Identifying A Phishing Attack

Phishing is a form of fraud in which an e-mail sender attempts to trick the recipient into divulging important personal information, such as a password or bank account number, by pretending to be a representative of a legitimate organization.
Even net-savvy people have fallen victim to phishing attacks and learned the hard way that they have been too trusting of the messages reaching their in-boxes: too trusting that the sender identification is accurate.

Who hasn’t done something in haste, because he was distracted or pre-occupied? Mistakes happen.

Here are the tools you can use to differentiate between a phishing attack and legitimate e-mail from your banks and credit card companies. You can learn an easy way to confirm your feelings about that dubious message. And, you might learn a thing or two about how the Internet works.
This trip will take you beyond your bank’s general disclaimer, to paraphrase, “Don’t follow a link in an e-mail to reach our bank’s web site; we will never ask you to verify your username, passwords, certificates, or other sensitive account information via e-mail.”
Our rational left-brain knows all that, but our emotional right brain sometimes ignores it.
Check the Domain, Traveler!
The example of a phishing attack I’m using arrived in my in-box disguised as a message from the Colonial Bank. By the way, I don’t have a Colonial account or credit card.
Let’s identify the red flags that should go up immediately:
  • Why would this bank contact me?
  • Is everything all right with my accounts? When anything is wrong, they either call me or send me snail-mail.
So, that one was easy, since it’s from a bank with whom I don’t do business.
But, if it’s a bank I do business with, my preoccupation with money and current gas prices might make me miss the red flag.

Look twice at links and download buttons

Phishers rely on people to click on links in their e-mail without thinking.
We are all accustomed to clicking on links in our e-mail to get to more information about something that interests us. We have visited websites many times and nothing evil has transpired. But, sometimes the link says ‘Download.’
The word download means “Get software to install on my computer.” That is a tricky thing.
Many of us have clicked on downloads and been burned. Or, we find our browser toolbars full of notifications and icons that we never wanted but magically appeared. Periodically, we ask a nerdy friend to clean up our desktop and browser.
Here’s the e-mail that came into my in-box:

Graphic: Example Phishing E-Mail

Here’s the address that was under the ‘Download Now’ link:

http://connect.colonialbank.b5d7z03jqj343lx262uc.
secureserv.onlineupdatemirror6120f48zo9bf9r.
colonial.certificaterenewal.uyyhg.com/logon.htm

The e-mail itself seems fairly well written. Gone are the days when we could identify phishers by the incredible number of spelling errors and bad grammar. But remember, phishers rely on people to click on links in their e-mail without thinking.
Don’t click anywhere unless you know for sure where on the net you are going.
A phisher wants you to click on a link because it will take you out on the net where he can do his dirty work. So, that’s where your behavior needs to change: don’t click anywhere unless you know where you are going.
The only way to know for sure where a link will take you is to learn to read the link to identify the party you will visit. Here’s how.

How to read a link address?

A link has two parts. One is the label, the text you see. In this example, the label is ‘Download Now.’ The label can say anything at all, including a perfectly genuine-looking bank address, so ignore it.
The second part is the URL underneath the label. Desktop browsers and most e-mail programs show you the URL, either in the status bar at the bottom of the program’s window or in a tool-tip, as soon as you hover over the link with the mouse. On a phone or tablet there is no hover; press and hold the link instead, and the real address appears in a menu. If your mail program shows you nothing, don’t click.
And, it’s the domain name in the URL that gives those creeps away.
Almost everyone today knows what a domain name is: it’s the www.google.com, the www.naples.net etc.
A URL contains not only the domain name but also, after it, a folder or file name separated from the domain by a forward slash (/), like ‘education’ in home.naples.net/education. This part identifies the specific page on the website.
For our quest to understand the link in our example, we ignore everything after the first forward slash that follows the http://. So we ignore the /logon.htm. But that still leaves a host name of nine pieces separated by dots: seven levels of sub-domains stacked in front of the domain itself.
connect.colonialbank.b5d7z03jqj343lx262uc.
secureserv.onlineupdatemirror6120f48zo9bf9r.
colonial.certificaterenewal.uyyhg.com

Domain owners can add sub-domains, or additional words in front of their domain names separated by dots, to their addresses. Like home.naples.net or picasaweb.google.com, you can stack as many sub-domains as you want with a domain name.
This means I could get my self a sub-domain like: “check.your.account.at.colonialbank.naples.net.”

To the untrained eye, that would make my site look as if it’s part of Colonial Bank. In reality, it would only make me a target for cease and desist letters and hefty fines. The Colonial Bank could find out in one step whom to pursue, because the domain registration, not the sub-domain, names the owner. After reading this article, you’ll know, too!
The first thing to know about sub-domains is that only the end of the domain name identifies the site, no matter how long the chain of sub-domains in front of it is. For a .com, .net or .org address that is the last two items: the name somebody registered, plus the ending. Be aware that some countries use two-part endings, such as .co.uk or .com.au; there, the registered name is the third item from the end, as in colonialbank.co.uk. Either way, the rule is the same: find the ending, and the item directly in front of it is the site you are really dealing with.
To dissect this domain name (everything between the http:// and the first “/”), we start reading it backwards dot-by-dot. You just learned that only the last levels identify the base domain name. In this case, the ending is .com, and the item in front of it is (drum roll please): uyyhg.com

Huh? What happened to Colonial Bank? And, who are these people? Now you know, uyyhg.com is most certainly not the Colonial Bank.
So remember, to identify a phisher, look for the first ‘/’ after the http:// in the URL, and read backwards dot-by-dot to the ending and the one item in front of it to see whose web site you will visit if you click the link. Then compare that name, letter by letter, with the address printed on your statement or card: a name like colonialbank-online.com or a look-alike spelling passes the dot test and is still not your bank. Don’t be led astray.
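Here is the same dissection done by a small program, as an added example that is not part of the original post. It pulls the host name out of a link, reads it backwards dot-by-dot as described above, and reports the registered domain. It goes a little beyond the text: it handles the two-part country endings such as .co.uk, strips the “user@” trick some phishers put in front of the real host, turns look-alike foreign-alphabet letters into their xn-- form so they stand out, and treats a bare IP address as having no domain at all. The phishing URL is the one quoted in this post; the tiny public-suffix table and the list of the bank’s real domains are assumptions for the example (in practice, the full table is the Public Suffix List at publicsuffix.org, and the bank’s address comes from your statement, never from the mail).

```python
"""Added example, not from the original post: find the registered domain
behind a link the way the article describes, reading backwards dot-by-dot.
The suffix table and the trusted bank domains below are assumptions."""
from urllib.parse import urlsplit
import ipaddress

# The link from the phishing mail quoted in the post.
PHISHING_URL = ("http://connect.colonialbank.b5d7z03jqj343lx262uc."
                "secureserv.onlineupdatemirror6120f48zo9bf9r."
                "colonial.certificaterenewal.uyyhg.com/logon.htm")

# Constructed, tiny stand-in for the Public Suffix List. It shows why
# "last two labels" is not enough: for colonialbank.co.uk the ending is
# two labels long, so the registered name is the third from the end.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk", "com.au"}

# Assumed for the example: the domains the bank really uses.
TRUSTED_BANK_DOMAINS = {"colonialbank.com"}


def hostname_of(url: str) -> str:
    """Return the host part of a URL: lowercased, with userinfo, port and
    path removed, and non-ASCII letters converted to xn-- (punycode) form.
    http://colonialbank.com@uyyhg.com/ really points at uyyhg.com."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname  # drops user:pass@, the port and the path
    if not host:
        raise ValueError(f"no host in {url!r}")
    host = host.rstrip(".")
    # A Cyrillic 'о' in 'cоm' looks like the real thing on screen; in the
    # encoded form it becomes xn--..., which no bank address looks like.
    return host.encode("idna").decode("ascii")


def registrable_domain(host: str) -> str:
    """The name somebody actually registered: the label directly in front
    of the longest matching public suffix. A bare IP address has no domain,
    so it is returned unchanged (and is a red flag on its own)."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    labels = host.split(".")
    # Read backwards: the first (longest) tail that is a public suffix is
    # the ending; the label before it is the registered name.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return host  # the host is itself a public suffix
            return ".".join(labels[i - 1:])
    # Unknown ending: fall back to the article's two-label rule.
    return ".".join(labels[-2:])


def link_verdict(url: str) -> tuple[str, str]:
    """Return (registered domain, verdict) for a link found in a mail."""
    domain = registrable_domain(hostname_of(url))
    if domain in TRUSTED_BANK_DOMAINS:
        return domain, "matches a known bank domain"
    return domain, "NOT the bank: do not click"


if __name__ == "__main__":
    # Constructed sample links alongside the one from the post.
    for link in (
        PHISHING_URL,
        "https://online.colonialbank.com/login",
        "http://colonialbank.com@uyyhg.com/logon.htm",
        "https://check.your.account.at.colonialbank.naples.net/",
        "https://secure.colonialbank.co.uk/",
        "http://192.0.2.10/colonialbank/logon.htm",
        "http://colonialbank.cоm/logon.htm",  # Cyrillic 'о', not Latin 'o'
    ):
        domain, verdict = link_verdict(link)
        print(f"{domain:32} {verdict}   <- {link}")
```

Run it as a script and each line shows the registered domain next to the link it came from; only the one link whose domain is on the trusted list passes. The suffix table is the part a real tool must get from the Public Suffix List, because a fixed rule of “last two labels” would call the phishing domain for a .co.uk bank “co.uk”.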

That should be the end of it. Our example is definitely a Phisher.
The delete button will keep you safe.
Graphic courtesy of Rahul Bansal, DevilsWorshop.org.

Posted by Birgit Pauli-Haack

Since 1998 Birgit Pauli-Haack has worked with nonprofits as a web developer, a technology strategist, a trainer and community organizer. She founded Pauli Systems, LC in 2002, now a team of six. It is a 100% distributed company. Since 2010, her team has used WordPress to build new nonprofit sites and applications. In her spare time, Birgit serves as a deputy with the WordPress Global Community team, as a WordPress Meetup organizer and a Tech4Good organizer.