Archives


Atom Feed

Associated Blogs
 
Edge City
 
Numbering Peano
 
Praxis101
 
Prof. von Clueless in the Blunder Dome

Recent Items
 
ODMA: The Little Middleware That Could
 
What Programmers Do
 
The Comfort of Open Development Processes
 
Abandoning an M.Sc
 
Relaxing Patent Licenses for Open Documents
 
Windows Media Center's Been Good To Me ...
 
Responding to Hurricane Katrina
 
Consigning Software Patents to the Turing Tar Pit
 
Merchants of Attention
 
Symbols of Trust

Phish Eggs: "We Can't Do Anything About That ..."

I receive one or two phish e-mail daily.  Lately, they have been taking turns threatening me about lock-down of my eBay and PayPal accounts.  They are usually sent to e-mail addresses that I do not use with those accounts.  They also end up in my junk e-mail folder because anything from an unknown sender goes there (including mail that is faked with one of my e-mail addresses because I really don’t spend much time sending e-mail to myself).  I also have all e-mail received in plaintext, so it is very easy to inspect and detect the phish-hook in these.  There are some, involving images, that make it quite difficult to find the hook, but I have been successful, when curious enough, in capturing the HTML and inspecting that for the URL of a compromised system, without actually visiting any sites or fetching images or anything else from an imposter site.  (The legitimate sites should watch how often their images are fetched for other than their pages to gain a sense for the extent of these impersonations, though.)

With all of these defenses in place, I have also began forwarding the few daily arrivals to the appropriate security authorities at the web sites of the impersonated senders.  Some of these are easier to use than others.  Security contact information tends to be buried in the bowels of the site, often obscured completely as sites are updated for mercantile purposes.  The most peculiar condition of the various security centers is that you often need to be an account holder to submit information about fraudulent e-mail (although both amazon.com and Microsoft have public e-mail addresses for contacting their security organizations). 

The odd thing about limiting contact to account holders is that is it is easier, as a member of the public, to notice a likely fraud when I don’t have an account.  Working as I am to maintain my anti-phishing good-citizen merit badge, I notify those institutions, often in distant places, that are unfortunate enough to not have my business.

Today, I failed miserably.  I received an incredibly lame phish email (one each to e-mail addresses that I haven’t given out in years), one so deficient that I wonder if it has some other purpose.  This email had the following amazing announcement, in both plaintext and HTML:

Dear National City Account Holder, During our regular update and verification of the Internet Banking Accounts, we could not verify your current information. Either your information has been changed or incomplete, as a result your access to use our services has been limited. Please update your information by clicking Reply and providing your account login and password. Sincerely, National City Accounts Department.

Please Click Reply?  How 80’s retro.  The subject of the mail is “National City Account Problem” and by golly there’s a reply address, to Customer Service with an obviously-bogus comcast.net address.  I feel like I’ve walked into the middle of a roadrunner cartoon where the coyote has painted a bulls-eye on his chest and a kick-me sign on his butt.  

Aw go on, report it.  Give it your best shot.  Lacking a National City account, but bemused by the peculiarity of the phish message, I did an Internet search and settled on a likely National City financial institution.  Not being a customer of anyone with that name, I am not that confident that I’ve found a legitimate site nor the intended institution.  I don’t see anything about fraud or security on the home page, and the “Contact Us” link requires JavaScript, which I have disabled by default for unknown Internet sites.  Imagining all sorts of movie-plot scams, I am unwilling to trust this site and I take the “Locations” tab.  There I discover that National City Corporation is in Cleveland, Ohio, and I call the listed local number.  I’m offered two menu choices but choice three, “0”, works and I tell the representative that I want to report a security/fraud-email incident.  I am transferred to the “loss prevention” center and offered two more choices.  Here, choice three is rejected so I claim to be an account holder (not a branch) calling with a problem and press “1”.  The “loss prevention” center is not interested in the e-mail I received.  I’m told they can’t do anything about that and they receive untold numbers of reports like this already.  When I’m advised to contact my local law-enforcement authorities, I know I’m in the wrong place and end the call.

Is It That Bad?  While muttering that Bruce Schneier is absolutely correct about putting the cost of fraud where it will do the most good at obtaining a cure, I fact check the site a little more before I post this blog entry.  The “online banking” link doesn’t require JavaScript and on that page there is a consumer-fraud warning and link.   That’s more like it.  The instructions are clear and I call the first-listed number.   They refuse a call from my cell phone (the announcement says my phone has calling restrictions), so I drag the land-line instrument over to my computer.  The number is a general one for account holders, but I can wait for an operator.  I state the purpose of my call to Anita, and after “just a moment” I encounter the first hold music in my experience so far.  I switch to speaker phone and go back to my typing.  Anita returns a minute later and says that they have an alert about that, I should delete the message, and as long as I’m not a customer there is nothing else for me to do.  I ask if they want to see the e-mail and Anita claims they already have it (their alert was passed around last Friday).

Now What?   I can’t believe that someone was so thick as to use email reply as a means to harvest account-access information, so I figure I’ll have some fun (assuming the e-mail address is still active).  Using my account with the ancient but no-longer-used email address, I send a warning reply:

Dear [redacted]@comcast.net

I thought I should alert you to the fact that someone is
using your e-mail address as a destination for harvesting
account log-on information via a fraudulent e-mail.

When you contact your local law-enforcement authorities
(or they contact you), you might want to know that the 
message is being transmitted with header information 
that might be useful in locating the culprit that is 
passing around your address:

Received: from c-24-8-194-220.hsd1.co.comcast.net 
(c-24-8-194-220.hsd1.co.comcast.net [24.8.194.220])	
   by infonuovo.com (8.8.7/8.8.5) with SMTP id FAA11920
	for <orcmid@infonuovo.com>; 
         Thu, 22 Dec 2005 05:20:07 -0800 (PST)

X-Message-Info: ETOZ28sVCqlrBSBwb20ad335+BTPsk108rsHBF

Received: from mail0391.vhxz.mindspring.com
   (62.40.218.243) by ytd264-gen056.mindspring.com 
   with Microsoft SMTPSVC(5.0.2195.6824);
	 Thu, 22 Dec 2005 15:12:07 +0200Received: from MHE7 
   (nxd25.132.50.151.qqlw377.lwy.mindspring.com 137.61.8.55)
	by mail1.zho.mindspring.com (74.99.627alb982/25.5.91) 
         with SMTP id o302D08PRni89;
	Thu, 22 Dec 2005 11:16:07 -0200

Message-ID: <99htx5ry588lli8iyp$owy8gx35rf49$qb9370vli34@XX61>

From: "Customer Service" <[redacted]@comcast.net>

To: "Orcmid"

References: <mendacious8-I011DFXzELUhcfU9X76194o6@mindspring.com>

Subject: National City Account Problem

Date: Thu, 22 Dec 2005 19:18:07 +0600

MIME-Version: 1.0Content-Type: multipart/alternative;
	boundary="--998074522543757"

X-UIDL: bMT"!*>a!!a?1"!$iK"!

Where’s the gimmick?  My movie-plot mind is still wondering how something this bare-faced might harbor a tricky way to actually harvest account information.  The message is not marked as being in an interesting character set (where “comcast.net” might not be what it seems), but the time-zone indications are suggestive.  I know there is information in the headers of replies that allow message threads to be reconstructed, and that might be enough to divert the reply in a way where good old [redacted]@comcast.net doesn’t ever notice.  Meanwhile, my realistic-assessment mind says I should expect an e-mail bounce message in response.

It bounced all right.  I got the bounce message, but it wasn’t exactly what I was expecting:

A message (from <ORCMID@INFONUOVO.COM>) was 
   received at 22 Dec 2005 19:57:28 +0000.

The following addresses had delivery problems:

<[redacted]@COMCAST.NET>	Permanent Failure: 522_mailbox_full;_
         sz=77003127/262144000_ct=25000/25000

	Delivery last attempted at 
         Thu, 22 Dec 2005 19:57:32 -0000

Well, that isn’t quite what I was expecting.  I may have been shilled into DOS-ing some poor soul’s in box, and I wonder what all those other messages are about.  Because Comcast returned my e-mail, I get to see some things about the headers that might be useful to someone:

Received: from mail9.atl.registeredsite.com ([64.224.219.83])
          by sccrmxc16.comcast.net (sccrmxc16) with ESMTP[…]
Received: from Scampo (70-56-72-209.tukw.qwest.net [70.56.72.209])
	[…] Thu, 22 Dec 2005 11:57:25 -0800 (PST)

[…]
thread-index: AcYG+m0ukTUuJZDLTqW9EYbPNWdXFAAMaS+A

In-Reply-To: <99htx5ry588lli8iyp$owy8gx35rf49$qb9370vli34@XX61>

There's the IP address that has been assigned to my DSL modem for now, but that doesn't really increase the vulnerability of my residential firewall and Scampo, the machine I sent the message from. There is the automatically-generated "In-Reply-To" that might be useful in diverting arriving e-mail to a zombie (welcome-back, movie plot). And there's just the mystery of it all (maybe my computer password is encoded in the thread-index?).