How to catch a phish

I’ve received several phishing attempts, recently, this time masquerading as mail from Twitter. I thought I’d share how I recognized this as an attack. Many list members already know this stuff, but I thought I’d share since we still see folks responding to these kinds of attacks.

1. Unexpected

Before I even looked at the content of the message, I was suspicious because I don’t have any twitter stuff associated with my UVM email. I could have deleted the message then and, if I was using twitter, logged into my twitter account directly to see if something was going on.

But I wondered how the message was crafted, so I opened it with awareness.

2. False link

A false link is shows a web address in the message, but the link that is attached to it is different. Below, my mail program shows that the link will actually send me to pachitanglangbarcelona.com.

twitter-scam-ol

Thunderbird actually throws a warning about the suspicious nature of the message. Also, when I hover my mouse pointer over the link, the real address is displayed in the status bar on the bottom of the Window.

twitter-scam-tb

 

Webmail shows a warning, and my web browser displays the real link address at the bottom of the screen.

twitter-scam-wm

 

That’s enough for me to hear Admiral Ackbar in the back of my head.

3. Strange headers

If you look at the full header information, you can see some interesting details about the email message. Here are some of the headers from the message above:

Return-Path:
Received: from warthog.uvm.edu (warthog.uvm.edu [132.198.101.92])
    by penguin1.uvm.edu (8.13.7/8.13.7) with ESMTP id p2M6r9Qj004516
    for ; Tue, 22 Mar 2011 02:53:09 -0400
Received: from s15339449.onlinehome-server.info (s15339449.onlinehome-server.info [87.106.10.20])
    by warthog.uvm.edu (8.14.4/8.14.4) with SMTP id p2M6r7vT022753
    for ; Tue, 22 Mar 2011 02:53:08 -0400
Received: by mx005.twitter.com (Postfix, from userid 1181305386)
        id 026EA983D3C; Tue, 22 Mar 2011 07:24:17 +0000 (UTC)

X-Mailer: MIME-tools 5.427 (Entity 5.427)
From: "Twitter"
Subject: You have notifications pending
To: geoff.duke@uvm.edu

Looking at the Received: headers, we should see an entry for each email server that handled the message from origin to destination. I note that the first Received header (bottom one) is missing the from phrase that’s part of the others. So even though it says mx005.twitter.com, it’s a crudely forged entry, but makes for a good example.

Also, in the second (middle) Received header, I see that UVM’s server warthog actually got the message from a computer called s15339449.onlinehome-server.info. That’s not twitter. And what’s with the Return-Path address, hedrick@chipotle.com? More junk.

I hope this is helpful info. Here are a few links with more info:

http://en.wikipedia.org/wiki/Phishing

http://www.microsoft.com/security/online-privacy/phishing-scams.aspx

Let me know what you think.

Leave a Reply