Recently I had a conversation about phishing emails on Twitter. Today a perfect example of a phishing email to use for a tutorial popped into my inbox. Phishing emails are ones that try to fool you into clicking on a link a scammer has control of, while thinking you’re clicking on a completley different one (your bank for example). It could be to trick you into giving them information or to load a virus on your computer. Let’s pick the one I have apart to see the signs that it’s a scam. Firstly, if you receive an email with links, the safest thing to do is not click on it. If you get an email from your bank etc. and you’re worried, then go directly to the site itself rather than click on the link. However, some of us like digging deeper. Some of us even go as far as to get as many details as we can so we can attempt to get the fake site shut down. This is for the more curious of us.
The very fact I received it at an address specifically set up to collect scam emails tells me it’s fake. However, we’ll skip over that fact and look at the email itself. I’m using a PC to do this. Those using touch screens won’t be able to do all these steps, but can still do some. Here’s a screen grab of the email in question. If you click on it, you can see a larger version.
Even from this, it’s obvious to me it’s a scam. Take a look at the email address.
Why would “Diamond Bank Plc” send out an email from a completely different domain? The scammer could have faked the email address to make it appear as if it had come from the bank, but didn’t in this case. That site used in the email actually does exist, and has been around for a while. It’s likely the scammer has hacked into the site to use as a way to send out emails.
Let’s hover over the link. This is the single step you usually see as advice, but as you’ll see, there’s much more an inquisitive mind can do. Hovering shows up a completely different link.
Gee, that’s not the bank’s address now, is it? Scammers can alter the link to make it appear as if it’s genuine. Not in this case though. This is a nice, easy one to spot. The site is genuine and likely another one hacked by the scammer (or hacked by someone else and the details sold to the scammer).
What next? Well, let’s take a look at the bank’s logo. By right clicking on it and copying its address, we get this link.
https://ci4.googleusercontent.com/proxy/8iaLuXT6miPo0hQH8VyUz38= sz0XuF3lJ0TOfYnud9xblce1XitvZBJGik6UVx__Yz5I3t0dKj_T3e1DcuoJMEOLe9kmcJNUlaX= 78zsTdp7eKfizCuYDES3RYiKxqhA=3Ds0-d-e1-ft#http://www.diamondbank.com/wp-con= tent/themes/diamondbank/images/logo.png
The image link is from a Google search and not the actual site. Real emails would link directly to the actual image on their own server. Some scammers do that of course, so while it’s something to check, don’t take it as being genuine just because the image is from the right place. Everything we’re doing are pieces of a picture, one that’ll show the email to be a scam.
Now, here’s something cool regarding that image. When I took its location, stripped out all the Google stuff and put it into my browser, the way the word “content” is broken up throws up an error page. Want to see it?
See, I told you it was cool!
Edit – The link no longer gives the error page it used to, which was a scam warning.
We haven’t even looked at the headers yet. Let’s do that now to see what we can see. My catcher account is a Yahoo one, so I click “More” and “View raw message”. Other accounts may have “Show original”, “show headers” or something similar. What you should see at this point is a lot of text, most of which will look like garbage. We’re going to look at a few things here, and let’s start with the originating IP address. This can be another piece of that picture if we’re lucky. IP addresses in headers are a clue to the route the email took to get to you.
The IP address in this case is 184.108.40.206 so let’s look it up.
Let’s look around for another IP address to see what that gives us. Your location will be on the top, theirs on the bottom. Sure enough, we find one last IP address just below the one we showed earlier. You can ignore the one starting with 192. That just an internal number that identifies the computer to any other devices connected to the router.
Before we get to the other IP address, did you spot that site address, and did it ring a bell? It’s the same as the details from the previous IP address. We’ve now got three possibly compromised websites listed. OK, so back to the new IP address. Where does that lead us?
Now there’s a place we all recognise as a hot bed of scammer activity. Seems we’ve found the actual source of the email at last. We’re not in an episode of CSI though, so we can’t go any further than that on the IP address route. Time to move on to see what else we can find. How about those links? We’re going to look at the coding of the links.
For those with an understanding of HTML, there’s no need for me to explain. For those without, ignore all that stuff in the square brackets. The only things you need to look at are the links. The link you’ll be taken to if you click it is in the quotation marks, and the text you’ll see on the link to make it appear legitimate is next. That could say anything at all, but the scammer used a web address to make it appear on first glance that’s where you’ll go if you click it.
So, what did we get out of this phishing email? Hovering showed us it was an obvious fake, but more digging not only showed us where the scam was sent from, but gave us a list of three different compromised websites and let us see the code the scammer used. Hovering can work in detecting an obvious fake, digging deeper can show you so much more, but not clicking on any links you receive in emails or messages will 100% guarantee you, your data and your computer remain safe.