Computer Crime Research Center


Internet phishing

Date: November 14, 2005
Source: Computer Crime Research Center
By: David Green

Hmm, what’s this message from eBay in my inbox?

Dear eBay User,

During our regular update and verification of accounts, we couldn’t verify your current information. Either your information has changed or it is incorrect.

If your account information is not updated to current information within 5 days, then your access to bid or buy on eBay will be suspended.

Go to the link below, and re-enter your information.

Click here to update your account.

***Please Do Not Reply To This E-Mail As You Will Not Receive A Response***

Thank You,

Accounts Management

Copyright ©1995-2005 eBay Inc.

Welcome to the world of Internet Phishing Expeditions!

You’ve just received a “phishing” email – one that casts out some “social engineering” bait to sucker you into clicking on the link to update your account information. The problem is that doing so will really take you to a look-alike web site that’s been setup to net your personal account information and use it for criminal purposes!

After reeling in your account details, the scammers will usually pass you along to the actual web site of the business they’re imitating; meanwhile, they’ll use your account to make purchases, withdraw funds, and access your paid services. You may not know there’s anything fishy about it until you start having checks bounce or see unauthorized expenditures on your credit card or bank statement.

The fake web site could also attempt to install a “worm,” such as a keystroke capturing tool to harvest your other userids and passwords and send them to the ne’er-do-wells to use. It could even try to install a “botnet” program that recruits your PC into a network of “zombies” – systems that can be remotely controlled for criminal purposes such as sending spam emails or launching Denial of Service (DoS) attacks on corporate web sites!

There’s Plenty of Phish in the Sea

The term "phishing" was coined in 1996 by hackers who were stealing America On-Line accounts by scamming passwords from unsuspecting AOL users. (Hackers will often replace letters with other letters or numbers that sound or look similar. They like to think that this makes them “1337” or “LEET” – hacker-talk for “elite.”)

Often these phishing attempts will pose as concerned email messages from banks, credit unions, online stock trading companies, major retailers, Internet service providers – any institution that handles financial transactions for a large number of customers. The messages use the return email address, logos, fonts, formatting, and slogans of the company they are trying to imitate, and usually contain urgent warnings requesting you to take action such as the following:

“We recently noticed one or more attempts to login to your account from a foreign IP address. Please visit PayPal as soon as possible to verity your identity.”

“Your primary email address for Bank of America has been changed. Did you know? You can change your address, order checks, and more online. Sign in for online banking.”

“Dear Chase customer: This is your official notification from Chase Bank that the service(s) listed below will be deactivated and deleted if not renewed immediately. … Login to your chase account.”

All of the above are excerpts from actual phishing emails. You can see an updated list and examples of reported phishing emails at

Something Smells Phishy

One way to tell if the link in the email is legitimate or not is move your mouse pointer over the website link in the message, then look at the bottom of the window of your email application – many of them (Outlook and Outlook Express for example) will show you the actual URL embedded in that link. Does it point to the “real” site?

Or if you do click on a link to a suspected phishing web site (which I do NOT recommend, as it could even try to download a “Trojan” or virus to your PC!), look closely at what’s in the address bar in your web browser.

Either way, a scammer site will usually contain a different “.com” address or an actual “dotted decimal” IP address in place of the URL for the real company. However, they may also include the real company’s address after the slash (/) following their own site’s address, such as this example from a Sky Bank phishing email:

Only the left-most “.com” address or the IP address (as shown above) actually direct you to the scammer’s web site; the rest of the address points to the directory path on their web site where the (fake) web page files are stored. In the above example, the URL points to the web server at “” – everything after that makes it look like it’s Sky Bank’s site, but it’s really just a path to a specific page on the phishing site that prompts you for your account ID and password.

Another trick scammers may use is to setup a domain name that looks like the real one but substitutes one or more look-alike characters. For example, someone could setup a domain name such as www.micrο - but the middle ‘o’ in “microsoft” that I used here is actually the Greek ‘Omicron’ character ‘ο’ – they look the same, but are actually different characters which would point you to different domains. If you suspect a look-alike a URL may be used, manually type in the proper URL in your web browser’s address bar to make sure you go to the right site.

Is there a foolproof way to tell if an email you’ve received with website links in it is valid or not? The above tips can help, but the scammers are getting better at hiding their tracks all the time. One basic rule to follow is this: any reputable financial institution or business should never send you an email requesting you to provide personal account information online. They already have your account information – you shouldn’t have to verify it other than for the usual sign-up processes for a new member!
Original article

Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo