Security News
Harder and harder to detect phishing: New types of phishing emails in the wild
Wed, 29 November 2006
Tettnang, 29 November 2006 - As previously described in our October Virus Top 10, most phishing emails received in recent months are the usual PayPal and eBay ones. These are the classic type, which try hard to make the emails look like, or better than, the originals (see Figure 1). This is partly why they are so easily detected.

Figure 1. The usual PayPal phishing emails
However, in recent weeks, new trends in phishing emails have been noticed: plain text messages with a new structure and unobfuscated links to the phishing website.
The phishing emails seem to come from two well-known organizations, eBay and Sears Cards. Their content can hardly be detected as phishing when using known dedicated techniques.
By writing emails in plain text instead of rich HTML, the attackers try to avoid the “shameful detection” of being classified as simple spam. On the one hand, rich content is usually a strong indicator of spam; on the other hand, it makes the emails look more real, tempting more users to click. In plain text emails, links can no longer be spoofed, so they do not trigger the antiphishing mechanisms of email clients.
There are two different sources of the same phishing campaign. In the first one, the links are written with IP addresses instead of domain names, which is a strong indicator of an email scam. In the second one, as in Figure 2, a domain name is used, which makes the emails look less dangerous to an untrained eye. The strongest phishing indicator in this message is the obfuscation of the original URL in the fake link.

Figure 2. The Sears phishing email with host name
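A filter can check for both indicators described above without relying on HTML link spoofing. The following is an added example, not code from the original article: the brand list, the sample message and its URLs are constructed, and it assumes that "obfuscation of the original URL" means the brand's name appears in the link while the real host is not the brand's domain.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: hypothetical allow-list mapping a brand keyword to its real domain.
BRAND_DOMAINS = {"ebay": "ebay.com", "sears": "sears.com", "paypal": "paypal.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample body (documentation-range IP and .example domain).
SAMPLE = """Dear customer, please confirm your Sears Card details:
http://192.0.2.15/sears/confirm.php
or http://www.sears.com.card-update.example/login
Help pages: http://www.sears.com/help.
"""

def is_ip_host(host):
    """True if the host part is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_url(url):
    """Return the list of phishing indicators found in one URL."""
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return ["unparseable-url"]
    findings = []
    if is_ip_host(host):
        findings.append("ip-literal-host")
    for brand, domain in BRAND_DOMAINS.items():
        on_brand_domain = host == domain or host.endswith("." + domain)
        # Brand named anywhere in the link, but the host is someone else's.
        if brand in url.lower() and not on_brand_domain:
            findings.append("brand-outside-host:" + brand)
    return findings

def scan_body(text):
    """Map each suspicious URL in a plain text body to its indicators."""
    results = {}
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:)")  # drop sentence punctuation
        findings = check_url(url)
        if findings:
            results[url] = findings
    return results
```

The check compares the parsed host against the brand's domain, so a brand name placed in a subdomain label or in the path does not make the link look legitimate.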
The second interesting phishing attack is directed at eBay customers and has the subject “Billing Update” (Figure 3). Plain text emails do not contain a spoofed link. Therefore, this phishing campaign doesn’t count on people to disregard a long link. This is why no obfuscation mechanisms are used and the link appears in plain text, using a freely registered redirector. Another notable feature of these emails is the informal text used to alert the user that his account will be blocked. Of course, it is childish to think that someone could fall into this trap and that eBay would actually write such emails.
However, the attackers didn’t seem to care about this and they even added some random characters in different parts of the emails in order to fool spam filters based only on signatures.
Figure 3. eBay plain text phishing emails