'Mini' phishing
March 2007
We have all become accustomed to seeing a lot of images in emails from PayPal and other financial organizations and banks.
Within the last couple of months, however, PayPal seems to have realized that phishers have been making use of the same graphical elements in their emails (in order to make the phishing emails look more like the real thing), and the company has now started to use fewer graphics in its emails. Of course, PayPal's emails are still a long way from plain text, but this is at least a step in the right direction.
For a while now, spammers have been using a method in which their emails contain only a couple of lines of text, one of which is a link. Now, phishers have begun to borrow the same technique in an attempt to create messages that resemble automatically generated messages (see image below).
Note that the paypal-us.com domain, from which the email appears to come, was also a phishing website. It was registered with Fiber Technologies Network and is marked by Netcraft as a phishing website. However, the site no longer has any content.
Analysis of the email's headers shows that the phishing email was, in fact, sent from a computer in Germany, probably part of a botnet.
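The header analysis described above, as an added example that is not part of the article or of Avira's own tooling: the script parses a constructed message, walks the Received chain from the newest hop back through servers we trust to find the IP that first handed the mail over, and checks whether the From: domain merely imitates the brand. The message, hostnames and IP addresses are constructed placeholders (RFC 5737 ranges and reserved .example names); only the paypal-us.com sender domain is taken from the article, and the trusted-server list and the lookalike heuristic are assumptions for the example.

```python
"""Trace a phishing email's originating host and check its From: domain."""
import email
import re
from email.utils import parseaddr

# Constructed sample modelled on the article's description: a short,
# auto-generated-looking body, a From: domain that resembles PayPal, and two
# Received hops. Hosts and addresses are placeholders, not real infrastructure.
SAMPLE_EMAIL = """\
Received: from mx1.example.net (mx1.example.net [198.51.100.10])
\tby mail.example.org with ESMTP id abc123; Sat, 3 Mar 2007 10:15:02 +0000
Received: from paypal-us.com (p5B1234AB.dip.t-dialin.example [192.0.2.77])
\tby mx1.example.net with SMTP; Sat, 3 Mar 2007 10:14:58 +0000
From: "PayPal" <service@paypal-us.com>
To: victim@example.org
Subject: Account notification
Content-Type: text/plain

Your account requires attention. Please log in at:
http://paypal-us.com/.,/lndex.html?co_partnerId=2
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # "[a.b.c.d]" in a Received line
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)

# Assumption for the example: servers under these suffixes are ours, so the
# Received lines they wrote can be believed. Anything older may be forged.
TRUSTED_SUFFIXES = ("example.net", "example.org")


def originating_ip(raw, trusted_suffixes=TRUSTED_SUFFIXES):
    """Return the 'from' IP of the last hop recorded by a trusted server.

    Received headers are prepended, so get_all() yields newest first. We walk
    down the chain while the recording ('by') host is trusted and stop at the
    first hop written by an unknown server, since the sender controls those.
    """
    msg = email.message_from_string(raw)
    last_ip = None
    for hop in msg.get_all("Received", []):
        by = BY_RE.search(hop)
        if not by or not by.group(1).lower().endswith(trusted_suffixes):
            break
        found = IP_RE.search(hop)
        if found:
            last_ip = found.group(1)
    return last_ip


def sender_domain(raw):
    """Domain part of the From: address (what the recipient sees, not who sent it)."""
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def lookalike_domain(domain, brand="paypal.com"):
    """True when a domain contains the brand's name but is not the brand's own domain.

    Heuristic assumed for the example; it catches paypal-us.com but not www.paypal.com.
    """
    domain = domain.lower()
    label = brand.split(".")[0]
    return label in domain and domain != brand and not domain.endswith("." + brand)


if __name__ == "__main__":
    ip = originating_ip(SAMPLE_EMAIL)
    dom = sender_domain(SAMPLE_EMAIL)
    print(f"earliest trusted hop saw sender at {ip}")
    print(f"From: domain {dom} lookalike={lookalike_domain(dom)}")
```

The trust boundary matters: in a real investigation only the Received lines written by your own mail servers are reliable, so the script stops walking as soon as the "by" host is unknown rather than trusting the bottom-most header.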
The link pointed to a redirect via a website that had been compromised through an exploit of an online calendar web application. The first link was (target website removed):
http://<firstwebsite>/.,/lndex.html?co_partnerId=2&siteid=0&pageType=-1&errmsg=8&pa1=&i1=-1DATA=SabuKatVpl37b$$jbabuKatVpl37b2ol37b2oaabuKatVpl37b2oaszrQTGVnCTmsPv&a/20%&UsingSSL=0
and the target website hosting the fake website:
http://<target website>/calendar/cl_files/.,/updates-paypal/protect_files/login_files/processing_files/paypal/log1.htm?co_partnerId=2&siteid=0&pageType=-1&errmsg=8&pa1=&i1=-1DATA=SabuKatVpl37b
It is interesting that the trend seems to be to push entire websites onto the compromised host, here beneath the ".," directory that follows the "calendar" part of the path:
http://<target website>/calendar/cl_files/.,/updates-paypal/protect_files/login_files/processing_files/paypal/done.htm
We often see hosts with multiple phishing websites added in subdirectories. The fraudsters, however, keep finding original ways to host the files: unusual subdirectories, user accounts, random characters, etc.
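The path features the article points out, as an added example that is not from the article or from Avira: a small URL inspector that flags a punctuation-only directory such as ".,", a brand name appearing in the path of a host that is not the brand's, the login-style query parameters seen in both of the article's URLs, and deep nesting of the kind a dropped-in kit produces. The URLs are the article's two with the real hosts replaced by reserved .invalid names and the long DATA blobs dropped; the benign calendar URL, the brand-domain table and the thresholds are constructed assumptions for the example.

```python
"""Flag URL features the article associates with phishing kits on compromised hosts."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed samples: the article's two URLs with placeholder hosts, plus a
# benign calendar URL for contrast.
KIT_URL = ("http://target.invalid/calendar/cl_files/.,/updates-paypal/protect_files/"
           "login_files/processing_files/paypal/log1.htm"
           "?co_partnerId=2&siteid=0&pageType=-1&errmsg=8&pa1=&i1=-1")
REDIRECT_URL = ("http://firstwebsite.invalid/.,/lndex.html"
                "?co_partnerId=2&siteid=0&pageType=-1&errmsg=8&UsingSSL=0")
BENIGN_URL = "http://example.org/calendar/index.php?month=3&year=2007"

# Assumed brand table: a host is "the brand" only if it is one of these domains
# or a subdomain of one.
BRAND_DOMAINS = {"paypal": ("paypal.com",)}
# Parameter names that appear in both of the article's phishing URLs; used here
# as a kit fingerprint (assumption for the example).
LOGIN_STYLE_PARAMS = {"co_partnerId", "siteid", "pageType"}
PUNCT_ONLY = re.compile(r"^[^\w]+$")   # directory names such as ".," made only of punctuation
DEEP_PATH = 6                          # assumed threshold for "deeply nested"


def host_is_brand(host, brand):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])


def inspect_url(url):
    """Return a list of finding strings for one URL; an empty list means nothing flagged."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    segments = [s for s in parts.path.split("/") if s]
    params = set(parse_qs(parts.query, keep_blank_values=True))
    findings = []
    if any(PUNCT_ONLY.match(s) for s in segments):
        findings.append("punctuation-only directory")
    for brand in BRAND_DOMAINS:
        if host_is_brand(host, brand):
            continue   # the brand's own site may legitimately use its name and parameters
        if any(brand in s.lower() for s in segments):
            findings.append(f"brand '{brand}' in path on foreign host")
        if LOGIN_STYLE_PARAMS <= params:
            findings.append(f"{brand} login-style parameters on foreign host")
    if len(segments) >= DEEP_PATH:
        findings.append("deeply nested path")
    return findings


def is_suspicious(url):
    return bool(inspect_url(url))


if __name__ == "__main__":
    for u in (KIT_URL, REDIRECT_URL, BENIGN_URL):
        print(u)
        for f in inspect_url(u) or ["(nothing flagged)"]:
            print("   -", f)
```

The punctuation-only check is the one most specific to this report: a directory named ".," is easy to overlook in a listing and sorts next to "." and "..", which is presumably why the kit authors chose it, and it has no reason to appear in a legitimate application path.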
Both websites, hosted in Belgium, were shut down a matter of hours after the exploit was seen.
Sorin Mustaca, Avira