Analyzing a "Phishing" Scam Attempt
"Phishing" Scams
Phishing refers to a form of social engineering done through e-mail and/or web pages. It's an attempt to trick people into revealing sensitive personal information, usually financial, by masquerading as a bank or similar.
Step 1 — Mail Arrives
Mail arrives, and a typical mail tool takes the naive approach that all the header fields can be believed. The message details would appear to be as follows:
From support@paypal.com Mon Jan 5 11:05:17 2004
Subject: PayPal Account Update
To: bobcromwell@insightbb.com
Reply-To: support@paypal.com
Date: Tue, 6 Jan 2004 01:05:17 +0900
What does the message say? If you take the extremely dangerous step of letting your mail tool render the HTML, here is what you would see:
[rendered HTML message as a mail client would display it]
Look at that! Real PayPal artwork, some very legitimate looking text, a valid PayPal URL, and even appropriate security warnings.
BUT THAT MESSAGE IS ENTIRELY BOGUS, AN ATTEMPT TO STEAL YOUR PERSONAL INFORMATION!
Let's look at the real header and the actual message data, to see what's going on.
Step 2 — Reading the real mail header
Here is the real mail header. Notice the second Received: line, the one recording the first SMTP hop. It was written by the recipient's own mail server (sccigwc01.asp.att.net) at the moment an outside machine connected to it, which makes it the one part of this header that can actually be trusted.
From support@paypal.com Mon Jan 5 11:05:17 2004
Return-Path: <support@paypal.com>
Received: from sccigwc01.asp.att.net ([63.240.76.150])
    by sccigwc01.asp.att.net (InterMail vM.4.01.03.37 201-229-121-137-20020806)
    with ESMTP id <20040105161116.UYJ18214.sccigwc01.asp.att.net@sccigwc01.asp.att.net>
    for <bobcromwell@insightbb.com>; Mon, 5 Jan 2004 16:11:16 +0000
Received: from smerp (unknown[61.80.83.4])
    by sccigwc01.asp.att.net (sccigwc01) with SMTP id <20040105161104ig100i9m5ne>;
    Mon, 5 Jan 2004 16:11:15 +0000
From: "payPal.com" <support@paypal.com>
Subject: PayPal Account Update
To: bobcromwell@insightbb.com
Content-Type: text/html;iso-8859-1
Reply-To: support@paypal.com
Date: Tue, 6 Jan 2004 01:05:17 +0900
X-Priority: 2
X-Library: Indy 8.0.25
Message-Id: <20040105161116.UYJ18214.sccigwc01.asp.att.net@sccigwc01.asp.att.net>
Status: R
X-Status: N
X-KMail-EncryptionState:
X-KMail-SignatureState:
X-KMail-MDN-Sent:
The mail was really handed to the recipient's server by 61.80.83.4. That machine announced itself in the SMTP HELO as "smerp", and the receiving server could not find a reverse-DNS name for its address, hence "unknown". Everything below that Received: line, including From:, Reply-To: and Date:, was composed by the sender and proves nothing. Anyone with the GNU version of whois can see that 61.80.83.4 belongs to a block of 128 IP addresses:
$ whois 61.80.83.4
query: 61.80.83.4

# ENGLISH

KRNIC is not ISP but National Internet Registry similar with APNIC.
Please see the following end-user contacts for IP address information.

IP Address        : 61.80.83.0-61.80.83.127
Network Name      : KORNET-HOTLINE2003061191
Connect ISP Name  : KORNET
Connect Date      : 20031129
Registration Date : 20031206

[ Organization Information ]
Orgnization ID    : ORG291047
Org Name          : kangmunsik
State             : CHONNAM
Address           : taeintekeu ho 0002 beonji 0042 seomyunseonpyung suncheonsi
Zip Code          : 540-813

[ Admin Contact Information]
Name              : munsik kang
Org Name          : kangmunsik
State             : CHONNAM
Address           : taeintekeu ho 0002 beonji 0042 seomyunseonpyung suncheonsi
Zip Code          : 540-813
Phone             : +82-2-551-5132
E-Mail            : abc017@kt.co.kr

.... lots more deleted ....
If you don't have the GNU version of whois, then use robtex.org.
Look at the difference in the two date fields in the header — here is the simplified header as shown by a typical mail tool one more time:
From support@paypal.com Mon Jan 5 11:05:17 2004
Subject: PayPal Account Update
To: bobcromwell@insightbb.com
Reply-To: support@paypal.com
Date: Tue, 6 Jan 2004 01:05:17 +0900
According to the Date: field, the sending machine believes it is in the UTC+9 time zone, which covers Korea and Japan and agrees with the whois result. The two timestamps actually describe the same instant: 01:05:17 +0900 is 16:05:17 UTC, and the mailbox From line shows that instant in the recipient's local zone, 11:05:17 EST (UTC-5); the 14-hour gap is just the difference between the two zones. Keep in mind, though, that Date: is written by the sender and could say anything. The times you can trust are those in the Received: lines written by the receiving server, which show the message arriving about six minutes later, at 16:11:15 UTC.
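As an added example (not part of the original article), here is a small Python script that does the two header checks above mechanically: it walks the Received: chain from the top down, stopping at the last line written by a server you trust, and it compares the sender-supplied Date: with that server's timestamp. The header text is copied from the message above; a forged variant with an extra bottom hop is constructed for contrast, and the trusted-server suffix ".asp.att.net" is an assumption you would replace with your own mail server's name.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Header of the message analyzed above (body omitted; copied from the page).
RAW_HEADER = """\
Return-Path: <support@paypal.com>
Received: from sccigwc01.asp.att.net ([63.240.76.150])
    by sccigwc01.asp.att.net (InterMail vM.4.01.03.37 201-229-121-137-20020806)
    with ESMTP id <20040105161116.UYJ18214.sccigwc01.asp.att.net@sccigwc01.asp.att.net>
    for <bobcromwell@insightbb.com>; Mon, 5 Jan 2004 16:11:16 +0000
Received: from smerp (unknown[61.80.83.4]) by sccigwc01.asp.att.net (sccigwc01)
    with SMTP id <20040105161104ig100i9m5ne>; Mon, 5 Jan 2004 16:11:15 +0000
From: "payPal.com" <support@paypal.com>
Subject: PayPal Account Update
To: bobcromwell@insightbb.com
Reply-To: support@paypal.com
Date: Tue, 6 Jan 2004 01:05:17 +0900
X-Library: Indy 8.0.25

"""

# Constructed variant: the sender has added a fake hop "from" a PayPal-looking host
# (192.0.2.10 is a documentation address, not a real PayPal server). It sits below the
# last hop written by the recipient's own server, so a correct walk must ignore it.
FORGED_HEADER = RAW_HEADER.rstrip("\n") + """
Received: from mail.paypal.com (mail.paypal.com [192.0.2.10]) by smerp
    with ESMTP id fake123; Mon, 5 Jan 2004 16:05:00 +0000

"""

_RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s*(?:\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Pull HELO name, connecting IP, receiving host and timestamp out of one Received: line."""
    line = " ".join(value.split())          # unfold continuation lines
    m = _RECEIVED_RE.match(line)
    ip = _IP_RE.search(line)
    stamp = line.rsplit(";", 1)[1].strip() if ";" in line else None
    return {
        "helo": m.group("helo") if m else None,
        "by": m.group("by") if m else None,
        "ip": ip.group(1) if ip else None,
        "received_at": parsedate_to_datetime(stamp) if stamp else None,
    }


def origin_hop(raw, trusted_by_suffix):
    """Return the last Received: hop written by a trusted server, walking newest to oldest.

    Received: lines are prepended, so the topmost is the most recent. Only lines
    written by our own servers ("by <trusted host>") are reliable; the last of those
    names the IP that really connected from outside, and anything below it was
    supplied by the sender and may be forged."""
    last = None
    for value in message_from_string(raw).get_all("Received", []):
        hop = parse_received(value)
        if not hop["by"] or not hop["by"].lower().endswith(trusted_by_suffix):
            break
        last = hop
    return last


def date_skew_seconds(raw, trusted_by_suffix):
    """Seconds between the trusted arrival time and the sender-supplied Date: header."""
    claimed = parsedate_to_datetime(message_from_string(raw)["Date"])
    arrived = origin_hop(raw, trusted_by_suffix)["received_at"]
    return (arrived - claimed).total_seconds()


def claimed_utc_offset_hours(raw):
    """Time zone the sender's clock claims, taken from the Date: header."""
    claimed = parsedate_to_datetime(message_from_string(raw)["Date"])
    return claimed.utcoffset().total_seconds() / 3600


if __name__ == "__main__":
    for name, hdr in (("as received", RAW_HEADER), ("with forged hop", FORGED_HEADER)):
        hop = origin_hop(hdr, ".asp.att.net")
        print(name, "-> origin", hop["ip"], "HELO", hop["helo"],
              "skew %+.0fs" % date_skew_seconds(hdr, ".asp.att.net"),
              "sender zone UTC%+g" % claimed_utc_offset_hours(hdr))
```

Both headers yield the same origin, 61.80.83.4, because the walk stops at the trust boundary; the forged "mail.paypal.com" hop is never consulted. The skew of 358 seconds (Date: written at 16:05:17 UTC, message accepted at 16:11:15 UTC) is small enough to be clock drift or queueing; a Date: hours or days away from the trusted Received: time is a stronger tell.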
Step 3 — Reading the Real Message
Here is the actual HTML code making up the message body. If you are like me, your mail tool does not render any HTML but just displays the real message contents, as shown below. The only HTML-formatted mail I get is from spammers and scammers. If you are curious about how spammers and scammers try to trick you, then you might want to actually look at the HTML code. Otherwise, just throw away all your HTML-formatted mail.
If someone needs fancy fonts and formatting to get their point across, then apparently they don't know how to write meaningful prose. Reading their text would be a waste of your time.
<html>
<head>
<style type="text/css">
BODY, TD {font-family: verdana,arial,helvetica,sans-serif;font-size: 12px;color: #000000;}
...pp_heading {font-family: verdana,arial,helvetica,sans-serif;font-size: 18px;font-weight: bold;color: #003366;}
</style>
</head>
<xbody bgcolor="#ffffff">
<table width="600" class="centered">
  <tr style="vertical-align: top;">
    <td><A target="_blank" rel="noopener" href="https://www.paypal.com" ><IMG src="http://images.paypal.com/images/email_logo.gif" width=255 height=35 alt="PayPal" border='0'></A> </td>
  </tr>
</table>
<table style="width: 100%;">
  <tr>
    <td bgcolor="336699"><img src="http://images.paypal.com/images/pixel.gif" height='25' width="1" border='0'></td>
  </tr>
</table>
<table width="600" class="centered">
  <tr style="vertical-align: top;">
    <td width="400">
      <table style="width: 100%;">
        <tr style="vertical-align: top;">
          <td>
            <table style="width: 100%;">
              <tr>
                <td class="pp_heading" class="textleft">URGENT: PayPal System Problems</td>
              </tr>
            </table>
          </td>
        </tr>
        <tr>
          <td>Dear PayPal User,<br><br>Today we had some trouble with one of our computer systems. While the trouble appears to be minor, we are not taking any chances. We decided to take the troubled system offline and replace it with a new system. Unfortunately this caused us to lose some member data. Please follow the link below and log into your account to make sure your information is not affected. <i>Account balances have not been affected.</i><br><br>Because of the inconvenience this causes we are giving all users that repair their missing data their next two incoming transfers for free! You will pay no fees for your next two incoming transfers*.</td>
        </tr>
        <tr>
          <td><table style="text-align: center; bgcolor=#ffffff;">
            <tr>
              <td><img src="http://images.paypal.com/images/dot_row.gif" width=390 height=5></td>
            </tr>
          </table></td>
        </tr>
        <tr>
          <td><table style="text-align: center; bgcolor=#ffffff;">
            <tr><td><a href="http://www.paypal.com%65%6B%6A%68%61%73%6B%6A%71%70%77%6F%70%77%6F@%32%31%31.%36%33.%31%36%32.%39%33:%37%33%30%31/%70%61%79%70%61%6C.%68%74%6D"> https://www.paypal.com/cgi-bin/webscr/?cmd=_login-run</a></td></tr>
          </table></td>
        </tr>
        <tr>
          <td><table style="text-align; center; bgcolor=#ffffff;">
            <tr>
              <td><img src="http://images.paypal.com/images/dot_row.gif" width=390 height=5></td>
            </tr>
          </table></td>
        </tr>
        <tr>
          <td>Thank you for using PayPal!<br><br><font size="-1">* - If fees would normally apply, you will not pay anything for the next two incoming transfers you receive.</td>
        </tr>
      </table>
    </td>
    <td><img src="http://mail.yahoo.com/config/login?/images.paypal.com/images/pixel.gif" height='1' width="10" border='0'> </td>
    <td style="width: 190px; vertical-align: top;">
      <table style="width: 100%; bgcolor: #cccccc;">
        <tr>
          <td>
            <table style="width: 100%; bgcolor: #ffffff;">
              <tr bgcolor="#eeeeee">
                <td colspan="2"><b>PayPal Security</b></td>
              </tr>
              <tr>
                <td colspan="2"><br><i>PROTECT YOUR PASSWORD</i><br>NEVER give your password to anyone and ONLY log in at PayPal's website. If anyone asks for your password, please follow the Security Tips instructions on the PayPal website.<br><br>Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your PayPal account and choose the "Help" link in the footer of any page.<br> <br> </td>
              </tr>
            </td>
          </table>
        </td>
      </table>
    </td>
  </tr>
</table>
</body>
</html>
Step 4 — Analyzing the Attempted Scam
Now we see their trick! Notice the hyperlink:
<a href="http://www.paypal.com%65%6B%6A%68%61%73%6B%6A%71%70%77%6F%70%77%6F@%32%31%31.%36%33.%31%36%32.%39%33:%37%33%30%31/%70%61%79%70%61%6C.%68%74%6D"> https://www.paypal.com/cgi-bin/webscr/?cmd=_login-run</a>
The text between the <a> and </a> tags, the part a reader sees, is a genuine-looking PayPal URL. The href, the part the browser actually follows, is something else entirely. Especially notice the URL-encoded ASCII values: "%65", "%6B", "%6A", and so on. ASCII 0x65 is an "e", 0x6B is a "k", 0x6A is a "j", 0x68 is an "h", and so on.
Replacing each %XX escape with the character it encodes changes the hyperlink's target to:
http://www.paypal.comekjhaskjqpwopwo@211.63.162.93:7301/paypal.htm
Ahah! In URL syntax everything between "//" and "@" is the optional user-information field, not the host name; the host is whatever follows the "@". So the browser connects to TCP port 7301 at IP address 211.63.162.93, fetches the file "/paypal.htm", and would offer "www.paypal.comekjhaskjqpwopwo" as a user name only if that server asked for HTTP authentication, which it has no reason to do. Browsers of the day showed the whole string in the address bar, so a victim saw "http://www.paypal.com" at the left and nothing alarming unless they read all the way past the "@"; current browsers strip or warn about the user-information part for exactly this reason. The percent-encoding hides the dotted-quad address and the odd port from anyone who glances at the raw HTML, and the address bar shows the decoded form only after the click.
Also worth noticing is the one-pixel-high image whose src is http://mail.yahoo.com/config/login?/images.paypal.com/images/pixel.gif. The only host that request ever reaches is mail.yahoo.com; the PayPal-looking remainder is just a query string.
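As an added example, not from the original page: a Python function that decodes a link target the way a browser does, splitting on the literal delimiters first and percent-decoding each component afterwards, and then lists the signs a practitioner looks for in a link like this one. The href and its visible text are copied from the message above; the brand list and the wording of the findings are my own, and the general algorithm applies to any absolute http(s) URL, not only this one.

```python
import ipaddress
import re
from urllib.parse import unquote

# The href and the visible link text from the message above (copied from the page).
PHISH_HREF = ("http://www.paypal.com%65%6B%6A%68%61%73%6B%6A%71%70%77%6F%70%77%6F"
              "@%32%31%31.%36%33.%31%36%32.%39%33:%37%33%30%31/%70%61%79%70%61%6C.%68%74%6D")
PHISH_TEXT = "https://www.paypal.com/cgi-bin/webscr/?cmd=_login-run"

# scheme://[userinfo@]host[:port][/path][?query][#fragment], matched on the RAW string:
# a literal "@" or ":" is a delimiter, but a percent-encoded "%40" or "%3A" is data,
# which is how a browser (and RFC 3986) treats it. Decoding first would get that wrong.
_URL_RE = re.compile(
    r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://"
    r"(?:(?P<userinfo>[^/?#@]*)@)?"
    r"(?P<host>[^/?#:@]*)"
    r"(?::(?P<port>[^/?#]*))?"
    r"(?P<rest>[/?#].*)?$"
)


def parse_href(href):
    """Split an absolute URL into its components, then percent-decode each one."""
    m = _URL_RE.match(href)
    if not m:
        raise ValueError("not an absolute URL: %r" % href)
    parts = {k: (unquote(v) if v is not None else None) for k, v in m.groupdict().items()}
    port = parts["port"]
    parts["port"] = int(port) if port and port.isdigit() else None
    parts["rest"] = parts["rest"] or "/"
    return parts


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_href(href, link_text, brand_hosts=("paypal.com",)):
    """Return (decoded parts, list of findings) for an <a href=...>link_text</a> pair."""
    parts = parse_href(href)
    findings = []
    if parts["userinfo"]:
        findings.append("userinfo %r precedes the real host; it is only a login name"
                        % parts["userinfo"])
        if any(b in parts["userinfo"].lower() for b in brand_hosts):
            findings.append("userinfo is dressed up as a brand host name")
    if is_ip_literal(parts["host"]):
        findings.append("host is a bare IP address: %s" % parts["host"])
    if "%" in href.split("/", 3)[2]:        # the authority component of the raw href
        findings.append("percent-encoding used inside the authority (userinfo/host/port)")
    shown = _URL_RE.match(link_text.strip())
    shown_host = shown.group("host").lower() if shown else None
    if shown_host and shown_host != parts["host"].lower():
        findings.append("link text shows %s but target host is %s"
                        % (shown_host, parts["host"]))
    return parts, findings


if __name__ == "__main__":
    parts, findings = analyze_href(PHISH_HREF, PHISH_TEXT)
    print("connects to %s port %s for %s" % (parts["host"], parts["port"], parts["rest"]))
    for f in findings:
        print(" -", f)
```

Run as a script it prints the decoded target (211.63.162.93, port 7301, /paypal.htm) and five findings for the link above, and no findings when the href and the link text are the same genuine PayPal URL. The design point is the order of operations: split on the raw string, then decode. A filter that decodes first would mis-parse a link containing "%40", treating as a delimiter what the browser treats as data.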
211.63.162.93 is from a different South Korean IP block.
% whois 211.63.162.93
query: 211.63.162.93

# ENGLISH

KRNIC is not ISP but National Internet Registry similar with APNIC.
Please see the following end-user contacts for IP address information.

IP Address        : 211.63.162.64-211.63.162.95
Network Name      : KORNET-HOTLINE2003239528
Connect ISP Name  : KORNET
Connect Date      : 20031202
Registration Date : 20031224

[ Organization Information ]
Orgnization ID    : ORG316440
Org Name          : bakinseob
State             : KYONGGI
Address           : sehwajeongmil(ju) ho 0001 beonji 0707 namsabuk yonginsi
Zip Code          : 111-222

[ Admin Contact Information]
Name              : inseob bak
Org Name          : bakinseob
State             : KYONGGI
Address           : sehwajeongmil(ju) ho 0001 beonji 0707 namsabuk yonginsi
Zip Code          : 111-222
Phone             : +82-31-334-1511
E-Mail            : ktmen1@kt.co.kr
Over six months later the page was still available. It was a form asking for:
- Paypal login and password
- Social Security Number
- Mother's maiden name
- Date of birth
- Driver License Number and state of issue
- Credit card number, including PIN
- Checking account number and bank routing number
Nmap reported essentially the same picture for both machines involved in this attempted scam. Here is the scan of the sending machine:
# nmap -sS -sV -O -PI -PT 61.80.83.4

Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-01-08 10:09 EST
Interesting ports on 61.80.83.4:
(The 1636 ports scanned but not shown below are in state: closed)
PORT      STATE    SERVICE        VERSION
25/tcp    open     SMTP           Microsoft ESMTP 5.0.2195.6713
67/tcp    filtered dhcpserver
68/tcp    filtered dhcpclient
80/tcp    open     http           Microsoft IIS webserver 5.0
135/tcp   filtered msrpc
137/tcp   filtered netbios-ns
138/tcp   filtered netbios-dgm
139/tcp   filtered netbios-ssn
443/tcp   open     https?
445/tcp   filtered microsoft-ds
1025/tcp  open     msrpc          Microsoft Windows msrpc
1026/tcp  open     msrpc          Microsoft Windows msrpc
1029/tcp  open     msrpc          Microsoft Windows msrpc
1033/tcp  open     netinfo?
1720/tcp  filtered H.323/Q.931
3372/tcp  open     msdtc          Microsoft Distributed Transaction Coordinator
3389/tcp  open     microsoft-rdp  Microsoft Terminal Service (Windows 2000 Server)
4444/tcp  filtered krb524
4899/tcp  open     radmin?
5800/tcp  filtered vnc-http
5900/tcp  filtered vnc
17300/tcp filtered kuang2
Device type: general purpose
Running: Microsoft Windows 95/98/ME|NT/2K/XP
OS details: Microsoft Windows Millennium Edition (Me), Windows 2000 Professional or Advanced Server, or Windows XP

Nmap run completed -- 1 IP address (1 host up) scanned in 99.256 seconds
My guess is that both South Korean Windows machines ran an unpatched version of IIS, susceptible to the directory traversal hack that allows anyone to get remote administrative access. Someone took over two South Korean Windows machines connected to cable modems. One of them spewed out the mail scam. The other harvests sensitive information, and either saves it there for the perpetrator or sends it to some drop-off point.
Who did this? Who knows -- Russian mob, eastern European hackers, Brazilians, could be anyone...