2006-04-01
Abstract
It is no longer unusual to receive a PayPal phishing email, but over recent months the phenomenon has become increasingly serious as the fake emails and websites set up by those behind the scams have become harder to distinguish from the genuine ones. Sorin Mustaca takes a closer look.
Copyright © 2006 Virus Bulletin
It is no longer unusual to receive a PayPal phishing email, but over recent months the phenomenon has become increasingly serious as the fake emails and websites set up by those behind the scams have become harder to distinguish from the genuine ones.
In this article I will look at why phishing emails take the form of messages from well-known organisations such as PayPal and I will describe some of the most successful attempts that I have seen recently. I will also describe some methods that can be used to detect phishing safely.
I receive a lot of phishing emails every day. The majority are recognized automatically as junk mail by my specially trained Thunderbird mail filter. Thunderbird uses Bayesian filtering techniques to categorize email, and I train the filter engine regularly with large quantities of phishing and spam emails. However, at least once a week, I receive one or more phishing emails that pass through Thunderbird's filter engine unrecognised. What do the phishers write in these emails in order to confuse the filter? And what can be done to improve filtering in order to detect them correctly?
I chose for analysis a phishing email which I found a little more interesting than many others. The email contains a total of six links that point to the fake website www.paymentlanding.com. With so many links, it should be pretty easy to detect this as a phishing email, but at what cost? We have to parse the HTML code inside the email. This uses a lot of resources. Sometimes, of course, the emails come with a high degree of HTML obfuscation (tables, frames, redirects, etc.). So, by including such a large number of links to the fake website, the creators of the mail are either being careless or they are counting on the fact that some filters do not parse HTML emails that are over a certain size.
What I saw in the body of the email was evidence of a very good understanding of social engineering. The creators of this phishing scam wanted to be sure that the mail seemed credible and used a couple of methods to achieve this.
First, they included text under the main body of the mail in a colour that is close to that of the body (#C0C0C0) and with a font size of 2 (small). This makes it appear like an email signature, since email clients often dim the signature text.
Secondly, the text explains a couple of things which are designed to reassure a recipient who might have doubts. It goes like this:
FOR INTERNATIONAL PAYMENTS ONLY: Commissions and Fees incurred by sender: $0.00 Rate of exchange: If and when the Receipt chooses to withdraw these funds from the PayPal System, and if the withdrawal involves a currency conversion, the Recipient will convert the funds at the aplicable currency exchange rate at the time of the withdrawal, and the Recipient may incur a transaction fee.
Very clever. No fees on currency exchange. But it goes further:
RIGHT TO REFUND You, the customer, are entitled to a refund of the money to be transmitted as a result of this agreement if PayPal does not forward the money received from you in 10 days of the date of its receipt, or does not give instructions commiting an equivalent amount of money to the person designated by you within 10 days of the date of the receipt of the funds from you unless otherwise instructed by you.
What else could a customer want? Right to refund, a guarantee offered by PayPal, a 10-day grace period (which is far shorter than the 30-40 working days that is usual for this situation).
At the end of the message, the 'customer' is advised to check his latest payments by clicking on a login link which points to the fake website. Another link is provided should the 'customer' require any help. Again, pointing to the fake website.
In another phishing email, the recipient is advised to check his PayPal account in order to comply with 'some of the most advanced security systems in the world':
Military Grade Encryption is Only the Start
At PayPal, we want to increase your security and comfort level with
every transaction. From our Buyer and Seller Protection Policies to
our Verification and Reputation systems, we’ll help to keep you safe.
PayPal is committed to maintaining a safe environment for its community
of buyers and sellers. To protect the security of your account, PayPal
employs some of the most advanced security systems in the world and
our anti-fraud teams regularly screen the PayPal system for unusual
activity.
[..]
Sincerely,
PayPal Account Review Department
In this email there is only one link to the fake website. This is a trend now - since the beginning of this year, the majority of the phishing emails I have seen have contained only one link. Some of these fake links are very well disguised - for example: http://www.paypal.com.identity-protectionmatters.com/webscr.php?cmd=LogIn.
Many other kinds of social engineering techniques are used within the emails to trick the recipient. Briefly, here are the most common:
The 'customer' account has been suspended - the ‘customer’ is required to take action to reactivate it.
A regular security checkup - the 'customer' is required to verify their account details.
Suspicious activity has been detected in the account - the 'customer' is required to acknowledge transactions.
Transactions have been sent/received - the 'customer' is required to confirm transactions.
Many unsuccessful login attempts have been noted from one or many IP addresses (which are sometimes listed, along with the country where they are located) - the 'customer' is required to check their account.
A password change is requested - the 'customer' is required to verify their account information.
Changes/improvements have been made to the site - the 'customer' is required to check their account.
A new email address has been added to the account (of course, created by somebody else) - the 'customer' is required to verify the account details.
In each of these cases, a link is provided for the recipient to log into their account on the (fake) PayPal website.
An experienced computer user will easily spot most of these scams, but imagine the impact on an inexperienced user who thinks that this has something to do with him. I discussed such emails with a number of less experienced computer users, all of whom asked more or less the same question: 'Why me?' or 'Why did I receive this email, when I don't use PayPal?'.
Of course, the best but not the easiest way to detect a phishing email is to compare the target link with the text displayed by the browser. Normally, you don't have to parse the entire text for this. The easiest way is to use naive Bayesian filtering. But, as I explained before, this doesn't always work, even if we train the filter with thousands of emails. Indeed, even if we add in the statistical filtering, the links to the fake websites and the well-known techniques used to trick the recipients, or to attract them, there are still plenty of other methods to trick the filter. Here are a few of them:
Various obfuscation techniques:
Embedded HTML tables, frames, comments, image areas.
Java Script code.
Text generated using JS code from some encoded content (Base 64, UTF written in hexadecimal).
False redirects using a legitimate website to the fake website. Recently, I've seen many of the links accessed through google.com (this can be done with other search engines).
Neutral text excerpts from books, magazines or random text added in order to confuse statistical filters.
Links to other legitimate websites, not only to the real website they are trying to fake (in our case www.paypal.com). These links are made to look very normal in order to confuse those filters which check the validity of the target links.
Since version 1.5, the email client Mozilla Thunderbird is able to detect email scams. It performs a very simple comparison between the target of the link and the text displayed as target to the client. This is the easiest, and in my opinion, it is the most reliable way of all.
This analysis wouldn't be complete without a real PayPal email. I didn't believe at first that this was actually an original email from PayPal. It is incredible to see so much ignorance. Needless to say, Thunderbird marked the mail immediately as Junk and when I opened it, it also marked the email as 'Email scam'.
After a quick look at the links inside, I understood why it had done this. Here are a couple of them:
www.buch.de goes to http://email1.paypal.de/u.d?QlXpXwcpcUEpepT=171
www.paypal.de/contactus goes to http://email1.paypal.de/u.d?GFXpXwcpcUEpepv=211
http://www.paypal.com/de/privacy goes to http://email1.paypal.de/u.d?YlXpXwcpcUEpepo=221
After seeing this, I opened the source of the email. Here are some links from inside:
http://link.p0.com
http://pics.ebay.com
and the best of all:
http://dm.ebay.de/offline/paypal
Another interesting thing, which had been ignored by Thunderbird, was an email signature, inside the headers of the message:
DomainKey-Signature: a=rsa-sha1;[...]
No wonder, when so many phishy things are inside.
Besides sending ‘'hishy' emails to its customers, PayPal also makes life easy for phishers constructing fake websites. Figure 1 shows the genuine PayPal website (www.paypal.com) at the time of writing this article. As you can see, there is nothing extraordinary about this web page, but if we look at the source code (Figure 3), we can see that most of the pictures on the page are brought in from outside the paypal.com domain. The majority of them come from http://www.paypalobjects.com/. Since this domain is not secure, the pictures can very easily be used in third party websites.
Figure 2 shows a fake website, which looks very similar to the genuine PayPal site. In fact, the images used on the fake website are ones that used to be displayed on the genuine paypal.com website, and which still remain buried on PayPal's servers (try accessing, for example, http://www.paypalobjects.com/en_US/i/header/t1Hdr_hpGraphic_563x115.jpg). How careless, to leave the old pictures there for anybody to access them!
Even if anti-spam/anti-phishing technology advances on a daily basis, it seems that phishing techniques are keeping the pace. Unfortunately the legitimate websites seem to want to make the life of the phishers very easy, by allowing free use of their graphical elements. It is also disappointing to see the seeming inability of legitimate corporations like PayPal, to ensure that the emails they send are non-phishy.
Some phishers are starting to understand that the success of an attack lies not so much in the 'quality' of the forgery, but in the social engineering and localization of their emails. Now, highly targetted emails are being created: the recipient’s email address is included in the email, and some even include the name of the recipient (taken from the email address). Most importantly, the messages are written in the recipient's language.
This gives the phishing emails a larger penetration and makes all users more prone to errors. If the user also happens to have a PayPal account (as, according to PayPal, do 86,600,000 users), then only the security-awareness of the recipient or an anti-phishing tool will prevent him from falling for the scam.