"Phishing" For Fun and Profit
Rick Hellewell

August 12, 2004 - Last Updated May 23, 2011 07:59 PM  PDT


We got an interesting email recently. It was 'from' US Bank, but it was really a 'phishing' attempt to get our financial / personal information. We decided to analyze it and report on our findings.

The original message came via email, but we took the code and put it into this web page. The original text is the first green text below, along with the actual graphic (above). The original text was well-written, with no grammar or spelling errors. Please note that the original email did not come from US Bank; it came from someone trying to steal your money. It used some clever (and commonly used) techniques to hide its true purpose. (US Bank, like many other financial institutions, has information on how to spot 'phishing' messages.)

All phishing email senders want to get your bank/credit card information, passwords, PINs, etc. in order to place fraudulent charges against your account. We took the time to analyze this particular one in order to help educate people on phishing techniques. It's possible (and probable) that if you respond to a phishing email, your account will be charged within an hour of your response. We'll include some links to additional information about phishing attempts, and a short test to see if you can 'spot the phisherman'.

This particular phishing email is a bit more clever than most. The original text is well-written, without grammar errors, and it uses some interesting techniques to hide its true purpose.

A Phishing Analysis

[U.S. Bank logo]

To see how this works, follow along as we analyze the techniques used by the phisherman. First, the email (when viewed in HTML mode) had the US Bank logo that you see here. The logo is actually from the bank's web site. Here's the HTML code that did that:

<img alt="U.S. Bank" hspace=10 src="https://www4.usbank.com/internetBankingStatic/images/logo.gif" border=0>

You can see that the image code uses the 'gif' file from the bank's site, even applying an 'alt' attribute that will display the text "U.S. Bank" when you move the mouse over the image. This helps the phishing email appear to be authentic.

The next part of the email's original message contains text alerting you to a problem with your computer. It includes the following text, along with a link.

In order to check if your computer system is compatible with our new security standards, please login to your account.

Login immediately to your account.

Move your mouse pointer over the above link, then look at the bottom of your browser window -- the "status" area. You should see what looks like a valid bank web address. That web address looks pretty good, right? (When you click on this link, you'll get a 'page not displayed' error, because we changed the original link address.)

The above link contains this code (we put some line breaks to display it more clearly, and changed the IP address to hide the real location for safety):

<a href="http://111.111.111.111/us/index.php" onMouseMove="window.status = 'http://www.usbank.com./internetBanking./RequestRouter
?requestCmdId=DisplayLoginPage';return true;" onMouseout="window.status=''">
Login immediately</a> to your account.

Note the use of the 'onMouseMove' attribute of the "a" (link) tag to display text in the 'status' area of the browser (in IE, at the bottom of the browser window). It's a very common habit to look at the status area to confirm the link before clicking. The 'onMouseMove' attribute is very commonly used and can be useful, say to display a pop-up box, or perhaps to change the color of the text when you move the mouse over the link. In this case, it has a more nefarious purpose. This link just displays a message on the status line, and its href points back to this page. (Go ahead and click on the link to get back to about here.)

This technique of using the onMouseMove attribute makes the link look valid. But what actually happens when you click on the link is defined by the "href" attribute of the "a" tag. You won't go to the address shown when you 'hover' over the link. You'll go to our bogus web site at the IP address "111.111.111.111" (and get a "Page Not Found" error).
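One way to catch this trick before a user ever hovers over the link is to scan the HTML for anchors whose real target disagrees with what the reader is shown. The script below is an added example, not code from the original page: it walks every "a" tag with Python's standard html.parser, pulls the host out of the href, and flags the anchor when the href is a bare IP address, when a mouse handler rewrites window.status to a different host, or when link text that looks like a URL names a different host. The sample HTML is constructed from the anchor shown above (with the 111.111.111.111 placeholder the page already uses) plus one benign link for comparison; the function names are my own.

```python
"""Flag anchors in HTML (for example an email body) whose visible or
status-bar address does not match the real href target."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Matches the status-line spoof used by the phishing message:
#   onMouseMove="window.status = 'http://...'; return true;"
STATUS_RE = re.compile(r"""window\.status\s*=\s*['"]([^'"]*)['"]""", re.I)

# Constructed sample: the phishing anchor from the page plus a benign link.
SAMPLE_HTML = """
<p>In order to check if your computer system is compatible with our new
security standards, please login to your account.</p>
<a href="http://111.111.111.111/us/index.php" onMouseMove="window.status = 'http://www.usbank.com./internetBanking./RequestRouter
?requestCmdId=DisplayLoginPage';return true;" onMouseout="window.status=''">
Login immediately</a> to your account.
<p>Benign link: <a href="https://www.usbank.com/">https://www.usbank.com/</a></p>
"""


def host_of(url):
    """Lowercased host of a URL with any trailing dot removed, or '' if none."""
    try:
        host = urlsplit(url.strip()).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()


def is_ip_literal(host):
    """True when the host is a numeric IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class AnchorCollector(HTMLParser):
    """Collects every <a> tag together with its attributes and visible text."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = {"attrs": {k.lower(): (v or "") for k, v in attrs},
                             "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.anchors.append(self._current)
            self._current = None


def find_suspicious_links(html):
    """Return a list of {href, text, reasons} for anchors that look deceptive."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for anchor in parser.anchors:
        attrs = anchor["attrs"]
        href = attrs.get("href", "")
        real_host = host_of(href)
        reasons = []
        if real_host and is_ip_literal(real_host):
            reasons.append("href points at a bare IP address")
        # Any on* handler that rewrites window.status to another host is a spoof.
        for name, value in attrs.items():
            if name.startswith("on"):
                match = STATUS_RE.search(value)
                if match:
                    shown_host = host_of(match.group(1))
                    if shown_host and shown_host != real_host:
                        reasons.append(f"status bar shows {shown_host} "
                                       f"but href goes to {real_host or href!r}")
        # Link text that looks like a URL should name the same host as the href.
        text = anchor["text"]
        text_host = host_of(text) if "://" in text else ""
        if text_host and text_host != real_host:
            reasons.append(f"link text shows {text_host} "
                           f"but href goes to {real_host or href!r}")
        if reasons:
            findings.append({"href": href, "text": text.strip(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_HTML):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run against the sample, only the "Login immediately" anchor is reported, with two reasons: the href is a bare IP, and the status-bar text names www.usbank.com while the href does not. The benign link passes because its text and href agree. Note that the spoofed address carries a trailing dot ("www.usbank.com."); host_of strips it so that a cosmetic difference alone does not hide the mismatch.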

Here's an example of the pages you'll see if you click on a phishing link. The pages are getting very realistic.

Some Limited Testing

We did some testing of this with Internet Explorer (pre- and post-SP2 on a WinXP system). In both instances of IE, the results are as described above. The same results are with NetCaptor, which is an alternate browser that uses the IE 'engine'.

With Opera (version 7.50 with the ad-banners, running on a Xandros system), a mouse hover will pop up a box with the actual 'href' address. But the Opera Status Bar (when enabled) will show the bogus link (or our "Hello there!" message).

So it is possible that this technique will not fool non-IE browser users. But remember, the original version of this was in an email, not on a web page like this one. When you view a message in HTML mode, you don't get a status bar or a little pop-up window that shows you the actual link address. I've verified this with Outlook (fully patched on a Windows XP/SP2 system), and in Novell's GroupWise mail client. I don't have any other mail clients on my computers, so it's not clear how they handle this technique.

The lesson here is that you should be very careful with email messages that ask you to verify your personal / financial / login information. If you need to do that, go to the real web site by typing in their web site address, never by clicking on a link in the email.

A Phishing Test

Can you be fooled by a phishing email? This site has a 10-question test showing actual email messages. Your job is to figure out if the messages are real or bogus.

For more examples of phishing messages, go to the Anti-Phishing Organization web site. They have links to other pages/sites that will be educational. You should also go to the security or privacy areas of your bank and/or credit card web sites (but type in their address).

And you can check out our "Daynotes" page (aka 'blog') for other sometimes-interesting notes about computer security.

Caveat Emptor!

Rick Hellewell -- August 12th, 2004

http://www.digitalchoke.com

More comments available on our "Daynote" site: http://www.digitalchoke.com/daynotes. You are invited to send your comments here.

Copyright © 2004 by Rick Hellewell, All Rights Reserved. Permission granted to reproduce in whole without editing, while providing attribution to the source document and the author. Limited excerpts can also be referenced, with links to the original source document and the author.

You are not allowed to write code that will perform these functions. That would be naughty and evil.

The link to this document is below.

http://www.digitalchoke.com/daynotes/reports/bank-phish01.php