Anatomy of an eBay phishing scam |
On the 3rd of October 2003 I got an e-mail, apparently from eBay, with "Official Notice for all users of eBay" as its subject. It contained the following text:
At the time I was still using Windows as my desktop and my mail reader was Pegasus Mail. I normally had it configured to display plain text rather than HTML or some other fancy format. As this e-mail contained bold text and was not in my default typeface or character size I assumed that I'd swapped to fancy text display by accident. When switching between the two modes did nothing I became a bit suspicious, particularly as I remembered seeing a warning in a recent edition of the Risks Digest newsgroup, comp.risks. As an aside, this is near-essential reading for the security-conscious and, for the USENET-averse, can be accessed via the Web at http://catless.ncl.ac.uk/Risks. Anyway, as a result of all this I decided to take the e-mail apart and see how much I could find out about how it worked and who had sent it. The rest of this page describes how I did it and what I found.
Normally, the first step is to get your mail reader to show you the message headers, but I was initially more interested in how Pegasus' display had been subverted. The way to do this was to select Raw view, which showed the whole message as an ASCII text file like this. Any decent mail reader should have a similar capability. A quick look at the message body showed it to be a correctly formatted MIME message but there was no Content-Type: text/plain; section, which explained why Pegasus didn't show plain text. The absence of this section was suspicious because no reputable mail editor omits it. Instead, we find:
MIME part Meaning Content-Type: multipart/alternative; This section was empty and could be ignored. Content-Type: text/html; This section contained HTML text that looked like high-grade gibberish. We'll return to this later. Content-Type: image/jpeg; This base64 encoded section contained an image file named "pic.gif".
So, there were two useful MIME sections in the e-mail but nothing that looked remotely like the text that appeared when I opened the e-mail. However, Pegasus will save an image file so I saved it and looked at it with the L-View Pro image viewer. Bingo! The image was a picture of the "e-mail message". Taking a closer look at the gibberish HTML now seemed like a good idea. It turned out to have a properly formatted skeleton containing a minimal <HEAD> section and a <BODY> section which set the default background to white. Most of the body was pure garbage and presumably just there as low-grade camouflage to deceive the gullible. It consisted of two paragraphs which each started with a <FONT> tag that set the text to white. White text on a white background? Hmmm... deceptive. The really interesting bit was the first paragraph:
<p><a href=3D"http://scgi.ebay.com%73%65%63%75%72%65%75%70%64
%61%74%65%79%6F%75%72%61%63%63%6F%75%6E%74%69%64%70%6C%65%61%73
%65%65%6E%74%65%72@%32%31%31%2E%31%37%30%2E%31%38%36%2E%31%30
%34:%38%30%38%39/%69%6E%64%65%78%2E%68%74%6D">
<IMG SRC=3D"cid:pic.gif" border=3D"0" ALT=3D""></a>
</p>
which consisted of a single anchor tag. This contained a heavily obfuscated URL and used an image of the e-mail text as the displayable hypertext link. So, clicking anywhere on the message, not just on the blue URL, would have taken me to a web site, but which one? The "%hh" are hexadecimal codes, each representing an obfuscated ASCII character. Decoding them revealed:
http://scgi.ebay.comsecureupdateyouraccountidpleaseenter@211.170.186.104:8089/index.htm
The way this is interpreted as a URL is quite interesting:
URL component Meaning http:// This URL references an insecure web server. scgi.ebay.comsecureupdateyouraccountidpleaseenter@ The login name for this server. 211.170.186.104 The IP address of the web server. :8089 The port number to be used on the server. The default web server port is 80. /index.htm The requested web page.
So, this was a reference to a web server that seemed to be trying rather hard to hide its identity. For starters most of it was written in a form that intentionally made it hard to read. Even after decoding it things were not straight forward. The only readable part of the original URL turned out to be so much noise because it was part of a, possibly ignored, login name. The host name was hidden from the casually curious by using an IP address rather than a human readable host name and the web server port was non-standard.
The next task was to find out more about the web site. As I ran a Linux system this was really easy. All that was needed was to login and use the whois utility:
$ whois 211.170.186.104@whois.arin.net
The whois server at arin.net didn't know the answer, but did know that more details were available from the Asia Pacific Network Information Centre in Queensland, Australia. The next try:
$ whois 211.170.186.104@whois.apnic.net
delivered the goods. I now knew that the e-mail was part of an identity theft scam, aka phishing expedition. The host computer running the offending web site belonged to a Korean business, HOSAN, with a street address of 456 2 Idong-myun Yongin-shi, KYONGGI, Korea. I got some contact details too. Their phone number was +82-31-335-5599, e-mail address was b4029242@users.bora.net and their Internet administrator was one Kwangjung Han. I couldn't tell whether the firm or one of it's employees organised the phishing expedition or if they were merely so careless about security that a third party was able to hijack their computer. What I could say, though, is that they bore some responsibility for the exploit. At the very least they were guilty of negligence: either they failed to monitor and control their employees' activities or they failed to protect their property from misuse by a third party.
bora.net, who provided the mailbox used by HOSAN, were an international network provider who controlled the 211.170.186.64 - 211.170.186.127 block of IP addresses and provided e-mail services to their subscribers.
There was still a valid route to HOSAN's computer but it was either switched off by then or behind a firewall that silently discarded all connection attempts. Attempts to ping it, interrogate its ident server (see RFC1413 for details) or to connect to its web browser all timed out rather than reporting an unreachable host. In view of this its probable that the computer was still running but was now behind a firewall that rejected all attempts to contact it.
Now it was time to revisit the e-mail headers. The Return-path:, From: and Reply-to: fields were all set to user-support9@ebay.com, so the first step was to send e-mail to this address with delivery and user-read notification requested. The mail did not bounce, so the address was valid, but no response of any sort was received: eBay had evidently set this address up as a black hole for their own inscrutable reasons.
The next step was to look at the Received: entries in the message header:
Received: from punt-3.mail.demon.net by mailstore
for martin@gregorie.demon.co.uk id 1A5S90-00021Z-Dl;
Fri, 03 Oct 2003 15:47:08 +0000
Received: from [68.49.171.58] (helo=pcp730630pcs.arlngt01.va.comcast.net)
by punt-3.mail.demon.net with smtp id 1A5S90-00021Z-Dl
for martin@gregorie.demon.co.uk; Fri, 03 Oct 2003 15:47:08 +0000
Received: from [40.235.47.48] by pcp730630pcs.arlngt01.va.comcast.net
SMTP id mTsZF2s8i903K8; Fri, 03 Oct 2003 22:47:05 +0500
These showed the path the message took across the Internet in reverse order. The last entry showed where the message originated from and identified the first mail server to relay it. This trail is automatically generated and so cannot be faked. It was noticeable that originating IP, 40.235.47.48, didn't respond to address validation: there was no helo response shown against it but the first mail system to handle the message belonged to Comcast, so the spammer must have been one of their subscribers. Another hunt round with whois showed that 40.235.47.48 belonged to Eli Lilly, the well-known pharmaceutical manufacturer. Running traceroute against 40.235.47.48 and Eli Lilly's web site confirmed that Comcast was not Eli Lilly's ISP. I now knew that the e-mail originated from a spammer who was probably using bulk spamming software configured to hide his identity. The delivery path, given in the Received: headers showed that their ISP was Comcast. This told me that they were probably American and almost certainly resident in the USA.
In a fit of public spiritedness I decided to tell eBay about the scam. There was no e-mail help desk, so I logged into the web site and described the scam as best I could by slotting text into a scrolling section of the Help Desk's problem reporting web page. When I'd told them all I could I hit send. I can't tell you if they saw or acted on my report; I've had no response, not even an auto-reply, from them.
And so, dear readers, I've built this web page as a warning that all that appears kosher isn't, and to show you that the only person who will protect you against the Bad Guys is yourself.