SECURITY - Standard Phishing Attack Example


It’s called Phishing. I got this one in my MSN.com email account this morning. In a seminar recently a developer asked me for an example of how Phishing works, and I thought this was a good, typical example, so I’d blog it.

NOTICE: Never click on a link in an email unless you’re REALLY sure!


In my morning in-box I receive this email, sent to my MSN.com address, that appears to be an official-looking request from MSN Accounting.


But when I hover over the link the email wants me to click on, I see a problem!
The link goes to www.msn-club.com and NOT to www.MSN.com. The look-alike name is the first red flag: msn-club.com is a completely separate domain, not a part of msn.com.
Also notice the cid= argument. This argument identifies me (this particular recipient) to the Phishing host, so simply clicking would confirm that my address is live and that I read the mail. So I DON’T click on the link.
I don’t want the Phisher to know they even found me.
Instead, I open a new browser instance and enter www.msn-club.com into the Address Bar, with no cid= value, so I can look at the site without identifying myself.

A trick happens here that fools lots of web surfers. A new, small window opens containing the login box shown above.
At the same time the ORIGINAL browser window redirects to the REAL MSN.com, so the address bar you are most likely to glance at shows the genuine site, while the window asking for your password is the phisher’s.



If you right-click in the dialog box that asks for the MSN username and password and view Properties...
LOOK! The Properties dialog shows where that login form really lives. You’re about to send your username and password to a hacker’s site!



If we look at the WHOIS record for msn-club.com we see that it does NOT belong to Microsoft Corporation.
In fact, it was registered only FIVE DAYS ago. A brand-new registration for a domain that imitates an established brand is another strong sign of a phishing site.

NOTE: The name and contact info for the registrant have been modified here, and the attack has been reported to MSN. It is very possible that the name and contact info in the record are NOT real and were supplied by the REAL registrant to mask their identity.
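The checks the post walks through by hand (does the link really go to the brand’s domain, does the visible text disagree with the href, is there a recipient-tracking parameter, and where does the login form actually post to) can be automated. The script below is an added example written for this page; it is not code from the original post or from MSN. The email and landing-page HTML are constructed samples, the cid= value is made up, and the TRACKING_PARAMS list is an assumption about common recipient-ID parameter names. Nothing is fetched from the network.

```python
"""
Added example (not from the original post): apply the post's manual link
checks to a constructed phishing email and its constructed landing page.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample: an HTML email that claims to be from MSN Accounting but
# links to a look-alike domain and carries a per-recipient cid= parameter.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Dear MSN member, please verify your billing details.</p>
<a href="http://www.msn-club.com/verify.asp?cid=123456">http://www.msn.com/accounting</a>
<a href="http://www.msn.com/help">Help</a>
</body></html>
"""

# Constructed sample: the login box the pop-up window shows after the redirect trick.
SAMPLE_LANDING_HTML = """
<html><body>
<form method="post" action="http://www.msn-club.com/login.asp">
  <input name="username"> <input name="password" type="password">
</form>
</body></html>
"""

# Assumption: query-string names commonly used to identify the recipient.
TRACKING_PARAMS = {"cid", "uid", "id", "email", "e"}


class LinkAndFormExtractor(HTMLParser):
    """Collect (visible text, href) for every anchor and the action URL of every form."""

    def __init__(self):
        super().__init__()
        self.links = []   # list of (visible text, href)
        self.forms = []   # list of form action URLs
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href = attrs["href"]
            self._text = []
        elif tag == "form":
            self.forms.append(attrs.get("action", ""))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Lower-cased hostname of an absolute URL, or '' for anything else."""
    return (urlsplit(url).hostname or "").lower()


def same_site(host, brand_domain):
    """True only if host IS brand_domain or a subdomain of it.
    'www.msn-club.com' is not a subdomain of 'msn.com'; neither is 'msn.com.evil.example'."""
    return host == brand_domain or host.endswith("." + brand_domain)


def check_email(html, brand_domain):
    """Return one finding per link: its host, whether it is suspicious, and why."""
    p = LinkAndFormExtractor()
    p.feed(html)
    findings = []
    for text, href in p.links:
        host = host_of(href)
        reasons = []
        if not same_site(host, brand_domain):
            reasons.append("link host %s is not under %s" % (host, brand_domain))
        shown = host_of(text)   # only set when the visible text is itself a URL
        if shown and shown != host:
            reasons.append("visible text shows %s but href goes to %s" % (shown, host))
        tracking = sorted(k for k in parse_qs(urlsplit(href).query) if k.lower() in TRACKING_PARAMS)
        if tracking:
            reasons.append("recipient-tracking parameter(s): %s" % ", ".join(tracking))
        findings.append({"href": href, "host": host, "suspicious": bool(reasons), "reasons": reasons})
    return findings


def check_forms(html, brand_domain, page_host=""):
    """For each form, the host it would submit credentials to and whether that host is on-brand.
    A relative action posts back to the page's own host, so page_host is used in that case."""
    p = LinkAndFormExtractor()
    p.feed(html)
    return [(host_of(a) or page_host, same_site(host_of(a) or page_host, brand_domain)) for a in p.forms]


if __name__ == "__main__":
    for f in check_email(SAMPLE_EMAIL_HTML, "msn.com"):
        print("SUSPICIOUS" if f["suspicious"] else "ok        ", f["href"])
        for r in f["reasons"]:
            print("    -", r)
    for host, ok in check_forms(SAMPLE_LANDING_HTML, "msn.com", "www.msn-club.com"):
        print("form posts to", host, "(on-brand)" if ok else "(OFF-BRAND: credentials go to a third party)")
```

The suffix test in same_site is the important detail: a naive "contains msn.com" check would accept both www.msn-club.com-style look-alikes (with a slightly different pattern) and msn.com.evil.example, so the host must be exactly the brand domain or end in a dot followed by it.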

Comments (9)

  1. Another trick to point out here. After the page loads from the phisher’s site, they can use JavaScript to change the content in the address bar, so it looks like the address you were taken to was http://www.msn.com.

    A phisher can also use JS to modify what is displayed in the status bar, and use a link attribute to change what is displayed when you hover over the link.

    Unfortunately, Outlook does not even give us a status bar when viewing a message, and also does not display links when you hover over them, which is a nice feature of the web-based mail you feature here.

    Also, why didn’t you report the phony registration to Yahoo and the host?

  2. RGab says:

    Well, if you modified the names of the registrant and you think he masked his identity, you might have ended up with his REAL name 😉

    Btw, nice post, hope a lot of people read it!

  3. My practice is to request as many newsletters, etc. to be sent in plain text. In doing so, I immediately know that the HTML ones are junk. The tricks used in HTML e-mail do not work in plain text e-mail, even if your e-mail client linkifies URLs.

    Plain text also has the advantage of not possibly indicating receipt through tracking URLs to images, reduced sizes, and much more.

  4. Rob Mello says:

    Outlook should have a security feature you can enable – which will present a confirmation dialog showing the actual URL – and warning you if it does not match the domain in the ‘from’ field when you click on a link.

  5. Mark Metzger says:

    so what happens if I clicked on it?

  6. Hey Mark,

    If you click on the link it opens a window as shown in the 3rd image and redirects the original browser to the REAL msn.com.

    If you "buy" this Phishing attack and enter your userid and password, then you just gave your login credentials to the hacker. With them, the hacker can steal your account information, and your identity.

    -Joe

  7. Mike says:

    For some added protection you could use toolbar technology. EarthLink introduced a (FREE to the public) toolbar that prevents users from going to known phisher sites about a year ago. It was only as good as the "block list", but they maintain a very comprehensive list and update it in near real time. About 6 months ago, they added the ability to scan web page elements (for pages not on the block list) and determine a "phishy-ness"; they also added the ability to see where the site is hosted, etc. I believe there are some other toolbars out now, but I’m most familiar with EarthLink. EarthLink has also produced a "Protection Blog" that talks about Phishing, Fraud, Spam, Spyware and many other internet threats.

    http://www.earthlink.net/home/software/toolbar/

    http://www.protectionblog.net/

  8. Great post Joe.

    For the somewhat more technical folks among us (ha!), here’s what I do to avoid potential issues.

    I use the Internet Explorer zones settings quite extensively. Sites I visit that require JavaScript, ActiveX, etc. are put in my Trusted Sites zone (which has a custom security level, slightly tighter than the default). Sites such as microsoft.com, dell.com and blogs.msdn.com go there.

    My Internet zone has JavaScript, Java, ActiveX, etc. disabled (even posting unsecured form content raises a confirmation dialog).

    I also use the Restricted Sites zone for sites that deliver unwanted content. Sites include doubleclick.net (and Slashdot ;o))

    How does this help me prevent phishing attacks? (first of all, I don’t click on the links in e-mail messages, I’d rather type the URL myself…) But if I would, I would notice that that site is not in my Trusted Sites zone because its features won’t work.

    Of course, it requires some management to add sites to the Trusted Sites zone, but once you have that setup, it’s not too much of a hassle (in the end, I mostly browse the same sites anyway).

    HTH,

    Sven.

  9. JON SMITH says:

    I THANK YOU FOR EDUCATING ME ON THE BOGUS MSN.COM SENT TO ME REQUESTING MY IDENTITY. I WILL INFORM AS MANY PEOPLE AS POSSIBLE. GOOD JOB.