phishing

from HTYP, the free directory anyone can edit if they can prove to me that they're not a spambot
Jump to: navigation, search

Overview

The word phishing refers to any attempt to obtain sensitive data – most commonly username/password combinations – by posing as a legitimate web site with whom the phishing victim has an account.

The most common scenario goes like this:

  1. User receives an email apparently from a legitimate business with whom s/he has an account
  2. The email informs the user that s/he needs to log onto her/his account for some reason
  3. The email gives a "convenient" log-on link for the user
    • some early phishing attempts included a log-on form in the email itself, but now too many people have become aware that this is a warning flag
  4. The URL in the link usually includes some text which looks like the legitimate site's log-in URL, and may even be indistinguishable from a legitimate URL unless the user knows a little bit about how URLs work
  5. The user clicks on the link, and is shown a page which appears identical to the legitimate log-in page (although links on this page may or may not function), but which is actually hosted on a machine controlled by the phisher
  6. The user enters her/his log-in information, and presses the "log in" button
  7. The user's username and password are recorded by the phisher, who later uses them to break into the user's account
  8. The site may then allow the user to actually log in (by passing the username and password on to the real site), or may report some legitimate-seeming "temporary error" and advise the user to try again later.

Phishing sites are a form of malware.

Example

Woozle received the following email on 2007-05-26 (edited for proper display within this wiki page):

email

Dear Paypal member,

Paypal was notified by Visa and Mastercard that some members card information
may have been compromised as a result of a security breach that recently occured
involving unauthorized access into a third party processor`s data system.

This breach is not associated with Paypal computer systems.
Paypal requires the customer to provide up-to-date and accurate information,
including but not limited to your real name,valid U.S mailing address and residential address(if different),
a Tax Identification Number or a Social Security Number,date of birth and telephone number.
A temporary block has been placed on your account until we receive this information.

If your card number has been compromised you will be notified by phone and/or e-mail.

Please note that failure to reply within 2 days will result in permanent cancelation of your account with Paypal

Click on the following link to remove this temporary block placed on your account

Log in to your account

Sincerely,

Copyright © 1999-2006 PayPal. All rights reserved.

Paypal logo.gif

Notice the bad punctuation and formatting, highly atypical of official messages from a large company such as PayPal.

web site

2007-05-26 streamjobs PayPal phishing screen.png

As an imitation, this is somewhat outdated; the real PayPal site currently looks like this.

None of the links work; they all seem to link to "#", which just refers back to the same page. (There isn't any javascript.)

whois

A whois on streamjobs.net (where the phishing page is hosted) returns this:

  Domain Name: STREAMJOBS.NET
  Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
  Whois Server: whois.melbourneit.com
  Referral URL: http://www.melbourneit.com
  Name Server: NS1.GLOBALSERVERS.COM
  Name Server: NS2.GLOBALSERVERS.COM
  Status: ok
  Updated Date: 18-oct-2006
  Creation Date: 04-aug-2004
  Expiration Date: 04-aug-2007

Domain Name.......... streamjobs.net

 Creation Date........ 2004-08-05
 Registration Date.... 2004-08-05
 Expiry Date.......... 2007-08-05
 Organisation Name.... Thierry Laurent
 Organisation Address. 422 Red River Trail
 Organisation Address. Apt 1075
 Organisation Address. Irving
 Organisation Address. 75063
 Organisation Address. TX
 Organisation Address. UNITED STATES
Admin Name........... Thierry Laurent
 Admin Address........ 422 Red River Trail
 Admin Address........ Apt 1075
 Admin Address........ Irving
 Admin Address........ 75063
 Admin Address........ TX
 Admin Address........ UNITED STATES
 Admin Email.......... tlaurent_us@hotmail.com
 Admin Phone.......... +1 (214) 7271499
 Admin Fax............
Tech Name............ Thierry Laurent
 Tech Address......... 422 Red River Trail
 Tech Address......... Apt 1075
 Tech Address......... Irving
 Tech Address......... 75063
 Tech Address......... TX
 Tech Address......... UNITED STATES
 Tech Email........... tlaurent_us@hotmail.com
 Tech Phone........... +1 (214) 7271499
 Tech Fax.............
 Name Server.......... ns1.globalservers.com
 Name Server.......... ns2.globalservers.com

It is not clear whether streamjobs.net is complicit in this scam, or whether their server has been hacked. The fact that they are hosting in Australia despite the domain being US-owned is suspicious: foreign hosting is one way of avoiding or delaying legal consequences for hosting illegal content.