WinDeveloper IMF Tune


Inside Phishing

Alexander Zammit


Alexander Zammit has been developing server applications for over 15 years. Most of his works involve Exchange integrated applications, including a FAX server, a mail security product and anti-spam products.

  • Published: Sep 06, 2005
  • Category: Security

Email is the number one delivery channel for spam, phishing scams, viruses, and other malware. Various tricks are employed to ensure most emails reach their target recipient. Today we look at the latest phishing scam in order to highlight the set of tricks it adopts.

Often I am in a great hurry to clean up my Junk Email folder. Just a quick scan to verify no legitimate emails are present before deleting everything. This is what my normal routine visit entails. However, digging into this folder is sometimes helpful to better understand the threats reaching our users daily.

This is what I will do today. I will look into the latest phishing scam reaching my mailbox and go through the various tricks employed in emails of this type. Phishing is the term for emails that attempt to deceive their audience into handing over sensitive information. Whereas spam is typically happy to deliver adverts, phishing is run by more dangerous criminals with fraudulent intent.

This article discusses a specific email, but aims at highlighting the common logic and techniques behind email threats in general. Indeed very similar tricks are also employed in spam and virus distribution.

So here is the email. It is yet another attack on eBay and its users.

[Image: scam email]

This scam is attacking a well-known brand in order to attract the widest audience possible. Although the scam aims at defrauding eBay users, the damage incurred is broader. eBay is clearly a direct victim, seeing the trust it has established come under attack. Secondly, the entire e-commerce community suffers from a general loss of confidence.

Email Delivery

The first challenge the scammer needs to address is email delivery. The email must reach the target recipients. Ideally it should trick any email filters so as to land in the Inbox, mixed with legitimate emails. In this particular case there are a couple of tricks being employed to maximize successful delivery:

  1. The entire email content is an image! The email body shown above is not available as text. This is a classic trick to bypass keyword-based content filtering. The image itself is delivered as an attachment.

    This becomes clearer when looking into the raw HTML body content:

    <html><p><font face="Arial"><A HREF="https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&sid=verify&co_partnerId=2&siteid=0"><map name="uscx"><area coords="0, 0, 646, 569" shape="rect" href="http://210.75.207.62:680/rock/eBayIsap/index.htm"></map><img SRC="cid:part1.01000105.03010205@support_id_34@ebay.com" border="0" usemap="#uscx"></A></a></font></p><p><font color="#FFFFF7">William that's a call for you Community service Quotation Drudge Report </font></p></html>

  2. Looking closer into this HTML we also see that the body contains some invisible text saying:

    "William that's a call for you Community service Quotation Drudge Report".

    Of course this is totally unrelated to what the user sees. It aims at further misleading content filters which are unable to extract the true text as seen by the recipient.

Email Authenticity

Once the recipient opens the email, the scammer must lead his victim to click on the link within it. This is only possible if the email looks authentic and if it gives its victim enough reason to act immediately.

  1. The sender address is spoofed. It ends with @ebay.com despite not originating from eBay of course. Indeed the address was spoofed both at the SMTP Protocol MAIL FROM command and within the email content headers.

  2. The email content has a professional presentation that at first glance leads one to believe it is legitimate.

  3. The body also shows a valid eBay login link. This is purely a visual trick as the true link that is triggered on clicking anywhere on the image is:

    http://210.75.207.62:680/rock/eBayIsap/index.htm

  4. The email message tries to frighten the victim. It threatens account termination unless immediate action is taken.
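
The tricks described above (image-only body, invisible filler text, and an image map that overrides the displayed link) can be checked mechanically on the filtering side. The following Python code is an added example, not part of the original article or of any product mentioned on this page; the names BodyScan, scan and near_white, the near-white threshold (every colour channel at or above 0xF0) and the assumption of a white message background are illustrative choices.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Raw HTML body quoted in the article, split across string literals.
SAMPLE = (
    '<html><p><font face="Arial"><A HREF="https://signin.ebay.com/ws/eBayISAPI.dll?SignIn'
    '&sid=verify&co_partnerId=2&siteid=0"><map name="uscx"><area coords="0, 0, 646, 569" '
    'shape="rect" href="http://210.75.207.62:680/rock/eBayIsap/index.htm"></map>'
    '<img SRC="cid:part1.01000105.03010205@support_id_34@ebay.com" border="0" usemap="#uscx">'
    '</A></a></font></p><p><font color="#FFFFF7">William that\'s a call for you Community '
    'service Quotation Drudge Report </font></p></html>'
)

def near_white(color):
    # Assumption: white background, so channels >= 0xF0 render as unreadable text.
    m = re.fullmatch(r"#?([0-9a-fA-F]{6})", color)
    return bool(m) and all(int(m[1][i:i + 2], 16) >= 0xF0 for i in (0, 2, 4))

class BodyScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts = {"a": set(), "area": set()}  # link hosts, per tag type
        self.images, self.colors = 0, [""]        # <img> count, <font> colour stack
        self.visible, self.hidden = [], []        # text a reader can / cannot see
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in self.hosts and a.get("href"):
            self.hosts[tag].add(urlsplit(a["href"]).hostname or "")
        elif tag == "img":
            self.images += 1
        elif tag == "font":  # a <font> without a colour inherits the current one
            self.colors.append(a.get("color") or self.colors[-1])
    def handle_endtag(self, tag):
        if tag == "font" and len(self.colors) > 1:
            self.colors.pop()
    def handle_data(self, data):
        if data.strip():
            (self.hidden if near_white(self.colors[-1]) else self.visible).append(data.strip())

def scan(html_body):
    p = BodyScan()
    p.feed(html_body)
    p.close()  # flush any text still buffered by the parser
    a, area = p.hosts["a"], p.hosts["area"]
    return {
        "image_only_body": p.images > 0 and not p.visible,
        "hidden_text": p.hidden,
        "map_overrides_anchor": sorted(area - a) if a else [],
    }
```

Run over the body quoted above, scan(SAMPLE) reports an image-only body, returns the invisible filler sentence as hidden text, and lists the image-map host that differs from the eBay sign-in host shown in the anchor.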
