October 27, 2007 3:40 PM PDT

Defending against a phishing e-mail message

by Michael Horowitz

I previously made the case that Windows users should use Thunderbird for email. When I got a fraudulent e-mail message on Saturday claiming to come from PayPal, Thunderbird offered two lines of defense.

The first was the big warning that the message might be a scam. Indeed it was.


The body of the message was a pretty standard phishing scam, with the usual typos and the true destination of the link hidden.

Please Update Your Account
Dear valued PayPal member:
It has come to out attention that your PayPal account information needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online services.
However, failure to update your records will result in account suspension. Please update your records on or before Nov 02, 2007.
Once you have updated your account records, your PayPal session will not be interrupted and will continue as normal.
To update your PayPal records click on the following link: https://www.paypal.com/cgi-bin/webscr?cmd=_login-run


Thunderbird's second line of defense was not falling prey to the common practice of using hidden JavaScript code to hide the real destination of a link embedded in the message. In the screen shot below you see that the blue link appears to go to a secure PayPal login page.


This, however, is not the real destination of the link. When the mouse hovers over this link, Thunderbird shows the true destination in the status bar (shown above), a page at mardur.net. Some other e-mail programs reinforce the scam by showing the phony destination in the status bar. They willingly obey hidden JavaScript code. In this case, the code was:

<a onmouseover="window.status='https://www.paypal.com/cgi-bin/webscr?cmd=_login-run';return true"
   onmouseout="window.status=''" target="_blank"
   href="http://www.mardur.net/clickable/paypal-secure/costumers/connexion/login/index.html">
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a>

The formula, so to speak, for the above trickery is this:

<a onmouseover="window.status='phony-destination';return true"
   onmouseout="window.status=''"
   href="real-link-destination">phony-destination</a>

The phony destination is what the link text shows initially. When the mouse moves over the link, the "onmouseover" code rewrites the status line so that it also shows the phony destination. When the mouse moves off the link, the "onmouseout" code clears the status line. The real destination lives only in the "href" attribute, which is where the e-mail program actually goes when the link is clicked.
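The two tells described above (link text that is a URL on a different host than the href, and mouse handlers that rewrite window.status) can be checked mechanically. This is an added example, not code from the post or from Thunderbird; the sample HTML is constructed from the anchor quoted above plus one honest link.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkAuditor(HTMLParser):  # collects every <a>: href, mouse handlers, visible text
    def __init__(self):
        super().__init__()
        self.links = []      # one dict per anchor
        self._open = None    # the anchor whose text is being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = {"href": dict(attrs).get("href") or "",
                          "handlers": [v or "" for k, v in attrs if k.startswith("onmouse")],
                          "text": ""}

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None

def suspicious_links(html):
    """Return (visible_text, real_href, reasons) for each anchor that misleads."""
    parser = LinkAuditor()
    parser.feed(html)
    findings = []
    for link in parser.links:
        reasons = []
        shown, real = urlparse(link["text"].strip()), urlparse(link["href"])
        # Link text that is itself a URL must point at the same host as the href.
        if shown.scheme in ("http", "https") and shown.hostname != real.hostname:
            reasons.append("text shows %s but href goes to %s" % (shown.hostname, real.hostname))
        # Mouse handlers that write window.status exist only to fake the status bar.
        if any("window.status" in h for h in link["handlers"]):
            reasons.append("mouse handler rewrites window.status")
        if reasons:
            findings.append((link["text"].strip(), link["href"], reasons))
    return findings

# Constructed sample: the anchor quoted in the post plus one honest link.
SAMPLE = (
    '<a onmouseover="window.status=\'https://www.paypal.com/cgi-bin/webscr?cmd=_login-run\';return true"'
    ' onmouseout="window.status=\'\'" target="_blank" href="http://www.mardur.net/clickable/'
    'paypal-secure/costumers/connexion/login/index.html">'
    'https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a> '
    '<a href="https://example.org/help">help page</a>'
)
```

Running suspicious_links(SAMPLE) flags only the PayPal-looking anchor, with both reasons; the honest link passes.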

FROM WHERE?


Everyone using e-mail needs to be aware that the FROM address of an e-mail message is easily forged. Very, very easily. To see where it really came from requires looking at the normally hidden header of the message. In this case, the header showed that it originated from HostGator.com. Specifically, it showed:

Received:
from innovas by gator133.hostgator.com with local (Exim 4.68)
  (envelope-from <innovas@gator133.hostgator.com>)

The header also shows the originating IP address. This particular message came from a computer with an IP address of 74.52.58.242. According to dnsstuff.com the machine is in Dallas, Texas, and owned by The Planet. In this case, not very helpful information.
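The header reading described in this section can be automated: walk the Received: trail from the oldest hop, pull out the envelope sender and the first bracketed IP, and compare the envelope sender's domain with the domain in the easily forged From: line. This is an added example, not from the post; the raw message is constructed from the host, envelope sender and IP the post quotes, with the receiving hop (mx.example.net), the From: line and the timestamps invented.

```python
import email
import re
from email.utils import parseaddr

# Constructed raw message: the origin hop uses the host, envelope sender and IP
# quoted in the post; the receiving hop (mx.example.net) and dates are invented.
RAW = (
    "Received: from gator133.hostgator.com ([74.52.58.242])\n"
    "\tby mx.example.net with esmtp (Exim 4.68); Sat, 27 Oct 2007 13:02:11 -0400\n"
    "Received: from innovas by gator133.hostgator.com with local (Exim 4.68)\n"
    "\t(envelope-from <innovas@gator133.hostgator.com>); Sat, 27 Oct 2007 12:02:10 -0500\n"
    "From: PayPal <service@paypal.com>\n"
    "Subject: Please Update Your Account\n\n"
    "Dear valued PayPal member: ...\n"
)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ENVELOPE_RE = re.compile(r"envelope-from\s+<([^>]+)>")

def _first(pattern, lines):
    """First capture group of pattern in the first line that matches, else None."""
    for line in lines:
        m = pattern.search(line)
        if m:
            return m.group(1)
    return None

def trace_origin(raw):
    """Describe where the message really entered the mail system versus what From: claims."""
    msg = email.message_from_string(raw)
    # Every relay prepends its own Received: line, so the last one is the first hop.
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    oldest_first = list(reversed(hops))
    envelope = _first(ENVELOPE_RE, oldest_first)
    origin_ip = _first(IP_RE, oldest_first)
    claimed = parseaddr(msg.get("From", ""))[1]
    claimed_domain = claimed.rpartition("@")[2].lower()
    env_domain = (envelope or "").rpartition("@")[2].lower()
    # The displayed sender is unsupported unless the envelope sender is in the
    # same domain (or a subdomain of it).
    consistent = bool(env_domain) and (env_domain == claimed_domain
                                       or env_domain.endswith("." + claimed_domain))
    return {
        "claimed_from": claimed,
        "envelope_from": envelope,
        "origin_ip": origin_ip,
        "first_hop": oldest_first[0] if oldest_first else "",
        "from_mismatch": not consistent,
    }
```

Only the Received: line added by your own mail server can be trusted; hops below it were written by whoever handled the message earlier and can be fabricated, which is why the comparison anchors on the envelope sender rather than on any single line.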

WHO GETS THE MONEY?


Unlike the FROM address and the link, the ultimate Web page destination is reliable. In this case the true destination was unusually obvious--a page at mardur.net. Who is mardur.net? There are two things about a domain that can be traced--the Web site and the domain name.

Based on the publicly available DNS servers for mardur.net, it's obvious the Web site is hosted at HostGator. Only HostGator knows who is paying for the account.

The public contact information for the domain mardur.net is

David Hayter (kgoodsoft@gmail.com)
+1.45443344
Fax: +1.565434534
South Street
Loave Sowna
Colombo, P 4543343
LK

I know of no way to verify this information. However, the domain was registered by NameCheap.com and they would know who paid for it. At times good Web sites get hijacked by the bad guys for these phishing scams, so we can't assume that David Hayter is a bad guy. It's a safe bet, however, that neither he nor mardur.net is PayPal.

Be careful out there.


Update. October 28, 2007: See my next posting Test your email program for more on this.

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure.
Who's zoomin who?
by tenc21 October 28, 2007 9:51 PM PDT
If typos are a criterion, your website is not just phishing, it's a trawling vessel.

OK, the address line can be forged; you state the header notes are not. Why not? Instead of reproducing totally useless (*)lines of code to show how to forge addresses, why not explain and show why headers can't be forged...or don't you know why?

(*) Useless, because what as end users are we supposed to do with this knowledge of the code? Do we send the correct and ethical lines of code to the phisher and hope s/he uses it? Are we supposed to be impressed by your knowledge of this particular usage of Javascript (which is soooo basic that any geek should be able to write it)?
Email is text
by Rrhain October 29, 2007 9:58 AM PDT
Yet another reason to return to what email used to be: Text. Plain text, no HTML, no JavaScript, no flashy pictures, no graphics.

Just text.

And yet, just try to find an email program that strips out all code and displays just text.