Computer Forensics

Copyright Priscilla Oppenheimer

Lab 9: Phishing

 

Objectives

 

 

Background

 

Phishing is the act of sending an e-mail falsely claiming to be a legitimate enterprise in an attempt to scam the recipient into surrendering private information such as a credit card number, bank account number, or PIN.

 

Step 1: Acquire Some Data

 

Open the Phishing_Evidence_1 document. This is the original e-mail in its initial format as seen by a non-technical user, victim@students.sou.edu.

 

1. Does this document look suspicious to you?

 

 

2. If you were the recipient, would you follow the instructions in the e-mail and go to the website and provide your account details, such as your account number and PIN?

 

 

 

Open the Phishing_Evidence_2 document. This is the same e-mail saved by a technical user. The technical user found the options in the e-mail application that would allow her to "view long headers" and "view raw source."

 

The long headers option, which may be called something else in different e-mail applications, lets a user view the actual sender and the path that the e-mail took to arrive at the recipient. The raw source option lets the user view the actual text of the message, without any formatting.
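As an added illustration (not part of the lab materials), the script below walks the Received: headers of a raw message the way an analyst does by hand: oldest hop first, trusting only the bracketed IP that each relay recorded, not the host name the sender claimed. The message, the hop times, and the 192.0.2.x addresses are constructed for this example; only the relay name barracuda.sou.edu comes from the lab.

```python
# Added example: trace the path in Received: headers and find which IP
# handed the message to a given relay. The raw message below is constructed
# (addresses are from the 192.0.2.0/24 documentation range).
import re
from email import message_from_string

# Constructed sample, as the "view raw source" option would display it.
RAW_MESSAGE = """\
Received: from barracuda.sou.edu (barracuda.sou.edu [192.0.2.10])
\tby mail.students.sou.edu with ESMTP id abc123; Mon, 5 Mar 2007 10:02:11 -0800
Received: from mail.example-bank.test (unknown [192.0.2.77])
\tby barracuda.sou.edu with SMTP id xyz789; Mon, 5 Mar 2007 10:02:09 -0800
From: "Citibank" <support@example-bank.test>
To: victim@students.sou.edu
Subject: Please verify your account

Please visit the link below to confirm your details.
"""

# "from <claimed name> (<reverse name> [<ip>]) by <relay>"
# The claimed name is supplied by the sending side; the bracketed IP is what
# the receiving relay actually saw on the connection.
HOP_RE = re.compile(r"from\s+(\S+)\s+\((?:[^\s\[]+\s+)?\[([0-9.]+)\]\)\s+by\s+(\S+)")


def received_hops(raw):
    """Return hops oldest-first; each relay prepends its header, so reverse."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append({"claimed": m.group(1), "ip": m.group(2), "by": m.group(3)})
    return list(reversed(hops))


def sender_to(raw, relay):
    """IP of the host that delivered the message to `relay` (Question 3)."""
    for hop in received_hops(raw):
        if hop["by"] == relay:
            return hop["ip"]
    return None


if __name__ == "__main__":
    for hop in received_hops(RAW_MESSAGE):
        print(f'{hop["ip"]:>15}  (claims {hop["claimed"]})  ->  {hop["by"]}')
    print("Sent to barracuda.sou.edu by:", sender_to(RAW_MESSAGE, "barracuda.sou.edu"))
```

Only the header added by a relay you trust (here the school's own barracuda server) is reliable; earlier Received: lines can be forged by the sender.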

 

Study the Phishing_Evidence_2 document to determine if you can tell the path that the e-mail message took. Here are some hints:

 

 

3. What is the Internet Protocol (IP) address of the server that sent the e-mail message to barracuda.sou.edu?

 

 

 

The e-mail message (after the header) includes a URL. Compare the URL in the original (non-technical) version of the e-mail to the one in the technical version. The technical version will show the URL twice. Look for lines that start with https:// or http://.

 

4. What is the URL in the original version of the e-mail (the non-technical view)?

 

 

 

5. What URLs do you see in the technical version of the e-mail?

 

 

 

 

Step 2: Analyze the E-Mail Header

 

Now it's time to figure out the true identity of the server that sent the message to the barracuda server. In most investigations, the first step is to look up the server's IP address at the American Registry for Internet Numbers (ARIN). Go to the following website and look up the address that you wrote down in Question 3.

 

http://www.arin.net/whois/

 

6. What does ARIN tell you about this address?

 

 

 

If ARIN tells you that the address is registered by a non-American registry, such as the Asia Pacific Network Information Center (APNIC) or the Réseaux IP Européens (RIPE), go to the URL for the Whois database of that registry. (The ARIN page you went to should have a link to that registry's Whois database.)

 

7. What company owns the IP address that you looked up?

 

 

8. What country is that company in?

 

 

 

Remember that the recipient of this message was an SOU student (victim@students.sou.edu). Assume that the victim lives near Ashland, OR and has never opened a bank account outside the Western United States.

 

9. If this student were to receive a legitimate message from Citibank, where do you think it would come from? Go to www.citibank.com and determine the location of some reasonably close Citibank offices and jot down some possible locations:

 

 

 

 

10. Does it seem suspicious that victim@students.sou.edu received a message purportedly from Citibank that originated from the location you discovered in Question 8?

 

 

 

Step 3: Analyze the URL

 

In the Phishing_Evidence_2 document, find the URL that looks like this:

href="http://%32%31%31%2E%39%37%2E%32%34%38%2E%36%30:%38%37/%63%69%74/%69%6E%64%65%78%2E%68%74%6D"

 

The two digits that follow each percent sign are a hexadecimal (Base 16) code for one character: a letter, a digit, or punctuation such as the period. The codes come from the American Standard Code for Information Interchange (ASCII). Find an ASCII table on the Internet, convert each hex number to its character, and determine what the URL really states.

 

11. What is the alphabetic representation of the URL?

 

 

 

The URL includes an IP address and a port number. For example, the URL might be something like: http://66.241.68.28:80/index.htm. The 66.241.68.28 is an IP address. The 80 is a port number. Use the techniques you used in the previous section to determine who owns the IP address in the URL that you decoded in Question 11.
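The following script is an added example, not part of the lab. It performs the hex-to-ASCII conversion from Step 3 by hand on the href from the evidence document, checks the result against Python's library decoder, and then separates the IP address and port number (the two values you look up in Whois and the IANA port list). The flag names in the returned dictionary are my own.

```python
# Added example: decode a percent-encoded URL and extract host and port.
# The encoded href is the one quoted in Step 3 of the lab.
import ipaddress
from urllib.parse import unquote, urlsplit

ENCODED = ("http://%32%31%31%2E%39%37%2E%32%34%38%2E%36%30:%38%37"
           "/%63%69%74/%69%6E%64%65%78%2E%68%74%6D")


def percent_decode(s):
    """Replace each %XX with the ASCII character whose code is hex XX."""
    hexdigits = "0123456789abcdefABCDEF"
    out, i = [], 0
    while i < len(s):
        if s[i] == "%" and i + 3 <= len(s) and all(c in hexdigits for c in s[i + 1:i + 3]):
            out.append(chr(int(s[i + 1:i + 3], 16)))  # e.g. %32 -> '2', %2E -> '.'
            i += 3
        else:
            out.append(s[i])  # not an escape; copy the character through
            i += 1
    return "".join(out)


def analyze(url):
    """Decode the URL and report the indicators an analyst checks next."""
    decoded = percent_decode(url)
    parts = urlsplit(decoded)
    host = parts.hostname or ""
    # No explicit port means the scheme's default (80 for http, 443 for https).
    port = parts.port if parts.port is not None else (443 if parts.scheme == "https" else 80)
    try:
        ipaddress.ip_address(host)
        bare_ip = True   # a bank would link to a name, not a raw address
    except ValueError:
        bare_ip = False
    return {
        "decoded": decoded,
        "host": host,                      # look this up in Whois (Question 12)
        "port": port,                      # look this up at IANA (Question 14)
        "bare_ip_host": bare_ip,
        "nonstandard_port": port not in (80, 443),
        "was_obfuscated": decoded != url,  # encoding hid the real target
    }


if __name__ == "__main__":
    result = analyze(ENCODED)
    assert percent_decode(ENCODED) == unquote(ENCODED)  # matches the library decoder
    for key, value in result.items():
        print(f"{key:>16}: {value}")
```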

 

 

12. What company or organization owns the IP address in the URL that you decoded in Question 11?

 

 

Port 80 is usually used for web browsing. The port number in the URL in our case isn't 80, however.

 

 

13. What is the port number in the URL that you decoded?

 

 

The Internet Assigned Numbers Authority (IANA) maintains a list of port numbers and what they are used for. If you go to the http://www.iana.org/assignments/port-numbers website, you can determine the meaning of the port number you decoded.

 

14. What is that port number used for?

 

 

15. Does that port number seem suspicious to you?

 

 

 

Step 4: Plan for the Future

 

Every e-mail application has a different way of letting you see "long headers." Sometimes this feature is hard to find. With the Eudora e-mail application, for example, you have to click on an icon that says "Blah, blah, blah!" With Yahoo web-based mail, you may need to click on a link that says something like "Full Headers."

 

16. How do you display long headers with the e-mail application that you typically use? See if you can figure this out and write down the steps below.

 

 

 

 

 

17. Reflect on what you learned from the exercise. List three concepts, ideas, or precautions that you learned from this exercise.