I just received the most clever and scheming phishing attempt of my long Internet career. Addressed to me, from a seemingly legitimate Suntrust Bank email address, I received the following image:
Now, how did I know it was fake right away? I don’t have a Suntrust bank account! But if I did, and I weren’t totally paranoid, I would have clicked the link.
But see, I am totally paranoid. Usually, before I click a link in any e-mail, even from companies with which I do business, I copy the link from my email program to the clipboard, so I can examine it. One of the basic tactics of phishing is to display an image or a link that lets the user believe they are going to one URL, when, in fact, the phisher is sending them to quite another location, one that is likely set up to steal the victim's identity, money or both. Also, I sometimes like to remove uniquely identifying information, such as identifiers in URLs that are going to link me to a specific cookie and so on. That's just me.
Anyway, I control-clicked on the URL displayed in the email, pasted it into the location bar in my web browser and, sure enough, it matched the URL in the message, which would normally indicate a legitimate e-mail:
Now that I’ve entered it here, I see the one weird spelling error in the URL. But it took me a few times to notice it. Something was still amiss because, remember, I am not a Suntrust customer. I didn’t hit enter to visit the site, figuring something was really, really sketchy here.
I did a whois on the domain name suntrust.com. Perhaps, I thought, Suntrust uses something like Suntrustbank.com, and this is just a clever put-on by some domain pirates. So I entered http://www.suntrust.com into my web browser and, sure enough, I saw Suntrust’s website.
Finally, I just went to the URL in the clipboard, which resulted in a 404 (file not found) error. Curious, that. But not as curious as the fact that I was starting to think that perhaps a phisher had forgotten to change the URLs to reflect their malevolent will.
Finally, I decided to look at the mail message headers, which probably should have been done up front, but curiosity about this particular phisher's intentions got the best of me. When going to pull up the “View Long Headers” option, I saw the “View Raw Source” menu item just below it in Mail.app (the Macintosh mail program), so I clicked it.
Sure enough, the extent of the phisher's genius was revealed. Not only were the headers forged (a given), but the following markup was hidden in the “link”:
<html><p><font face="Arial"><a hREF="http://www.suntrust.com/personal/Checking/OnlineBanking/Inerenet_Banking/security.asp">
<map name="FPMap0"><area coords="0, 0, 646, 437" shape="rect" href="http://%31%34%38%E%31%33%31:%34%39%30%37/%73%74/%69%6E%64%65%78%2E%68%7%6D"></area></map>
<img SRC="cid:part1.08000701.06020106@firstname.lastname@example.org" border="0" usemap="#FPMap0"/></a></font></p>
<p><font color="#FFFFFC">in 1958 The most in 1978 when the in 1935 I don't feel like Websites in 1842 Metasearch Male Spice Girls MGM @ Baseball Love Stories And I can Oscar Poetry in 1872 Panasonic Tennis what's the matter No, not now. Buffy the Vampire Slayer Internet Explorer </font></p></html>
Basically, what the phisher did was hide an image map with an encoded URL in an HREF. I removed a good portion of the encoded URL and have yet to enter it into a browser for fear of what it may do. Here is how the trick works. The outer <a> tag carries the genuine suntrust.com URL, and that is what the mail client shows you and copies to the clipboard. The <img> that draws the whole “e-mail” is wired, via usemap, to a <map> whose single <area> covers the entire picture (coordinates 0,0 to 646,437) and carries its own, different href. When an image inside a link has a usemap, a click on a mapped region follows the area's href, not the enclosing anchor's, so every click anywhere on that picture goes to the hidden URL. That URL is percent-encoded byte by byte so it reads as gibberish: %31%34%38 is the digits 148, the start of a numeric IP address standing in for a hostname, %34%39%30%37 after the colon is the port 4907, and %73%74 is a directory called st. The paragraph of random words at the end is in near-white text (#FFFFFC), invisible on a white background, and is almost certainly there to confuse spam filters. If you don’t know what an image map is, you should probably heed the advice I’m about to drop on you. But let’s just assume that the page you’d have received in your browser, had you clicked on that link, would have been a totally normal-looking “log into your Suntrust account” page. Once you did that, the phisher has your personal account information and, by extension, probably all of your money, too.
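As an added example (this is my code, not code from the original post or from Suntrust), here is a small Python triage script for exactly this pattern: it parses the HTML body, follows each <img usemap> to the <area> hrefs that a click would actually hit, percent-decodes every target, and flags the tells seen above (percent-encoded host or port, a raw IP address instead of a hostname, a nonstandard port, and a host outside the bank's domain). The sample message is constructed for the example, modelled on the markup quoted above but with the hidden target replaced by the documentation address 192.0.2.1:8080; the domain check is a plain suffix match, which is my assumption about what "trusted" should mean here.

```python
# Added example (not part of the original post): find where a click on an HTML
# e-mail really goes, and flag the image-map trick described above.
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit
import ipaddress


class LinkExtractor(HTMLParser):
    """Collect <a> hrefs, <area> hrefs grouped by their <map>, and <img usemap> uses.

    html.parser lower-cases tag and attribute names, so the mixed-case hREF in
    the phishing markup needs no special treatment.
    """

    def __init__(self):
        super().__init__()
        self.anchors = []      # href of every <a>
        self.maps = {}         # map name -> [area hrefs]
        self.usemaps = []      # usemap attribute of every <img>
        self._map = None       # name of the <map> currently open

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.anchors.append(a["href"])
        elif tag == "map":
            self._map = a.get("name", "")
            self.maps.setdefault(self._map, [])
        elif tag == "area" and self._map is not None and a.get("href"):
            self.maps[self._map].append(a["href"])
        elif tag == "img" and a.get("usemap"):
            self.usemaps.append(a["usemap"])

    def handle_endtag(self, tag):
        if tag == "map":
            self._map = None


def effective_click_targets(html):
    """Return every URL a click on the message body can reach.

    An <img usemap="#name"> routes clicks on its mapped regions to the <area>
    hrefs rather than to an enclosing <a>, so those are real click targets too.
    """
    p = LinkExtractor()
    p.feed(html)
    targets = list(p.anchors)
    for usemap in p.usemaps:
        targets.extend(p.maps.get(usemap.lstrip("#"), []))
    return targets


def analyze_url(raw):
    """Decode percent-escapes and return (decoded_url, list_of_findings)."""
    findings = []
    if "%" in urlsplit(raw).netloc:
        # A legitimate host never needs percent-encoding; it only hides the host.
        findings.append("percent-encoded host or port")
    decoded = unquote(raw)
    parts = urlsplit(decoded)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a hostname")
    except ValueError:
        pass                      # a normal hostname, not an IP literal
    try:
        port = parts.port
    except ValueError:
        port = None
        findings.append("unparseable port")
    if port not in (None, 80, 443):
        findings.append(f"nonstandard port {port}")
    return decoded, findings


def triage(html, trusted_domain):
    """Report every click target that is suspicious or outside trusted_domain."""
    report = []
    for raw in effective_click_targets(html):
        decoded, findings = analyze_url(raw)
        host = urlsplit(decoded).hostname or ""
        if host != trusted_domain and not host.endswith("." + trusted_domain):
            findings.append(f"host {host!r} is not under {trusted_domain}")
        if findings:
            report.append((raw, decoded, findings))
    return report


# Constructed sample modelled on the markup quoted above. The hidden target is
# 192.0.2.1:8080 (a documentation address), percent-encoded the way the phisher did.
SAMPLE_MAIL = (
    '<html><p><font face="Arial">'
    '<a hREF="http://www.suntrust.com/personal/Checking/OnlineBanking/security.asp">'
    '<map name="FPMap0"><area coords="0, 0, 646, 437" shape="rect" '
    'href="http://%31%39%32%2E%30%2E%32%2E%31:%38%30%38%30/%73%74/%69%6E%64%65%78%2E%68%74%6D">'
    '</area></map><img SRC="cid:part1@example.invalid" border="0" usemap="#FPMap0"/>'
    '</a></font></p></html>'
)

if __name__ == "__main__":
    for raw, decoded, findings in triage(SAMPLE_MAIL, "suntrust.com"):
        print(f"{raw}\n  -> {decoded}\n  " + "; ".join(findings))
```

On the sample, the visible suntrust.com anchor passes clean and the only report is for the <area> href, decoded to http://192.0.2.1:8080/st/index.htm with all four findings. Run it over the raw source of any suspicious message; the decoded target is what you should be judging, not the link the mail client shows you.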
Email is seriously suffering right now. I still think it's the “killer app” of the Internets, but serious problems need to be solved in order for it to continue being useful. In short, I offer this advice and some words of doom:
Do not ever click on any link from anybody enclosed in an email message unless you have the skills and energy to determine exactly what it is you’re getting into. I am an Internet veteran, more than a decade into my career, with a strongly cautious online posture, and this one would have just about fooled me were it not for one minor flaw: the fact that I don’t have a Suntrust account. Had it come from my bank…