Phishing attacks have become a common method of stealing personal identification information such as bank account numbers and passwords, and they are among the fastest-growing forms of fraud on the Internet.
I recently received a scam email from a well-known airline. It claimed that I had bought an air ticket from their website and that my credit card had been charged for the amount. The message also provided the login username and password and attached an e-ticket receipt for my records.
I know it is a fake phishing email and the attachment might contain a virus, a worm or something else that will harm my computer or steal my information. I believe many of you have also received this kind of fraudulent email message. It is a common Internet confidence scam, and the increasing number of email scams has become a mental challenge when filtering unnecessary email out of our mailbox, with the worry that we will one day accidentally open an email containing the "Boom".
Phishing email creators use psychological tricks to get people to open their mail: an attractive subject line, a sender that looks real and trustworthy (admin, support, a person's name), and a message that makes you feel either desire or denial. In the airline example above, if my first reaction is "I didn't buy that" and I open the receipt to check whether the details are mine, I have already fallen into the trap.
There are more ways to run the scam. Some install spyware, a worm or a virus on your computer; others ask you to click a link in the message that leads to a website asking you to enter your P&C information. Either way the purpose is the same: to steal your information, whether by malware resident on your computer or by you typing it into a web page.
I once took part in a spam research study; the result was that 3 out of 10 people fell into the spam trap. Below is the whole process:
Note: The names, companies and websites used here are just examples.
A smart phishing email creator knows how to protect himself or herself and clean up the trail:
1. Register two PayPal accounts: one with fake information and one with real information that carries your credit card details.
2. Register two eBay accounts: account (A) tied to the real PayPal account and account (B) tied to the fake PayPal account.
3. Account (B) lists a product on eBay and account (A) wins the auction, so the money moves from account (A) (real PayPal) to account (B) (fake PayPal). The amount only needs to cover a domain name and one month of web hosting.
4. Close/terminate the real PayPal account.
5. Use the money in the fake PayPal account to register the domain name and web hosting. Many providers in developing countries and in parts of Europe offer hosting with no restrictions; many criminal groups host their sites in Europe / Russia to avoid being tracked, banned or suspended by their own government.
The above is basically a small money-laundering chain whose purpose is to cut the trail back to the creator, using Internet services that sit beyond any one government's reach. (In practice it is weaker than it looks: payment processors, auction sites and registrars keep records and respond to law-enforcement requests, so the trail is thinned rather than erased.)
Creating a website that the victim knows:
Well-known Malaysian e-commerce and banking sites are the easy targets: Maybank2u.com, AirAsia.com, kwsp.gov.my and so on. For our example we take Maybank2u.com: nearly 30% of Malaysians have an account with Maybank, and those who do have usually activated online banking.
Here is how a fake Maybank2u site can be created:
1. Register a domain name that "looks" like Maybank2u.com, or one that is a deliberate typo of it. For example: Mayban2u.com, Moybank2u.com, Maybak2u.com, Maybank2u.de, Maybank2u.asia, Maybank2uu.com or anything similar.
2. Copy the Maybank2u.com website layout and duplicate it on the fake site. We will use "Mayban2u.com" as the fake site in this example.
3. Serve the login page on "Mayban2u.com" at a URL such as http://www.mayban2u.com/mbb/scripts/mbb_login.jsp?do=Login. It looks like the real login URL, and the extra path text draws the eye away from the domain name, so people visually overlook it.
4. Behind that page, run a web application that captures the username and password when the user enters them, records them, and then forwards the user to the real Maybank2u.com login page. (At this point the phisher has already achieved the objective; the account holder just thinks the Maybank2u.com page did not work the first time and logs in again.)
Steps 2 to 4 require a little web programming skill.
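To see how many names a single brand produces under the typo classes listed in step 1, here is an added example (not code from the original post) that enumerates them for a brand domain, so that the real owner can register the worst of them and watch DNS or certificate feeds for the rest. The brand domain passed in and the list of TLDs to watch are assumptions for this example.

```python
"""Added example (not from the original post): enumerate the look-alike names a
phisher could register for a brand, grouped by the typo classes listed above.
The brand domain and the TLDs to watch are assumptions for this example."""
import string

WATCH_TLDS = ("com", "net", "de", "asia", "my")   # assumed: TLDs worth monitoring


def lookalikes(domain, tlds=WATCH_TLDS):
    """Return sorted candidate names: one-character omissions, substitutions,
    doublings and transpositions of the second-level label, on every watched
    TLD, plus the unchanged label on every TLD other than the real one."""
    sld, _, tld = domain.lower().partition(".")
    names = set()
    for i, ch in enumerate(sld):
        names.add(sld[:i] + sld[i + 1:])              # omission:     mayban2u
        names.add(sld[:i] + ch + sld[i:])             # doubling:     maybank2uu
        for c in string.ascii_lowercase + string.digits:
            if c != ch:
                names.add(sld[:i] + c + sld[i + 1:])  # substitution: moybank2u
    for i in range(len(sld) - 1):
        names.add(sld[:i] + sld[i + 1] + sld[i] + sld[i + 2:])  # transposition
    names.discard(sld)                                # the real label is not a look-alike
    out = {f"{n}.{t}" for n in names for t in tlds}
    out |= {f"{sld}.{t}" for t in tlds if t != tld}   # TLD swap: maybank2u.de
    return sorted(out)
```

For a nine-character label this yields well over a thousand candidates, which is why nobody registers them all; the usual practice is to register the handful that read most naturally and monitor the rest.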
Preparing and sending the phishing email to anyone.
1. Design a corporate, professional-looking email newsletter with the real logo. Put the fake link from above into the newsletter and mask it with the real URL: the visible link text shows the genuine address, but clicking it takes you somewhere else. Of course, the newsletter is not written in an "I want your username and password" style; it must make the recipient feel either desire or denial, which is the psychological technique. A sample:
—————– Begin of sample: fake phishing email —————–
Dear Valued Customers,
Thank you for being a Maybank2u.com account user. We would like to inform you that your online account will be deactivated in 3 days (31st October 2008) for the following reason:
Status code: MI109947463-3
Description: Inactive account – 3 months.
Please note that you will need to manually re-activate your online account through Maybank2u.com's Customer Account Control Panel (login required) BEFORE the deactivation date.
Please ignore this notification if you do not wish to continue using the online account.
For enquiries, please contact our customer care centre.
Thank you.
Regards,
Customer Care Dept
Maybank Berhad
Address: bla blabla
Email:customercare@maybank2u.com
Website: www.maybank2u.com
Call centre hotline: blablabla
Fax: blablabla
—————– End of sample: fake phishing email —————–
The text "Customer Account Control Panel (login required)" is the link to the fake URL. When the user clicks it, it leads to a page that looks exactly like the Maybank2u.com page.
2. Write an attractive subject line that makes the recipient want to know more. For example: "Maybank2u.com – Deactivate Account Notification" or "Important Notice: Your Maybank2u.com account will be deactivated".
3. Send the email under a common sender name; you can set this in your web hosting's email account configuration. For example: "Customer Care", the company name, "Support", "Admin", "Billing"... The From: header is plain text chosen by the sender, which is why a familiar display name proves nothing about who actually sent the message.
4. That's it. The last question is who to send it to, and phishing email creators already have thousands or even millions of email addresses on hand (our junk mail folders show how many of them already have ours).
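The sample mail above combines three things a mail filter can check mechanically: a From: display name that borrows the brand while the address does not, a link whose host is a look-alike of the brand domain, and link text that shows one address while the href goes to another. The following added example (not code from the original post) implements those three checks over two constructed messages; the protected-brand list, the edit-distance threshold and both sample messages are assumptions for this example.

```python
"""Added example (not from the original post): heuristics that flag the three
tricks in the sample mail above.  Brand list and both messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

PROTECTED = ("maybank2u.com",)   # assumed: brands we defend, normally loaded from config
LOOKALIKE_MAX_EDITS = 2          # heuristic; short brand names need a lower value
URL_LIKE = re.compile(r"(https?://)?(www\.)?[\w-]+(\.[\w-]+)+(/\S*)?")


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels (www.mayban2u.com -> mayban2u.com).  Deliberately naive:
    no public-suffix list, so names under .com.my would need more work."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance by the usual dynamic-programming recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Brand that `host` imitates, or None.  The brand's own subdomains never
    count; a swapped TLD (maybank2u.de) or a few edits (mayban2u) do."""
    dom = registrable_domain(host)
    if dom in PROTECTED:
        return None
    for brand in PROTECTED:
        if edit_distance(dom.split(".")[0], brand.split(".")[0]) <= LOOKALIKE_MAX_EDITS:
            return brand
    return None


def analyse(raw_message):
    """Return a list of (code, detail) findings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    # 1. Display name borrows the brand, but the address is on another domain.
    name, addr = parseaddr(msg.get("From", ""))
    sender_dom = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    for brand in PROTECTED:
        if brand.split(".")[0] in name.lower() and sender_dom != brand:
            findings.append(("sender-name-mismatch", f"{name!r} sent from {sender_dom}"))
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html += part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    parser = _Anchors()
    parser.feed(html)
    for href, text in parser.links:
        href_host = (urlparse(href).hostname or "").lower()
        # 2. Link target is a look-alike of a brand we protect.
        brand = lookalike_of(href_host)
        if brand:
            findings.append(("lookalike-domain", f"{href_host} imitates {brand}"))
        # 3. Visible text reads as an address but names a different site than the href.
        if URL_LIKE.fullmatch(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable_domain(shown) != registrable_domain(href_host):
                findings.append(("link-text-mismatch", f"shows {text}, goes to {href_host}"))
    return findings


# Constructed sample messages, not real mail.
SAMPLE_PHISH = """From: "Maybank2u Customer Care" <customercare@mayban2u.com>
Subject: Important Notice: Your Maybank2u.com account will be deactivated
Content-Type: text/html; charset=utf-8

<p>Please re-activate your account through the
<a href="http://www.mayban2u.com/mbb/scripts/mbb_login.jsp?do=Login">Customer
Account Control Panel</a> (login required) before the deactivation date.</p>
<p>Website: <a href="http://www.mayban2u.com/">www.maybank2u.com</a></p>
"""
SAMPLE_LEGIT = """From: "Maybank2u Customer Care" <customercare@maybank2u.com>
Subject: Your monthly statement
Content-Type: text/html; charset=utf-8

<p>Log in at <a href="https://www.maybank2u.com/">www.maybank2u.com</a>.</p>
"""
```

Running `analyse(SAMPLE_PHISH)` reports the forged display name, two look-alike link targets and the masked "www.maybank2u.com" link, while the legitimate message produces no findings. The registrable-domain helper takes the last two labels, which is enough for the .com/.de/.asia names in the text; for names under a public suffix such as .com.my, use a public-suffix list instead. An edit-distance threshold of 2 is generous for a nine-character brand and needs tuning for short names.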
Is Phishing Illegal?
Yes and no, at least as the argument used to go. There is no crime in asking you to volunteer information, and it is not a crime to send you an important-looking message. Using a copyrighted or trademarked logo (which is easy to copy) to make the message look authentic is an infringement, but that is an offence against the owner of the logo, not against you. Identity theft is illegal, but on this reasoning no crime is committed until the thief actually uses the information you unwittingly provide. That reasoning does not hold up in most jurisdictions: impersonating a bank to obtain login credentials is prosecutable as attempted fraud or under computer-crime statutes whether or not the credentials are ever used. The real problem is not that phishing is legal but that the people behind it are hard to identify and catch; if they were easy to catch, phishing would not be a problem.
Phishing, Identity Theft and Bank Fraud Detection – Netcraft Toolbar
To protect your savings from phishing attacks, there is a freeware 'Netcraft Toolbar' available for download at http://toolbar.netcraft.com/. It is something like the Google Toolbar / Yahoo Toolbar and integrates with your web browser once installed. I am using this tool to gather information about the websites I visit, lower the risk, browse safely and check reported phishing attacks (and help defend the Internet community from fraudsters).
Besides the Netcraft Toolbar, you can also subscribe to their Netcraft Phishing Site Feed (RSS). More: http://news.netcraft.com/phishing-site-feed
Tips on Phishing
Know your senders
- Is this someone I do business with?
- Is this something I was told I’d receive?
- Look for other ways to respond
Stay on guard
- Look for clues – improve your PhishingIQ
- Don’t be afraid to ask
- Know how your system is updated
- Protect your system
- Check your records
Disclaimer: The name/company/website used above is for an example. It is not a real case.