PayPal Phish - Ticket to Disaster
06-07-2006
If you’ve been on the Internet more than a month or two, you’ve likely by now received an email similar to the one below. The emails almost always predict some dire consequences and horrible fate to those who fail to comply immediately. Be advised - the dire consequences and horrible fate only await those who do reply to such emails.
The email shown here is what is known as “a phish” or “phishing attack.” While this one in particular is an attack on those having a PayPal account, phishing attacks have been conducted on virtually all well known financial institutions including banks and credit unions.
To get an understanding of how this is done let’s dissect this rascal and see what’s behind the scenes!

Those familiar with the PayPal service and its logos will likely agree this looks very official, and indeed it should as the attacker is actually using PayPal’s logos from www.paypal.com. For example here’s the HTML code (the language used to create web pages) from the email for the PayPal logo at the top of the page. If you click on the underlined part of the item below you will see that it takes you to the actual PayPal logo at the real PayPal site of paypal.com.
<img src="http://images.paypal.com/en_US/i/logo/email_logo.gif" alt="PayPal" border="0"/>
If you’re not familiar with HTML code, don’t worry about it. The important point here is that those creating phishing attacks do link to the real graphics for logos and other distinctive items at the legitimate web site to make their fake email look more authentic.
Now let’s look at the attacker’s goal and how the actual attack takes place. The attacker’s goal is usually simply to get the unwary user to believe they are actually complying with an official request from the given institution (PayPal in this case) and to get the user to enter their private data such as login name and password. Other phishing attacks similarly try to get users to provide account numbers, passwords, credit card numbers and similar information. In short, any data that the attacker can use to conduct a fraudulent transaction to his financial gain.
The “how” they accomplish this is by hiding the link to where you’ll actually be taken if you click on the link in the letter. Let’s clarify this with the current example above. In the email shown above we see at the end of the first paragraph the sentence ..
You can submit additional information at the following link:
followed by the rather official looking link:
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run
Let’s look at the actual HTML code for this email again to see what’s really going on here. The actual code for the above link is:
<a href="http://some-place-other-than-paypal.com" target="_Blank">https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a>
The above is how a link to another area on the web is coded within HTML. Notice that the second part, the text between target="_Blank"> and </a>, is the same as the link shown in the graphic of the phishing email above. This is the visible part of a hyperlink. Where the hyperlink actually takes you is given by the first part, the href, which in this case I have replaced with the fictitious address "http://some-place-other-than-paypal.com". That is exactly what happens in a real attack: the attacker takes you to a fraudulent site that is made to appear legitimate.
Let's demonstrate this with the actual working link. Note that nothing will happen here, as this is a fake link and you'll just get a "page not found" error if you try. The important thing is to look at the actual address shown at the bottom of your browser when you position the mouse over the visible link. Notice that you're actually being shown the hidden destination, "http://some-place-other-than-paypal.com".
This is the heart of a basic phishing attack. I used a fictional destination here for obvious reasons. In a real attack the unwary user is directed to a fake site that has been set up to look like the real thing, where the victim is asked to submit the items mentioned above: login names, passwords, credit card numbers and other personal details that the attacker can exploit for personal gain.
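The mismatch described above, between what a link displays and where its href really points, can be checked mechanically. The following is an added example, not code from the original post: it parses the anchor tags in an HTML email body (a constructed sample modelled on the phish above, using the article's fictitious host) and flags any link whose visible text is a URL on a different host than the real destination.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body. The first link shows the real PayPal login
# URL as its text but its href goes elsewhere (fictitious host, as in the
# article); the second link is honest and should not be flagged.
SAMPLE_EMAIL_HTML = """
<p>You can submit additional information at the following link:</p>
<a href="http://some-place-other-than-paypal.com" target="_Blank">https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a>
<p>Questions? Visit <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently being read, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_deceptive_links(html):
    """Return links whose visible text is a URL whose host differs from the
    host of the real destination in href (the trick at the heart of the phish)."""
    parser = LinkCollector()
    parser.feed(html)
    deceptive = []
    for href, text in parser.links:
        if not re.match(r"https?://", text):
            continue  # visible text is not a URL, so there is nothing to compare
        real_host = (urlparse(href).hostname or "").lower()
        shown_host = (urlparse(text).hostname or "").lower()
        if real_host != shown_host:
            deceptive.append({"shown": text, "actual": href})
    return deceptive
```

Running find_deceptive_links(SAMPLE_EMAIL_HTML) reports the first link only; a mail filter or user-education tool could apply the same check to every incoming message.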
New and more sophisticated attacks have been developing over the past year that add a few twists and turns to how the attack is conducted but the above outlines the primary concept of redirecting the unwary user to an area meant solely to fraudulently capture the private data.
Protecting Yourself
If you receive such an email, the safest bet is to just delete it. If you believe that the email might be legitimate, don’t click on links given in the email. Instead start your browser and type in the URL for the institution yourself and then log into your account.
As an example, PayPal did send out emails to account holders a while back requiring that they agree to some changes in the terms of service. Not even bothering to see if they were legitimate, I just deleted the email, started Firefox, and logged into my PayPal account. Sure enough, there was a message there requiring some actions on my part.
Moreover you can help prevent these miscreants from plying their illicit trade by forwarding the phishing email to ‘reportphishing@antiphishing.org’.
Also, many organizations such as eBay and PayPal use a reporting address of the form "spoof@the-institution-name.com", for example spoof@ebay.com or spoof@paypal.com.
Thoughts, comments and questions welcome. Tell us what you think!
Posted by admin on 06-07-2006 at 12:06 am
Posted in Phishing