Phishing

WeekEnd Feature: Gone Phishing

by Ian Thompson, CCSP Staff Editor
January 24, 2004


Jus’ lazin’ on a Sunday afternoon…
How many of us have received an email from “our” banks asking us to re-register? Or that eBay or Amazon have suffered a security breach and need us to confirm our username and password to prevent the ‘fix’ from removing our accounts? The web addresses all look okay, and the first bit matches the home page details of these sites, so it all seems legitimate.

What’s this on the line…?

These are all examples of ‘phishing’, the act of trying to trick users by posing as official requests from trusted bodies. But what is ‘phishing’?

Well, my Interconnected Network readers, Word Spy seems as good a place as any to begin finding that one out. They have a good description at http://www.wordspy.com/words/phishing.asp, which just about says it all.

The ‘ph’ bit is a legacy of the early hacking days and comes from the word ‘telephone’. Back in the early 70s, the first hacker, John Draper (aka Captain Crunch), coined the phrase ‘phreaking’ to describe the activity of making a public telephone system behave in ways it shouldn’t, such as giving free long-distance and international calls from call boxes, or having the bill directed to someone else’s account. This had been going on since the mid-to-late 60s, but came to the public’s attention when it was first published in 1971. Variously, this has been described as ‘phone wreaking’, ‘phone freaking’ or ‘phone phreaking’, depending on which side of the argument you took and how much Class A you’d just popped. Bell Telecom would side with the ‘wreaking’ bit, the hippy scene would fully understand why the phone service would be ‘freaked out’ by all this, and Richard Stallman would no doubt appreciate the circular reference akin to GNU. However, all agree that ‘ph’ is from ‘phone’.

Since then, the ‘ph’ for ‘f’ swap has been applied to all manner of less-than-up-front activity.

Uh-huh! Got a nibble…

The site http://www.anti-phishing.org/ has been set up to highlight and combat this kind of fraud, and other email scams. Their description of the problem is this:

“Phishing attacks involve the mass distribution of 'spoofed' e-mail messages with return addresses, links, and branding which appear to come from banks, insurance agencies, retailers or credit card companies. These fraudulent messages are designed to fool the recipients into divulging personal authentication data such as account usernames and passwords, credit card numbers, social security numbers, etc. Because these emails look 'official', up to 20% of recipients may respond to them, resulting in financial losses, identity theft, and other fraudulent activity.”

Now read that last line again and think about this: 20% of all those receiving the scams are responding, whereas a typical paper-based mail-shot would only expect around 1%. Clearly, phishing works.

Strike! Reel this sucker in…

Harsh words, maybe, but it fits the analogy…
As security-conscious readers, you need to understand how this sort of thing actually works. I mean, if the message is crafted so carefully that on the face of it everything seems legitimate, there must be a good reason or two why this can succeed.

I guess the first is that people are basically gullible. If you read my ‘Cash’ article, you’ll have heard (in a non-audible way) me say that “a healthy dose of paranoia is a good thing”, and there I go again. But it’s true. I do not want to live in a world where everyone has their natural openness removed, otherwise there’d be no more acts of charity for fear of being mugged, but I don’t much like having to open folks’ eyes to the fact that there are bad people out there too. It’s especially painful when it’s a friend or relative who only thought they were doing the right thing.

There are several ways that this can happen, and for once, not all are ‘features’ of Windows…

HTML tags (brackets altered from '<' & '>' to '{' & '}' for visibility):

An HTML hyperlink converts a word, phrase or picture into a link to another site. This is the most basic way of creating the deception. The web page (or HTML-coded ‘fancy’ email) includes a line like:

{a href="Ha Ha! You thought it was Amazon..!"}Amazon.com{/a}

that displays as “Amazon.com” on the web page, but actually links somewhere else entirely. If you want to test this, cut’n’paste this code into Notepad (just put pointy brackets ('<' and '>') instead of the curly ones):

{html}
{body}
{a href="Ha Ha! You thought it was Amazon..!"}Amazon.com{/a}
{/body}
{/html}

Save it as ‘spoof.htm’ (make sure you set the save dialogue to ‘All files’, or else it will add ‘.TXT’ on the end and not work). Just double-click the ‘spoof’ web file icon this creates to have a look.

How to spot this…

Well, most web browsers have a Status line (on IE it’s at the bottom, under the display). This shows the actual link address, so in this case, you’ll not see ‘Amazon.com’ when you roll the cursor over the hyperlink…

Redirecting the user…

HTML links let writers use character codes instead of the ‘real’ characters, which is handy for hiding things. This means stuff can get really tricky… Change the long code line to:

{a href="http://www.amazon.com@%31%32%37%2E%30%2E%30%2E%31:%39%39%39%39"}Amazon.com{/a}

and have another look. Now when you roll over the hyperlink, the ‘status’ shows a fairly real-looking web address. Actually, it sort of looks like an email address since it’s got the ‘@’ in the middle, but the first part’s convincing, isn’t it? Problem is, the browser treats everything before the ‘@’ as a username and takes the user to the spoofed website at the IP address that follows it. Don’t worry; it’s actually the internal loop-back one inside your PC, so click away! All you’ll get is a ‘Cannot find Server’ error. Actually, you can probably spot the IP address in the coded stuff: each ‘%’ tells the browser a two-digit character code follows, the codes beginning ‘3’ are digits, and ‘2E’ is a dot. Further codes include ‘2F’, which is ‘/’, so you can see how even a full address can be made up like this.

How to spot this…

Look at the source code of the page or message. If you spot any of this nonsense, don’t go there. You can right-click the link and copy’n’paste it into the address bar to reveal the more readable version, but often just viewing the properties only shows the visible link, not the hidden one.

More redirection methods include server-name redirection, where the ‘email address’ look continues to the point of calling one website from within another. Again, the link looks real (even more so) in the status line, but copy’n’paste into the address bar reveals the deception.
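The two tricks above (display text that says one thing while the href says another, and a percent-encoded ‘user@host’ address) can both be caught by the same check. Here is an added example, not from the original article, of a small link checker in Python: it decodes the ‘%’ codes before splitting off the user-info part, as the browser does, and compares the visible text with the real host. The sample message, and the names reveal_target, AnchorCollector and check_links, are constructed for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample message: the article's two trick links plus one genuine link.
SAMPLE_EMAIL = """<a href="Ha Ha! You thought it was Amazon..!">Amazon.com</a>
<a href="http://www.amazon.com@%31%32%37%2E%30%2E%30%2E%31:%39%39%39%39">Amazon.com</a>
<a href="http://www.amazon.com/">Amazon.com</a>"""

def reveal_target(href):
    """Decode %XX codes as the browser does, then split off any user info before '@'."""
    parts = urlsplit(unquote(href))      # %31%32%37%2E%30%2E%30%2E%31 -> 127.0.0.1
    if parts.scheme not in ("http", "https"):
        return None, None, None          # a bare phrase, not a web address at all
    userinfo, _, hostport = parts.netloc.rpartition("@")
    host, _, port = hostport.partition(":")
    return userinfo or None, host.lower(), int(port) if port.isdigit() else None

class AnchorCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in the message."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None

def check_links(html):
    """Return (visible text, real host, warnings) per link; no warnings means honest."""
    collector = AnchorCollector()
    collector.feed(html)
    verdicts = []
    for text, href in collector.anchors:
        userinfo, host, _port = reveal_target(href)
        warnings = []
        if host is None:
            warnings.append("href is not a web address")
        else:
            if userinfo:
                warnings.append("'%s@' is user info; the real host is %s" % (userinfo, host))
            if text.lower() not in host and host not in text.lower():
                warnings.append("visible text does not match host %s" % host)
        verdicts.append((text, host, warnings))
    return verdicts
```

Run check_links(SAMPLE_EMAIL) and the first two links come back with warnings (no real address; user info hiding 127.0.0.1 on port 9999) while the genuine one comes back clean.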

An actual flaw in IE – What? You do surprise me…

None of the methods above are flaws, just ways in which HTML can be used. However, as reported at Bugtraq (http://www.securityfocus.com/archive/1/346948/2003-12-08/2003-12-14/2), IE can be made to hide the offender’s address entirely. MS may fix this in the time-honoured way soon.

The solution – trust no one!

Actually, that’s a little drastic, but you get the point. In fact, if major banks, plus common targets like eBay and Amazon are issuing advice not to respond to these kinds of direct email shots, you’ve probably heard this before. As a rule, they never email anyone requesting security information. Stuff like SpamPal (http://www.spampal.org/) will no doubt help, but it’s back to that old nugget called ‘user education’ – no amount of software will help the hapless user clicking on an icon or link.
Be a smart sprat, not a trusting trout

Remember – only the fish that take the bait end up stuffed and mounted on the wall. Okay, that’s enough piscatorial stuff for now…

Note: All brackets in the code have been changed so that you can see them. Otherwise the software that created this article would eliminate the tags and create the links.



Ian Thompson is a Network Manager of a 500-PC, 5-server, 1700-user school network and is an ICT teacher at a UK high school near the city of Leeds. He has written articles for the Hutchinson Encyclopedia, plus many resources in support of teaching ICT in the UK schools' National Curriculum.

Copyright © Ian Thompson 2004
Posted on Saturday, 24 January 2004 @ 09:00:00 EST by phoenix22
Re: Gone Phishing (Score: 0)
by Anonymous  on Monday, 26 January 2004 @ 01:52:48 EST
You don't have to use { and }'s in your article, you can use &-lt; and &-gt; instead of respectfully.
Just remove the - between & and the next three signs (I had to put a - in between there or this comment box would parse them as the sign, which would make this reply pointless ;)

-sundby