Phishing 101
Reviewed By: Bill Davies
2004-12-28
This is a semi-technical explanation of a very common attack on your personal information, one that grew at an exponential rate in 2004. The technique is called “phishing,” and for that reason I have entitled this article “Phishing 101.”
According to VISA's web site, “‘Phishing’ is an email scam that attempts to trick consumers into revealing personal information—such as their credit or debit account numbers, checking account information, Social Security numbers, or banking account passwords—through fake Web sites or in a reply email. Typically, the emails and Web sites use familiar logos and slick graphics to deceive consumers into thinking the sender or Web site owner is a government agency or a company they know. Sometimes the phisher urges intended victims to ‘confirm’ account information that has been ‘stolen’ or ‘lost.’ Other times the phisher entices victims to reveal personal information by telling them they have won a special prize or earned an exciting reward. Phishing scams are among the fastest growing forms of fraud on the Internet. According to the Anti-Phishing Working Group, phishing scams grew by 52 percent from December 2003 to January 2004.”
My goal with this article is to give you some basic knowledge of how to check whether an email you receive really comes from the sender it claims to be from.
Let’s start with an innocent-looking email message. (See “Phishing1.”) As you can see from this graphic, we are in Apple’s Mail program, and it appears that we have received an email from PayPal. The message tells me that PayPal has noted an attempt to log in to my PayPal account from a “foreign IP” address and asks me to log in to verify that my account has not been hijacked (i.e., that someone other than myself has not logged in to the account and perhaps changed the password or contact information).
Sounds good. Why would I be suspicious? Well, for one thing, I don’t think I have a PayPal account. (And I’ve received similar messages for FirstBank and Citibank, and I don’t have accounts there, either!)
Distressingly, if you’re not on the ball, this message looks very legitimate. Notice that in the middle of the email they give you a link to click on, and the link text shows a PayPal URL.
LESSON ONE: Spam and phishing emails frequently show you one address as the link text, but when you click on that link, they actually take you somewhere else entirely. How on earth would you ever know this? That’s the ugly part.
What I had to do in Apple’s Mail program was go to the Message Menu and choose “Raw Source” to see what was actually going to happen if I clicked on that link. (See “Phishing2.”)
LESSON TWO: Learn enough about HTML so that you can look at raw source without getting seasick.
You want to see that raw source, don’t you? Then take a look at the graphic “Phishing3.” The way the scam artists do this is really very interesting. First of all, any time you see <img src= blah blah blah>, that is an image tag. What they do is download real, corporate images from the actual server of the company they are trying to imitate. Therefore, if you review the source of this message, you’ll see that it downloads ALL the “official” PayPal graphics from the PayPal web site. Normally a person might conclude that this email came from PayPal, since it uses graphics from PayPal’s own server. Except that doing this is perfectly legal. Huh?
LESSON THREE: HTML email can download images from any server, including a different one than the product or service advertised in the message. So MacNexus might send out a message advertising a raffle, and include an image of the new iPod using an embedded URL <img src=http://www.apple.com/ipod/ipod.jpg> to Apple’s web site to obtain the graphic. When you get the email, it shows a picture of an iPod. There’s nothing illegal about doing this, at least so far.
OK, so if HTML email can legally include images from here, there, and everywhere, how would you know that this PayPal email is a scam? Well, the critical part of the message is what I have highlighted in yellow in “Phishing3.” This is the part of the message where they tell you to “click here” to log in to your account. In the “visual” part of the email that the reader sees, they show this link as https://www.paypal.com/cgi-bin/webscr?cmd=_login-run, but as you can see when you view the raw source, if you click on it, it is really going to go to http://217.112.229.216/, which ain’t PayPal, my friend. It is some computer running somewhere with a login form, and when you put in your login and password, the thieves will then possess your PayPal login information! Then they can log in to your PayPal account and transfer money, presumably to themselves.
LESSON FOUR: If an HTML email asks you to click a link to verify information, view the source to see what is actually going to happen when you click that link!
Want to see another example? Then please review the graphics “Ebay1” and “Ebay2.” You will see that I received an HTML email message telling me they were unable to process “my most recent payment.” The only problem is that I haven’t bought anything on eBay for roughly three years. It seemed suspicious to me, even though the criminals who wrote this had the audacity to include eBay logos and the “TRUSTe” logo to make me think that it was official. I decided to view the source of this message. As you can see in the second graphic, all the graphics come from eBay, but the login screen goes to http://67.19.186.3. Where the hell is that? I don’t know, but one would think that if all the graphics came from eBay, then the link to the login page would also start with something like https://www.ebay.com instead of directing to a raw IP address.
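The check the author performs by eye on the PayPal and eBay messages (Lessons Three and Four) can be automated. The script below is an added example, not part of the original article: it parses the raw HTML of a message, lists which servers the images are borrowed from, and flags any link whose visible text is a URL on a different host than the real href, or whose href points at a bare IP address. The sample message is constructed to mirror the PayPal email described above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the PayPal message the article describes: the
# logo is fetched from paypal.com and the visible link text is a PayPal URL,
# but the anchor's href sends the reader to a raw IP address instead.
SAMPLE_EMAIL_HTML = """<html><body>
<img src="https://www.paypal.com/images/logo.gif">
<p>Please <a href="http://217.112.229.216/">
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a> to verify.</p>
<p>Questions? See our <a href="https://www.paypal.com/help">help pages</a>.</p>
</body></html>"""

class LinkCollector(HTMLParser):
    """Gather (href, visible text) for each <a> and the host of each <img>."""
    def __init__(self):
        super().__init__()
        self.links, self.image_hosts, self._open = [], set(), None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._open = [a["href"], ""]          # start collecting link text
        elif tag == "img" and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host:
                self.image_hosts.add(host.lower())
    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append((self._open[0], self._open[1].strip()))
            self._open = None

def analyze(html):
    """Flag anchors whose visible text is a URL on another host than the href,
    or whose href points at a bare IP; also report where the images come from."""
    p = LinkCollector()
    p.feed(html)
    suspicious = []
    for href, text in p.links:
        real = (urlparse(href).hostname or "").lower()
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and shown.lower() != real:
            suspicious.append(("shown URL differs from real target", text, href))
        elif re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", real):
            suspicious.append(("link goes to a raw IP address", text, href))
    return {"image_hosts": p.image_hosts, "suspicious_links": suspicious}
```

Paste the raw source of a message (Message menu, “Raw Source”) into `analyze()`; a result with branded image hosts but a suspicious login link is exactly the pattern both examples in this article show.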
This is an overview of the current epidemic of phishing. It may seem technical, but all users should attempt to master these skills to protect their personal information.
What can you do to combat phishing? If you can identify and document phishing attempts, most major web sites have links or departments where you can report security breaches. I have reported phishing attempts to Citibank, PayPal, and eBay. eBay was the most cumbersome, as I had to find my eBay login and log in to their site before I could file a report. The others just let me reveal the raw source of the offending message and paste it into a form.
As a rule, if you get a message that just doesn’t seem quite right to you, either investigate it and report the criminal to the appropriate authorities, or take no action and give out no information. If this keeps up, many of us may just decide to conduct our banking by phone or in person, and never type any information into a web site, because of the number of scams that are out there.
© 2004 Bill Davies, MacNexus, the Sacramento Macintosh User Group. May be reprinted by any Mac user group with proper attribution.