Last Updated May 23, 2011 07:59 PMPDT
Other Reports
|
There's a somewhat newer technique that 'phishers' are using to get your financial information for identity theft and financial fraud. It most commonly comes in an email message that purports to be from eBay, PayPal, or your bank.
But it's an evil thing they do.
I manage the email filtering for a large west coast US governmental agency. We get about 50,000 messages a day, and 45% of those are blocked as spam.
We also get about 1000-1500 'phishing' emails a day. We block most of those with various techniques. You probably also get them also. Even on my home email account, which is pretty hidden from view, I get several each day.
If you know what they look like, then you can ignore them. As a rule, I usually ignore any message from anyone that tells me that my "account information needs to be updated". I just delete them, but I have noticed this new technique that can fool the unwary, along with being able to get past many email filtering programs (except mine).
One of the best ways to avoid evil emails is to make sure that your mail client, such as MS Outlook, is set to display all of your messages as text, not as HTML (web-based). This is the default for newer versions of Outlook; updating is recommended. (Go to www.microsoft.com/protect , install the new "Microsoft Update", and have it automatically update your Windows and Office software.)
(Of course, you folks that use the alternative browsers/email clients may not be affected with some of these techniques. But most people are using Microsoft Windows and Outlook. This information is for them ... and for your friends and relatives, who are not techno-geeks using 'open source' software.)
This is important to know.
You get an email from eBay (or your bank, or PayPal). It tells you that your account has been compromised, and they need you to re-enter your login and financial information. An example of this type of mail can be found in our report here. Go ahead and take a peek at that if you are not familiar with phishing emails.
These new emails are similar, but they use a graphic image for their message. And the link for the graphic goes to an evil web site that might look like eBay/your bank. All they want to know is your credit card number, PIN, Social Security Number, your mother's maiden name; all the other info that allows the evil spammer to commit financial fraud.
Here's how they do it. I show the HTML code in brackets, and have obscured the actual web site address of the evil site. (This information is well-known in evil spammer's circles, so I am not revealing any new information. And although this example shows eBay, eBay did not send out the email.)
Inside the message is this HTML code (shown like this). The lines starting with "...." are explanations of that HTML code.
[html]
.... the start of the HTML code in the message
[p]
.... start a paragraph
[font face="Arial"]
.... use the Arial font
[A HREF="https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&sid=verify&co_partnerId=2&siteid=0"]
.... a link to eBay's site, using the 'evil' eBayISAPI dll . If you move your
mouse over this link, you'll see the "signin.eba.com/..." site,
making you believe that the link is valid.
[map name="vrk"]
.... this defines a 'map' area, which is used to put a link in an area of a
graphic
[area coords="0, 0, 646, 569" shape="rect" href="http://nnn.nnn.nnn.nnn/.../e3b/"]
.... the area of the map; in this case, it's probably most of the area of your
email message. It's a rectangle, and it has it's own 'href' -- a link
to the 'evil' site (the IP address numbers are obscured here). So if you
click in the area of the map, you will be taken to the evil site, not eBay's
site.
[/map]
.... end of the map command
[img SRC="cid:part1.04040401.02070700@supprefnum9050925566425@ebay.com" border="0" usemap="#vrk"]
.... since this image is inside the 'A HREF' command, this displays an image
file attached to the message. The image (encoded in the SRC filename, but
probably a benign-looking file name) is a picture of an "eBay
message" (not
really from them) that alerts you to a problem with your eBay account. The
image typically has an eBay logo and style that is quite similar to the actual
eBay site. In fact, the phisher probably did a screen capture of a valid
eBay page to get that graphic.
Here's what that evil image looks like:
Using a graphic image is useful to the phisher, because a picture of text can't be scanned by email filters that look at the text of a message. Email filters may know about existing 'bad/evil' image files, and may block those. But the phisher just makes a slight change his graphic file, and blasts out his message for a few days. Email filters will not know about that version of the image for a day or two; in the meantime, the phisher has blasted out a million or two of his phishing emails. And they will get responses.
[/A]
... here's the closing tag of the A HREF command
[/a]
... and another ...
[/font]
... the closing tag for the FONT command
[/p]
... the closing tag for the P command
[p]
... start another paragraph
[font color="#FFFFFB"]
... set the font color to almost white, so the following text won't be visible
(most mail clients have a white background). As an example, there is a word
right here -- hidden -- that you can't see because
I set the word to that color.
Blackout rescue I object to... In short. in 1815 in 2000
... here's the invisible text. It's just random/benign words that attempt to
bypass Bayesnian Filters (which analyze the words in a message -- the more
benign
words, the
less chance of a spammy message).
[/font]
.... closing tag for the FONT command
[/p]
.... closing tag for the P command
[/html]
.... closing tag for the HTML command; end of the message
So, what if you click on the link? You get to go to the evil phisher's site, and are asked to enter your personal information. (See our example here.)
Or worse.
The folks at the Internet Storm Center analyzed a similar email. By clicking on the link:
"First off, there is an exploit on the page that takes advantage of MS05-001 (Vulnerability in HTML Help Could Allow Code Execution) which is just another cross-domain scripting vulnerability. This allows you to get a file called ppp.hta from their website and is then launched on your local hard drive. This then creates a file called netlog.exe and and this appears to be launched on your local hard drive by using Windows Media Player.
Netlog.exe then goes and gets another file called win32sba.exe, which is Robobot variant."Now your system can be used for what ever malicious intent the folks who set this scheme up had in mind."
Click on the link, and you computer is now under the control of the evil phisher. And your credit card account is drained. And new credit accounts are set up in your name to be used by the evil phisher. And your credit rating is destroyed. And the files on your computer are accessed by the evil phisher. Who can also destroy your computer files.
And you'll spend about 1000 hours and over $6,000 trying to fix that financial
damage.
Awareness is the key to safe computing. My rule is that any email from anyone, even if I know them, that tells me to go to a link to verify my information is deleted. If (and that's a rare 'if') I think it is valid, I don't click on the link. I type it in manually.
And I keep my software updated and patched (see here) automatically.
And I tell others -- friends, family, and you. Take a look at those other reports in the box at the top of this page.
Be careful out there.
Rick Hellewell -- August 5th, 2005
More comments available on our "Daynote" site: http://www.digitalchoke.com/daynotes. Your are invited to send your comments here.