Sunday, July 01, 2007
Scary phishing attempt...beware!
I'm an evangelist about the danger of e-mail spam and phishing attempts crafted to lure you to click on links in an e-mail (I'm always warning my wife not to click on e-mail links), but this one had me doing a double-take. My family and friends send me e-cards from time-to-time, and although I feel that e-cards are by and large as annoying as spam, I appreciate the sentiment (and will often go to the e-card link). I received this e-mail the other day telling me "you received a postcard from a family member", and without thinking I opened the e-mail. Fortunately, there were several suspicious clues that jumped out at me before I clicked on anything, but by and large the message was pretty well crafted (netfuncards.com is a real e-card service). Read on to learn more about this clever phish...
See the mail details below...I removed all the IP addresses in the URLs (i.e. 10.34.121.10 for example) so no chance of anyone accidentally going there:
FROM: netfuncards.com [firstname.lastname@example.org]
Your family member has sent you an ecard from netfuncards.com.
Send free ecards from netfuncards.com with your choice of colors, words and music.
Your ecard will be available with us for the next 30 days. If you wish to keep the ecard longer, you may save it on your computer or take a print.
To view your ecard, choose from any of the following options:
Click on the following Internet address or copy & paste it into your browser's address box.
Copy & paste the ecard number in the "View Your Card" box at http://IPADDR/
Your ecard number is
The first thing that jumped out at me (and you too, probably) is there is no name included of who in my family sent the card. The second thing that should alert you is that the email address is not even in the same domain as netfuncards.com (iland.net), which is unusual. Then, there's the fact that a FQDN (like netfuncards.com) is not used in the links to my card. No respected web-service on the Internet would typically use anything but an FQDN in such e-mails. After some forensic investigation of the supposed e-card hotlinks themselves, I found that they were actually registered to some cable provider in the Netherlands (netfuncards is D.C. based). Other users online who have posted warnings on this same phish say the actual web-sites try to coax you to download or install an "Outlook plug-in". Finally I visited the real netfuncards.com site and cut/pasted my "e-card number" into the required field as instructed and of course could find no e-card. Busted! Remember, if someone you know, or a site you can verify sends you a link, it pays to still be suspicious. When something appears out of the blue unsolicited, look it up online. Perform a Google search of the subject line text, and read what other users may have posted on it. Chances are the first page results will reveal if it's a scam. Never visit a link directly from an e-mail. Go to the site's main page and try navigating through the real website instead of clicking through from the e-mail. It just might save you from a virus or worse. I'm pretty good about this stuff and admit to being a tad paranoid, but this one came pretty close to fooling me at first.
Posted by Natestera