Some of you reading this article may have seen news reports of people getting alarming email messages from their friends.
Tales such as "Help, I'm stranded in Nigeria and need money" have come to many people as a surprise in recent months, and the trend seems to getting more widespread. The messages are coming directly from the email accounts of someone you know, and at first glance it may seem real. The truth, once discovered, is that the email account has been taken over (hacked [link]) by a fraudster, and the solicitations for money being sent out are a simple fraud. One question that seems lost in all of these news reports is "how did this happen?" -- Let's investigate this a little further and shed some light into this dark corner.
From Hack To Phish
Hacking covers a wide range of techniques, such as Security exploit; Vulnerability scanner; Packet Sniffer; Spoofing attack; Rootkit; Social engineering; Trojan horse; Virus; Worm and Key loggers; but for the purpose of this article we will concentrate on only one of these, social engineering.
"Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access; in most cases the attacker never comes face-to-face with the victim." (Source Wikipedia: [link])
Phishing [link] of course, comes under the general umbrella of social engineering and is a technique of fraudulently obtaining private information. People may associate Phishing with financial institutions (banks, credit cards and credit unions), eBay, PayPal and others due to a great many reports in press. However, one form of this phishing hides in relative obscurity, and asks not for banking details, but for your email account login credentials. If you get one of these emails, it may actually look very real indeed.
Bring Out The Phish!
Recently one of our own staff, received one of these Phishing emails targetting a Yahoo account. The email was crafted in such a way that it appears at first glance to be quite authentic, as the image below will show.
For the purpose of the search engines here is the actual text of the Phishing email...
From: Customer <email@example.com>
Date: Thu, 02 Apr 2009 10:39:08 -0500
Subject: Yahoo Warning! Unused Account Removal Confirm Your Account
Dear Valued Member,
Due to the congestion in all Yahoo users and removal of all unused Yahoo Accounts,Yahoo would be shutting down all unused accounts,You will have to confirm your E-mail by filling out your Login Info below after clicking the reply botton, or your account will be suspended within 24 hours for security reasons.
Date Of Birth: ..........................................
Country Or Territory:................................
After Following the instructions in the sheet,your account will not be interrupted and will continue as normal.Thanks for your attention to this request.We apologize for any inconvinience.
Do you think the email is real? Would you respond to it and give the requested details? If you answer yes to either or both of those questions, then you have a serious problem, so you must read and understand this article.
The email address shown (firstname.lastname@example.org) is an account created by a fraudster on Yahoo! and has nothing to do with official Yahoo! business. The premise behind the email is to convince you to willingly give away your account login details. With this Yahoo! Phish, you are also being asked to provide other details that would normally allow you to recover the email account when you actually discover you lost it.
The information you provide allows the fraudster to login to your account and change all the vital details. You would be highly unlikely to get the account back again, unless you can actually convince Yahoo! that you are the real owner.
The important point to remember is that Yahoo! will never ask for your login details, nor would any other email provider for that matter. There are absolutely ZERO reasons why any service provider would ask for the account password of one of its customers. This is how people get 'hacked' and their accounts taken over. Simple isn't it. :wink:
When you reply to the email, your account would be taken over shortly afterwards. This my friends is the art of Social Engineering, and lots of people fall for it.
You will start getting weird questions from people in your contact list or address book when spam/scam emails start coming from your account. In addition, and if it is the wrong kind of spam message being sent out, you may even get reported to Yahoo! Abuse, and your account (whilst in control by the fraudster) may even get closed permanently. Ouch! :shocked:
Under The Covers Of The Phish
During our investigation into this particular Yahoo! Phishing email, we looked at further information embedded into the header information of the email itself. We wanted to find out where the email came from and surprise surprise, we turn up the following information:-
X-PHP-Script: tablemash.com/mail.php for 220.127.116.11
This indicates that the email originated by someone using a Direct On PC Ltd connection in Nigeria [link] and was sending the email via a mail script on a website called tablemash.com. I decided to take a look at the website responsible for the mailer script and it was quickly apparent that the site has been recently defaced by a hacking group. Here is the image of the main page taken on Friday 3rd April 2009.
The host was informed, and on Saturday the site appears to be back to normal again.
Naturally, we have no idea whether the website was defaced before or after the vulnerable mailer script was found; or whether the site was hacked first then the route sold to the Nigerian Phishers.
Our article serves as a reminder to all that even the most authentic looking email can fool you into revealing too much. Phishing attacks can happen to anyone, so don't think for a moment that "I'm not important, it can't happen to me.", because you would be dead wrong.
It is also interesting to see the route that this Phising Email has taken. From a compromised website running a vulnerable mailer script; being abused by Nigerian scamming scum, and into the arms of one of our own Staff members.
The internet is full of nasties, and nasty people. Never drop your guard, and guard your passwords as though your life depended upon it.
Be careful out there.
Sample of related news items
- Email scam stuns businessmen [link] (Hotmail Account)
- EPPING: Police investigate fraud email from Nigeria [link] (Yahoo Account)
- Lost in Lagos? The mystery of Jack Straw and the Nigerian scammers [link] (Hotmail Account)