
Computing Security Tip: Very Tricky Phishing Emails

Last month, we explained how viewing e-mail in plain text exposes the tricks of phishing e-mails. We closed the article with a warning to be wary of clever e-mails and to use your own bookmarked URLs or to call your bank if you receive a suspicious message which purports to be from your bank.

This month we'll show you a phishing e-mail received at SLAC which wasn't exposed as a forgery by reading it in plain text. We had to go one step further to find out it was a phishing e-mail.

Below is the original message in HTML format:

But you are a careful e-mail reader and you view it in plain text:

Still looks fine, doesn't it? But it's not!

If we dig a little deeper we'll see what is really going on in this e-mail. For this we will re-convert the e-mail to HTML (click on the grey info bar in Outlook). Then we right-click on the body of the e-mail to view the HTML source and here is the proof this isn't a valid email:

<FORM action=http://ipvpn142138.netvigator.com:86/usa.visa.com/colportal/update.html>
<A href="https://www.usa.visa.com/verifiedbyvisa/us/update.asp">
<INPUT style="BORDER-RIGHT: 0pt; BORDER-TOP: 0pt; FONT-SIZE: 10pt;
BORDER-LEFT: 0pt; CURSOR: hand; COLOR: blue; BORDER-BOTTOM: 0pt;
BACKGROUND-COLOR: transparent; TEXT-DECORATION: underline" tabIndex=2
type=submit value=https://www.usa.visa.com/verifiedbyvisa/us/update.asp>
</A>
[...]</FORM>

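By viewing the HTML code, you can see that submitting the form really takes you to a non-VISA server (see the web address in the FORM action attribute above, shown in red in the original). The link and the button label both display a usa.visa.com address, but neither decides where the form is sent. From the URL, we can determine that the server belongs to a major Internet Service Provider in Hong Kong (netvigator.com).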
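The same comparison can be automated. The following Python code is an added example, not part of the original SLAC article: it parses the HTML body of a message and reports every form whose action host differs from the hosts shown in the link targets and button labels inside it. The names host, FormAudit and mismatched_forms are illustrative.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# The form from the message above, copied as it appears in the article.
SAMPLE = """<FORM action=http://ipvpn142138.netvigator.com:86/usa.visa.com/colportal/update.html>
<A href="https://www.usa.visa.com/verifiedbyvisa/us/update.asp">
<INPUT style="BORDER-RIGHT: 0pt; BORDER-TOP: 0pt; FONT-SIZE: 10pt;
BORDER-LEFT: 0pt; CURSOR: hand; COLOR: blue; BORDER-BOTTOM: 0pt;
BACKGROUND-COLOR: transparent; TEXT-DECORATION: underline" tabIndex=2
type=submit value=https://www.usa.visa.com/verifiedbyvisa/us/update.asp>
</A>
[...]</FORM>"""

def host(url):
    """Return the lowercase hostname of an http(s) URL, or None."""
    try:
        parts = urlsplit((url or "").strip())
    except ValueError:
        return None
    return parts.hostname if parts.scheme in ("http", "https") else None

class FormAudit(HTMLParser):
    """Record, for each form, the action host and the hosts shown to the reader."""
    def __init__(self):
        super().__init__()
        self.forms = []      # one dict per form: action host, set of shown hosts
        self._open = None    # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": host(a.get("action")), "shown": set()}
            self.forms.append(self._open)
        elif self._open is not None and tag in ("a", "input"):
            # What the reader sees: the link target or the button label.
            shown = host(a.get("href") if tag == "a" else a.get("value"))
            if shown:
                self._open["shown"].add(shown)

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def mismatched_forms(html):
    """Return (action_host, shown_hosts) for forms that post to a host not shown."""
    audit = FormAudit()
    audit.feed(html)
    audit.close()
    return [(f["action"], sorted(f["shown"])) for f in audit.forms
            if f["action"] and f["shown"] and f["action"] not in f["shown"]]
```

Calling mismatched_forms(SAMPLE) returns the netvigator.com host paired with the www.usa.visa.com host the message displays. A form whose action and displayed addresses share a host produces no finding.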

The spammers and phishers are making money off people who fall for their tricks. They won't stop coming up with new ways to fool us, so we have to be smarter than they are. Sometimes the easiest way to check to see if an e-mail is a scam is to enter a sentence from the e-mail into a search engine. Entering "Someone from Bulgaria tried to access your personal account" into a search field yields several hits which will confirm this is just another phishing e-mail.

—SLAC Computer Security
    SLAC Today, July 27, 2006