How to spot phishing attempt – anatomy of a ‘phishing’ Email

If you consider yourself as someone who knows how to spot spam and phishing emails, you won’t learn anything new here. Others who want to learn how to spot spam or phishing mails, especially if you are someone who simply can’t resist clicking on links in your email no matter how many times you were told not to 🙂  read on …

Like most of you, every now and then I do get a phishing mail delivered to my inbox. Gmail usually does a pretty good job of filtering spam and phishing mails, however, this particular one shown here slipped through gmail spam filter because of my own filter (a discussion on why it slipped is outside the scope of this blog). Anyway, here is a screenshot of the phishing mail we will be dissecting in this blog. Apparently, citibank all of a sudden lost everything they know about me except my email address :). You can stop right here since it is clearly a phishing attempt, but for the purpose of this exercise, lets continue. At a glance, for a novice email user, it looks legitimate and it does appear to have come from citibank.com, and is instructing me to download the attachment called Citibank.html. It must be important since it is from citibank alert service and I should immediately download the file and double click it right? The first thing you need to understand is that the ‘mail from’ (i.e. in this case alerts@citibank.com) is the easiest thing to fake. To find out where it really came from you need to see the full email headers from the “show original” option. [Note: The screen shot below is from gmail but as far as I know all mail clients like yahoo, hotmail, outlook etc allow you to view the ‘raw’ content of the mail which will show all mail headers].

When you select the ‘show original’ as shown above, you can get the ‘raw’ mail content including all the mail headers (see annotated screenshot below).

From the above screenshot, you can clearly see google’s mail server received this mail from decisiontreetech.com not from citibank.com (highlighted in yellow). Does this mean the decisiontreetech.com is the phishing source? The answer is No. In this case, it looks like someone from that company seem to be infected with a malware allowing a remote hacker to hijack their email account session to send phishing mail via that company’s mail server. If you look further down you can see a remote host from France with a IP address 62.244.93.88 initiated this message. For many of you, unless you are in cyber crime division of law enforcement, at this point, it doesn’t matter who the criminal is (we will discover shortly below), you know this is fake and you should simply delete this mail and go on with your life. You can continue to read if you are interested in dissecting this mail further …

Now, we are going to examine the attachment the crook wants you to download so he can collect your information. Typically, you can view the raw mail safely with your browser to see what the attachment contains to make sense out of it as long as its not binary. In this case it is supposed to be a HTML file. However, the crook encoded the content of the HTML text to base64 encoding so it is not easy to view what he is trying to do and where he intend to send your information (see the screen shot below).

I can just download the file to let the browser decode the base64 encoded HTML for me or just simply copy the content and decode it myself. The following screen shot is a relevant part of the HTML file decoded using an online decode tool from http://www.base64decode.org
Finally, you can see they are posting your information to a webserver at 69.73.182.242 to eventually mail everything to two email address i.e. sammy78@iname.com and effeferegregregre@yahoo.com There you have it.
PS: As of this writing the above server is still up and running although the post action is no longer working.
Hope this blog helped you to learn how to easily spot phishing mails and protect your hard earned money. Bottom-line is, if you get a mail asking for stuff your financial institution should already know, its a fake, delete it.
Advertisements