Why are people sending me Phishing messages?
Your usernames and passwords have value. The value of banking credentials is obvious: they want your money. The value of other credentials, such as your UTORid, your Facebook identity or others, rests in the ability to gain access to resources that would otherwise be prohibited. There is a market in UTORid credentials for the purpose, amongst others, of accessing library materials. Access to your Facebook page gives people power over your reputation.
PCS Policies about Passwords
PCS members will not ask for your password via email, except after exhausting other options and only after having conversed with you about the issue ahead of time. You absolutely will not receive an out-of-the-blue request for your password. If you have specifically requested that we send a password, we may, after due consideration of the security implications, and after attempting to find another alternative, send a password through email.
If, by the time that you receive your password via email, you are not at least a bit pissed off with members of PCS trying to convince you that it is a bad idea, something is terribly wrong. (Actually, something is already wrong: we sent you the password by email.)
Detection Steps
Initial Checks
- Is this message part of an ongoing conversation with the sending party? The fact that the note comes from out of the blue should always be a big red flag if it is requesting security-related information.
- Are you explicitly named in the recipient list? (For example, you may see "undisclosed recipients" in the To: header field.) If you are not explicitly mentioned, is there an obvious good reason for that? Any genuine correspondent with need of security information ought to have a relationship with you that includes knowledge of your name, and should not need the cover of undisclosed recipients.
- Does the sender information look consistent and reasonable? Why would "Debra Smith" be sending from an email address of a3423876sg@hotmail.com?
- Is it offering you something for free? There is something about the word free (as in no cost) that turns the human brain into mush. Don't go there. If it doesn't cost something to you, then you are the product being sold to someone else.
- Are they asking you to run a program or unzip a zip archive? Very few emails have good cause to be accompanied by programs. Do not open it unless you know:
  - Who the sender is,
  - What the program is for -- not just what the sender says it is for,
  - That the program is an expected delivery or a natural part of an ongoing correspondence.
- Does the message address itself to you personally in a way that displays knowledge beyond your name? It is easy to say "Hi John!". It is much harder to refer to:
  - your specific job role,
  - the outstanding service issue that you have with {PCS, Rogers, Bell, ...},
Looking Under the Hood
The best way to check for phishing activity is to look at the raw message. How one does this depends on the mail reader that you are using, and we cannot address them all. We officially support Mozilla Thunderbird and the Physics Webmail systems, so we will provide specific instructions for both. Apple Mail and Microsoft Outlook will be discussed because they are also common in the local environment.
If you are already looking at a message, you can do the following to look at the raw text behind it:
Mozilla Thunderbird
Hold down the Control key and U (Ctrl + U)
Physics Webmail
Go to the bottom of the message area and click on the Message Source link.
Apple Mail
Cmd + Option + U
At this point you should be looking at the raw text behind the message, the beginning of which should resemble the following:
Return-Path: <bulletin@utoronto.ca>
X-Original-To: bworth@physics.utoronto.ca
Delivered-To: bworth@physics.utoronto.ca
Received: by helios.physics.utoronto.ca (Postfix, from userid 57)
id DA0954C2C8; Tue, 22 Nov 2011 03:15:25 -0500 (EST)
Received: from bureau4.utcc.utoronto.ca (bureau4.utcc.utoronto.ca [128.100.132.14])
by helios.physics.utoronto.ca (Postfix) with ESMTP id 0F9434C2C8
for <bworth@physics.utoronto.ca>; Tue, 22 Nov 2011 03:15:25 -0500 (EST)
Received: from dws-prod.dua.utoronto.ca ([142.150.60.34]:2370 "EHLO
utoronto.ca" rhost-flags-OK-OK-OK-FAIL) by bureau4.utcc.utoronto.ca
with ESMTP id S760660Ab1KVHJU (ORCPT
<rfc822;bworth@physics.utoronto.ca>); Tue, 22 Nov 2011 02:09:20 -0500
Reply-To: bulletin@utoronto.ca
From: "bulletin@utoronto.ca" <bulletin@utoronto.ca>
To: "Steven T. Butterworth" <bworth@physics.utoronto.ca>
Message-ID: <08293955da0746bfaf040cb5db5b999e@utoronto.ca>
Date: Tue, 22 Nov 2011 02:09:20 -0500
Subject: Bulletin | Remembering Dr. Fraser Mustard
While all of the fields can be useful, the one that is least vulnerable to forging is the Received field, of which there will be at least one but may be more. The most important one is the last, which is actually the first one written in the message's travels. Only the Received lines added by servers you trust (your own mail server and the ones upstream of it) are reliable; a sender can insert fabricated Received lines of its own below them, so read the chain from the top down and stop trusting it once you pass the last server you know. Notice that in the message above the message originated from dws-prod.dua.utoronto.ca ([142.150.60.34]:2370). For a message that purports to come from the University of Toronto, that makes sense.
Analysis of Specific Phishing Message Samples
A Message from The Physics Support Team
The first message has serious tell-tales before we look under the hood:
- message from generic account (webmaster@physics.utoronto.ca)
- name is wrong and grabbed from a role account (but this could have been correct under other circumstances)
- PCS never refers to itself as The Physics Support Team
However, the decisive data is visible as soon as we look at the raw source:
Return-Path: <webmaster@physics.utoronto.ca>
X-Original-To: sales@physics.utoronto.ca
Delivered-To: root@physics.utoronto.ca
Received: by helios-store.physics.utoronto.ca (Postfix, from userid 57)
id E16F49A2F3; Tue, 14 Jun 2005 04:56:16 -0400 (EDT)
Received: from physics.utoronto.ca (ip248.flip1.remote.ne.jp [206.3.23.248])
by helios-store.physics.utoronto.ca (Postfix) with ESMTP id 796E49A2CC
for <sales@physics.utoronto.ca>; Tue, 14 Jun 2005 04:56:12 -0400 (EDT)
From: webmaster@physics.utoronto.ca
To: sales@physics.utoronto.ca
Subject: YOUR PASSWORD HAS BEEN SUCCESSFULLY UPDATED
Date: Tue, 14 Jun 2005 17:51:48 +0900
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0007_C20CD243.5A56F885"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20050614085612.796E49A2CC@helios-store.physics.utoronto.ca>
X-Bogosity: Unsure, tests=bogofilter, spamicity=0.500064, version=0.92.4
This is a multi-part message in MIME format.
------=_NextPart_000_0007_C20CD243.5A56F885
Content-Type: text/html;
charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
<html>
<body>
<BR><STRONG>Dear user sales, </STRONG><BR>
<BR>You have successfully updated the password of your Physics account.<BR>
<BR>If you did not authorize this change or if you need assistance with your
account, please contact Physics customer service at: webmaster@physics.utoronto.ca<BR>
<BR>Thank you for using Physics!
<BR>The Physics Support Team <BR>
<BR><BR><BR><BR><BR>
<BR>+++ Attachment: No Virus (Clean)
<BR>+++ Physics Antivirus - www.physics.utoronto.ca
</body>
</html>
------=_NextPart_000_0007_C20CD243.5A56F885
Content-Type: application/octet-stream;
name="account-password.zip.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="account-password.zip.txt"
UEsDBAoAAAAAAHhGzjLK0cCUSXsAAEl7AABeAAAAYWNjb3VudC1wYXNzd29yZC50eHQgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgLnBpZk1aS0VSTkVMMzIuRExMAABMb2FkTGlicmFyeUEAAAAAR2V0UHJvY0FkZHJlc3MA
AFVwYWNrQnlEd2luZ0AAAABQRQAATAECAAAAAAAAAAAAAAAAAOAADwELAQAnAOAAAADwAAAAAAAA
zHYCAAAQAAAA8AAAAABAAAAQAAAAAgAABAAAAAAAAAAEAAAAAAAAAADwAgAAAgAAAAAAAAIAAAAA
ABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAACF5AgAoAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5VcGFjawAAAPABAAAQAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAOAAAOAucnNyYwAAAADwAAAAAAIASXkAAAACAAAAAAAAAAAAAAAAAADg
AADgTHlCAAcAAAAAAEIAAAAAAP////8BAAAAAQAAAAEAAAABAAAAAAQAAAAQQACbeEIA53hCAOp4
QgD4eEIA03hCAHwHAADECwAA/A9AAD94QgBBeEIA4nZCAFvxQQD5AwAAHXlCAP/fQQAzeEIAAAAA
The critical section is the second (chronologically first) Received record:
Received: from physics.utoronto.ca (ip248.flip1.remote.ne.jp [206.3.23.248])
by helios-store.physics.utoronto.ca (Postfix) with ESMTP id 796E49A2CC
for <sales@physics.utoronto.ca>; Tue, 14 Jun 2005 04:56:12 -0400 (EDT)
Notice that the sender is actually an address in Japan (ip248.flip1.remote.ne.jp), even though it announced itself as physics.utoronto.ca. While it is not impossible for a legitimate message from the Physics Department to originate in Japan, it is highly unlikely, especially if you have seen the sender in person in the last 24 hours.
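The checks described above (the originating Received hop, the announced name versus the reverse DNS the receiving server recorded, and the program disguised inside the attachment) can be automated over raw message source. The following is an added example, not a tool from PCS or from the page; the function names (triage, originating_hop, zip_member_name and the rest) and the regular expression for the "from host (rdns [ip])" form are assumptions of this example, and the two sample messages are constructed from the header and body excerpts shown on the page, trimmed, with a closing MIME boundary added so the parser sees a complete message.

```python
# Added example (not from the PCS page): triage a raw message the way the text
# describes -- find the originating Received hop, compare the announced HELO
# name with the reverse DNS the receiving server recorded, and look inside any
# attachment for a disguised program name.
import email
import re
import struct

# "from <helo> (<rdns> [<ip>]" -- also matches the "([<ip>]:port" form seen above
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\(([^\s\[\]]*)\s*\[([\d.]+)\]")
EXEC_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs", "js"}

def base_domain(host, labels=2):
    """Last two labels of a hostname: 'ip248.flip1.remote.ne.jp' -> 'ne.jp'."""
    return ".".join(host.lower().rstrip(".").split(".")[-labels:])

def originating_hop(msg):
    """(helo, rdns, ip) from the last Received header, i.e. the first hop
    written; rdns is None when the server recorded only the IP."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_FROM.search(" ".join(str(received[-1]).split()))  # unfold
    if not m:
        return None
    helo, rdns, ip = m.groups()
    return helo, rdns or None, ip

def helo_mismatch(hop):
    """True when the announced name and the reverse DNS disagree on domain."""
    helo, rdns, _ip = hop
    return rdns is not None and base_domain(helo) != base_domain(rdns)

def executable_ext(name):
    """Real extension of a filename if it is a program type, else None."""
    ext = name.strip().rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext if ext in EXEC_EXTS else None

def zip_member_name(blob):
    """First member name from a zip local file header (PK\\x03\\x04; name
    length at offset 26, name at offset 30), or None if blob is not a zip."""
    if not blob.startswith(b"PK\x03\x04") or len(blob) < 30:
        return None
    name_len = struct.unpack_from("<H", blob, 26)[0]
    return blob[30:30 + name_len].decode("latin-1", "replace")

def triage(raw):
    """Structured findings for one raw message source."""
    msg = email.message_from_string(raw)
    hop = originating_hop(msg)
    report = {"origin": hop, "helo_mismatch": helo_mismatch(hop) if hop else None,
              "attachments": []}
    for part in msg.walk():
        declared = part.get_filename()
        if not declared:
            continue
        member = zip_member_name(part.get_payload(decode=True) or b"")
        report["attachments"].append({
            "declared": declared,
            "is_zip": member is not None,
            "member": member,
            "hidden_ext": executable_ext(member or declared),
            "padding": member.count(" ") if member else 0,  # spaces hiding the real extension
        })
    return report

# Constructed from the page's legitimate bulletin, trimmed to the originating hop.
BULLETIN = """\
Received: from dws-prod.dua.utoronto.ca ([142.150.60.34]:2370 "EHLO
    utoronto.ca" rhost-flags-OK-OK-OK-FAIL) by bureau4.utcc.utoronto.ca
    with ESMTP id S760660Ab1KVHJU (ORCPT
    <rfc822;bworth@physics.utoronto.ca>); Tue, 22 Nov 2011 02:09:20 -0500
From: "bulletin@utoronto.ca" <bulletin@utoronto.ca>
To: "Steven T. Butterworth" <bworth@physics.utoronto.ca>
Subject: Bulletin | Remembering Dr. Fraser Mustard

(body omitted)
"""

# Constructed from the page's phishing sample; only the first three base64
# lines are kept (enough for the zip local header) and a closing boundary added.
PHISH = """\
Received: by helios-store.physics.utoronto.ca (Postfix, from userid 57)
    id E16F49A2F3; Tue, 14 Jun 2005 04:56:16 -0400 (EDT)
Received: from physics.utoronto.ca (ip248.flip1.remote.ne.jp [206.3.23.248])
    by helios-store.physics.utoronto.ca (Postfix) with ESMTP id 796E49A2CC
    for <sales@physics.utoronto.ca>; Tue, 14 Jun 2005 04:56:12 -0400 (EDT)
From: webmaster@physics.utoronto.ca
To: sales@physics.utoronto.ca
Subject: YOUR PASSWORD HAS BEEN SUCCESSFULLY UPDATED
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0007_C20CD243.5A56F885"

------=_NextPart_000_0007_C20CD243.5A56F885
Content-Type: application/octet-stream; name="account-password.zip.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="account-password.zip.txt"

UEsDBAoAAAAAAHhGzjLK0cCUSXsAAEl7AABeAAAAYWNjb3VudC1wYXNzd29yZC50eHQgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgLnBpZk1aS0VSTkVMMzIuRExMAABMb2FkTGlicmFyeUEAAAAAR2V0UHJvY0FkZHJlc3MA
------=_NextPart_000_0007_C20CD243.5A56F885--
"""
```

Running triage(PHISH) reports the originating hop as physics.utoronto.ca announced by a host whose reverse DNS is ip248.flip1.remote.ne.jp, flags the domain mismatch, and shows that the "account-password.zip.txt" attachment is really a zip archive whose single member is named "account-password.txt" followed by 70 spaces and ".pif", so that a file listing shows only the harmless-looking text name. triage(BULLETIN) reports the utoronto.ca origin with no mismatch and no attachments. The regular expression only covers the two Received forms shown on the page; other mail servers write that line differently, so extend it before relying on it in bulk.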