Hook, Line, and Sinker – Internet Phishing Expeditions
Hook, Line, and Sinker – Internet Phishing Expeditions
Don’t get suckered by scam emails requesting
you to provide personal or financial information. Hmm, what’s
this message from eBay in my inbox?
"Dear eBay User,
During our regular update and verification of accounts, we couldn’t
verify your current information. Either your information has changed
or it is incorrect.
If your account information is not updated to current information
within 5 days, then your access to bid or buy on eBay will be suspended.
Go to the link below, and re-enter your information.
Click here to update your account.
***Please Do Not Reply To This E-Mail As You Will Not Receive A
Copyright ©1995-2005 eBay Inc."
Welcome to the world of Internet Phishing Expeditions!
You’ve just received a “phishing” email –
one that casts out some “social engineering” bait to
sucker you into clicking on the link to update your account information.
The problem is that doing so will really take you to a look-alike
web site that’s been setup to net your personal account information
and use it for criminal purposes!
After reeling in your account details, the scammers will usually
pass you along to the actual web site of the business they’re
imitating; meanwhile, they’ll use your account to make purchases,
withdraw funds, and access your paid services. You may not know
there’s anything fishy about it until you start having checks
bounce or see unauthorized expenditures on your credit card or bank
The fake web site could also attempt to install a “worm,”
such as a keystroke capturing tool to harvest your other userids
and passwords and send them to the ne’er-do-wells to use.
It could even try to install a “botnet” program that
recruits your PC into a network of “zombies” –
systems that can be remotely controlled for criminal purposes such
as sending spam emails or launching Denial of Service (DoS) attacks
on corporate web sites!
There’s Plenty of Phish in the Sea
The term "phishing" was coined in 1996 by hackers who
were stealing America On-Line accounts by scamming passwords from
unsuspecting AOL users. (Hackers will often replace letters with
other letters or numbers that sound or look similar. They like to
think that this makes them “1337” or “LEET”
– hacker-talk for “elite.”)
Often these phishing attempts will pose as concerned email messages
from banks, credit unions, online stock trading companies, major
retailers, Internet service providers – any institution that
handles financial transactions for a large number of customers.
The messages use the return email address, logos, fonts, formatting,
and slogans of the company they are trying to imitate, and usually
contain urgent warnings requesting you to take action such as the
“We recently noticed one or more attempts to login to your
account from a foreign IP address. Please visit PayPal as soon as
possible to verity your identity.”
“Your primary email address for Bank of America has been changed.
Did you know? You can change your address, order checks, and more
online. Sign in for online banking.”
“Dear Chase customer: This is your official notification from
Chase Bank that the service(s) listed below will be deactivated
and deleted if not renewed immediately. … Login to your Chase
All of the above are excerpts from actual phishing emails. You
can see an updated list and examples of reported phishing emails
Something Smells Phishy
One way to tell if the link in the email is legitimate or not is
move your mouse pointer over the website link in the message, then
look at the bottom of the window of your email application –
many of them (Outlook and Outlook Express for example) will show
you the actual URL embedded in that link. Does it point to the “real”
Or if you do click on a link to a suspected phishing web site (which
I do NOT recommend, as it could even try to download a “Trojan”
or virus to your PC!), look closely at what’s in the address
bar in your web browser.
Either way, a scammer site will usually contain a different “.com”
address or an actual “dotted decimal” IP address in
place of the URL for the real company. However, they may also include
the real company’s address after the slash (/) following their
own site’s address, such as this example from a Sky Bank phishing
Only the left-most “.com” address or the IP address
(as shown above) actually direct you to the scammer’s web
site; the rest of the address points to the directory path on their
web site where the (fake) web page files are stored. In the above
example, the URL points to the web server at “220.127.116.11”
– everything after that makes it look like it’s Sky
Bank’s site, but it’s really just a path to a specific
page on the phishing site that prompts you for your account ID and
Another trick scammers may use is to setup a domain name that looks
like the real one but substitutes one or more look-alike characters.
For example, someone could setup a domain name such as www.micr?soft.com
- but the middle ‘o’ in “microsoft” that
I used here is actually the Greek ‘Omicron’ character
‘?’ – they look the same, but are actually different
characters which would point you to different domains. If you suspect
a look-alike a URL may be used, manually type in the proper URL
in your web browser’s address bar to make sure you go to the
Is there a foolproof way to tell if an email you’ve received
with website links in it is valid or not? The above tips can help,
but the scammers are getting better at hiding their tracks all the
time. One basic rule to follow is this: any reputable financial
institution or business should never send you an email requesting
you to provide personal account information online. They already
have your account information – you shouldn’t have to
verify it other than for the usual sign-up processes for a new member!
About the Author
David Green has wrassled
with networking gear for 19 years and has so far managed to retain
both his hair and his faith (more of the latter, though). He is
the founder and president of NetGreen Consulting, Inc., (www.netgreenconsulting.com)
which provides "self-service" websites, network analysis,
and Internet security consulting services, including Common Criteria
Certification documentation. He can be reached at firstname.lastname@example.org.