
Example of a “Phishing,” Email and Web Site ECE6612 - Communications Network Security


Presentation Transcript


  1. Example of a “Phishing,” Email and Web Site
     ECE6612 - Communications Network Security
     Prof. John A. Copeland, Georgia Tech

  2. "http://marketingsolutions.chesterfieldsofuk.com/yadsecure/"

  3. Your phony password does not work. Clicking “Forgot Your Password” takes you here, a real Yahoo Web page. If your password did work, you would have been logged in to the real Yahoo Web site (and “they” would have your username and password).

  4. Look at “source code” of HTML email - headers

     Return-Path: <keith@cniweb.net>
     Received: from mail.ee.gatech.edu (mail.ee.gatech.edu [130.207.225.105])
       by imap.ece.gatech.edu (Cyrus v2.3.13) with LMTPA;
       Thu, 08 Jan 2009 10:50:39 -0500
     X-Sieve: CMU Sieve 2.3
     Received: from karmalarm1.cniweb.net (karmalarm1.cniweb.net [208.234.169.217])
       by mail.ee.gatech.edu (8.14.0/8.13.7) with ESMTP id n08FoZcJ018478
       for <copeland@ece.gatech.edu>; Thu, 8 Jan 2009 10:50:36 -0500 (EST)
     Received: from localhost.localdomain ([69.59.131.172]) (authenticated bits=0)
       by karmalarm1.cniweb.net (8.13.7/8.13.7) with ESMTP id n08Fm1ss028343
       for <copeland@ece.gatech.edu>; Thu, 8 Jan 2009 10:48:10 -0500 (EST)
     Date: Thu, 8 Jan 2009 10:48:10 -0500 (EST)
     Message-Id: <200901081548.n08Fm1ss028343@karmalarm1.cniweb.net>
     From: "YAHOO MARKETING SOLUTIONS" <service@marketingsolutions.chesterfieldsofuk.com>
     To: <copeland@ece.gatech.edu>
     Subject: SERVICES EXPIRED
     Content-type: text/html; charset=us-ascii

     Slide annotations point to the sender mail server IP address (208.234.169.217, looked up on slide 5) and the sending host IP address (69.59.131.172, looked up on slide 6).

  5. ~ copeland$ nslookup 208.234.169.217        (original email server)
     Non-authoritative answer:
     217.169.234.208.in-addr.arpa   name = karmalarm1.cniweb.net.

     Authoritative answers can be found from:
     169.234.208.in-addr.arpa   nameserver = ns1.cniweb.net.
     ns1.cniweb.net   internet address = 208.218.214.4

     ~ copeland$ whois cniweb.net
     Creative Network Innovations
     6905 N. Wickham Road
     Melbourne, FL 32940
     US

     Administrative Contact, Technical Contact:
       Creative Network Innovations, Inc.   webmaster@CNIWEB.NET
       6905 N WICKHAM RD
       MELBOURNE, FL 32940-2031
       US
       321.259.1984   fax: 321.242.1965

  6. On what network was the sending host (probably a “bot” compromised PC)?
     --------------------------------------------------------
     ~ copeland$ host 69.59.131.172
     mail.irv2.com.

     ~ copeland$ whois irv2.com        (ISP of sending host)
     Registrant:
       Social Knowledge, LLC
       3523 McKinney Ave #419
       Dallas, Texas 75204-1401
       United States

  7. Look at links in the text (“click here”)

     <x-html><!x-stuff-for-pete base="" src="" id="0" charset="">
     <html>
     <body>
     <table border="0" width="37%" height="227">
     <tr>
     <td width="100%" height="221" valign="top"><img border="0"
       src="http://marketingsolutions.chesterfieldsofuk.com/yadsecure/images/logo.gif">
     <p><span class="treb">Dear Client,<br>
     <br>
     Your Yahoo Marketing Solutions account has expired. You must renew it
     immediately or your account will be closed. If you intend to use this
     service in the future, you must take action at once!<br>
     <br>
     To continue <a href="http://marketingsolutions.chesterfieldsofuk.com/yadsecure/">
     click here </a>, login to your Yahoo Marketing Solutions account and
     follow the steps.<br>
     <br>
     Thank you for using Yahoo Marketing Solutions!<br>
     Yahoo Marketing Solutions Services Department.</span></p>

  8. Look up URL of phishing server

     ~ copeland$ whois chesterfieldsofuk.com
     DOMAIN: CHESTERFIELDSOFUK.COM
     RSP: CdWDesign
     URL: http://www.cdwhosting.org
     owner-contact: O-HOU71
     owner-organization: House of England
     owner-street: Gildeweg 30
     owner-city: Nootdorp
     owner-zip: 2632 BA
     owner-country: NL
     owner-email: info@chesterfieldsofuk.com

     This phishing Web site is registered in the Netherlands, but duplicates could be distributed over a botnet if a “fast fluxing” DNS server is used.

  9. Simple “click me” email

     From: bkeefe@merrillcorp.com (bomf @116.181.115.82)
     To: <copeland@ee.gatech.edu>
     Subject: Support Mccane on our site
     Date: Thu, 8 Jan 2009 11:55:10 -0600

     When you are aged and never give up, it gives your he confidence, at any chance , at any place,. Visit.

     Expanded:
     <x-html><!x-stuff-for-pete base="" src="" id="0" charset="iso-8859-5"><br/><a href="http://ficenycoajuly.narod.ru">When you are aged and never give up, it gives your he confidence, at any chance , at any place,. Visit.</a> </x-html>

     ... from Russia with (no) love.
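The header walk of slides 4 to 6 and the link check of slides 7 and 9, automated as an added example (Python written for this page, not part of Prof. Copeland's slides). It assumes the raw message is available as text; SAMPLE is constructed from the slide content, and analyze() returns the originating IP to hand to nslookup/whois plus a brand mismatch flag. The brand check generalizes the slides' single case: a brand named in the display name or subject is compared against the registrable domain of the sender and of every link.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample: Received chain, From and link condensed from slides 4 and 7.
SAMPLE = """Received: from mail.ee.gatech.edu (mail.ee.gatech.edu [130.207.225.105])
 by imap.ece.gatech.edu (Cyrus v2.3.13) with LMTPA; Thu, 08 Jan 2009 10:50:39 -0500
Received: from karmalarm1.cniweb.net (karmalarm1.cniweb.net [208.234.169.217])
 by mail.ee.gatech.edu (8.14.0/8.13.7) with ESMTP id n08FoZcJ018478
 for <copeland@ece.gatech.edu>; Thu, 8 Jan 2009 10:50:36 -0500 (EST)
Received: from localhost.localdomain ([69.59.131.172]) (authenticated bits=0)
 by karmalarm1.cniweb.net (8.13.7/8.13.7) with ESMTP id n08Fm1ss028343
 for <copeland@ece.gatech.edu>; Thu, 8 Jan 2009 10:48:10 -0500 (EST)
From: "YAHOO MARKETING SOLUTIONS" <service@marketingsolutions.chesterfieldsofuk.com>
To: <copeland@ece.gatech.edu>
Subject: SERVICES EXPIRED
Content-type: text/html; charset=us-ascii

<p>Dear Client, To continue <a href=
"http://marketingsolutions.chesterfieldsofuk.com/yadsecure/"> click here </a></p>
"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")      # bracketed IPv4 in Received
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.I)

def received_ips(msg):
    # Each relay prepends its Received header: top = last hop, bottom = first hop.
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(hdr)
        if m:
            ips.append(m.group(1))
    return ips

def registrable(host):
    # Naive registrable domain: last two labels (fine for .com/.net/.ru, wrong for co.uk).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyze(raw, brand="yahoo"):
    msg = message_from_string(raw)
    ips = received_ips(msg)
    display, addr = parseaddr(msg.get("From", ""))
    sender_dom = addr.rsplit("@", 1)[-1].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    hosts = [urlparse(u).hostname or "" for u in HREF_RE.findall(body)]
    # Brand claimed in display name/subject but absent from every registrable domain?
    claims = brand in (display + " " + msg.get("Subject", "")).lower()
    backs = any(brand in registrable(h) for h in hosts + [sender_dom] if h)
    return {"origin_ip": ips[-1] if ips else None,   # feed this to nslookup/whois
            "relay_ips": ips[:-1], "sender_domain": sender_dom,
            "link_hosts": hosts, "brand_mismatch": claims and not backs}
```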
