Phishing

Here are some real professional attempts directed at me:

#1 Question: The link takes you to a site where a bot is downloaded, but how do you investigate this?  Answer: Try viewing the source and see where the link actually points.

[Image: Zimbra]

#2

Note that I have disabled the hyperlinks so that no one inadvertently follows them. Up top is the email body I received, and below it is the HTML source revealed by “View Source” or “View Encoding”. Note that the picture is no longer available on the web. I particularly draw your attention to the chase.com URL that is displayed in my email, whereas the actual HTML wants to take me to: http://sheltonscustomhuntingrifles.com/catalog/images/CreditUnion/update_card.htm

[Image: https://chaseonline.chase.com/content/ecpweb/sso/image/chaseNew.gif]

From: security@creditunion.coop
Sent: Wednesday, October 05, 2005 6:54 PM
To: loobyjam@hvcc.edu
Subject: Your account has been limited

 

Dear loobyjam@hvcc.edu ,

Due to the merger of Chase and Bank One, we have made changes to our Web site. In order for the Web site upgrade to be effective for your service, we had to suspend your online access and you will need to re-enroll in Chase Online, unless you have recently completed an update process that was prompted by chase.com (or are otherwise notified).

To re-enroll, click on the link below and follow the prompts:

Email Hyperlink: https://chaseonline.chase.com/chaseonline/signup/sso_signup_filter.jsp?LOB=RBGLogon

During enrollment, you may be asked to provide information about either your Bank One or Chase accounts and to read and accept our most recent Online Services Agreements. When you re-enroll, your transaction history, scheduled transfers, Personal Bill Pay Payees, and payment history will automatically follow you.

If you do not re-enroll your online access will remain suspended and you will not be able to view your accounts or process or schedule transactions online until you have completed the re-enrollment process. While your online access is suspended, you will remain an Chase Online customer, and scheduled transactions will be processed in accordance with our service agreement, unless you or we terminate the service. Fees, if any, will be charged during the suspension period.

We want to assure you that any scheduled transactions (payments and transfers) will be made while your online access is suspended. If you need to schedule, change, or cancel any transactions, re-enroll in Chase Online.

Thank you for choosing Chase for your online banking needs.
And remember to re-enroll to continue your online access – it’s fast and easy!

Sincerely,

Chase Online Banking

Member FDIC.

© 2005 JPMorgan Chase & Co

 

Let’s look at the message’s HTML representation, obtained when I view source. I have edited (shortened) it for your convenience.

 

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<BODY><B>From:</B> security@creditunion.coop<BR><B>Sent:</B> Wednesday, October
05, 2005 6:54 PM<BR><B>To:</B> loobyjam@hvcc.edu<BR><B>Subject:</B> Your
account has been limited<BR><IMG height=641
src="http://www.trance.ws/stuff/cu.gif" width=774 useMap=#top border=0
name=top0> <MAP name=top><AREA shape=RECT coords=216,525,375,540
href="http://sheltonscustomhuntingrifles.com/catalog/images/CreditUnion/update_card.htm"></MAP></BODY></HTML>

#3

Be very careful, as this email found its way through our HVCC spam filter.  If you want a fun learning experience, paste the following link into both Internet Explorer and Mozilla Firefox for an eye-opening security lesson. *At this point in time Firefox would tell you it was a fraudulent Web site whereas IE would let you proceed to get harmed.*

___________________________________________

From: Paypal Security Departament [mailto:dpt@ppl.srv.com]
Sent: Monday, September 24, 2007 6:07 PM
To: sarubjos@hvcc.edu
Subject: Confirms that you have paid for this product

We recorded a payment request from “Internet Safe-Shopping -ebay.com-” to enable the charge of $ 93.12 on your account.

Because the order was made from an european internet address, we put an Exception Payment on transaction id #PayPal-P2415 motivated by our Geographical Tracking System.

THE PAYMENT IS PENDING FOR THE MOMENT.

If you made this transaction or if you just authorize this payment, please ignore or remove this email message. The transaction will be shown on your monthly statement as “Internet Safe-Shopping -ebay.com-“.

If you didn’t make this payment and would like to decline the $ 93.12 billing to your card, please follow the link below to cancel the payment:

Email Hyperlink: Cancel this payment (transaction id #PayPal-P2415)

Real hyperlink in the source (but see below): “http://www.stadtserver.de/cms/hp/id/127/content/index.html”

NOTE: Because email is not a secure form of communication, please do not reply to this email.

© Copyright 1995-2007 PayPal Inc. All Rights Reserved.

____________________________________________

Analysis:

http://www.stadtserver.de/cms/hp/id/127/content/index.html

Thus it’s somewhere in Denmark, but you immediately get redirected to:

http://mkhair.hostmarx.com/uploads/-/PayPal/updates/us/webscr.php?cmd=_login-run

You can view an email link’s properties by right-clicking on the link and selecting Edit Link. Here the link text “Cancel this payment (transaction id #PayPal-P2415)” points to http://www.stadtserver.de/cms/hp/id/127/content/index.html
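The manual check used in examples #2 and #3, comparing what the message shows with where its markup points, can be run over the raw HTML, including the image-map `AREA` link in #2 that has no visible text at all. This Python code is an added example, not part of the original page: `LinkCollector`, `audit` and the `claimed_domain` parameter are names chosen here, the example #2 markup is abridged from the page, and the `<a>` tag for example #3 is constructed around the page's URL.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect each clickable target with the text the reader actually sees."""
    def __init__(self):
        super().__init__()
        self.links = []    # entries: [tag, href, visible_text]
        self._open = None  # the <a> entry currently being read

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if href and tag in ("a", "area"):  # <area>: image-map region, no text
            self.links.append([tag, href, ""])
            self._open = self.links[-1] if tag == "a" else self._open

    def handle_data(self, data):
        if self._open is not None:
            self._open[2] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None

def host(url):
    try:
        return (urlsplit(url.strip()).hostname or "").lower()
    except ValueError:  # malformed URL in attacker-controlled text
        return ""

def audit(html, claimed_domain):
    """Return (tag, href, reason) for every link that leaves claimed_domain."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for tag, href, text in parser.links:
        target = host(href)
        shown = host(text) if "://" in text else ""
        if shown and shown != target:
            findings.append((tag, href, f"text shows {shown}, target is {target}"))
        # exact host or true subdomain only, so "chase.com.x.example" is flagged
        elif not (target == claimed_domain or target.endswith("." + claimed_domain)):
            findings.append((tag, href, f"target {target} is outside {claimed_domain}"))
    return findings

# Abridged markup from example #2; the <a> tag for example #3 is constructed.
SAMPLE_2 = ('<IMG src="http://www.trance.ws/stuff/cu.gif" useMap=#top><MAP name=top><AREA '
            'href="http://sheltonscustomhuntingrifles.com/catalog/images/CreditUnion/update_card.htm"></MAP>')
SAMPLE_3 = '<a href="http://www.stadtserver.de/cms/hp/id/127/content/index.html">Cancel this payment</a>'
```

`audit(SAMPLE_2, "chase.com")` and `audit(SAMPLE_3, "paypal.com")` each return one finding, because neither target host belongs to the brand the message claims to come from.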