web developer & system programmer

coder . cl

ramblings and thoughts on programming...


identifying phishing email

published: 17-09-2009 / updated: 17-09-2009
posted in: rants, sysadmin, tips
by Daniel Molina Wegener

Phishing is a criminal activity. I’ve recently received an electronic mail with one of those phishing attempts. Surely I’ve ignored since I know how to read the electronic mail headers and some other useful information that comes in electronic mails. The Wikipedia refers to it as:

In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

This time — I usually receive those electronic mails — I’ve received an important announcement from a Chilean bank, but really it was a phishing attempt. How do I know that? It appears to be quiet real, but what is behind all those pretty and trustful words?

phishing message

The electronic have a plain text format. Yes! is not a binary format like Micro$oft Word or another kind of electronic format. This format has standard basis from the RFC 5322, and looks pretty similar on every message you sent and you receive. As the RFC 5322 standarizes the message format, the message format is as follows:

A message consists of header fields, optionally followed by a message body. Lines in a message MUST be a maximum of 998 characters excluding the CRLF, but it is RECOMMENDED that lines be limited to 78 characters excluding the CRLF. (See section 2.1.1 for explanation.) In a message body, though all of the characters listed in the text rule MAY be used, the use of US-ASCII control characters (values 1 through 8, 11, 12, and 14 through 31) is discouraged since their interpretation by receivers for display is not guaranteed.

Well, message headers are an important task while we are examining the message. You can view the original message by saving your email as plain text and looking at it with any text editor. Find a menu with View Source, View Message Source, View Raw Message, Save As (…plain text), and similar options to take a look on the message source. Well, this phishing mail has some interesting headers, such as the Received header, which indicates how the mail message was received by MX servers or mail servers:

Received: (qmail 12145 invoked by uid 1552); 14 Sep 2009 08:38:10 -0000
Received: from virtual1.webair.com (virtual1.webair.com [216.130.161.111])
    by mail07.ifxnetworks.com with SMTP id 9f9zhdib52zaavt9vaiekajna6;
    for dmw@unete.cl;
    Mon, 14 Sep 2009 08:38:10 +0000 (GMT)
    (envelope-from monitor@santander.cl)
Received-SPF: None; receiver=mail07.ifxnetworks.com;
    client-ip=216.130.161.111; envelope-from=<monitor@santander.cl>;
    helo=virtual1.webair.com
X-Avenger: version=0.7.9; receiver=mail07.ifxnetworks.com;
    client-ip=216.130.161.111; client-port=2914;
    syn-fingerprint=32768:58:1:60:M1380,N,W0,N,N,T FreeBSD 4.8-5.1 (or MacOS
    X); data-bytes=0

My electronic mail address which received the phishing mail, is hosted at IFX Networks, so the final receiver — from top to bottom — was the ****.ifxnetworks.com server. Electronic mail routes can be longer that this one, but you can read as final receiver from top to the initial receiver to bottom. WOW! What a surprise!, the initial client is 216.130.161.111, let see from where comes that IP address…

[www@quake ~]$ geoiplookup 216.130.161.111
GeoIP Country Edition: US, United States

[www@quake ~]$ nslookup 216.130.161.111
Server:         200.62.2.180
Address:        200.62.2.180#53

Non-authoritative answer:
111.161.130.216.in-addr.arpa    name = virtual1.webair.com.

WOW!, the client comes from USA, not a Chilean sender! and matches with Spam Filter receiver at IFX: helo=virtual1.webair.com. Why a Chilean bank wants to send an important advice from foreign servers? it smells like pure phishing. Now let me see what are indicating the NIC servers from that domain:

[www@quake ~]$ whois webair.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

WEBAIR.COM.BR.GAROTAEXECUTIVO.COM
WEBAIR.COM

Hhhmmm… looks like a Brazilian domain ;). Looking at the real entry: GAROTAEXECUTIVO.COM.

Registrant:
   Executivo
   Rua: Executivo 3333
   Sao Paulo, Sao Paulo  01313000
   BR

   Registrar: DOTSTER
   Domain Name: GAROTAEXECUTIVO.COM
      Created on: 24-OCT-07
      Expires on: 24-OCT-09
      Last Updated on: 04-OCT-08

   Administrative, Technical Contact:
      Club, Executivo  postmaster@postmaster.com
      Executivo
      Rua: Executivo 3333
      Sao Paulo, Sao Paulo  01313000
      BR
      551122334455

Yeah! it’s a Brazilian one! Now, looking for all those URLs to make me fall in the fraudulent activity of phishing, where I’ve found three interesting URLs:

  • hxxp://www.santander.cl/estilos/2008_08/bitmaps/santander.gif
    WOW!, it points to an image at the Chilean bank — I’ve replaced the t for x intentionally — and surely this will make some believe some people that the electronic mail is quiet real.
  • hxxps://www.officebanking.cl/images/porque.gif
    WOW!, it points to an URL of the same bank but using the HTTPS protocol, this will make a possible client to believe that is pointing to the real bank, since many email clients asks for the site certificate. Interesting.
  • hxxp://www.fpfa.esp.br/imagens/campeoes/st2.php
    WOW!, the full URL to the phishing site! I’ve not opened the URL, and I don’t know what is behind it :B

The piece of code with the link to the phishing web site in the body of the message:

<span class="style10">
                                            <a target="_blank"
href="http://www.fpfa.esp.br/imagens/campeoes/st2.php">
                        <img
src="https://www.officebanking.cl/images/ingresar.gif"
align="middle" border="0" width="65"
height="21"></a></span>

conclusions

  • You can not trust in banking electronic mail until you strongly verify the electronic mail.
  • You can not enter any site with your financial institution logos without verifying the URL bar.
  • Google permits to download the message source.
  • Use a good electronic mail client, for example Thunderbird has good advices on spam and phishing.
  • Certainly the www.fpfa.esp.br site was cracked, and was used for phishing activities, and I’ve blocked it in my browser.
  • Those virtual1.webair.com servers are widely opened to be used by spammers, and I’ve added them to my blacklist.


one comment to “identifying phishing email”

  1. Just landed on this place via Google seek. I love it. This post change my percept and I am acquiring the RSS feeds. Cheers Up.

post a comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>