Rack of Ethernet switches.

Analyzing a "Phishing" Scam Attempt

"Phishing" Scams

Phishing refers to a form of social engineering done through e-mail and/or web pages. An attempt to get people to reveal sensitive personal information, usually financial, by masquerading as a bank or similar.


Step 1 — Mail Arrives

Mail arrives, and a typical mail tool takes the naive approach that all the header fields can be believed. The message details would appear to be as follows:

From support@paypal.com Mon Jan 5 11:05:17 2004
Subject: PayPal Account Update
To: bobcromwell@insightbb.com
Reply-To: support@paypal.com
Date: Tue, 6 Jan 2004 01:05:17 +0900

What does the message say? If you take the extremely dangerous step of letting your mail tool render the HTML, here is what you would see:

Entirely Bogus Scam Attempt
PayPal
URGENT: PayPal System Problems
Dear PayPal User,

Today we had some trouble with one of our computer systems. While the trouble appears to be minor, we are not taking any chances. We decided to take the troubled system offline and replace it with a new system. Unfortunately this caused us to lose some member data. Please follow the link below and log into your account to make sure your information is not affected. Account balances have not been affected.

Because of the inconvenience this causes we are giving all users that repair their missing data their next two incoming transfers for free! You will pay no fees for your next two incoming transfers*.
https://www.paypal.com/cgi-bin/webscr/?cmd=_login-run
Thank you for using PayPal!

* - If fees would normally apply, you will not pay anything for the next two incoming transfers you receive.
PayPal Security

PROTECT YOUR PASSWORD
NEVER give your password to anyone and ONLY log in at PayPal's website. If anyone asks for your password, please follow the Security Tips instructions on the PayPal website.

Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your PayPal account and choose the "Help" link in the footer of any page.

Look at that! Real PayPal artwork, some very legitimate looking text, a valid PayPal URL, and even appropriate security warnings.

BUT THAT MESSAGE IS ENTIRELY BOGUS, AN ATTEMPT TO STEAL YOUR PERSONAL INFORMATION!

Let's look at the real header and the actual message data, to see what's going on.


Step 2 — Reading the real mail header

Here is the real mail header. Notice the bold line showing the first SMTP hop.

From support@paypal.com Mon Jan  5 11:05:17 2004
Return-Path: <support@paypal.com>
Received: from sccigwc01.asp.att.net ([63.240.76.150])
          by sccigwc01.asp.att.net
          (InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP
          id <20040105161116.UYJ18214.sccigwc01.asp.att.net@sccigwc01.asp.att.net>
          for <bobcromwell@insightbb.com>; Mon, 5 Jan 2004 16:11:16 +0000
Received: from smerp (unknown[61.80.83.4])
          by sccigwc01.asp.att.net (sccigwc01) with SMTP
          id <20040105161104ig100i9m5ne>; Mon, 5 Jan 2004 16:11:15 +0000
From: "payPal.com" <support@paypal.com>
Subject: PayPal Account Update
To: bobcromwell@insightbb.com
Content-Type: text/html;iso-8859-1
Reply-To: support@paypal.com
Date: Tue, 6 Jan 2004 01:05:17 +0900
X-Priority: 2
X-Library: Indy 8.0.25
Message-Id: <20040105161116.UYJ18214.sccigwc01.asp.att.net@sccigwc01.asp.att.net>
Status: R
X-Status: N
X-KMail-EncryptionState:  
X-KMail-SignatureState:  
X-KMail-MDN-Sent: 

The mail was really sent from 61.80.83.4. Anyone with the GNU version of whois can see that this is a member of a block of 128 IP addresses:

$ whois 61.80.83.4

query: 61.80.83.4

# ENGLISH

KRNIC is not ISP but National Internet Registry similar with APNIC.
Please see the following end-user contacts for IP address information.

IP Address         : 61.80.83.0-61.80.83.127
Network Name       : KORNET-HOTLINE2003061191
Connect ISP Name   : KORNET
Connect Date       : 20031129
Registration Date  : 20031206

[ Organization Information ]
Orgnization ID     : ORG291047
Org Name           : kangmunsik
State              : CHONNAM
Address            : taeintekeu ho 0002 beonji 0042 seomyunseonpyung suncheonsi
Zip Code           : 540-813

[ Admin Contact Information]
Name               : munsik kang
Org Name           : kangmunsik
State              : CHONNAM
Address            : taeintekeu ho 0002 beonji 0042 seomyunseonpyung suncheonsi
Zip Code           : 540-813
Phone              : +82-2-551-5132
E-Mail             : abc017@kt.co.kr

.... lots more deleted ....

If you don't have the GNU version of whois, then use robtex.org.

Look at the difference in the two date fields in the header — here is the simplified header as shown by a typical mail tool one more time:

From support@paypal.com Mon Jan 5 11:05:17 2004
Subject: PayPal Account Update
To: bobcromwell@insightbb.com
Reply-To: support@paypal.com
Date: Tue, 6 Jan 2004 01:05:17 +0900

As per the Date: field, the sending machine seems to think it's in the UTC+9 time zone, which would be in eastern Asia. And given the offset between the timestamps in the Date: and first From fields, that seems to be be the case.


Step 3 — Reading the Real Message

Here is the actual HTML code making up the message body. If you are like me, your mail tool does not render any HTML but just displays the real message contents, as shown below. The only HTML-formatted mail I get is from spammers and scammers. If you are curious about how spammers and scammers try to trick you, then you might want to actually look at the HTML code. Otherwise, just throw away all your HTML-formatted mail.

If someone needs fancy fonts and formatting to get their point across, then apparently they don't know how to write meaningful prose. Reading their text would be a waste of your time.

<html>
<head>
<style type="text/css">
BODY, TD {font-family: verdana,arial,helvetica,sans-serif;font-size:
12px;color: #000000;}
...pp_heading {font-family: verdana,arial,helvetica,sans-serif;font-size:
18px;font-weight: bold;color: #003366;}
</style>
</head>
<xbody bgcolor="#ffffff">
<table width="600"
style="text-align: center;">
<tr style="vertical-align: top;">
<td><A target="_blank"  href="https://www.paypal.com" ><IMG
src="http://images.paypal.com/images/email_logo.gif"  width=255 height=35
alt="PayPal" border='0'></A>
</td>
</tr>
</table>
<table style="width: 100%;">
<tr>
<td bgcolor="336699"><img src="http://images.paypal.com/images/pixel.gif" 
height='25' width="1" border='0'></td>
</tr>
</table>
<table width="600"
style="text-align: center;">
<tr style="vertical-align: top;">
<td width="400">
<table style="width: 100%;">
<tr style="vertical-align: top;">
<td>
<table style="width: 100%;">
<tr>
<td class="pp_heading" style="text-align: left;">URGENT: PayPal System Problems</td>
</tr>
</table>
</td>
</tr>
<tr>
<td>Dear PayPal User,<br><br>Today we had some trouble with one of our
computer systems. While the trouble appears to be minor, we are not taking
any chances. We decided to take the troubled system offline and replace it
with a new system. Unfortunately this caused us to lose some member data.
Please follow the link below and log into your account to make sure your
information is not affected. <i>Account balances have not been
affected.</i><br><br>Because of the inconvenience this causes we are
giving all users that repair their missing data their next two incoming
transfers for free! You will pay no fees for your next two incoming
transfers*.</td>
</tr>
<tr>
<td><table style="text-align: center;
bgcolor=#ffffff;">
<tr>
<td><img src="http://images.paypal.com/images/dot_row.gif" width=390
height=5></td>
</tr>
</table>
</td></tr>
<tr>
<td><table style="text-align: center;
bgcolor=#ffffff;">
<tr><td><a
href="http://www.paypal.com%65%6B%6A%68%61%73%6B%6A%71%70%77%6F%70%77%6F@32%31%31.%36%33.%31%36%32.%39%33:%37%33%30%31/%70%61%79%70%61%6C.%68%74%6D">
https://www.paypal.com/cgi-bin/webscr/?cmd=_login-run</a></td></tr>
</table>
</td>
</tr>
<tr>
<td><table style="text-align; center;
bgcolor=#ffffff;">
<tr>
<td><img src="http://images.paypal.com/images/dot_row.gif"  width=390
height=5></td>
</tr>
</table>
</td>
</tr>
<tr>
<td>Thank you for using PayPal!<br><br><font size="-1">* - If fees would
normally apply, you will not pay anything for the next two incoming
transfers you receive.</td>
</tr>
</table>
</td>
<td><img
src="http://mail.yahoo.com/config/login?/images.paypal.com/images/pixel.gif"
height='1' width="10" border='0'>
</td>
<td style="width: 190px; vertical-align: top;">
<table style="width: 100%;
bgcolor: #cccccc;">
<tr>
<td>
<table style="width: 100%;
bgcolor: #ffffff;">
<tr bgcolor="#eeeeee">
<td colspan="2"><b>PayPal Security</b></td>
</tr>
<tr>
<td colspan="2"><br><i>PROTECT YOUR PASSWORD</i><br>NEVER give your
password to anyone and ONLY log in at PayPal's website. If anyone asks for
your password, please follow the Security Tips instructions on the PayPal
website.<br><br>Please do not reply to this e-mail. Mail sent to this
address cannot be answered. For assistance, log in to your PayPal account
and choose the "Help" link in the footer of any page.<br>
<br>
</td>
</tr>
</td>
</table>
</td>
</table>
</td>
</tr>
</table>
</body>
</html>

Step 4 — Analyzing the Attempted Scam

Now we see their trick! Notice the hyperlink:

<a href="http://www.paypal.com%65%6B%6A%68%61%73%6B%6A%71%70%77%6F%70%77%6F@
  %32%31%31.%36%33.%31%36%32.%39%33:%37%33%30%31/%70%61%79%70%61%6C.%68%74%6D">
https://www.paypal.com/cgi-bin/webscr/?cmd=_login-run</a>

Especially notice the encoded ASCII values: "%65", "%6B", "%6A", and so on. ASCII 0x65 is an "e", ASCII 0x6B is a "k", ASCII 0x6A is an "h", and so on.

Replacing the ASCII encodings with the actual characters changes the hyperlink's target to:

http://www.paypal.comekjhaskjq1pwopwo@211.63.162.93:7301/paypal.htm

Ahah! Connect to TCP port 7301 at IP address 211.63.162.93, asserting identity "www.paypal.comekjhaskjq1pwopwo", and get the file "/paypal.htm".

211.63.162.93 is from a different South Korean IP block.

% whois 211.63.162.93

query: 211.63.162.93

# ENGLISH

KRNIC is not ISP but National Internet Registry similar with APNIC.
Please see the following end-user contacts for IP address information.

IP Address         : 211.63.162.64-211.63.162.95
Network Name       : KORNET-HOTLINE2003239528
Connect ISP Name   : KORNET
Connect Date       : 20031202
Registration Date  : 20031224

[ Organization Information ]
Orgnization ID     : ORG316440
Org Name           : bakinseob
State              : KYONGGI
Address            : sehwajeongmil(ju) ho 0001 beonji 0707 namsabuk yonginsi
Zip Code           : 111-222

[ Admin Contact Information]
Name               : inseob bak
Org Name           : bakinseob
State              : KYONGGI
Address            : sehwajeongmil(ju) ho 0001 beonji 0707 namsabuk yonginsi
Zip Code           : 111-222
Phone              : +82-31-334-1511
E-Mail             : ktmen1@kt.co.kr

Over six months later the page was still available. It was a form asking for:

Nmap said the following about both machines involved in this attempted scam:

# nmap -sS -sV -O -PI -PT 61.80.83.4   

Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-01-08 10:09 EST
Interesting ports on 61.80.83.4:
(The 1636 ports scanned but not shown below are in state: closed)
PORT      STATE    SERVICE       VERSION
25/tcp    open     SMTP          Microsoft ESMTP 5.0.2195.6713
67/tcp    filtered dhcpserver
68/tcp    filtered dhcpclient
80/tcp    open     http          Microsoft IIS webserver 5.0
135/tcp   filtered msrpc
137/tcp   filtered netbios-ns
138/tcp   filtered netbios-dgm
139/tcp   filtered netbios-ssn
443/tcp   open     https?
445/tcp   filtered microsoft-ds
1025/tcp  open     msrpc         Microsoft Windows msrpc
1026/tcp  open     msrpc         Microsoft Windows msrpc
1029/tcp  open     msrpc         Microsoft Windows msrpc
1033/tcp  open     netinfo?
1720/tcp  filtered H.323/Q.931
3372/tcp  open     msdtc         Microsoft Distributed Transaction Coordinator
3389/tcp  open     microsoft-rdp Microsoft Terminal Service (Windows 2000 Server)
4444/tcp  filtered krb524
4899/tcp  open     radmin?
5800/tcp  filtered vnc-http
5900/tcp  filtered vnc
17300/tcp filtered kuang2
Device type: general purpose
Running: Microsoft Windows 95/98/ME|NT/2K/XP
OS details: Microsoft Windows Millennium Edition (Me), Windows 2000 Professional or Advanced Server, or Windows XP

Nmap run completed -- 1 IP address (1 host up) scanned in 99.256 seconds

My guess is that both South Korean Windows machines ran an unpatched version of IIS, susceptible to the directory traversal hack that allows anyone to get remote administrative access. Someone took over two South Korean Windows machines connected to cable modems. One of them spewed out the mail scam. The other harvests sensitive information, and either saves it there for the perpetrator or sends it to some drop-off point.

Who did this? Who knows -- Russian mob, eastern European hackers, Brazilians, could be anyone...


Back to the Security Index