Often I am in a great hurry to clean up my Junk Email folder. Just a quick scan to verify no legitimate emails are present before deleting everything. This is what my normal routine visit entails. However, digging into this folder is sometimes helpful to better understand the threats reaching our users daily.
This is what I will do today. I will look into the latest phishing scam reaching my mailbox and go through the various tricks employed in emails of this type. Phishing is a term used for emails that attempt to deceive their recipients into handing over sensitive information such as passwords and card numbers. Whereas spam is typically content to deliver adverts, phishing is run by more dangerous criminals with fraudulent intent.
This article discusses a specific email, but aims at highlighting the common logic and techniques behind email threats in general. Indeed very similar tricks are also employed in spam and virus distribution.
So here is the email. It is yet another attack on eBay and its users.
This scam is attacking a well known brand in order to attract the widest audience possible. Although the scam aims at defrauding eBay users, the damage incurred is broader. eBay itself is a direct victim, seeing the trust it has built come under attack, and beyond that the entire e-commerce community suffers from a general loss of confidence.
Email Delivery
The first challenge the scammer needs to address is email delivery. The email must reach the target recipients. Ideally it should get past any email filters so as to land in the Inbox mixed with legitimate emails. In this particular case a couple of tricks are employed to maximize successful delivery:
- The entire email content is an image! The email body shown above is not available as text, so a keyword-based content filter has nothing to match against. This is a classic trick. The image itself is delivered as a MIME attachment and pulled into the HTML by its Content-ID (the cid: URL in the img tag below).
This becomes clearer when looking into the raw HTML body content:
<html><p><font face="Arial"><A HREF="https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&sid=verify&co_partnerId=2&siteid=0"><map name="uscx"><area coords="0, 0, 646, 569" shape="rect" href="http://210.75.207.62:680/rock/eBayIsap/index.htm"></map><img SRC="cid:part1.01000105.03010205@support_id_34@ebay.com" border="0" usemap="#uscx"></A></a></font></p><p><font color="#FFFFF7">William that's a call for you Community service Quotation Drudge Report </font></p></html>
- Looking closer at this HTML we also see that the body contains some hidden text: "William that's a call for you Community service Quotation Drudge Report". It is set in font color #FFFFF7, a shade of white that vanishes against the white background, so the recipient never sees it. Of course it is totally unrelated to what the user sees. It aims at further misleading content filters: a filter that scores the extracted text finds only these innocuous words, while the text the recipient actually reads is locked inside the image.
Email Authenticity
Once the recipient opens the email, the scammer must lead his victim to click on the link within it. This is only possible if the email looks authentic and if it gives its victim enough reason to act immediately.
The sender address is spoofed. It ends in @ebay.com although the message of course did not originate from eBay. It was spoofed in two places: the SMTP envelope sender given in the MAIL FROM command, and the From: header inside the message content. Neither is authenticated by SMTP itself, so the recipient's mail client simply displays whatever the sender chose to put there.
The email content has a professional presentation that at first glance leads one to believe it is legitimate.
The body also shows a valid eBay login link. This is purely a visual trick. In the HTML above the image is wrapped in an anchor whose HREF is the genuine https://signin.ebay.com/ sign-in URL, but the image also carries an image map (usemap="#uscx") whose single area covers the whole image (coords 0,0 to 646,569) and takes precedence over the anchor. The true link triggered by clicking anywhere on the image is therefore:
http://210.75.207.62:680/rock/eBayIsap/index.htm
The email message tries to frighten the victim: it threatens account termination unless immediate action is taken.
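The two delivery tricks (image-only body, hidden near-white text) and the image-map link override can all be picked out mechanically from the raw HTML. The following Python script is an added example written for this article, not code from the original post or from any mail filter. It parses the message body quoted above with the standard library and reports what a content filter would want to know: whether there is any visible text at all, what the hidden text says, and whether the host the user is led to expect (the anchor's HREF) matches the host an image-map click actually hits. The near-white threshold (0xF0 per channel) and the "raw IP or odd port" heuristic are choices made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress

# Sample input: the raw HTML body of the phishing message quoted in the article.
PHISH_HTML = (
    '<html><p><font face="Arial"><A HREF="https://signin.ebay.com/ws/eBayISAPI.dll'
    '?SignIn&sid=verify&co_partnerId=2&siteid=0"><map name="uscx">'
    '<area coords="0, 0, 646, 569" shape="rect" '
    'href="http://210.75.207.62:680/rock/eBayIsap/index.htm"></map>'
    '<img SRC="cid:part1.01000105.03010205@support_id_34@ebay.com" border="0" '
    'usemap="#uscx"></A></a></font></p><p><font color="#FFFFF7">William that\'s a '
    'call for you Community service Quotation Drudge Report </font></p></html>'
)


def is_near_white(color, threshold=0xF0):
    """True for #RRGGBB colours that vanish on a white background.
    The per-channel threshold is an arbitrary choice for this example."""
    if not color or not color.startswith("#") or len(color) != 7:
        return False
    try:
        r, g, b = (int(color[i:i + 2], 16) for i in (1, 3, 5))
    except ValueError:
        return False
    return min(r, g, b) >= threshold


class MailHtmlAudit(HTMLParser):
    """Collects the facts a content filter cares about from an HTML body.
    html.parser lowercases tag and attribute names, so <A HREF> arrives as a/href."""

    def __init__(self):
        super().__init__()
        self.anchor_hrefs = []   # where the wrapping <a> claims the click goes
        self.area_hrefs = []     # where an image-map <area> actually sends it
        self.images = []
        self.visible_text = []
        self.hidden_text = []
        self._colors = []        # stack of <font color=...> values in effect

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.anchor_hrefs.append(a["href"])
        elif tag == "area" and a.get("href"):
            self.area_hrefs.append(a["href"])
        elif tag == "img":
            self.images.append(a.get("src", ""))
        elif tag == "font":
            self._colors.append(a.get("color"))

    def handle_endtag(self, tag):
        if tag == "font" and self._colors:
            self._colors.pop()

    def handle_data(self, data):
        text = data.strip()
        if not text:
            return
        color = self._colors[-1] if self._colors else None
        (self.hidden_text if is_near_white(color) else self.visible_text).append(text)


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit(html_body):
    """Return the deception indicators found in one HTML mail body."""
    p = MailHtmlAudit()
    p.feed(html_body)
    p.close()
    shown = {_host(u) for u in p.anchor_hrefs}
    actual = {_host(u) for u in p.area_hrefs}
    suspicious = []
    for url in p.area_hrefs + p.anchor_hrefs:
        parts = urlsplit(url)
        # Raw IP addresses and non-standard ports are rare in legitimate brand mail.
        if _is_ip_literal(parts.hostname or "") or parts.port not in (None, 80, 443):
            suspicious.append(url)
    return {
        "image_only": bool(p.images) and not p.visible_text,
        "hidden_text": " ".join(p.hidden_text),
        "shown_hosts": sorted(shown),
        "actual_hosts": sorted(actual),
        "link_mismatch": bool(actual - shown),
        "suspicious_urls": suspicious,
    }


if __name__ == "__main__":
    for key, value in audit(PHISH_HTML).items():
        print(f"{key}: {value}")
```

Run against the message above, the audit reports an image-only body, recovers the hidden "William..." sentence, and shows that the anchor advertises signin.ebay.com while the only clickable area goes to a raw IP address on port 680.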
SPF to the Rescue
So as we have seen this email includes a nice pack of tricks, one of which is spoofing the originator address. This is a good example to illustrate the usefulness of SPF and Sender ID. These technologies will be enhancing the Exchange Intelligent Message Filter as from the upcoming Exchange SP2 release. Using nslookup (nslookup -type=TXT ebay.com) we can see that the following SPF record is published for the ebay.com domain:
v=spf1 mx include:s._spf.ebay.com include:m._spf.ebay.com include:p._spf.ebay.com include:c._spf.ebay.com ~all
This record lists the hosts allowed to send mail on behalf of ebay.com: the domain's own MX hosts plus whatever the four include: records add. The trailing ~all is a softfail qualifier: mail from any other host should not be rejected outright but should be subject to greater scrutiny. Thus email filters supporting SPF are in a position to turn such spoofing to their advantage. The softfail can be combined with other gathered hints, achieving more accurate email classification. One caveat: SPF validates only the envelope sender (MAIL FROM) against the connecting IP address. Had the scammer used a domain of his own in MAIL FROM and forged only the From: header, SPF alone would not have flagged the message; closing that gap is what Sender ID's Purported Responsible Address check is meant to do.
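To make the SPF mechanics concrete, here is a simplified evaluator of the check_host() function from RFC 7208, written in Python as an added example for this article (it is not eBay's, Microsoft's or any mail filter's code). The ebay.com record is the one quoted above. Because the example has to run offline, DNS is replaced by a small dictionary, and the contents of the four include: targets, the MX host and every IP address in it are constructed from RFC 5737 documentation ranges; they do not describe eBay's real mail infrastructure. The evaluator handles the mechanisms that appear in records like this one (all, ip4, ip6, a, mx, include) and ignores modifiers such as redirect=.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline. Only the ebay.com TXT
# record is real (it is the one quoted in the article); the include: contents,
# the MX host and all addresses below are made up from RFC 5737 ranges.
FAKE_DNS = {
    ("ebay.com", "TXT"): ["v=spf1 mx include:s._spf.ebay.com include:m._spf.ebay.com "
                          "include:p._spf.ebay.com include:c._spf.ebay.com ~all"],
    ("ebay.com", "MX"): ["mx1.ebay.com"],
    ("mx1.ebay.com", "A"): ["198.51.100.10"],
    ("s._spf.ebay.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
    ("m._spf.ebay.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 -all"],
    ("p._spf.ebay.com", "TXT"): ["v=spf1 -all"],
    ("c._spf.ebay.com", "TXT"): ["v=spf1 -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _addresses(name, resolver):
    """A records of a host, as address objects (AAAA lookups are omitted here)."""
    return [ipaddress.ip_address(a) for a in resolver.get((name, "A"), [])]


def check_host(ip, domain, resolver=FAKE_DNS, depth=0):
    """Simplified RFC 7208 check_host(): returns pass, fail, softfail, neutral,
    none or permerror. Mechanisms all/ip4/ip6/a/mx/include are supported;
    modifiers (redirect=, exp=) are skipped and a/mx take no CIDR suffix."""
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    spf = [r for r in resolver.get((domain, "TXT"), []) if r.split()[0] == "v=spf1"]
    if not spf:
        return "none"
    if len(spf) > 1:                    # two SPF records is a publishing error
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in spf[0].split()[1:]:
        if "=" in term.split(":", 1)[0]:   # modifier, not a mechanism
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # Version mismatch (IPv4 address vs ip6 network) simply fails to match.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = addr in _addresses(arg or domain, resolver)
        elif mech == "mx":
            mx_hosts = resolver.get((arg or domain, "MX"), [])
            matched = any(addr in _addresses(h, resolver) for h in mx_hosts)
        elif mech == "include":
            # include: matches only when the included policy returns pass.
            sub = check_host(ip, arg, resolver, depth + 1)
            if sub == "pass":
                matched = True
            elif sub in ("fail", "softfail", "neutral"):
                matched = False
            else:                       # none or permerror inside an include
                return "permerror"
        else:
            return "permerror"          # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # fell off the end of the record


def spf_result_for_message(mail_from, client_ip, resolver=FAKE_DNS):
    """Evaluate the envelope sender (SMTP MAIL FROM) against the connecting IP.
    SPF authorises the envelope domain only; the From: header the user sees is
    not covered, which is the gap Sender ID's PRA check tries to close."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    return check_host(client_ip, domain, resolver)


if __name__ == "__main__":
    # The article's message claimed an @ebay.com envelope sender. A host outside
    # the published record gets softfail because of the ~all qualifier.
    print(spf_result_for_message("billing@ebay.com", "198.51.100.200"))
```

In this model a message whose MAIL FROM is billing@ebay.com but which arrives from a host not listed anywhere in the record evaluates to softfail, which is exactly the hint a filter can weigh against the other tricks described above.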
Stealing Credit Card Information
If the scammer convinced his victim to click on the link, we end up at his site.
The site closely resembles the real eBay login page. Indeed anyone who was convinced to go this far is unlikely to escape from this point onwards.
Indeed if we look carefully at the address bar there is yet another hint. The site is trying to use an Internet Explorer exploit that hides the true site address. In my case both the real and the fake URLs are visible, thus uncovering the use of this exploit. Further to this, note the account protection tip at the lower right corner of the page. It encourages the visitor to make sure that the address starts with https://signin.ebay.com/ (i.e. the very URL the exploit is trying to fake).
Another hint that may enlighten the victim is that the page is not served over SSL: the typical Internet Explorer lock icon is not present.
Next I went ahead and entered a fake username and password. Of course the scammer has no way to validate this data. Hence it was no surprise that I was admitted to the next step, encouraging me to hand over my credit card number.
The site asks for all the information, including the PIN number!! If the request to supply the PIN does not ring a bell with our phantom victim then nothing else will. The scammers have managed to net him.
I entered some random numbers here. I have to admit I have little knowledge of the logic behind credit card numbers. The scammers certainly know more than me, since they promptly informed me that the credit card number was invalid.
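A phishing kit does not need any contact with a bank to tell that a random string of digits is not a card number: the last digit of a payment card number is a check digit computed with the Luhn algorithm, so a form can reject typos and random input locally and keep prompting until it receives something plausible. Whether this particular site used Luhn is an assumption; the following Python function is an added example of that check, not code taken from the site.

```python
def luhn_valid(number: str) -> bool:
    """Return True if the digits in `number` satisfy the Luhn check.
    Spaces and dashes are ignored; lengths outside the 12 to 19 digits used
    by real card numbers are rejected before the checksum is computed."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and fold
    # two-digit products back into one digit (16 -> 1 + 6 = 7, i.e. subtract 9).
    for position, digit in enumerate(reversed(digits)):
        if position % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


if __name__ == "__main__":
    # Constructed inputs: the well-known Visa test number and a random-looking
    # 16-digit string of the sort typed into the form above.
    for candidate in ("4111 1111 1111 1111", "1234 5678 9012 3456"):
        print(candidate, "valid" if luhn_valid(candidate) else "invalid")
```

Random digits pass this check only one time in ten, which is why a kit can afford to bounce them back with an "invalid card number" message and wait for the victim to type the real one.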
This concludes our journey for today. A note of caution is appropriate for anyone tempted to follow my example and play with these sites. Watch out, as many of these sites can be loaded with other exploits attempting to hijack the visitor's machine. This all depends on the real intent of the attacker. Some want to steal credit cards, others want to turn your machine into a zombie...