Thursday, March 8, 2012

Let's talk about phishing!

Phishing is an attempt to trick a person into handing over personal information by impersonating someone they trust; it is one form of social engineering. The offline version is me calling you up, claiming to be from your bank, and asking harmless-sounding questions until you give up your PIN. That is a real world example. Online, it tends to look like this:

I got this email this afternoon.

Now, it may or may not be obvious, but that is definitely a phishing email. Firstly, I don't have a Citibank account. Secondly, why would Citibank send me to a site that has nothing to do with citi.com? Thirdly, it was sent to "undisclosed recipients": a bank writing to a customer about that customer's account addresses the customer by name, not a hidden bulk list.

Let's take a look at the page. It's ok: in this case they aren't installing anything and most of the buttons don't work. (If you want to poke at a page like this yourself, do it from a throwaway virtual machine or a sandboxed browser, and never type anything into the form.)
It's ok to click
If you click around, the only areas that actually do anything are where the user would sign in. Click on "Ingresar en español" (Spanish for "sign in in Spanish") and you end up on a page that isn't even on the server this page is hosted on. Also, the whole top of the page is a single image rather than real navigation, which is why none of it is clickable. Here, look.
Here is the top of the page

Also, if you go to Citibank's actual site, it looks a little more polished than this copy.
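The three tells above (bulk "undisclosed recipients" addressing, a claimed brand, and links that go somewhere that brand does not own) are all things a script can pull straight out of the raw message. The example below is added here and is not code from the original post; the email it parses is constructed for the example (the lure's wording, the link paths and the second, off-site host are assumptions, only the hostname exitaudiovisuales.com comes from the post), and the list of domains Citibank legitimately links to is likewise an assumption.

```python
"""Extract the phishing indicators the post checks by eye from a raw email:
who it was sent to, which domain the sender claims, and where the links go.

Added example, not from the original post. SAMPLE_EMAIL is CONSTRUCTED;
only the host exitaudiovisuales.com is taken from the post.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a Citibank-branded lure whose sign-in links go elsewhere.
SAMPLE_EMAIL = """\
From: "Citibank Online" <alerts@citibank.com>
To: undisclosed-recipients:;
Subject: Your account access has been limited
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://exitaudiovisuales.com/citi/login.html">sign in</a>
to restore access.</p>
<p><a href="http://example.net/citi/es/login.html">Ingresar en espa&ntilde;ol</a></p>
<p>Questions? Visit <a href="https://www.citi.com/help">citi.com</a></p>
</body></html>
"""

# Domains a genuine Citibank message would link to (assumption for this example).
BRAND_DOMAINS = {"citi.com", "citibank.com"}


class LinkCollector(HTMLParser):
    """Collect every href target from an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def registrable_domain(host):
    """Crude 'last two labels' registrable domain; fine for .com/.net.
    A real tool would use the Public Suffix List (think .co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def html_body(msg):
    """Return the first text/html part of the message, decoded to str."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def phishing_indicators(raw_email, brand_domains=BRAND_DOMAINS):
    """Return (indicator, detail) tuples: bulk addressing, a sender domain that
    is not the brand's, and links whose host is not the brand's."""
    msg = message_from_string(raw_email)
    findings = []

    to_header = (msg.get("To") or "").strip().lower()
    if "undisclosed" in to_header or to_header.endswith(":;"):
        findings.append(("bulk_recipients", to_header))

    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain and registrable_domain(sender_domain) not in brand_domains:
        findings.append(("sender_domain_off_brand", sender_domain))

    collector = LinkCollector()
    collector.feed(html_body(msg))
    for href in collector.hrefs:
        host = urlparse(href).hostname
        if host and registrable_domain(host) not in brand_domains:
            findings.append(("link_off_brand", href))
    return findings


if __name__ == "__main__":
    for kind, detail in phishing_indicators(SAMPLE_EMAIL):
        print(f"{kind:24s} {detail}")
```

Note that the From header is deliberately left looking legitimate in the sample: a forged sender address costs the phisher nothing, so the links are the stronger signal, and the sample's one genuine citi.com link is correctly left alone while both sign-in links are flagged.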

Now, we can look the domain up in WHOIS (who.is is one lookup service) by putting in exitaudiovisuales.com. Here is what we find.
Domain name: EXITAUDIOVISUALES.COM
     Created on: 1997-03-03
     Updated on: 2012-03-02
     Expires on: 2013-03-04
     Registrant Name: AUDIOVISUALES EXIT, SL
     Contact: Audiovisuales Exit, SL
     Registrant Address: Consell de cent, 77
     Registrant City: Barcelona
     Registrant Postal Code: 08015
     Registrant Country: ES
     Administrative Contact Organization: Audiovisuales Exit S.L
     Administrative Contact Name: Miguel Angel Leon Garcia null
     Administrative Contact Address: Consell de Cent 77
     Administrative Contact City: Barcelona
     Administrative Contact Postal Code: 08015
     Administrative Contact Country: ES
     Administrative Contact Email: @disvirtual.com
     Administrative Contact Tel: +34 932928330
     Technical Contact Organization: Juan Poblet
     Technical Contact Name:
     Technical Contact Address: Balmes 229
     Technical Contact City: arcelona
     Technical Contact Postal Code: 0800
     Technical Contact Country: null
     Technical Contact Email: @disvirtual.com


So, what does this mean? The registrant is a company in Barcelona, Spain (country code ES), not Brazil, and the domain has been registered since 1997. That is the profile of a legitimate business website that has most likely been compromised and is being used to host a Citibank credential-harvesting page, not of a domain the phisher registered for the job.

Now, the arrests over the last few months of hacker cells associated with 4chan.org's Anonymous, and the Twitter feeds of a Brazilian counterpart, Havittaja, show a lot of Brazilian activity, but nothing in this record points there, and WHOIS on a compromised host tells you who owns the site, not who broke into it. What the record does confirm is that this page is not Citibank's. It exists so that whoever set it up can collect the credentials you type in and use them to get into your account.
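Reading a WHOIS record for triage comes down to two questions: who the registrant is, and how old the domain is relative to the lure. The example below is added here (it is not the post's own code); the record text is abridged from the record printed above, the date the email was seen is the post's date, and the age thresholds used to label the host are this example's own assumption, not a standard.

```python
"""Parse a flat 'Key: value' WHOIS record and pull out what matters for triage.

Added example, not from the original post. WHOIS_RECORD is abridged from the
record shown in the post; the verdict thresholds are an assumption.
"""
from datetime import date

WHOIS_RECORD = """\
Domain name: EXITAUDIOVISUALES.COM
     Created on: 1997-03-03
     Updated on: 2012-03-02
     Expires on: 2013-03-04
     Registrant Name: AUDIOVISUALES EXIT, SL
     Registrant City: Barcelona
     Registrant Country: ES
     Administrative Contact Country: ES
     Technical Contact Country: null
"""


def parse_whois(text):
    """Turn 'Key: value' lines into a dict keyed by lower-cased field name.
    Repeated keys keep the first value; the literal 'null' some registrars
    emit for unset fields becomes None."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if value.lower() in ("", "null"):
            value = None
        fields.setdefault(key, value)
    return fields


def triage(record_text, seen_on):
    """Summarise what the record does (and does not) say about a phishing host.

    Assumption for this example: a domain registered well before the lure,
    with a named company as registrant, is far more likely a compromised
    legitimate site than an attacker-owned one. WHOIS then identifies the
    victim host, not the phisher."""
    f = parse_whois(record_text)
    created = date.fromisoformat(f["created on"])
    age_days = (seen_on - created).days
    country = f.get("registrant country") or f.get("administrative contact country")

    if age_days > 365 and f.get("registrant name"):
        verdict = "likely compromised legitimate site"
    elif age_days < 30:
        verdict = "recently registered, possibly attacker-owned"
    else:
        verdict = "inconclusive"

    return {
        "domain": f["domain name"].lower(),
        "registrant_country": country,
        "age_days": age_days,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(WHOIS_RECORD, date(2012, 3, 8)).items():
        print(f"{key:20s} {value}")
```

Run against the record from the post on the day the email arrived, this reports a Spanish registrant and a domain roughly fifteen years old, which is why the right follow-up is to notify the site owner and the bank, not to treat the registrant as the attacker.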

Why does this matter? Why did I break down the information? Why did I go through so many steps if I knew it was phishing from the get go?

To educate. We see on Facebook, all the time, people screaming that they got hacked, or someone saying they hacked another person by using an account its owner left logged in when they left the room. This isn't hacking. This is social engineering and, in the latter case, abusing the trust of someone you know. Now you know, and knowing is half the battle.