
FYI antiphishing example, Google, Amazon, Paypal


davidh
May 11th, 2006, 02:30 PM
Example of anti-phishing in google mail.

I thought this might be interesting to someone who has never looked into the details of how phishing HTML works.

When viewing a message body in google mail, you can click "More options" and then click "Show original" to see the full HTML text of the original message. Here is what a piece of the original message containing a phishing attack looked like when I clicked "Show original":

<br>
<a href=3D"http://www.ucoresoft.com/amazon.com/secure/login.htm">https=
://www.amazon.com/cgi-bin/webscr?cmd=3Dlogin-run</a><br>
<br>

---------------------------------------

And here is what the phishing link looked like when I selected the phishing link text with the mouse and then right clicked (in Firefox) and chose "View selection source" from the pop-up menu:

<br>
<a>https://www.amazon.com/cgi-bin<wbr>/webscr?cmd=login-run</a><br>
<br>

Notice the "<wbr>" tag (inserted by google) in the middle of the fake link. Of course, since the "href" is gone (intentionally deleted by google), the link no longer works. Thank goodness.

I did NOT try to go to the phishing site on ucoresoft.com out of fear that they might already have an implementation of some malware even able to attack my PC via the latest release of Firefox. However, I assume that the ... ucoresoft.com/amazon.com ... site probably is virtually indistinguishable from the real Amazon site (at least to an untrained eye).

Google mail had already put this message into my google spam folder and in addition it also inserted a big red banner warning into the message in the form of the message displayed in the regular google webmail message reader (not the same as the "Show original" version of the message).

Since I was viewing the message via the browser in the (google) webmail view, the original was still available. However, if I had somehow been able to view it via POP3 mail (also possible in free google mail), I assume that the warning banner and the intentionally disabled phishing link would be in the POPPED message, but not the original version. Of course, this could/should never happen in practice, since google puts phishing mail into the spam folder in its webmail and such spam messages are never available for POP3 mail (unless perhaps you stupidly intentionally manually move them to your regular google webmail inbox).

I assume Yahoo webmail anti-phishing works similarly since my wife got a PayPal phishing attack in her Yahoo mail and the phishing link did not work, thank goodness. I'm guessing/hoping that if the Yahoo message did not have a warning banner then they just deleted the phishing part of the link and left the "valid" part. At least in these two instances, even the "valid" part of the link (when copied and pasted into the browser) came up with a "page not found" anyway.

David H.

P.S.
Just checking that UNchecking "Automatically parse links in text" DOES work too.
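As an added example (not code from the post or from Google), here is the mechanism David describes reproduced end to end: decode the quoted-printable fragment as "Show original" displays it, flag anchors whose visible text is itself a URL on a different host than the href, and rewrite them the way the disabled link appeared (href dropped, <wbr> inserted before the last path segment). The host names are the ones quoted in the post; the detection rule and the exact rewrite are assumptions about the behaviour observed, not Google's implementation.

```python
import quopri
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the quoted-printable form "Show original" displays
# (hypothetical host names echoing the post, not a live indicator).
RAW_QP = (
    '<a href=3D"http://www.ucoresoft.com/amazon.com/secure/login.htm">https=\n'
    '://www.amazon.com/cgi-bin/webscr?cmd=3Dlogin-run</a><br>\n'
)

def decode_qp(raw):
    """Undo quoted-printable: =3D becomes '=', a trailing '=' rejoins a soft-wrapped line."""
    return quopri.decodestring(raw.encode()).decode()

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a>...</a> in a message body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text, self._in_a = [], None, [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text, self._in_a = dict(attrs).get("href"), [], True
    def handle_data(self, data):
        if self._in_a:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._in_a:
            self.anchors.append((self._href, "".join(self._text)))
            self._in_a = False

def looks_deceptive(href, text):
    """The pattern in the post: the link text is itself a URL, but its host differs from the href host."""
    shown = text.strip()
    if not href or not re.match(r"https?://", shown):
        return False
    return urlparse(shown).hostname != urlparse(href).hostname

def neutralize(html):
    """Apply the mitigation the post observed: drop the href and insert <wbr> before the
    last path segment so an auto-linker will not turn the text back into a link.
    Returns (cleaned_html, [flagged (href, text) pairs])."""
    parser = AnchorCollector()
    parser.feed(html)
    flagged, out = [], html
    for href, text in parser.anchors:
        if looks_deceptive(href, text):
            head, _, tail = text.rpartition("/")
            broken = f"{head}<wbr>/{tail}" if head else text
            out = re.sub(r"<a\b[^>]*>" + re.escape(text) + r"</a>", f"<a>{broken}</a>", out, count=1)
            flagged.append((href, text))
    return out, flagged
```

Run neutralize(decode_qp(RAW_QP)) and the cleaned anchor comes out exactly as the "View selection source" snippet above shows it.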

Judy G. Russell
May 12th, 2006, 09:57 AM
Notice the "<wbr>" tag (inserted by google) in the middle of the fake link. Of course, since the "href" is gone (intentionally deleted by google), the link no longer works. Thank goodness.

Very nice. Good to hear somebody is being proactive about this.

Gary Maltzen
May 12th, 2006, 12:33 PM
I assume Yahoo webmail anti-phishing works similarly since my wife got a PayPal phishing attack in her Yahoo mail and the phishing link did not work, thank goodness. I'm guessing/hoping that if the Yahoo message did not have a warning banner then they just deleted the phishing part of the link and left the "valid" part.

More likely the site has already been taken down. In addition to checking the ownership of the phish domain, I routinely look up the IP of the web host to which the phish actually leads and then the ISP managing the IP block. Frequently the host-to-IP mapping is already gone by the time I get there or the site is non-responsive.