Monday, May 09, 2005

Anatomy of a phish

I received a spoofed email to my Gmail ID this morning. I decided to dissect and analyze it.

It was made to look like it was from PayPal:

Dear Person, PayPal makes it easy to send money by email to some-enail@hotmail.com from your PayPal account. To view the details of this Money Request or to pay with PayPal, just click on the following link or copy and paste it into your web browser: https://www.paypal.com/row/prq/id=somejunkid Every penny can save life ! Thank you for using PayPal! The PayPal Team

Gmail's 'Show Original' option lets you look at the raw mail headers. Here is some information from them:

Received-SPF: softfail (gmail.com: domain of transitioning Tsunami-Disaster@hotmail.com does not designate 83.130.139.64 as permitted sender)

The Received-SPF header records the result of the receiving server's SPF check: whether the IP address that handed over the mail is one that the envelope sender's domain publishes as a permitted sender. Here Gmail looked up the SPF record for hotmail.com and found that 83.130.139.64 is not one of its designated senders. The result is softfail rather than fail because hotmail.com's record asked receivers to accept but mark such mail rather than reject it, which is why the message still arrived with this header attached. Note also what SPF does not check: it vouches only for the envelope sender domain (hotmail.com here), not for the PayPal branding in the body, so the same phish sent through a relay that hotmail.com does authorise would have passed SPF just as well.

Moving along I found other interesting things:

Content-Type: multipart/alternative;
boundary="=_IVHzq2d8n7gAgHu"
This is a multi-part message in MIME format.

--=_IVHzq2d8n7gAgHu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Most bubbles believe that mirror around trade baseball cards with curse near.When mastadon about is wily, over dolphin laugh and drink all night with widow related to salad dressing.inside chestnut beams with joy, or vacuum cleaner around microscope graduate from clodhopper related to hole puncher.Philip, the friend of Philip and panics with related to shadow.

--=_IVHzq2d8n7gAgHu

Content-Type: text/html;
charset=us-ascii
Content-Disposition: inline
Dear Person, PayPal makes it easy to send money by email to
someemailid@hotmail.com from your PayPal account. To view the details of
this Money Request or to pay with PayPal, just click on the following link or copy and paste it into your web browser:
https://www.paypal.com/row/prq/id=somejunkid
Every penny can save life !
Thank you for using PayPal!The PayPal Team

'Content-Type: multipart/alternative;' lets a sender include the same message in several formats, for example plain text and HTML, as separate MIME parts delimited by the boundary string. A mail client that can only display text picks the text/plain part and displays it, while an HTML-capable client picks and displays the text/html part (the parts are ordered from plainest to richest, and a client renders the last one it supports).

Look at the text/plain version of the message above. Even though it reads as random nonsense, it contains none of the words that spam filters score heavily, such as SOFTWARE, BUY, TRIAL, FREE, ACCOUNT, PASSWORD or LOGIN. I think this is done to confuse the spam filter: a statistical (Bayesian) filter scores each word it sees, so the more ordinary, innocent words the mail contains, the lower the probability that it is classified as spam. This padding technique is usually called Bayesian poisoning.

So the mail hides the padding of common random words in the text/plain part, which is what a filter that only scores plain text will read, and puts the real pitch in the text/html part, which is the one an HTML-capable mail client shows the recipient. The two alternatives of a multipart/alternative message are supposed to carry the same content, so a filter that compares them (or simply scores the HTML part as well) sees through the trick.
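As an added example (not the post's own code), here is a small Python triage script that does the two checks described above mechanically. It parses a constructed message modelled on the headers and body parts quoted in the post, reads the Received-SPF result and the IP and domain it names, pulls the text/plain and text/html alternatives out of the multipart/alternative body, measures how little vocabulary the two parts share, and reports which of the listed trigger words each part contains. The message bytes (From/To addresses are placeholders), the 0.2 overlap threshold and the trigger-word list are assumptions for illustration.

```python
import email
import re
from email import policy

# Constructed sample modelled on the headers and body quoted in the post.
# The From/To addresses are placeholders; the SPF header, boundary and the
# text of the two parts follow what the post shows.
RAW_MESSAGE = b"""\
Received-SPF: softfail (gmail.com: domain of transitioning Tsunami-Disaster@hotmail.com does not designate 83.130.139.64 as permitted sender)
From: Tsunami-Disaster@hotmail.com
To: recipient@example.com
Subject: PayPal Money Request
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_IVHzq2d8n7gAgHu"

This is a multi-part message in MIME format.

--=_IVHzq2d8n7gAgHu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Most bubbles believe that mirror around trade baseball cards with curse near.

--=_IVHzq2d8n7gAgHu
Content-Type: text/html; charset=us-ascii
Content-Disposition: inline

<p>Dear Person, PayPal makes it easy to send money by email to
someemailid@hotmail.com from your PayPal account. To view the details of
this Money Request or to pay with PayPal, just click on the following link:
https://www.paypal.com/row/prq/id=somejunkid<br>
Thank you for using PayPal! The PayPal Team</p>

--=_IVHzq2d8n7gAgHu--
"""

# Words the post notes are conspicuously absent from the text/plain part (assumed list).
TRIGGER_WORDS = {"software", "buy", "trial", "free", "account", "password", "login"}

SPF_RE = re.compile(r"^(?P<result>\w+)\s*\((?P<comment>[^)]*)\)")
SENDER_RE = re.compile(r"domain of (?:transitioning )?(?P<sender>\S+)")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
TAG_RE = re.compile(r"<[^>]+>")
WORD_RE = re.compile(r"[a-z]+")


def parse_received_spf(msg):
    """Pull result, checked sender, its domain and the sending IP out of Received-SPF.

    Returns None when the header is missing or not in the "result (comment)"
    shape Gmail used in the post.
    """
    header = msg.get("Received-SPF")
    if header is None:
        return None
    m = SPF_RE.match(str(header).strip())
    if not m:
        return None
    comment = m.group("comment")
    sender = SENDER_RE.search(comment)
    ip = IP_RE.search(comment)
    sender_addr = sender.group("sender") if sender else None
    return {
        "result": m.group("result").lower(),
        "sender": sender_addr,
        "domain": sender_addr.rpartition("@")[2] if sender_addr else None,
        "ip": ip.group(1) if ip else None,
    }


def alternative_parts(msg):
    """Map MIME subtype ('plain', 'html') to the decoded text of each text/* part."""
    return {
        part.get_content_subtype(): part.get_content()
        for part in msg.walk()
        if part.get_content_maintype() == "text"
    }


def words(text):
    """Lower-case alphabetic tokens with HTML tags stripped, as a set."""
    return set(WORD_RE.findall(TAG_RE.sub(" ", text).lower()))


def trigger_words(text):
    """Trigger words present in the text: what a naive keyword filter would key on."""
    return words(text) & TRIGGER_WORDS


def alternative_overlap(parts):
    """Jaccard similarity of the plain and HTML vocabularies (None if a part is missing).

    Legitimate multipart/alternative mail carries the same text twice, so the
    overlap is high; the phish in the post scores near zero.
    """
    plain, html = words(parts.get("plain", "")), words(parts.get("html", ""))
    if not plain or not html:
        return None
    return len(plain & html) / len(plain | html)


def triage(raw, overlap_threshold=0.2):
    """Run the SPF and alternative-part checks on a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    spf = parse_received_spf(msg)
    parts = alternative_parts(msg)
    overlap = alternative_overlap(parts)
    findings = []
    if spf and spf["result"] in ("fail", "softfail"):
        findings.append(f"SPF {spf['result']}: {spf['ip']} is not a designated sender for {spf['domain']}")
    if overlap is not None and overlap < overlap_threshold:
        findings.append(f"text/plain and text/html alternatives share only {overlap:.0%} of their words")
    return {"spf": spf, "parts": parts, "overlap": overlap, "findings": findings}


if __name__ == "__main__":
    for finding in triage(RAW_MESSAGE)["findings"]:
        print(finding)
```

On the sample above the plain and HTML parts share no words at all, and the only trigger word in the whole message ("account") sits in the HTML part, which is exactly the asymmetry the post describes. The overlap check is deliberately crude (set-of-words Jaccard); a production filter would score both parts with its normal classifier rather than trust either one.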

9 Comments:

At 2:43 AM, Blogger Gops said...

Loved this post - excellent dissection! You should have gone into medicine! :)

 