Orcmid's Lair

BlunderLab Notebook B040802
Candling Phish

0.10 2004-08-30-20:09 -0700


Introduction

I happened to receive some phish e-mails while I was in the midst of an on-line course in Information Security Engineering.  It was the perfect time for me to receive some spam in my student account, because the mail reader that we use for the computer-mediated distance learning does not render HTML-formatted e-mail properly.  

When I realized from the message subject that one of the spam messages had to be a phish, I was curious enough to look it over.  And I found out how it works.

It is rather clever how some phish e-mail is arranged to hide the URL of the phish-hook.  Then pop-up techniques are used for sleight-of-hand purposes and to prevent you from noticing that the spoof is in front of a legitimate web page.  I'll talk about that another time.  

What I want to share with you right now is a way to detect a wide class of spam and phish attacks from the safety of your in-basket.  You can do it now, it takes almost no effort, and it can be quite entertaining.

Angler in a Business Suit

I have a small collection of e-mail spam, viruses, and phish attacks.  Here's one exactly like the one that was received in the in-basket for my on-line course.  But it arrived in my Microsoft Outlook in-basket, and it would look like this in Outlook Express, in Hotmail on-line, and who knows where else:

[Screen shot: the phish as it renders in the mail reader, shown here as a simulated image.  Do you really want to click here?]

I'm showing you this nearly full size so that you can appreciate the impact of it.  I have a trained eye and I already know that this is a phish.  I wouldn't be opening it now except there's something I want you to see.   

I also disconnected from the internet before I opened this email.  I knew that I wasn't going to follow that apparent link even by accident.  

For what we are about to do next, it is like letting the dental assistant put the lead blanket over you.

Please Do Not Move Until the X-Ray Beeps

So, you've received this in your e-mail, wherever you receive e-mail, and there's this nagging question.  You've opened it, so your guard is already down, but there's some hesitation.  Here's what you do:

[Screen shot: the Edit | Select All menu item.  Find the equivalent of this in your mail reader.  You'll love it.]

Find the Edit | Select All menu item or its equivalent in your mail reader.  This is going to stick a gamma-ray candle behind that message.  Just do it, there's no harm.

Well Would You Look At That!

[Screen shot: the same message after Select All.  Uh, excuse me, but if you wouldn't click on the phish, why would you click on this?]

Look at all of that nonsense!  Do you really think Citibank hides secret messages in their e-mail?  Well, maybe you do.

There are two important things to notice, along with all of the other give-aways that this is not a legitimate message:

  1. The visible message is actually an image.  That means the URL in the image is not a link, it is a picture of a link.  Since there is a link behind the image (look at the change of cursor in the first screen shot), it might be a phish-hook -- a well-hidden phish-hook.  Don't bite.

  2. I first thought the nonsense words were some sort of secret message that phishers use for their anti-social purposes.  Or is it some kind of hacker's signature and bragging?  Well, I have an over-active imagination and it is simpler than that.  It is so simple that it is a death trap for this kind of spam.  I'm not going to say why here.  I will let readers of my blog figure it out and report in the comments to my blog about this.
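The same candling can be done by a script instead of by eye.  This is an added example, not code from this notebook: it parses a constructed phish message (sender, URL and nonsense words are all made up) and reports the two tells above, a linked image standing in for the message and text coloured to match the background.  It assumes a simple HTML message with colours given as keywords or hex values.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

NAMED = {"white": "#ffffff", "black": "#000000"}

def norm(color):
    """Normalise a colour keyword or hex value so they can be compared."""
    c = color.strip().lower()
    return NAMED.get(c, c)

# Constructed sample in the style the notebook describes.  The sender, the
# address (an RFC 5737 test address) and the hidden words are all invented.
SAMPLE = """From: "Citibank" <security@citibank.example>
Subject: Account verification required
Content-Type: text/html; charset=us-ascii

<html><body bgcolor="#FFFFFF">
<a href="http://203.0.113.7/cgi-bin/verify.cgi"><img src="cid:msg.gif" alt="Citibank"></a>
<p><font color="#ffffff">quaint lighthouse scruple marzipan hovercraft</font></p>
<p style="color: white">balustrade dirigible</p>
</body></html>
"""

class Candler(HTMLParser):
    """Record linked images and any text coloured the same as the background."""
    def __init__(self):
        super().__init__()
        self.bg, self.href, self.stack = "#ffffff", None, []
        self.image_links, self.hidden_text = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "body" and a.get("bgcolor"):
            self.bg = norm(a["bgcolor"])
        elif tag == "a":
            self.href = a.get("href")
        elif tag == "img" and self.href:   # a picture of a link, with a real link behind it
            self.image_links.append(self.href)
        m = re.search(r"(?:^|;)\s*color\s*:\s*([^;]+)", a.get("style") or "")
        color = m.group(1) if m else a.get("color")
        if color and norm(color) == self.bg:
            self.stack.append(tag)         # everything inside is invisible ink

    def handle_endtag(self, tag):
        if tag == "a":
            self.href = None
        if self.stack and self.stack[-1] == tag:
            self.stack.pop()

    def handle_data(self, data):
        if self.stack and data.strip():
            self.hidden_text.append(data.strip())

def candle(raw_message):
    """Parse an e-mail and return what Select All would have revealed."""
    msg = message_from_string(raw_message)
    html = msg.get_payload(decode=True).decode(msg.get_content_charset() or "ascii")
    c = Candler()
    c.feed(html)
    return {"image_links": c.image_links, "hidden_text": c.hidden_text}
```

Run `candle(SAMPLE)` to see the hidden link and the nonsense words that a mail reader would paint white on white.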

Now What?

First, make it a habit to "candle" mail that has links in it, assuming you have bothered to open it and you just can't resist thrill-seeking.

Secondly, tell all your friends.  If you have teen-agers, or you are a teen-ager, tell and show all of your friends that are/have teen-agers.  And, once you figure out how that invisible ink works, use it.  Send notes to your friends, talk about your parents and teachers, do all sorts of things that have those of you in the know go looking for the secret messages.  And most of all, Always Use Protection.

I cannot believe how simple this is.  I am beside myself.  As Billy Connolly once said, "wanking brilliant!"  Well, that was the gist of what he said.

-- Prof. Heinz Arnold Said von Clueless, DMV OHC BOB


0.10 2004-08-29-18:40 Correct and Expand
Tidy up, add a job jar, and plant some links to other material.
0.00 2004-08-29-15:49 Initiate Provisional Version (orcmid)
Get a quickie version in place so that the images can be accessed from a blog posting that has the essential part of this message and illustration.

created 2004-08-03-15:47 -0700 (pdt) by orcmid
$$Author: Orcmid $
$$Date: 05-02-11 16:46 $
$$Revision: 8 $