Somethin' Phishy

Re: Somethin' Phishy

Derek K. Miller — Wed, 13 Apr 2005 03:41:53 GMT

This particular phishing scam is, alas, far from something new. I wrote an article for TidBITS about it almost two years ago, and the essential technique has not changed, even as the scammers have gotten better at avoiding misspellings:

http://db.tidbits.com/getbits.acgi?tbart=07294

http://www.penmachine.com/paypalscam/

Note that in that case, the linked URL even began with www.paypal.com in the source code -- but isn't really a paypal.com URL at all. Sneaky.

re: Somethin' Phishy

Chris — Mon, 11 Apr 2005 09:05:05 GMT

We had an interesting phish a week back - the URL displayed when you hovered over the image in the HTML email pointed at the real web site, but the image had a client-side image map which had an URL which went to the phisher's web site!

Very cunning!

re: Somethin' Phishy

Will Parker — Mon, 11 Apr 2005 07:09:40 GMT

I got something similar recently purporting to be from EBay. Although I didn't bother to keep the precise details, the technical MO was quite similar. My bet is that the perps decided that they could easily use the same scam for Ebay and PayPal.

BTW, the address for reporting phishing attacks for EBay is spoof@ebay.com.

re: Somethin' Phishy

Chucky — Sun, 10 Apr 2005 22:29:04 GMT

<i>"That way, even if someone implements some kind of spoof, the password it harvests won't work."</i>

The solution you have provided can be easily defeated.

Once you give an app your admin password, it can place components where they will receive root access in the future <b>even if you change your admin password.</b>

The one and only solution is to not give your admin password to any app that you do not trust.

re: Somethin' Phishy

John Konopka — Sun, 10 Apr 2005 21:28:11 GMT

This spoof could work but first you would get the dialog from the OS asking for a password then you would get a dialog from the application asking for a password. I can see if I were a little distracted not being sure whether I had already entered the password or not.

Rather than switching the passwords back and forth you could just change the admin password each time you use it for an install.

re: Somethin' Phishy

Bob Maguire — Sun, 10 Apr 2005 21:00:37 GMT

I received two of these last night.

---
We regret to inform you that your paypal account could be suspended if
you don't resolve your billing issues. If your billing is not updated
your account will be put on hold.

If a hold should be placed on your account,you are prohibited from
using Paypal in any way. until billing is updated. This includes
registration of a new account. Please note that if your account is suspended any funds you have in your paypal account will be put on hold till this issue is resolved.

Please click on link below to update info:

http://203.162.1.205/support/support.asp

Best regards,
Safeharbor Department Paypal Inc.
The Paypal Team.

---

You guessed it. 202.0.0.0 - 203.255.255.255 are allocated to Asia Pacific Network Information Centre, but not registered with ARIN.

re: Somethin' Phishy

jbelkin — Sun, 10 Apr 2005 19:53:31 GMT

The paypal ones are pretty convincing ... though if you just roll over the url they ask you to click, everyone should know that by looking at that url, it's clearly not www.paypal.com.

But I can see where most people might just quickly hover and click.

I also don't understand how more people aren't arrested for that - if I call you up & ask for your checking account - I can be arrested, not exactly sure why doing it electronically is different ...

re: Somethin' Phishy

Joku — Sun, 10 Apr 2005 15:29:16 GMT

The one thing I'd love the Outlook people to implement is that, suppose you get a mail like that and it has one of those fishy adresses:

1st and most common spoof method I see on what gets through Outlook spam filters:

www.microsoft.com/login <123.123.123.123/***.xyz>

And real email from microsoft likely has:

www.microsoft.com/login <www.microsoft.com/login>

OR

Login here <www.microsoft.com/login>

I just get a TON of spoof where the 1st method is used. It is just mind blowingly easy to have some code that looks for:

link: REAL URL<FAKE URL>
and marks these as spam.
link: REAL URL<SAME AS REAL URL>
and
link: Sometext, but not a valid URL (analyze) <REAL URL>
would not be marked as spam.

That would like kill 99% of the spoof mails I get. And I still do not see it implemented.. Is there a problem I do not see or are the Outlook guys just plain not-thinking and looking for patterns here?