Anatomy of a Phish


I received an email recently from a client, or at least, from his email account. The account had been hacked and was being used to send phishing emails. Phishing is when attackers spoof popular login pages to get their victims to enter their username and passwords. Instead of being logged in, their details are saved to be used in further attacks/sending spam/fraud.

In the email, the attacker claimed that the link led to a Google Docs spreadcheet and used html to hide the address but it appeared in the notification area at bottom left (see image below). The page was on a Portuguese local council website which had also been hacked in order to host the offending page.

Thunderbird Inbox

Curious as ever, I followed the link, arriving here:

Phish Site Screenshot

Clicking on each logo brought up a generic, grey form asking for username and password. I chose not to but instead took a look at the page source where I found references to a website called isolatedcano(dot)com which is a parked domain. On further inspection, I found that the owner of isolatedcano uses a privacy protection service provided by Moniker Privacy Services, based in Florida, US. Unfortunately there is little that individual’s can do against the numerous phishing sites beyond reporting them as web forgeries. In this case, Firefox soon marked the page as potentially malicious, as can be seen in the following image:

Firefox Forgery Warning

Many more will pop up however. The major defence is vigilance and a healthy dose of paranoia.