
Page 1: Example of a “Phishing,” Email and Web Site ECE6612 - Communications Network Security Prof. John A. Copeland Georgia Tech

Example of a “Phishing,” Email and Web Site

ECE6612 - Communications Network Security

Prof. John A. Copeland

Georgia Tech

Page 2:

[Screenshot]

Page 3:

[Screenshot]

"http://marketingsolutions.chesterfieldsofuk.com/yadsecure/"

Page 4:

[Screenshot]

The phony password you typed did not work, and clicking "Forgot Your Password" brought you here, a real Yahoo Web page.

Had the password been valid, you would have ended up logged in to the real Yahoo Web site, because the phishing page passes your credentials on to Yahoo after recording them; "they" would then have your username and password, and you would have seen nothing unusual.

Page 5:

Return-Path: <[email protected]>
Received: from mail.ee.gatech.edu (mail.ee.gatech.edu [130.207.225.105])
	by imap.ece.gatech.edu (Cyrus v2.3.13) with LMTPA; Thu, 08 Jan 2009 10:50:39 -0500
X-Sieve: CMU Sieve 2.3
Received: from karmalarm1.cniweb.net (karmalarm1.cniweb.net [208.234.169.217])
	by mail.ee.gatech.edu (8.14.0/8.13.7) with ESMTP id n08FoZcJ018478
	for <[email protected]>; Thu, 8 Jan 2009 10:50:36 -0500 (EST)
Received: from localhost.localdomain ([69.59.131.172])
	(authenticated bits=0)
	by karmalarm1.cniweb.net (8.13.7/8.13.7) with ESMTP id n08Fm1ss028343
	for <[email protected]>; Thu, 8 Jan 2009 10:48:10 -0500 (EST)
Date: Thu, 8 Jan 2009 10:48:10 -0500 (EST)
Message-Id: <[email protected]>
From: "YAHOO MARKETING SOLUTIONS" <[email protected]>
To: <[email protected]>
Subject: SERVICES EXPIRED
Content-type: text/html; charset=us-ascii

Look at the "source code" of the HTML email, starting with the headers. Each mail server prepends its own Received: line, so the chain reads newest (our side) at the top and oldest (the sender) at the bottom. Only the Received: lines written by our own servers (imap.ece.gatech.edu, mail.ee.gatech.edu) can be trusted; anything below them was written by the other side and could be forged.

Sending host (the innermost Received: line): localhost.localdomain [69.59.131.172], which authenticated to the relay ("authenticated bits=0"), so either a stolen account or a relay that lets anyone authenticate.

Sender's mail server (the first hop outside Georgia Tech, as recorded by our own server): karmalarm1.cniweb.net [208.234.169.217].
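The header walk described above, as an added example that is not part of the lecture slides. RAW_MESSAGE is a constructed copy of the headers shown on this page; "[email protected]" is the address placeholder as it appears in the transcript, not a real mailbox, and the trusted-domain suffix passed to first_untrusted_hop is an assumption about which servers are ours.

```python
"""Walk an e-mail's Received: chain to find where it really came from."""
import email
import re

# Constructed copy of the headers on the slide (added example, not lecture code).
RAW_MESSAGE = """\
Return-Path: <[email protected]>
Received: from mail.ee.gatech.edu (mail.ee.gatech.edu [130.207.225.105])
\tby imap.ece.gatech.edu (Cyrus v2.3.13) with LMTPA; Thu, 08 Jan 2009 10:50:39 -0500
X-Sieve: CMU Sieve 2.3
Received: from karmalarm1.cniweb.net (karmalarm1.cniweb.net [208.234.169.217])
\tby mail.ee.gatech.edu (8.14.0/8.13.7) with ESMTP id n08FoZcJ018478
\tfor <[email protected]>; Thu, 8 Jan 2009 10:50:36 -0500 (EST)
Received: from localhost.localdomain ([69.59.131.172])
\t(authenticated bits=0)
\tby karmalarm1.cniweb.net (8.13.7/8.13.7) with ESMTP id n08Fm1ss028343
\tfor <[email protected]>; Thu, 8 Jan 2009 10:48:10 -0500 (EST)
Date: Thu, 8 Jan 2009 10:48:10 -0500 (EST)
From: "YAHOO MARKETING SOLUTIONS" <[email protected]>
To: <[email protected]>
Subject: SERVICES EXPIRED
Content-type: text/html; charset=us-ascii

(body omitted)
"""

# One Received: line looks like "from <helo> (<rdns> [<ip>]) ... by <server> ...".
# The "(<rdns> [<ip>])" part is what the receiving server saw on the wire; the
# <helo> name is whatever the sender claimed.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*"
    r"(?:\((?:(?P<rdns>[^\s\[\]()]+)\s*)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)"
)


def received_chain(raw):
    """Return the hops in delivery order: originating host first."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(hdr.split())          # unfold the continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue                          # e.g. "Received: by ..." with no "from"
        hops.append({
            "helo": m.group("helo"),
            "rdns": m.group("rdns"),          # None when the relay had no PTR record
            "ip": m.group("ip"),
            "by": m.group("by"),
            "authenticated": "(authenticated" in text,
        })
    hops.reverse()                            # headers are prepended, so last = first hop
    return hops


def in_domain(host, suffixes):
    host = (host or "").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def first_untrusted_hop(hops, trusted_suffixes):
    """Walk from our own servers outward and return the first hop whose sending
    host is outside the trusted domains. That is the last fact we can rely on;
    every hop below it was written by the other side and may be forged."""
    for hop in reversed(hops):                # newest (our side) first
        if in_domain(hop["by"], trusted_suffixes) and \
           not in_domain(hop["rdns"] or hop["helo"], trusted_suffixes):
            return hop
    return None


if __name__ == "__main__":
    hops = received_chain(RAW_MESSAGE)
    for n, hop in enumerate(hops, 1):
        print(f"hop {n}: {hop['helo']} [{hop['ip']}] -> {hop['by']}"
              f"{'  (authenticated)' if hop['authenticated'] else ''}")
    edge = first_untrusted_hop(hops, ("gatech.edu",))   # assumption: our servers
    print("claimed origin :", hops[0]["ip"])
    print("last trusted   :", edge["ip"], "via", edge["by"])
```

The two answers differ on purpose: hops[0] is the 69.59.131.172 host that karmalarm1 says it accepted the message from, while first_untrusted_hop gives 208.234.169.217, the server our own mail server actually talked to. The second is evidence; the first is a lead to be checked.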

Page 6:

~ copeland$ nslookup 208.234.169.217   (original email server)

Non-authoritative answer:
217.169.234.208.in-addr.arpa	name = karmalarm1.cniweb.net.

Authoritative answers can be found from:
169.234.208.in-addr.arpa	nameserver = ns1.cniweb.net.
ns1.cniweb.net	internet address = 208.218.214.4

~ copeland$ whois cniweb.net

Creative Network Innovations
6905 N. Wickham Road
Melbourne, FL 32940
US

Administrative Contact, Technical Contact:
    Creative Network Innovations, Inc.   [email protected]
    6905 N WICKHAM RD
    MELBOURNE, FL 32940-2031
    US
    321.259.1984   fax: 321.242.1965

To install whois on a PC: http://members.shaw.ca/nicholas.fong/dig/

Page 7:

On what network was the sending host (probably a "bot," a compromised PC)?
--------------------------------------------------------

~ copeland$ host 69.59.131.172
mail.irv2.com.

~ copeland$ whois irv2.com   (the domain in the sending host's reverse-DNS name; a whois of the IP address itself would name the network operator)

Registrant:
    Social Knowledge, LLC
    3523 McKinney Ave #419
    Dallas, Texas 75204-1401
    United States

Page 8:

<x-html><!x-stuff-for-pete base="" src="" id="0" charset="">
<html><body>
<table border="0" width="37%" height="227">
 <tr>
  <td width="100%" height="221" valign="top">
   <img border="0" src="http://marketingsolutions.chesterfieldsofuk.com/yadsecure/images/logo.gif" >
   <p><span class="treb">Dear Client,<br> <br>
   Your Yahoo Marketing Solutions account has expired. You must renew it immediately or your account will be closed. If you intend to use this service in the future, you must take action at once!<br> <br>
   To continue <a href= "http://marketingsolutions.chesterfieldsofuk.com/yadsecure/"> click here</a>, login to your Yahoo Marketing Solutions account and follow the steps.<br> <br>
   Thank you for using Yahoo Marketing Solutions!<br>
   Yahoo Marketing Solutions Services Department.</span></p>

Look at the links in the text ("click here"). The visible text says nothing about where a link goes; only the href does, and the mail reader shows it only if you hover over or inspect the link.

Image source: http://marketingsolutions.chesterfieldsofuk.com/yadsecure/images/logo.gif (the Yahoo logo is served from the phishing host, not from Yahoo).

Link target when "click here" is clicked: http://marketingsolutions.chesterfieldsofuk.com/yadsecure/ (the phishing Web page). Note that "marketingsolutions" is a subdomain of chesterfieldsofuk.com; the registered domain, the part that matters, has nothing to do with Yahoo.
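The link check described above, as an added example that is not part of the lecture slides. EMAIL_HTML is a constructed copy of the message source shown on this page (without the mail client's <x-html> wrapper, and with the closing tags the slide truncates added so the sample is well-formed); the brand domain and brand words are assumptions about which brand the message claims to be from.

```python
"""Audit every link and image in an HTML e-mail against the brand it claims to be from."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed copy of the phishing message source (added example, not lecture code).
EMAIL_HTML = """<html><body><table border="0" width="37%" height="227"> <tr>
<td width="100%" height="221" valign="top"><img border="0"
src="http://marketingsolutions.chesterfieldsofuk.com/yadsecure/images/logo.gif" >
<p><span class="treb">Dear Client,<br> <br> Your Yahoo Marketing Solutions account
has expired. You must renew it immediately or your account will be closed. If you
intend to use this service in the future, you must take action at once!<br> <br>
To continue <a href= "http://marketingsolutions.chesterfieldsofuk.com/yadsecure/">
click here</a>, login to your Yahoo Marketing Solutions account and follow the
steps.<br> <br> Thank you for using Yahoo Marketing Solutions!<br>
Yahoo Marketing Solutions Services Department.</span></p></td></tr></table></body></html>"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> and src for every <img>."""

    def __init__(self):
        super().__init__()
        self.links, self.images = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._text = attrs["href"], []
        elif tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def under_domain(host, domain):
    """True for the domain itself and any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def lookalike(host, brand_words):
    """True when a brand word is used in the subdomain labels to dress up an
    unrelated registered name (marketingsolutions.chesterfieldsofuk.com).
    Simplification: assumes a two-label registered name; real code should use
    the public-suffix list so that example.co.uk is handled."""
    labels = host.split(".")[:-2]
    return any(word in label for label in labels for word in brand_words)


def audit_links(html, brand_domain, brand_words):
    """Return every image or link whose host is not under brand_domain."""
    parser = LinkCollector()
    parser.feed(html)
    candidates = [("image", url, "") for url in parser.images] + \
                 [("link", url, text) for url, text in parser.links]
    findings = []
    for kind, url, text in candidates:
        host = host_of(url)
        if not under_domain(host, brand_domain):
            findings.append({"kind": kind, "url": url, "host": host, "text": text,
                             "lookalike": lookalike(host, brand_words)})
    return findings


if __name__ == "__main__":
    # Assumption: the message claims to be from Yahoo Marketing Solutions.
    for f in audit_links(EMAIL_HTML, "yahoo.com", ("yahoo", "marketingsolutions")):
        flag = "brand name in subdomain" if f["lookalike"] else "off-brand host"
        print(f"{f['kind']:5} {f['url']}  text={f['text']!r}  [{flag}]")
```

The same audit applied to a genuine message whose links all sit under login.yahoo.com returns nothing, which is the point: the decision rests on the registered domain in each href, never on the logo, the wording, or the words in the link.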

Page 9:

Look up the domain from the phishing URL (whois):

~ copeland$ whois chesterfieldsofuk.com

DOMAIN: CHESTERFIELDSOFUK.COM
RSP: CdWDesign
URL: http://www.cdwhosting.org

owner-contact:      O-HOU71
owner-organization: House of England
owner-street:       Gildeweg 30
owner-city:         Nootdorp
owner-zip:          2632 BA
owner-country:      NL
owner-email:        [email protected]

The domain hosting this phishing Web site is registered to an organization in the Netherlands. Whois tells you who registered the name, not who controls the server today, so the registrant is the place to start a takedown, not necessarily the culprit. Copies of the page could also be spread over a botnet: with a "fast fluxing" DNS server the phishing hostname resolves to a constantly changing set of bot IP addresses with very short TTLs, so taking down any one host does not take down the site.

Page 10:

From: [email protected] (bomf @116.181.115.82)
To: <[email protected]>
Subject: Support Mccane on our site
Date: Thu, 8 Jan 2009 11:55:10 -0600

When you are aged and never give up, it gives your he confidence, at any chance , at any place,. Visit.

Expanded (HTML source):

<x-html><!x-stuff-for-pete base="" src="" id="0" charset="iso-8859-5"><br/><a href="http://ficenycoajuly.narod.ru">When you are aged and never give up, it gives your he confidence, at any chance , at any place,. Visit.</a></x-html>

From Russia with (no) love.

A simpler "click me" email: the entire body is one link, there is no brand to impersonate, and the .ru host in the href is the only thing the reader has to go on.