phishing email analysis

Phishing attacks are, in a word, fascinating. The basic goal of a phishing attack is to get personal information, such as credit card numbers, bank account information or passwords for online banking. For the phishing attack to work, the email needs to look legitimate.

Let me show you some classic warning signs of a phishing email, using an email that I recently received.

First, the email header is a dead giveaway. (Email headers are not usually shown by default. You will need to look for them based upon the program you are using to view email.) Notice that this message originated from the email server mail.groundjay.tw located in Taiwan:

Received: (qmail 22075 invoked from network); 14 Jan 2009 18:01:05 -0000
Received: from h118-210-64-253.seed.net.tw (HELO mail.groundjay.tw) ([210.64.253.118])
(envelope-sender )
by pre-smtp26-02.prod.mesa1.secureserver.net (qmail-ldap-1.03) with SMTP
for ; 14 Jan 2009 18:01:04 -0000
Received: from User ([64.223.70.226])
by mail.groundjay.tw ([172.16.1.10]);
Thu, 15 Jan 2009 01:29:59 +0800
From: “Support”
Subject: Notification from eBay – Unlock your account.
Date: Wed, 14 Jan 2009 12:34:57 -0500

Next is the message itself. (Discount for the moment the fact that I don’t have an eBay account.) Often, these messages have misspellings or grammatical errors. In this case, please note the phrase in the email, “Your online has expired”. I am guessing the author meant my online account.

Dear eBay Member,
This is your official notification from eBay. Your online has expired.
If you want to continue using our service you have to renew your online.
If not, your online will be limited and deleted
To confirm your Account records click on the following link:

Third, look closely at the website that you need to go to in order to “reactivate” your account. If the URL is listed using numbers and not the name of the site, this is often a BIG warning sign. (There are other URL problems that I will address in future postings.)

http://210.38.96.137/ebay/eBayISAPI/ws/eBayISAPI.htm

Thank you,
Scott R. Shipman, CIPP Senior Counsel, Global Privacy Practices eBay Inc.

—End of email

And, a fourth warning sign. This email was not personalized. Clearly it was just a broadcast email.

So, this message contained 4 warning signs that it was a phishing attack. Have a little fun with your next piece of spam email: check to see if you can find all of these warning signs in the email message!
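Three of the four signs above (the originating mail server in the Received chain, a URL whose host is a bare IP address, and a generic greeting) can be checked mechanically; the spelling and grammar sign still needs a human eye. The script below is an added example, not code from the original post. It runs the checks over a constructed copy of the message quoted above using only the Python standard library; the recipient and sender addresses the post elides are filled with placeholder values, and the BRAND_DOMAINS table is an assumption of what real mail from the impersonated brand would look like.

```python
import ipaddress
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample modelled on the headers and body quoted in the post.
# The addresses the post elides are replaced with placeholder values.
SAMPLE_EMAIL = """\
Received: from h118-210-64-253.seed.net.tw (HELO mail.groundjay.tw) ([210.64.253.118])
  by pre-smtp26-02.prod.mesa1.secureserver.net (qmail-ldap-1.03) with SMTP
  for <recipient@example.invalid>; 14 Jan 2009 18:01:04 -0000
Received: from User ([64.223.70.226])
  by mail.groundjay.tw ([172.16.1.10]);
  Thu, 15 Jan 2009 01:29:59 +0800
From: "Support" <support@example.invalid>
Subject: Notification from eBay - Unlock your account.
Date: Wed, 14 Jan 2009 12:34:57 -0500

Dear eBay Member,
This is your official notification from eBay. Your online has expired.
If you want to continue using our service you have to renew your online.
To confirm your Account records click on the following link:
http://210.38.96.137/ebay/eBayISAPI/ws/eBayISAPI.htm

Thank you,
eBay Inc.
"""

# Assumption: a small hand-maintained list of impersonated brands and the
# domain their genuine mail servers live under.
BRAND_DOMAINS = {"ebay": "ebay.com"}

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_PATTERN = re.compile(r"https?://[^\s<>\"']+")
GENERIC_GREETING = re.compile(
    r"^\s*dear\s+(?:\w+\s+)?(?:member|customer|user|client)\b", re.I | re.M
)


def received_chain(msg):
    """Return one (from_host, from_ip, by_host) tuple per Received header,
    in header order: most recent hop first, originating hop last."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        from_m = re.search(r"\bfrom\s+(\S+)", flat)
        by_m = re.search(r"\bby\s+([\w.-]+)", flat)
        ip_m = IPV4_IN_BRACKETS.search(flat)
        hops.append((
            from_m.group(1) if from_m else None,
            ip_m.group(1) if ip_m else None,
            by_m.group(1) if by_m else None,
        ))
    return hops


def numeric_host_urls(body):
    """URLs whose host is a bare IP address instead of a name (sign 3)."""
    found = []
    for url in URL_PATTERN.findall(body):
        host = urlparse(url).hostname
        try:
            ipaddress.ip_address(host)
        except (ValueError, TypeError):
            continue
        found.append(url)
    return found


def analyze(raw):
    """Run the mechanical warning-sign checks and return the findings."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    hops = received_chain(msg)
    # The last Received header is the earliest hop; its "by" host is the
    # first server that accepted the mail, i.e. where it originated (sign 1).
    originating = hops[-1][2] if hops else None

    subject = msg.get("Subject", "").lower()
    claimed = next((d for b, d in BRAND_DOMAINS.items() if b in subject), None)
    mismatch = bool(
        claimed and originating
        and originating != claimed
        and not originating.endswith("." + claimed)
    )
    return {
        "received_chain": hops,
        "originating_server": originating,
        "claimed_brand_domain": claimed,
        "brand_mismatch": mismatch,                             # sign 1
        "numeric_host_urls": numeric_host_urls(body),          # sign 3
        "generic_greeting": bool(GENERIC_GREETING.search(body)),  # sign 4
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Reading the Received chain bottom-up is the part people most often get wrong: the header at the top was added by the recipient's own server, so the originating server is the "by" host of the last Received line, not the first. Any of the flags alone is only a hint; the post's point is that they stack up.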

What should you do? Two options come to mind:
Safe option: Just delete the message and move on!
Fun option: Go to the site, and supply bad information. Fill the hackers’ database with useless information. Then, they will have to check the legitimacy of all their entries, causing them to waste time.

My advice is to have fun! (literally)
