Don't Get Spoofed

As published in Plug In, June 2004, by Peter Lavin

Introduction

Opening my e-mail, my eye was naturally drawn to the high-priority notice from PayPal. PayPal is a service I use for receiving or sending payments online. Ever the optimist, I anticipated that it was a notification of receipt of payment into my account, preferably a large one. After reading a few lines I realized that something was not quite right and in fact, that someone was trying to spoof me.

Spoofing is sometimes referred to as “phishing” and generally takes the form of an imitation web page used to induce you to divulge your username and password. In this particular instance, an e-mail that seemed to originate with PayPal was sent. This e-mail contained a link to a website that purported to be a secure PayPal site. Here a username and password were requested. Once given, this username and password would be used to steal money from my account.

In general usage the word spoof has a certain good-natured or humorous connotation. Not so online. The intent is identity theft in order to gain access to your money. The spoofer is out to deceive you. He is an online con man.

Spoofing is not a problem limited to PayPal. Any online account you have is susceptible. With this in mind, let’s examine a real case of how this confidence game works so that you can guard against it in any situation.

The E-mail

Find below a verbatim reproduction of the e-mail I received:

From: service@paypal.

Sent: March 4, 2004

Subject:Important Notice

Dear PayPal Costumer,

This email was sent automatically by the PayPal server in response to verify if you are the real owner of this account.

We have recently noticed that your account may be used for fraudulent/illegal things.

So, if you are the real owner of this account, please follow theses steps.

This is done for your protection --- only you, the recipient of this email can take the next step.

To Verify your Identify and access your account, follow these steps:

1. Click on the link below. If nothing happens when you click on the link (or if you use AOL), copy and paste the link into the address bar of your web browser.

https://www.paypal.com/row/fq/ac=AgIAbBPIcjuelmBjKIUwlKMK
w7HMs3LwMUegfxtf9qhF7LHAk1dN4c2qfhIN3UQpQ6v9Q7Hse5pWZA&t=pr


The link will take you to our Verify Your Identity page.

2. On the Verify Your Identity page, fill out the form, and click
Submit.

* IF YOU DON'T FOLLOW THESES INTRUCTIONS, YOUR PAYPAL ACCOUNT
WILL BE LIMITED.

Thank you for using PayPal!
The eBay Security Team

----------------------------------------------------------------
PROTECT YOUR PASSWORD

NEVER give your password to anyone and ONLY log in at
https://www.paypal.com/. Protect yourself against fraudulent websites by opening a new web browser (e.g. Internet Explorer or Netscape) and typing in the eBay URL every time you log in to your account.

----------------------------------------------------------------

Please do not reply to this e-mail. Mail sent to this address cannot be
answered. For assistance, log in to your PayPal account and choose the
"Help" link in the header of any page.

What tipped me off? Being a writer, I found that the misspelling of “customer” immediately raised alarm bells. Likewise, the first three sentences were very poorly constructed and contained grammatical errors. But this evidence is hardly conclusive, and bad grammar is not criminal, despite what your English teachers may have told you. As someone familiar with web and e-mail technology, I knew there were a couple of easy tests that would confirm or remove my suspicions.

The Link

Most e-mail client software offers you the choice of sending your e-mails in HTML or plain text format. The title bar of the message announced that this message had been sent as HTML – the format of web pages on the internet. While the link to the PayPal site looked legitimate enough, and the fact that it started with “https” (hypertext transfer protocol secure) seemed to indicate a secure server, a link can say anything and often says no more than “click here”.

The actual address to which you are linking is hidden in the HTML code. It is a simple matter to view the code of an internet page. Open your browser at any web page, right-click a blank area of the screen and choose “View Source Code” from the menu that appears. (What you see may not make a lot of sense, but we’ll indicate the one thing you need to know shortly.) Exactly the same capability is available if you are using Outlook as your e-mail client. Viewing the source code revealed the following:

<a href="http://69.56.218.114/~kodorzz/">
https://www.paypal.com/row/fq/ac=AgIAbBPIcjuelmBjKIUwlKMKw7HMs3LwMUegfxtf9qhF7LHAk1dN4c2qfhIN3UQpQ6v9Q7Hse5pWZA&amp;t=pr
</a>

Not very informative for the average e-mail user, but all you need to know is that the web address you are being taken to follows the words “href=”. You can see that the hidden link does not match what appears in the e-mail. Checking this is the single most important thing you can do to avoid being spoofed. Be aware that links can lie.
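To make the href-versus-link-text comparison mechanical, here is an added Python example (not code from the article) that pulls every anchor out of an HTML message body and flags links whose visible text names a different host than the real target. The sample body is constructed around the anchor quoted above, plus two made-up anchors: one that says only “click here” (nothing to compare, so only the real host is reported) and one whose text and target agree.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: the anchor quoted in the article plus two made-up
# anchors, one that says only "click here" and one whose text and target agree.
SAMPLE_HTML = """
<p>To verify your identity, click <a href="http://69.56.218.114/~kodorzz/">
https://www.paypal.com/row/fq/ac=AgIAbBPIcjuelmBjKIUwlKMKw7HMs3LwMUegfxtf9qhF7LHAk1dN4c2qfhIN3UQpQ6v9Q7Hse5pWZA&amp;t=pr
</a></p>
<p>Or <a href="http://69.56.218.114/~kodorzz/">click here</a>.</p>
<p>Help: <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
"""

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def host_of(text):
    """Lower-cased host if the string is an http(s) URL, else ""."""
    parsed = urlparse(text.strip())
    if parsed.scheme not in ("http", "https"):
        return ""
    return (parsed.hostname or "").lower()

def check_links(html_body):
    """One (verdict, real host, shown host or text) tuple per anchor."""
    collector = AnchorCollector()
    collector.feed(html_body)
    verdicts = []
    for href, text in collector.links:
        real, shown = host_of(href), host_of(text)
        if shown and shown != real:
            verdicts.append(("mismatch", real, shown))   # the link text lies
        elif not shown:
            verdicts.append(("opaque", real, text))      # nothing to compare
        else:
            verdicts.append(("consistent", real, shown))
    return verdicts
```

Run against the sample, the first anchor is reported as a mismatch between the shown host www.paypal.com and the real host 69.56.218.114, which is exactly the discrepancy the source view revealed.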

Origin of the E-mail

Not absolutely conclusive evidence yet, but there is also something we can do to verify the source of an e-mail. The “from” address in our e-mail says “service@paypal” and seems to indicate authenticity. But this is not a definitive indicator of where the e-mail originated. Fortunately, there is an easy way to check this. Again, if you are using Outlook, right-click any e-mail in your “Inbox” and a menu will pop up. Choose “Options” and you can see more information about the sender. What you should pay particular attention to is the second line starting with “Received”. In my spoof e-mail it looked like this:

Received: from relais.videotron.ca ([24.201.245.36])

Recognizing the word “relais” as French and the country code “ca” as Canada, I concluded that this e-mail originated in French Canada – not a likely source for an e-mail from an American-based company. A legitimate e-mail from PayPal shows the following information:

Received: from smtp1.nix.paypal.com ([64.4.240.74])

An e-mail from any major corporation will usually originate from a mail server (that’s what “smtp1” indicates) address that includes the corporate name. Just like links, the “from” line in an e-mail is sometimes less than truthful.
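As an added example, not part of the original article, the following Python parses the Received headers of a message and compares the originating relay’s hostname with the domain of the From: address. The two messages are constructed around the two Received lines quoted above, with every other header field made up; the verdict is only as trustworthy as the Received line added by your own mail server, since the sender controls the lines beneath it.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample messages built around the two Received lines quoted in the
# article; every other header field here is made up for illustration.
SPOOF = """\
Received: from mail.example.org (mail.example.org [192.0.2.10]) by mx.example.net
Received: from relais.videotron.ca ([24.201.245.36]) by mail.example.org
From: service@paypal.com

body
"""
LEGIT = """\
Received: from mail.example.org (mail.example.org [192.0.2.10]) by mx.example.net
Received: from smtp1.nix.paypal.com ([64.4.240.74]) by mail.example.org
From: service@paypal.com

body
"""

FROM_HOST = re.compile(r"^from\s+([^\s()\[\]]+)", re.IGNORECASE)
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def originating_relay(raw):
    """(hostname, ip) from the Received line nearest the sender.

    Received headers are prepended at each hop, so the last one listed is the
    earliest. Only the lines added by servers you trust (your own provider's)
    are reliable; the sender can forge anything below them.
    """
    received = email.message_from_string(raw).get_all("Received") or []
    if not received:
        return None
    hop = received[-1].strip()
    host, ip = FROM_HOST.match(hop), IPV4.search(hop)
    if not host:
        return None
    return (host.group(1).lower(), ip.group(1) if ip else "")

def sender_domain(raw):
    """Domain part of the From: address, lower-cased ("" if absent)."""
    _, addr = parseaddr(email.message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()

def origin_matches_sender(raw):
    """True when the originating relay's hostname lies within the From: domain."""
    relay, domain = originating_relay(raw), sender_domain(raw)
    if relay is None or not domain:
        return False
    return relay[0] == domain or relay[0].endswith("." + domain)
```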

The security precautions advised by PayPal at their site also confirm that this is a spoofing e-mail. Any legitimate e-mail from PayPal always addresses the user by name or by the name of their business. As you can see, this is certainly not the case with our e-mail. Secondly, PayPal suggests that you never click on a link in an e-mail but instead open your browser and type or paste the address into the address bar. The reason for doing this has already been pointed out: HTML can hide the real location of a link.

At this point I notified PayPal of the spoofing e-mail.

The Spoofed Site

Of course I couldn’t resist having a look at the site itself. Clicking on the link opened a perfect replica of the PayPal site in my browser. The graphics had been copied exactly and most of the links took me to the authentic PayPal site. Prominently displayed in the centre of the page was a request for a user name and password accompanied by a submit button. Getting me to enter my information here was the whole point of this elaborate ruse. Needless to say I didn’t do so, but if I had, the information would have been saved in a file, retrieved by the spoofer, and my account would then have been cleaned out. (By the way, it would have proved a disappointing take.)

Thinking, some twenty minutes later, that it might be useful to have a screen capture of the site and a copy of the HTML code I again clicked on the link in the e-mail only to find that the website had already been removed. Disappointing for me perhaps but comforting to know that it had been closed down so quickly.

Being Aware is the Best Defence

PayPal provides documentation online regarding security though you won’t find any description of how spoofing works and without this some of the security precautions recommended don’t really make sense. There are a couple of reasons for this. For one it’s not good marketing to dwell overly on security issues – it tends to frighten potential customers. The second issue is a little thornier. By showing how to guard against spoofing you are also showing how to get around it. Unfortunately, someone intent on fraud might read an article such as this to learn what pitfalls to avoid.

On balance though it pays to be an informed consumer. Learn a little bit more about the software you are using and you’ll be much less vulnerable. Most importantly remember that links and e-mail addresses can lie. Don’t click on a suspicious link but instead open your favourite browser yourself and type in the address manually after ensuring that it is correct.

Remember too that spoofing is not a problem restricted to PayPal. A spoof attempt may be made against any online account that you have. Finally, you should be aware that there are other more sophisticated spoofing schemes than the one described here.

Resources

http://www.millersmiles.co.uk/

http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/fraud-prevention-outside

About the Author

Peter Lavin runs a Web Design/Development firm in Toronto, Canada. He has been published in a number of magazines and online sites, including UnixReview.com, php|architect and International PHP Magazine. He is a contributor to the recently published O'Reilly book, PHP Hacks and is also the author of Object Oriented PHP, published by No Starch Press.

Please do not reproduce this article in whole or part, in any form, without obtaining written permission.
