In earlier blogs about Phishing (especially Phishing Primer Part 1 and Part 2) we described phishing as an artful attempt to get readers to click links in e-mail, thereby opening themselves up to unwarranted disclosure of personal or sensitive information and possible theft, as well as downloads of malware designed to mine and export such data to unauthorized third parties. In todays blog, we take a look at a blatant and low-grade phishing attempt that arrived in your authors inbox this morning by way of illustrating what a rude and crude phishing attempt looks like. Heres a graphical snippet from that message, sent to my Yahoo mail accounts inbox and quite properly relegated to the Unverified and unknown sender message bin by my spam filtering service.
[caption id="attachment_140" align="aligncenter" width="600" caption="It's easy to spot some Phishing messages...others not so much"][/caption]
Here are the telltale signs of a blatant and pretty low-grade phishing attempt, just from this small snippet clipped from a much larger message:
All of these outright errors, formatting glitches, and the strange mix of graphical and badly written textual elements point toward a phishing attempt. Indeed a quick look at View Source for the incoming HTML-formatted message (the favored medium for phishing, because thats what permits users to click embedded links, should the phishing attempt succeed) shows further signs of phishing (I use text snippets from that HTML file to make illustrations of whats going on):
The originating IP address for this message is 82.132.130.169. A quick trip to the IP2Location.com website shows that this address originates in the UK, and is administered by an ISP named O2 Online. If it were legitimate, Yahoo! would contact me from the US, and it would not originate its messages from a service provider that specializes in broadband and mobile phone accounts for consumers (Yahoo! uses Inktomi, as you'll see below). Furthermore the claimed sender policy framework identification (SPF) is attributed to mailservice@yahoo.com but Yahoo! itself reports that it does not designate permitted sender hosts. This is an entirely oblique way of informing someone who bothers to check the markup for the e-mail message that its been spoofedthat is, the claimed originator does not match the actual originatorbut those unfamiliar with the ways and jargon of SMTP email are unlikely to notice this.
Further down in the message header the following text appears:
This shows that the purported Message-ID, Reply-To, and From fields in the message as it displays in a Web browser have all been faked: the < and > strings are HTML character entities for < and > respectively and while they make the enclosed text look like the message originates from Yahoo!, includes a Yahoo! reply to address, and comes from mailservice@yahoo.com, all of these entries are entirely bogus.
And finally, theres a dead giveaway at the end of the message header, where fields that begin with an X-SA appear to indicate why this message has been flagged as spam (itself a sign of something untoward and unwanted at work):
My spam filtering service, Spamarrest.com, where I pick up all my incoming e-mail was able to deduce from the mismatch between the actual point of origination (82.132.130.169) and claimed point of origination (mailservice@yahoo.com; the address 68.142.198.147 appears in the e-mail header for the Yahoo! mail server that processed this message, and IP2Location reports its in Sunnyvale, CA, operated by Inktomi Coporation for the domain name yahoo-inc.com, which is entirely legitimate).
So much for a seriously flawed and flagrant phishing attempt. It never even got into my inbox! Hopefully, it won't get into yours or into any of your employees' inboxes, either!
Stu Sjouwerman
[caption id="attachment_140" align="aligncenter" width="600" caption="It's easy to spot some Phishing messages...others not so much"][/caption]
Here are the telltale signs of a blatant and pretty low-grade phishing attempt, just from this small snippet clipped from a much larger message:
- Its addressed to Account Owner rather than to an individual, even though Yahoo! had sufficient information to address the recipient by name (me, that is) if they had been the actual sender of this message (and of course, they were not, as I will shortly demonstrate).
- Theres a strange formatting error in the first paragraph of the message, where the blue-background Yahoo! text graphic includes a part of vertical strokes underneath, and impinges on the following text. Likewise, there are odd line breaks after Dear and at the end of the first nearly-full line of text in the message body. Also the font used for the message salutation is very different from the font used for the message body (sans-serif versus serif, in fact): Yahoos own email messages use consistent fonts throughout.
- The message body text omits a space between 48 and hours and misspells shuting [shutting], conjestion [congestion], and unsued [unused].
- The Yahoo! graphical header at the start of the snippet references a customer care satisfaction survey, but the entire message body that follows deals neither with a survey, nor is attributed to customer care at its conclusion. Yahoo! wouldnt do any of this.
- The Yahoo! graphical header at the start of the snippet references a customer care satisfaction survey, but the entire message body that follows deals neither with a survey, nor is attributed to customer care at its conclusion. Yahoo! wouldnt do any of this.
All of these outright errors, formatting glitches, and the strange mix of graphical and badly written textual elements point toward a phishing attempt. Indeed a quick look at View Source for the incoming HTML-formatted message (the favored medium for phishing, because thats what permits users to click embedded links, should the phishing attempt succeed) shows further signs of phishing (I use text snippets from that HTML file to make illustrations of whats going on):
X-YahooFilteredBulk: 82.132.130.169
Received-SPF: none (mta161.mail.sp2.yahoo.com: domain of = mailservice@yahoo.com does not designate permitted sender hosts)
Received-SPF: none(yahoo.com: yahoo.com does not designate permitted = sender hosts)
Received-SPF: DomainKey Not Present
The originating IP address for this message is 82.132.130.169. A quick trip to the IP2Location.com website shows that this address originates in the UK, and is administered by an ISP named O2 Online. If it were legitimate, Yahoo! would contact me from the US, and it would not originate its messages from a service provider that specializes in broadband and mobile phone accounts for consumers (Yahoo! uses Inktomi, as you'll see below). Furthermore the claimed sender policy framework identification (SPF) is attributed to mailservice@yahoo.com but Yahoo! itself reports that it does not designate permitted sender hosts. This is an entirely oblique way of informing someone who bothers to check the markup for the e-mail message that its been spoofedthat is, the claimed originator does not match the actual originatorbut those unfamiliar with the ways and jargon of SMTP email are unlikely to notice this.
Further down in the message header the following text appears:
Message-ID: <4C63A9A32EA52BFA@> (added by '')
Reply-To: <alertsevice25@yahoo.com.cn>
From: "Yahoo Service"<mailservice@yahoo.com>
This shows that the purported Message-ID, Reply-To, and From fields in the message as it displays in a Web browser have all been faked: the < and > strings are HTML character entities for < and > respectively and while they make the enclosed text look like the message originates from Yahoo!, includes a Yahoo! reply to address, and comes from mailservice@yahoo.com, all of these entries are entirely bogus.
And finally, theres a dead giveaway at the end of the message header, where fields that begin with an X-SA appear to indicate why this message has been flagged as spam (itself a sign of something untoward and unwanted at work):
X-SA-MPREASON: Forgery
My spam filtering service, Spamarrest.com, where I pick up all my incoming e-mail was able to deduce from the mismatch between the actual point of origination (82.132.130.169) and claimed point of origination (mailservice@yahoo.com; the address 68.142.198.147 appears in the e-mail header for the Yahoo! mail server that processed this message, and IP2Location reports its in Sunnyvale, CA, operated by Inktomi Coporation for the domain name yahoo-inc.com, which is entirely legitimate).
So much for a seriously flawed and flagrant phishing attempt. It never even got into my inbox! Hopefully, it won't get into yours or into any of your employees' inboxes, either!
Stu Sjouwerman