Being your own Phishing Philter

Today it became readily apparent that despite the warnings of many many people to be careful of a Twitter phishing attack, many people fell pray to it – including many famous people/accounts, including @foxnews, @britneyspears, (completely NSFW!!), and @ricksanchezcnn.  (Thanks to Best Damn Tech Show for the quick screen-shots before the tweets were deleted.) Even the supposedly internet-savvy Barack Obama team seem to have fallen prey.

How do you avoid such social-engineering, or, “phishing” attacks?  By some smart reading.  Here are some basic rules.

What is “Phishing?”

First, let’s define this “phishing” thing.  Let’s steal some Wikipedia definition, shall we?

In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

Phishing, therefore, is basically tricking people into handing over their sensitive information by making them think that in fact they’re handing over said information to the appropriate entity, when in fact, it’s not that entity.  Think bank account websites, etc.

Below are two screenshots.  One is of Twitter’s login page.  The second, of the phishing site that stole all the lovely logins that ended up with bizarre tweets this morning.  See if you can guess which is which.

Twitter?

Twitter?

If you can tell from the two screenshots which is which, you probably can stop reading now.  If not, let’s take a closer look.

Social Engineering

Phishing attacks usually go like this:

  1. Make the user think you’re the real deal
  2. Take user’s information

In this case, the first thing that happens is you receive an email claiming that you have a Direct Message (DM) and all you have to do is sign on to Twitter to get it.  This should immediately ring alarm bells.  Unless new to Twitter (which many probably are) you should know that if you have ever received a Direct Message (DM) that the DM is automatically emailed to you with the contents of the DM, never with a link asking you to sign on to read the DM.  (You can turn off this email feature, but then you would receive no emails at all when you receive a DM.)

Assuming that you’re new and have never received an email like this before, and have never received a DM, look closer.  The “link” points to a blogspot.com domain.  Why would Twitter ever send you an email asking you to log on, with a link to Blogspot?  But let’s assume that you’ve missed this as well.  It’s easily overlooked.  Social Engineering has just taken place – the email seems to you authentic enough, and therefore you believe it actually came from Twitter.

Without Social Engineering, part 2 (taking the user’s information) would never be possible.  But it’s incredibly easy to gain someone’s trust.  We’re all quite busy, and if we receive an email from Twitter, who has time to assume it’s not valid?  Especially if the from email address is a twitter.com email address, right?

Never believe the email address that an email says it has come from.  If you believe an email to be fraudulent, investigate further.  It’s incredibly easy to send an email and forge the “from” address – it’s actually something that almost anyone can do with a little Google investigating, and is not a trick only reserved for the most seasoned of hackers.

But those domain names…

Now that they’ve got your attention and trust, you click on the provided link, which takes you to a page that looks exactly like Twitter’s.  Which brings us back to the test above.  The first picture is actually the phishing site, the second Twitter’s actual home page.  When two pages look so identical, how can it not be authentic?

For the most part, paying close attention to the URL in your browser’s address bar can save you from 99% of all Phishing attacks.  Let’s look at this particular example.

The twitter website’s address is

http://twitter.com

Everything you do starts with this.  Your home Twitter stream resides at http://twitter.com/home/.  My stream resides at http://twitter.com/themartorana.

Then there is the phishing attack.  Here is their url:

http://twitter.access-logins.com/login/

But wait – that has “twitter.” in the address!  It looks authentic right?  Let’s look at domain parlance.  Domain names run in Right-To-Left (RTL) order of high-level to low-level domain naming, separating important pieces by “.” (dots, or periods).  For instance, look at the last bit of the domain “www.google.com” – it’s “.com“.  You should know by now that there are lots of endings to urls, the popular ones being .com, .net, .org, .edu, .gov, etc.  When you type in a domain name, it’s last bit – that .com or .gov indicate what class the domain name is in.  .edu are educational domains.  .gov are all government.  There are also country domains, like .mx, for Mexico.  These end-pieces to domains are often referred to as TLDs, or Top Level Domains.

After placing your domain in its class, it then detects the second part of the domain, reading in the RTL order.  “google” is the 2nd part, after “com“.  This is an organizational level domain, and its name belongs to a single group or organization.  In this case, the name “google” belongs to Google, the company that we all know.  On this site, the name “davidmartorana” comes after “com” – “com” puts me in the common name space, and “davidmartorana” is the organization level, owned by yours truly.

Finally, anything following the organizational part of the domain points to a place inside of that organization.  So while “www” in “www.google.com” points to the main website, “docs.google.com” points to their Google Docs site, and “mail.google.com” points to their GMail service – both subsidiaries of the Google organization.  You can assume even in the most complicated of domain names, such as “http://glassboro.k12.nj.us” which has four domain parts, it is just a list of subs of subs.  The “.us” end indicator is the TLD for the United States.  Below that, “nj” refers to the state of New Jersey, inside of the United States.  Below that, the state of New Jersey has split out the “k12” sub-organization to be dedicated to all lower-level learning institutions between the grades Kindergarten to 12th grade.  Finally, “glassboro” refers to the K-12 school system of the town of Glassboro in New Jersey.

Make sense?  Awesome.  Now let’s take a look at those domains again.

http://twitter.com

These domains start with “com” and move to “twitter“.  Using a “whois” search, we can see that the organizational name “twitter” in the “com” TLD space is registered by Twitter, Inc.  Everything that is owned by Twitter regarding the Twitter service will exist at or below “twitter.com“.  For instance, http://search.twitter.com, which lets you “search” the “twitter.com” organization level domain space.

However:

http://twitter.access-logins.com/login/

Well, this is different.  Despite the fact that it has “twitter” somewhere in the domain space, it’s below the organizational level!  Once someone owns a domain name, they can create subs of that domain any way they wish.  This is important – let’s look again.

Here, remove the /login/ part.  Any part of a domain after the original / is not part of the domain structure.  We’ll get to that in a second.  So we’re left with “twitter.access-logins.com” – “com” puts the domain in the common namespace for domain names, but the organization level is “access-logins” – this isn’t Twitter!  In fact, a “whois” lookup of “access-logins.com” gives us an error:

Connection refused connecting to whois.paycenter.com.cn

What?  So first off, we can’t even tell who owns the domain, because a common request for that information is refused by the carrier.  That’s a big tell.  Finally, “cn” is the country level domain for China, which means this domain is located somewhere inside of China!  More than likely, their “Great Firewall” is blocking access, but as you can see, just a little investigation brings up a lot of doubts.

Finally, the owners of the organizational domain level “access-logins” can, again, put anything they want after the “access-logins” portion of the domain in the RTL direction.  Here, they put “twitter“, but if they want, they could use “com” first, and THEN “twitter“, making the domain then “twitter.com.access-logins.com” – and this is an easy way to fool people.  Why not?  There it is, “twitter.com“, right in the domain.  This is why it’s so important to remember to read domain names from Right-To-Left.

IP Address / Domain spoofing

Furthering the spoofing of domains to the common eye, you’ll sometimes see something like this:

http://78.233.142.211/twitter.com/

Again, this can look relatively legit.  You see “twitter.com/” right there!  This goes back to our earlier point that any part of a domain after the original / is not part of the domain structure. In fact, 99 times out of 100, anything after the first slash indicates the folder structure on the web server.  Here, the link doesn’t even use a domain name, but instead uses a quartet of numbers, commonly referred to as an IP address.  Next, they have a folder named “twitter.com” – that’s it.

(For the record, domain names are nice ways of covering IP addresses so you can remember “google.com“, not Google’s IP address. That IP address, by the way, is totally made up.)

Finally

Although admittedly somewhat lengthy, I hope this gives you some indication of how to be able to smell out the most common of phishing attacks.  Even if they get you on the initial social engineering part, once you get to any site via a link provided to you, check out the URL in your address bar.  You may just see something a little… phishy.

  • http://www.deltaangel.com Reed Gustow

    What an excellent tutorial! This is a real service, Dave. You have done many people a huge favor.