Archive for September, 2007

Phishing Trip

Do you smell that?… I dunno, like, low tide or dead phish? Yeah, that's it!

The ink is barely dry on my last post on PayPal phishing and I got another one!

This one is also from some poor ISP site in Amsterdam. Really, don’t they have anything else to do over there?

At least get a better grasp of English, proper grammar and error checking or go back to riding your bicycles… Oh, wait, if you HAD those skills you’d have a real job.

Carry on then, besides, you’re my source of amusement and comic relief.

Do you like my new Phish Stamp?

I can certify Phish now from either direction! Look for these on all my phishing reports!

UPDATE: Ha! Not 5 minutes after I posted the above I got another one of these, identical to the one above. This idiot’s rent must be due….

On the slim chance the company is not aware of the evil takeover of their site I sent them an email.

Phishing Trip

Here is one of my favorite types of phish! Please pass the tartar sauce?..

This urgent message from PayPal is to inform you that your account may have been breached and you MUST login within 48 hours or they will give your account a lobotomy!

The usual stars of this fictional series are cast: Generic greeting; poor grammar and mistakes; threat of account closure; and the all-revealing URL that takes you to waters infested with temporally inept sharks.

And, they are accusing some poor British bloke of violating my PayPal account! Unfortunately, the IP address actually belongs to a company in Amsterdam called Ripe Network Coordination Centre.

As you recall, I mentioned a great reference site: PhishTank… Checking this URL we see that it has been verified as 100% rotten PHISH.


If you need more convincing, a look-see at the header info shows us that the mail did not come from PayPal. In fact, ovarpack.pt is a small company in Ovar, Portugal. Most likely, their site was hacked and used as a mail relay to send this message. And the bogus site (202.61.20.75) is part of a block of IP addresses sold to an Asian Pacific ISP in Australia. Account-access.com is a domain currently available for sale… It is owned by a company in Russia!

If only I had the air miles this email has earned!


Phishing Trip

Why do we always pick on Denmark?

Yes, Virginia, even plain text emails can be like the North Atlantic in December…

Note the generic "Dear Customer" and the poor grammar.

Yes, the bogus link is not hidden this time. This is either a really dumb phisherman or one who is praying his recipients are naive guppies.


However, www.konverce.com is NOT nstarcu.org so that should be your first warning that something is smelly in Denmark.

It appears that the konverce.com site was hacked and a page was set up to look like the credit union site. The page no longer exists; however, you can't be sure that it is safe to check these URLs. Should your browser have no restrictions set on it, just going to one of these sites can get you into all sorts of ugly messes. There could be scripts on the site that will kick off the second the page loads. I do not let scripts run in my browser; I pick and choose which scripts I will allow, especially if I have never been to the site before or if the site is notorious for pop-ups or ads.

Moving to the all-telling header we find this:

mailstore.freecom.net has nothing to do with either konverce.com or the credit union.

If you want to check to see whether an email you received is a phishing attempt you can check this site: http://www.phishtank.com/

Yours in pessimism

Phishing Trip

PHISH: Fraudulent emails that use stolen company graphics, and sometimes language, from legitimate companies in an attempt to lure you into logging on to a fake site, also using stolen graphics and coding, to steal your credentials. Emails usually do not greet you by name or refer to your account. They use a threat of account closure or an offer of free gifts for completing the requested task. Or they try to tell you that your account may have been violated.

[Image: bogus Chase email]

Continuing with our training, let's review an "urgent" email from "Chase"……

Heavens to Murgatroyd!

That URL does not look like "https://chaseonline,chase.com……"!!!


[Image: real Chase email]

Let's compare this with a REAL email from Chase:

Notice, the email greets me by name and refers to my account.


Now, let's compare the backend; the source code behind the email….

[Image: bogus Chase email headers]

This one clearly does not come from Chase. It is trivially easy to change your "From" address in Outlook and most browser based email applications. If you look at the "X-Mailer" line 5 lines down from the green box below you will see this was from an Outlook application.

Referring to the "Received" headers you see the route the message took to get to you. If there is more than one "Received" entry the truth is usually revealed in the bottom few "Received" entries.


This header is from the real Chase email. Notice that all the "Received" entries refer to "bankone.com" (Chase owns Bank One and www.bankone.com takes you to Chase's web site).
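To show the "read the Received headers from the bottom up" check in code, here is an added example (mine, not from the original post). It parses a constructed message modelled on the headers described above, lists each "Received" hop nearest-to-you first, and compares the originating hop against the domain claimed in "From"; the hostnames and addresses in the sample are made up.

```python
import email
import email.utils
import re

# Constructed sample message (not the real phish); the origin relay does not match the From domain.
SAMPLE = b"""Received: from mx.example-isp.net (mx.example-isp.net [192.0.2.10])
 by inbox.example-isp.net with ESMTP; Mon, 10 Sep 2007 09:00:00 -0400
Received: from mail.ovarpack.pt (mail.ovarpack.pt [198.51.100.7])
 by mx.example-isp.net with ESMTP; Mon, 10 Sep 2007 08:59:50 -0400
From: "PayPal" <service@paypal.com>
To: victim@example-isp.net
Subject: Urgent: your account
X-Mailer: Microsoft Outlook Express 6.00.2900.2180

Dear Customer, ...
"""

# The host named after "from" in a Received header is the machine that handed the mail over.
RECEIVED_FROM = re.compile(r"^from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def received_hops(raw):
    """Return the 'from' host of every Received header, top (nearest you) to bottom (origin)."""
    msg = email.message_from_bytes(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        unfolded = " ".join(str(hdr).split())  # join folded continuation lines
        m = RECEIVED_FROM.match(unfolded)
        hops.append(m.group(1).lower() if m else None)
    return hops


def sender_domain(raw):
    """Domain part of the (easily forged) From address."""
    msg = email.message_from_bytes(raw)
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def origin_matches_from(raw):
    """True only if the bottom-most Received hop is on the From domain."""
    hops = received_hops(raw)
    origin = hops[-1] if hops else None
    dom = sender_domain(raw)
    return bool(origin and dom) and (origin == dom or origin.endswith("." + dom))


def mailer(raw):
    """The X-Mailer line, which here gives away an Outlook Express client rather than a bank's system."""
    return email.message_from_bytes(raw).get("X-Mailer")
```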

Yours in pessimism

Phishing Trip

[Image: e-card message, captioned "Uh! Look, I got an e-card.... someone must love me!"]

So, you got an "e-card"?

Don’t get so excited yet…. Yes, someone thought of you so much they may very well have sent you a virus, or a phishing attempt!

Learn how to read "beneath" the lines…….

Even though every other link in this email message takes me to the actual Hallmark site, the one you are meant to click on is a VIRUS.

[Image: behind the ruse]

Now, let's examine the header information on the email and the HTML code that is behind it:

Never click on a link in an email without making sure you know where it is going to take you.

The safest way to proceed is to go to the site directly, by typing the URL you know into your browser.

If you receive an email claiming to be from your "Bank/eBay/PayPal", do NOT click that link. Open a browser and type in the URL to access their site, the same URL you always use, not the link in the email. Login and see if there are any messages for you.

A few big tip-offs that an email is bogus:

  • 90% of phishing emails do not address you by name
  • Most of them have something wrong with the spelling or grammar
  • Most try to alarm/surprise you into thinking your account is being shut down/has been violated or that you will win wonderful prizes by participating or they screwed up something and need you to rebuild your account….

Keep that inbox safe and protect the machines and data you work with.

A message from your friendly local pessimist!