PHISHING
Most concerning is the increasing trend of malicious spam. Customers of almost every major international bank have been targeted by phishing scams of varying sophistication. Phishing is the term given to a specific type of spam that attempts to fool people into supplying confidential information -- the spammers are effectively "fishing" for whatever information they can find.
Essentially, phishing is a type of social engineering -- an attacker attempts to gain the trust of a victim and fool them into taking certain actions.
The normal format of a phishing scam is an e-mail that looks official, appears to be sent from the bank itself, and asks you to enter your personal details (often including your credit card details and PIN) for the purposes of account confirmation. These e-mails generally use genuine logos and text styles, often taken directly from the bank's Web site, to try to fool the recipient. Figure 3-1 shows a phishing e-mail as displayed by Outlook:
Ignoring for the moment that no bank would send an e-mail like this, the body of the message looks legitimate. There is the logo of Nationwide, a major U.K. bank. The From e-mail header says that the message was sent from a nationwide.co.uk e-mail address, and the message text asks you to visit a page on the Nationwide Web site. At first glance this is all very legitimate and believable.
Under no circumstances should you attempt to access the Web site or follow any directions shown on this lesson page. This phishing investigation is provided purely as an example for learning purposes.
However, all is not as it seems. Because this e-mail has images and text styles apparently included in it, it must be an HTML e-mail. Viewing the HTML source behind it, shown in Figure 3-2, starts alarm bells ringing:
Figure 3-2 shows some HTML code split into blocks for easy reference. You may not be familiar with some of the code, so let's go over it step by step:
- The first code block has the <a href> tag, followed by the correct Nationwide Web site address. When you move your mouse over the HTML message in Outlook, this code ensures that the Nationwide Web site appears as the tool-tip. If it weren't for the rest of the code in the e-mail, you would be taken to the Nationwide site.
- The next block begins with the <map> tag. This effectively places an invisible mask over the entire message so that when you click anywhere in the e-mail, you're immediately taken to the Web site specified in the href section. As you can see, although the Web address starts with http://, strange numbers and percentage signs follow it. You'll come back to this shortly, but it's this piece of code that overrides the Nationwide hyperlink.
- The penultimate block begins with the <img src> tag. This is the HTML command to load an image from a remote server, and here's where the scam becomes clear. What you're actually seeing in the e-mail shown in Figure 3-1 is not a text e-mail with a hyperlink; it's a bitmap image mock-up of an e-mail that, no matter where you click, takes you to a malicious Web site.
- The final block of seemingly random text, highlighted in yellow, is an antispam evasion mechanism. Later in this course Bayesian filtering will be covered, which explains the purpose of this line of text.
From the analysis of this phishing e-mail, you can now see that no matter where you click in the e-mail, you're taken to a malicious Web site. The Web site in question is defined by the string beginning http://%32%30%33 in Figure 3-2, but this doesn't look like any normal URL; it has actually been obfuscated by hex encoding, in which each character of the address is replaced by a percent sign followed by its character code in hexadecimal. To understand why this works, a small detour into computer and operating system architecture is needed.
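The four-block analysis above can be automated. The following Python script is an added example, not part of the lesson or the e-mail it describes: it parses the HTML source of a message, separates the address shown in the tool-tip (the `<a href>`) from the address a click actually reaches (the `<area href>` inside the `<map>`), decodes any %xx hex obfuscation, and reports the mismatch. The sample message is constructed to mirror the structure in Figure 3-2; the click target 192.0.2.1 is a documentation-only address, not the real scam host.

```python
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit


class PhishLinkParser(HTMLParser):
    """Collects <a href>, <area href> inside <map>, and <img src> values."""
    def __init__(self):
        super().__init__()
        self.anchors, self.areas, self.images = [], [], []
        self._in_map = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.anchors.append(a["href"])      # what the tool-tip shows
        elif tag == "map":
            self._in_map = True
        elif tag == "area" and self._in_map and a.get("href"):
            self.areas.append(a["href"])        # where a click really goes
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])        # remote mock-up image

    def handle_endtag(self, tag):
        if tag == "map":
            self._in_map = False


def decode_url(url):
    """Undo %xx hex obfuscation so the real host can be read."""
    return unquote(url)


def analyse(html):
    p = PhishLinkParser()
    p.feed(html)
    shown = [urlsplit(decode_url(u)).hostname for u in p.anchors]
    targets = [decode_url(u) for u in p.areas]
    findings = []
    for raw, real in zip(p.areas, targets):
        if "%" in urlsplit(raw).netloc:
            findings.append(f"hex-encoded host in image-map target {raw} -> {real}")
        if urlsplit(real).hostname not in shown:
            findings.append(f"image-map sends clicks to {real}, not to displayed host(s) {shown}")
    if p.images and p.areas:
        findings.append("message body is a remote image covered by a clickable map")
    return {"displayed_hosts": shown, "click_targets": targets, "findings": findings}


# Constructed sample modelled on the lesson's description, not the real e-mail;
# 192.0.2.1 is a documentation address, hex-encoded here as %31%39%32%2E%30%2E%32%2E%31.
SAMPLE_EMAIL = """
<a href="http://www.nationwide.co.uk/">
<img src="http://192.0.2.1/mockup.gif" usemap="#m" border="0"></a>
<map name="m">
 <area shape="rect" coords="0,0,600,800" href="http://%31%39%32%2E%30%2E%32%2E%31/login">
</map>
"""

if __name__ == "__main__":
    for line in analyse(SAMPLE_EMAIL)["findings"]:
        print(line)
```

Running the script on a saved message source prints one line per red flag; a clean HTML newsletter, whose anchors and click targets agree, produces no findings.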
