Phishing lures are getting better

The phishing community is pulling out all the stops and making their lures quite convincing. While I never follow links in emails that ask me “to update/confirm information” and basically dismiss them out of hand, I always give the email a once-over to prove that it is not legit. Today I was surprised to see that the email actually linked to eBay.

Or not.
(Image: example lure)

It is common practice for phishermen to show hyperlinks that display URLs to the legitimate site but whose actual links point to something like “http://www.secure-trustworthy.com”. But the best phishermen know that the bait has got to look real. In this example the actual link is to “http://awcgi-ebay.com/?eBayISAPI.dll”. That looks remarkably similar to the real thing. There are several tricks here:

  1. Obviously, a domain name with “ebay” in it.
  2. A domain name with “awcgi” in it - something that is often part of real eBay links.
  3. The use of a dash to separate “ebay” from “awcgi”.
  4. Dropping of the “www” prefix so that the “awcgi” looks like a subdomain of ebay.com.

I’m sure many people will swallow this one. However, awareness campaigns are working: my wife, Holly, pointed out “But that ‘http’ thing doesn’t have an ’s’ on it”. So at least people know that without the use of SSL anybody could intercept your details en route to the phisherman. :grin:
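The tricks listed above, and the missing “s”, can be checked mechanically when triaging a reported email. The following is an added example, not part of the original post: the brand table, the naive two-label domain rule and the sample HTML (including the displayed link text) are constructed assumptions; only the `awcgi-ebay.com` link comes from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: brand token -> the registrable domain the brand really uses.
BRAND_DOMAINS = {"ebay": "ebay.com"}

def registrable(host):
    # Naive rule (last two labels); production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def host_of(text):
    text = text.strip()
    return urlsplit(text if "://" in text else "http://" + text).hostname or ""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_link(href, shown):
    findings = []
    parts = urlsplit(href)
    target = registrable(parts.hostname or "")
    # Only treat the visible text as a URL if it looks like one.
    shown_host = host_of(shown) if "." in shown and " " not in shown else ""
    if shown_host and registrable(shown_host) != target:
        findings.append("display-mismatch")         # text shows one site, href another
    for brand, real in BRAND_DOMAINS.items():
        if brand in target and target != real:
            findings.append("brand-in-foreign-domain")  # e.g. awcgi-ebay.com
    if parts.scheme != "https":
        findings.append("no-tls")
    return findings

def scan(html):
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, shown) for href, shown in collector.links}

# Constructed sample: the first href is the one from the post, the rest is invented.
SAMPLE = ('<a href="http://awcgi-ebay.com/?eBayISAPI.dll">http://cgi.ebay.com/ws/eBayISAPI.dll</a>'
          ' <a href="https://www.ebay.com/">eBay</a>')
```

The dash matters because `awcgi-ebay.com` is its own registrable domain, whereas `awcgi.ebay.com` would reduce to `ebay.com` and pass the brand check.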

Most people know not to follow links from service providers asking you to supply personal details. As we become more streetwise, phishing yields will start to slow down, and criminals will be forced to use the more technically-challenging but very effective art of pharming.
