Phishing emails – A working example

Phishing is an attempt to fool a user into disclosing confidential information such as user names, account numbers, and passwords. It can be done in several ways, such as sending an email telling a user that his account will expire. Others do it by spoofing the login page of a particular Web site.

The following examples are phishing emails that dropped into my mailbox.

This email informs a user that someone tried to log in from a foreign IP address using the user’s account. The user is told to go to the link https://www.paypal.com/ to restore account access, or to click the link labeled “click here”.

This is an obvious phishing attempt because (1) I don’t have a PayPal account =P and (2) by hovering the mouse pointer over those links, the text that appears on the status bar is different from what is displayed in the image.

The link https://www.paypal.com/ actually points to {http://ip/horde3/.paypal/index.php?cmd=_login_run}. The “click here” link points to {http://ns1.devil-hosting.com/~xl/paypal/login.html}. The first link doesn’t work, and the second one was blocked by our Web filter software.

The next two images are supposed to be from eBay, and they took a long while to reach my mailbox; the year in the date was 2003!

This email informs the user that his eBay account is to be suspended if he doesn’t update his account information, and gives a link to where he should update. This is a phishing attempt since (1) again I don’t have an eBay account, and (2) the entire email message is just a large image and is clickable. When you hover the mouse pointer over the entire message (even if the text is not a link), you will see that it is clickable. The image points to the address {http://61.33.191.155:680/rock/eBayIsap/}. The address is blocked by our Web filter.

This email is the same as the first one, but the address that the image link points to is different: {http://61.145.119.80/bbs/templates/…/}. The said site is blocked by our Web filter.

These three email messages illustrate a technique in which the message displays a valid-looking URL (or an image) while the underlying link points to a different address.
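The hover check described above can be automated for an HTML message body. The following is an added example, not part of the original post: the names `LinkAuditor`, `host_of` and `audit` are hypothetical, and the sample body is constructed with placeholder hosts rather than the addresses quoted in the post.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit
class LinkAuditor(HTMLParser):
    """Collect href, visible text and image use for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._cur = {"href": dict(attrs).get("href") or "", "text": "", "image": False}
        elif tag == "img" and self._cur is not None:
            self._cur["image"] = True
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(self._cur)
            self._cur = None

def host_of(url):
    return (urlsplit(url.strip()).hostname or "").lower()

def audit(html):
    parser = LinkAuditor()
    parser.feed(html)
    findings = []
    for link in parser.links:
        target, shown, reasons = host_of(link["href"]), link["text"].strip(), []
        # The text shown to the reader is itself a URL, but on another host.
        if shown.lower().startswith(("http://", "https://")) and host_of(shown) != target:
            reasons.append("displayed URL differs from link target")
        try:
            ipaddress.ip_address(target)  # raises ValueError for a host name
            reasons.append("target is a raw IP address")
        except ValueError:
            pass
        # No link text at all: the clickable area is just an image.
        if link["image"] and not shown:
            reasons.append("whole image is the link")
        if reasons:
            findings.append((link["href"], reasons))
    return findings
# Constructed sample body; hosts are placeholders, not the addresses from the post.
SAMPLE = """<p>Restore access at
<a href="http://login.example.net/~xl/paypal/login.html">https://www.paypal.com/</a> or
<a href="http://login.example.net/~xl/paypal/login.html">click here</a>.</p>
<a href="http://203.0.113.7:680/update/"><img src="cid:notice"></a>"""
```

A link whose text is not a URL, such as “click here”, gives nothing to compare against, so it is reported only when one of the other two signs applies. Legitimate mail also uses image links, so treat each finding as a prompt to inspect the target, not as a verdict.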

So be careful when you receive emails like this.

For more information, visit this link.