and businesses. Whoever owns a domain decides where names in that domain point to. I own the domain voltagenoir.org. If I wanted to, I could point www.voltagenoir.org to the real address (IP) for www.microsoft.com. (I wouldn't do that, but you get the idea.)

With that background, let's look at the example URLs above. The first is in a domain owned by CapitalOne, but they have no web page up for it. The second is not owned by anyone. I could go register (buy) secure-capitalone.com right now and probably trick quite a few people. visaonline.com is owned by Visa, and the link above will take you to their secure sign-in page. Same with signin.ebay.com, which is the real EBay sign-in page. pay-pal.com is not owned by the real PayPal, which handles online money exchanges for thousands of people. Some guy with a Hotmail email address owns it. He runs an anti-PayPal site on www.pay-pal.com. While he seems like a decent fellow, he could just as easily serve up a scam page and trick hundreds or thousands of PayPal users into giving up their account information.

I found all this out by using whois. Every domain (with the exception of the government's .gov and the military's .mil domains) is "registered" with a domain name registrar. The registrar is required to provide information about the owner of a domain. This information can be gathered with a whois query. There are many whois tools online. (See the links section at the end of the article for a few examples.) If you are suspicious about who really owns an Internet site or domain, use whois to see if the company you think owns the domain really does. (Note that many companies use third-party "hosting" companies, so a whois search may not always be the answer.)

Turning back to the topic of tricks, there are many more ways to fool people into following a link. Which of these beauties is a valid URL?

https://www.wellsfargo.com%2f%70%65%72%2f%6d%6f%72%65%2f%62%61%6e%6b%69%6e%67%2e%6a%68%74%6d%6c
https://www.wellsfargo.com%2e%76%6F%6C%74%61%67%65%6E%6F%69%72%2E%6F%72%67%2f%73%75%63%6b%65%72%2e%68%74%6d%6c

These URLs use "URL encoding". %XX notation is often used to represent special characters in URLs. Web servers convert the codes to their corresponding characters. For instance, %61 is the letter "a", and %20 is a space. Here are the un-encoded forms of the links above:

https://www.wellsfargo.com/per/more/banking.jhtml
https://www.wellsfargo.com.voltagenoir.org/sucker.html

The first URL goes to Wells Fargo's banking site. The second goes to www.wellsfargo.com.voltagenoir.org, which is not in the wellsfargo.com domain, but in the voltagenoir.org domain. This is just one of the encoding tricks used by Phishers. (And spammers, and worms, and hackers, etc., etc.)
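To make the last three points concrete (link text versus destination, which domain really owns a host, and %XX encoding), here is a small checker written for this article, not code from any of the companies mentioned. It decodes each link, works out the owning domain, and flags anchors whose visible text names one domain while the href goes to another. The sample mail body is constructed from the tricks shown above, and the "last two labels" domain rule is a simplification that misses registries like .co.uk.

```python
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

def registrable_domain(url):
    """Owner-level domain of a URL ('voltagenoir.org'), decoding %XX escapes
    first so an encoded '.' or '/' cannot disguise the real host. Assumption:
    the last two labels are the owned domain (wrong for .co.uk and the like)."""
    decoded = unquote(url.strip())
    if "://" not in decoded:
        decoded = "http://" + decoded
    labels = (urlsplit(decoded).hostname or "").lower().split(".")
    return ".".join(labels[-2:])

class LinkCollector(HTMLParser):
    """Gather (visible text, href) pairs for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append(["", dict(attrs).get("href", "")])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][0] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = False

def suspicious_links(html):
    """(shown text, real href, reason) for links whose text names one domain
    while the href leads to another; plain 'click here' text is skipped."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        shown = text.strip()
        if "." not in shown or " " in shown:
            continue
        seen, real = registrable_domain(shown), registrable_domain(href)
        if seen != real:
            findings.append((shown, href, f"text says {seen}, link goes to {real}"))
    return findings

# Constructed sample (not a real message) reusing the tricks shown above.
SAMPLE_MAIL = """
<p>Please visit the Visa Website at <a href="http://www.google.com/search?q=fraud">http://www.visa.com</a></p>
<p><a href="https://www.wellsfargo.com%2e%76%6F%6C%74%61%67%65%6E%6F%69%72%2E%6F%72%67%2f%73%75%63%6b%65%72%2e%68%74%6d%6c">https://www.wellsfargo.com</a></p>
<p><a href="https://signin.ebay.com">https://signin.ebay.com</a></p>
"""
```

Feeding SAMPLE_MAIL to suspicious_links() flags the Visa and Wells Fargo links and passes the genuine EBay one.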



Reel 'em In

Once you have been tricked into following the Phisher's link, you will usually end up at their trick web site. (Lately, very sneaky Phishers provide the victim with a popup window from the Phisher's website, and then redirect the main browser window to a page from the legitimate site.) You will then be asked to enter personal information. It might be your social security number, your mother's maiden name, your phone number, your address, one or more credit card numbers, your username and password for the site (for EBay or online banking), your ATM card number and PIN, or any other information the Phisher can think of that would be useful to them. Most scams will only try to get a few items, and not the whole laundry list. However, sometimes they go for broke. Here is an example screen shot of a Phishing page that tries to trick PayPal customers into giving up everything:

[Screenshot: PayPal_Scam_Page]


This one even included "Bank Routing Number". It seems like overkill, but the extensive detail it asks for may actually make it seem more legitimate to an unsuspecting victim. Some parts of this scam page are pretty sloppy. Notice that a numerical Internet address (IP) appears in the Address bar on top. Also notice that, while it has a note on the top of the page regarding SSL encryption, and it has a cute little padlock icon nearby, the page is not an SSL-secured page. The URL in the address box starts with http:// instead of https://, and the padlock icon is nowhere to be found at the bottom of the web browser window. There are ways of covering up the faults I have pointed out, but it takes skill that most Phishers do not currently seem to have. It pays to pay attention to detail. (It also pays to be paranoid.)



Cut 'em and Gut 'em

Let's say, for argument's sake, that you took the bait. You filled out the form or sent off the email without a second thought. Let's say you were satisfied with the "Thanks for updating your information" or "We'll correct the problem right away" response you received after handing over your information. You carry on with life as usual. What happens next? That depends on what information you gave over and how nasty the people who took it are. Here are a few possibilities:

  • Your bank account is sucked dry
  • Your credit cards are maxed out
  • Your address, (not email address, but your real, postal address) is changed with a fake change of address form
  • New accounts are opened in your name, used up, and abandoned
  • Fake IDs are made using your information, including SSN and driver's license numbers

Once you discover the problem, cleaning up your credit can take months or even years, and any real money that was stolen is probably gone for good. You may have to get all new IDs and account numbers. If you suspect you are the victim of Phishing, online fraud, and/or identity theft, there are a number of links at the end of the article that may help. As fraud and identity crimes have grown common, many organizations and groups have sprung up to help people recover.



The One That Got Away

In the case of Phishing, an ounce of inaction equals 5 tons of pain and frustration. Here are a few tips on avoiding being a sucker, or rainbow trout:

  • Do not trust links or URLs
  • If it is too good to believe, or too bad to believe, or too idiotic to believe, it is either a lie or horribly bad business practice. In either case, ignore the message.
  • No reputable business will ask for you to re-enter all your personal information after you have already set up your account.
  • Reputable businesses do not use email for serious messages, or verification purposes.
  • Do not use links included in email to go to a site you have an account with. Enter the URL for the site directly into your web browser's address box by hand.
  • If you don't remember buying hundreds of dollars of highly objectionable or illegal goods with your credit card, you probably did not.
  • Email is insecure. Do not email your credit card number, passwords, or any other sensitive information, especially to a stranger or strange company.
  • Reputable businesses use secure web (SSL) to protect personal information. Do not enter personal information or account numbers into a web page without checking for the padlock icon at the bottom of your browser window.
  • Reputable businesses do foolish things sometimes.
  • Search engines, whois domain information, anti-fraud web sites, and other resources can help you determine what is fake and what is not.
  • When in doubt, don't do anything.

Perhaps now you are thinking, "That is great, but how can I strike back at these scum-sucking bottom feeders?" The best way is to alert the legitimate company that the Phisher is impersonating. Many large sites have an "abuse@" email address where you can report abuse. By sending the company a copy of the Phishing message, you can potentially help them stomp out a scam. You can also report Phishing scams and other fraud to the Federal Trade Commission. (Follow the "File A Complaint" link.) Another way to strike back is to send a copy of the Phishing message to one of the independent anti-Phishing tracking sites, like the Anti-Phishing Working Group. Finally, you can always fill out the Phisher's fake web page with false information, or information for your bankrupt and incarcerated second cousin. (Disclaimer: I do not actually recommend this action. It could lead to problems for you and the person whose information you use. Don't do it! Tell me all about it if you do, though. I would find it amusing. But don't do it!)



Phishing: A Popular Pastime For Years To Come

Phishing is a cottage industry. It is fairly easy to do, lucrative, and a low-risk criminal endeavor. Like spamming, Phishing is a popular source of income for both the professional criminal and the part-time criminal. (It is amazing how many people seem to consider scams, fraud, and unsolicited marketing to be just another way to make a little money on the side.) While many groups and industries are working to make it harder to steal personal information, and harder to effectively use stolen personal information, fraud will always be a problem.


More Information