Phishing E-mails

Posted on Monday 5 June 2006

My previous post on the pharming scam attempt on one of the more popular sailing on-line forums led me to write about another common way to get ripped off. One common phishing technique used by today’s criminals is the faked e-mail. Here is a good example of one, posted as a JPG image.

A typical phishing e-mail.

Things to look for:

1) Make sure that if you do have a PayPal, e-Bay, Bank of XYZ account, that it is indeed addressed to the right e-mail address. In this case, the e-mail is addressed to the contact e-mail address off of my website and blog, and one I don’t use for anything else. I also don’t have a PayPal account, so the threat of my account showing unusual activity amuses me.

2) Check the raw e-mail source for some information. I’ve posted a slightly redacted image of the raw text of the example shown above.

The slightly redacted raw text of the phishing e-mail from above.

3) Look to see what IP address and host it was received from. In this case the host is Ip116.43.ToryVal.abac.ro and the IP address is 84.247.43.116. A quick check with RIPE.net shows that the IP address is registered to a Romanian named Brinduse Alin. Any time there is a geographic mismatch between the location of the server, as seen by its IP address, and the location the server claims to be in, a warning flag should go off for you. In my previous post, the servers were located in Hoboken, NJ, even though the website should have been in New Zealand.

The WHOIS Lookup for the IP address of the sender.

4) You can see that the message was received from an IP address of 228.220.142.228. This is a strange address as it is currently reserved under RFC 3171. HMM…

The strange second receiver IP Address, which is not supposed to be in use.

5) Check the e-mail raw source to see what e-mail client was used. The e-mail client is listed as Eudora, a strange choice for the corporate environment of PayPal.

6) Check the raw source for any links that show up in the e-mail. In this case, the e-mail has a link to:

http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/accounts-outside

However, if you look at the raw e-mail source, it shows the link actually goes to:

http://adsl-068-016-246-172.sip.bct.bellsouth.net:81/paypal/
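The header and link checks from steps 3, 4 and 6 can be scripted against the raw e-mail source. This is an added example, not code from the original post; it runs on a constructed message that reuses the post's Received hosts, IP addresses and the two URLs, with the From line, dates and body text made up, and it only flags addresses that could never be a real sending host (it does not do the WHOIS/geography check).

```python
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlsplit

# Constructed sample modelled on the post's example: the Received hosts/IPs and the two URLs are
# the ones the post quotes; the From line, dates and body text are made up for this sample.
RAW = b"""Received: from Ip116.43.ToryVal.abac.ro (Ip116.43.ToryVal.abac.ro [84.247.43.116]) by mx.example.invalid; Mon, 5 Jun 2006 10:00:00 -0400
Received: from paypal.com ([228.220.142.228]) by Ip116.43.ToryVal.abac.ro; Mon, 5 Jun 2006 09:59:00 -0400
From: "PayPal" <service@paypal.example>
X-Mailer: Eudora
Content-Type: text/html

<p>Please log in: <a href="http://adsl-068-016-246-172.sip.bct.bellsouth.net:81/paypal/">http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/accounts-outside</a></p>
"""
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def received_ips(msg):
    """IPv4 addresses found in each Received header, most recent hop first."""
    return [ip for hdr in msg.get_all("Received", []) for ip in IPV4.findall(hdr)]

def flag_addresses(ips):
    """Map each address that can never be a real Internet sending host to a reason."""
    flags = {}
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if addr.is_multicast:  # 224.0.0.0/4, the range the post's RFC 3171 remark refers to
            flags[ip] = "multicast"
        elif addr.is_private or addr.is_reserved:
            flags[ip] = "non-routable"
    return flags

def link_mismatches(html):
    """(displayed URL, real href) pairs whose hostnames differ; plain-text labels are skipped."""
    out = []
    for href, text in ANCHOR.findall(html):
        shown = urlsplit(text.strip()).hostname
        if shown and shown != urlsplit(href).hostname:
            out.append((text.strip(), href))
    return out

def analyze(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    ips = received_ips(msg)
    return {"hops": ips, "bad_hops": flag_addresses(ips),
            "mailer": msg.get("X-Mailer"), "spoofed_links": link_mismatches(msg.get_content())}
```

Calling `analyze(RAW)` on the sample flags 228.220.142.228 as a multicast address, reports the Eudora mailer, and pairs the displayed PayPal URL with the bellsouth.net address it really points to.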

A screenshot of the bogus PayPal page, as indicated in the raw source of the e-mail.

Which brings us to this very authentic-looking, but totally bogus PayPal page. Please note that there is no padlock to indicate it is a secure site, which is also a good indicator that it is totally bogus.

A screenshot of the real PayPal site. Note the padlock.

When in doubt, please contact the bank, website or financial institution directly. Don’t click on links in e-mail unless you can verify the source of the e-mail. Stay safe…and stay alert.


1 Comment for 'Phishing E-mails'

1. Zen
   June 5, 2006 | 6:52 pm

   good advice.
   my method is do not click on any links that have anything to do with your money or accounts. 1. Resend it back, 2. send a copy to customer service 3. type in the account site and check with customer service. say what’s up with this??? 🙂

   watch your back, watch your money, crooks are on their job, you should be too!
