About the Author

Chris Shiflett

Hi, I’m Chris: web craftsman, community leader, husband, father, and partner at Fictive Kin.


Phishing

Phishing seems to be getting more and more popular. This can only mean one thing: it's successful.

The usual scenario goes like this. You receive an email that makes it sound like you need to visit a web site in order to address some security concern with your account. Clicking the link leads you somewhere other than where you intend to go, but the page looks like you expect. For example, a phishing email going around right now links to http://logon.personal.wamu4u.com:280/login/index.php.

Of course, wamu4u.com is not the same as wamu.com, but if enough people receive this email, there are plenty of victims who won't notice (and who will, by coincidence, bank with Washington Mutual). Once you've been tricked into believing that the phishing site is the real thing, you are asked to provide some sensitive information. For example, if you visit the previous URL and attempt to log in, you will arrive at http://logon.personal.wamu4u.com:280/login/check.php.

This page asks for your name, credit card information, and PIN. Once you provide this, you are redirected to http://www.wamu.com/personal/Welcome/Privacy.htm, a page within the legitimate Washington Mutual web site, possibly unaware that you've just given your personal information to a phisher.

Interestingly enough, whois wamu4u.com shows the following:

Domain Name : wamu4u.com
 
::Registrant::
        Name      : Constance Edwards
        Email     : edwards@mail333.com
        Address   : 1094 SE St Patricks Court, Port Orchard, WA
        Zipcode   : 98367
        Nation    : US
        Tel       : +1.302-338-7956
        Fax       : +1.302-338-7956
 
::Administrative Contact::
        Name      : Constance Edwards
        Email     : edwards@mail333.com
        Address   : 1094 SE St Patricks Court, Port Orchard, WA
        Zipcode   : 98367
        Nation    : US
        Tel       : +1.302-338-7956
        Fax       : +1.302-338-7956
 
::Technical Contact::
        Name      : Constance Edwards
        Email     : edwards@mail333.com
        Address   : 1094 SE St Patricks Court, Port Orchard, WA
        Zipcode   : 98367
        Nation    : US
        Tel       : +1.302-338-7956
        Fax       : +1.302-338-7956
 
::Name Servers::
        ns1.spx2k.com
        nsfr1.us2k.net
 
::Dates & Status::
        Created Date   2005-02-10 07:48:01 EST
        Updated Date   2005-02-10 07:48:01 EST
        Valid Date     2006-02-10 07:48:01 EST
        Status         ACTIVE

Because requests for http://wamu4u.com/ return a server error, and because the phishing attack utilizes port 280, it seems quite possible that the legitimate owner of the site is unaware. However, it sure does seem like these attacks would be very easy to track down. Does anyone know what the big targets (banks, eBay, Paypal, etc.) are doing to address this growing concern? What can we, as web developers, do to help?
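The two tells in the URL above (a registrable domain that merely contains the brand name, and an explicit port nobody's bank uses) are mechanical enough to check before anyone clicks. The following is an added example, not code from the original post: a small Python routine that pulls a link apart and reports those findings, plus the "userinfo before the host" trick that puts a real-looking name in front of an `@`. The short two-label suffix set and the `.invalid` hostname used in the demonstration are assumptions made for the example; the wamu4u.com URL is the one quoted above.

```python
from urllib.parse import urlsplit

# Constructed, deliberately short list of public suffixes that span two labels.
# A real deployment would load the Public Suffix List instead; this set is an
# assumption made for the example.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "co.nz"}

# Ports a legitimate web site is expected to use.
STANDARD_PORTS = {80, 443}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname the registrant actually controls.

    'logon.personal.wamu4u.com' -> 'wamu4u.com'; 'a.b.co.uk' -> 'b.co.uk'.
    Naive by design: it only knows the two-label suffixes listed above.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyze_link(url: str, expected_domain: str) -> dict:
    """Compare a link found in an email with the domain the email claims to represent.

    Returns the parsed host, its registrable domain and a list of human-readable
    findings; 'suspicious' is True when at least one finding was recorded.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host) if host else ""
    expected = registrable_domain(expected_domain)
    brand = expected.split(".")[0]  # 'wamu' from 'wamu.com'
    findings = []

    if reg != expected:
        findings.append(f"link goes to {reg!r}, not the expected {expected!r}")
        # Lookalike check: the brand name is present, but inside a domain the
        # brand does not control (wamu4u.com in the post above).
        if brand and brand in host:
            findings.append(f"brand name {brand!r} appears inside a foreign domain")

    if parts.username is not None:
        # In http://www.bank.example@other.example/ everything before '@' is
        # userinfo, not the host, but a casual reader sees the bank's name first.
        findings.append("URL carries userinfo before the host")

    try:
        port = parts.port
    except ValueError:
        # Non-numeric or out-of-range port: malformed on purpose or by accident.
        findings.append("port is not a valid number")
    else:
        if port is not None and port not in STANDARD_PORTS:
            findings.append(f"explicit non-standard port {port}")

    return {
        "host": host,
        "registrable_domain": reg,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    report = analyze_link("http://logon.personal.wamu4u.com:280/login/index.php", "wamu.com")
    for finding in report["findings"]:
        print("-", finding)
```

Run against the phishing URL from the post it reports three findings (foreign registrable domain, brand name inside that domain, port 280); run against the legitimate http://www.wamu.com/personal/Welcome/Privacy.htm it reports none. The suffix handling is the weak spot: without a real public-suffix list, `registrable_domain` would treat `example.co.uk` and `other.co.uk` as the same site unless the suffix is in the set, so a mail filter built on this should load the full list.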

About this post

Phishing was posted on Thu, 17 Feb 2005.

20 comments

1. Chris Shiflett said:

Washington Mutual has information about phishing on their web site:

http://wamu.com/personal/welcome/se...y.htm#emailscam

(I contacted them at the email address provided there.)

Fri, 18 Feb 2005 at 00:53:55 GMT


2. Chris said:

Microsoft, Ebay, Visa and Wholesecurity recently set up the Phish Report Network:

http://www.phishreport.net/

Seems to be ISP based filtering, perhaps a home product will come out as well.

Seems to me that browsers are going to be the solution to this problem. When you visit a site for the first time (ie a banking site) you should be able to click in your browser "TRUST THIS SITE" or something similar. Every time you visit a site that you have previously clicked TRUST THIS SITE there should be a *very* obvious button that this is the case. Then, if you ever visit what looks like your bank site with no TRUST THIS SITE button. Hardly foolproof (malware could add their url to the trusted list) but might well help.

Fri, 18 Feb 2005 at 01:55:53 GMT


3. Jim Plush said:

I've traced a lot of these phishing emails, getting the whois info, cross-referencing that against the registered blocks of IP addresses that server is on, and you get to the ISP, which is usually located in a place where they could care less about taking legal action against these sites.

What you "could" do is get the IP address of the server hosting the site, run a vulnerability scanner like Foundstone's SuperScan or Nessus's version and take down the server with known exploits. Usually you can bring down a few that way and what are they gonna do to you? :)

Fri, 18 Feb 2005 at 01:56:21 GMT


4. Sean Coates said:

I agree: true phishing sucks, and it needs to be stopped.

At work, we send legitimate notices saying "your credit card has expired", and we're worried about looking like phishers (phishermen?).

These notices are completely legitimate - active customers with recurring billing with expired (or soon-to-expire) cards.

Puts us in a tough position.

S

Fri, 18 Feb 2005 at 02:17:35 GMT


5. Geoffrey Young said:

I know it's not foolproof, but legitimate businesses could help inform users a bit better just through some interface changes. For example, if you visit http://www.apache.com/en/ad_software.php and click on the "download apache" button on the right, you are redirected not to where the page wanted you to go (check out the destination URL before you click), but to a site saying where you've been.

It can't be that difficult to trap landings from non-official sites - the apache.com trap is just a RewriteCond/RewriteRule pair.

Fri, 18 Feb 2005 at 02:50:35 GMT
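The "trap" Geoffrey describes keys off the Referer header: a visitor who reaches the login page from a site the bank does not control gets an explanatory page instead. The block below is an added example, not Geoffrey's rule or Apache's, written in Python so the decision logic is visible; the equivalent Apache pair would test `%{HTTP_REFERER}` in a `RewriteCond` and redirect in the `RewriteRule`. The official hostnames, the protected paths and the warning page path are assumptions made for the example.

```python
from urllib.parse import urlsplit, quote

# Assumptions for the example: the bank's own hostnames, the pages worth
# protecting, and the page a diverted visitor is sent to.
OFFICIAL_HOSTS = {"www.bank.example", "bank.example"}
PROTECTED_PATHS = {"/login", "/account/settings"}
WARNING_PATH = "/security/where-did-you-come-from"


def referer_host(referer):
    """Hostname from a Referer header value, or None if it is absent or unparseable."""
    if not referer:
        return None
    try:
        return urlsplit(referer).hostname
    except ValueError:
        # e.g. an unbalanced '[' in the netloc; treat as no usable referer
        return None


def landing_decision(path, referer):
    """Decide how to answer a request for `path` that arrived with `referer`.

    Returns (status, location): (200, path) to serve the page as usual, or
    (302, warning_url) to divert the visitor to a page that says where they
    came from. The warning page carries the foreign host as a query parameter
    so the bank can show it to the user and log it.
    """
    if path not in PROTECTED_PATHS:
        return 200, path

    host = referer_host(referer)
    # No Referer at all (typed URL, bookmark, privacy setting, or a phisher who
    # simply never redirects): there is nothing to judge, so serve the page.
    if host is None:
        return 200, path

    if host.lower() in OFFICIAL_HOSTS:
        return 200, path

    return 302, f"{WARNING_PATH}?from={quote(host)}"


if __name__ == "__main__":
    # The referer below is the phishing URL quoted in the post.
    print(landing_decision("/login", "http://logon.personal.wamu4u.com:280/login/index.php"))
    print(landing_decision("/login", None))
```

Two caveats that matter in practice. First, as Chris notes in a later comment, the phisher can defeat the trap by never redirecting the victim to the real site, and browsers routinely suppress Referer, so the absence of a header must be treated as neutral rather than hostile; this is a signal for the visitor and for the bank's logs, not an access control. Second, the diverted host name ends up in a URL and on a page, so it is quoted before being embedded and should be escaped again by whatever renders the warning page.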


6. Adam Trachtenberg said:

The eBay IE Toolbar has a section that turns red when you land on a known phishing site. eBay also tries to educate people to let them know that if an e-mail asks for anything like a password or an account number, then it's always going to be a scam.

Fri, 18 Feb 2005 at 06:07:19 GMT


7. Chris Shiflett said:

Education is good, but it doesn't seem like a complete solution. It might be the best solution, since I can't think of a good technical one, but I'm curious to know whether eBay considers this a large enough problem to warrant some further research.

Fri, 18 Feb 2005 at 06:22:52 GMT


8. Chris Shiflett said:

Geoff, that's cool. I like it. :-)

Of course, it's easy enough to avoid by never redirecting to the real site. That seems like an unnecessary part of the attack anyway, even if it does help to cover things up a bit.

Fri, 18 Feb 2005 at 06:24:16 GMT


9. Aaron Wormus said:

While this isn't an answer to the problem, these guys are taking down phishers by running up their bandwidth bill.

http://www.aa419.org/content/gallery.php

Fri, 18 Feb 2005 at 09:14:45 GMT


10. Chris Shiflett said:

Another interesting resource:

http://www.antiphishing.org/

Fri, 18 Feb 2005 at 09:57:26 GMT


11. Jim Plush said:

Perhaps a better way to actually solve the issue is to have "certified" sites. Much like IE verifies SSL certs.

Financial Institutions, Government Sites, etc would need to register as a certified site and IE and other browsers could download cert info from a trusted resource.

A big red X would appear somewhere in the browser letting the user know it's not a certified site. Something like that perhaps.

Fri, 18 Feb 2005 at 17:40:00 GMT


12. Ilia Alshanetsky said:

I don't see phishing as a developer problem. It has to do with consumer awareness, which can be aided by things like the Netcraft toolbar that keeps an up to date database of phishing sites, and similar plugins for other browsers. It is also a legal problem, whereby the companies whose sites are getting phished should take the time to go after the scammers to the full extent of the law. This would not only create a deterrent but also reduce the overall number of phishing sites available.

Things like SSL only sound nice, because an average consumer is not going to notice a little icon or the difference between http:// and https://. There is also nothing to prevent ANYONE from getting a valid SSL cert; on average a per-IP cert costs <$100, a small expense for a scammer trying to swindle people out of thousands of dollars.

Fri, 18 Feb 2005 at 20:00:01 GMT


13. Chris said:

The quickest way to spot fake emails is in the body.

Dear Customer (FAKE)

Dear Christopher (because they have your details from when you signed up)

Sat, 19 Feb 2005 at 23:18:44 GMT


14. Jeff McWilliams said:

It is unlikely that this person (Constance Edwards) is unaware that her domain is being used, unless it is something such as an unscrupulous son, hubby or boyfriend doing it without her knowledge. This person has numerous domain names registered. We have been receiving a large volume of spam recently that came from 3 of these domains. We added /index to the .com and 2 of them take us to the exact same "unsubscribe form":

http://www.aimarcoal.com/index

http://www.ectoolmanib.com/index

http://www.wamu4u.com

::Registrant::
        Name      : Constance Edwards
        Email     : edwards@mail333.com
        Address   : 1094 SE St Patricks Court, Port Orchard, WA
        Zipcode   : 98367
        Nation    : US
        Tel       : +1.302-338-7956
        Fax       : +1.302-338-7956

Thu, 31 Mar 2005 at 12:17:33 GMT


15. Kyle Yoti said:

Also impressive is how each of those 'unsubscribe' pages automatically posts the data submitted to 'error.php' - it's amazing, they know prematurely that you're going to enter fake details. Wish that same mentality worked on themselves.

Mon, 04 Apr 2005 at 08:04:31 GMT


16. Jeff McWilliams said:

After calling Directory Assistance, I was informed that there is NO LISTING for Edwards at the address listed in the WhoIs information.

The websites are all hosted with:

Registrant: NA
        Profsoyuznaya 25-1, 31
        Moscow, MSK 123109
        RU
        +7.0956995731
        Fax:+61.294750668

Domain Name: DDAGRANIALE.COM

Administrative Contact:
        Zhamelgo, Alexandr alexzhamelgo@mail.ru
        Profsoyuznaya 25-1, 31
        Moscow, MSK 123109
        RU
        +7.0956995731
        Fax:+61.294750668

Technical Contact:
        Zhamelgo, Alexandr alexzhamelgo@mail.ru
        Profsoyuznaya 25-1, 31
        Moscow, MSK 123109
        RU
        +7.0956995731
        Fax:+61.294750668

Record last updated 03-24-2005 02:04:59 AM
Record expires on 03-21-2006
Record created on 03-21-2005

Domain servers in listed order:
        FIRST.DDAGRANIALE.COM 222.47.183.53
        SECOND.DDAGRANIALE.COM 61.156.239.204
        THIRD.DDAGRANIALE.COM 200.149.11.64

Mon, 04 Apr 2005 at 12:01:34 GMT


17. Kevin Altepeter said:

I know what I think should be done to stop PHISHING. I saw it said here that certain ISPs don't care about these vermin of the internet using their services. Some of these are no doubt vermin themselves. A world-wide system needs to be developed to enforce stopping PHISHING by putting serious penalties on ISP servers that don't take serious steps to stop these people from getting online. When a PHISHING scam is located on a server, that ISP needs to be given notice of the problem and that they have "x" time to eliminate it. If they don't take action as warned, their entire server access to the www needs to be terminated for a specific amount of time, progressively getting larger on each offence until they are out completely. ISPs are allowing these vermin to exist; some unintentionally, but others intentionally. The ISPs must be forced to police those that are allowed to use their services or not be allowed to be ISPs. Once big business customers start having their web sites shut down enough times, this will force ISPs to either do what it takes to block out these internet scam vermin from using their services, or the loss of business income revenue to providers that are doing things right will put them out of business.

Sun, 30 Oct 2005 at 19:46:08 GMT


18. Phisher Blacklist said:

Have you contacted WHOIS-PHISHING.COM?

This is a group of investigators who have a massive phisher blacklist. They are excellent at tracking and locating phishers.

You'll find they can help you.

Thu, 04 May 2006 at 01:11:04 GMT


19. Phisher Blacklist said:

http://www.whois-phishing.com

Thu, 04 May 2006 at 01:15:51 GMT


20. Orlando D said:

Because of the accessibility of the internet, it is mostly used in scams. You would receive letters in your email telling you that you have to pay a certain bill when the truth is you never even purchased or received any service from them. Or you would receive a message telling you that you won a million dollars in a lottery, and a lot of other too-good-to-be-true messages. Internet scams are all over the place. Internet scams range from non-existent sellers on eBay that take your money and run, to scammers posing as payday loans lenders or mortgage refinancers. The short term loan scams are particularly insidious. They promise you a short term loan, and demand a fee to secure it. Well, that only secures you a loss of your money. If it happens to you, don't panic. Contact authorities to let them know about it, including both law enforcement officials and the Better Business Bureau. Hopefully you won't have to get short term loans to undo the damage from internet scams.

http://personalmoneystore.com/money...n-scams-caught/

Fri, 17 Apr 2009 at 09:36:20 GMT

