Defending against a phishing e-mail message
Who sent that e-mail message? Where is the link in the message really taking you?
I previously made the case thatfor email. When I got a fraudulent e-mail message on Saturday claiming to come from PayPal, Thunderbird offered two lines of defense.
The first was the big warning that the message might be a scam. Indeed it was.
The body of the message was a pretty standard phishing scam, with the usual typos and the true destination of the link hidden.
The formula, so to speak, for the above trickery is this:
The phony link destination is displayed initially. When the mouse moves over the link, the "onmouseover" code runs and rewrites the browser's status line so that it shows the phony destination rather than the real one. When the mouse moves off the link, the "onmouseout" code clears the status line so nothing is shown.
Everyone using e-mail needs to be aware that the FROM address of an e-mail message is easily forged. Very, very easily. To see where it really came from requires looking at the normally hidden header of the message. In this case, the header showed that it originated from HostGator.com. Specifically, it showed:
The header also shows the originating IP address. This particular message came from a computer with an IP address of 188.8.131.52. According to dnsstuff.com, that machine is in Dallas, Texas, and owned by The Planet. In this case, not very helpful information.
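The two checks described above, the status-line trick on the link and the originating IP in the Received headers, can be automated. The following is an added example written for this post, not code from the original; the message it scans is constructed, and every host and IP in it is a placeholder.

```python
import re
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not the message from the post); every host and IP here is a placeholder.
RAW_MESSAGE = b"""From: PayPal <service@paypal.example>
Received: from mail.example.net (localhost [127.0.0.1]) by mail.example.net; Sat, 27 Oct 2007 10:00:00 +0000
Received: from gator.example (gator.example [192.0.2.10]) by mail.example.net; Sat, 27 Oct 2007 09:59:00 +0000
Content-Type: text/html

<a href="http://phish.example/login"
   onmouseover="window.status='https://www.paypal.com/'; return true"
   onmouseout="window.status=''">https://www.paypal.com/</a>
"""

class LinkAuditor(HTMLParser):  # flags <a> tags whose shown URL disagrees with href, or that touch window.status
    def __init__(self):
        super().__init__()
        self.findings, self._link = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            spoof = any(k in ("onmouseover", "onmouseout") and "window.status" in (v or "")
                        for k, v in attrs)
            self._link = {"href": dict(attrs).get("href") or "", "text": "", "spoof": spoof}
    def handle_data(self, data):
        if self._link is not None:
            self._link["text"] += data
    def handle_endtag(self, tag):
        if tag != "a" or self._link is None:
            return
        link, self._link = self._link, None
        shown = urlparse(link["text"].strip()).hostname  # host the reader sees in the link text
        real = urlparse(link["href"]).hostname           # host the click actually goes to
        reasons = [f"text shows {shown} but href goes to {real}"] if shown and real and shown != real else []
        if link["spoof"]:
            reasons.append("mouse handler rewrites window.status to hide the real href")
        if reasons:
            self.findings.append((link["href"], reasons))

def audit_message(raw):
    msg = message_from_bytes(raw, policy=policy.default)
    hops = msg.get_all("Received", [])  # each relay prepends one, so the last is the earliest hop
    ips = [ip for h in reversed(hops) for ip in re.findall(r"\[([\d.]+)\]", h)]
    origin = next((ip for ip in ips if not ip.startswith("127.")), None)  # skip loopback hops
    auditor = LinkAuditor()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            auditor.feed(part.get_content())
    return {"from": str(msg["From"]), "origin_ip": origin, "suspicious_links": auditor.findings}
```

The FROM value is returned only so it can be compared with the origin IP and the link hosts; on its own it proves nothing, exactly as the post says.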
WHO GETS THE MONEY?
Unlike the FROM address and the displayed link, the Web page the link actually takes you to is reliable evidence. In this case the true destination was unusually obvious: a page at mardur.net. Who is mardur.net? There are two things about a domain that can be traced, the Web site and the domain name itself.
Based on the publicly available DNS servers for mardur.net, it's obvious the Web site is hosted at HostGator. Only HostGator knows who is paying for the account.
The public contact information for the domain mardur.net is
David Hayter (email@example.com)
Colombo, P 4543343
I know of no way to verify this information. However, the domain was registered by NameCheap.com and they would know who paid for it. At times good Web sites get hijacked by the bad guys for these phishing scams, so we can't assume that David Hayter is a bad guy. It's a safe bet, however, that neither he nor mardur.net is PayPal.
Be careful out there.
Update. October 28, 2007: See my next posting for more on this.