I posted this to my website, if you prefer referencing a URL to forwarding
image-laden email.

 

http://www.uvm.edu/~gcd/2011/03/how-to-catch-a-phish/

 

--Geoff

 

From: Technology Discussion at UVM [mailto:[log in to unmask]] On
Behalf Of Geoffrey Duke
Sent: Wednesday, March 23, 2011 2:48 PM
To: [log in to unmask]
Subject: How to catch a phish

 

I've received several phishing attempts recently, this time masquerading as
mail from Twitter. I thought I'd share how I recognized this as an attack.
Many list members already know this stuff, but I thought I'd share since we
still see folks responding to these kinds of attacks.

 

1. Unexpected

 

Before I even looked at the content of the message, I was suspicious because
I don't have any twitter stuff associated with my UVM email. I could have
deleted the message then and, if I was using twitter, logged into my twitter
account directly to see if something was going on.

 

But I wondered how the message was crafted, so I opened it with awareness.

 

2. False link

 

A false link shows a web address in the message, but the link that is
attached to it is different. Below, my mail program shows that the link will
actually send me to pachitanglangbarcelona.com.


Thunderbird actually throws a warning about the suspicious nature of the
message. Also, when I hover my mouse pointer over the link, the real address
is displayed in the status bar on the bottom of the Window.


Webmail shows a warning, and my web browser displays the real link address
at the bottom of the screen.


That's enough for me to hear Admiral Ackbar <http://youtu.be/dddAi8FF3F4>
in the back of my head.

 

3. Strange headers

 

If you look at the full header information, you can see some interesting
details about the email message. Here are some of the headers from the
message above:

 

Return-Path: <[log in to unmask]>
Received: from warthog.uvm.edu (warthog.uvm.edu [132.198.101.92])
        by penguin1.uvm.edu (8.13.7/8.13.7) with ESMTP id p2M6r9Qj004516
        for <[log in to unmask]>; Tue, 22 Mar 2011 02:53:09 -0400
Received: from s15339449.onlinehome-server.info (s15339449.onlinehome-server.info [87.106.10.20])
        by warthog.uvm.edu (8.14.4/8.14.4) with SMTP id p2M6r7vT022753
        for <[log in to unmask]>; Tue, 22 Mar 2011 02:53:08 -0400
Received: by mx005.twitter.com (Postfix, from userid 1181305386)
        id 026EA983D3C; Tue, 22 Mar 2011 07:24:17 +0000 (UTC)
X-Mailer: MIME-tools 5.427 (Entity 5.427)
From: "Twitter" <[log in to unmask]>
Subject: You have notifications pending
To: [log in to unmask]

 

Looking at the Received: headers, we should see an entry for each email
server that handled the message from origin to destination. I note that the
first Received header (bottom one) is missing the from phrase that's part of
the others. So even though it says mx005.twitter.com, it's a crudely forged
entry, but makes for a good example.

 

Also, in the second (middle) Received header, I see that UVM's server
warthog actually got the message from a computer called
s15339449.onlinehome-server.info. That's not twitter. And what's with the
Return-Path address, [log in to unmask]? More junk.

 

I hope this is helpful info. Here are a few links with more info:

http://en.wikipedia.org/wiki/Phishing 

http://www.microsoft.com/security/online-privacy/phishing-scams.aspx 

 

--Geoff

 

Geoffrey Duke
802.656.1172 |  <http://www.uvm.edu/~gcd> Sr System Administrator |
<http://www.uvm.edu/ets> Enterprise Technology Services |
<http://www.uvm.edu/> University of Vermont
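The Received: chain walk in the forwarded message above, turned into a small checker. This is an added example, not Geoff's code: it parses the headers quoted in the post with Python's standard email module, walks the hops oldest-first, and reports a hop whose "by" host is not what the next server says it received from. It goes one step further than the post by also flagging a hop stamped later than the server that supposedly received from it.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the Received: headers quoted in the post, with the
# list archive's "[log in to unmask]" placeholders left in place.
RAW = """\
Received: from warthog.uvm.edu (warthog.uvm.edu [132.198.101.92])
 by penguin1.uvm.edu (8.13.7/8.13.7) with ESMTP id p2M6r9Qj004516
 for <[log in to unmask]>; Tue, 22 Mar 2011 02:53:09 -0400
Received: from s15339449.onlinehome-server.info (s15339449.onlinehome-server.info [87.106.10.20])
 by warthog.uvm.edu (8.14.4/8.14.4) with SMTP id p2M6r7vT022753
 for <[log in to unmask]>; Tue, 22 Mar 2011 02:53:08 -0400
Received: by mx005.twitter.com (Postfix, from userid 1181305386)
 id 026EA983D3C; Tue, 22 Mar 2011 07:24:17 +0000 (UTC)

"""

def parse_hops(raw):
    """Return the Received: hops oldest-first, each as {'from', 'by', 'when'}."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        # Strip (comments) first: "(Postfix, from userid ...)" would otherwise match as a "from <host>" clause.
        unfolded = re.sub(r"\([^)]*\)", "", " ".join(value.split()))
        clause, _, stamp = unfolded.partition(";")
        hop = {}
        for key in ("from", "by"):
            m = re.search(rf"\b{key}\s+(\S+)", clause)
            hop[key] = m.group(1).lower() if m else None
        hop["when"] = parsedate_to_datetime(stamp.strip()) if stamp.strip() else None
        hops.append(hop)
    return hops

def audit_chain(hops):
    """Flag hops the next server does not corroborate: each hop's 'by' host
    should be the next hop's 'from' host, and time should not run backwards."""
    findings = []
    for i, hop in enumerate(hops):
        if hop["from"] is None:
            findings.append(f"hop {i}: no 'from' clause, only 'by {hop['by']}'")
        if i + 1 < len(hops):
            nxt = hops[i + 1]
            if hop["by"] != nxt["from"]:
                findings.append(f"hop {i}: 'by {hop['by']}' but hop {i + 1} got it from {nxt['from']}")
            if hop["when"] and nxt["when"] and hop["when"] > nxt["when"]:
                findings.append(f"hop {i}: stamped later than hop {i + 1}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_chain(parse_hops(RAW))))
```

On the sample every finding lands on hop 0, the mx005.twitter.com entry: no "from" clause, the next server received from s15339449.onlinehome-server.info instead, and its 07:24 UTC stamp is half an hour after warthog logged the delivery.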