We seem to write a post on this once a month minimum. When opening this week's CERT advisory there were 14 vulnerabilities rated 9.3 for Adobe Reader and Acrobat. This plague of vulnerabilities and the related exploits that have popped up reminds me of Internet Explorer 5 years ago. So here at Managed Solutions we are once again advising our clients to apply any updates to Adobe products when prompted or to exercise extra caution with .pdf files. Here is the menacing list of vulnerabilities announced on 6/30/2010:
Quick Tip MrFixit for Windows Update Issues
Have you ever encountered errors with Windows Update or had it just stop prompting you altogether? This might be the solution to your problem. Either way, it is a web page at Microsoft that will provide the right tool depending on what operating system you are running.
To run the utility navigate to http://support.microsoft.com/kb/971058 and click on the Microsoft Fix It icon or link:
You will have one option that can be selected. Only use this option if the first attempt without it checked was not successful:
After running the utility in either mode an additional screen will pop up with other options:
If after a restart you still experience issues, you can run the utility again to access the help links in the utility. Microsoft does provide free support for Windows Update issues.
Anatomy of a Phishing Email
I encountered a great opportunity this evening, the opportunity to share an inside look of a Phishing Email. What is Phishing?
“In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.” – Wikipedia
What I noticed was an Email purportedly from Bank of America telling me that there was an “Account Resolution Required”:
I scanned over to the preview pane and noticed that it had a link that appeared to be correct, so I hovered over the link to see if the link was spoofed and, to no big surprise, it was. Here is how the message looked in my preview pane. I did not download pictures because that is a popular way for spammers/crooks to confirm Email addresses of their targets/victims:
Let me further clarify in lay terms, the link that reads:
https://www.bankofamerica.com/home/1244618/ddjdfdkfi126.aspx?screenid=Update_Acct
is actually:
http://prostyle-esports.nl/index.php
and this is evident when I hover over, or place my mouse cursor on, the “alleged” link. This is a tactic you can use to check links you are unsure of. However, I should clarify that it doesn’t always work. There have been occasions where this has been spoofed effectively; typically it has to do with the Email client or browser and security patches on your computer.
Testing the Link
Using a test environment I pasted the link to see what the target site looked like:
I was pleased to see it had been blocked; this saved me the time of researching and Emailing the Internet Provider involved. After confirming this I used “properties” in Outlook to get the header information. There is a lot of information, but plenty of clues to let me know that this message was not authentic (had everything else appeared right, the SSL certificate warning would most certainly have popped up unless it was an unprecedented forgery!). Here are a few of the more obvious lines I parsed from the headers:
Received: from User ([82.128.0.69]) by post.strato.de (mrclete mo25) (RZmta
23.3) with ESMTP id 20016am5E507CT ; Mon, 14 Jun 2010 07:43:29 +0200 (MEST)
Reply-To:
From: Bank of America
In the above examples, you can see that the message Reply-To and From don’t match and that the mail server is post.strato.de, not a likely mail server for Bank of America (perhaps for Deutsche Bank next time guys?). Also, after running the IP address of the sender, 82.128.0.69, on Arin.net I was able to determine that it was a European address (which I had already figured due to the .de domain on the mail server, but it was further validation):
There are a lot of ways to spot fraudulent/Phishing Emails. Our advice to our clients is that if they are not 100% certain, they should forward the messages to us for analysis. Most of these kinds of messages are blocked and we don’t see them, but if something doesn’t look quite right it probably isn’t.
Update Microsoft Office Products – Joe Reviews SB10-074 Cert Report (Video)
Here is a review of this week's CERT Advisory. This update contains the infamous Arucer.dll that came with the charging software on the Energizer Duo USB. We also definitely recommend updating your Microsoft Office products if you haven’t recently. This is a weekly feature here at Managed Solutions. If you have questions about this video, post a comment here or ask on our Facebook Fan Page.
Update Adobe Acrobat, Again – Joe Reviews SB10-060 Cert Report (Video)
Here is a review of this week's CERT Advisory. Adobe Acrobat has returned, so please be sure to update! This is a weekly feature here at Managed Solutions. If you have questions about this video, post a comment here or ask on our Facebook Fan Page.