Inside Phishing

Alexander Zammit

Alexander Zammit has been developing server applications for over 15 years. Most of his work involves Exchange integrated applications, including a FAX server, a mail security product and anti-spam products.

  • Published: Sep 06, 2005
  • Category: Security

Email is the number one delivery channel for spam, phishing scams, viruses, and other malware. Various tricks are employed to ensure most emails reach their target recipient. Today we look at the latest phishing scam in order to highlight the set of tricks it adopts.

SPF to the Rescue

As we have seen, this email includes a nice pack of tricks, one of which is spoofing the originator address. This is a good example to illustrate the usefulness of SPF and Sender ID. These technologies will enhance the Exchange Intelligent Message Filter starting with the upcoming Exchange SP2 release. Using nslookup we can see that the following SPF record is published for the ebay.com domain:

v=spf1 mx include:s._spf.ebay.com include:m._spf.ebay.com include:p._spf.ebay.com include:c._spf.ebay.com ~all

Through its closing ~all term, this record specifies that emails originating from servers not identified by it should be subject to greater scrutiny. Email filters supporting SPF are thus in a position to turn such spoofing to their advantage. The failed SPF match can be combined with other gathered hints, achieving more accurate email classification.
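The evaluation described above, as an added example that is not part of the original article: it walks the quoted ebay.com record for a connecting IP and folds the SPF result into a score with other hints. The lookup tables stand in for DNS and use constructed documentation addresses, and the weights and hint names are hypothetical.

```python
import ipaddress

# SPF record for ebay.com exactly as quoted in the article.
EBAY_SPF = ("v=spf1 mx include:s._spf.ebay.com include:m._spf.ebay.com "
            "include:p._spf.ebay.com include:c._spf.ebay.com ~all")

# Constructed stand-in for DNS: documentation address ranges, not eBay's real data.
TXT = {"ebay.com": EBAY_SPF,
       "s._spf.ebay.com": "v=spf1 ip4:192.0.2.0/24 -all",
       "m._spf.ebay.com": "v=spf1 ip4:198.51.100.0/25 -all",
       "p._spf.ebay.com": "v=spf1 -all",
       "c._spf.ebay.com": "v=spf1 -all"}
MX = {"ebay.com": ["203.0.113.10"]}  # MX hosts already resolved to addresses
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Evaluate ip against domain's SPF record (mx, ip4, include, all only)."""
    record = TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    if depth > 10:                       # guard against include loops
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            matched = ip in MX.get(arg or domain, [])
        elif name == "include":
            nested = check_host(ip, arg, depth + 1)
            if nested in ("none", "permerror"):
                return "permerror"
            matched = nested == "pass"   # any other nested result: keep going
        else:
            return "permerror"           # mechanism outside this sketch
        if matched:
            return RESULT[qualifier]
    return "neutral"

# Hypothetical weights: SPF is one hint among several, not a verdict on its own.
SPF_WEIGHT = {"pass": -1, "neutral": 0, "none": 0,
              "softfail": 2, "fail": 4, "permerror": 1}

def spam_score(ip, from_domain, other_hints):
    """Add the SPF weight to the weights of the other content hints."""
    return SPF_WEIGHT[check_host(ip, from_domain)] + sum(other_hints.values())
```

A sender outside every listed range falls through to ~all and yields softfail, which raises the score without rejecting the message by itself.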

Stealing Credit Card Information

If the scammer convinced his victim to click on the link, we end up at his site.

Scammer Login Page

The site closely resembles the real eBay login page. Indeed anyone who was convinced to go this far is unlikely to escape from this point onwards.

If we look carefully at the address bar, there is yet another hint. The site is trying to use an Internet Explorer exploit that hides the true site address. In my case both the real and the fake URLs are visible, thus uncovering the use of this exploit. Further to this, note the account protection tip at the lower right corner of the page. It encourages the visitor to make sure that the address starts with https://signin.ebay.com/ (i.e. the fake URL).

Another hint that may enlighten the victim is the fact that the page is not secure. The typical Internet Explorer lock icon is not present.

Next I went ahead and entered a fake username and password. Of course the scammer has no way to validate this data. Hence, it was no surprise I was admitted to the next step encouraging me to hand over my credit card number.

Credit Card Information

The site asks for all the information including the PIN number!! If the request to supply the PIN does not ring a bell to our phantom victim then nothing else will. The scammers managed to net him.

I entered some random numbers here. I have to admit I have little knowledge of the logic behind credit card numbers. The scammers certainly know more than me, since they promptly informed me that the credit card number was invalid.

Invalid Credit Card

This concludes our journey for today. A note of caution is appropriate to anyone tempted to follow my example and play with these sites. Watch out, as many of these sites can be loaded with other exploits attempting to hijack the visitor's machine. This all depends on the real intent of the attacker. Some want to steal credit cards, others want to transform your machine into a zombie...

Copyright © 2005 - 2018 All rights reserved. ExchangeInbox.com is not affiliated with Microsoft Corporation