Related link: http://en.wikipedia.org/wiki/Phishing

In my last post, I wrote about an interesting e-mail message I received. Well, earlier today, I got another interesting message — but this time, something a little different. Here’s a partial screenshot so that you get the full effect.

[image: partial screenshot of the phishing e-mail]

It looks pretty realistic, doesn’t it? If I weren’t a highly trained professional with keen wits, good looks, and sharp sense of smell (?!?), I might have even clicked on it. Well, it turns out that it’s just another phishing attempt. And since I’m getting a little tired of seeing people get “phooled” by these things, here’s a quick 101 lesson on not getting fooled by the phishers:

Whenever there’s doubt, a good first step is to check the mail headers. In ~/Library/Mail, you’ll find a bunch of mail folders that you can dig through to get to your actual raw mail messages, although there are plenty of other ways to do this. For my .Mac account, the folder I dug into was ~/Library/Mail/Mac-ptwobrussell/INBOX.imapmbox/Messages. From there, I ran grep Amazon * to find the message in question, since I knew it contained the term “Amazon”, and I opened the message file (the one with the .emlx extension) in Vim to inspect the headers. Here’s what I saw:

[image: screenshot of the raw message headers in Vim]

Ok, so what’s wrong with that? (This is worth really thinking about before you read on.)

One thing we need to pay special attention to here is the sender’s IP address (the connecting host recorded in the Received headers) and whether or not it maps back to the domain name the mail claims to come from. In Terminal, type whois 206.125.210.163 and you’ll notice that the IP address in question does not belong to amazon.com, nor does it even remotely appear to have come from there. It belongs to some guy in Texas. I’ll stop digressing right there, but the point is that the IP address should have mapped back to amazon’s domain name somehow, and it didn’t.

If you want to see what a more authentic Amazon mapping would have looked like, type ping www.amazon.com to get their IP address and then do a whois on the IP address to get the real deal.
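The header check described above can be scripted so that the facts you would otherwise eyeball in Vim (the earliest connecting IP in the Received chain, the From domain, and any other address headers that point somewhere else) come out in one go. This is an added example, not code from the original post; the .emlx-style message it parses is constructed to resemble the phishing mail, using the IP quoted in the post and a documentation-range address (192.0.2.10) for the receiving provider’s own relay. The whois lookup itself stays a manual step, since it needs the network.

```python
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample in Apple Mail's .emlx layout: a first line holding the
# byte count of the message, then the raw RFC 822 message. The headers are
# invented to resemble the phishing mail in the post; 206.125.210.163 is the
# address quoted there and 192.0.2.10 (a documentation range) stands in for
# the receiving provider's own relay.
SAMPLE_EMLX = """987
Return-Path: <bounce@dec2r.com>
Received: from mail.mac.com (mail.mac.com [192.0.2.10])
\tby imap.mac.com with ESMTP id k0AHC1ab012345; Tue, 10 Jan 2006 09:12:01 -0800
Received: from amazon.com (unknown [206.125.210.163])
\tby mail.mac.com with SMTP id k0AHBw9x067890; Tue, 10 Jan 2006 09:11:58 -0800
From: "Amazon.com" <account-update@amazon.com>
Reply-To: <account-update@dec2r.com>
To: <myEmailAddress@mac.com>
Subject: Please verify your Amazon.com account
Message-ID: <20060110171158.GA1234@dec2r.com>

Dear customer, please sign in to confirm your account.
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def load_emlx(text: str) -> EmailMessage:
    """Parse .emlx contents, skipping the leading byte-count line when present."""
    first, _, rest = text.partition("\n")
    raw = rest if first.strip().isdigit() else text
    return email.message_from_string(raw, policy=policy.default)


def received_chain(msg: EmailMessage) -> list[str]:
    """IPv4 addresses from the Received headers, nearest hop first.

    Each relay prepends its own Received line, so the first entry is the hop
    closest to the reader and the last is the earliest recorded hop. Only the
    lines added by your own provider are trustworthy; anything below those
    could have been written by the sender.
    """
    ips: list[str] = []
    for header in msg.get_all("Received", []):
        ips.extend(m.group(1) for m in IPV4_IN_BRACKETS.finditer(str(header)))
    return ips


def origin_ip(msg: EmailMessage) -> str | None:
    """The earliest connecting address in the chain, i.e. the one to whois."""
    chain = received_chain(msg)
    return chain[-1] if chain else None


def address_domain(value) -> str | None:
    """Domain part of an address-bearing header such as From or Reply-To."""
    _, addr = parseaddr(str(value or ""))
    domain = addr.rpartition("@")[2].lower()
    return domain or None


def header_findings(msg: EmailMessage) -> dict:
    """Collect what a reader checks by hand: From domain, origin IP, and any
    address headers whose domain does not match the From domain."""
    from_domain = address_domain(msg.get("From"))
    mismatches = []
    for name in ("Reply-To", "Return-Path", "Message-ID"):
        domain = address_domain(msg.get(name))
        if (from_domain and domain and domain != from_domain
                and not domain.endswith("." + from_domain)):
            mismatches.append(f"{name} is at {domain}, From is at {from_domain}")
    return {"from_domain": from_domain,
            "origin_ip": origin_ip(msg),
            "mismatches": mismatches}


if __name__ == "__main__":
    findings = header_findings(load_emlx(SAMPLE_EMLX))
    print(f"From domain : {findings['from_domain']}")
    print(f"Origin IP   : {findings['origin_ip']}  (next step: whois {findings['origin_ip']})")
    for line in findings["mismatches"]:
        print(f"Mismatch    : {line}")
```

Run against the sample, the script reports that the earliest hop is 206.125.210.163 and that Reply-To, Return-Path and Message-ID all sit at dec2r.com while From claims amazon.com; the whois on that address is then the one the post describes.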

But that’s just the first problem — there are a few other things going on here.

If you inspect the link

https://www.amazon.com/exec/obidos/flex-sign-in/ref=pd_irl_gw_r/103-3177084-7567864?opt=oa&page=recs/sign-in-secure.html

you’ll see that it actually links to a different page, namely this one:

http://secure.amazon.com.dec2r.com/signin.php?exec/obidos/flex-sign-in/ref=gw_hp_si/103-3177084-7567864?opt=a&page=recs/sign-in-secure.html&response=tg/recs/recs-post-login-dispatch/-/recs/pd_rw_gw_ur/ref=192930_1/3-3&ref=rom&emaddr=myEmailAddress@mac.com

Of course, my e-mail address was actually in the link instead of the bogus one listed. I guess that’s how they keep track of who is naive enough to click on the link. Notice also that the URL links to a php script (never seen an Amazon page like that), and that the bogus URL contains a “dec2r.com” suffix. This is clever but typical — the phisher set up a “secure.amazon.com” subdomain on their “dec2r” server. If you just skim the first part of the URL, it looks good — but if you realize that host names are read from the end back to the beginning, then it’s not so good. (Remember, this is social engineering.) When DNS resolves the host name, the rightmost label is handled first: the “.com” servers are asked for “dec2r.com”, and the “dec2r.com” name servers are then asked for “secure.amazon.com.dec2r.com”, a name that the owner of dec2r.com can point wherever they like.
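Reading the host name from the right is exactly what a small link checker should do. The following is an added example, not code from the original post: it takes the displayed link and the real href from the mail, works out which domain each one is actually under, and flags the tricks discussed above (a brand name parked in the subdomain part, an https link text pointing at a plain http page, and an e-mail address carried in the query string for tracking). The two URLs are the ones quoted in the post; the short suffix table is a toy stand-in for the Public Suffix List, which a real tool would consult instead.

```python
from urllib.parse import parse_qsl, urlsplit

# The two URLs from the post: the one shown in the mail and the one the
# anchor actually pointed at.
DISPLAYED_URL = ("https://www.amazon.com/exec/obidos/flex-sign-in/ref=pd_irl_gw_r/"
                 "103-3177084-7567864?opt=oa&page=recs/sign-in-secure.html")
ACTUAL_URL = ("http://secure.amazon.com.dec2r.com/signin.php?exec/obidos/flex-sign-in/"
              "ref=gw_hp_si/103-3177084-7567864?opt=a&page=recs/sign-in-secure.html"
              "&response=tg/recs/recs-post-login-dispatch/-/recs/pd_rw_gw_ur/ref=192930_1/3-3"
              "&ref=rom&emaddr=myEmailAddress@mac.com")

# Toy stand-in for the Public Suffix List: suffixes that occupy two labels,
# so the registrable domain is the last three labels rather than two.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """The part of a host name its owner actually registered, read from the right."""
    labels = host.lower().rstrip(".").split(".")
    take = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-take:])


def analyze_link(displayed: str, actual: str) -> dict:
    """Compare the link text a reader sees with the href it really points at."""
    displayed_parts, actual_parts = urlsplit(displayed), urlsplit(actual)
    displayed_host = displayed_parts.hostname or ""
    actual_host = actual_parts.hostname or ""
    if not displayed_host or not actual_host:
        return {"suspicious": True, "reasons": ["could not parse a host name"],
                "displayed_domain": None, "href_domain": None, "tracking_params": []}

    displayed_domain = registrable_domain(displayed_host)
    href_domain = registrable_domain(actual_host)
    reasons = []

    # The registrable domain is what matters, not whatever sits in front of it.
    if displayed_domain != href_domain:
        reasons.append(f"href is under {href_domain}, link text shows {displayed_domain}")

    # Brand name parked in the subdomain part: "secure.amazon.com" in front of dec2r.com.
    subdomain = actual_host[: len(actual_host) - len(href_domain)].rstrip(".")
    if f".{displayed_domain}." in f".{subdomain}.":
        reasons.append(f"{displayed_domain} appears only as a subdomain of {href_domain}")

    # A sign-in link that promises https but lands on plain http.
    if displayed_parts.scheme == "https" and actual_parts.scheme != "https":
        reasons.append("link text promises https but href uses " + actual_parts.scheme)

    # An e-mail address in the query string identifies who clicked.
    tracking = [key for key, value in parse_qsl(actual_parts.query) if "@" in value]
    if tracking:
        reasons.append("query carries an e-mail address in " + ", ".join(tracking))

    return {"suspicious": bool(reasons), "reasons": reasons,
            "displayed_domain": displayed_domain, "href_domain": href_domain,
            "tracking_params": tracking}


if __name__ == "__main__":
    result = analyze_link(DISPLAYED_URL, ACTUAL_URL)
    print("suspicious:", result["suspicious"])
    for reason in result["reasons"]:
        print(" -", reason)
```

For the pair from the post the checker reports that the href is under dec2r.com while the text shows amazon.com, that amazon.com appears only as a subdomain, that the https promise is not kept, and that the emaddr parameter carries an address; comparing the displayed link with itself yields nothing, which is the behaviour you want for a genuine link.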

So what happens if you weren’t so sharp and clicked on the link? If you did, you probably got your e-mail address logged for future attempted exploits, and you were greeted by this familiar looking page:

[image: the fake Amazon sign-in page]

And regardless of what password you put in, it’ll be accepted (and probably logged along with your e-mail address — a very common login — and maybe even tried at other online retail sites). But then you’ll get hit with this:

[image: the follow-up page asking for card details and an ATM PIN]

Hmm. Even if you made it this far, you should start feeling a little bit (a lot) suspicious right now. I don’t recall Amazon ever asking for my ATM PIN, do you? But do notice that the other links on the pages appear to actually link back to Amazon’s real site. A thoughtful touch.

And there you have it, ladies and gentlemen — a quick synopsis on how not to get “phooled” by the phishers. Feel free to chime in with your own tips, tricks, and analysis.

Have you or anyone you know ever fallen for a phishing attempt?