Wednesday, April 30, 2008

Ways to tell a phishing email...

Sorry for the delay in the second part of this anti-phish blog. I've been really busy these weeks. Well, here it goes...

Now that you have the basic knowledge of protecting yourself against phishing, how do you tell a real mail from a phishing email? There are three important factors we can focus on in this blog.

1) Objective of Mail
2) SMTP header (I hope you did some reading up, as mentioned in my earlier blog)
3) The hyperlink in the email and URL cloaking

Objective of Mail


If the objective of the email is to obtain your password and other confidential personal information by bringing you to a link and having you enter your ID and password, such an email has a high chance of being a spoof mail. Though not 100%, almost all mails that I have encountered asking for such information in electronic form were spoof mails. Call the relevant organisation to verify the authenticity of the mail. **Please do not click on the hyperlink and call the number shown on the website; the number can be FAKE.

SMTP Header


This is a little more technical, but I will make it simple and hope you can follow it.

To see the email header, you'll need to view the properties of the email. To do this in MS Outlook 2007, for instance, right-click the email (before opening it), then select 'Message Option' from the drop-down menu. You will see an "Internet Header" box which shows the header.

**Example shown below:

Here is a comparison between the headers of a spoofed and a genuine eBay email.

The spoof header:

Return-Path:
Delivered-To: webmaster@millersmiles.co.uk
Received: (qmail 21262 invoked from network); 6 Jun 2003 21:21:49 -0000
Received: from unknown (HELO mail.almtal.net) (217.16.118.12)
by server16.donhost.co.uk with SMTP; 6 Jun 2003 21:21:49 -0000
Received: from localhost (mail.almtal.net [127.0.0.1])
by mail.almtal.net (8.11.6/8.8.7) with SMTP id h56LRD008495
for ; Fri, 6 Jun 2003 23:27:16 +0200
Message-Id: <200306062127.h56LRD008495@mail.almtal.net>
From:
To:
Subject: ebaY Contest
Date: Fri, 6 Jun 2003 23:27:13 +0200
X-Mailer: sendEmail-1.40
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

The genuine header: (see a copy of this email)

Return-Path:
Delivered-To: millersmiles-auctions@millersmiles.co.uk
Received: (qmail 36907 invoked from network); 9 Jun 2003 10:22:29 -0000
Received: from unknown (HELO mx5.smf.ebay.com) (66.135.209.200)
by server16.donhost.co.uk with SMTP; 9 Jun 2003 10:22:29 -0000
Received: from miami.smf.ebay.com (miami.smf.ebay.com [66.135.215.166])
by mx5.smf.ebay.com (8.12.3/8.12.3) with ESMTP id h59AMQG9000488
for ; Mon, 9 Jun 2003 03:22:26 -0700
Received: from rhv-kas-03.corp.ebay.com (rhv-kas-03.corp.ebay.com [64.68.79.239])
by miami.smf.ebay.com (8.11.6+Sun/8.11.6) with SMTP id h59AMfZ10198
for ; Mon, 9 Jun 2003 03:22:41 -0700 (PDT)
Message-Id: <200306091022.h59AMfZ10198@miami.smf.ebay.com>
Date: Mon, 09 Jun 2003 03:22:28 -0700
To: millersmiles
Subject: Re: (KMM72404455V54089L0KM)
From: eBay United Kingdom Customer Support
Reply-To: eBay United Kingdom Customer Support
MIME-Version: 1.0
Content-Type: text/plain; charset = "us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Kana 6.0

See the differences:

The 'Received: from unknown (HELO xxx.xxxx.xxx)' part tells us the details of the machine that the email was sent from. In this case, the spoof shows a machine with the ID 'mail.almtal.net' and IP address 217.16.118.12, whereas eBay's genuine email has come from a machine with the ID mx5.smf.ebay.com and IP address 66.135.209.200. When doing a whois lookup (or a reverse DNS lookup) on the IP address, it is clear that the genuine email originated from eBay's mail server at IP 66.135.209.200 (eBay, San Jose, CA), whereas the spoof came from a different machine at an IP address that is owned by someone in Wien, Austria.

The handling mail server has further added an identifier for the sending server. In the case of the spoof, 'Received: from localhost (mail.almtal.net [127.0.0.1])' is either an internal mail server or a mail server running on the same machine, whereas eBay's genuine email correctly shows that the sending server was identified as miami.smf.ebay.com [66.135.215.166] (which again proves to be owned by eBay when conducting a whois lookup).

The email server and mail software version are shown by the handling server as the email is relayed from ISP to ISP. The spoof shows 'by mail.almtal.net (8.11.6/8.8.7)', which again is NOT eBay's mail server, whereas the genuine email correctly shows 'by mx5.smf.ebay.com (8.12.3/8.12.3)'. ** (Example lifted from http://www.millersmiles.co.uk)
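As an added example (my own script, not part of the original post nor from millersmiles.co.uk), here is how the comparison above can be done in code. The two header samples are reconstructed from the ones quoted above: the addresses missing from the post are left out, and the continuation lines are indented as they would be in a real message. The script pulls the HELO name, the reverse-DNS name, the IP address and the 'by' server out of each Received line, then checks whether the entry hop's name falls under the domain the mail claims to come from. The whois or reverse-DNS check of the IP that the post describes needs network access, so it is left to the reader; the HELO name alone is self-declared by the sender and must not be trusted on its own.

```python
import re
from email import message_from_string

# Constructed from the spoof header quoted in the post (elided addresses omitted).
SPOOF_HEADER = """\
Delivered-To: webmaster@millersmiles.co.uk
Received: (qmail 21262 invoked from network); 6 Jun 2003 21:21:49 -0000
Received: from unknown (HELO mail.almtal.net) (217.16.118.12)
    by server16.donhost.co.uk with SMTP; 6 Jun 2003 21:21:49 -0000
Received: from localhost (mail.almtal.net [127.0.0.1])
    by mail.almtal.net (8.11.6/8.8.7) with SMTP id h56LRD008495;
    Fri, 6 Jun 2003 23:27:16 +0200
Message-Id: <200306062127.h56LRD008495@mail.almtal.net>
Subject: ebaY Contest
Date: Fri, 6 Jun 2003 23:27:13 +0200
X-Mailer: sendEmail-1.40
"""

# Constructed from the genuine eBay header quoted in the post (elided addresses omitted).
GENUINE_HEADER = """\
Delivered-To: millersmiles-auctions@millersmiles.co.uk
Received: (qmail 36907 invoked from network); 9 Jun 2003 10:22:29 -0000
Received: from unknown (HELO mx5.smf.ebay.com) (66.135.209.200)
    by server16.donhost.co.uk with SMTP; 9 Jun 2003 10:22:29 -0000
Received: from miami.smf.ebay.com (miami.smf.ebay.com [66.135.215.166])
    by mx5.smf.ebay.com (8.12.3/8.12.3) with ESMTP id h59AMQG9000488;
    Mon, 9 Jun 2003 03:22:26 -0700
Received: from rhv-kas-03.corp.ebay.com (rhv-kas-03.corp.ebay.com [64.68.79.239])
    by miami.smf.ebay.com (8.11.6+Sun/8.11.6) with SMTP id h59AMfZ10198;
    Mon, 9 Jun 2003 03:22:41 -0700 (PDT)
Message-Id: <200306091022.h59AMfZ10198@miami.smf.ebay.com>
Date: Mon, 09 Jun 2003 03:22:28 -0700
Subject: Re: (KMM72404455V54089L0KM)
X-Mailer: Kana 6.0
"""

# "from unknown (HELO mail.almtal.net) (217.16.118.12)" -- the qmail style of peer record
HELO_RE = re.compile(
    r"from\s+(?P<name>\S+)\s+\(HELO\s+(?P<helo>[^)\s]+)\)\s+\((?P<ip>\d+(?:\.\d+){3})\)")
# "from localhost (mail.almtal.net [127.0.0.1])" -- the sendmail style of peer record
RDNS_RE = re.compile(
    r"from\s+(?P<name>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>\d+(?:\.\d+){3})\]\)")
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)")


def parse_received(raw_headers):
    """Return one dict per Received line that names a peer host, in the order the
    lines appear (newest hop first). Lines such as '(qmail ... invoked from network)'
    carry no peer address and are skipped."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        m = HELO_RE.search(flat) or RDNS_RE.search(flat)
        if not m:
            continue
        fields = m.groupdict()
        by = BY_RE.search(flat)
        hops.append({
            "name": fields["name"],                               # what the peer said it was
            "claimed": fields.get("helo") or fields.get("rdns"),  # HELO name or reverse DNS
            "ip": fields["ip"],                                   # the address the peer connected from
            "by": by.group("by") if by else None,                 # the server that wrote this line
        })
    return hops


def entry_hop(raw_headers):
    """The hop where the mail entered the receiving side: the first Received line with a peer."""
    hops = parse_received(raw_headers)
    return hops[0] if hops else None


def sender_domain_matches(raw_headers, expected_domain):
    """True if the entry hop's HELO/rDNS name sits under the domain the mail purports to be from.
    A match is only a first filter: the IP must still be checked with whois / reverse DNS."""
    hop = entry_hop(raw_headers)
    if hop is None:
        return False
    name = hop["claimed"].lower().rstrip(".")
    expected_domain = expected_domain.lower()
    return name == expected_domain or name.endswith("." + expected_domain)


if __name__ == "__main__":
    for label, raw in (("spoof", SPOOF_HEADER), ("genuine", GENUINE_HEADER)):
        hop = entry_hop(raw)
        print(f"{label}: entered via {hop['claimed']} ({hop['ip']}) at {hop['by']};"
              f" under ebay.com: {sender_domain_matches(raw, 'ebay.com')}")
```

Run as a script it prints one line per sample; the spoof enters via mail.almtal.net (217.16.118.12), the genuine mail via mx5.smf.ebay.com (66.135.209.200), and only the latter passes the domain check.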

The hyperlink in the email and URL cloaking

Now, how many of you can tell which of the hyperlinks below is real just by looking?

1) http://www.arofanatics.com/forums/showthread.php?t=316662

2) http://www.arofanatics.com-securitycheckw8grhgakdj-jd7788-accountmaintenace-4957725-s5982ut-aw-ebayconfirm-secure/

3) http://www.clubhyundai.org

Out of the three links above, only one of them will lead you to where it appears to point. Hyperlinks can be easily spoofed, and users are often tricked into visiting a website that looks similar to, or 99% the same as, the usual website. These phishing sites are hosted on different servers, and the organisation being spoofed would take some time to bring down the spoof site or to notify its customers. Therefore it is important to know about such tricks and how to avoid them. When you move your mouse cursor over the link, it will show you the actual website you will be brought to.
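As an added example (my own code, not part of the original post), the hover check described above can be done in code: parse the anchors out of an HTML mail body, take the hostname the browser would actually connect to from each href, and flag any link whose visible text names a different host. The sample HTML is constructed around the three links above, with link 2 placed as the href behind text that displays link 1; that is exactly the mismatch hovering would reveal.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: links 1 and 3 are honest, link 2 shows one URL but goes to another.
SAMPLE_HTML = """
<p>Please review the thread at
<a href="http://www.arofanatics.com/forums/showthread.php?t=316662">http://www.arofanatics.com/forums/showthread.php?t=316662</a>.</p>
<p>To keep your account active, confirm your details at
<a href="http://www.arofanatics.com-securitycheckw8grhgakdj-jd7788-accountmaintenace-4957725-s5982ut-aw-ebayconfirm-secure/">http://www.arofanatics.com/forums/showthread.php?t=316662</a>.</p>
<p>Our partner site: <a href="http://www.clubhyundai.org">www.clubhyundai.org</a></p>
<p><a href="http://www.clubhyundai.org/events">Click here</a> for events.</p>
"""


def host_of(url):
    """Hostname the browser would connect to. A bare 'www.example.org' is treated as http://."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def under_domain(host, domain):
    """True if host is the domain itself or a subdomain of it; a hyphenated look-alike
    such as 'example.com-secure' is not."""
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def looks_like_url(text):
    return "://" in text or text.lower().startswith("www.")


def mismatched_links(html):
    """Links whose visible text is a URL naming one host while the href goes to another.
    Text such as 'Click here' names no host and is not flagged; hover to see its target."""
    flagged = []
    for href, text in extract_links(html):
        if looks_like_url(text) and host_of(text) != host_of(href):
            flagged.append((text, href))
    return flagged


if __name__ == "__main__":
    for text, href in mismatched_links(SAMPLE_HTML):
        print(f"shown: {text}\n  goes to: {host_of(href)}")
```

The hostname is taken with urlsplit rather than by eyeballing the string, because the hostname ends at the first slash after the scheme; everything in link 2 up to "-secure" is the host, and it is not under arofanatics.com even though it starts with those characters.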

There are many ways an email can be spoofed, and honestly there isn't much we can do about it. But knowing the threat is there and not protecting yourself against it is pure foolishness, isn't it?

1 comment:

Fireopal said...

I have been receiving many phishing emails from some Singnet technical help desk recently..

maybe you should do a feature and warn others of this!