; An Analysis of Phishing E-mail
Learning Center
Plans & pricing Sign in
Sign Out

An Analysis of Phishing E-mail


  • pg 1
									                           An Analysis of Phishing E-mail
                                                          Nattakant Utakrit
                                            School of Computer and Information Science
                                                       Edith Cowan University
                                                       Perth, Western Australia

    Abstract—E-mail has become an important communication             Recipients may respond to the sender with the required
channel in the digital world, due to its ability to make fast         information, as they may be afraid or interested.
contacts globally and the low cost of transferring data.
Governments, businesses and individuals have used e-mail to                               II. RISK OF PHISHING
communicate with each other by sending messages and attaching
                                                                                The main purpose of phishing attacks is ‘money’ [3].
files. Nevertheless, abuse of e-mail has increased dramatically.
Social engineering techniques have been implemented in order to       The information required by phishers is usually credit card
gain information from targets. Phishers send bogus e-mails to         numbers, bank account information, social security numbers,
recipients in order to compromise them and to assume their            usernames and passwords, e-mail accounts and other personal
identities. Viruses and malware have been attached to destroy         information [4]. Additionally, the e-mail messages which have
victims’ computer systems or spy on them in the hope of               been sent to all of the contacts in an e-mail address book may
obtaining information. This paper focuses on discovering              contain viruses, worms, or malicious software which replicate
vulnerabilities of phishing e-mail attacks against online users.      themselves into the message [5]. For instance, the ‘Forgotten’
Strategies of acquiring e-mail addresses for counter-attack will      worm which was written in Visual Basic Script spread without
be identified. Additionally, the author uses examples to illustrate
                                                                      any attachment. Instead, the worm code was embedded into
e-mail vulnerabilities by using different investigating techniques
to analyse cases.                                                     the HTML formatted message body [6]. Also, the ‘I Love
                                                                      You’ worm exploited an ActiveX vulnerability and was
                                                                      executed just by viewing or previewing the e-mail message
                       I. INTRODUCTION                                without opening any attachments [6]. This may result in an
    Phishing refers to an act of stealing confidential                expansion of phishing breaches if receivers see what they
information on the Internet without users’ authorization and          think is their friends’ e-mail addresses in their inboxes.
knowledge [1] and has become one of the most common                   Research has found that there were 5% of recipients who
online attacks. Phishing has been used by phishers to attack          responded to their e-mails which were compromised from
possible victims on the Internet and to gain personal                 phishing senders [1]. This result may increase due to the
information from online users. People, who use the Internet to        number of consumers who have suffered from credit card
transfer money, pay bills, buy products, invest in business,          fraud, identity fraud, and financial loss [1]. The research also
and donate money to charity, are at risk.                             found that 2,000,000 e-mails have been sent by phishers or
                                                                      spammers. These may have gone to legitimate e-mails in 5%
    There are two primary methods of phishing attacks, either         or 100,000 e-mail addresses. It was estimated that 5% or
or both may be used in one attack. Firstly a forged return            5,000 of people receiving the phishing e-mail responded [7].
address where phishers attach a hoax e-mail address in the            At this stage, only 2% or 100 people gave their personal
‘Return to’ tag without the recipient’s notification. Secondly,       information [7]. Reference [5] described how phishers may
phishers may register a domain name similar to a legitimate           benefit from attacks:
business’ e-mail address [2]. There are also many techniques
used to acquire e-mail addresses; for instance stealing e-mail           The profit from spamming can be significant. If a
addresses from mail account websites, such as yahoo and                  spammer sent out spam to six million users for a
hotmail, particularly from the carbon copy (CC:) bar of the e-           product with a sale price of $50 that cost only $5 to
mail address. Phishers may employ an open proxy to cache                 make, and if 0.001 percent of the recipients responded
web pages or to firewall a network: the better way of doing              and bought the product (a typical response rate), the
this is to rent or grow a bot net to control compromised                 spammer would make over $270,000 in profit (p.103).
computers [3]. They may buy stolen e-mail addresses from
crooked employees or competitors, use some phishing kit                        Phishing breaches on the Internet have an impact not
tools to suck live e-mail from mailing websites or create a           only on general users, but also on organizations and security
program to steal information including e-mail addresses.              departments. US-CERT reported that one effect of this
Phishing e-mail uses social engineering techniques to                 vulnerability was that users may suffer from e-mail attack just
compromise recipients with interesting or fear-causing subject        because of opening a Word document that has been attached
lines or e-mail content, for example ‘password disclosed’,            to an e-mail message [8]. This could give the attacker
‘money lost’, or ‘work from home and get $200 a day’.                 complete control of the system. The risk is significant, and yet
                                                                      there has been no way of handling this risk beyond avoiding
opening the document.d0c, note the digit ‘0’ rather that the                Trojans can activate automatically and become embedded
lower case ‘o’, and other untrusted documents [9].                          inside the user’s machine. Whenever the customer logs into a
                                                                            website and provides personal details, the Trojan software will
           III. PHISHING E-MAIL TECHNIQUES                                  record the data and send it back to the phishers without the
In general, users may get trapped by phishers or spammers                   user’s knowledge.
through e-mail receipt. They may give information to the
sender directly and deliberately or simply by opening the e-                          E-mails and websites are created from Hyper Text
mail. The processes of phishing are illustrated by two primary              Markup Language (HTML), a text-based structure. To be able
scenarios below:                                                            to view e-mails, HTML viewers such as Internet Explorer
                                                                            (IE), Mozilla Firefox, Netscape Navigator and many web
                                                                            browsers are required. Some websites allow users to view
  Customer has received a                  Customers provide
                                                                            their e-mail in different views, as is shown in Fig. 3. E-mail
  phishing e-mail that asks                information                      can be viewed in a plaintext as in the middle figure, a normal
  for information                                                           web based view which supports graphic user interface on the
                                                                            left figure, and basic HTML source code on the right figure.
                                                                            Source code can be viewed from every mail daemon by
                                                                            selecting View Source from the right click button.
                                           Phisher has used
                                           information from
                                           customer for fraudulent

    Fig. 1. A Simple Process of Phishing E-mail [adapted from 3, p.11]

 Customer has               Spyware                  Customer has
 received a                 will be                     recorded
 phishing e-mail            operated                  information
 that asks for              and                     with keystroke
 information                embedded                 logger while
                            into user’s             surfing the Net
                                                                                     Fig. 3. The Different Types of E-mail Viewers in Gmail

                                                                                      The Web based view is more convenient, more
                            Phisher has              Spyware has            attractive, and easier to see. Thus, people may prefer checking
                            used                       recorded
                                                                            e-mail through the web based view in which users can see
                                                                            images, and animated icons, rather than the plaintext view
                            information              information
                                                                            which only displays a blank dialog box with its list of figures.
                            from                     for phishing
                                                                            The graphic user interface view takes up bandwidth to
                            customer                    sender              download pictures, symbols and scripts. Scripts, such as
                                                                            JavaScript, ActiveX, Visual Basic Macros, are dangerous and
                                                                            may lead to infection by phishing and malware attacks, yet
                            purposes                                        they are legitimately used in web or office applications. In
                                                                            fact, users do not need to install scripts unless they are being
                                                                            forced by businesses that require scripts in order to perform
                                                                            online services such pay bills, and check account balances.
 Fig. 2. A More Complex Process of Phishing E-mail [adapted from 3, p.11]
                                                                                     There are many techniques that phishers use to send
                                                                            e-mails without being caught by spam filters. One of the very
        Fig. 1 above shows the process by which customers                   common techniques used to avoid spam filters is breaking the
may reveal personal information during a phishing attack. In                trigger words with HTML commands. This technique allows
more complicated cases, as shown in Fig. 2, where the                       the unsolicited mail to bypass trigger words, such as money,
phishing e-mail contains malware such as Trojans or                         free, home, and winner [3]. Besides, there are some fancy
backdoors inside the e-mail, users do not even need to provide              words contained in e-mail, which may deceive spam filters to
any information. As soon as the mail has been opened, the                   overlook e-mails. Types of fancy words can be:
        Deceptive text with symbols and digits such as,                IV. SIMPLY IDENTIFYING PHISHING E-MAILS
         @h0me (at home) , Ietter (letter), em@il (e-mail), &
         (and), and rep1@ce (replace) [10].                                 Most e-mail filters have been set up by users to
        Hiding trigger words with chatting phrases such as,       identify phishing e-mails which contain words such as
         D’ ya mizz fishing n’ viiiruusses? Plz n’roll ur pl@ce    ‘money’ or ‘XXX’ [11]. In addition, trigger words such as
         b low 2 j0In us. These can be evaluated as ‘Do you        home, free, Viagra, or winner may be included in phishing e-
         miss phishing and viruses? Please enrol your place        mails [3]. If the spam filter finds these words in an e-mail, it
         below to join us.’                                        will be moved automatically to a junk mail or bulk-mail folder
        Using creative messages to avoid spam filter such as,     [11]. Analysing an e-mail header is another way to verify a
         sp (^.^)am & mal >O.O<!!ware. This include hiding         phishing e-mail. In normal view, an e-mail header includes
         spam within the creative icon, for instance,              source (From:), destination (To:), subject, date and time, and
                      ......oooO...............                    the options of blind carbon copy (BCC:) or carbon copy
                      .....(....).....sp..am...                    (CC:). E-mail users can only see a normal view; they cannot
                      ....(...)../...phi..sh....                   see the full e-mail header unless they have previously set up
                                                                   the View full header mode. In MS Outlook one may view full
         Interestingly, the anti-HTML filter seems to be the       headings by selecting the View menu, then Show Fields to see
technique most often used so that spam filters do not see the      a dialog box which contains useful information [12]. In Yahoo
trigger words. This section illustrates an example of using        the user can view headers by selecting Full Header in the right
HTML code to bypass spam filters in different ways. The            bottom menu in the inbox. Hotmail users can view full
spam filters will consider these structures as normal coding. In   headers by selecting View Source from the right click button
normal web browsers, online users will see these structures as     which points over a particular e-mail message that users want
in normal text.                                                    to be read in the inbox.

                                                                            The following example is another case of an actual
                                                                   spam e-mail in which the author used various techniques to
                                                                   identify an unsolicited e-mail header. Although the example
                                                                   was not a type of phishing e-mail, yet the same procedures or
                                                                   techniques may be used to verify suspicious e-mails.

                                                                                        Fig. 5. Full E-mail Header
                Fig. 4. Avoid Spam Filter with HTML
                                                                             Fig. 5 shows a spam e-mail which has been reviewed
          Fig. 4 shows various types of HTML source code           through Thaimail, a Thai e-mail server. Deciphering e-mail
created to deceive spam filters. The first example in bold font    headers can identify an actual sender, a factual receiver, date
uses a tiny font size <font size=”1”> to separate parts of the     and time e-mails have been sent, and the content of e-mail
‘Phishing’ word so that the gap between ‘Phis’ and ‘hing’ is       messages [13]. In simple verification, this e-mail can be
invisible. Next, example 2 uses a comment tag <!----> to           identified from the sender and receiver sources. The sender
separate the trigger word such as ‘Spam’ to become ‘Sp’ and        parts can be seen on Return-Path and From lines whilst the
‘am’. Example 3 shows that creating a block of table               receiver parts can be seen on X-original-To, Delivered-To,
<table><td> to separate every letter of ‘SPAM’ avoids the          and To lines according to this figure. The figure revealed that
spam filter; however, in the web browser it still can be seen as   the information in the sender lines was fortunately matched to
one word. Lastly, example 4 uses command ‘&nbsp;’ which            each other. Conversely, the receiver lines of the recipient were
refers to a space tab to separate all the letters in ‘PHISHING’.
not the same. These errors could indicate that this was a spam     to find their actual web pages, they both turned up as default
e-mail. In fact, the most important part of the e-mail header is   unsubscribed pages as in Fig. 6 below:
the ‘Received: from’ section. Multiple ‘Received’ fields may
refer to the transition of the e-mail being transferred. The
bottom paragraph identifies an initial source of e-mail as
highlighted. This paragraph indicates where the e-mail
originated and who was the actual sender. Thus, it was found
that the mail was sent from a machine calling itself helper—
ivdos.net. The sender could not identify the mail server that
had been used to send the e-mail; however, it revealed an
associated IP address of the sending machine which was The message was sent through the mail server
g3.thaimail.com, with which the recipient has an e-mail
account. The receiving machine, running the mail server
g3.thaimail.com, assigned the ID number 86F2A28C85. This
ID is an internal number used by the mailer daemon to
identify the message in its log files [14]. The message was
addressed to nattato@thaimail.com on Sunday, September 14,
2008 at 01.36.39 in the Bangkok time zone.                                             Fig. 6. The Spam Webpage

          In the Receive field itself, the most important                    It may be assumed that these unsubscribed web pages
information that can be claimed to identify sender source is       are spam web pages which require users to enter their e-mail
the IP address. The IP address reveals the sending device          address. After an e-mail address has been submitted, it would
identification [15], and may be used to track sending domain       probably be sent to all spam e-mail senders or hackers who
names in the NS lookup However, the IP can be hidden,              may want to use users’ information in order to conduct
shared, and forged (spoofed) [15]. Therefore, various              inappropriate activities. Furthermore, these two IP addresses
techniques may be required to examine it. Firstly, it is           have been linked to a company named ColoSite, LLC in
necessary to check the source of the sender and its associated     Texas, US, a Computer Facilities Management Services
information. The e-mail was received from sender machine           Provider. This company may be a spammer who registered the
named helper—ivdos.net with its unknown mail server but            fake mail servers and websites such as helper—ivdos.net and
this name was associated with the IP address        unix.online—instant—news.net in order to send e-mails to
in the parentheses. Using NSlookup to verify these details, the    attack Internet users. In more detail, this company owns a
author found that the helper—ivdos.net has a different IP          block of IP addresses, which
address from the one displayed. Similarly, this IP address did     means if any IP address is registered within this range, it must
not belong to the helper—ivdos.net. It could be assumed that       have been released from the ColoSite.
either or both the sender name and IP are forged. The next                   To investigate further, the ColoSite, LLC was
step was to find out more information about these two              searched to find out more information about its company. The
identities from Autowhois, Domain Dossier, or the Zoneedit         researcher found that it has been shown in ASPEWS, an RBL
web based DNS lookup and Reverse lookup to see if they are         blacklist, that the ColoSite, LLC Company is a spam website.
related to any further information. The author found that these    The author continually searched the mail server e-mail
two identities have been linked to Enom, Inc, a domain name        news—to—inbox.com displayed in the From: line. If this
and online service provider. E-mail senders may use this           domain was a real sender and had a valid address, one could
domain name to register themselves and may create phishing         find some information about it. This assumption was true; this
or spam mail servers and send e-mail. The Enom site owners         domain had been found in joewein.de LLC, a website which
may not even know that the phisher or spammer helper—              has listed many spam blacklists including the news—to—
ivdos.net used Enom resources to attack Internet users. Hence,     inbox.com.
it should have been reported by writing an e-mail to
abuse@enom.com (abuse@ followed by the domain name                           The final analysis is verifying the e-mail content
which may be suspected to be forged) [15]. Another way to          which seems to be the easiest method in this investigation. As
inform Enom is for the recipients to use information from the      in Fig. 7 below, this e-mail was sent from a suspicious address
Whois program to contact the company. Additionally, the            according to the given address at the bottom of the e-mail.
author found that helper—ivdos.net has verified its IP address     This e-mail claimed that it came from a software company
as whereas the IP address that         named TV2PC Software, which is located at Plaza Neptuno,
showed in the e-mail header belonged to the domain name            local #7, Via Ricardo J Alfaro, Tumba Muerto Panama
unix.online—instant—news.net. More interestingly, when             Ciudad, Republica de Panama. There was no postcode given,
typing IP and IP in the URL bar        nor contact number to call beyond the attached links to look
                                                                   for more details. This e-mail asked recipients to download
software and read more details by clicking on the given links.    danger of spam attached to e-mail. Organizations need to
However, these links, as shown in blue fonts in Fig. 7, were      implement strong security policies to eliminate unnecessary
linked to the same URL which was http://news--to--                risks. Home users may install anti-virus software and anti-
inbox.com/re.php?Ink=... shown while the mouse was over the       spyware as well as using firewalls. Governments might also
links. It is too suspicious for multiple links to transfer        inform the general public about the need to be alert to the
themselves to the one exact unsubscribed web page which           dangers of cyberspace and how to use the Internet safely.
requires recipients to confirm his/her e-mail. Noticeably these
links did not refer to an actual website; they were designed to
record the e-mail addresses of recipients as mentioned above.                           REFERENCES
From the content one can also assume that this is an unreliable
e-mail which may hook recipients to be cyber victims.             [1]     Binational Working Group, "Report on Phishing,"
                                                                          the Minister of Public Safety and Emergency
                                                                          Preparedness Canada and the Attorney General of the
                                                                          United States 2006.
                                                                  [2]     A. Emigh and R. Labs, "Online Identity Theft:
                                                                          Phishing      Technology,         Chokepoints    and
                                                                          Countermeasures," Anti-Phishing Working Group
                                                                          (APWG), 2005.
                                                                  [3]     R. Lininger and R. D. Vines, Phishing: Cutting the
                                                                          Identity Theft Line. Indiana: Wiley Publishing, Inc.,
                                                                  [4]     Avira. vol. 2008: Avira, 2008.
                                                                  [5]     M. Ciampa, Security Awareness: Applying Practical
                                                                          Security in Your World (Second Edition).
                                                                          Massachusetts: Course Technology, a division of
                                                                          Thomson Learning, Inc., 2007.
                                                                  [6]     G. E. Boyd, "Configuring Mail Clients to Send Plain
                                                                          ASCII Text." vol. 2008: Expita.com, 2004.
                                                                  [7]     M. Mckeay, "Phishing statistics." vol. 2008:
                                                                          Computerworld Inc. , 2006.
                                                                  [8]     US-CERT, "National Cyber Alert System- Technical
                                                                          Cyber Security Alert TA07-089A: Microsoft
                  Fig. 7. The Forgery Links                               Windows Animated Cursor Buffer Overflow." vol.
                                                                          2008: Department of Homeland Security, 2006.
          This paper has identified concepts and techniques       [9]     US-CERT, "National Cyber Alert System- Technical
used in phishing attacks and described how to identify e-mail             Cyber Security Alert TA07-089A: Microsoft
headers from different resources. It was designed to help                 Windows Animated Cursor Buffer Overflow." vol.
readers to be able to identify their own e-mail address as well           2008: Department of Homeland Security, 2007.
as becoming aware of the threats associated with e-mail           [10]    R. Dhamija, J. D. Tygar, and M. Hearst, "Why
attacks. Anti-spam software such as Spybot and McAfee Anti-               Phishing Works," Harvard School of Engineering
Spam should be installed in addition to enhance and                       and Applied Sciences MA 2006.
strengthen computer and network security systems. Spam            [11]    D. P. Hamilton, "E-Commerce (A Special Report):
filters on web based mail servers should be activated to filter           Selling Strategies --- You've Got Mail (You Don't
possible spam mails. Stay up-to-date with security patches as             Want): E-mail spam is remarkably successful -- and
updated anti-spam and anti-virus may protect the computer                 annoying," April 23 ed: Wall Street Journal (Eastern
and system from malware attacks [16]. Internet use policy and             Edition), 2001, p. R.21.
e-mail use policy for both public and private sectors should be   [12]    R. Farrow, "Revealing E-mail Headers," Network
introduced to encourage employees or members to use                       Magazine, vol. 15, p. 100, 2000.
resources appropriately.                                          [13]    I. IC Group, "Examples of Valid Email Headers ".
                                                                          vol. 2008: Pobox, n.d.
                     V. CONCLUSION                                [14]    G. E. Boyd, "Tracking E-mail - Part 1." vol. 2008:
                                                                          Expita, 2003.
This paper has outlined the general dangers associated with       [15]    R. Goldsborough, "Deciphering E-mail Headers,"
phishing and has analysed examples of attacks on the                      Office Solutions, vol. 24, p. 43, 2007.
researcher. Further work is needed in this area so that the       [16]    C. Sun, "SPAM FILTERS: Making Them Work,"
serious issues of phishing are exposed; government,                       Computerworld, vol. 42, p. 36, September 22 2008.
businesses, and individuals need to become more aware of the
Nattakant Utakrit ©2008 The Ninth Postgraduate Electrical
Engineering & Computing Symposium (PEECS 2008). The
author/s assign PEECS 2008 a non-exclusive license to use
this document for personal use provided that the article is used
in full and this copyright statement is reproduced.
Such documents may be published on the World Wide Web,
CD-ROM, in printed form, and on mirror sites on
the World Wide Web. The authors also grant a non-exclusive
license to PEECS 2008 to publish this document in full in
the Conference Proceedings. Any other usage is prohibited
without the express permission of the authors.

To top