example of a “phishing,” email and web site ece6612 - communications network security prof. john...
TRANSCRIPT
Example of a “Phishing,” Email and Web Site
ECE6612 - Communications Network Security
Prof. John A. Copeland
Georgia Tech
QuickTime™ and a decompressor
are needed to see this picture.
QuickTime™ and a decompressor
are needed to see this picture.
"http://marketingsolutions.chesterfieldsofuk.com/yadsecure/"
QuickTime™ and a decompressor
are needed to see this picture.
Your phony password does not work. Clicking “Forgot Your Password” takes you here, a real Yahoo Web page.
If your password did work, you would have been logged in to the real Yahoo Web site (and “they” would have your username and password).
Return-Path: <[email protected]>Received: from mail.ee.gatech.edu (mail.ee.gatech.edu [130.207.225.105])
by imap.ece.gatech.edu (Cyrus v2.3.13) with LMTPA; Thu, 08 Jan 2009 10:50:39 -0500
X-Sieve: CMU Sieve 2.3Received: from karmalarm1.cniweb.net (karmalarm1.cniweb.net [208.234.169.217])
by mail.ee.gatech.edu (8.14.0/8.13.7) with ESMTP id n08FoZcJ018478for <[email protected]>; Thu, 8 Jan 2009 10:50:36 -0500 (EST)
Received: from localhost.localdomain ([69.59.131.172])(authenticated bits=0)by karmalarm1.cniweb.net (8.13.7/8.13.7) with ESMTP id n08Fm1ss028343for <[email protected]>; Thu, 8 Jan 2009 10:48:10 -0500 (EST)
Date: Thu, 8 Jan 2009 10:48:10 -0500 (EST)Message-Id: <[email protected]>From: "YAHOO MARKETING SOLUTIONS" <[email protected]>To: <[email protected]>Subject: SERVICES EXPIREDContent-type: text/html; charset=us-ascii
Look at “source code” of HTML email - headers
Sender info - IP address
Sender mail server - IP address
~ copeland$ nslookup 208.234.169.217 (original email server)
Non-authoritative answer:217.169.234.208.in-addr.arpname = karmalarm1.cniweb.net.
Authoritative answers can be found from:169.234.208.in-addr.arpa nameserver = ns1.cniweb.net.ns1.cniweb.net internet address = 208.218.214.4
~ copeland$ whois cniweb.net
Creative Network Innovations 6905 N. Wickham Road Melbourne, FL 32940 US
Administrative Contact, Technical Contact: Creative Network Innovations, Inc. [email protected] 6905 N WICKHAM RD MELBOURNE, FL 32940-2031 US 321.259.1984 fax: 321.242.1965
To install whois on a PC: http://members.shaw.ca/nicholas.fong/dig/
On what network was the sending host (probably a “bot” compromised PC)?--------------------------------------------------------
~ copeland$ host 69.59.131.172 mail.irv2.com.
~ copeland$ whois irv2.com (ISP of sending host)
Registrant: Social Knowledge, LLC 3523 McKinney Ave #419 Dallas, Texas 75204-1401 United States
<x-html><!x-stuff-for-pete base="" src="" id="0" charset=""><html><body><table border="0" width="37%" height="227"> <tr> <td width="100%" height="221" valign="top"><img border="0" src="http://marketingsolutions.chesterfieldsofuk.com/yadsecure/images/logo.gif" > <p><span class="treb">Dear Client,<br> <br> Your Yahoo Marketing Solutions account has expired. You must renew it immediately or your account will be closed. If you intend to use this service in the future, you must take action at once!<br> <br> To continue <a href= "http://marketingsolutions.chesterfieldsofuk.com/yadsecure/"> click here</a>, login to your Yahoo Marketing Solutions account and follow the steps.<br> <br> Thank you for using Yahoo Marketing Solutions!<br> Yahoo Marketing Solutions Services Department.</span></p>
Look at links in the text (“click here”)
ImageSource
Link, when clicked Web page
~ copeland$ whois chesterfieldsofuk.com
DOMAIN: CHESTERFIELDSOFUK.COM
RSP: CdWDesignURL: http://www.cdwhosting.org
owner-contact: O-HOU71owner-organization: House of Englandowner-street: Gildeweg 30owner-city: Nootdorpowner-zip: 2632 BAowner-country: NLowner-email: [email protected]
This phishing Web site is registered in the Netherlands, but duplicates could be distributed over a botnet if a “fast fluxing” DNS server is used.
Look up URL of Phishing server
From: [email protected] (bomf @116.181.115.82)To: <[email protected]>Subject: Support Mccane on our siteDate: Thu, 8 Jan 2009 11:55:10 -0600
When you are aged and never give up, it gives your he confidence, at any chance , at any place,. Visit.
Expanded<x-html><!x-stuff-for-pete base="" src="" id="0" charset="iso-8859-5"><br/><a href="http://ficenycoajuly.narod.ru">When you are aged and never give up, it gives your he confidence, at any chance , at any place,. Visit.</a></x-html> from Russia with (no) love.
Simple “click me” email