Managed Solutions » Phishing

Twitter Phishing DM and Fake Twitter Website in the Wild

Joe Hackman — Sun, 15 Jan 2012 06:06:41 +0000

Please be very careful following any hyperlinks on Twitter. Tonight I received a direct message from someone I am following on one of my accounts. The message includes a link to a fake Twitter website that appears to be the way this user was originally compromised. Watch the video (updated 1/16/2012) if you want to see exactly how it looks and works.

Browser doesn’t show flash or video not displaying? You can also view it on Youtube.

Updated 1/14/2012 10:25PM UTC-8: Chrome is already reporting the URL in the video as a suspected phishing site.

Updated 1/15/2012 7:05PM UTC-8: The fake site is still up and running. I decided to go and report it to the ISP, unfortunately it’s in China and they probably won’t do anything about it.

Updated 1/16/2012 11:33PM UTC-8: This thing is picking up steam in spite of efforts to build awareness. If you receive one of these messages be sure to tell the person who sent it to you to change their twitter password. Presently whoever is pharming these accounts is not locking the owner out by changing the password. This could change at any point. Also just keep in mind if you use the same password for multiple things you should change the others also as this password list is likely to circulate in nefarious circles. Here is a Tweet spotted tonight after just glancing at the Twitter stream.

Updated 1/17/2012 2:39PM UTC-8: Surprisingly something simple that would be dead if it wasn’t hosted in China (any ISP in the USA/Western Countries would have taken this site offline within 6-8 hours) appears to be gaining steam. A coalition of humorous and fed up folks setup a gag site about it. I won’t ruin it for you, you can check it out at didyouseewhattheysaid.com. I will say this, I got a chuckle out of it.

Dr. Dan wants to buy Real Estate (Phishing)

Joe Hackman — Thu, 12 Aug 2010 15:40:29 +0000

We’re paid to be paranoid here at Managed Solutions. When this message arrived in my inbox today it was a rarity. Rare because it is one of very few phishing Emails that have bypassed my anti-spam mechanisms. Phishing is a process by which a criminal pretends to be a legitimate entity in an effort to gain passwords, identity, bank account or other private data. Here is the text of the message:

I am interested in purchasing a private residence in your country or in any country you are well-acquainted with.

The Property must be located in a well-reserved,serene,secure and highly-hygienic environment because I am most particular about the safety and sound health of my family.
I wish to make this transaction with you in a very secret and confidential manner due to my position as a cabinet minister here in my country Ghana.

Therefore,upon response from you I will connect you with my agent here whom I trust so much to represent my interest in this purchase.franciskweme2007@[hidden].com
Thank you and accept my kindest regards,

Dr. dan

Want to complete this article?

What issues do you see with the text of this message and why would I assume that it is a Phishing Email? Complete this story via comment and we’ll feature your comment as a part of the article and link back to your website.

We have a winner, David Schur completed the article via this comment on Facebook:

David Schur – I’ll take a shot Joe.
1) does not address you by name. Nobody will buy your house, or send you millions of dollars without knowing who the heck you are
2) Total lack of pii. If this was legit, they would know your address, which is the relevant pii in this case. My bank or cc includes the last 4 digits of my account to let me know the email is real.
3) Typo’s…when will the phishers learn that simply hiring a native english speaker to proofread would make a difference (maybe there is ba business opportunity here)
4) simple common sense…to good to be true = false…100% of the time

This won’t work for a real hack…but luckily phishers these days never invest in data that connects your email to any meaningful form of pii…luckily axiom 4 will ALLWAYS be true

Joe’s comment – I really like David’s rule #4, I think Phishers best tool is exploiting people’s greed. Also David had no desire to have a link back to anywhere so I asked him what Charity he likes, here is his response:

“American Red Cross…when bad stuff happens they get my money…then I can safely and with good conscience ignore the inevitable scam charity emails” – David Schur

Anatomy of a Phishing Email

Joe Hackman — Mon, 14 Jun 2010 06:23:11 +0000

I encountered a great opportunity this evening, the opportunity to share an inside look of a Phishing Email. What is Phishing?

“In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.” – Wikipedia

What I noticed was an Email purportedly from Bank of America telling me that there was an “Account Resolution Required”:

Message in Outlook Allegedly from Bank of America

I scanned over to the preview pane and noticed that it had a link that appeared to be correct, so I hovered over the link to see if the link was spoofed and to no big surprise, it was. Here is how the message looked in my preview pane, I did not download pictures because that is a popular way for spammers/crooks to confirm Email addresses of their targets/victims:

Full Phishing Email Screenshot

Let me further clarify in lay terms, the link that reads:

https://www.bankofamerica.com/home/1244618/ddjdfdkfi126.aspx?screenid=Update_Acct

is actually:

http://prostyle-esports.nl/index.php

and this is evident when I hover over, or place my mouse cursor on the “alleged” link. This is a tactic you can use to check links you are unsure of. However I should clarify that it doesn’t always work. There have been occasions where this has been spoofed effectively typically it has to do with the Email client or Browser and security patches on your computer.

Testing the Link

Using a test environment I pasted the link to see what the target site looked like:

Blocked - Forgery

I was pleased to see it had been blocked, this saved me the time of researching and Emailing the Internet Provider involved. After confirming this I used “properties” on Outlook to get the header information, there is a lot of information but plenty of clues to let me know that this message was not authentic (had everything else appeared right, which most certainly the SSL certificate warning would have popped up unless it was an unprecedented forgery!). Here are a few of the more obvious lines I parsed from the headers:

Received: from User ([82.128.0.69]) by post.strato.de (mrclete mo25) (RZmta
23.3) with ESMTP id 20016am5E507CT ; Mon, 14 Jun 2010 07:43:29 +0200 (MEST)
Reply-To:
From: Bank of America

In the above examples, you can see that the message replay and from don’t match and that the mail server is post.strato.de not a likely mail server for Bank of America (perhaps for Deutsche Bank next time guys?). Also after running the IP address of the sender 82.128.0.69 on Arin.net I was able to determine that it was a European Address (which I had already figured due to the .de domain on the mail server, but it was further validation):

Output of Arin.net Whois - RIPE

There are a lot of ways to spot fraudulent/Phishing Emails. Our advice to our clients is if they are not 100% certain we recommend they forward the messages to us for analysis. Most of these kinds of messages are blocked and we don’t see them, but if something doesn’t look quite right it probably isn’t.

ADP Warns of Phishing Emails to Payroll Clients

Joe Hackman — Wed, 27 Jan 2010 00:08:35 +0000

We were made aware of an issue that ADP is reporting with some of their Payroll customers. Here is the text of the warning message they are sending their clients:

“ADP is receiving reports of a phishing email scam targeting ADP EasyPayNet clients who perform their payroll via the Internet. Phishing email scams are designed to mimic legitimate websites and are intended to compromise your login credentials. The email is fraudulent and did not come from ADP. Please immediately delete the email and do not click on any links in the email or enter any login information. Please be aware that ADP would never send an email asking you to provide or enter your login credentials for any reason.”

Here is a screenshot of the Phishing Email:

Sample of ADP Phishing Email

Warning Facebook Phishing Email

Joe Hackman — Thu, 10 Dec 2009 17:07:21 +0000

Today I noticed a peculiar Email message from Facebook in my Quarantine. A quick investigation confirmed what I had suspected, it was a phishing attempt to compromise my Facebook account or other personal information. This video demonstrates what this message looked like and how the URL in the link gave away that it was not Facebook but in fact a .me.uk address:

Phisher Shutdown

Joe Hackman — Fri, 31 Aug 2007 05:03:37 +0000

This morning I happened to get a Phishing message from the contact form on this website. It was carefully crafted and was devised to obtain routing and bank information to most certainly relieve us of any and all funds in the account. When I went to investigate the site, I quickly learned that it had already been removed from the dns records of the hosting provider – precisely what I had intended to inform them of. Someone had already reacted to this would be phisher and stopped them in their tracks. This is always nice to see because often times when we do something as a responsible netizen administrators of websites and hosting companies lack the resources to respond and address the threats.