Wiki:
Page name: CYA-Phishing_example-01
2006-12-22 18:54:41
Last author: wulfman
Owner: wulfman

Cover Your Assets

Phishing Fraud

This is an excellent example of a phishing email. The text of the quoted email appears in italics.

Highlighted sections are in bold italics.

Annotations by the author are in regular text, and the email is divided into sections for clarity and to make the annotations easier to track.

This is the page source for the email in question. Much of what the source contains is written so that it is invisible in your email client, which tends to make the reader believe that the email actually comes from the legitimate service.

Delivered-To: munge@gmail.com
Received: by 10.90.65.2 with SMTP id n2cs163811aga;
    Tue, 19 Dec 2006 12:24:30 -0800 (PST)
Received: by 10.70.37.12 with SMTP id k12mr10458523wxk.1166559870673;
    Tue, 19 Dec 2006 12:24:30 -0800 (PST)
Return-Path: <service@ebay.com>
Received: from 192.168.20.10

This is the address the sender claims to be sending from (the name it announced when it connected). It is a Class C private network address (192.168.x.x), which isn't routable on the Internet.
Basically, that just means you should ignore who they are claiming to be and pay attention to the next part, which is who your mail server says they really are.

(adsl-070-147-032-204.sip.bct.bellsouth.net [70.147.32.204])

This is the actual address that sent it, and the network domain it actually belongs to, as recorded by the receiving mail server. Note that the sender is not ebay.com, as the Return-Path line above claims. This address belongs to a DSL customer on the BellSouth network.

    by mx.google.com with SMTP id i37si13696250wxd.2006.12.19.12.24.30;
    Tue, 19 Dec 2006 12:24:30 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning service@ebay.com does not designate 70.147.32.204 as permitted sender)


SPF is a form of mail server verification. What this line says is that Google's mail server looked up the sender policy that eBay publishes for ebay.com, and that policy does not list this IP as an authorized sender. Note the timestamp and time zone on this hop, then look at the Received header below.


Received: from 64.39.41.192 by ; Wed, 20 Dec 2006 00:18:29 +0400


This Received line claims to be the original sender; however, the Received line above it doesn't list the additional acknowledgement of the transaction, and this one claims to have been sent from the international time zone +4:00, which is significantly east of Germany, the location of the network the IP address indicates as the source. In addition, it claims to have been sent at a little after midnight, while the email was logged by Google at a little before 1:00 PM in the -8:00 Pacific Standard Time zone in California. This doesn't indicate that the email actually came from Germany. What it says instead is that this line was added by a sloppy hacker who didn't pay attention to detail and doesn't understand how to set up his spam software. Spam software commonly adds extra Received lines to confuse the recipient into thinking the email has been bounced around from server to server. In this case, the hacker has actually defeated his own purpose by confirming that the BellSouth address is the real sender and that this line is forged (written in by the sender in an attempt to hide). It is possible for the forgery to be perfect, and some spam is sent via viral software which hijacks an innocent user's system, but that doesn't appear to be the case here. The only important thing to remember is that if ANY of these lines is forged or doesn't pass SPF, it is definitely a forgery and an attempted phishing scam. There are other things to look for as well, so even if this all seems perfectly legit, if you check your account by browsing directly to the service site rather than using the click-through link in the email, you should be able to verify that it is phishing.


Message-ID: <CDSVNFGFGMSYKFUZAGLW@aol.com>

Another indication of forgery: this is an AOL Message-ID, yet neither of the IP addresses above is an AOL mail server. Don't let this confuse you. It is enough that you know the Received line above is forged. Once you find anything falsified in an email header, it is fairly certain that everything below it was also written by the scammer or his spamming software.
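The header checks walked through above (a private address in the claimed sender, a Received line that names no receiving server and so doesn't link to the hop above it, the SPF softfail, and a Message-ID domain that doesn't match the From domain) written as a small Python script over a constructed copy of the quoted headers. This is an added example, not part of the original wiki page; it uses only the standard library.

```python
import email
import ipaddress
import re
from email.utils import parseaddr
# Constructed sample: the headers quoted on this page, re-joined so the stdlib parser can unfold them.
RAW_HEADERS = """\
Received: from 192.168.20.10 (adsl-070-147-032-204.sip.bct.bellsouth.net [70.147.32.204])
    by mx.google.com with SMTP id i37si13696250wxd.2006.12.19.12.24.30;
    Tue, 19 Dec 2006 12:24:30 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning service@ebay.com does not designate 70.147.32.204 as permitted sender)
Received: from 64.39.41.192 by ; Wed, 20 Dec 2006 00:18:29 +0400
Message-ID: <CDSVNFGFGMSYKFUZAGLW@aol.com>
From: "service@ebay.com" <service@ebay.com>
"""

def parse_received(value):
    """One Received header -> what the sender claimed, what the receiving MTA saw, who received it."""
    value = " ".join(value.split())                    # unfold continuation lines
    frm = re.search(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", value)
    by = re.search(r"\bby\s+([^\s;]+)", value)         # 'by ;' (no relay named) yields no match
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", frm.group(2) or "") if frm else None
    return {"claimed": frm.group(1) if frm else "",     # name or address the sender asserted
            "verified": ip.group(1) if ip else "", "by": by.group(1) if by else ""}

def analyze(raw):
    """Return the header anomalies this page walks through, as short strings."""
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]   # newest hop first
    findings = []
    for h in hops:
        try:
            if ipaddress.ip_address(h["claimed"]).is_private:
                findings.append(f"private HELO address {h['claimed']}: trust verified IP {h['verified']}")
        except ValueError:
            pass                                        # claimed a hostname, not an IP literal
        if not h["by"]:
            findings.append(f"hop from {h['claimed']} names no receiving server")
    for newer, older in zip(hops, hops[1:]):
        # in a genuine chain the older hop's 'by' host is the host the newer hop received from
        if older["by"] and older["by"] not in (newer["claimed"], newer["verified"]):
            findings.append(f"chain break between {older['by']} and {newer['claimed']}")
    spf = msg.get("Received-SPF", "").split(" ", 1)[0].lower()
    if spf in ("fail", "softfail"):
        findings.append(f"SPF {spf} for {parseaddr(msg['From'])[1]}")
    mid_domain = msg.get("Message-ID", "").strip("<> ").rpartition("@")[2]
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if mid_domain != from_domain:
        findings.append(f"Message-ID domain {mid_domain} != From domain {from_domain}")
    return findings
```

Run `analyze(RAW_HEADERS)` to get the four findings; on a genuine message from a properly linked relay chain the list is empty.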

From: "service@ebay.com" <service@ebay.com>
Reply-To: "service@ebay.com" <service@ebay.com>
To: munge@gmail.com
Subject: eBay Registration On Hold
Date: Tue, 19 Dec 2006 21:15:29 +0100
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

eBay is using Outlook Express? No... I don't think so.
Neither is the hacker, but he's sloppy and has already mis-set several other features of his spamming software. It is probably designed to forge the X-Mailer header with the name of any of a number of popular clients and may even accept manual input for this line. This just once again confirms that it is a phishing email... and that the sender is sloppy.

MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--12976056587338265"
X-Priority: 1
X-MSMail-Priority: High

----12976056587338265
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<strong><FONT color=3Dred> IMPORTANT: Only for seller accounts ! </FONT>
<br>
<br>
<br>Dear eBay seller Member</FONT>,

First of all, eBay never sends notifications of any kind without addressing the account holder correctly by their registration ID. Keep in mind that even if this is done correctly, you should still never trust an email that asks you to click through. It is just as easy to reach your account by browsing directly to the site. You can check your account safely with the browser, but not by using the email link.

we regret to inform you that your eBay=
account has been put on-hold due to the violation of our site policy belo=
w:
<br>
<br>Non-payment of US $26.69 balance on your eBay account.

But I don't owe them $26.69. In fact, I pay close attention to my account, and I don't owe them anything. This is also not the form of a notification from them. They ask quite politely, well in advance of the due date, to give the account holder plenty of time to pay. Always keep up to date on your account status and what your balance is. You won't be tempted to fall for this scam if you stay aware of your current account status.

<br>
To be considered for reinstatement of this account, you must pay the US $2=
6.69 balance due immediately.
<br>
<br>
<strong><FONT color=3Dred>1. Clik to </FONT><a
href=3D"http://200.37.122.73:84/ws/eBayISAPI;dllSignIn&co_partnerId=3D2/pU=
serId=3D&siteid=3D0&pageType=3D&pa1=3D&i1=3D&bshowgif=3D&UsingSSL=3D&ru/">=
<font color=3D"red"></b></font> https://www.ebay.com</a>

The line above is code which tells your email client (or browser, for webmail) to display a link in the body of the email showing the website address of eBay, but to point that text not at eBay's website but at a server in Lima, Peru, on port 84. This in itself is unusual. Your browser will do as instructed, but the average web spider will miss this site because of the port assignment. It is entirely possible that this same server has an entirely legitimate purpose and that the service running on port 84 was not put there by its administrator. This link is what the entire email is about. If the hacker can convince you it is legitimately eBay and you enter your account name and password at the phony login screen that waits for you there, then he will own your eBay account within minutes. They will be able to change your email address, shipping address, security questions, etc. Then they can charge any and all credit cards you have associated with the account to their limit, and have goods delivered to a vacant home or other dead drop where they can receive them without much risk of being caught... BUT any change to your account will cause an email to be sent to your last verified email address, and if you receive such an email, report the change immediately to the service (in this case eBay) as fraudulent, and they will void any transactions so long as you tend to the matter quickly. If the items have already been shipped they may still be able to stop the shipper, but if they have already been delivered, or the goods are digital and have already been downloaded, then you will have to call your credit card company, cancel the charge and have them issue a chargeback. Yes, this is exactly the sort of thing the chargeback is legitimately meant for.
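An added example (not from the wiki page) that decodes the quoted-printable fragment above and reports why the anchor is a lure: the visible text names www.ebay.com and promises https, while the href points at a bare IP address on port 84 over plain http. The sample body is a constructed copy of the lines quoted on the page; the checks generalise to any HTML part.

```python
import quopri
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the quoted-printable HTML fragment quoted on this page.
QP_BODY = b"""\
<strong><FONT color=3Dred>1. Clik to </FONT><a
href=3D"http://200.37.122.73:84/ws/eBayISAPI;dllSignIn&co_partnerId=3D2/pU=
serId=3D&siteid=3D0&pageType=3D&pa1=3D&i1=3D&bshowgif=3D&UsingSSL=3D&ru/">=
<font color=3D"red"></b></font> https://www.ebay.com</a>
"""

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(qp_html):
    """Decode the QP part and explain why each anchor looks like a lure; [] if nothing is odd."""
    parser = AnchorCollector()
    parser.feed(quopri.decodestring(qp_html).decode("latin-1"))
    findings = []
    for href, text in parser.links:
        target = urlsplit(href)
        shown = urlsplit(text) if "://" in text else None   # only when the link text is itself a URL
        reasons = []
        if shown and shown.hostname and shown.hostname != target.hostname:
            reasons.append(f"text shows {shown.hostname} but href goes to {target.hostname}")
        if target.hostname and re.fullmatch(r"\d+(\.\d+){3}", target.hostname):
            reasons.append("href host is a bare IP address, not a service domain")
        if target.port not in (None, 80, 443):
            reasons.append(f"non-standard port {target.port}")
        if shown and shown.scheme == "https" and target.scheme != "https":
            reasons.append("text promises https but href is plain http")
        if reasons:
            findings.append((href, text, reasons))
    return findings
```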

<br><FONT color=3Dred>2. On the sidebar under the 'My Account' section, cl=
ick the 'Seller Account' link</FONT>
<br><FONT color=3Dred>3. Select a method to pay your eBay fees</strong></F=
ONT>
<br>
<br>
If your account remains past due, your ability to bid and list may be rest=
ricted.<br>
Your account could be charged a late payment finance charge of up to 1.5 p=
ercent of your past due amount and all
collections efforts will continue.<br>
<br>
If you have already paid your eBay fees, please disregard this message.<br=
<i>

<br>Thank you,
<br><FONT color=3Dblue><strong>eBay Customer Support (Global Billing)</FON=
T></strong>
</i>

The rest of the email is meant to look serious and threatening, and to urge haste... Almost all scams urge haste, because people who are in a panic tend to make bad choices and tend to be suggestible toward a specific action presented as the remedy for the panic. Even if you suspect you have really messed up and allowed yourself to fall into one of these scams, DON'T PANIC... You can still fix things if you act with reasonable promptness and keep your head.

...Now, if you've taken the time to read this entire wiki page, then kudos for your patience. If you understood the nerdy bits pretty well, then kudos for your technical skills. But really, if you had stopped reading at the warning never to click on a link in any email that asks you to use it to reach a login page for any service you use, then you didn't need to understand anything else. Any service you use is just as accessible by browsing to the legitimate site directly (type in ebay.com, for example).

The more legitimate the email looks, the more important it is that you reach your account information through a direct connection to the site rather than through the link.

