Following through the course of a phishing attempt and tips on how to spot the scam
Recently I had the (mis)fortune to come across a live phishing attempt (take a look at the Glossary if you’re not familiar with the concept of phishing). What follows is a brief run through of the scenario with some pointers of what to look out for to make sure you don’t fall foul of similar efforts.
The first step is receiving an email that’s crafted to look like it has come from a legitimate source. At this stage a well-crafted email can be very difficult to spot, and often a legitimate email will employ some of the same bad practices. Hopefully you’ll be up against the usual numpties who fire out emails with terrible English, spelling errors, inconsistencies and no effort to replicate a legitimate communication, which should make the fake easy to spot.
There is more information on what to look out for in an email at the bottom of the article. At this point, other than the web links not going to gocompare.com there’s very little else to give the game away as the other website might be a marketing agency or link tracking service.
The email links take you to http:/<X>/www.dragmen.nl/indexw.php (links disabled for safety) and that bounces you on to another website at http:/<X>/18.104.22.168/uk/uk/Login.htm and at this point alarm bells should start ringing.
It’s reasonable for a link tracking service to register your click and bounce you on to the intended website but it’s very unusual for a legitimate public website to use an IP address.
The website looks very convincing because the crooks have simply copied the real website and tweaked the code for their own purposes. If you’re duped into entering your details here and click the “sign in” button, regardless of what you’ve entered you’ll receive a second page asking you to ‘verify’ some more information.
If you fill in the blanks and hit “continue” you’ll get a “Thank-you” page before being bounced on to the real GoCompare website.
The convincing website presentation continues throughout with consistent design and operation. The website even goes so far as to include prompts if you’ve not put information into key fields although there is no validation on what you’ve entered; you can put one digit in the bank account field for example. In fairness this is one of the better productions I’ve seen. Links on the website will take you to the real GoCompare website.
The second page that asks for more information is good but there are some giveaways if you pay attention. Although GoCompare uses an international .com domain the company is very much UK focused but the date is in US format and you’re asked for a Zip Code instead of a Post Code. Both would be easily overlooked.
Overall, it is understandable that people are fooled by these fakes and it’s really only the website address that is a big giveaway. If you’ve read my earlier post on HTTPS then that would also be an indicator that you should not be entering sensitive information. Considering the effort the criminals have already gone through it would have been trivial and reasonably cheap for them to register a website address and buy an SSL certificate that would have made the phish very difficult to spot.
If you had fallen for this scam you’d probably find yourself with unauthorised charges against your credit card and/or bank account, and by the time you discovered the charges a few weeks later you would probably not connect them with this email.
Hopefully though this will highlight how easy it is to fall for a scam. If you have any questions, as always feel free to get in touch…
More Info… The Email
- The email sender might appear to be legitimate but this can be faked
  - Some legitimate companies will use marketing agencies so for example an email for GoCompare might come from Eclipse.com
- The links in the email might appear to send you to a legitimate website but this can be faked
  - Again a legitimate campaign might come from a marketing agency so the links might go to a different website for response tracking
  - Where the link says it will take you and where it actually takes you might not be the same so check your web browser address bar after you’ve clicked
  - Is the link entirely different from what you expect? Does it look not quite right? A quick web search of the company name will probably show you what the web address should be
- The appearance might be convincing and look very real but it’s a simple case of copying an actual email from
  - Some companies have appalling designers and the bad guys do a better job of producing a good looking email!
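The link checks in the list above, together with the IP-address and HTTPS points made earlier in the post, as an added example that is not part of the original article: a small Python script that pulls every link out of an HTML email body and flags the indicators discussed (a bare IP address as the destination, plain HTTP, a destination domain other than the expected brand, and link text that names a different site from where the link really goes). The sample message is constructed here using the addresses quoted in the post; the expected brand domain `gocompare.com` and the simple anchor-matching regex are assumptions of the example.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

EXPECTED_DOMAIN = "gocompare.com"  # the brand the email claims to come from (assumed)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")

# Constructed sample modelled on the email described in the post (not the real message).
SAMPLE_EMAIL_HTML = """
<p>Please <a href="http://www.dragmen.nl/indexw.php">sign in at www.gocompare.com</a>.</p>
<p>Secure login: <a href="http://18.104.22.168/uk/uk/Login.htm">https://www.gocompare.com/login</a></p>
<p><a href="https://www.gocompare.com/contact">Contact us</a></p>
"""

def registrable(host):
    """Crude 'last two labels' domain: www.gocompare.com -> gocompare.com."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""

def is_ip_literal(host):
    """True when the host part of a URL is a bare IPv4/IPv6 address."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def check_links(html, expected=EXPECTED_DOMAIN):
    """Return [(href, [reasons])] for every link that shows an indicator from the post.

    Checks: bare IP host, plain HTTP, wrong domain, and visible link text naming
    a different site than the real destination (the address-bar check).
    """
    findings = []
    for href, text in ANCHOR.findall(html):
        url, reasons = urlparse(href), []
        host = url.hostname or ""
        text = " ".join(re.sub(r"<[^>]+>", "", text).split()).lower()  # strip inner tags
        if is_ip_literal(host):
            reasons.append("destination is a bare IP address")
        if url.scheme != "https":
            reasons.append("not HTTPS")
        if registrable(host) != expected:
            reasons.append(f"goes to {host}, not {expected}")
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and registrable(shown.group()) != registrable(host):
            reasons.append(f"text shows {shown.group()} but link goes to {host}")
        if reasons:
            findings.append((href, reasons))
    return findings

if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_EMAIL_HTML):
        print(href, "->", "; ".join(reasons))
```

Running it against the constructed sample flags both redirect links and leaves the genuine contact link alone; the same function can be pointed at the HTML part of any saved message.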
More Info… The Websites
The website used in the email links that bounced you on to the target phish site appears to be a legitimate business so it is likely that they had been compromised to host the bounce page. The purpose behind the bounce page is simply to avoid detection and to prolong the life of the scam.
Within a few days of the phishing scam first being seen several web services were identifying the websites involved as being malicious and several web browsers would automatically warn anyone that tried to browse to either the bounce website or the phishing website. This is one reason to keep your browsers up to date as these protective services are constantly evolving.
Inspecting the websites related to this scam showed that GoCompare was not the only target on their radar and several other prominent company names are shown in file lists. Unfortunately we’ll probably never know how widespread this round of scams has reached, how many people fell for it or whether the crooks responsible will ever be held accountable.
Image Attribution: Thanks to scottchan @ FreeDigitalPhotos.net for the image