
 
Email Fraud, or Phishing
Overview

Occasionally we receive emails that ask us to update account information and appear to come from trusted organizations such as PayPal, Ebay and CitiBank. The graphical display supported by email programs makes it hard for the unsuspecting recipient to distinguish a valid email from a fraud, and recent advances in this fraudulent activity can confuse even the savvy internet user. Fake and fraudulent emails can look exactly like they come from your bank, so please beware. A few new techniques were observed in early May 2004, warranting the following detail.

Many of you are familiar with right-clicking or option clicking (Mac) on images to "save to disk." Much information, text and images, can be taken right from the internet in this manner. These fraudulent persons or organizations are taking the elements from PayPal, Ebay and other pages (or saving the entire page) and recreating an email that looks like it came from the trusted site. The steps that I took to investigate apparent fraud are listed in the "For the Technically Inclined" section below.

What is most alarming and NEW about the fraudulent Ebay email is that if you click on the link, it pastes an Ebay URL right over the URL you are actually visiting. It was offset on my PC enough that I could see it, but it was undetectable visually on my Mac. There was no lock symbol on the page, either. Even when I went into some other programs I already had open on my PC, this URL was pasted over everything else, so it really did not do a good job of hiding itself unless the viewer did not suspect anything and stayed on the one page it sent them to. When I closed their page it went away.

After a quick bit of research, I found an article that I recommend you read that will help you distinguish the fakes, at Antiphishing.org. The key points are looking for the lock symbol and closing your browser if in doubt. Keep in mind that the lock only tells you the connection is encrypted; also confirm that the address in the location bar is the exact domain you expect (for example https://www.paypal.com), because a fraudulent site can obtain a certificate for its own domain.

The moral of the story? Do not respond to inquiries for personal information without absolutely knowing that the requester is valid. I follow this same logic on the phone: if I can't see the name of the entity in my caller ID, they don't get my cooperation. In email it is trickier. The safest thing to do is to call the organization if in doubt, or to go to the login page that you know is valid and check the status of your account there. Calling the organization may also alert them to a scam. If you have given away information inadvertently, call the appropriate service immediately, change the password on that account, and consider cancelling the account.

When you need to access any of your on-line accounts, go to the web page that you know is real directly from your bookmarks or favorites. Make it a practice NOT to click on links in emails. If in doubt, it is far safer to type the address of the real site yourself, from memory or a bookmark, rather than the link in the email. Then you will get to the real page rather than the fraudulent page, and most likely see that your bank or service has not even requested an update.

See a related article on Domain Hijacking that builds upon some of this information.

 
For the Technically Inclined
Detail

The following are investigative steps that can be taken, with detailed narrative below from the PayPal and Ebay examples.

  • examine the "from" address (keeping in mind that it is trivially forged)
  • look at the full headers and review the spam tags to see where the email actually came from
  • view the source of the email to see the hidden link target "behind" the visible link text
  • check the domain names that turn up in a Whois lookup
  • look up the reverse DNS of the sending IP addresses (for example with DNS Stuff)
  • view the source of the web page the link leads to and check where its form actions post the data

Examining the "from" address does not tell us that the email is a fraud, because anyone can put any address in that field. The sender is requesting us to click on a link that takes us to a website page where we will update our account information. Therefore it doesn't matter to the fraudster if the "from" address is forged, because they are not looking for our response through email; the forgery only has to look convincing.

Spam filtering software will provide a few hints to the fraud. I have my email program set to always show me the spam tags. You can view "full headers" on individual emails or change your settings universally to show more information if you desire.

One of the "PayPal" emails had a reference to kupio.lunarpages.com seven times in the spam tags but did not flag the email as spam, apparently because kupio.lunarpages.com is a valid entity. The management at lunarpages must be irate that one of their customers or associates is using their service to generate fraud.

The other "PayPal" email was craftier because the spam filters noted in several places that it appeared to be sent from paypal.com. The spam tags also referenced several other domain names and noted that the email was coming from a foreign country. Although this email tried to look like paypal, it actually had a much higher spam weight of 17 and was flagged as possible spam.

Looking further into the bodies of the emails, each requested clicking on a link as noted. The first brought me to a bad link on a site called paypal-stuff.com, but with a few trial and error changes to the URL address, I did get to an actual page with a security certificate warning that it was not a trusted source. This amateur did not do a very effective job of trying to get your account information.

The link in the body of the other email brought me to a "paypal" page that looked authentic, however, it did not have a secure paypal URL, i.e. https://www.paypal.com. Interestingly, this email received on May 1st asked me to update my info by April 5th.

Since I am generally NOT a fan of clicking on ANY links in emails, the way I normally investigate is to "view source" in some manner such as from the top menu or right clicking or option clicking (Mac) in the body of the email. It takes some knowledge of html to read the source, but the link that does not match the visible words can be found in this manner. I copy and paste this into the browser to continue investigating.

Viewing the source of the target web pages will also generally show you that the form action (the address your login or account data is submitted to) points at a fraudulent domain or URL rather than the trusted site.
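The header, link and form checks above can be done on a saved copy of the message without visiting anything. The following script is an added example, not code from the original article; the raw email and landing page it examines are constructed samples (with RFC 5737 documentation addresses) rather than the PayPal and Ebay messages described here, and the Whois and reverse DNS steps are left out because they need network access. One caveat worth remembering while reading the Received chain: only the hop added by your own mail server is trustworthy, since a sender can forge the earlier Received lines just as easily as the From address.

```python
"""Offline triage of a suspected phishing e-mail: Received chain, spam-filter
tags, link text that disagrees with the real href, and form actions on the
landing page. Added example; the samples below are constructed, not real mail."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: forged From, a Received chain that never touches the
# claimed sender, a spam-filter tag, and a link whose text hides its target.
RAW_EMAIL = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.recipient.example (Postfix) with ESMTP id 123
Received: from relay.attacker.example ([198.51.100.7])
\tby mail.example.net with SMTP
From: "PayPal" <service@paypal.com>
To: victim@recipient.example
Subject: Please update your account
X-Spam-Status: Yes, score=17.0 required=5.0 tests=FORGED_PAYPAL,HTML_MESSAGE
Content-Type: text/html

<html><body>
<p>Click <a href="http://203.0.113.5/paypal/login.php">https://www.paypal.com/cgi-bin/webscr</a></p>
<p><a href="https://www.paypal.com/">PayPal Home</a></p>
</body></html>
"""

# Constructed landing page: looks like the real site but posts the login elsewhere.
LANDING_PAGE = """\
<form action="http://203.0.113.5/paypal/collect.php" method="post">
<input name="user"><input name="pass" type="password"></form>
<form action="https://www.paypal.com/search"></form>
"""


class _Extractor(HTMLParser):
    """Collect <a href> targets with their visible text, and <form action>s."""

    def __init__(self):
        super().__init__()
        self.anchors, self.forms, self._href, self._text = [], [], None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "form":
            self.forms.append(a.get("action", ""))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; a bare domain in link text gets a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def received_chain(raw):
    """Host named after 'from' in each Received: header, newest hop first.
    Only the hop written by your own server is trustworthy; earlier ones can be forged."""
    hops = []
    for h in message_from_string(raw).get_all("Received", []):
        m = re.match(r"from\s+(\S+)", h)
        if m:
            hops.append(m.group(1))
    return hops


def spam_score(raw):
    """Score reported in the filter's X-Spam-Status tag (SpamAssassin style), or None."""
    m = re.search(r"score=([\d.]+)", message_from_string(raw).get("X-Spam-Status", ""))
    return float(m.group(1)) if m else None


def forged_sender(raw):
    """True when the From: domain never appears in the Received chain (a hint, not proof)."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return bool(domain) and not any(h.lower().endswith(domain) for h in received_chain(raw))


def mismatched_links(raw):
    """Anchors whose visible text names a host other than the host the href really goes to."""
    p = _Extractor()
    p.feed(message_from_string(raw).get_payload())
    bad = []
    for href, text in p.anchors:
        shown = host_of(text) if re.search(r"[\w-]+\.\w+", text) else ""
        if shown and shown != host_of(href):
            bad.append((text, href))
    return bad


def foreign_form_actions(page_html, expected_host):
    """Form actions on the landing page that post anywhere but expected_host."""
    p = _Extractor()
    p.feed(page_html)
    return [a for a in p.forms if host_of(a) != expected_host.lower()]


if __name__ == "__main__":
    print("Received chain:", received_chain(RAW_EMAIL))
    print("Spam score:", spam_score(RAW_EMAIL))
    print("From domain absent from chain:", forged_sender(RAW_EMAIL))
    print("Links whose text lies about the target:", mismatched_links(RAW_EMAIL))
    print("Forms posting off-site:", foreign_form_actions(LANDING_PAGE, "www.paypal.com"))
```

Run it on a message you have saved as raw text (most mail programs offer "save as" or "view source") by replacing the constructed `RAW_EMAIL` and `LANDING_PAGE` strings. A link whose visible text reads like a PayPal address but whose `href` host is an IP address or an unrelated domain, and a login form whose action posts off-site, are exactly the tell-tale signs described above.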

I performed all of these steps on the Ebay email and found the same type of results: the address it leads you to is not Ebay, but the page looks like Ebay. The address is registered to someone in Romania. Even the email had the "Trust" certificate in the lower corner.

What is most alarming about this fraudulent Ebay email is that if you click on the link, it pastes an Ebay URL right over the URL you are actually visiting, as described in the overview above.



©1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005 Mad River Consulting (a.k.a. MadRiverDesign.com, MadRiverWeb.com). All rights reserved.

Based in the Mad River Valley
PO Box 877, Waitsfield, Vermont, 05673-0877 USA