Phishing: Fight Back

Phishing
(fish’ing) (n.) The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.
Webopedia

This morning I received a notice from “eBay” letting me know that my account wasn’t working properly… actually, here, let me just copy the body of the message:

During our regulary schedule account maintenance and verification we have detected a slight error in your billing information on file with eBay. This might be due to either following reasons:

– A recent change in your personal information (i.e. change of address)
– Submiting invalid information during the initial sign up process.
– An inability to accurately verify your selected option of payment due an internal error within
our processors.

Your credit card on file with eBay

Card number: XXXX-XXXX-XXXX-4322 (Not shown for security purposes) Expiration date: 11/05

Please sign in to your eBay account and update your billing information:

http://signin.ebay.com/eBayXXXXX.dll?SignIn&ssPageName=h:h:sin:US”

If your account information is not update, your ability to sell or bid on eBay will become restricted.

Thank you,
eBay Billing Department

[Roll Eyes] Looks legit enough, “signin.ebay.com”, but if you roll over it with your mouse, you will see something much different show up in the location bar: http://XX.XXX.XXX.XXX/.signin.ebay.com/ws/eBayXXXXXdllSignIn.php

Yeah, this is definitely a phishing attempt.

(Please note: I have used ‘X’s to mark out the actual IP address and parts of file names. There’s no need for one of my readers to accidentally get caught up in something.)
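The mismatch described above (the visible text says signin.ebay.com, the real target is a bare IP address) is something you can check mechanically. This is an added example, not code from the post; the sample HTML is constructed to mirror the message, with the redacted IP and file name replaced by a documentation-range address and a placeholder path.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

_HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)  # hostname in link text

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def suspicious_links(html):
    """Return (href, text, reason) for links whose real target does not match
    what the reader sees: a bare-IP target, or visible text naming another host."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()   # where the click really goes
        shown = _HOST_RE.search(text)                     # what the reader thinks it is
        if _is_ip_literal(host):
            flagged.append((href, text, "target is a bare IP address"))
        elif shown and shown.group(1).lower() != host \
                and not host.endswith("." + shown.group(1).lower()):
            flagged.append((href, text, "visible text names a different host"))
    return flagged

# Constructed sample modelled on the post's message (redacted IP/path replaced by placeholders).
SAMPLE = ('<p>Please sign in to your eBay account: <a href="http://192.0.2.10/'
          '.signin.ebay.com/ws/eBayXXXXXdllSignIn.php">'
          'http://signin.ebay.com/eBayXXXXX.dll?SignIn</a></p>')
```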

In this case, whoever it was that sent the message wasn’t very good. Most of these phishers are going to spoof their IP address and/or email addresses. In this case, I looked at the full message header (in Thunderbird it’s View->Message Source) and got all the info I needed:


From – Wed Apr 27 08:08:52 2005
X-Account-Key: account3
X-UIDL: bb30d4c115e1675a71d21ce086a69026
X-Mozilla-Status: 1201
X-Mozilla-Status2: 00000000
Return-path: [tina @hac3.XXXXaustralia.com.au]
Envelope-to: keaven@keaven.com
Delivery-date: Wed, 27 Apr 2005 01:45:23 -0400
Received: from kcom by quest.securenet-server.net with local-bsmtp (Exim 4.44)
id 1DQfML-00016E-Vr
for keaven@keaven.com; Wed, 27 Apr 2005 01:45:22 -0400
Received: from [XXX.XXX.XX.XX] (helo=hac3.XXXXaustralia.com.au)
by quest.securenet-server.net with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.44)
id 1DQfML-000161-3L
for keaven@keaven.com; Wed, 27 Apr 2005 01:45:17 -0400
Received: from hac3.XXXXaustralia.com.au (localhost.localdomain [127.0.0.1])
by hac3.XXXXaustralia.com.au (8.13.1/8.12.8) with ESMTP id j3R5jG0t007897
for [keaven @keaven.com]; Wed, 27 Apr 2005 15:45:16 +1000
Received: (from tina@localhost)
by hac3.XXXXaustralia.com.au (8.13.1/8.13.1/Submit) id j3R5jG0O007893;
Wed, 27 Apr 2005 15:45:16 +1000
Date: Wed, 27 Apr 2005 15:45:16 +1000
Message-Id: <200504270545.j3R5jG0O007893@hac3.XXXXaustralia.com.au>
To: keaven@keaven.com
Subject: Your Final Warning From eBay
From: “aw-confirm@ebay.com”[aw -confirm@ebay.com]
Content-Type: text/html

This tells me all I need to know. First, I know where the message actually came from now (at least… a better idea, anyway). The second ‘Received: from’ line even has an IP address. It looks like I may even have a user name, ‘Tina’.
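Reading the Received: chain by hand works for one message; the walk the post does (start from the oldest hop, skip localhost, stop at the first line that records a real address) can also be scripted. This is an added example, not code from the post; the sample reproduces the post's Received: headers with the redacted address replaced by the documentation placeholder 192.0.2.45.

```python
import email
import ipaddress
import re

# Ranges that can never be a remote sender's public address.
_INTERNAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
_HOP_RE = re.compile(r"from\s+(?P<frm>\S+)(?P<rest>.*?)\s+by\s+(?P<by>\S+)")
_IP_RE = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")   # bracketed address literal

def received_hops(raw_message):
    """Hops oldest-first as {'from','ip','by'}; relays prepend, so message order is newest-first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(hdr.split())                     # unfold continuation lines
        m = _HOP_RE.search(text)
        if not m:
            continue
        ipm = _IP_RE.search(m.group("frm") + m.group("rest"))
        hops.append({"from": m.group("frm").strip("()"), "by": m.group("by"),
                     "ip": ipm.group(1) if ipm else None})
    return hops

def originating_ip(raw_message):
    """Oldest hop with a non-internal IP literal; lines below the first trusted server can be forged."""
    for hop in received_hops(raw_message):
        try:
            ip = ipaddress.ip_address(hop["ip"] or "")
        except ValueError:
            continue
        if not any(ip in net for net in _INTERNAL):
            return str(ip)
    return None

# Constructed sample: the Received: chain quoted in the post, with the redacted
# address replaced by the documentation placeholder 192.0.2.45.
SAMPLE = """Received: from kcom by quest.securenet-server.net with local-bsmtp (Exim 4.44)
\tid 1DQfML-00016E-Vr for keaven@keaven.com; Wed, 27 Apr 2005 01:45:22 -0400
Received: from [192.0.2.45] (helo=hac3.XXXXaustralia.com.au)
\tby quest.securenet-server.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.44)
\tid 1DQfML-000161-3L for keaven@keaven.com; Wed, 27 Apr 2005 01:45:17 -0400
Received: from hac3.XXXXaustralia.com.au (localhost.localdomain [127.0.0.1])
\tby hac3.XXXXaustralia.com.au (8.13.1/8.12.8) with ESMTP id j3R5jG0t007897
\tfor keaven@keaven.com; Wed, 27 Apr 2005 15:45:16 +1000
Received: (from tina@localhost)
\tby hac3.XXXXaustralia.com.au (8.13.1/8.13.1/Submit) id j3R5jG0O007893;
\tWed, 27 Apr 2005 15:45:16 +1000
"""
```

Only the Received: lines added by your own provider (here, the two from quest.securenet-server.net) are trustworthy; anything below them was written by the sender's side and could have been forged.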

What happens next is a two-step process. First you must find out who these IP addresses belong to (which can sometimes be a multi-stop process itself), and then you start emailing.

So, I did a whois on both IP addresses (the one from the link where they were trying to send me, and the one in the header from where the email really came).

WhoIs
An Internet utility that returns information about a domain name or IP address. For example, if you enter a domain name such as microsoft.com, whois will return the name and address of the domain’s owner (in this case, Microsoft Corporation).
Webopedia

Using whois can be like following a trail. Not all whois utilities will give you all the information. Even though it doesn’t hold as much clout as it once did, a good place to start is still the InterNIC WhoIs. They continue to be a public access point for domain registration information. Another good starting point would be the Network Solutions, Inc. WhoIs. NSI has their fingers in many, many, many internet pies.

Using these services got me the following information:

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: XX.0.0.0 – XX.255.255.255
[SnIp]

This tells me a few things. It tells me that the IP address I entered is part of an IP pool. It also tells me that this IP pool is owned by a company (RIPE Network Coordination Centre) that maintains its own internal whois directory service. That’s good.

Remember when I said this could be a multi-step process? ;)

Going to the RIPE homepage, I find their whois utility and, again, enter the IP address. This time I’m given better, more relevant, information. I’m given a company name, address, phone numbers, the works. Remember, this is the information for the people who own the IP address, not necessarily people who are part of the scam. Included with all this information is also this:


remarks: ************************************************
remarks: * Pay attention *
remarks: * Any communication sent to email different *
remarks: * from the following will be ignored! *
remarks: * Any abuse reports, please send them to *
remarks: * abuse@business.XXXXXXXXX.it *
remarks: ************************************************

Brilliant. So now I have an abuse email :) that’s just what I was looking for. I forward the original email I got to this abuse email, along with a copy of the full header.
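The registry hop above (a first lookup that only returns a ReferralServer: line, then a second lookup at that registry whose remarks carry the abuse address) is the general pattern, and can be automated. This is an added example, not from the post: the query function is injected so the walk runs offline against canned replies shaped like the two lookups in the post, and the abuse address in them is a placeholder, not the redacted one.

```python
import re

_REFERRAL_RE = re.compile(r"^ReferralServer:\s*whois://([^\s:/]+)(?::(\d+))?", re.M | re.I)
_EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def parse_abuse_contacts(text):
    """E-mail addresses on lines that mention 'abuse', plus the line that follows
    an abuse remark when the remark itself carries no address (RIPE style above)."""
    found, carry = [], False
    for line in text.splitlines():
        mentions = "abuse" in line.lower()
        if mentions or carry:
            addrs = _EMAIL_RE.findall(line)
            found.extend(a for a in addrs if a not in found)
            carry = mentions and not addrs
    return found

def follow_whois(ip, query, start="whois.arin.net", max_hops=4):
    """Walk ReferralServer: pointers from registry to registry until a reply has
    none, then return (final_server, abuse_contacts). `query(server, port, ip)` is
    injected so the walk can be exercised offline."""
    server, port, seen = start, 43, []
    for _ in range(max_hops):
        if server in seen:
            break                                   # referral loop, give up
        seen.append(server)
        text = query(server, port, ip)
        m = _REFERRAL_RE.search(text)
        if not m:
            return server, parse_abuse_contacts(text)
        server, port = m.group(1).lower(), int(m.group(2) or 43)
    return server, []

# Constructed replies shaped like the two lookups in the post; the contact
# address is a placeholder, not the one the post redacted.
RESPONSES = {
    "whois.arin.net": ("OrgName: RIPE Network Coordination Centre\nOrgID: RIPE\n"
                       "ReferralServer: whois://whois.ripe.net:43\n"
                       "NetRange: 192.0.2.0 - 192.0.2.255\n"),
    "whois.ripe.net": ("inetnum: 192.0.2.0 - 192.0.2.255\n"
                       "remarks: * Any abuse reports, please send them to *\n"
                       "remarks: * abuse@business.example.it *\n"),
}

def offline_query(server, port, ip):
    """Stand-in for a real port-43 query; looks up the canned reply."""
    return RESPONSES[server]
```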

***********************************
Important
It is always important to include the FULL header information when you report spam/phishing/abuse. The full header will look similar to what I have in this post. Most email programs will not show you the full header by default… you have to go looking for it. In the case of Thunderbird you have to go to View->Message Source. For Microsoft Outlook, you right-click on the message and go to Options; at the bottom is a box labeled ‘Internet Headers’. IT guys will use the full header in order to trace the path of the message, and bring the culprit to justice!
***********************************

I went through the same process with the IP address I got from the message header. I eventually found an address and phone number for the company where the email originated. I forwarded them the email as well (again, including the FULL header).

Last but not least, I sent a copy of the message (I didn’t just forward it; I added it as an attachment to a new message) to the Anti-Phishing Workgroup. See the end of this post for more information on the workgroup and how you can help!

Now… we just wait and see. Most likely I will not hear back from anyone. I can only hope that justice is served and that my actions may help to stop them before one of their intended victims becomes an actual victim.

[cross fingers]

Anti-Phishing Workgroup
For more information on what’s being done, and what you can do to help, visit the Anti-Phishing Workgroup website.

Report Report Report!
The Anti-Phishing Workgroup has a repository for phishing scams. If you receive a scam, send it over to the workgroup to help them better fight phishing!

  1. Create a new mail to reportphishing@antiphishing.org.
  2. Drag and drop the phishing email from your inbox onto this new email message
    • In Netscape drop it on the ‘attachment’ area
  3. Do not use “forward” if you can help it, as this approach loses information and requires more manual processing. The exception is when you use the Web interface to outlook: in that case forward is the only solution.

Fight back!
