Phishing. Easy to spot.

[Wayne]

I'll use a perfect example for this. Going through my "catcher account" (the email address I use to collect scammer emails) I had an email claiming "FINALLY YAHOOBeta IS HERE".



Now, a lot of people will click on the link, assuming they're being sent there by Yahoo. Not so fast Grasshopper. Firstly, let's check the email address out.



Well, it's from a Yahoo address. That's a start at least. How about the IP address. Where does that lead to?



Well that's fishy (or "phishy" if you will). Yahoo is in Sunnyvale, California. Wouldn't they send them from their own server, not Egix? I smell a rat. Now, let's look at that link. If you hover your mouse over the link, you should see the link location appear at the bottom of the browser's window.



Well that's not right. No, not right at all. TinyURL is a brilliant site that makes long website names short. Easier for posting and sharing, but also easier for hiding the true location. If you see a link, and hovering over it doesn't give you the address it should, or if it shows up as a TinyURL, be VERY suspicious. Now, for educational purposes only, I clicked on the link. I would never advise anyone to do so in case the link installs a virus on your PC. However, I happen to be an expert. I also have a laptop that only runs Linux, so any Windows based virus won't be able to install itself onto it. Here's the URL it sent me to.



Chembx? What the hell is that? That's not Yahoo! The site certainly LOOKS like yahoo tho.



Let's do a whois on this, shall we? This is what we see.

Registrant:
CEEJAY COMMUNICATIONS
#24 Egbe Road
Oke-afa Isolo
Isolo, Lagos 23401
Nigeria

Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: CHEMBX.COM
Created on: 21-Jun-10
Expires on: 21-Jun-12
Last Updated on: 14-Jun-11

Administrative Contact:
COMMUNICATIONS, CEEJAY domains@ceejayhost.com
#24 Egbe Road
Oke-afa Isolo
Isolo, Lagos 23401
Nigeria
+234.08085089527

Technical Contact:
COMMUNICATIONS, CEEJAY domains@ceejayhost.com
#24 Egbe Road
Oke-afa Isolo
Isolo, Lagos 23401
Nigeria
+234.08085089527

Domain servers in listed order:
NS1.CEEJAYHOST.COM
NS2.CEEJAYHOST.COM

An email has been sent to ceejayhost.com reporting the phishing site. Let's see how long it takes them to remove it.

[Wayne]

Just checked the phishing link, and the good news is that we now get this when we click on it

"Not Found

The requested URL /Update/login_verify2.php was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request."

A job well done

[Wayne]

Had another one today. This time a quick email (always include the full headers of the phishing email) to the support team at site5 had it killed within 30 minutes. Well done site5.com Fake sites, paid for profiles and vanity email addresses (as in ones the scammers pay for) are always worth killing as they cost a scammer money. Throwaway email addresses (like Yahoo or Gmail ones) and accounts on free to join sites are best left untouched as the amount of damage it causes scammer databases make it counterproductive. Also, scammers will usually have several free accounts lined up ready for when one is deleted. One mass mailed email with the new address and they carry on as if nothing happened.