Anatomy of a Phishing Attempt
Phishing is a common exploit where malicious individuals use email, or more recently, compromised Web sites to misrepresent themselves as legitimate sources, often in order to gain confidential, personally identifiable information such as credit card numbers, bank account details, etc.
Phishing relies largely on social engineering and, to a great extent, the gullibility of the recipient.
|While many people have heard the term "phishing," perhaps just a small number have actually examined a phishing attempt up close and personal. Phishing attacks come in many different shapes and sizes, but ultimately, the goal is the same: to trick an unsuspecting individual into revealing personal and confidential information, or into visiting a website that has been compromised with malware.|
The purpose of this article is to take a close-up examination of a real-life phishing attempt in order to better understand what they look like, so they can be more easily recognized.
|A phishing attempt typically arrives in the form of an unsolicited email. In this example, the message claims to be from the Canada Revenue Agency.|
|This message seems harmless enough at first glance. The copyright notice at the bottom of the email lends an aura of "legitimacy" to the message. |
The content is meant to pique one's curiosity with the offer of an attractive refund. This is the "lure" that is intended to grab the recipient's interest and ulitmately get them "hooked." How can we tell? Let's examine the clues that reveal this offer is not what it claims to be.
Clue #1: The Email Address
|This message was sent to a UFV mail address. Since the recipient had never conducted any business or correspondence with the Canada Revenue Agency using a UFV mail account, there was no reason for the CRA to send the message to this address in the first place.|
|The recipient had already received a tax refund, along with most people, several months previously in the spring. There was no apparent reason for an additional refund to be given. Hmmm.|
Clue #3: The Email Format
|While the message may appear legitimate, the format of the email itself seems too plain to be coming from an agency of the Canadian government. An assumption could be made that the message was sent as text-only in case the recipient's mail client was not set up to display HTML messages. However, there is something about the format that doesn't seem right. What other clues can we find?|
Clue #4: The Message Header
|Most email clients will allow you to view the source information of a message. In particular, the header information associated with the message can be very revealing. Let's take a closer look at the header information in our example. . .|
IP address information has been blurred intentionally
Although the message purports to be from cra-arc.gc.ca, the Canada Revenue Agency's web address, notice that the message, itself, is being directed from a totally different address. This mismatch in source address information is another indicator that the message is not what it claims to be.
Clue #5: Spam Filter Status Details
|In situations where email is screened by a spam filtering program, this message would probably have been flagged as possible spam. In this example, the university's spam filtering application identified the email as suspicious. Further examination of the mail header reveals the following. . .|
|Even a cursory look at the spam filter information in the mail header should give the reader cause for concern.|
Clue #6: The Embedded Link
|Another important clue that should set off "alarm bells" concerning this message is the embedded link which the recipient is encouraged to click on in order to complete the refund request. . .|
|One of the primary goals of a phishing attempt is to lure the unsuspecting recipient to an alternate and usually malicious website. As with this example, the link provides no indication as to where it leads.|
Clue #7: The Link's Destination
|Again, an examination of the message source reveals some very interesting details concerning the destination address of the embedded link.|
|The URL for the refund form does not appear to be associated with the Canada Revenue Agency's Web site at all. Following is the actual URL for CRA's refund page:|
Clue #8: The Link's Actual Destination
|Using one of the networking tools provided in Windows, it is possible to discover some revealing information concerning the IP address of the link|
|DNS (Domain Name Server) information related to the IP address reveals that it has its source somewhere in New Zealand. Clearly, the link to the refund form is not associated the CRA or any other Canadian governement website.|
|So now the big question: Where, exactly, would the embedded link lead to? When asked about this phishing example, security vendor, Sophos, advised that although they had not investigated this particular exploit, they were very much aware of it. According to one Sophos researcher, this campaign has been around since the beginning of 2008.|
So what is at the other end of the link? In all probability, nothing good. These types of messages are best left unopened and deposited into the electronic trash bin.
The lesson we can learn from this phishing expedition: Stay away from the lure of these kinds of messages to keep from getting "hooked."
|More URL Tips
Here are a couple of things to watch out for concerning URLs. . .
After navigating to a website, check and confirm that the URL displayed in your browser’s address bar matches the intended destination.
For example, if you were visiting the website of security vendor Sophos, the displayed address should read www.sophos.com.
If you see something else like www.sophos.badurl.com, you can be sure that you have been re-directed to some other site.
Never click on a link inside an email message.
If you believe that the link is valid, manually type the URL into the address bar of your browser.
Again, check the displayed address a second time to ensure that you have been directed to the intended site.