CSI EFFECT - How to spot a phishing website with a click


The crime scene

You clicked (deliberately or by accident) a link embedded in an email you received, or you Googled a well-known site, but the link you clicked brings you to a suspicious webpage.
Something doesn't add up, but you can't say exactly what.

You're up against a phishing scam, and the webpage you're visiting has been created by hackers for the sole purpose of stealing your account or your financial information.

It may be worth clarifying right away that phishing has nothing to do with fishing, even though there's some analogy between the two: just as a fisher lies in wait hoping a fish will fall for his bait, a hacker sets up a website that looks legit (the bait) hoping for a sucker (the fish) to log in to it, in order to steal their personal and financial information; alternatively, he tries to trick you into revealing your user ID and password over the phone with social engineering techniques. In this post, we'll stick to the website scam case.


Defense methods and "CSI effect"

There are several elements and methods to understand whether the site you're visiting is really what it appears to be.

To explain the concept of phishing websites more clearly, I'll use a spam email I received some days ago. The email seems to come from a legit source, i.e. University of Phoenix, a well-known online university, and the logo displayed in it looks authentic, but if you click the embedded link you end up on a webpage that looks suspicious right away.

In fact, its layout looks like a bad, amateurish Dreamweaver job, which is odd for a website like that one, and the URL (Uniform Resource Locator or, in layman's terms, the address of the page you're viewing, i.e. your www.something.something) of the page is cryptic and doesn't look right: degree.uophx.info (DON'T VISIT IT).
This is a red flag, so you want to Google the official webpage of University of Phoenix, which turns out to be www.phoenix.edu (see figures).

That's important information, because the genuine top-level domain of the official website, .edu, is commonly assigned by Internet authorities, such as ARIN (American Registry of Internet Numbers, i.e. the yellow pages for the World Wide Web in North America), to educational websites (e.g. my college website is www.starkstate.edu).

Once you've gotten the correct URL, you can determine the corresponding IP address of the official page with a command (available both on UNIX/Linux and on Windows systems) that, given the hostname of a website, returns its IP address. In OS X you can run Lookup from Network Utility, or nslookup from Terminal.


In Windows nslookup is available from Command Prompt (you need to have administrative rights on the machine).

Running the above-mentioned command, the IP address for www.phoenix.edu turns out to be 206.169.235.211 (write this IP down, because it'll come in handy later).
Now, quoting my Computer Crime class instructor, it's time for some CSI effect. Using the Whois service at http://network-tools.com/, you find out that www.phoenix.edu belongs to University of Phoenix, located in Phoenix, Arizona.

If you use the ping or traceroute services on the Network Tools website for www.phoenix.edu (or enter www.phoenix.edu in the lookup search box), you'll see that the IP for University of Phoenix is the same IP address returned by the lookup (or nslookup) command, i.e. 206.169.235.211 (now you know why you had to write it down). If you're not satisfied yet, you can enter the above IP address in your browser and you'll be brought to the official website once again.

What if we'd like to have more information about the fake website?

After running the nslookup command on degree.uophx.info, we find that it has a totally different IP address (70.42.22.24).

Utilizing the Whois service like we did before, we gather that our phishing website (degree.uophx.info) has nothing to do with University of Phoenix because its IP, according to our results, belongs to Network Solutions, LLC, an ISP (Internet Service Provider) located in Florida.

Therefore, the real owner of that IP is a user who signed up for an account with Network Solutions, LLC, but the only way to track down its complete IP address is to have a subpoena issued by a Federal judge, which can happen only as part of a criminal investigation.

If this is not the case, you can only report the attacker's IP address for abuse in order to have the user account suspended, provided that the IP isn't spoofed or otherwise masked. All ISPs, according to international agreements, maintain a dedicated email address for abuse reports, in the form abuse@providername.domain (e.g. for Yahoo it's abuse@yahoo.com).

Wrap up

You can end up on a phishing website either by clicking a link embedded in an email or by clicking a link included in a Web search.

If you pay close attention to the webpage, though, you will notice several elements that can put you on the right track:
  • The site may utilize a poor/amateurish layout.
  • Its text is often poorly worded, featuring numerous spelling and grammar errors.
  • The URL of the page may be different from the URL of the authentic website. The domain is often different, too.

The attackers behind these malicious websites can be sometimes sneaky.

Trend Micro, a well-established anti-virus software company, reports having detected a phishing website that looks very similar to Twitter's official webpage.

Unlike our sample case, the URL of this phishing site might pass for the genuine Twitter URL to a distracted user, because it reads tvvitter (which is easily mistaken for twitter unless you pay close attention) and its layout looks much the same.

This technique is known as typosquatting (or URL hijacking) and is very insidious.
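As an added example (not code from the original post), here is a small Python checker that applies the three checks described above to a link: does the domain match the official one, is it a look-alike spelling such as tvvitter, and do the two hostnames resolve to the same IP address. The resolver table is constructed so the example runs offline (the two Phoenix addresses are the ones quoted in the post; the Twitter ones are TEST-NET placeholders), and the function names are mine.

```python
import socket
from urllib.parse import urlsplit

# Constructed resolver table so the example runs offline; pass
# resolve=socket.gethostbyname to assess_link() for live DNS lookups.
FAKE_DNS = {"www.phoenix.edu": "206.169.235.211",   # from the post
            "degree.uophx.info": "70.42.22.24",      # from the post
            "twitter.com": "203.0.113.10",           # TEST-NET placeholder
            "tvvitter.com": "198.51.100.7"}          # TEST-NET placeholder
# Character sequences that are easy to confuse in a browser address bar.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l"), ("5", "s")]

def registrable(host):
    """Naive 'brand.tld' extraction: the last two labels (fine for .edu/.com/.info)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def normalize(label):
    """Fold look-alike sequences so 'tvvitter' compares equal to 'twitter'."""
    for lookalike, real in CONFUSABLES:
        label = label.replace(lookalike, real)
    return label

def edit_distance(a, b):
    """Levenshtein distance; catches one-character typos of a brand name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookup(host, resolve):
    """Return the IP for host, or None when the name does not resolve."""
    try:
        return resolve(host)
    except OSError:          # socket.gethostbyname raises on unknown names
        return None

def assess_link(url, official_host, resolve=FAKE_DNS.get):
    """Return the red flags found for url (an empty list means none)."""
    host = urlsplit(url).hostname or ""
    flags = []
    real, seen = registrable(official_host), registrable(host)
    if real != seen:
        flags.append("domain %s differs from the official %s" % (seen, real))
        brand, brand_seen = real.split(".")[0], seen.split(".")[0]
        if normalize(brand_seen) == normalize(brand) or edit_distance(brand_seen, brand) <= 1:
            flags.append("look-alike domain (typosquatting): %s ~ %s" % (seen, real))
    ip_real, ip_seen = lookup(official_host, resolve), lookup(host, resolve)
    if ip_seen is None:
        flags.append("host %s does not resolve" % host)
    elif ip_real != ip_seen:
        flags.append("resolves to %s, the official site is %s" % (ip_seen, ip_real))
    return flags
```

The two-label registrable-domain rule is deliberately simple; country-code suffixes such as .co.uk need a public-suffix list.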

The golden rule to avoid being victim of a phishing scam is to never click a link unless you're absolutely sure it's genuine.

But should you find yourself on a phishing website for any reason, a close analysis of the above elements can put you on the right track, allowing you to surf the Internet more safely.
