FBI Gets Spoofed
Here's an interesting spoof we saw today. The target? The FBI. If this works, I'm sure we'll see lots more like this one - the CIA, Homeland Security, NASA (have aliens stolen my identity?).
I've written before about confused phishers and multiple personality phishers. Here's another one in the same vein. It's a Lloyds TSB spoof, but the subject and from address are both PayPal. See the highlighting.
Seems like many phishers are either complete amateurs or they need a better QA process.
My job developing anti-phishing software is an almost constant source of amusement. Clueless phishers provide the most enjoyment, but sometimes we see clueless vigilantes.
Here's a screenshot of a PayPal spoof that looks like it's been defaced by a vigilante or sysadmin. Most defacers warn users and disable the phishing site so it can't hurt anyone. In this case, the defacer just posted a warning at the top (along with a phone number to call for anyone who wants to help catch the phisher) but left the site intact, so it can still swipe user credentials. That's like finding a hole in the road that someone could fall into and only putting up a warning sign - fill in the hole with dirt too!
So here's defacing-a-phishing-site law #1: when defacing a phishing site, make sure you break it so no one can get hurt.
Here's a revealing behind-the-scenes look at phishing crimes over at WSJ.com.
As a follow up to Phishing eBay through Doubleclick, here's an example of a Union Planters spoof linked through Google.
The URL bounces through Google (who could probably tell us how many users have clicked it) and lands on the spoof site:
This isn't quite as dangerous as the eBay/Doubleclick redirects mentioned above, but Google's redirecting could make it easier for someone to phish Google AdWords accounts in the future.
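As an added example (not from the original post, and not Google's actual redirector format): a check that pulls the off-site destination out of a redirector URL, the kind of test anti-phishing software can apply to a link before trusting the host it appears to point at. The redirector hostname and query-parameter layout are constructed.

```python
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit


def _host(url: str) -> Optional[str]:
    """Lowercased host of a URL, or None if it cannot be parsed."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def _site(host: str) -> str:
    """Crude registrable-domain approximation (last two labels); a real
    scanner would use the Public Suffix List so that co.uk and friends work."""
    return ".".join(host.split(".")[-2:])


def external_redirect_target(url: str) -> Optional[str]:
    """Return the off-site destination hidden in a redirector URL, or None.

    Any query parameter (the parameter name is unknown, so all are checked)
    that holds an absolute http(s) URL, a protocol-relative //host URL, or a
    double-encoded form of either counts, provided its site differs from the
    redirector's own site.
    """
    redirector = _host(url)
    if redirector is None:
        return None
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        candidate = value.strip()
        # parse_qsl already decoded once; a second pass catches double-encoding
        if candidate.lower().startswith(("http%3a", "https%3a", "%2f%2f")):
            candidate = unquote(candidate)
        if candidate.startswith("//"):
            candidate = "http:" + candidate
        if not candidate.lower().startswith(("http://", "https://")):
            continue
        dest = _host(candidate)
        if dest and _site(dest) != _site(redirector):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: a trusted-looking redirector bouncing to a spoof host.
    sample = "http://redirector.example.test/go?u=http://unionplanters.phish.test/login"
    print(external_redirect_target(sample))
```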
I'll be at the Anti-Phishing Working Group's Spring 2005 meeting for the next couple of days in San Jose. I'm going to pull a Scoble and publish my cell phone number - I'm at 626-298-0100 if you want to meet up.
I stumbled on a new (to me) technique to defend against phishing attacks today.
A little background. Spoof sites use the same images as the sites they are spoofing. Sometimes those images are stored on the same server as the spoof site, and sometimes they are hot-linked to the target site directly. When images are hot-linked, the browser pulls them from the target site and displays them on the phishing site.
Check out this spoof of Royal Bank of Canada we saw today.
Notice the WARNING! FRAUDULENT SITE! image at the top left? That image has been hot-linked, so it is pulled directly from the RBC web site. Normally the image at that URL is the RBC logo, but in this case the RBC web site is serving an alternative image in an attempt to warn users about the danger. To reiterate: RBC serves a warning image when its logo is displayed on this phishing site, but its normal logo when the image is displayed on its own site. Cool!
Here's how they are (probably) doing this:
When a browser requests an image from a web server, the request includes something called a referer - the browser tells the server the URL that referred the user to the image. It looks like RBC is serving different images based on the referer that the browser is sending. RBC may be serving the warning logo anytime someone hot-links their logo, or they may be doing it just for specific referers (known phishing sites). I don't know and don't have plans to test.
This technique is interesting, though I don't know how effective it is. It's trivial for phishers to serve local copies of images instead of hot-linking them, so the work-around is simple.
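As an added example of the referer-based switch described above (my illustration, not RBC's code; hostnames, the known-phisher list and the image bytes are constructed): a server-side decision that serves the normal logo to the bank's own pages and to requests with no Referer, and the warning image to known hot-linking phishing hosts or, in strict mode, to any outside referer, plus the cache headers such a referer-dependent response needs.

```python
from typing import Optional
from urllib.parse import urlsplit

# Hosts allowed to embed the real logo (constructed; not RBC's actual configuration).
OWN_HOSTS = {"example-bank.test", "www.example-bank.test"}
# Referers already confirmed as phishing sites (constructed placeholder list).
KNOWN_PHISH_HOSTS = {"secure-login.phish.test"}
# Stand-ins for the two image files; real GIF bytes would go here.
IMAGES = {"logo": b"GIF89a<constructed logo>", "warning": b"GIF89a<constructed warning>"}


def referer_host(referer: Optional[str]) -> Optional[str]:
    """Lowercased host from a Referer header, or None if absent or unparseable."""
    if not referer:
        return None
    try:
        host = urlsplit(referer.strip()).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def choose_image(referer: Optional[str], strict: bool = False) -> str:
    """Pick 'logo' or 'warning' for a request to the logo URL.
    strict=False: warn only for known phishing referers.
    strict=True:  warn for any hot-link from outside OWN_HOSTS.
    A missing Referer (direct load, privacy settings, many mail clients)
    always gets the real logo so legitimate users never see a false alarm.
    """
    host = referer_host(referer)
    if host is None:
        return "logo"
    if host in OWN_HOSTS or any(host.endswith("." + own) for own in OWN_HOSTS):
        return "logo"
    if host in KNOWN_PHISH_HOSTS:
        return "warning"
    return "warning" if strict else "logo"


def logo_app(environ, start_response):
    """Minimal WSGI handler for the logo URL (example code, not a bank's real server)."""
    choice = choose_image(environ.get("HTTP_REFERER"), strict=False)
    headers = [
        ("Content-Type", "image/gif"),
        # The body depends on Referer, so shared caches must not reuse it blindly.
        ("Vary", "Referer"),
        ("Cache-Control", "private, no-store"),
    ]
    start_response("200 OK", headers)
    return [IMAGES[choice]]
```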
Here's an excerpt from another multiple-personality phishing email. I wonder if this is from the same group that conflated WAMU, Charter, and Regions Bank.
We recently reviewed your account, and suspect that your Charter One Bank Internet Banking account may have been accessed by an unauthorized third party.
Protecting the security of your account and of the Washington Mutual network is our primary concern. Therefore, as a preventative measure, we have temporarily limited access to sensitive account features.
Ever wonder what would happen if a phisher stole your bank account information? Phishers who want to stay in business won't empty your account directly. They often operate in countries from which it is difficult to work directly with American banks. Plus they don't want to lead authorities directly to them. So how do they get your money? Mules.
A mule is a go-between that phishers "use" to launder money. Phishers transfer money from compromised accounts to an account opened by the mule. The mule then withdraws those funds (minus a commission) and sends a money order to the phisher. Sounds easy enough, but who in their right mind would do this for a phisher? The paper trail leads directly to the mule, and money laundering is a serious offense.
So phishers have to be a little more creative in their recruiting practices.
This email showed up today and kicked off this post:
We are web designers/programmers team. We are located in Moscow, Russian Federation. Currently, our team works for several US companies and we have difficulty in getting our wages.
They're to pay us but they don't send money directly to Russia, because the companies we work for pay us by direct deposits available in USA and Canada only. Reasonable question: why don't they pay us by checks? Yes, they could, but here in Moscow it is really hard to collect on the American checks (enormous commission fees and it takes 2-3 months).
We realize that you can't provide your current bank account. So, if you are ready to help, would you be so kind as to open a new zero-balanced checking account where they could send our wages.
So, when our employers get the account information they will initiate the transfer. When the bank transfers are completed your assistance is needed once again to transfer the money via Western Union or Money Gramm (it is not the best (profitable) way but it's the fastest one).
Finally, we have to solve the problem regarding your interest in this deal. We suppose you should get an interest in this business and we can offer you a good compensation for your help. If you are ready to help, please, send your reply to the following email address...[edited]
Sounds more legit. I wouldn't have to risk my own funds (it's a zero-balance checking account), I'd make a little money, and I'd help out a team of programmers who just want to get paid for work they have already done. I can see how these emails would be effective recruiting tools.
You've been warned.
JD has a nice review of how Gmail handles suspected phishing emails.