The Phishing Guide Part 1: Email and Spam

Saturday, June 10th, 2017

Phishing attacks initiated by email are the most common. Using techniques and tools used by Spammers, Phishers can deliver specially crafted emails to millions of legitimate “live” email addresses within a few hours (or minutes using distributed Trojan networks). In many cases, the lists of addresses used to deliver the phishing emails are purchased from the same sources as conventional spam.

Utilising well-known flaws in the common mail server communication protocol (SMTP), Phishers are able to create emails with fake “Mail From:” headers and impersonate any organisation they choose. In some cases, they may also set the “RCPT To:” field to an email address of their choice (one from which they can pick up email), so that any customer replies to the phishing email are sent to them. The growing press coverage of phishing attacks has meant that most customers are very wary of sending confidential information (such as passwords and PIN information) by email – however it is still successful in many cases.

Techniques used within Phishing emails:

• Official looking and sounding emails
• Copies of legitimate corporate emails with minor URL changes
• HTML based email used to obfuscate target URL information
• Standard virus/worm attachments to emails
• A plethora of anti-spam-detection inclusions
• Crafting of “personalised” or unique email messages
• Fake postings to popular message boards and mailing lists
• Use of fake “Mail From:” addresses and open mail relays for disguising the source of the email

A Real-life Phishing Example

The following is an email sent to many thousands of Westpac banking customers in May 2004. While the language sophistication is poor (probably due to the writer not being a native English speaker), many recipients were still fooled.

Things to note with this particular attack:

• The email was sent in HTML format (some attacks use HTML emails that are formatted to look like they are plain-text – making it much harder for the recipient to identify the hidden “qualities” of the email’s dynamic content).

• Lower-case L’s have been replaced with upper-case I’s. This is used to help bypass many standard anti-spam filters, and in most fonts (except for the standard Courier font used in this example) fools the recipient into reading them as L’s.

• Hidden within the HTML email were many random words. These words were set to white (on the white background of the email) so were not directly visible to the recipient. The purpose of these words was to help bypass standard anti-spam filters.

• Within the HTML-based email, the URL link https://oIb.westpac.com.au/ib/defauIt.asp in fact points to an escape-encoded version of the following URL: http://olb.westpac.com.au.userdll.com:4903/ib/index.htm This was achieved using standard HTML coding such as:

• The Phishers have used a sub-domain of USERDLL.COM in order to lend credibility to the illusion of it really being the Westpac banking site. Many recipients are likely to be fooled by olb.westpac.com.au.userdll.com.

• The non-standard HTTP port of 4903 can be attributed to the fact that the Phishers’ fake site was hosted on a third-party PC that had been previously compromised by an attacker.

• Recipients that clicked on the link were then forwarded to the real Westpac application. However, a JavaScript popup window containing a fake login page was presented to them. Expert analysis of this JavaScript code identified that pieces of it had been used previously in another phishing attack – one targeting HSBC.

• This fake login window was designed to capture and store the recipient’s authentication credentials. An interesting aspect to this particular phishing attack is that the JavaScript also submitted the authentication information to the real Westpac application and forwarded them on to the site. Therefore the recipient would be unaware that their initial connection had been intercepted and their credentials captured.
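The link tricks listed above (upper-case I standing in for lower-case l, an escape-encoded href, a look-alike sub-domain and a non-standard port) can all be checked mechanically on the receiving side. The following is an added example, not code from the original post: it parses an HTML body, decodes each href, and compares the real host against the visible one and against the bank's genuine domain. The sample message is constructed here; only the hostnames, paths and port are taken from the post, and the function names and the `westpac.com.au` trusted-host default are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote
# Constructed sample (hostnames, paths and port from the post; wording assumed).
SAMPLE_HTML = (
    '<p>PIease confirm your detaiIs at '
    '<a href="http://%6f%6c%62.westpac.com.au.userdll.com:4903/ib/index.htm">'
    'https://oIb.westpac.com.au/ib/defauIt.asp</a></p>'
)

def unmask(s):
    return s.replace("I", "l").lower()   # undo I-for-l: 'oIb' -> 'olb'

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyse_link(href, text, trusted_host):
    """Return the reasons a link looks deceptive (empty list = none found)."""
    real = urlsplit(unquote(href))    # decode %xx escapes before parsing
    shown = urlsplit(unmask(text))    # compare hosts after unmasking
    real_host, shown_host = real.hostname or "", shown.hostname or ""
    reasons = []
    if shown_host and shown_host != real_host:
        reasons.append(f"visible host {shown_host} differs from real host {real_host}")
    # A genuine host equals the trusted host or ends in '.'+it; this one merely *begins* with it.
    if real_host != trusted_host and not real_host.endswith("." + trusted_host):
        reasons.append(f"real host {real_host} is not under {trusted_host}")
    if real.port not in (None, 80, 443):
        reasons.append(f"non-standard port {real.port}")
    if "I" in text:                   # heuristic: capital I is rare in real URLs
        reasons.append("capital I in visible URL (likely l/I substitution)")
    return reasons

def scan_email(html, trusted_host="westpac.com.au"):
    parser = LinkExtractor()
    parser.feed(html)
    return {href: analyse_link(href, text, trusted_host) for href, text in parser.links}
```

Run against the sample, `scan_email` reports all four findings for the single link; a genuine `https://olb.westpac.com.au/...` link whose visible text matches its href produces none.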
