Friday, 29. April 2005
One of these is a phish. The other is not.
MBNA credit card - log in to review your statement.
Abbey bank - we lost your account data.

I actually have accounts with both of these and the presentation style of each email is entirely consistent with the branding of each purported sender.
OK - to more sophisticated readers such as you (why else are you here?), the answer is reasonably obvious...
MBNA is on the level; Abbey is being phished.
But consider:
- Incidents wherein reputable banks have lost users' information and have written to them about the problem are not exactly unheard of.
- Banks are still failing to do enough to protect themselves.
- Neither MBNA nor Abbey publishes SPF in its DNS.
- MBNA has not sent this email itself but has used the services of an American e-marketer which is widely listed on popular DNSBLs, presumably due to allegations of spamming.
NB - I have seen no evidence myself that this particular e-marketer is a spammer and I make no assertion that it is.
This third-party involvement exists despite the invitation to log in via an https site belonging to and operated by MBNA, and despite the presence in that email of personal information which has been exported. Such export would be against the terms of the Data Protection Act unless I signed a waiver; I have no recollection of doing so, though I concede that I may have done so and forgotten about it.
So based on sender, route and content it is very difficult to discern a difference between the two and we must fall back on intuition or perhaps common sense.
I'll say no more about that save to observe that, based on the rapidity with which so many mass mailing worms manage to propagate despite the manifold obvious signs that they are not what they seem, neither commodity is as commonplace among the great unwashed as one might hope.
Clearly banks could and should do more to protect themselves and their customers from phishing and to make their own communications more difficult to forge. Techniques to do this are available and are not necessarily that costly either.
A final twist in this tale...
That link in the Abbey phish does not follow the usual pattern of:
<a href="http://bad_guys_server:port/path">https://banks_real_server/path</a>
Both the link itself and the link text (actually a gif image) do in fact go to the same server which really exists and does belong to Abbey bank. The redirection to the bad guy's server is caused by an HTML <MAP> nested inside that <A> tag.
I had originally quoted sample HTML here to demonstrate the technique but on second thoughts, I have removed it. No free clues for the bad guys here.
This is horribly broken HTML (two HREFs nested using different tags) and it fails completely to render in either Notes or Mozilla Thunderbird, showing just a broken image.
It renders perfectly in Outlook Express.
Remind me. What were we just saying about the great unwashed?
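A mail filter can test for both link patterns described above without rendering the message. The following Python is an added example, not code from the original post: it compares hosts only, flagging link text that names a different host than the href and any image-map AREA inside an anchor that points somewhere else. The host names are constructed .example placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host(url):
    """Hostname of an absolute URL, lower-cased; None if the text is not one."""
    try:
        return urlsplit(url.strip()).hostname
    except ValueError:
        return None

class LinkAudit(HTMLParser):
    """Records links whose visible or nested destination disagrees with the href."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []   # (kind, apparent host, other host)
        self.anchor = None   # host of the <a href> currently open
        self.text = []       # visible text collected inside that anchor

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") or ""
        if tag == "a":
            self.anchor, self.text = host(href), []
        elif tag == "area" and self.anchor:
            # An image-map region has its own href; inside an anchor it is a
            # second destination competing with the one the anchor declares.
            target = host(href)
            if target and target != self.anchor:
                self.findings.append(("area-overrides-anchor", self.anchor, target))

    def handle_data(self, data):
        if self.anchor:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.anchor:
            shown = host("".join(self.text))
            if shown and shown != self.anchor:
                self.findings.append(("text-href-mismatch", shown, self.anchor))
            self.anchor = None

def audit(html):
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample of the usual pattern; both hosts are placeholders.
SAMPLE = '<a href="http://collector.example:8080/login">https://bank.example/login</a>'

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Link text that is an image or a plain phrase yields no text finding, so the AREA check is the only one that fires on a message built like the Abbey phish.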