Phishing: Why Not? It's Platform Neutral

by Matthew Russell

Related link: http://en.wikipedia.org/wiki/Phishing



In my last post, I wrote about an interesting e-mail message I received. Well, earlier today, I got another interesting message -- but this time, something a little different. Here's a partial screenshot so that you get the full effect.

image

It looks pretty realistic, doesn't it? If I weren't a highly trained professional with keen wits, good looks, and a sharp sense of smell (?!?), I might even have clicked on it. Well, it turns out that it's just another phishing attempt. And since I'm getting a little tired of seeing people get "phooled" by these things, here's a quick 101 lesson on not getting fooled by the phishers:

Whenever there's doubt, a good first step is always to check the mail headers. In ~/Library/Mail, you'll find a bunch of mail folders that you can dig through to get to your actual raw mail messages, although there are plenty of other ways to do this. For my .Mac account, the folder I dug into was ~/Library/Mail/Mac-ptwobrussell/INBOX.imapmbox/Messages. From there, I ran grep Amazon * to find the message in question, since I knew it contained the term "Amazon", and I opened the message file (.emlx extension) with Vim to inspect the headers. Here's what I saw:

image

Ok, so what's wrong with that? (This is worth really thinking about before you read on.)

One thing we need to pay special attention to here is the sender's IP address and whether it maps back to the domain the message claims to come from. In Terminal, type whois 206.125.210.163 and you'll notice that the IP address in question does not really belong to amazon.com, nor does it even remotely appear to have come from there. It belongs to some guy in Texas. I'll stop digressing right there, but the point is that the IP address should have mapped back to amazon's domain name somehow, and it didn't.

If you want to see what a more authentic Amazon mapping would have looked like, type ping www.amazon.com to get their IP address and then do a whois on the IP address to get the real deal.

But that's just the first problem -- there are a few other things going on here.

If you inspect the link

https://www.amazon.com/exec/obidos/flex-sign-in/ref=pd_irl_gw_r/103-3177084-7567864?opt=oa&page=recs/sign-in-secure.html

you'll see that it actually links to a different page, notably this one:

http://secure.amazon.com.dec2r.com/signin.php?exec/obidos/flex-sign-in/ref=gw_hp_si/103-3177084-7567864?opt=a&page=recs/sign-in-secure.html&response=tg/recs/recs-post-login-dispatch/-/recs/pd_rw_gw_ur/ref=192930_1/3-3&ref=rom&emaddr=myEmailAddress@mac.com


Of course, my e-mail address was actually in the link instead of the bogus one listed. I guess that's how they keep track of who is naive enough to click on the link. Notice also that the URL links to a php script (I've never seen an Amazon page like that), and that the bogus URL contains a "dec2r.com" suffix. This is clever but typical -- the phisher set up a "secure.amazon.com" subdomain on their "dec2r" server. If you just skim the first part of the URL, it looks good -- but if you realize that hostnames are read from the end back to the beginning, then it's not so good: the registered domain here is dec2r.com, and "secure.amazon.com" is just a prefix its owner controls. (Remember, this is social engineering.) When DNS resolves the hostname, the ".com" servers are consulted first, then the "dec2r" name servers are looked up, and from there, I'd imagine, the "secure.amazon.com" part is answered by the "dec2r" server or something along those lines.
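As an added example (not code from the post or its author), here is the right-to-left hostname check from the paragraph above in Python, run against the two URLs quoted in the post. The registrable_domain() rule keeps only the last two DNS labels, which is a deliberate simplification of the Public Suffix List, and the path on the tot-amz2.com variant is constructed.

```python
"""Spot links whose hostname merely wears a trusted domain as a prefix.

Added example for this post (not code from the article or its author). The
registrable_domain() rule below keeps only the last two DNS labels; that is
a simplification, and production tooling should consult the Public Suffix
List so that names such as example.co.uk are handled correctly.
"""
from urllib.parse import urlsplit

# The two URLs quoted in the post: what the mail displayed and where it went.
DISPLAYED = ("https://www.amazon.com/exec/obidos/flex-sign-in/ref=pd_irl_gw_r/"
             "103-3177084-7567864?opt=oa&page=recs/sign-in-secure.html")
ACTUAL = ("http://secure.amazon.com.dec2r.com/signin.php?exec/obidos/"
          "flex-sign-in/ref=gw_hp_si/103-3177084-7567864?opt=a")
# Constructed sample: a commenter saw the tot-amz2.com domain; the path is made up.
VARIANT = "http://tot-amz2.com/signin.php"


def hostname_of(url: str) -> str:
    """Lower-cased hostname of a URL ('' if the URL has none)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """The part of a hostname somebody actually registered: its last two labels.

    DNS is resolved right to left, so in secure.amazon.com.dec2r.com the
    registrant is whoever owns dec2r.com; 'secure.amazon.com' is just a prefix
    that registrant controls.
    """
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:])


def check_link(displayed: str, actual: str, trusted: str) -> list[str]:
    """Return the reasons a displayed/target link pair looks like phishing."""
    shown, real = hostname_of(displayed), hostname_of(actual)
    reasons = []
    if registrable_domain(shown) != registrable_domain(real):
        reasons.append(f"text shows {registrable_domain(shown)}, "
                       f"target is {registrable_domain(real)}")
    if registrable_domain(real) != trusted and trusted in real:
        reasons.append(f"{trusted} is only a decoy prefix of {real}")
    if urlsplit(actual).scheme != "https":
        reasons.append("target is plain http, so a sign-in form would be unencrypted")
    return reasons


if __name__ == "__main__":
    for target in (DISPLAYED, ACTUAL, VARIANT):
        print(target[:60], "->", check_link(DISPLAYED, target, "amazon.com") or ["ok"])
```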

So what happens if you weren't so sharp and clicked on the link? If you did, you probably got your e-mail address logged for future attempted exploits, and you were greeted by this familiar looking page:

image

And regardless of what password you put in, it'll be accepted (and probably logged along with your e-mail address, a very common login, and perhaps even tried out at other online retail sites). But then you'll get hit with this:

image

Hmm. Even if you made it this far, you should start feeling a little bit (a lot) suspicious right now. I don't recall Amazon ever asking for my ATM PIN, do you? But do notice that the other links on the pages appear to actually link back to Amazon's real site. A thoughtful touch.

And there you have it, ladies and gentlemen -- a quick synopsis on how not to get "phooled" by the phishers. Feel free to chime in with your own tips, tricks, and analysis.

Have you or anyone you know ever fallen for a phishing attempt?


14 Comments

idji
2005-12-02 12:48:15
Now what is Apple (webkit) going to do about this?
Firefox, Opera and Konqueror developers have mentioned they will include some safety measures in their browser to alert users of un-certified sites. Is Apple going to jump in?
freelancer
2005-12-02 14:51:57
digging through ~/Library/Mail?
Even I, Unix snob of the first order, can't argue that going to a terminal, digging through ~/Library/Mail with grep, and opening a mail file in vim is easier or better than hitting command-option-U.
jdb8167
2005-12-02 14:52:36
Safari bug makes phishing too easy
There is a serious bug in Safari that masks the real URL for a form submit on an image. This has been reported to the webkit team but it isn't fixed yet.


an example:


http://homepage.mac.com/thoughtsimple/phish/index.html


Roll over the button. Then click the button to see the danger. That button could be the submit button on a form where you enter data.


What's worse is that this also works in Mail.app and masks the URL there as well.


This was originally found by these guys:


http://www.secureosx.com/email/alert/phishing/20051118

ptwobrussell
2005-12-02 15:00:21
digging through ~/Library/Mail?
HA! That's awesome.


When it comes to keyboard shortcuts, obviously I could use some tutoring myself. Thanks for pointing that out for viewing the raw message. Wish I'd have known it was so easy -- it would have saved me some typing.


Another reader also pointed out that shift-command-h reveals the long headers of a message.

freelancer
2005-12-02 16:45:11
Safari bug makes phishing too easy
Buttons for form submission don't normally show any URL at all in the status bar -- so if you see one appear, you know it's playing games.
Macam
2005-12-02 17:39:32
I actually fell for this one.
Being a large Amazon customer, I had some slight suspicions regarding this e-mail initially, but clicked the link anyway despite being, on the whole, extremely cautious about phishing and e-mail scams. However, the site itself drew further suspicion from me, with the ATM throwing up a monstrous red flag; however, even without that, the web layout wasn't done entirely in line with Amazon's, and various other indications -- the lack of https, the lack of a lock icon in Safari, and so on -- along with testing it alongside an independently loaded Amazon page confirmed my suspicions, and I quickly went about changing passwords and the likes within seconds.


This was one of the more refined phishing scams I've seen, and it certainly backs your original point: it IS platform neutral. I suspect as security gains a greater and greater focus by OS manufacturers and online commerce continues to expand its market share we'll see further phishing scams along these lines.

Macam
2005-12-02 18:37:49
digging through ~/Library/Mail?
Or for the more mice-inclined amongst us: Highlight the selected message, View > Message > Default Headers (or Raw Source).
shanezilla
2005-12-02 20:26:11
Good work!
I'm glad that you've written this up! Increasing general awareness of this sort of thing can only help. Of course the people who really need the info would probably never hit the O'Reilly site.


I got the same email as well and treated it immediately with the same level of skepticism. In Thunderbird you can mouse over a link and see the link target in the status bar, which makes for a real quick sanity check. Interestingly enough, the domain used in my version of the email was tot-amz2.com... what, do these guys have a bunch of different domains they use?

mattfein
2005-12-03 07:46:49
Phishing
It's interesting to poke around in the mail header, but that kind of misses the point. First, and most important, one should never enter information on a site that you get to via an email URL. Period.


Second, although phishers may be technically clever, they are nearly always semi-illiterate. The language in the email is the real giveaway. Amazon Inc. would never send out an email that's obviously unedited.

ptwobrussell
2005-12-03 08:10:34
Phishing
good calls.
rbannon@mac.com
2005-12-04 08:15:12
Great story, but . . .
too bad you're not Paris Hilton, because you'd have the full force of the FBI tracking that bastard down. Us lowly grunts who fork over half our pay to the government are not equal under the law, and there's absolutely no chance that law enforcement would help.


Unrelated blurb: If you're interested in a free iPod, email me.

W2ed
2005-12-06 00:01:10
Dumb Random Thought
Aside from the painful experiences this guy deserves, did you bother getting the authorities involved, or notify Amazon of the scam? With what information you dug up, you may have provided them a case on a silver platter.


Wayne C. Winquist

ptwobrussell
2005-12-06 03:51:40
Dumb Random Thought
Ya. Amazon has a page specifically for reporting this kind of thing


http://www.amazon.com/exec/obidos/tg/browse/-/15836841/ref=br_bx_c_1_2/102-6201263-6732955


And so after writing this up, I just sent them the link to this weblog entry. Their system followed up with an automatic message that asked me to forward them the message itself, so I did that as well.


Hopefully, it helped them out at least a little bit.

paulie_p
2005-12-11 15:12:14
I actually fell for this one.
I just fell for a variant of the scam you guys described. The email I got claimed to be notifying me about my credit card company flagging a whole bunch of recent purchases, which happened to be all the xmas toys for my nieces and nephews.


I too got as far as the second screen, before I realized I just sent my amazon password clear text over the Internet. Have there been any repercussions from compromising your amazon password?


Paul