Learn to detect phishing scams
Written by zhaotingting
February 21, 2008 11:07
Reputable firms such as eBay and PayPal have been besieged by email scammers attempting to pilfer valuable credit card details from unsuspecting customers. These emails are often quite well done and look very authentic. However, a seasoned eye can quickly ferret out the truth. Those less savvy may want to follow a simple bit of advice: never follow a link in email unless you absolutely trust the sender. If you'd like to move from unsavvy to seasoned, here's how to ferret out malformed link scams.

Understanding HTML links
HTML is the programming language that tells a browser how to render a web page. You can use HTML in email and many people do. However, doing so makes it very easy for links in email to appear to point to one site, when in fact they point to another.

Links in HTML are created by a special tag. There are two components to the tag: the real link (i.e. the target) and the displayed text for that link. For example, if I wanted to create a link to the homepage for this website, I would add the following to the HTML code:

<a href="http://antivirus.about.com">Antivirus.About.com</a>

which would then be displayed as Antivirus.About.com. In other words, the target link, http://antivirus.about.com, does not appear. Instead what is rendered is the display text provided: Antivirus.About.com.

Miscreants exploit this by providing bogus display text: they display what appears to be a link to a legitimate site, when all the while they are pointing at something different. Let's use this site's homepage as an example:

<a href="http://antivirus.about.com">http://www.ebay.com</a>

If you've followed me so far, you'll quickly realize that what would be displayed is http://www.ebay.com but the actual target is http://antivirus.about.com. Thus if you clicked the link, you would not go to the displayed ebay.com address, but instead would be directed to the antivirus.about.com target. In other words, with links in email (and on web pages), what you see is not always what you get.

What we've learned so far are just the basics needed to understand what these scammers are doing. Now we're going to learn how to detect what's really hiding behind the displayed link text.

Once again, let's use our faked eBay link as an example:

<a href="http://antivirus.about.com/">http://www.ebay.com</a>

Position your mouse over the "eBay" link shown above. Now, with the mouse still over the link, look in the bottom left corner of your browser. You should see the actual target link displayed there, as shown in the image below:

[image: browser status bar showing the target http://antivirus.about.com/]

If you weren't able to see the target link appear, make sure you have the status bar enabled. To do so, select View | Status bar from the Internet Explorer menu and try hovering over the link again. Alternatively, you can right-click the link and select Properties from the right-click menu. A display box will appear, showing the target address (URL) that the link text is referencing.

But wait! What you've learned so far are just the very basics. The folks behind these scams are far more sophisticated. They not only use fake display text, they munge the actual target link text so that it does seem to point to a valid site. How do they do this?

HTML can best be described as multi-lingual. That is to say, it will take commands in a number of "languages". Bad people exploit this ability. For example, let's look at the characters //. A normal URL might appear as http://www.uglyemail.com. But there's another way to render //: the browser will interpret %2F%2F as // when it finds them in a URL. Let's take a look at the following URL:

<a href="http://antivirus.about.com/gi/dynamic/offsite.htm?site=http://scgi.ebay.com%40%2531%2532%2537%252E%2530%252E%2530%252E%2530:%2534%2539%2530%2531">https://scgi.ebay.com/saw-cgi/eBayISAPI.dll?VerifyInformation</a>

I know. A lot to swallow, isn't it? But bear with me. The link example above would appear in an email (or on a website) as this:

https://scgi.ebay.com/saw-cgi/eBayISAPI.dll?VerifyInformation

Now hover your mouse over that link, or right-click it and choose Properties. You'll find that the virtually indecipherable href link is actually pointing to http://scgi.ebay.com@127.0.0.0:4901/. (I deliberately chose what's known as a loopback address for this example. If you click the link you'll simply get a "Page Cannot Be Found" error.) The creators of these scams will use this trick to point to a fake eBay or PayPal site.

And that brings us to the next part of the puzzle, why does the browser ignore the http://scgi.ebay.com in favor of the @127.0.0.0:4901/ portion of the address?

So we've got this mysterious address of http://scgi.ebay.com@127.0.0.0:4901/. To many it might seem as if it really does point to a legitimate ebay site. However, that's where something called DNS and IP addresses come into play. Let's use a phone number as an example.

If I wanted to call Betsy Smith but didn't have her phone number, I could either call directory assistance or look it up in the phone book. Using either method, I could determine her number was, for example, 555-1212. To call Betsy, I simply have to dial that number. DNS and IP are the equivalent of directory assistance and a phone number.

By adding @127.0.0.0:4901/ to the eBay address, the scammer is bypassing directory assistance (the DNS servers on the Internet) and telling the browser that http://scgi.ebay.com is found at 127.0.0.0. The 4901 is the port it is telling the browser to use. (Normal web connections are made through port 80. By telling the browser to use port 4901, the scammer is attempting to bypass firewall filters.)
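To make the two tricks covered above concrete (display text that names one site while the href points to another, and a percent-encoded user@host:port target hidden behind a redirect), here is an added Python example that is not part of the original article: it pulls the links out of an HTML email body, decodes the href the way a browser would, and reports links whose visible text names a host other than the one really connected to. The sample message body, the assumption that a site= query parameter is an offsite redirect, and all function names are my own constructions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample body (not a real message) using the link tricks the article shows.
SAMPLE_EMAIL = """
<p>Update your account at <a href="http://antivirus.about.com">http://www.ebay.com</a>.</p>
<p>Or <a href="http://antivirus.about.com/gi/dynamic/offsite.htm?site=http://scgi.ebay.com%40%2531%2532%2537%252E%2530%252E%2530%252E%2530:%2534%2539%2530%2531">https://scgi.ebay.com/saw-cgi/eBayISAPI.dll?VerifyInformation</a></p>
<p>Help: <a href="https://www.example.com/help">www.example.com</a></p>
"""

# Demo-grade anchor extraction (double-quoted href only); a real mail filter
# should walk the HTML with a proper parser instead of a regex.
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def fully_unquote(s):
    """Undo nested percent-encoding (%2531 -> %31 -> '1') until nothing changes."""
    decoded = unquote(s)
    return s if decoded == s else fully_unquote(decoded)

def effective_target(href):
    """Return (host, port, userinfo) the browser would really connect to.
    Assumption: a 'site=' query parameter is an offsite redirect, so it is followed."""
    parts = urlsplit(fully_unquote(href))
    site = parse_qs(parts.query).get("site")
    if site:
        parts = urlsplit(site[0])
    # In scheme://user@host:port the text before '@' is userinfo, never the host.
    return parts.hostname, parts.port, parts.username

def shown_host(text):
    """Host named by the visible link text, or None if the text is not URL-like."""
    text = text.strip()
    if not re.match(r"(https?://)?[\w.-]+\.\w+", text, re.I):
        return None
    return urlsplit(text if "://" in text else "http://" + text).hostname

def suspicious_links(html):
    """Flag links whose visible text names a host other than the real target host."""
    findings = []
    for href, text in LINK_RE.findall(html):
        host, port, user = effective_target(href)
        shown = shown_host(text)
        if shown and shown != host:
            findings.append({"shown": shown, "host": host, "port": port, "userinfo": user})
    return findings

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL):
        print(f"looks like {f['shown']} but really {f['host']}:{f['port']} (userinfo {f['userinfo']!r})")
```

Run against the sample, the second link resolves to host 127.0.0.0 on port 4901 with "scgi.ebay.com" as nothing more than a username, which is exactly why the browser ignores it when deciding where to connect.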

So now we know how it's done, but how do we tell when it's being done in email? Unfortunately, it's not as simple as hovering over the link or right-clicking the link and choosing Properties. In fact, most email clients will not let you right-click a link and view the actual target. Worse, when you hover over the link in unpatched versions of Outlook and Outlook Express, the display text will be shown instead of the actual target link. In other words, if you hover over the following link in an email (with unpatched versions of these mail clients):

http://antivirus.about.com/gi/dynamic/offsite.htm?site=http://scgi.ebay.com%40%2531%2532%2537%252E%2530%252E%2530%252E%2530:%2534%2539%2530%2531

it will display the link text:

https://scgi.ebay.com/saw-cgi/eBayISAPI.dll?VerifyInformation

instead of the actual target:

http://scgi.ebay.com@127.0.0.0:4901/

Therefore, the best way to determine an actual link in email is to view the actual Message Source code for the email.

To view the source code for an email message, right-click the email in the inbox list and choose Properties:

[image: Outlook Express message Properties dialog]

Now select the Details tab:

[image: Details tab with the Message Source button]

From the Details tab, click the Message Source button. Now scroll through the source code for the email until you locate the link you want to check. Keep in mind all that we've learned thus far about ways to disguise a link and you should have no difficulty determining whether the link you've received is valid. It may be a moot point, as both eBay and PayPal urge their members to never click a link found in any eBay or PayPal email. Instead, they recommend typing the URL of their site directly into the browser address bar. Both also caution that they will never request financial or account information via email, so any email doing so should be considered suspicious.