I received a phishing email the other day. Phishing is pronounced like “fishing”, but unlike the time-honored activity of trying to catch a fish, phishing is the attempt to fool a person into revealing their personal information.

Believe it or not, there are websites devoted to sharing information on how to phish. These websites contain everything needed to run a phishing campaign, with posts on everything from creating a phishing website to sending official-looking emails. The intent is to trick unsuspecting users into giving up their passwords or personal information.

A Facebook phishing expedition
The phishing email I received said it was from “The Facebook Team.” The subject was “Facebook Password Reset Confirmation.” It had a ZIP file as an attachment. Here’s the body of the original email I received:

From: The Facebook Team [service@facebook.com]
Subject: Facebook Reset Confirmation

Attachment: Facebook_Password_bc42b.zip

Hey wjohnson ,

Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in attached document.

Thanks,

The Facebook Team

Phishing email clues:

  1. Unsolicited email
    • I never requested an account reset
  2. The subject
    • Facebook Password Reset Confirmation – see reason #1
  3. The salutation of the email starts with “Hey wjohnson,”
    • That’s part of my email name, but nobody addresses me as wjohnson.
  4. “Your password has been changed.”
    • If it has already been changed, why would I need to confirm it?
    • Wouldn’t it be more likely that you would confirm a request in order to change the password?
  5. The ZIP file attachment
    • Tech support doesn’t usually attach any kind of file to an email unless you specifically requested it.
    • ZIP files are commonly used to hide executables, which may contain a virus.
    • FYI: This attachment did contain an executable, which I did not execute.

I have an Assassin for a friend

The Assassin’s name is SpamAssassin. This software runs on my email server and detects potential email threats before I receive them. If it believes an email is a potential threat, it steps into action.

SpamAssassin safety measures:

  1. Wraps the message in a new email whose subject is [SPAM] followed by the original subject
  2. Describes in the email body why the email is considered a threat
    Spam detection software, running on the system “*.com”, has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn’t spam) or label similar future email. If you have any questions, see the administrator of that system for details.
    Content preview: Hey wjohnson , Because of the measures taken to provide safety
    to our clients, your password has been changed. You can find your new password
    in attached document. Thanks, The Facebook Team […]
    Content analysis details: (29.7 points, 5.0 required)
    pts  rule name              description
    ---- ---------------------- --------------------------------------------------
    4.4 HELO_DYNAMIC_IPADDR2 Relay HELO’d using suspicious hostname (IP addr2)
    4.2 HELO_DYNAMIC_SPLIT_IP Relay HELO’d using suspicious hostname (SplitIP)
    1.0 KB_DATE_CONTAINS_TAB KB_DATE_CONTAINS_TAB
    5.0 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
    [219.130.197.55 listed in zen.spamhaus.org]
    5.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
    3.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
    [219.130.197.55 listed in dnsbl.sorbs.net]
    1.2 SPF_NEUTRAL SPF: sender does not match SPF record (neutral)
    2.6 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
    2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
    [Blocked – see <http://www.spamcop.net/bl.shtml?219.130.197.55>]
    1.0 KB_FAKED_THE_BAT KB_FAKED_THE_BAT
    0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
    The original message was not completely plain text, and may be unsafe to open with some email clients; in particular, it may contain a virus, or confirm that your address can receive spam. If you wish to view it, it may be safer to save it to a file and open it with an editor.
  3. It attaches the offending email for further examination.

NOTE: If I want to see who is associated with the IP addresses listed in the SPAM report, I perform an IP lookup using the tools found at DomainTools.com.

What is so cool about SpamAssassin is that it is right most of the time. I would rather deal with a mislabeled message than deal with the threat directly. So far, in my experience, it has caught the phishing emails every time. If it looks or smells like SPAM, it’s going to flag it.
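To show how the score in the report above is arrived at, here is a small parser I added for the “Content analysis details” block (my own example code, not part of SpamAssassin or of the original post). It sums the per-rule points, compares the sum with the threshold and with the score SpamAssassin itself reported, and separates out the DNSBL (“RBL:”) rules, which scored this relay’s reputation alone well past the 5.0 required. The sample text is constructed from the report quoted above.

```python
import re
# Constructed sample: the "Content analysis details" block of the SpamAssassin
# report quoted above, with the bracketed RBL details on their own lines.
SAMPLE_REPORT = """\
Content analysis details: (29.7 points, 5.0 required)
4.4 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr2)
4.2 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (SplitIP)
1.0 KB_DATE_CONTAINS_TAB KB_DATE_CONTAINS_TAB
5.0 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
[219.130.197.55 listed in zen.spamhaus.org]
5.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
3.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
[219.130.197.55 listed in dnsbl.sorbs.net]
1.2 SPF_NEUTRAL SPF: sender does not match SPF record (neutral)
2.6 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see <http://www.spamcop.net/bl.shtml?219.130.197.55>]
1.0 KB_FAKED_THE_BAT KB_FAKED_THE_BAT
0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
"""
HEADER_RE = re.compile(r"\((-?\d+(?:\.\d+)?) points, (\d+(?:\.\d+)?) required\)")
RULE_RE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)\s*(.*)$")

def parse_report(text):
    """Return (reported_score, required, hits), each hit being [points, rule, desc].
    A line not starting with a score continues the previous rule's description."""
    reported = required = None
    hits = []
    for line in text.splitlines():
        if (m := HEADER_RE.search(line)):
            reported, required = float(m.group(1)), float(m.group(2))
        elif (m := RULE_RE.match(line)):
            hits.append([float(m.group(1)), m.group(2), m.group(3).strip()])
        elif hits and line.strip():
            hits[-1][2] += " " + line.strip()
    return reported, required, hits

def verdict(text):
    reported, required, hits = parse_report(text)
    total = round(sum(h[0] for h in hits), 1)
    dnsbl = [h for h in hits if h[2].startswith("RBL:")]  # relay-reputation rules
    return {
        "total": total,
        "spam": required is not None and total >= required,
        # If the rule sum disagrees with the header, lines were lost (truncated
        # or garbled report) and the verdict should not be trusted.
        "consistent": reported is not None and abs(total - reported) < 0.05,
        "dnsbl_rules": [h[1] for h in dnsbl],
        "dnsbl_points": round(sum(h[0] for h in dnsbl), 1),
    }
```

Running `verdict(SAMPLE_REPORT)` gives a total of 29.7 that matches the header, with 15.2 of those points coming from the four DNSBL rules alone.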

What should you do about those phishing emails:

  1. DO NOT CLICK on anything inside the email
    • Clicking a link inside a phishing email could prove detrimental to your identity. There are sharp hooks attached.
  2. DO NOT open any document attached to the email
  3. You can quickly verify whether your password has been changed
    • Visit your social network the way you usually would.
    • For most people, their browser defaults to their favorite social network as its homepage.
    • Log in as you usually would. My bet is the password wasn’t changed at all; someone was phishing for it.
  4. If your trusted social network has a program for reporting phishing emails, follow its suggestions
    • Usually they will ask you to forward the email you received.

A suggested email policy:

  • DO NOT trust unsolicited emails
  • DO NOT open any email attachment unless you specifically asked the sender to send you a file
  • If you didn’t request an email that has an attachment, trash it
  • DO NOT click on any link, period, unless you know the source
  • Make sure your computer has anti-virus software installed