SLAC Computer Security
Search SLAC
SLAC Home | Computing Home | Computing Outages | Help
Computer Security | Windows Security | Passwords | User Education | Policies

Very Tricky Phishing Emails

Last month we told you how viewing email in plain text exposes the tricks of phishing emails. We closed the article with a warning to not believe clever emails but to use your own bookmarked URLs or to call your bank, etc. if you get a suspicous email.

This month we'll show you a phishing email received at SLAC which wasn't exposed as a forgery by reading it in plain text. We had to go one step further to find out it was a phishing email.

Below you see the message if viewed in HTML format:

But you are a careful email reader and you view it in plain text:

Still looks fine, doesn't it? But it's not!

If we dig a little deeper we'll see what is really going on in this email. For this we will convert the email to HTML (click on the grey info bar in Outlook). Then we right-click on the body of the email to view the HTML source and here is the proof this isn't a valid email:

<FORM
action=http://ipvpn142138.netvigator.com:86/usa.visa.com/colportal/update.html>
<A href="https://www.usa.visa.com/verifiedbyvisa/us/update.asp">
<INPUT style="BORDER-RIGHT: 0pt; BORDER-TOP: 0pt; FONT-SIZE: 10pt;
BORDER-LEFT: 0pt; CURSOR: hand; COLOR: blue; BORDER-BOTTOM: 0pt;
BACKGROUND-COLOR: transparent; TEXT-DECORATION: underline" tabIndex=2
type=submit value=https://www.usa.visa.com/verifiedbyvisa/us/update.asp>
</A>
[...]
</FORM>

Now you see that the URL really takes you to a server in a Hong Kong ISP (netvigator.com)...

The spammers and phishers are making money off the people who fall for their tricks. They won't stop at coming up with new ways to fool us so we have to be smarter than them. Sometimes the easiest way to check to see if an email is a scam is to enter a sentence from the email into a browser search field. Enter "Someone from Bulgaria tried to access your personal account" into a search field and you'll get several hits which will confirm this is just another phishing email.

Above article appeared in July 27th, 2006 SLAC Today.

Owner: SLAC Computer Security
Last Updated: 02/19/2008
Feedback: Please send to Computer Security Feedback