Brady & Associates, LLC.
Phishing Exposed!


Identity theft is the fastest growing crime on the Internet.  This article is meant to enlighten you, educate you and empower you to fight back against identity thieves.

One method identity thieves use is called phishing. Basically it works like this:

  1. First, a web site gets hacked into and a web page form is placed on the web server.
     This form is used to collect information and send it back to the identity thief.
     (some stupid identity thieves actually register their own domains and host their own sites...)

  2. Email addresses are collected by going out to the web and harvesting them from web sites and newsgroups,
     and sometimes even by worms and viruses.

  3. Messages are sent out requesting that you verify personal, credit card and / or banking information.
     Some very common messages that have been making the rounds lately look like they come from eBay,
     PayPal and other online transaction account services.

  4. The unsuspecting 'phish' responds to the email message as instructed, enters their information and voila!
     Their identity is no longer theirs. Armed with all of the victim's personal information, the identity thief can
     now assume the identity and completely destroy the victim financially.

You can protect yourself from phishing if you know how!  Read the information below to find out more.

If you have any questions or comments please be sure to let me know!

Brady & Associates, LLC.

March 11, 2004
This morning as I was checking my email I found a curious message in my inbox.
It wasn't the usual spam that we all receive for various pharmaceuticals or offers to refinance our mortgage. 
It actually looked like it might be a real message.
Especially since it came into my very private email address. 
I actually get a very small amount of spam in this email address.
(and I have found a way to keep it that way... more on that later)

Here's the message I received. It looked innocuous enough...

It purported to be from Visa International and had a contact name at the bottom of the message.
It did make me curious though.  My Visa card is provided through the bank that handles my student
checking account and I didn't remember whether I had given them this particular email address or not.

So... I decided to investigate a little bit more before I clicked on the "Continue" button.  I was glad I did.

(my private email address has been modified in the images below)


Nearly every email client in use has a way for you to look at the source code of the email message.
Since I use "The Bat!" from RIT Labs it is pretty easy to see this information.
It is deciphering the headers that takes a bit of work.

The first suspicious thing I saw was the email address in the return path.
Look! It goes to someone at AOL!  It doesn't go back to Visa International at all.

It is likely this email address belongs to some unwary victim themselves but there are some stupid ID
thieves out there who don't understand how easily they could be traced back through their email address
to their ISP, who can then be served a court order to release the subscriber information related to
the email address.
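To show the return-path check described above in code, here is an added example (not from the original article) that parses a constructed message with Python's standard email module and reports every envelope or reply address whose domain differs from the domain the From header claims; every address in it is a placeholder.

```python
"""Compare the Return-Path (and other reply addresses) of a message with the
domain its From header claims. Added example, not from the original article;
the message and all addresses below are constructed placeholders."""
import email
from email import policy
from email.utils import parseaddr

# Constructed raw message modelled on the one described above: the From
# header claims Visa, but the bounce address points to an AOL-style domain.
SAMPLE_RAW = """\
Return-Path: <someuser@aol.example>
From: "Visa International" <security@visa.example>
Reply-To: verify@aol.example
To: victim@private.example
Subject: Verify your account

Please click Continue to verify your card details.
"""


def header_domain(msg, name):
    """Return the lower-cased domain of an address header, or None if absent."""
    value = msg.get(name)
    if not value:
        return None
    _, addr = parseaddr(str(value))
    return addr.rpartition("@")[2].lower() or None


def sender_mismatches(raw):
    """Return (claimed_domain, findings): each finding is a (header, domain)
    pair whose domain differs from the one the From header claims."""
    msg = email.message_from_string(raw, policy=policy.default)
    claimed = header_domain(msg, "From")
    findings = []
    for name in ("Return-Path", "Reply-To", "Sender"):
        actual = header_domain(msg, name)
        if claimed and actual and actual != claimed:
            findings.append((name, actual))
    return claimed, findings


if __name__ == "__main__":
    claimed, findings = sender_mismatches(SAMPLE_RAW)
    print(f"From header claims: {claimed}")
    for name, domain in findings:
        print(f"  {name} goes to {domain} instead")
```

A mismatch is not proof of fraud on its own (mailing-list software and some banks legitimately use a different bounce domain), but it is exactly the cue that prompted the author to dig further.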

Once I saw this was a bogus message, I decided to investigate a little further...
(my private email address has been modified in the image below)


Since I have The Bat! set up to not display HTML messages by default, the first step was to save the source
code for the entire message out to an HTML page.  This would then allow me to look at the underlying code
behind the "Continue" button.

Having saved the file, I then fired up Microsoft FrontPage 2003. Say what you want about FrontPage as a
web site editor; the only reason I use it is because it is fast and accessible. I found the section of the message
that contained the button and exposed the HTML code beneath it...

[Image: phishing email form button, showing the HTML form and its action attribute]
Notice the http link in the action parameter above: each character of the domain name is written in hexadecimal notation.
This is a common method used to hide domain names and make them hard for people to read.
Browsers can easily decode the hexadecimal notation for each character and send you to the intended web site.
In this case it goes to www.demospeople.com (DO NOT GO HERE!).

It's fairly easy to decode the link without visiting the site. In this case, I highlighted the entire http link, copied
it to the Windows clipboard, pasted it by itself on the page and returned to the preview mode.
The domain name for the web site was readily displayed.
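An added example (not part of the original article) of decoding such a link without visiting the site: it pulls the action attribute out of a constructed copy of the form and percent-decodes it with Python's standard library. The encoded URL is constructed here to decode to the domain named above, the script never connects to anything, and it also handles links that were percent-encoded more than once, which goes beyond the single case in the text.

```python
"""Decode the percent-encoded (hexadecimal) action of a phishing form and show
the host it really submits to, without visiting it. Added example, not from the
original article; the HTML below is constructed to decode to the domain named."""
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed fragment modelled on the "Continue" button described above.
SAMPLE_HTML = """\
<form method="post"
 action="http://%77%77%77%2e%64%65%6d%6f%73%70%65%6f%70%6c%65%2e%63%6f%6d/%76%65%72%69%66%79.php">
  <input type="submit" value="Continue">
</form>
"""


class FormActionCollector(HTMLParser):
    """Collect the raw action attribute of every <form> in the document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            for name, value in attrs:
                if name.lower() == "action" and value:
                    self.actions.append(value)


def decode_action(action):
    """Return (decoded_url, host). Decoding is repeated because a link may be
    percent-encoded more than once (e.g. %2577 -> %77 -> w)."""
    decoded = action
    for _ in range(3):          # bounded: stop once nothing changes
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    host = (urlsplit(decoded).hostname or "").lower()
    return decoded, host


def form_targets(html):
    """Return [(raw_action, decoded_url, host), ...] for every form found."""
    parser = FormActionCollector()
    parser.feed(html)
    return [(a, *decode_action(a)) for a in parser.actions]
```

Run `form_targets()` over the saved message source and compare each host against the domain the message claims to come from; a mismatch is the same tell the author found in FrontPage's preview.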

Since there are many security problems with Microsoft Internet Explorer and fully 98 percent of the people
browsing the web use IE, it's a pretty safe bet that there is HTML, VBSCRIPT or JSCRIPT code on that page
to collect information about your computer without your knowledge.

There is usually an official looking web page with a form used to collect your name, address, credit card,
social security and bank account information. This is supposedly used to verify that you are who you say you are.

In many cases, because a legitimate web site has been hacked into and pages have been 'inserted' onto the
web server, it may be difficult to identify whether or not the page is actually part of the real web site.
The only way to know for sure is to analyze the HTML, JSCRIPT and VBSCRIPT source code used to
define the page.

Never enter ANY personal information into a web site form unless you absolutely know beyond a shadow of
a doubt that the organization purporting to be hosting the web site is actually the organization and not some
scammer.


The next step was to find out to whom the site was registered.
This proved to be interesting, since it was registered through TUCOWS, an anonymous registrar.
They allow people to register domain names for the hosting of web sites, but they retain the actual ownership
of the domain name.
All I did to find out who the site was registered to was go to www.register.com and do a whois search on www.demospeople.com.


I then loaded up a special browser that is not based upon Internet Explorer and went to the DemosPeople
web site to check it out.

Once there, I was greeted with an "Under Construction" message stating the page was being updated.

I have sent an email to the address displayed on the site to find out if it had been hijacked.
Thus far, I have not had a response to my inquiry.

As you can see, it is not difficult to trace back to the origins of these suspicious email messages.
The next time you get an email message, particularly one that asks you for personal information or
supposedly requires verification of your identity, be wary and do your due diligence.

The credit rating you save may be your own!
