12.16.05
Much Ado About Scam Emails
Among the more annoying things to get in your inbox are these phishing scams. You’ve probably seen them before: your eBay account is about to be terminated, or your bank needs you to confirm some change. Of course, these emails play on people’s inherent trust that what they read in an email is true. For most people, it’s best just to delete the offending email, but how can they recognize it, and what can they do about it?
Let’s first take a look at the email as it appears in the mail client. The client I’m using is Mozilla Thunderbird 1.5; it’s nice to see clients starting to recognize phishing scams like this.
Thunderbird has automatically sanitized the email for my safety, but I’m sure it would have been official looking with nice graphics and whatnot. It’s covered up in the picture, but there’s a spoofed “@ebay.com” return email address. We can also see some of the legal jargon they use to make it look more official. If you mouse over the link that says “click here”, the URL it forwards you to is “http://62.68.180.125/ebay/login4101/”, a bare IP address rather than an ebay.com hostname. That’s your first clue that it’s a scam.
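The check a mail client makes on that link can be written down in a few lines. The following is an added example, not code from the original post or from Thunderbird: it compares the visible anchor text with the real target, flags a bare IP address, a host outside the domain the mail claims to be from, and a path that name-drops the brand on a foreign host. The claimed-domain list and the sample link are constructed for this example.

```javascript
// Added example (not from the original post): score a link from a mail body the
// way a phishing filter does, by comparing what the reader sees with where the
// link really goes. The claimed-domain list and sample link are constructed.

// Domains the message claims to come from (constructed for this example).
const CLAIMED_DOMAINS = ["ebay.com"];

// True when hostname is a dotted-quad IPv4 literal such as 62.68.180.125.
function isIpv4Literal(hostname) {
  return /^(?:\d{1,3}\.){3}\d{1,3}$/.test(hostname);
}

// True when hostname is `domain` itself or one of its subdomains.
function belongsTo(hostname, domain) {
  return hostname === domain || hostname.endsWith("." + domain);
}

// Inspect one link: `href` is the real target, `text` is the visible anchor text.
// Returns the reasons the link looks suspicious (an empty array means none found).
function checkLink(href, text) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return ["href is not a valid URL"];
  }
  const host = url.hostname.toLowerCase();
  const reasons = [];

  if (isIpv4Literal(host)) {
    reasons.push(`target host is a bare IP address (${host})`);
  }
  if (!CLAIMED_DOMAINS.some(d => belongsTo(host, d))) {
    reasons.push(`target host ${host} is not under any claimed domain`);
  }
  // A foreign host whose path name-drops the brand, like /ebay/login4101/
  for (const d of CLAIMED_DOMAINS) {
    const brand = d.split(".")[0];
    if (!belongsTo(host, d) && url.pathname.toLowerCase().includes(brand)) {
      reasons.push(`path mentions "${brand}" but host is ${host}`);
    }
  }
  // Visible text that is itself a URL pointing at a different host
  try {
    const shown = new URL(text);
    if (shown.hostname.toLowerCase() !== host) {
      reasons.push(`visible text shows ${shown.hostname} but target is ${host}`);
    }
  } catch {
    // plain text such as "click here": nothing to compare
  }
  return reasons;
}

// Constructed sample modelled on the link in the post.
const SAMPLE_LINK = { text: "click here", href: "http://62.68.180.125/ebay/login4101/" };

for (const r of checkLink(SAMPLE_LINK.href, SAMPLE_LINK.text)) {
  console.log(`${SAMPLE_LINK.text} -> ${SAMPLE_LINK.href}: ${r}`);
}
```

Note that the spoofed “@ebay.com” return address is deliberately not used as evidence: a From line is trivially forged, which is why the check anchors on where the link actually goes rather than on who the mail says it is from.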
At this point, we’d delete the email and move on with our lives, knowing our eBay account information is still safe. But is the little vigilante voice in your head telling you to find the people who did this and send them to the eternal fires of Hell? Well, we won’t go quite that far, but there are some things we can do. It’s off to WAR!
As any military leader will tell you, the most important thing before engaging the enemy is to do reconnaissance. So let’s do some information gathering to find out a little more about our scammer. Time to venture into enemy territory (before trying this yourself, always make sure you have some security set up). Clicking on the link takes us to the scammer’s web page.
It looks pretty official. Even the links take you back to actual eBay pages. What he wants you to do is enter your account name and password in those fields, and then it’s game over. Let’s take a look at part of the page source.
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"><meta content="Microsoft FrontPage 5.0" name="GENERATOR"><script language=javascript>eval(unescape("%77%69%6E%64%6F%77%2E%73%74%61%74
%75%73%3D%22%65%42%61%79%20%2D%20%54%68%65%20%57%6F%72%6C%64
%27%73%20%4F%6E%6C%69%6E%65%20%4D%61%72%6B%65%74%70%6C%61%63
%65%22%3B%5F%64%77%3D%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74
%65%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%3D%6E%75%6C
%6C%3B"));
Looks to be obfuscated JavaScript, so on its own it’s not going to be of much help. Going to the root address of the site shows our scammer has made a mistake: we see the default Apache page included with Fedora Core. Now we know what operating system and web server he uses. Moving on.
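The eval(unescape("...")) wrapper above is percent-encoding, not encryption, so the script can be read without ever running it. The block below is an added example and not code from the original post or the scam page: it re-implements the legacy unescape() decoding, pulls every eval(unescape("...")) argument out of a page source, and prints what the decoded snippet does. The percent-encoded string is the one shown in the post; the surrounding script tag and the helper names are constructed.

```javascript
// Added example (not from the original post): decode the eval(unescape("..."))
// payload from the phishing page's source statically, without running it. The
// percent-encoded string is the one shown in the post; the helpers are mine.

// The encoded argument as it appears in the post (line breaks joined).
const ENCODED =
  "%77%69%6E%64%6F%77%2E%73%74%61%74%75%73%3D%22%65%42%61%79%20%2D%20%54%68%65%20%57%6F%72%6C%64" +
  "%27%73%20%4F%6E%6C%69%6E%65%20%4D%61%72%6B%65%74%70%6C%61%63" +
  "%65%22%3B%5F%64%77%3D%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74" +
  "%65%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%3D%6E%75%6C" +
  "%6C%3B";

// Constructed stand-in for the page source: the script tag from the post.
const SAMPLE_SOURCE =
  '<script language=javascript>eval(unescape("' + ENCODED + '"));</script>';

// Same decoding the legacy unescape() does: %XX -> one char, %uXXXX -> one UTF-16 unit.
function unescapeLegacy(s) {
  return s
    .replace(/%u([0-9A-Fa-f]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/%([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Find every eval(unescape("...")) in a page and return the decoded arguments.
// Nothing is evaluated; the text is only decoded so it can be read.
function decodeEvalUnescape(html) {
  const re = /eval\s*\(\s*unescape\s*\(\s*"([^"]*)"\s*\)\s*\)/g;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) found.push(unescapeLegacy(m[1]));
  return found;
}

// Plain-language notes on what a decoded snippet does (simple pattern checks).
function describe(decoded) {
  const notes = [];
  const status = decoded.match(/window\.status\s*=\s*"([^"]*)"/);
  if (status) notes.push(`sets the browser status bar to "${status[1]}"`);
  if (/document\.write\s*=\s*null/.test(decoded)) notes.push("replaces document.write with null");
  return notes;
}

for (const snippet of decodeEvalUnescape(SAMPLE_SOURCE)) {
  console.log(snippet);
  for (const n of describe(snippet)) console.log(" -", n);
}
```

Decoded, the snippet sets window.status to the eBay slogan and saves a copy of document.write before nulling it out. Overwriting the status bar text was a common trick when browsers still honoured window.status, since it covers up the real link target the reader would otherwise see on hover; current browsers ignore assignments to window.status, so this part of the page no longer has any effect.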
Another great tool for us to use is DNSStuff.com. The result below is a WHOIS lookup on the scammer’s IP address.
% Information related to '62.68.180.0 - 62.68.180.255'
inetnum: 62.68.180.0 - 62.68.180.255
netname: ENTERNET
descr: ADSL lines of Enternet 2001 Ltd.
country: HU
admin-c: ENT2-RIPE
tech-c: ENT2-RIPE
status: ASSIGNED PA
remarks: INFRA-AW
notify: ********@enternet.hu
mnt-by: ENTERNET-MNT
changed: *************@enternet.hu 20040216
source: RIPE
person: Enternet Hostmaster
address: Enternet 2001 Ltd.
address: H-1134 Budapest
address: Csango u. 8.
address: HU
phone: +36 1 888 2001
fax-no: +36 1 888 2099
e-mail: ********@enternet.hu
nic-hdl: ENT2-RIPE
notify: ********@enternet.hu
mnt-by: ENTERNET-MNT
changed: *************@enternet.hu 20031118
source: RIPE
Some more good information. The HU country code and the .hu TLD (top-level domain) on the contact addresses mean the web server resides in Hungary. Going to the enternet.hu website reveals they are an ISP, and if the information is correct, our scammer is hosted on a broadband ADSL line.
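Reading WHOIS output by eye is fine for one lookup, but the same fields are what an abuse report needs every time. The block below is an added example, not code from the original post or from DNSStuff.com: it parses RIPE-style “key: value” output into records, handles both properly separated objects and the run-together form shown above (a new object starts at inetnum, person, and similar keys), and pulls out the range, country, network name and the contact the allocation points to. The sample text reproduces the lookup from the post with its masked addresses; the abuse-mailbox field it looks for is part of later RIPE output and is absent here.

```javascript
// Added example (not from the original post): parse RIPE-style WHOIS output into
// records and pull out the fields a defender needs for an abuse report. The
// sample text reproduces the lookup shown in the post (masked addresses kept).
const SAMPLE_WHOIS = `% Information related to '62.68.180.0 - 62.68.180.255'
inetnum: 62.68.180.0 - 62.68.180.255
netname: ENTERNET
descr: ADSL lines of Enternet 2001 Ltd.
country: HU
admin-c: ENT2-RIPE
tech-c: ENT2-RIPE
status: ASSIGNED PA
remarks: INFRA-AW
notify: ********@enternet.hu
mnt-by: ENTERNET-MNT
changed: *************@enternet.hu 20040216
source: RIPE
person: Enternet Hostmaster
address: Enternet 2001 Ltd.
address: H-1134 Budapest
address: Csango u. 8.
address: HU
phone: +36 1 888 2001
fax-no: +36 1 888 2099
e-mail: ********@enternet.hu
nic-hdl: ENT2-RIPE
notify: ********@enternet.hu
mnt-by: ENTERNET-MNT
changed: *************@enternet.hu 20031118
source: RIPE
`;

// Keys that open a new RIPE object even when no blank line separates objects.
const OBJECT_KEYS = new Set(["inetnum", "inet6num", "person", "role", "organisation", "route"]);

// Parse into an array of { type, fields }; repeated keys (address:) become arrays.
function parseWhois(text) {
  const records = [];
  let cur = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trimEnd();
    if (line === "" || line.startsWith("%")) { // comment or separator line
      if (cur) { records.push(cur); cur = null; }
      continue;
    }
    const m = line.match(/^([A-Za-z0-9-]+):\s*(.*)$/);
    if (!m) continue; // anything that is not key: value is ignored here
    const [, key, value] = m;
    if (OBJECT_KEYS.has(key) && cur) { records.push(cur); cur = null; }
    if (!cur) cur = { type: key, fields: {} };
    const f = cur.fields;
    if (f[key] === undefined) f[key] = value;
    else if (Array.isArray(f[key])) f[key].push(value);
    else f[key] = [f[key], value];
  }
  if (cur) records.push(cur);
  return records;
}

// Summarise the allocation: range, country, netname, and who the records point to.
function summarize(records) {
  const net = records.find(r => r.type === "inetnum" || r.type === "inet6num");
  const contactId = net ? (net.fields["admin-c"] || net.fields["tech-c"]) : undefined;
  const contact = records.find(r => r.fields["nic-hdl"] === contactId);
  const email = contact ? contact.fields["e-mail"] : undefined;
  return {
    range: net ? (net.fields.inetnum || net.fields.inet6num) : null,
    country: net ? net.fields.country : null,
    netname: net ? net.fields.netname : null,
    descr: net ? net.fields.descr : null,
    contactName: contact ? (contact.fields.person || contact.fields.role) : null,
    contactEmail: email || null,
    contactDomain: email ? email.split("@")[1] : null,
    // Present in later RIPE output (abuse-c / abuse-mailbox), absent in this 2005 lookup.
    abuseMailbox: records.map(r => r.fields["abuse-mailbox"]).find(Boolean) || null,
  };
}

console.log(summarize(parseWhois(SAMPLE_WHOIS)));
```

With the masked addresses in the post, the summary still yields the contact domain (enternet.hu), which is where the abuse@ address in the next paragraph comes from.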
Now that we have all this information, what can we do about it? One thing we can do is send an email to abuse@enternet.hu and hope somebody does something about it. This is the internet equivalent of “telling mommy”, so the likelihood of someone taking action is very small. Other possibilities are, to use a euphemism, extra-legal. I’ll be purposefully vague about how to do this, but since we know what operating system he runs, we could test whether he’s diligent about applying security patches, the ultimate purpose being to gain control of the system and make it unusable for the scammer. Or we could deny traffic coming into his site by overloading it with bogus connection attempts. In the end, though, it’s probably best just to leave internet vigilantism to the professionals, or the law.
If we have the time, in future articles, we might talk about overall systemic changes to email, such as requiring the use of cryptography and message hashing, to make sure our emails are secure and private.