Somethin’ Phishy


Over the past couple of days, I’ve received some e-mail messages purporting to be from PayPal. Each message claims that I’ve added an e-mail address (a different e-mail address in each message) to my account, and gives a link that I can follow to verify that I did, indeed, add the given e-mail address.

Being inherently suspicious, I checked out the link without following it. The first hint of suspicion is that the underlying href for the link doesn’t point to PayPal’s web site. Rather, it points to a numerical IP address (e.g. 210.103.173.130).

So, I fired up ARIN’s Whois database and entered that IP address. Turns out that the enclosing range of IP addresses (210.0.0.0 through 211.255.255.255) is administered by the Asia Pacific Network Information Centre (APNIC). PayPal’s web addresses (which begin with 64.4) are administered by Network Solutions in California. Moreover, ARIN’s record for the block says only that this range isn’t registered in the ARIN database and refers you to APNIC’s Whois.

Lastly, I headed over to the PayPal web site, logged in, and checked my profile. No new e-mail addresses; just mine.

So, it looks like someone’s phishing for PayPal account login credentials: the links lead to a bogus web site that looks like PayPal’s yet isn’t, and anyone who logs in there hands a username and password straight to the phisher.

All of this reminds me of a problem with security on Mac OS X. Just like web sites, dialog boxes can be spoofed. This includes the dialog box that prompts for an administrator’s password when you install new software. While no one has, to the best of my knowledge, exploited this weakness, it’s possible for someone to implement an installer that looks exactly like the standard installer yet squirrels away your administrator credentials. One way or another, convenience always compromises security.

For those of you who are paranoid like me, there’s a two-stage workaround for this vulnerability. The first stage is to never run your regular account as an administrator. If you are running as administrator, then follow these steps:

  1. Open the Accounts control panel;
  2. If your current account is the only administrator, then create a new account, and grant it administrative privileges by checking “Allow user to administer this computer” on the “Security” tab;
  3. For your account, uncheck “Allow user to administer this computer” on the “Security” tab;

The second stage is to think up a separate password for the administrator’s account to be used during software installs. Then, before you install a new piece of software, switch to the administrator’s account and change the password to your “install” password. Then install the software. After the installation completes, switch back to the administrator’s account and change the password back to the day-to-day password. That way, even if someone implements some kind of spoof, the password it harvests won’t work. Bear in mind what this does and doesn’t buy you: it defeats a fake prompt that merely harvests the password, but anything you genuinely authorize to run as an administrator runs with full privileges, and it can leave behind components that keep root access no matter how you change the password afterwards.

Now, you certainly don’t have to be as paranoid as me, but, should someone ever come up with an installer spoof, I won’t have to say, “I told you so.”

Rick

Currently playing in iTunes: Dance Sister Dance by Santana

Update: Since posting this, I’ve received another phishing message regarding PayPal. This one said:

We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address and we have reasons to belive that your account was hijacked by a third party without your authorization. If you recently accessed your account while traveling, the unusual log in attempts may have been initiated by you.

This one, too, had a link where I could “correct” matters, but the link contained another suspicious IP address (though not the same as the one above). Note, also, the language of the above paragraph: it says nothing about whether or not the attempts were successful.

This is about as sleazy as it gets.

Comments (8)

  1. Joku says:

    The one thing I’d love the Outlook people to implement is that, suppose you get a mail like that and it has one of those fishy addresses:

    1st and most common spoof method I see on what gets through Outlook spam filters:

    http://www.microsoft.com/login <123.123.123.123/***.xyz>

    And real email from microsoft likely has:

    http://www.microsoft.com/login <www.microsoft.com/login>

    OR

    Login here <www.microsoft.com/login>

    I just get a TON of spoof where the 1st method is used. It is just mind blowingly easy to have some code that looks for:

    link: REAL URL<FAKE URL>

    and marks these as spam.

    link: REAL URL<SAME AS REAL URL>

    and

    link: Sometext, but not a valid URL (analyze) <REAL URL>

    would not be marked as spam.

    That would like kill 99% of the spoof mails I get. And I still do not see it implemented.. Is there a problem I do not see or are the Outlook guys just plain not-thinking and looking for patterns here?

  2. jbelkin says:

    The paypal ones are pretty convincing … though if you just roll over the url they ask you to click, everyone should know that by looking at that url, it’s clearly not http://www.paypal.com.

    But I can see where most people might just quickly hover and click.

    I also don’t understand how more people aren’t arrested for that – if I call you up & ask for your checking account – I can be arrested, not exactly sure why doing it electronically is different …

  3. Bob Maguire says:

    I received two of these last night.

    We regret to inform you that your paypal account could be suspended if you don’t resolve your billing issues. If your billing is not updated your account will be put on hold.

    If a hold should be placed on your account,you are prohibited from using Paypal in any way. until billing is updated. This includes registration of a new account. Please note that if your account is suspended any funds you have in your paypal account will be put on hold till this issue is resolved.

    Please click on link below to update info:

    http://203.162.1.205/support/support.asp

    Best regards,
    Safeharbor Department Paypal Inc.
    The Paypal Team.

    You guessed it. 202.0.0.0 – 203.255.255.255 are allocated to Asia Pacific Network Information Centre, but not registered with ARIN.

  4. John Konopka says:

    This spoof could work but first you would get the dialog from the OS asking for a password then you would get a dialog from the application asking for a password. I can see if I were a little distracted not being sure whether I had already entered the password or not.

    Rather than switching the passwords back and forth you could just change the admin password each time you use it for an install.

  5. Chucky says:

    “That way, even if someone implements some kind of spoof, the password it harvests won’t work.”

    The solution you have provided can be easily defeated.

    Once you give an app your admin password, it can place components where they will receive root access in the future even if you change your admin password.

    The one and only solution is to not give your admin password to any app that you do not trust.

  6. Will Parker says:

    I got something similar recently purporting to be from EBay. Although I didn’t bother to keep the precise details, the technical MO was quite similar. My bet is that the perps decided that they could easily use the same scam for Ebay and PayPal.

    BTW, the address for reporting phishing attacks for EBay is spoof@ebay.com.

  7. Chris says:

    We had an interesting phish a week back – the URL displayed when you hovered over the image in the HTML email pointed at the real web site, but the image had a client-side image map which had a URL which went to the phisher’s web site!

    Very cunning!

  8. This particular phishing scam is, alas, far from something new. I wrote an article for TidBITS about it almost two years ago, and the essential technique has not changed, even as the scammers have gotten better at avoiding misspellings:

    http://db.tidbits.com/getbits.acgi?tbart=07294

    http://www.penmachine.com/paypalscam/

    Note that in that case, the linked URL even began with http://www.paypal.com in the source code — but isn’t really a paypal.com URL at all. Sneaky.
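The checks made by hand in the post (a numeric IP where PayPal’s host name should be) and proposed or described in the comments (Joku’s rule that visible link text naming one host while the href goes to another is spam; the userinfo trick behind the “http://www.paypal.com@…” links in the last comment; Chris’s client-side image map whose hover preview shows the real site) can all be run mechanically over the HTML of a message. The following is an added example, not code from the post or any commenter. The sample message is constructed here, modelled on the lures quoted on this page and using RFC 5737 documentation addresses rather than the addresses from the post; EXPECTED_HOSTS is an assumption about which hosts a genuine PayPal mail would link to, and only the image-map check depends on it. The whois step from the post is not reproduced, since it needs the network.

```python
"""Flag the link tricks described on this page in an HTML e-mail.

Added example.  Checks: href host is a bare IP; link text is a URL naming a
different host than the href; userinfo ("user@") in front of the real host;
<area> in an image map that sends clicks off the expected site.
"""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit

# Assumption: hosts a genuine PayPal mail would link to (image-map check only).
EXPECTED_HOSTS = {"www.paypal.com", "paypal.com"}

# Constructed sample modelled on the lures quoted on this page.  The numeric
# hosts are RFC 5737 documentation addresses, not the ones from the post.
SAMPLE_MAIL = """
<p>Please <a href="http://203.0.113.7/support/support.asp">click here</a> to update info.</p>
<p><a href="http://198.51.100.9/verify">http://www.paypal.com/cgi-bin/webscr</a></p>
<p><a href="http://www.paypal.com@203.0.113.7/login">http://www.paypal.com/login</a></p>
<p><a href="http://www.paypal.com/"><img src="cid:logo" usemap="#m"></a>
<map name="m"><area shape="rect" coords="0,0,200,50" href="http://203.0.113.7/"></map></p>
<p><a href="http://www.paypal.com/help">PayPal Help</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (tag, href, visible text) for every <a> and <area> with an href."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None  # [href, text chunks] of the <a> currently open

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if href is None:
            return
        if tag == "a":
            self._open = [href, []]
        elif tag == "area":  # void element: no text, no end tag
            self.links.append(("area", href, ""))

    def handle_data(self, data):
        if self._open is not None:
            self._open[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            href, chunks = self._open
            self.links.append(("a", href, "".join(chunks).strip()))
            self._open = None


def _with_scheme(url):
    # Link text often reads "www.example.com/x"; give it a scheme so it parses.
    return url if "://" in url else "http://" + url


def host_of(url):
    """The host a browser would actually connect to (lower-cased), or None."""
    return (urlsplit(_with_scheme(url)).hostname or "").lower() or None


def is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def looks_like_url(text):
    """True when a reader would take the visible text for an address."""
    return text.strip().lower().startswith(("http://", "https://", "www."))


def audit_link(tag, href, text):
    """Return the reasons this link is suspicious (empty list if none)."""
    reasons = []
    host = host_of(href)
    if host is None:
        return reasons
    netloc = urlsplit(_with_scheme(href)).netloc
    if "@" in netloc:  # everything before the last '@' is userinfo, not the host
        reasons.append("userinfo %r is not the host; request goes to %s"
                       % (netloc.rsplit("@", 1)[0], host))
    if is_ip(host):
        reasons.append("href points at a bare IP address %s" % host)
    if looks_like_url(text) and host_of(text) != host:
        reasons.append("text names %s but href goes to %s" % (host_of(text), host))
    if tag == "area" and host not in EXPECTED_HOSTS:
        reasons.append("image-map area sends clicks to %s" % host)
    return reasons


def audit_html(html):
    """Return [(href, reasons)] for every flagged link, in document order."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return [(href, r) for tag, href, text in parser.links
            if (r := audit_link(tag, href, text))]


if __name__ == "__main__":
    for href, reasons in audit_html(SAMPLE_MAIL):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Of the six links in the sample, the two that point at www.paypal.com with non-URL text pass; the other four are flagged, the userinfo link for three separate reasons. The host comparison deliberately uses the parsed hostname rather than a string prefix, which is exactly why a link whose source code begins with http://www.paypal.com@ is still caught.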