Saturday, May 05, 2007

Phucking Phishers

It seems I just got a very convincing phishing e-mail trying to get me to give away my Paypal information. The e-mail itself was not that convincing, but the link to the "Paypal site" was very well done, and the site itself was an almost perfect forgery.

This is what it looked like:

As part of our security measures, we regularly screen activity in the
PayPal system. We recently contacted you after noticing an issue on your
account. We requested information from you for the following reason:

Our system requires further account verification.

Case ID Number: PP-140-076-751

Please confirm your Paypal account, click the URL below:

https://www.paypal.com/cgi-bin/webscr?cmd=_login-submit

This is a second reminder to log in to PayPal as soon as possible. Once
you log in, you will be provided with steps to restore your account
access.

Once you log in, you will be provided with steps to
restore your account access. We appreciate your understanding as we work to
ensure account safety.

In accordance with PayPal's User Agreement, your account access will
remain limited until the issue has been resolved. Unfortunately, if
access to your account remains limited for an extended period of time, it
may result in further limitations or eventual account closure. We
encourage you to log in to your PayPal account as soon as possible to help
avoid this.

To review your account and some or all of the information that PayPal
used to make its decision to limit your account access, please visit the
Resolution Center. If, after reviewing your account information, you
seek further clarification regarding your account access, please contact
PayPal by visiting the Help Center and clicking "Contact Us".

We thank you for your prompt attention to this matter. Please
understand that this is a security measure intended to help protect you and your
account. We apologize for any inconvenience.

Sincerely,
PayPal Account Review Department

PayPal Email ID PP638

But if you look at the e-mail's raw HTML source, you see that the actual site the link directs you to is this:

http://maxipriest.com/loggin/

Yeah, not exactly confidence inspiring. See, they spoof the URL to appear to be the Paypal site in your address bar. This is fairly simple. And if you click the link (I wouldn't recommend it), it takes you to a page that looks EXACTLY like the Paypal page. Here's a comparison:

Left, the real Paypal page; on the right, the fake.

Well done, eh? If you didn't know what to look for, you'd never be able to tell. And that could be disastrous. So how can you tell? It's all in the URL. Take a look at the real page URL here:

If the login page doesn't match what I have here, don't put any login info in. Now the fake page has the wrong URL, but it still looks like it could be legitimate. Ah! But if you view the page source, you see it's actually a frame (sort of a Web page within a Web page). And the page that is being displayed? Well, take a look:

So the address on the left is what the spoofer wants you to see. Notice no "https." On the right is the actual URL of the spoofed site. And if you put in your login and password? Well, you are definitely SOL then. The worst part of this spoof? The links from the page are the actual links to Paypal stuff! They are essentially copying the PayPal page, and just running their own login script to grab your ID rather than the Paypal system. Insidious, no?

So here are a few simple rules that, if you follow them, will give you 100% protection against phishing attacks.
  1. First, most legitimate companies will NEVER ask you to update account information by posting a direct link to their site in the e-mail, so become immediately suspicious if they do.
  2. If an e-mail gives you a link to take regarding your account information, check the URL by copying it (right-click and then choose Copy Link) and pasting it in Notepad or some other text editor. This will give you the real URL that you will be following. If it doesn't match, don't follow it.
  3. Legitimate sites will always use secure "https" pages for logins. Phishers will almost never bother with attempting to use secure connections.
  4. Never, ever, EVER put any login or personal information directly into any text fields in an e-mail! No one will ever ask for info this way as there is no way to make this secure.
  5. If you use Gmail, they have a "Report phishing email" option just like spam reporting. Use it. Even if you think it's real, let the uber-smart guys at Google take a look just to make sure.
  6. If you are even a little bit suspicious about an e-mail, report it and then trash it. If you want to make sure your account is OK, go to the site directly (don't use any links) and log in, or even contact customer service and ask if there is anything wrong.
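Rules 2 and 3 above, plus the frame trick shown earlier, can be checked automatically. Here is an added example (not from the original post) using only the Python standard library: it pulls every link and frame out of a piece of HTML and flags a link whose visible text is a URL on a different host than its href, a link that is not https, and a frame that loads a page from a host other than the one expected. The sample e-mail and fake-page snippets are constructed from the URLs quoted in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkAndFrameCollector(HTMLParser):
    """Collect (href, visible text) for every <a> and the src of every <frame>/<iframe>."""

    def __init__(self):
        super().__init__()
        self.links, self.frames = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag in ("frame", "iframe") and a.get("src"):
            self.frames.append(a["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host(url):
    return (urlparse(url).hostname or "").lower()


def find_suspicious(html, expected_host="www.paypal.com"):
    """Return (kind, detail) findings: text/href host mismatch, non-https link, off-host frame."""
    p = LinkAndFrameCollector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        # Rule 2: the URL you see must be the URL you actually follow.
        if text.startswith(("http://", "https://")) and host(text) != host(href):
            findings.append(("text/href mismatch", f"shows {host(text)}, goes to {host(href)}"))
        # Rule 3: a legitimate login link is https.
        if urlparse(href).scheme != "https":
            findings.append(("not https", href))
    for src in p.frames:  # the fake page was a frame pulling in another host
        if host(src) != expected_host:
            findings.append(("frame loads another host", src))
    return findings


# Constructed samples built from the URLs quoted in the post.
SAMPLE_EMAIL = ('<p>Please confirm your Paypal account, click the URL below:</p>'
                '<a href="http://maxipriest.com/loggin/">'
                'https://www.paypal.com/cgi-bin/webscr?cmd=_login-submit</a>')
SAMPLE_FAKE_PAGE = '<frameset><frame src="http://maxipriest.com/loggin/"></frameset>'
```

Running `find_suspicious(SAMPLE_EMAIL)` reports both the host mismatch and the missing https; the same check on a link whose text and href are both the real https PayPal URL reports nothing.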
Well that's about it. Just thought everyone should be aware of things like this.
