Sunday, April 11, 2010

Investigating a Phishing Attack

A former student noticed this strange email sent to a Georgetown University mailing address on Friday, April 9, 2010. My former student noticed immediately that the email's return address was not in the university's domain and was instead a Yahoo! email address. Further, the email requested that students reply with their university userid and password. Clearly this was a phishing attempt. I trust that all current and former students of this class would have immediately recognized this email scam.

As I had some spare time this weekend, I decided to investigate this amateurish attempt to steal personal information from the student body. The first thing I did was examine the headers of the email. From the GMail web client you can view the headers by clicking on the down arrow immediately to the right of the reply icon and selecting "Show original".

An examination of the headers revealed that the email originated from a server in South Korea with the IP address Further, it appears the spammers utilized a hacked email account belonging to a real estate agent in Roseburg, Oregon.
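As an added example (not part of the original post), here is how the header examination described above can be automated in Python: it walks the Received: chain from the bottom up to find the first routable sender address, lists hops that were accepted with SMTP authentication (the sign that a real account's credentials were used), and checks whether replies would go outside the university's domain. The message, hostnames and addresses are all constructed placeholders.

```python
import email, re
from email.utils import parseaddr
from ipaddress import ip_address, ip_network
# Constructed sample message (not the actual Georgetown phish). Hosts are
# placeholders and IPs come from the RFC 5737 documentation ranges.
SAMPLE_EMAIL = """\
Received: from mail.example.edu (mail.example.edu [192.0.2.10])
\tby mx.recipient.example (Postfix); Fri, 9 Apr 2010 10:02:11 -0400
Received: from relay.oregon-isp.example (relay.oregon-isp.example [198.51.100.7])
\tby mail.example.edu (Postfix); Fri, 9 Apr 2010 10:02:05 -0400
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby relay.oregon-isp.example (Postfix) with ESMTPA; Fri, 9 Apr 2010 10:01:58 -0400
Received: from User ([192.168.1.5]) by kr-host.example ([203.0.113.45])
\twith Microsoft SMTPSVC; Fri, 9 Apr 2010 23:01:50 +0900
From: "IT Help Desk" <agent@oregon-isp.example>
Reply-To: helpdesk-verify@yahoo.com
Subject: URGENT!!! Account verification required
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Unroutable ranges: a hop from one of these is internal or forged, not the origin.
UNROUTABLE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def received_chain(raw):
    """Sender IP of each Received: hop, oldest hop first."""
    msg = email.message_from_string(raw)
    hops = [IP_RE.search(h) for h in msg.get_all("Received", [])]
    # Each MTA prepends its header, so the bottom header is the oldest hop.
    return [m.group(1) for m in reversed(hops) if m]

def originating_ip(raw):
    """First routable address in the chain: the host that injected the mail."""
    for ip in received_chain(raw):
        if not any(ip_address(ip) in net for net in UNROUTABLE):
            return ip
    return None

def authenticated_hops(raw):
    """Hops accepted with SMTP AUTH (ESMTPA/ESMTPSA): a real account was used."""
    msg = email.message_from_string(raw)
    return [IP_RE.search(h).group(1) for h in reversed(msg.get_all("Received", []))
            if re.search(r"\bE?SMTPS?A\b", h) and IP_RE.search(h)]

def reply_domain_mismatch(raw, org_domain):
    """True when replies go to a domain other than the organisation's own."""
    msg = email.message_from_string(raw)
    addr = parseaddr(msg.get("Reply-To") or msg.get("From", ""))[1]
    return not addr.lower().endswith("@" + org_domain.lower())
```

The oldest hop here carries a private address, so it is skipped; the first routable hop is the one that authenticated to the relay, which is exactly the pattern a compromised third-party account leaves behind.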

According to Project Honeypot, the South Korean server has previously been used by spam harvesters and comment spammers.

While satisfied that I understood how the spammers executed their fraud, I still wanted to know more about the individual(s) attempting to steal personal information from the student body. So, I decided to respond to their phishing attempt with one of my own. I set up a fake email account and responded to the phishing attempt with phony information. I embedded web bugs in my phony reply, along with links back to a blog that I established to act as a honeypot.

My plan was simple. The scammer would open my response email thinking that they had stolen data from an unwitting victim. As they opened my email, the web bugs would beacon back to my blog, giving me the hacker's IP address. Alternatively, the attacker might be dumb enough to click on the embedded links to my phony blog. In this case, it appears the hacker was indeed dumb enough to click on the links back to the fake blog. This action revealed that the hacker was retrieving the stolen information via a computer in Hyderabad, India. It is possible that the attacker was using a proxy to retrieve his stolen data, but the fact that he clicked on the blog link in my phony email doesn't give me much confidence that this clown practices solid operational security.

Christopher Butterfield said...

This phishing attack is quite certainly an amateur operation. Any seasoned cyber-security professional, any student in our class, or quite possibly anyone with a decent helping of common sense would recognize this instantly as a scam. However, I would contend that if the email itself could have been written properly and with a better command of the English language, a large number of Georgetown students might have walked blindly into this scam.
To members of our class, the warning signs are obvious. The three exclamation points in the subject line? I don’t think anyone in the Tech Department at Georgetown University is ever that excited. The email also addresses “subscribers,” while I would imagine the university, should it send an important tech email to the student body, would be more likely to address the email to “students.” There are strange phrases such as “Georgetowngrade” and “Georgetowndate.” And there is of course the warning that the students’ email accounts would be systematically destroyed if they were to fail in responding properly to this hackneyed email. Anyone might be able to tell that these elements would not be in a professional, legitimate Georgetown University email to the student body.
Had the email been more simple in nature, however, it could have been far less obvious. If it simply asked for students to respond with their ID and Password to verify their contact list, without threatening to destroy their accounts, it might have been far more enticing. This is based on the simple fact that students don’t consider their net ID a security issue in the way that we view credit cards or PIN numbers. Many students’ parents handle their payment accounts, so all these students use their Net ID for are pre-registering, using Blackboard or logging into hoyamail. I personally don’t often think about how much access to my personal information my Net ID and password could give someone. If I was in a rush and I saw a seemingly well-written email from a department at Georgetown I rarely deal with anyway, and I had never been educated about such scams, I might fall for such a scam easily.
So before we laugh at the possibly pathetic attempt by an amateur scam-artist in Hyderabad, India, we should consider that for the criminal to be successful in attaining significant amounts of personal information, he really only needs to dupe one Georgetown student. Even in this email’s present state, if it successfully made it to a Hoya’s inbox and not the spam folder, a tired, stressed-out student might not be willing to take the chance of losing their net ID account. This is one of the challenges of cyber-security. In many instances, the criminal only has to be successful one time to do major damage. When that criminal targets a population of over six thousand students, many of whom do not have the privilege of cyber-security education, the results can be disastrous for those targeted.

Oliver Silsby said...

I just saw the e-mail "Security update: Phishing scam targeting Georgetown" and instantly came here to see if there was a post about it. Information that you teach in class, on how to successfully locate a phishing scam, should be public knowledge. If everyone got a basic education in Info Privacy, there would be fewer of those who get scammed every day. I also thought it was really interesting how you could simply locate the position of the hacker. But at this point, after finding out that he's situated in India, what is the next step? Basically, what legislative action can someone take in this? I am guessing that there is nothing that someone can do, which makes this phishing profession so appealing. How many internet phishing scammers actually get caught? And in addition, how many international phishing scammers get caught? No wonder there is so much phishing/spam, because there is hardly any way to catch and reprimand people in Hyderabad and elsewhere.

Mary C. said...

All Georgetown students, not including seniors, have been pre-registering this week for the fall semester. Unless you’re a junior, I assume that most of us are still in the process of completing requirements. The reason I took this class was to fill a math requirement, but after reading Oliver’s post I realized I’m fulfilling a much more important requirement. This class has taught me so much information about privacy and security, about threats and how to protect oneself in the cyber world; it has been more useful and applicable than any calculus or statistics course would ever be, in my opinion. We talked in class about how our generation is the first to have always had the Internet, so I agree with Oliver that in this day and age an Information Privacy class should be required, and the Phishing scam that reached 273 Georgetown users is a perfect example of why. When I opened the Security Update email I read the entire message and noticed “For more guidance on how to protect your personal information, visit the Georgetown University Information Security Office website at” I visited the website, but I highly doubt a high percentage of Georgetown students and faculty did. This website is simple but informative and includes security highlights, information about protecting yourself and your NetID, as well as news and alerts. This is a website I think all students should visit and spend some time on for their own security. Ultimately I think all students should be required, not to take a full semester of an Information Privacy class necessarily, but to take at least a series of seminars about protecting oneself on the internet and about risks on the Internet, because this specific Georgetown Phishing attack demonstrates how easy it is to be targeted and exploited on the Internet.