Phishing Update

In the Inside ID Conference report I mentioned "phishing" as one of the types of fraudulent activity that is happening on the Internet. There was a news story about phishing in the past few days — it is clearly on the rise and something to be quite careful about. I have personally received three phishing emails this week and it is clear that the perpetrators are getting very clever. In addition to the basic fraudulent attempts to get personal information from others, the emails use "spoofing". Spoofing is a technique — unfortunately not hard to do — whereby the "from" address is modified to make it look like the message came from a legitimate source. Here are the three emails I received and some advice on how to deal with them.
[image: eBay logo]
Dear Valued eBay Users,

eBay Information Management regrets to inform you that your eBay account has been suspended due to validation problems. Your account failed to be authorize and as a result, your account has been flagged. All further transactions with your account will be denied until this flag is removed. To remove the flag, follow the instructions below:
Click Here to go to the validation page.

Have your debit card and other validation items ready.

Fill in the required fields with the necessary information

After you have double checked all fields, click the "Continue" button at the bottom of the page to send the information.

Then you will be redirected to page (2) of the validation where you must agree to the new terms and privacy policy.

Then you will be redirected to page (3) of the validation where you must sign in to your account to send the information securely to our security validation department. Please print this page to keep reference to.

Please allow 3 to 5 days for proper validation. You can continue to use your account as usual, If there are any problems verifying your information you will receive an e-mail from our security department

NOTE: Do not submit more then one time. Failing to do so will delay the validation process drastically.

Copyright © 1995-2003 eBay Inc. All Rights Reserved. PayPal is a eBay company.

Designated trademarks and brands are the property of their respective owners.

Use of this Web site constitutes acceptance of the eBay User Agreement and Privacy Policy.
[image: TRUSTe logo]


Unfortunately, it is also easy to steal a trademarked logo from a web site as they did here with eBay. To add insult to injury, the fraudsters also placed a Truste logo at the end. The actual hyperlink in the email goes to http://hostingprod.com/@ebay-log-in.com/ This is obviously not an eBay.com server. An inspection of the header of the email shows that it actually was sent from prod-infinitum.com.mx which is a server in Mexico.
The next phishing email impersonated Citibank.



Recently there have been a large number of identity theft attempts targeting Citibank customers. In order to safeguard your account, we require that you update your Citibank ATM/Debit card PIN.
This update is requested of you as a precautionary measure against fraud. Please note that we have no particular indications that your details have been compromised in any way.
This process is mandatory, and if not completed within the nearest time your account may be subject to temporary suspension.

To securely update your Citibank ATM/Debit card PIN please go to : https://www.citibank.com/signin/citifi/scripts/login2/update_pin.jsp

(note by JRP: bold text above was originally a clickable link – see note below)
Please note that this update applies to your Citibank ATM/Debit card – which is linked directly to your checking account, not Citibank credit cards .

Thank you for your prompt attention to this matter and thank you for using Citibank!

Regards,

Sheena Egan

Head of Citi® Identity Theft Solutions


Copyright © 2004 Citicorp. All rights reserved.


Needless to say, the email did not come from Citibank and the link does not go back to Citibank. The link is very deceiving. It looks like a legitimate link, just as the email itself looks legitimate. The actual markup for the link had an href attribute value of http://218.62.39.59:8000/verify/citipop.htm, while the anchor text shown on the page was https://www.citibank.com/signin/citifi/scripts/login2/update_pin.jsp
Here you see that the href attribute clearly does not reference a Citibank server; it points at a bare IP address.
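The two checks described above (does the link's real href host match what the reader sees, and which server does the earliest Received header name) can be automated. This is an added example, not code from the original post; the HTML and raw message are constructed to mirror the Citibank and eBay samples, and the relay and sender names other than prod-infinitum.com.mx are placeholders.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_findings(html):
    """Return [(href, [reasons])] for anchors that mislead the reader."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        reasons = []
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("href host is a raw IP address")
        if text.lower().startswith(("http://", "https://")):
            shown = (urlsplit(text).hostname or "").lower()
            if shown != host:  # the Citibank trick: visible URL != real URL
                reasons.append(f"displayed host {shown!r} != actual host {host!r}")
        if reasons:
            findings.append((href, reasons))
    return findings

def origin_relay(raw_message):
    """Host named in the bottom-most Received header, i.e. the first relay."""
    received = message_from_string(raw_message).get_all("Received") or []
    match = re.search(r"from\s+(\S+)", received[-1]) if received else None
    return match.group(1) if match else None

# Constructed samples modelled on the emails quoted in this post.
SAMPLE_HTML = (
    '<p>To securely update your PIN please go to : '
    '<a href="http://218.62.39.59:8000/verify/citipop.htm">'
    'https://www.citibank.com/signin/citifi/scripts/login2/update_pin.jsp</a></p>'
    '<p><a href="https://www.citibank.com/privacy">Privacy Policy</a></p>')
SAMPLE_RAW = (
    "Received: from mx.recipient.example by inbox.recipient.example; Tue, 1 Jun 2004 10:00:00 +0000\n"
    "Received: from prod-infinitum.com.mx ([192.0.2.10]) by mx.recipient.example; Tue, 1 Jun 2004 09:59:00 +0000\n"
    "From: eBay <service@ebay.example>\nSubject: Account suspended\n\nbody\n")
```

Running `link_findings(SAMPLE_HTML)` flags only the first anchor (raw IP, displayed host differs), and `origin_relay(SAMPLE_RAW)` returns the Mexican relay despite the eBay "from" address.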
Third example, "from" Fleet Bank


[image: the Fleet Bank phishing email]


This one was short and to the point. Click to give away your credit card number.


The moral of the story is to be increasingly careful. Anti-virus and anti-spam are not enough. Anti-spyware is not enough. Hardware and software firewalls are not enough. All of these are essential but the other ingredient is common sense. Look at your email carefully. Even if the "from" address is one you recognize, look also at the context. Ask yourself if the email content is something you were expecting, that you understand, or at least makes sense. Look especially hard at attachments and hyperlinks before taking action. If it isn’t something you were expecting, my advice is don’t click and don’t open.
Digital IDs are essential to add authentication to email and software downloads. We need to be able to establish that we are who we say we are and to be sure that others (people, links, software) are who they say they are. You can read more about this in the patrickWeb Privacy and Trust series.