Anatomy of a Phishing Attempt


Phishing is a common exploit where malicious individuals use email, or more recently, compromised Web sites to misrepresent themselves as legitimate sources, often in order to gain confidential, personally identifiable information such as credit card numbers, bank account details, etc.

Phishing relies largely on social engineering and, to a great extent, the gullibility of the recipient.


A Real-life Example
While many people have heard the term "phishing," perhaps just a small number have actually examined a phishing attempt up close and personal.  Phishing attacks come in many different shapes and sizes, but ultimately, the goal is the same: to trick an unsuspecting individual into revealing personal and confidential information, or into visiting a website that has been compromised with malware.

The purpose of this article is to take a close-up examination of a real-life phishing attempt in order to better understand what they look like, so they can be more easily recognized.


The Message
A phishing attempt typically arrives in the form of an unsolicited email.  In this example, the message claims to be from the Canada Revenue Agency.

This message seems harmless enough at first glance.  The copyright notice at the bottom of the email lends an aura of "legitimacy" to the message. 

The content is meant to pique one's curiosity with the offer of an attractive refund.  This is the "lure" that is intended to grab the recipient's interest and ultimately get them "hooked."  How can we tell?  Let's examine the clues that reveal this offer is not what it claims to be.


Clue #1:  The Email Address
This message was sent to a UFV mail address.  Since the recipient had never conducted any business or correspondence with the Canada Revenue Agency using a UFV mail account, there was no reason for the CRA to send the message to this address in the first place.


Clue #2:  The Refund
The recipient had already received a tax refund, along with most people, several months previously in the spring.  There was no apparent reason for an additional refund to be given.  Hmmm.


Clue #3:  The Email Format
While the message may appear legitimate, the format of the email itself seems too plain to be coming from an agency of the Canadian government.  An assumption could be made that the message was sent as text-only in case the recipient's mail client was not set up to display HTML messages.  However, there is something about the format that doesn't seem right.  What other clues can we find?


Clue #4:  The Message Header
Most email clients will allow you to view the source information of a message.  In particular, the header information associated with the message can be very revealing.  Let's take a closer look at the header information in our example. . .


IP address information has been blurred intentionally


Although the message purports to be from cra-arc.gc.ca, the Canada Revenue Agency's web address, notice that the message, itself, is being directed from a totally different address.  This mismatch in source address information is another indicator that the message is not what it claims to be.
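
The comparison described in Clue #4, sketched in Python as an added example (not part of the original article): it checks the domain in the visible From line against the Return-Path, Reply-To and first Received hop.  The sample headers, addresses and function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample headers (not the message from the article). The .example
# domains and the 203.0.113.45 address are reserved for documentation use.
SAMPLE = """\
Return-Path: <www-data@host17.hosting.example>
Received: from host17.hosting.example (host17.hosting.example [203.0.113.45])
\tby mail.university.example with ESMTP id ABC123
\tfor <user@university.example>; Mon, 01 Sep 2008 10:15:00 -0700
From: "Canada Revenue Agency" <refund@cra-arc.gc.ca>
Reply-To: <claims@hosting.example>
To: user@university.example
Subject: Tax refund notification

body
"""

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def same_org(a, b):
    """True when one domain equals the other or is a subdomain of it."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def header_mismatches(raw):
    """List the ways the transport headers disagree with the visible From."""
    msg = message_from_string(raw)
    claimed = domain_of(msg["From"])
    findings = []
    for name in ("Return-Path", "Reply-To"):
        d = domain_of(msg[name])
        if d and not same_org(d, claimed):
            findings.append(f"{name} domain {d} differs from From domain {claimed}")
    # The last Received header is the earliest hop, closest to the sender.
    # Its "from" name is self-reported; the bracketed IP is what the
    # receiving server actually saw.
    hops = msg.get_all("Received") or []
    if hops:
        m = re.match(r"from\s+(\S+)", hops[-1].strip())
        if m and not same_org(m.group(1).lower(), claimed):
            findings.append(f"first hop {m.group(1)} is not under {claimed}")
    return findings
```

Calling header_mismatches(SAMPLE) returns three findings, one for each header that disagrees with the claimed cra-arc.gc.ca sender.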


Clue #5:  Spam Filter Status Details
In situations where email is screened by a spam filtering program, this message would probably have been flagged as possible spam.  In this example, the university's spam filtering application identified the email as suspicious.  Further examination of the mail header reveals the following. . .

Even a cursory look at the spam filter information in the mail header should give the reader cause for concern.


Clue #6:  The Embedded Link
Another important clue that should set off "alarm bells" concerning this message is the embedded link which the recipient is encouraged to click on in order to complete the refund request. . .

One of the primary goals of a phishing attempt is to lure the unsuspecting recipient to an alternate and usually malicious website.  As with this example, the link provides no indication as to where it leads.


Clue #7:  The Link's Destination
Again, an examination of the message source reveals some very interesting details concerning the destination address of the embedded link.

The URL for the refund form does not appear to be associated with the Canada Revenue Agency's Web site at all.  Following is the actual URL for CRA's refund page:



Clue #8:  The Link's Actual Destination
Using one of the networking tools provided in Windows, it is possible to discover some revealing information concerning the IP address of the link.

DNS (Domain Name Server) information related to the IP address reveals that it has its source somewhere in New Zealand. Clearly, the link to the refund form is not associated with the CRA or any other Canadian government website.
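
The checks from Clues #6 to #8 can be automated.  This added Python example (not from the original article) lists every link in an HTML message body whose destination is not under the domain the sender claims.  The sample body, its IP-literal link and the function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress

# Constructed sample body; 203.0.113.45 is a documentation-only address.
SAMPLE_HTML = (
    '<p>To access your refund, please '
    '<a href="http://203.0.113.45/cra/refund.php">click here</a>.</p>'
    '<p>Agency site: <a href="http://www.cra-arc.gc.ca/">www.cra-arc.gc.ca</a></p>'
)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def suspicious_links(html, expected_domain):
    """Return (href, reasons) for links that do not lead to expected_domain."""
    parser = LinkCollector()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        reasons = []
        if is_ip(host):
            reasons.append("destination is a bare IP address")
        elif host != expected_domain and not host.endswith("." + expected_domain):
            reasons.append(f"host {host} is not under {expected_domain}")
        if reasons and "." not in text:  # visible text shows no hostname
            reasons.append(f"link text {text!r} hides the destination")
        if reasons:
            report.append((href, reasons))
    return report
```

The suffix comparison also catches look-alike hosts that merely begin with the agency's name, since only the end of the hostname decides who controls it.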


What's at the Other End?
So now the big question: Where, exactly, would the embedded link lead to?  When asked about this phishing example, security vendor Sophos advised that although they had not investigated this particular exploit, they were very much aware of it.  According to one Sophos researcher, this campaign has been around since the beginning of 2008.

So what is at the other end of the link?  In all probability, nothing good.  These types of messages are best left unopened and deposited into the electronic trash bin.

The lesson we can learn from this phishing expedition: Stay away from the lure of these kinds of messages to keep from getting "hooked."


Lock Your Workstation

It is never a good idea to leave your workstation or laptop unattended while logged in.

A good safety habit to get into is to “lock” your computer while you are away from your desk.

Simply press the CTRL + ALT + DEL keys, then click on the Lock this computer option.

Alternatively, you can press the “Windows” + L keys to lock your computer.

Either way, it would be wise to restrict access to your computer while you are away from it.

 

   
   
   

 

 