Explanation of the Typical Phishing Scam
The Delivery Mechanism
I just received an email this morning, purportedly from Apple, alerting me to changes in my Apple ID. The subject line was a generic "Account Info Change" warning, and the body of the message was heavily laden with links to various phoney apple.com sites. Please keep in mind that a link can claim to point anywhere without actually taking you to that location.
All is Not as it Seems
Take for instance the link that follows. It looks as though it's taking you to bing.com, but click on it and see where you end up (don't worry; it's safe for work). Now, this was a completely harmless example: you see a teaser video for some fun training. Put this tool in the hands of someone much more nefarious than me and this link (or the appleid.apple.com link that was in the phishing email I received) can take you to a website that looks like a valid Apple website. You'll be prompted to enter your login ID and password for your Apple account, and then the shadowy figure who controls that site somewhere in Eastern Europe has access to your credit card and everything else stored in the account until you figure out you've been screwed by your ignorance.
This happens because the HTML behind a link lets the author display whatever text they want and then send you to a website that has absolutely nothing to do with the text that's displayed. You can also add a tooltip (the title attribute) to reinforce the scam. For instance, the following code:
<a title="Claim your free 5lb. Bacon Roast!" href="http://sqlcruise.com/get/training/">free_bacon.com/offers</a>
Looks like this: free_bacon.com/offers.
Let's dissect the code at a high level. What it does is:
- Display a tooltip telling you your 5 lbs of bacon are waiting for you, via the title attribute.
- Send you to the website that shows the current training offered on my next SQL Cruises for 2013, via the href attribute.
- Attach the link to the visible text free_bacon.com/offers, which is all the reader sees on the page.
At no point is there any bacon, free or otherwise. I'm deeply sorry. Once a fake web page is set up to collect user IDs and passwords, a link can be pointed to it and the bad guys start collecting free data; in the 21st century free data usually leads to free money. In this case it's free money at your expense.
This practice is employed to coax you into fixing fake issues with your online bank accounts, credit card accounts, online shopping accounts and so forth. Don’t fall for it.
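The mismatch described above (visible text or tooltip naming one site, href pointing at another) is mechanical enough to check automatically. The following is an added example, not code from the original post: it scans an HTML fragment for anchors and flags any whose displayed destination and real destination belong to different registrable domains. The sample HTML is constructed for the example; the lookalike host under example.net is a placeholder, not a real phishing site.

```javascript
// Added example, not from the original post: audit the anchors in an HTML
// fragment and flag links whose visible text (or tooltip) names one site
// while the href actually points at another. Runs under Node.js (uses the
// WHATWG URL class; no DOM needed).

// Registrable-domain heuristic: keep the last two labels ("id.apple.com" ->
// "apple.com"). Real tooling should consult the Public Suffix List, since
// names like "example.co.uk" would be mishandled here.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  return labels.slice(-2).join(".");
}

// Does the displayed text look like a URL or bare domain ("apple.com/support")?
function looksLikeUrl(text) {
  return /^(?:[a-z][a-z0-9+.-]*:\/\/)?[^\s\/]+\.[^\s\/]{2,}/i.test(text.trim());
}

// Hostname of a URL or bare domain, or null if it does not parse.
function hostOf(text) {
  const t = text.trim();
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(t) ? t : "http://" + t;
  try {
    return new URL(withScheme).hostname;
  } catch {
    return null;
  }
}

// Pull a double-quoted attribute value out of an anchor's attribute string.
function attribute(attrs, name) {
  const m = new RegExp(name + '\\s*=\\s*"([^"]*)"', "i").exec(attrs);
  return m ? m[1] : "";
}

// Returns one record per <a> element in the fragment.
function auditLinks(html) {
  const results = [];
  const anchor = /<a\b([^>]*)>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = anchor.exec(html)) !== null) {
    const href = attribute(m[1], "href");
    const title = attribute(m[1], "title");
    const text = m[2].replace(/<[^>]+>/g, "").trim();
    const hrefHost = hostOf(href);
    // The "claim" is whatever site the reader is led to believe they will
    // visit: the visible text first, the tooltip if the text is not URL-like.
    const claim = looksLikeUrl(text) ? text : looksLikeUrl(title) ? title : null;
    const claimedHost = claim ? hostOf(claim) : null;
    const suspicious =
      hrefHost !== null &&
      claimedHost !== null &&
      registrableDomain(hrefHost) !== registrableDomain(claimedHost);
    results.push({ href, text, title, hrefHost, claimedHost, suspicious });
  }
  return results;
}

// Constructed sample: the post's bacon link, a lookalike host (example.net is
// a placeholder), a genuine same-site link, and a link with non-URL text.
const SAMPLE_HTML = `
<p><a title="Claim your free 5lb. Bacon Roast!" href="http://sqlcruise.com/get/training/">free_bacon.com/offers</a></p>
<p><a href="https://appleid.apple.com.example.net/verify">https://appleid.apple.com/</a></p>
<p><a href="https://www.apple.com/support/">apple.com/support</a></p>
<p><a href="https://www.bing.com/">click here to search</a></p>
`;

for (const r of auditLinks(SAMPLE_HTML)) {
  console.log(`${r.suspicious ? "SUSPICIOUS" : "ok        "} text="${r.text}" -> ${r.href}`);
}
```

Note what the lookalike case shows: appleid.apple.com.example.net starts with the genuine host name, and a reader who only glances at the start of the tooltip or status bar will see "appleid.apple.com". Comparing the right-hand end of the host (the registrable domain) is what exposes it.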
If it Walks Like a Duck and Looks Like a Duck it May be a Platypus
So what triggered me to not click any of the links? I must say for a second I was concerned about someone hacking into my Apple account and stealing all my Apple-y goodness, including my credit card info. However, always, ALWAYS check the sender of the email; in this case it was appleid@id.apple.com, which did not look to me like the apple.com addresses I was used to. Be careful with that line of reasoning, though: id.apple.com is a subdomain of apple.com, so if it were genuine it would be Apple's own, and in any case the From address in an email can be forged outright, so a plausible-looking sender proves nothing on its own. What the sender cannot disguise is where the links actually go. Hover over each link (or view the message source) and compare the real destination to the one the text claims; if they don't match, you have your answer.
If You Remember Only One Thing from This Post
If you ever receive an email such as this, Apple Insider recommends the same thing I do: as a precautionary measure, users should remember not to click directly on links from email messages and instead navigate to the website in question on their own.
Author’s Note
Written for my mom and everyone else’s parents to save us from hours of free technical support calls. 😉
[…] Tim Ford explains a phishing scam. His explanation really concerns standard phishing and not spearphishing, in which you try to gather as much information about the victim as possible before deploying your payload. […]