How Safe is Your Success? Part 5 of 8
"How Safe is Your Success" is a series of eight articles that
address different aspects of a universal problem which is of
particular importance to those who do business on-line. Most
Internet users are at least aware there are dangers "out there",
but few appreciate the real extent of those dangers, the
possible (even likely) consequences, or the best, most practical
and least expensive means of countering them. This series is
intended to at least provide some useful awareness of the
situation.
-------------------------
Part 5 - Phishy Tales
The word "phishing" has become something of a buzz word, yet
many casual Internet users still do not know what phishing
really is or how to identify it. In this part of our series I'm
going to use a simple but actual email to demonstrate the most
common form of phishing. But first, a bit of background.
Computer and technology dictionary Webopedia.com defines
phishing as "The act of sending an e-mail to a user falsely
claiming to be an established legitimate enterprise in an
attempt to scam the user into surrendering private information
that will be used for identity theft." On the origin of the
word, Webopedia says "Phishing, also referred to as brand
spoofing or carding, is a variation on 'fishing', the idea being
that bait is thrown out with the hopes that while most will
ignore the bait, some will be tempted into biting".
OK, but how do you distinguish between a phishing eMail and a
real message from, say, your bank or credit card provider? A
phishing message may look very legitimate, with all the right
logos and so on. Even most of the links may be the real thing.
Although there are often tell-tales such as poor spelling or bad
grammar, many examples of this scam do appear to be perfect in
every respect. The only way to see what is really going on is to
look "under the covers".
What the scammer is trying to do is get you to click on a link
that will take you to a website which is different to the one
you think it is going to take you to. At this dummy page the
scammer will try to get you to enter sensitive information such
as credit card or on-line banking details.
With plain text emails, what you see is what you get. If a link
says "www.CitiBank.com" then that is exactly where it will take
you. But all is not so transparent with the links in an HTML
email. With HTML the only way to tell where a link will really
take you is to look at the HTML code that underlies the message.
And "No", you cannot tell by hovering your mouse cursor over the
link and looking at the status bar. The status bar message can
be faked very easily.
All eMail client programs of which I am aware provide some means
for you to look at the HTML code. In Outlook, for instance, you
can right-click on the body of the message and select "View
Source" from the pop-up menu. I've selected the scam eMail I'm
going to use because it is a very simple example without too
much HTML code to complicate the picture. The original eMail as
it appeared in Microsoft Outlook can be seen here:
http://HackersNightmare.com/FreeContent/Other/phishing1.jpg
In a moment I'll show you the HTML code associated with that
eMail. Don't worry if you don't understand HTML code at all –
I'll explain the few important parts. But first, just a bit of
general information to help you make sense of what you see.
In HTML code, anything that is between < and > is
called a "tag". A tag is the actual code that tells the web
browser how to display the message text. In this simple example
there are only a few tags in use, and only one of them is very
important to us. The tags in use in the example email are:
. See Lines 1
and 2.
A line break. Several together is a series of line breaks.
E.g. line 3. NOTE: The dot before BR is not part of a real HTML
Tag. It is inserted so some editors will not interpret the text
as a real Tag.
and The text that appears between them will be in bold
type. See line 4.
. This tag must also be terminated with a
tag. See lines 16-18. Anything that appears between the and the is simply a comment, regardless of the
fact that it may look like a web address. This information is
critical to the following analysis.
Here's the actual HTML code that makes up the eMail message. I
have added the line numbers for ease of reference – they are not
part of HTML.
1.
3.
4. Dear SunTrust Client,
5.
6. We recently reviewed your account, and suspect that your
7. Suntrust account may have been accessed by an unauthorized
8. third party.Protecting the security of your account and of the
9. SunTrust network is our primary concern.
10.
11. Therefore, as a preventative measure, we have temporarily
12. limited access to sensitive Suntrust account features.
13.
14. Click the link below in order to regain access to your account:
15.
16.
17. https://internetbanking.suntrust.com
18.
19.
20. We received a massive identity thefts targeting SunTrust so
21. we suggest you to Confirm Your Banking Account within 24
22. hours.
23.
24. DO NOT FORGET TO COMPLETE BOTH FORMS, to
25. avoid Credit Card Fraud.
26.
27. We apologize for any inconvenience this may cause, and
28. apriciate your assistance in helping us maintain the integrity of
29. the entire SunTrust system.
30. Sincerely,
31. The SunTrust Security Department Team.
Incidentally, note the misspelling of "appreciate" on line 28.
There are other errors also, such as a missing space in
"party.Protecting" on line 8, and lines 20-21 are poor English.
Real financial institutions rarely make such obvious errors.
Now, it is lines 16 to 18 that are critical to our investigation
of this scam. Line 17 is apparently a link that suggests we will
be taken to "internetbanking.suntrust.com". There is no reason
to be suspicious of the address itself because it is after all
on the SunTrust website. But…
Line 17 is not inside a tag, as denoted by an opening < and a
closing >. The tag that indicates the real target of the link is
on the previous line, line 16. The text
"https://internetbanking.suntrust.com" on line 17 is just that –
nothing but text. It could just as easily read "Find Nemo here"
and it would have the same effect. The real target of the link
is, as line 16 indicates, "http://www.toyworld.org/SunTrust"
because it is in the "