Phishing Trip Part 1: Washington Mutual Scams
infectionvectors.com, January 2005
Overview
Every day, email users are flooded with spam. Many of these unwanted messages are advertisements; some are phishing attempts: concerted efforts to lift personal information with the intention of using it to steal money.
Defending users and customers against these attacks requires education. The ubiquity of these scams has spurred many large banks and credit organizations to put phishing warnings on their home pages. This report examines multiple phishing attempts with the same premise: that the recipient's bank requires an update from all of its customers via the web. The bank targeted in the attempts examined here, Washington Mutual, has taken steps to arm its customers with enough information to protect themselves against phishers, as can be seen on the alert page of its website [1].
Information is the best weapon against these criminals as the tactics and tools they use change rapidly. The intention of this report is to provide a framework for identifying scams and resources that maintain large databases of phish. From there, information assurance groups (and concerned individuals) can begin educating their users.
Note: Hyperlinks intentionally removed from scam examples, visit these sites at one's own risk.
The Scam
Almost every large financial institution has found its customers targeted by these scam attempts. These institutions make good "senders" because the average user is likely to find a request for personal or credit information from a bank plausible. Recognizing the threat, the Office of the Comptroller of the Currency [2], which regulates and supervises banks in the United States, provides a number of good resources that educate users about phishing. At its core, a phishing attempt has to raise its believability above the reader's suspicion level. Criminals use many tools to accomplish this, including the bank's logo, urgent-sounding wording, and a forged "From:" address that looks legitimate.
Briefly, here’s how the scams work:
1) A user receives an email message indicating that their account information is required.
2) The user clicks a link within the message that takes them to an "update" page (which asks for personal information), or submits their data directly from the message.
3) The criminal who established the site collects the data and uses it for any number of nefarious ends.
Although the scam may at first seem easy to avoid, the amount of work put into crafting legitimate-looking websites to serve as the false front end for collecting data makes many of these cons difficult to detect. This is especially true for a general user who has an inherent trust of email "sources" and of official logos within messages. Furthermore, the use of obscured URLs in the email (making it appear that a link goes to www.your-bank-here.com when it actually connects the user to www.bank-scams.net) makes spotting these fake messages all the more difficult for the average email reader.
Phish attempts often lift the logos directly from the real bank websites and link back to those sites for “Help” directories and email replies. This increases the apparent authenticity of the message. The following diagram outlines the simplicity of the scam:
Washington Mutual
Washington Mutual (“WaMu”), a large US bank offering both traditional and online consumer and business services, has found its customers the targets of attempted scams numerous times in the past year. This section will examine eight such attempts. The first message below arrived on November 10, 2004. Since that time a tremendous number of phony “WaMu” messages have circulated around the Internet. Over a two-week period (December 24, 2004 through January 6, 2005) an email account set up at infectionvectors.com received 7 scam attempts designed to appear as requests from Washington Mutual.
Message Zero
The first message is perhaps the most intriguing, as it carries no readable message body text in the email code (which makes it different from all of the others analyzed here). Instead, it pulls in the body of the email from a website in the form of a small HTML document, although a brief look at the URL would not necessarily reveal that fact.
The scam offers one unaltered URL, that of the real Washington Mutual login page, and one obfuscated URL (the true destination of the harvested personal data). URL obfuscation is the use of percent-encoded characters, HTML character entities, IP addresses written as plain decimal or hexadecimal numbers, Unicode look-alike characters, or other means to make URLs unreadable to human eyes. Web browsers (and HTML email clients) decode them without complaint, however, which makes them an easy way to hide a destination from a suspicious user.
In the case of this initial email, the destination URL appears this way in the code (see Appendix A for the full code of each email example):
http://%36%35%2E%31%36%37%2E%31%33%30%2E%31%32%36:%38%37/%77%61/%69%6E%64%65%78%2E%68%74%6D
Decoding the percent escapes (each %XX is the hexadecimal code of one ASCII character [3]) yields the following friendlier (to read, anyway) URL:
http://65.167.130.126:87/wa/index.htm
Many users would be skeptical if they saw the URL in this form, as the familiar "wamu.com" is missing (and more technically inclined users would note the use of port 87 instead of the usual 80). A little research into this address (via public WHOIS and IP-location tools) reveals:
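As an added illustration (not code from the original report), the following Python script undoes the disguises described above and reports the real host, port and path behind a link. It goes beyond the percent-encoded case in the text: the sample inputs are constructed for this example and also write the same address as one decimal or hexadecimal number, with HTML numeric entities, and with a decoy bank name placed before an "@" sign. The SAMPLES names and the belongs_to() check are this example's own.

```python
import ipaddress
import re
from html import unescape
from urllib.parse import unquote, urlsplit

# Constructed samples for this example. "percent" is the percent-encoded
# destination quoted in the report; the others rewrite the same address in
# other disguises a phisher could use.
SAMPLES = {
    "percent": "http://%36%35%2E%31%36%37%2E%31%33%30%2E%31%32%36:%38%37"
               "/%77%61/%69%6E%64%65%78%2E%68%74%6D",
    "decimal_ip": "http://1101496958:87/wa/index.htm",            # one 32-bit integer
    "hex_ip": "http://0x41a7827e/wa/index.htm",                   # same address in hex
    "entities": "http://&#54;&#53;.167.130.126/wa/index.htm",     # HTML numeric entities
    "userinfo": "http://www.wamu.com@65.167.130.126/wa/index.htm",  # decoy before "@"
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def deobfuscate(url: str) -> dict:
    """Undo the common URL disguises and report where the link really goes."""
    # Mail clients decode HTML entities before the URL is ever parsed.
    url = unescape(url)
    # Undo percent-encoding until stable, so double-encoded URLs are caught too.
    previous = None
    while previous != url:
        previous, url = url, unquote(url)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # A bare integer host is an IPv4 address written without dots.
    if re.fullmatch(r"\d+", host):
        host = str(ipaddress.IPv4Address(int(host)))
    elif re.fullmatch(r"0x[0-9a-f]+", host):
        host = str(ipaddress.IPv4Address(int(host, 16)))
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return {
        "host": host,
        "port": port,
        "path": parts.path,
        # Anything before "@" is user-info, not the host; a phisher can put the
        # bank's name there so the link starts with a familiar domain.
        "decoy_userinfo": parts.username,
    }


def belongs_to(host: str, domain: str) -> bool:
    """True only if host is the institution's domain or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        info = deobfuscate(sample)
        verdict = "OK" if belongs_to(info["host"], "wamu.com") else "SUSPECT"
        print(f"{name:10} -> {info['host']}:{info['port']}{info['path']} [{verdict}]")
```

Every sample resolves to 65.167.130.126, and none of them passes belongs_to() for wamu.com; the "userinfo" sample additionally reports www.wamu.com as decoy text that the browser ignores.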
IP Location: United States - North Dakota - Devils Lake - Sentris Network Llc Portfolio
Sprint SPRINTLINK-2-BLKS (NET-65-160-0-0-1) 65.160.0.0 - 65.174.255.255
Sentris Network LLC Portfolio SPRINTLINK (NET-65-167-130-0-1) 65.167.130.0 - 65.167.130.255
Sprintlink's address space has been listed as a "known spammer" for some time as of this writing [4]. In addition, by the time of this report Fraud Watch International had already catalogued the email message in question [5].
Of additional interest is the use of random phrases at the end of the email (unseen by the reader; see Appendix A). These are present in an attempt to defeat adaptive spam filters [6].
Message One
The first of the year-end explosion, received on December 24, 2004, warns of foreign "login trials" that forced WaMu to disable the reader's account.
The text of the email:
On the date of 18th of December there was a
login trials from
for your security Please click the link below to reactivate your account: https://www.wamu.com/internetBanking/RequestRouter?requestCmdId=Reactivate
Most users would immediately notice the odd line break following "for your security", the lack of correct punctuation and the poor grammar. However, in a rush, many people may accept the message, especially given the apparently "secure" https URL taking them to WaMu's "Reactivation" page. Again, see Appendix A for the HTML code of each sample email.
The logo itself does come from the wamu.com site: it is fetched from the bank's web server when a user opens the HTML-formatted email message. The two horizontal yellow lines in the email also come from a bank, but not Washington Mutual: they are fetched from SunTrust's website. SunTrust has had its own share of fake requests circulating on the Internet, so this message was likely crafted by someone responsible for at least one of those as well, recycling the basic scam with a different shell.
The link, which is clearly the key to the entire scam, is defined by the following HTML:
href="http://64.23.10.44/wamuupdate/accounts/update/avncenter/bsda6gwcv7zfcwfcwf34gfwf23g235f134f3fg3f&bhdfahva68532hbhwseBayISAPI.dllPaymentLanding&ssPageName=hhpayUSf&=userhgads&secure&ssl7r2vbd7d88klmnogh.htm">https://www.wamu.com/internetBanking/RequestRouter?requestCmdId=Reactivate</a></p>
The real destination, 64.23.10.44, is registered to:
Affinity Internet, Inc AFFINITY-64-23-0-0 (NET-64-23-0-0-1) 64.23.0.0 - 64.23.127.255
Ronkonkoma Greenhouses Inc SKWB-UURID-401 (NET-64-23-10-32-1) 64.23.10.32 - 64.23.10.47
United States - Maryland - Baltimore - Ronkonkoma Greenhouses Inc
64-23-10-44.ptr.skynetweb.com
The actual destination is visible when a user hovers the mouse pointer over the link, although many people are not in the habit of checking for a match.
Message Two
On December 28, 2004 the following lengthy message arrived:
It is very well written, except for the last line, which has typographical errors and a completely different tone than the rest of the message body. This addition (which is an attempt to add urgency to the fake request) may have been added by someone other than the author of the rest of the letter.
The hyperlink in this letter has one very important addition, the use of the following event-handler attributes on the link in the HTML code:
onMouseOver="window.status=..." and onMouseOut="window.status=..."
As can be seen in the image of this version of the scam, the author uses these to display the disguised web address in the status bar of Internet Explorer while the mouse hovers over the hyperlink (where a knowledgeable user may look to see where the link actually points). To discover the true destination, a user would have to right-click the link, select Properties, and examine the hyperlink shown there (or examine the HTML source, as has been done here). The actual destination is:
http://211.9.254.123/en/.mutual-sk/index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=
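The following Python script, added here as an example and not part of the original report, applies the checks a suspicious reader would make to an HTML mail body: it flags links whose visible text names one host while the href points to another, links that go to a bare IP address, and links carrying an onMouseOver handler that rewrites the status bar (the Message One and Message Two tricks). The sample HTML is constructed for this example and only modeled on those messages: the hosts are the ones cited above, the paths are shortened, and the third, "help" link is a made-up legitimate link included so the script has something it should not flag.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (not a real message): two deceptive links modeled on
# Message One and Message Two, followed by one legitimate link.
SAMPLE_MAIL = """
<p>Please click the link below to reactivate your account:
<a href="http://64.23.10.44/wamuupdate/accounts/update/index.htm">https://www.wamu.com/internetBanking/RequestRouter?requestCmdId=Reactivate</a></p>
<p>Confirm your details at
<a href="http://211.9.254.123/en/.mutual-sk/index.php?MfcISAPICommand=SignInFPP"
   onMouseOver="window.status='https://www.wamu.com/'; return true"
   onMouseOut="window.status=''; return true">https://www.wamu.com/</a></p>
<p>Need help? <a href="https://www.wamu.com/help/">https://www.wamu.com/help/</a></p>
"""


class LinkCollector(HTMLParser):
    """Record every <a>: its href, its visible text and its onMouseOver handler."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = {name: (value or "") for name, value in attrs}  # names arrive lowercased
            self._open = {"href": a.get("href", ""), "text": "",
                          "onmouseover": a.get("onmouseover", "")}

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None


def _host(url: str) -> str:
    try:
        return (urlsplit(url.strip()).hostname or "").lower()
    except ValueError:
        return ""


def audit_links(html: str) -> list:
    """Return the links a user should not trust, with the reason for each."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for link in collector.links:
        reasons = []
        href_host = _host(link["href"])
        text = " ".join(link["text"].split())
        # If the visible text is itself a URL, it must point where the href points.
        if "://" in text:
            shown_host = _host(text)
        elif text.lower().startswith("www."):
            shown_host = _host("http://" + text)
        else:
            shown_host = ""
        if shown_host and shown_host != href_host:
            reasons.append(f"shows {shown_host} but goes to {href_host}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
            reasons.append("target is a bare IP address")
        if "window.status" in link["onmouseover"].lower():
            reasons.append("onMouseOver rewrites the status bar")
        if reasons:
            findings.append({"href": link["href"], "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_MAIL):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the sample, the first two links are reported (the second with all three reasons) and the help link produces no finding. The status-bar check is worth keeping even though modern browsers ignore window.status: mail still circulates that was built for clients which honoured it, and its presence alone marks a message as hostile.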
A quick check on the destination reveals the following:
inetnum: 211.8.0.0 - 211.19.255.255
netname: JPNIC-NET-JP
descr: Japan Network Information Center
inetnum: 211.9.254.112 - 211.9.254.127
netname: INTER-BIZ2
descr: Interbusiness,Inc
country: JP
Finally, this message also includes suspicious image-retrieving links to non-Washington Mutual websites, such as PayPal, indicating the recycling of older scam code.
Message Three
The third incarnation, received a few days later on December 30, 2004, looks identical to the second message when opened in an email/HTML client, with two exceptions: the "respond by" date is January 10 instead of January 7, and the "mouse over" functionality is broken. The latter makes the scam attempt look much less realistic, as the link visibly points to:
http://210.103.105.224/.wamu/index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=
Which is registered to:
inetnum: 210.102.64.0 - 210.103.255.255
netname: KRNIC-KR
descr: KRNIC
descr: Korea Network Information Center
Unfortunately for the author of this version, due to formatting errors in the HTML code the “mouse over” trick used by the last iteration does not work correctly (see Appendix A to view additional carriage returns saved into the code) and the message will not display as intended in a web mail client (it simply shows up as HTML, which is unlikely to entice a reader to divulge personal information). It is possible that someone with nefarious intentions received this email, attempted to change a few parameters to have it point to their own server, and mistakenly saved the code with the errors.
Message Four
Also received on December 30, 2004, this message appears to be identical to the previous two, with a different destination (an address belonging to a US company) and recycling the date of January 7, 2004 as the deadline for responding. The destination for this scam is:
OrgName: AEROSPACE INTEGRATION CORP
OrgID: AIC-82
Address: 5555 JOHN GIVENS RD
City: CRESTVIEW
StateProv: FL
PostalCode: 32536
Country: US
As of January 5, 2005 there was no web site available at this address. Google's cache shows the company's page being there as of December 29, 2004 [7]. The company's site, aicworld.com, currently shows a default Apache installation page. It is quite likely that someone compromised the server, used it as the host for the scam, and was soon discovered, resulting in the site being taken down temporarily.
Message Five
Reminiscent of Message One, message 5 simply changes the destination host while keeping a nearly identical path, now taking a user to:
http://aquaforcepspump.com/wamu/accounts/update/avncenter/bsda6gwcv7zfcwfcwf34gfwf23g235f134f3fg3f&bhdfahva68532hbhwseBayISAPI.dllPaymentLanding&ssPageName=hhpayUSf&=userhgads&secure&ssl7r2vbd7d88klmnogh.htm
Attempts to research the domain aquaforcepspump.com show it registered to an individual in the US, with the registration information last updated on December 24, 2004 [8]. However, there is no page up for this domain, nor is there a placeholder where a WHOIS link indicates there may be one.
Message Six
On January 5, 2005, another “Washington Mutual” message arrived. It has the same text as previous versions of the message, including the poor grammar and spelling of the last sentence. This version, beyond having a new destination for the phony update page, has a different overall look, changing the highlighting and images that are pulled into the HTML message.
The destination in this case was a site owned by American Camping Association (ACA). The ACA hosts their site through:
OrgName: 1-800-HOSTING, Inc.
This is an Apache-based web server like Aerospace Integration Corp’s site and may have been compromised.
This email does not attempt to use the “mouse over” trick from message 2. It does, however, pull two images from Yahoo pages. The first is a gray bar at the top of the message. This bar is hyperlinked to the real WaMu login page. The second image is a thin line at the bottom of the email.
The HTML shows signs of being crafted with Microsoft’s FrontPage Editor, as the META tags for this product are visible in the code.
Message Seven
January 6, 2005 brought the most interesting of the scam attempts. This message embeds the request for personal information directly into the email body, without redirecting a user to a phony page or even pulling a phony page into the e-mail’s body. This means there is no URL that will appear in the status bar at the bottom of a browser or email client.
Certainly the downfall of this scam is the poor grammar and spelling, which would make many readers suspicious. However, the mistakes are not so glaring as to be obvious to someone reading the message in a hurry. As in previous messages, the Washington Mutual logo is lifted from their actual web page once the message is open.
The link triggered by the button will open the real Washington Mutual home page, which may put users at ease if they click the button as a “trial run” before inputting personal financial information.
The code reveals a few clues that undermine the scam. These include the destination of the account data: yourinternetzone.com. This domain is registered by MELBOURNE IT, LTD (Australia) to:
Domain Name.......... yourinternetzone.com
Creation Date........ 2004-12-01
Registration Date.... 2004-12-01
Expiry Date.......... 2005-12-01
Organisation Name.... Maryland Nurses Association
Organisation Address. 16489 hinds rd
Organisation Address. holley
Organisation Address. 14470
Organisation Address. NY
Organisation Address. UNITED STATES
The owner of the block:
OrgName: Inktomi Corporation
OrgID: INKT
Address: 4100 East Third Avenue
City: Foster City
StateProv: CA
PostalCode: 9440
Country: U
NetRange: 68.142.192.0 - 68.142.255.255
This is an especially tricky attempt (except for the spelling errors) to steal account information from readers. It is these types of scams that will likely drive every business to abandon email requests of customers, as most vendors have already announced.
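To show how the embedded-form technique of Message Seven can be caught before anyone reads the mail, the following Python script (an added example, not the report's own code) parses a raw MIME message with the standard library, finds every form in its HTML parts, lists the fields that ask for account data, and checks whether the form posts anywhere other than the domain claimed in the From: header. The raw message is constructed for this example: the From: address, the logo path and the field names are made up, and collector.example.net stands in for the real collection host named above.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed raw message (not the actual Message Seven): the From: header
# claims the bank, the HTML part carries the form, and the form posts off-site.
RAW_MESSAGE = b"""From: "Washington Mutual" <security@wamu.com>
To: customer@example.com
Subject: Urgent: confirm your account details
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please open this message in an HTML-capable mail client.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<img src="http://www.wamu.com/images/logo.gif">
<form method="post" action="http://collector.example.net/submit">
Account number: <input name="acct"><br>
PIN: <input type="password" name="pin"><br>
<input type="submit" value="Confirm">
</form>
</body></html>
--b1--
"""

# Field names that suggest the form is asking for credentials or card data.
SENSITIVE = re.compile(r"pin|pass|ssn|card|acct|account|cvv", re.I)


class FormCollector(HTMLParser):
    """Record each <form> with its action, method and input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": a.get("method", "get").lower(), "fields": []}
        elif tag == "input" and self._form is not None:
            self._form["fields"].append((a.get("name", ""), a.get("type", "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def audit_message(raw: bytes) -> list:
    """Parse a raw message and report every form that would submit account data."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"]))[1]
    sender_domain = sender.rpartition("@")[2].lower()
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = FormCollector()
        collector.feed(part.get_content())
        collector.close()
        for form in collector.forms:
            host = (urlsplit(form["action"]).hostname or "").lower()
            sensitive = [name for name, kind in form["fields"]
                         if kind == "password" or SENSITIVE.search(name)]
            findings.append({
                "action": form["action"],
                "action_host": host,
                "method": form["method"],
                "claimed_sender_domain": sender_domain,
                "sensitive_fields": sensitive,
                # Off-site if the form posts anywhere but the claimed sender's domain.
                "offsite": bool(host) and host != sender_domain
                           and not host.endswith("." + sender_domain),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_message(RAW_MESSAGE):
        print(f"form posts to {finding['action_host']} (claimed sender "
              f"{finding['claimed_sender_domain']}), off-site={finding['offsite']}, "
              f"sensitive fields={finding['sensitive_fields']}")
```

Because the From: header is trivially forged, the comparison here only establishes that the message is inconsistent with its own claim, which is enough to quarantine it; a form in a mail body asking for a PIN or password is a strong enough signal on its own.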
Arming Users
To prevent a user (or relative) from falling victim to such tricks, it is important to educate them with regards to phishing: what it is, what tricks are commonly employed, and where they can go to research an email they find suspicious.
Reviewing papers such as this can provide a good foundation for learning the multitude of tactics criminals take in efforts to harvest personal information. Although reviewing the HTML itself is too technical and laborious for the average email user, a quick reading of the examples presented herein may be all that is required to stimulate suspicion the next time an “urgent request” hits their inbox.
It’s also advisable to give users a list of resources to use when investigating an email request. This ranges from simply employing critical thinking skills through checking fraud databases around the Internet. The following items are a good start:
Never provide personal information through email-based forms. ANY request for financial or personal data should be scrutinized and assumed to be phony until proven otherwise.
Sources to use when checking a presumed email/request source:
1) Check the request yourself by typing the institution's web address into the browser rather than clicking a link in the message (even if the link "looks OK").
2) Fraud Watch International: http://www.fraudwatchinternational.com
3) The Office of the Comptroller of the Currency: http://www.occ.treas.gov/
4) The Anti-Phishing Working Group: http://www.antiphishing.org/resources.html
5) Internet Fraud Complaint Center: http://www.ifccfbi.gov/index.asp
6) FTC's Fraud Alerts: http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm
The ease with which such scams are crafted (using tools available to almost every modern PC user) and the success they have found thus far ensures that phishing attempts will continue to appear. Arming users with knowledge of the latest tactics and resources for scam verification is the best defense. Infectionvectors.com provides many resources that can serve as the basis for awareness training for multiple malware issues, including email security. See http://www.infectionvectors.com for more information.
[1] Washington Mutual's Email Scam Alert Page: http://www.wamu.com/personal/welcome/security.htm#emailscam
[2] The Office of the Comptroller of the Currency's phishing information page: http://www.occ.gov/consumer/phishing.htm
[3] One good resource for an ASCII conversion chart: http://www.jimprice.com/jim-asc.htm
[4] Sprintlink listed as a known spammer: http://www.spambag.org/cgi-bin/spambag?record=sprintlink. For the curious, the website that appears on port 80 at http://65.167.130.126/ is Acrony.com ("Acronyms Made Funny").
[5] While researching the latest events for this paper, the inclusion of this scam at Fraud Watch was noted: http://www.fraudwatchinternational.com/fraud_alerts/041110_3457_washmu.htm
[6] Although outside the scope of this brief paper, one method of beating a spam filter is to poison it with un-spam-like phrases. In this case, by adding things like "in 1958 in 1921 Prom Hairstyles in 1842" the scammer hopes to generate a number of false positives and ultimately force administrators to loosen the filtering. For more information on this subject see "How to beat an Adaptive Spam Filter", John Graham-Cumming, Sophos (PowerPoint presentation): http://www.jgc.org/SpamConference011604.pps
[7] Google search showing the cached aicworld.com site: http://www.google.com/search?hl=en&lr=&q=http%3A%2F%2Fwww.aicworld.com%2F
[8] Aquaforcepspump.com registration information: http://www.whois.sc/aquaforcepspump.com
Additional Resources
Washington Mutual’s Home Page
Washington Mutual scams catalogued on Mail Frontier’s site: http://www.mailfrontier.com/threats/advisories/2004-11/wamu_04110203/04110203_advisory.html
Mail Frontier’s Phishing Awareness Test http://survey.mailfrontier.com/survey/quiztest.html
Copyright © 2004 infectionvectors.com. All rights reserved.