Defending against a phishing e-mail message

Who sent that e-mail message? Where is the link in the message really taking you?

I previously made the case that Windows users should use Thunderbird for e-mail. When I got a fraudulent e-mail message on Saturday claiming to come from PayPal, Thunderbird offered two lines of defense.

The first was the big warning that the message might be a scam. Indeed it was.


The body of the message was a pretty standard phishing scam, with the usual typos and the true destination of the link hidden.

Please Update Your Account
Dear valued PayPal member:
It has come to out attention that your PayPal account information needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online services.
However, failure to update your records will result in account suspension. Please update your records on or before Nov 02, 2007.
Once you have updated your account records, your PayPal session will not be interrupted and will continue as normal.
To update your PayPal records click on the following link: https://www.paypal.com/cgi-bin/webscr?cmd=_login-run


Thunderbird's second line of defense was that it did not fall for a common trick: hidden JavaScript code that disguises the real destination of a link embedded in the message. In the screen shot below, the blue link appears to go to a secure PayPal login page.


This, however, is not the real destination of the link. When the mouse hovers over it, Thunderbird shows the true destination in the status bar (shown above): a page at mardur.net. Some other e-mail programs reinforce the scam by showing the phony destination in the status bar, because they willingly run the hidden JavaScript code in the message. In this case, the code was:

<a onmouseover="window.status='https://www.paypal.com/cgi-bin/webscr?cmd=_login-run';return true"
   onmouseout="window.status=''" target="_blank"
   href="http://www.mardur.net/clickable/paypal-secure/costumers/connexion/login/index.html">
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a>

The formula, so to speak, for the above trickery is this:

<a onmouseover="window.status='phony-destination';return true"
   onmouseout="window.status=''"
   href="real-link-destination">phony-destination</a>

The phony destination is what the reader sees, because it is the visible text of the link. When the mouse moves over the link, the onmouseover code runs and writes the phony destination into the status line; when the mouse moves off, the onmouseout code blanks the status line again. The real destination, in the href attribute, is what the program actually opens, and it never appears unless the program refuses to run the script, as Thunderbird does. (Modern Web browsers ignore scripted changes to window.status for exactly this reason; an e-mail program that runs script in messages may not.)
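The check an e-mail program (or a mail filter) can make against this trick is mechanical: compare the host in the link's visible text, and the host in any window.status assignment, with the host in the href. The following Node.js script is an added example written for this page, not code from the original post or from Thunderbird. The sample message is reconstructed from the anchor quoted above; the second, benign PayPal help link is made up to show that an honest link is not flagged.

```javascript
// Added example, not from the original post: flag anchors in an HTML e-mail
// whose visible text or status-bar text points somewhere other than the href.
// Runs under Node.js with no dependencies.

// Constructed sample: the scam anchor from the post plus one benign link.
const SAMPLE_HTML = `
<p>To update your PayPal records click on the following link:
<a onmouseover="window.status='https://www.paypal.com/cgi-bin/webscr?cmd=_login-run';return true"
   onmouseout="window.status=''" target="_blank"
   href="http://www.mardur.net/clickable/paypal-secure/costumers/connexion/login/index.html">
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a></p>
<p>Questions? <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
`;

const ANCHOR_RE = /<a\b([^>]*)>([\s\S]*?)<\/a>/gi;
// name="value", name='value' or bare name=value
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
const URL_RE = /https?:\/\/[^\s'"<>]+/i;

function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Hostname of a URL, or null if the string is not a parseable URL.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// First http(s) URL inside a piece of text (anchor text, handler code).
function firstUrl(text) {
  const m = URL_RE.exec(text || '');
  return m ? m[0] : null;
}

// Returns one finding per suspicious anchor: the real href, the host the
// reader is shown, and the reasons the anchor was flagged.
function auditLinks(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[1]);
    const visibleText = m[2].replace(/<[^>]*>/g, '').trim();
    const realHost = hostOf(attrs.href || '');
    const reasons = [];

    // 1. The link text looks like a URL, but its host is not the href's host.
    const shownUrl = firstUrl(visibleText);
    const shownHost = shownUrl ? hostOf(shownUrl) : null;
    if (shownHost && realHost && shownHost !== realHost) reasons.push('text-host-mismatch');

    // 2. A mouse handler writes window.status: the status-bar trick itself.
    for (const ev of ['onmouseover', 'onmouseout', 'onclick']) {
      if (attrs[ev] && /window\.status/i.test(attrs[ev])) {
        reasons.push(`${ev}-sets-status`);
        const statusHost = hostOf(firstUrl(attrs[ev]) || '');
        if (statusHost && realHost && statusHost !== realHost) reasons.push(`${ev}-host-mismatch`);
      }
    }

    if (reasons.length) findings.push({ href: attrs.href, realHost, shownHost, reasons });
  }
  return findings;
}

// Usage: node audit-links.js
for (const f of auditLinks(SAMPLE_HTML)) {
  console.log(`SUSPICIOUS link to ${f.realHost} (shown as ${f.shownHost}): ${f.reasons.join(', ')}`);
}
```

Run against the sample, the script flags only the mardur.net anchor, for three reasons at once: the visible text names www.paypal.com while the href names www.mardur.net, the onmouseover handler writes window.status, and the URL it writes there is again a paypal.com address. The host comparison is deliberately strict (www.paypal.com and paypal.com would count as different), so treat a hit as a reason to look, not as a verdict.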

FROM WHERE?


Everyone using e-mail needs to be aware that the FROM address of an e-mail message is easily forged. Very, very easily. To see where a message really came from, you have to look at its normally hidden header. In this case, the header showed that it originated at HostGator.com. Specifically, it showed:

Received:
from innovas by gator133.hostgator.com with local (Exim 4.68)
  (envelope-from <innovas@gator133.hostgator.com>)

The header also shows the originating IP address. This particular message came from a computer with an IP address of 74.52.58.242. According to dnsstuff.com the machine is in Dallas, Texas, and owned by The Planet. In this case, not very helpful information.
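The same reading of the header can be automated. The Node.js script below is an added example for this page, not code from the original post: it unfolds the header, walks the Received lines in transit order (each mail server prepends its own line, so the last one in the header is the first hop), pulls out the envelope sender and the first bracketed IP address, and compares the envelope sender's domain with the domain in the visible From: line. The raw message is constructed for the example: the Exim Received line is the one quoted above, while the From:, To: and Subject: lines and the outer Received line (a hypothetical recipient mail server, mx.example.net, recording the IP address the post reports) are made up.

```javascript
// Added example, not from the original post: read the Received chain and the
// envelope sender out of a raw message and compare them with the From: line.
// Runs under Node.js with no dependencies.

// Constructed sample: the Exim line is from the post, everything else is
// made up (mx.example.net is a hypothetical recipient server).
const RAW_MESSAGE = [
  'Received: from gator133.hostgator.com ([74.52.58.242])',
  '\tby mx.example.net with ESMTP',
  '\tfor <victim@example.net>; Sat, 27 Oct 2007 09:12:44 -0400',
  'Received: from innovas by gator133.hostgator.com with local (Exim 4.68)',
  '\t(envelope-from <innovas@gator133.hostgator.com>)',
  '\tSat, 27 Oct 2007 08:12:41 -0500',
  'From: "PayPal" <service@paypal.com>',
  'To: victim@example.net',
  'Subject: Please Update Your Account',
  '',
  'Dear valued PayPal member: ...',
].join('\r\n');

// Split off the header block and unfold continuation lines (RFC 5322 folding:
// a line starting with whitespace continues the previous field).
function parseHeaders(raw) {
  const headerBlock = raw.split(/\r?\n\r?\n/, 1)[0];
  const fields = [];
  for (const line of headerBlock.split(/\r?\n/)) {
    if (/^[ \t]/.test(line) && fields.length) {
      fields[fields.length - 1].value += ' ' + line.trim();
    } else {
      const i = line.indexOf(':');
      if (i > 0) fields.push({ name: line.slice(0, i).toLowerCase(), value: line.slice(i + 1).trim() });
    }
  }
  return fields;
}

function parseReceived(value) {
  const get = (re) => { const m = re.exec(value); return m ? m[1] : null; };
  return {
    from: get(/^from\s+(\S+)/i),                    // what the sending side called itself
    ip: get(/\[(\d{1,3}(?:\.\d{1,3}){3})\]/),       // IP the receiving server actually saw
    by: get(/\bby\s+(\S+)/i),                       // server that added this line
    protocol: get(/\bwith\s+(\S+)/i),               // "local" = generated on that machine
    envelopeFrom: get(/envelope-from\s+<([^>]+)>/i),
  };
}

// Received lines in transit order: origin first, your own server last.
function receivedChain(fields) {
  return fields.filter((f) => f.name === 'received').map((f) => parseReceived(f.value)).reverse();
}

function addressDomain(s) {
  const m = /<([^>]+)>/.exec(s);
  const addr = m ? m[1] : s.trim();
  const at = addr.lastIndexOf('@');
  return at >= 0 ? addr.slice(at + 1).toLowerCase() : null;
}

// Summarise where the message came from versus where it claims to come from.
function originReport(raw) {
  const fields = parseHeaders(raw);
  const chain = receivedChain(fields);
  const fromField = fields.find((f) => f.name === 'from');
  const origin = chain[0] || null;
  const envelopeFrom = chain.map((h) => h.envelopeFrom).find(Boolean) || null;
  const claimedDomain = fromField ? addressDomain(fromField.value) : null;
  const envelopeDomain = envelopeFrom ? addressDomain(envelopeFrom) : null;
  return {
    claimedDomain,
    envelopeDomain,
    originHost: origin ? origin.by : null,
    submittedBy: origin ? origin.from : null,
    originIp: chain.map((h) => h.ip).find(Boolean) || null,
    suspicious: Boolean(claimedDomain && envelopeDomain && claimedDomain !== envelopeDomain),
  };
}

// Usage: node origin-report.js
console.log(originReport(RAW_MESSAGE));
```

For the sample this reports a From: line claiming paypal.com, an envelope sender at gator133.hostgator.com, a message generated locally on that server by the account "innovas", and 74.52.58.242 as the first IP address seen. Two caveats a practitioner should keep in mind: a Received line can be forged just as easily as the FROM address, so only the lines added by servers you trust (your own mail server and those above it) are evidence, and envelope-from is recorded by Exim but not by every mail server, so the comparison must tolerate its absence, as the code does.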

WHO GETS THE MONEY?


Unlike the FROM address and the visible link text, the real Web page destination is reliable: the scammer needs you to land there, because that is where the stolen details are collected. In this case the true destination was unusually obvious: a page at mardur.net. Who is mardur.net? Two things about a domain can be traced: the Web site and the domain name itself.

The publicly visible DNS servers for mardur.net make it obvious that the Web site is hosted at HostGator. Only HostGator knows who is paying for the account.

The public contact information for the domain mardur.net is

David Hayter (kgoodsoft@gmail.com)
+1.45443344
Fax: +1.565434534
South Street
Loave Sowna
Colombo, P 4543343
LK

I know of no way to verify this information. However, the domain was registered by NameCheap.com and they would know who paid for it. At times good Web sites get hijacked by the bad guys for these phishing scams, so we can't assume that David Hayter is a bad guy. It's a safe bet, however, that neither he nor mardur.net is PayPal.

Be careful out there.


Update. October 28, 2007: See my next posting Test your email program for more on this.

About the author

    Michael Horowitz wrote his first computer program in 1973 and has been a computer nerd ever since. He spent more than 20 years working in an IBM mainframe (MVS) environment. He has worked in the research and development group of a large Wall Street financial company, and has been a technical writer for a mainframe software company.

    He teaches a large range of self-developed classes, the underlying theme being Defensive Computing. Michael is an independent computer consultant, working with small businesses and the self-employed. He can be heard weekly on The Personal Computer Show on WBAI.
