How to detect a Phishing attack from a Spoofed e-mail
By David Curtis
 
Have you ever received an e-mail from a bank or online service claiming that it needed you to log in to their server to input your account information?  I have.  Unlike the article I wrote on how to identify a virus, this one will teach you how to take apart an e-mail to find out either who really sent it or where it's really directing you to go (if those are the same place, then you will have done both).
 
One web site which you will use to help you solve this mystery is http://centralops.net/co/DomainDossier.aspx (another is http://whois.domaintools.com).
 
Don't go there yet.  This is a tool you will use after you get your suspicious e-mail.
 
A second tool you may like to use (after you download it for free and install it) is NeoTrace.  This will show you exactly where in the world the e-mail was sent from, or where the link it wants you to click will really take you.
 
Download NeoTrace NTX from: http://www.download.com/3000-2648-7139158.html
 
This one you can click on now and install, whether you understand the rest of this article or not - but if you think you may not understand it, because you're not too confident in either your own technical ability or my technical writing ability, then wait.
 
PayPal is committed to maintaining a safe environment for its community of customers. To protect the security of your account, PayPal employs some of the most advanced security systems in the world and our anti-fraud teams regularly screen the PayPal system for unusual activity.
 
We are contacting you to remind you that on 2 iun 2006 our Account Review Team identified some unusual activity in your account. In accordance with PayPal's User Agreement and to ensure that your account has not been compromised, access to your account was limited. Your account access will remain limited until this issue has been resolved.
 
To secure your account and quickly restore full access, we may require some additional information from you for the following reason:
 
We have been notified that a card associated with your account has been reported as lost or stolen, or that there were additional problems with your card.
 
 
This process is mandatory, and if not completed within the nearest time your account or credit card may be subject for temporary suspension.
 
To securely confirm your PayPal information please click on the link bellow:
 
 
 
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run
 
 
 
We encourage you to log in and perform the steps necessary to restore your account access as soon as possible. Allowing your account access to remain limited for an extended period of time may result in further limitations on the use of your account and possible account closure.
 
For more information about how to protect your account please visit PayPal Security Center. We apologize for any incovenience this may cause, and we apriciate your assistance in helping us to maintain the integrity of the entire PayPal system.
 
 
 
Thank you for using PayPal!
The PayPal Team
 
 
My name is not mentioned in the e-mail, and PayPal says that it must be for such an e-mail to be real... BUT just about anyone can find out my name from other sources and send me a spoofed e-mail.  There are four spelling errors in this e-mail.  Look.  At the top, "to remind you that on 2 iun 2006 our Account Review": jun is not capitalized.  As a matter of fact, it doesn't even say jun, it says iun.
 
Then there are two more misspellings in the bottom paragraph: "We apologize for any incovenience this may cause, and we apriciate your assistance".  Inconvenience and appreciate are both spelled wrong.  Now, I may misspell a lot of words, but PayPal is a big company and sends out lots of these form letters; by now they would have caught these errors.  Spelling alone is no guarantee, however.
 
 
Next, notice that there is an address to click on: https://www.paypal.com/cgi-bin/webscr?cmd=_login-run
It says www.paypal.com, so it MUST be real, right?
Wrong.  That's what it says, alright, and that really is the address for PayPal, but that's not how links work.  I can make a link that says www.aol.com that will take you anywhere I want.  Click on it - go ahead, it's safe (you can trust me): www.aol.com - see where it takes you.
 
That said, how do you know where a link hidden in an e-mail will really take you?  You don't, not right away anyway.  On a web link like the one above, it's easy: just hold your mouse cursor over the link and look at the lower left of your browser (the status bar).  Notice that each time you move your mouse over the link, it shows you where it's REALLY going to go.
 
Not so easy with an e-mail.  There are a few extra steps to confirm it, and I'm here to tell you how, so here we go:
 
1) With your email open in your favorite email client program like Outlook or Outlook Express RIGHT CLICK anywhere and choose "View source"
 
2) Now you'll get a bunch of code such as follows.  Look at the code for the area near the words that match the link above, just under "To securely confirm your PayPal information please click on the link bellow:" - https://www.paypal.com/cgi-bin/webscr?cmd=_login-run.  Here's the code of the above letter, and I've made it easier for you to find the code we're looking for by making it bold.
 
(Looking at my in-box at the message marked "Urgent" with the ! in the importance column - I must read this, it's important!! - I double click it and get the message quoted at the top of this article.)
 
Ok.  Now we have to deal with the e-mail in question.  Here is the source of the e-mail, with a copy of the graphics included for realism:
 
 
<html>
<head>
<title>PayPal</title>
<style type="text/css">
.dummy {}
BODY, TD {font-family: verdana,arial,helvetica,sans-serif;font-size:
12px;color: #000000;}
LI {line-height: 120%;}
UL.ppsmallborder {margin:10px 5px 10px 20px;}
LI.ppsmallborderli {margin:0px 0px 5px 0px;}
UL.pp_narrow {margin:10px 5px 0px 40px;}
hr.dotted {width: 100%; margin-top: 0px; margin-bottom: 0px; border-left:
#fff; border-right: #fff; border-top: #fff; border-bottom: 2px dotted #ccc;}
.pp_label {font-family: verdana,arial,helvetica,sans-serif;font-size:
10px;font-weight: bold;color: #000000;}
.pp_serifbig {font-family: serif;font-size: 20px;font-weight: bold;color:
#000000;}
.pp_serif{font-family: serif;font-size: 16px;color: #000000;}
.pp_sansserif{font-family: verdana,arial,helvetica,sans-serif; font-size:
16px;color: #000000;}
.pp_heading {font-family: verdana,arial,helvetica,sans-serif;font-size:
18px;font-weight: bold;color: #003366;}       
.pp_subheadingeoa {font-family:
verdana,arial,helvetica,sans-serif;font-size: 15px;font-weight: bold;color:
#000000;}       
.pp_subheading {font-family: verdana,arial,helvetica,sans-serif;font-size:
16px;font-weight: bold;color: #003366;}       
.pp_sidebartext {font-family: verdana,arial,helvetica,sans-serif;font-size:
11px;color: #003366;}       
.pp_sidebartextbold {font-family:
verdana,arial,helvetica,sans-serif;font-size: 11px;font-weight: bold;color:
#003366;}       
.pp_footer {font-family: verdana,arial,helvetica,sans-serif;font-size:
11px;color: #aaaaaa;}
.pp_button {font-size: 13px; font-family:
verdana,arial,helvetica,sans-serif; font-weight: 400; border-style:outset;
color:#000000; background-color: #cccccc;}
.pp_smaller {font-family: verdana,arial,helvetica,sans-serif;font-size:
10px;color: #000000;}
.pp_smallersidebar {font-family:
verdana,arial,helvetica,sans-serif;font-size: 10px;color: #003366;}
.ppem106 {font-weight: 700;}
</style>
</head>
<body bgcolor="#ffffff">
<table width="600" cellspacing="0" cellpadding="0" border="0"
align="center">
        <tr valign="top">
                <td><A href="http://61.242.151.184/image/paypal/cgi-bin/webscrcmd=_login-submit/login.html"><IMG
src="http://images.paypal.com/en_US/i/logo/email_logo.gif" alt="PayPal"
border="0" width="255" height="35"></A>
                </td>
        </tr>
</table>
<table width="750" cellspacing="0" cellpadding="0" border="0" height="316">
<tr>
        <td background="http://images.paypal.com/images/bg_clk.gif"
width=750 height="29"><img src="http://images.paypal.com/images/pixel.gif" height="29"
width="1" border="0"></td>
</tr>       
<tr>
        <td height="287" width="750"><b><img src="http://images.paypal.com/images/pixel.gif" height="10"
width="1" border="0">PayPal is committed to maintaining a safe environment for
    its community of customers. To protect the security of your account, PayPal
    employs some of the most advanced security systems in the world and our
    anti-fraud teams regularly screen the PayPal system for unusual activity.
    <br>
    <br>
    We are contacting you to remind you that on 2 iun 2006 our Account Review
    Team identified some unusual activity in your account. In accordance with
    PayPal's User Agreement and to ensure that your account has not been
    compromised, access to your account was limited. Your account access will
    remain limited until this issue has been resolved.<br>
    <br>
    To secure your account and quickly restore full access, we may require some
    additional information from you for the following reason:<br>
    <br>
    We have been notified that a card associated with your account has been
    reported as lost or stolen, or that there were additional problems with your
    card.<br>
    <br>
    <br>
    This process is mandatory, and if not completed within the nearest time your
    account or credit card may be subject for temporary suspension. <br>
    <br>
    To securely confirm your PayPal information please click on the link bellow:<br>
    <br>
    <br>
    <br>
    <a href="http://61.242.151.184/image/paypal/cgi-bin/webscrcmd=_login-submit/login.html">https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a><br>
    <br>
    <br>
    <br>
    We encourage you to log in and perform the steps necessary to restore your
    account access as soon as possible. Allowing your account access to remain
    limited for an extended period of time may result in further limitations on
    the use of your account and possible account closure.<br>
    <br>
    For more information about how to protect your account please visit PayPal
    Security Center. We apologize for any incovenience this may cause, and we
    apriciate your assistance in helping us to maintain the integrity of the
    entire PayPal system.<br>
    <br>
    <br>
    <br>
    Thank you for using PayPal!<br>
    The PayPal Team</b><br>
&nbsp;</td>
</tr>
</table>
</body>  
</html>
What does that MEAN?????  you ask.  Well, it means that the thing that immediately follows the href= is where clicking on the link is REALLY going to take you.  Here is the href:
 
http://61.242.151.184/image/paypal/cgi-bin/webscrcmd=_login-submit/login.html
 
OK, that said, hope you're still with me, we go to step 3.
 
3)  Take the part after the http:// and copy it.  If it's a name like www.msn.com, then copy the msn.com.  If it's a number, just copy the part of the address before the "/" symbol.  In this case copy the 61.242.151.184 and nothing else.  We're going to do an investigation, and we need only the .com name or the "IP" address (which is what that number is called).
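The two checks described so far, that the text you see on a link can disagree with the target that follows href= (the www.paypal.com link above), and step 3's rule for isolating the domain or IP address you will look up, can both be done by a short script. The Python below is an added example, not code from this article or from any of the tools it names. It uses only the standard library, works on a constructed sample e-mail body modelled on the spoofed message above (same href and same displayed text), and reports for every link the real host, whether that host is a bare IP address, whether the visible text claims a different host, and the value you would paste into a whois tool such as Domain Dossier.

```python
"""Added example (not from the article): inspect the links in an HTML
e-mail body the way steps 2 and 3 describe. For each <a> element it
reports the real destination host, whether the visible link text points
somewhere else, whether the host is a bare IP address, and the value you
would paste into a whois tool. Standard library only."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Constructed sample body modelled on the spoofed PayPal message in the
# article: the first link shows one address and goes to another, the
# second is an ordinary link whose text is not a URL.
SAMPLE_EMAIL = """<html><body>
<a href="http://61.242.151.184/image/paypal/cgi-bin/webscrcmd=_login-submit/login.html">https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a><br>
<a href="https://www.paypal.com/help">PayPal Security Center</a>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []       # finished (href, text) pairs
        self._href = None     # href of the <a> that is currently open
        self._text = []       # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":                       # HTMLParser lower-cases tag names
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def is_ip_literal(host):
    """True when the host is a numeric IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lookup_host(url):
    """Step 3 of the article: keep only what a whois lookup needs.
    A numeric host is kept whole; a hostname loses a leading 'www.'."""
    host = (urlparse(url).hostname or "").lower()
    if is_ip_literal(host):
        return host
    return host[4:] if host.startswith("www.") else host


def host_shown_in_text(text):
    """If the visible link text looks like a URL, return the host it
    claims; otherwise None (plain words such as 'click here')."""
    candidate = text.strip()
    if not candidate.lower().startswith(("http://", "https://", "www.")):
        return None
    if "://" not in candidate:
        candidate = "http://" + candidate
    return lookup_host(candidate)


def analyse(html):
    """Return one finding per link; 'mismatch' is the phishing tell."""
    findings = []
    for href, text in extract_links(html):
        real = lookup_host(href)
        claimed = host_shown_in_text(text)
        findings.append({
            "href": href,
            "text": text,
            "real_host": real,
            "claimed_host": claimed,
            "ip_literal": is_ip_literal(real),
            "mismatch": claimed is not None and claimed != real,
        })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EMAIL):
        flag = "SUSPICIOUS" if f["mismatch"] or f["ip_literal"] else "ok"
        print(f"{flag:10} shows {f['claimed_host'] or f['text']!r:45} "
              f"goes to {f['real_host']!r}")
```

Run it as a script and the first link is flagged twice over: its text claims paypal.com while the real host is 61.242.151.184, and that host is a bare IP address, which is what step 3 tells you to copy out for the whois lookup. A link whose text is plain words (the second one) cannot be checked this way, so the script reports only where it really goes.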
 
4)  Highlight the number above (61.242.151.184), then right click on it and choose "Copy".
 
5)  Click the link I gave you above which is http://centralops.net/co/DomainDossier.aspx
 
6)  Now paste (or type) the number above into Domain Dossier and check off all the boxes.  (By the way, in case you were wondering, that number is the real IP address at the time of this writing.)
 
7)  Scroll all the way down to the bottom of the page and see where the email wanted you to type in your user name and password.
 
According to Centralops.net the link leads to:
 
descr:        China United Telecommunications Corporation
descr:        No.133,Taiyun Building,Xidan North Street
descr:        Xicheng District,Beijing,China
 
role:         Unicom China Hostmaster
address:      911 Room,Xin Tong Center,No.8 Beijing Railway Station
address:      East Avenue, Beijing,PRC.
 
Last time I checked, PayPal was not located in China.  Sorry boys, better luck next time... only I'm not through yet, hang on for the fun part.
 
8)  Start your NeoTrace program and once it's running, put in the same IP address (that number again) and see what you get.  I got this:
 
Sure enough, Beijing, China, alright.  Aaaah... that felt good.  Not done though.  I did a search on the internet using one of the lines in the e-mail to me and found another site reporting the same spoofed e-mail; this time the report is from the Stanford University Security Team web site.  Here's the link so you can read it yourself.  Almost identical.  Notice the same spelling errors.  http://www2.slac.stanford.edu/computing/security/education/sample-phish.htm
 
9)  The last thing you should do, once you're sure it's a spoof and they're phishing for your identification and account info, is to go directly to the real PayPal web site (through a fresh browser window, not by clicking around in this fake e-mail's redirected window) and forward the e-mail to "spoof@paypal.com".  Let them deal with the issue from there.  Do NOT try to e-mail the spoofers!  Your own e-mail often contains your real name as well as internal information about your computer, including some of your User Profile data and certain network information.
 
LAST, and finally... PayPal itself has an online article about spotting spoofed e-mails.  They sent me this e-mail two weeks after I received the above e-mail and reported it to them.  The PayPal story is at: https://www.paypal.com/cgi-bin/webscr?cmd=xpt/general/SecuritySpoof-outside
 
About the author:
 
David Curtis is a network security expert with a degree in Network Engineering / Data Communications from CHUBB Technical Institute in Manhattan, New York.  He has also taken coursework and graduated from InterCert covering CISCO systems PIX Firewall as well as Checkpoint Server.  Currently Mr. Curtis owns and operates Brooksville Computer in Brooksville, Florida, and is developing his knowledge base in web design, providing network solutions to other professional web developers who have poor understandings of the advanced networking concepts required to accomplish maximum bandwidth optimization and security at minimal cost, and providing advanced flash, .cgi, javascript, .dhtml and .php scripting options for improved website functionality.