The “Phishing Scammers” seem to be growing in numbers.

Is it just me or is everyone else noticing that the amount of “phishing scams” is on the rise? I think I’ve gotten at least a half dozen attempts in the last 4 or 5 days. For those of you who may not be familiar with this scam the idea is simple: Send a bunch of people an email claiming to be from PayPal or eBay telling them there’s been some sort of issue with their account. Perhaps you’re doing a routine check to ensure the account is still active so you can delete inactive ones (popular PayPal scam) or that someone has tried to log into their account unsuccessfully so they should go to a link you’ve handily supplied them and log in to verify that their account hasn’t been hijacked.

In either case they either provide you with a very official looking HTML email complete with a handy form for you to submit your account information including credit or debit card information or they’ll include a link that it claims will take you to a login screen or account validation form that you should fill out and submit. If you hold your mouse pointer over the link and then check the status bar of your browser it might even look like a valid URL pointing to the service in question. Or at least it will if you’re using an unpatched version of Internet Explorer. There was a known exploit that allowed for a bit of JavaScript to re-write what was displayed in the status bar at the bottom left of the browser window and this allowed the scammers to make it look like the URL in the email and the URL in the status bar were one and the same. Looking at the same email in Mozilla Mail or Thunderbird would reveal that the URL in the status bar is completely different than the one in the email. Usually it will have an IP address in it rather than a textual domain. If you go to the link and fill out the form it’ll then pass you on to the official home page of the service they’re spoofing so it doesn’t look like you’ve been had.

Even though Microsoft has patched IE to deal with this exploit it’s only effective if people apply it and we know how bad people are about keeping their systems updated. As a result reports of this scam have increased almost 200% in the month of April and the scammers are inventing new tricks to fool folks into handing over their info. Citibank is a favorite target with over 475 unique phishing scams in April according to The Anti-Phishing Working Group with eBay and PayPal coming in second and third.

Clever spoofers are even finding ways to deal with patched browsers. According to the folks at Miller Smiles in the UK the newest trick is to spoof both the address bar and the status bar using a new browser window with these features turned off and graphical images in their place:

These pages were constructed in the following manner …

  1. a link in a spoofed email opens a new browser window which is scripted to immediately close itself and reopen with the address bar (and possibly the status bar) removed,
  2. the new window contains a variable combination of HTA, HTML and javascript commands which construct a fake address bar using images and text (the text comprises a genuine URL).

Examples of both eBay versions and PayPal version have already turned up in user’s inboxes. I got the eBay one myself this morning. It wasn’t hard to tell it was fake if for no other reason than I have never had an account on eBay. I do, however, have a PayPal account so it’s important to know that neither company will ever send you an email asking you to submit credit card data in a form in the email. Nor will they provide you with a link to login to your account with. If you use eBay or PayPal with any regularity than you already know what the URL to get to their site is so they’ll expect you to go there on your own if they need you to do something. That’s your first line of defense: Know the policies and practices of the companies you deal with. In addition to that it probably wouldn’t hurt to keep tabs on the folks at The Anti-Phishing Working Group as they’ll keep you informed on new scams as they come up. At the very least, you want to be sure you think carefully about any request you get via email claiming to be from a recognized company that asks you to submit personal data and credit card information directly into a form they provide you. Always go to the site in question on your own without using any of the links in the email and check to see if they have any news of scams or frauds being perpetrated through email. Both eBay and PayPal have special email addresses you can forward these emails to in order to check if they are spoofs. Citibank probably does as well, but I’ve not checked their site for it.

I’ve posted a couple of examples of these scams at the bottom of this entry for those who want an idea of what to look for. Click ‘em for a bigger pic:

 

9 thoughts on “The “Phishing Scammers” seem to be growing in numbers.

  1. Yep, I’m getting a lot more fake mail from Citibank these days (where I do have an account).  One thing that helps in Outlook is to right-click the email in the list (without opening it) and choose “Options” at the bottom of the pop-up menu.  You can examine the headers of the email, and can see very clearly that the email is coming from some random address(es) instead of or in addition to a faked Citibank address.

  2. It pays (or should that be ‘saves’) to be a sceptic.

    Funny how they spend so much time on making these scams convincing, and then they can’t even spell right…

    As for asking for your ATM number: well, that shows some nerve. Can’t but admire such a determined crook, can you?

  3. There’s still a flaw in IE that hasn’t been patched - visit this test page in IE and click on the ‘Paypal’ link. Instead of ending up at Paypal you’ll end up at a page on my site.

    What’s worse is that this also works in Outlook Express. OE prohibits you from using JavaScript to rewrite the status bar though, so you can’t fake URLs in that.

  4. I would have to agree with Ingolfson.  Any e-mail purported to be from a large, reputable corporation that has numerous grammatical and spelling errors….it just has to make one skeptical.  How can anyone fall for this poorly slapped together crap?

  5. Some of the spelling/grammer errors may be due to the author’s unfamiliarity with English, but I think it is also so that spam filters don’t pick out the keywords.  The spammer knows that even if the spam filter cannot decode the words, the human will be able to.

    I have seen ads in Information Week saying “our filter will get ‘em no matter how they spell it” suggesting this is a problem yet to be fully solved.

    A couple months ago there was a piece of bullshit email circulating that used a number of extreme misspellings and yet was quite readable, then asks “isn’t that amazing?” Which it sort of is, that we can extract meaning from deliberatly messed up strings of text.  (I got about fifty copies of that email, but widecast bullshitmail is in another thread.

    I still feel like slapping anyone stupid enough to follow one of those mails and divulge their freakin’ credit card information.

  6. If I look at something iffy, I just View/Message Source in Firebird and check the message body to see if it’s crap.  That is, the ones that don’t have “oijhweoi” in the subject line.  Doesn’t matter to me that it sneaks it through a filter.  I white list my email, so crap like that in the subject line makes the junk folder browse quicker. 

    I think it’s easier to just add an address to the white list than to try to train the spam filter.  I do have a blacklist up on Hotmail, but since it’s limited, I save it for those who fill my box up and make me lose email.

  7. Bad spelling works because the people that think these emails are real are stupid and probably can’t spell themselves.

  8. I wonder what sort of reprecussions would occur from having hackers contracted by large corporations to bring sites such as these down?  (Other than the obvious abuse of power.)

    Most companies have an address where you can forward any ‘phish’ mails so that their internet security folks can follow-up on it.

    For Citibank members it is emailreport@citicorp.com

  9. We’ve talked about active retaliation before (in one of my previous lives as a corporate security officer).  You really can’t attack another site even if you claim it’s in self-defense.  Especially since you’d have to do a lot of legwork first to make sure the apparent originating site wasn’t just an innocent victim of a takeover by hackers to begin with.

    However, if you happen to have any personal friends who are off-duty NYC cops, and you happen to be able to find a reliable street address for the offender, there’s nothing to stop you from asking them to go have a friendly, unofficial chat with the suspected spammer …

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.