Thursday, June 21, 2012

Clever Phishing

I keep getting e-mail like this one:

Image credit: Screenshot by Cujo359



It looks like an official e-mail from a real bank. There really is an RBC Royal Bank, of course, and it really does use that particular Internet domain. This wouldn't be much of a phishing attempt if that weren't true, now would it?

Of course, this is not my bank, which was the first clue that it was a phishing attempt. There are others, though, and I think it's a good idea to review some of the other clues, in case the next phishing e-mail purports to be from your bank or mine.

First off, that's the entire e-mail. Whenever my bank communicates with me, it will always identify what account we're discussing in some way that does not give away the secrets, of course. Something like my complete name, and/or a partial account number, or some such thing. There's nothing like that here.

Second, there's the clue of what happens when you put your mouse cursor on top of the link button at the bottom of the e-mail. Here is the URL it was going to take me to, if I had clicked on it:

http://www.royalbank.com.eb9def5.rbc.blahblah-notreal.com/rbc/

Once again, there's a clear difference, if you're able to understand what you're looking at. A Uniform Resource Locator (URL) string consists of a method, which is the string http to the left of the colon (':'), followed by the domain, which is the string that identifies what bunch of Internet addresses contain whatever it is you're attempting to access. In this case, the domain string is:

www.royalbank.com.eb9def5.rbc.blahblah-notreal.com

That part in the normal color type is what appears to be an Internet domain of the RBC Royal Bank, and it would be if it weren't for the part of the string that I highlighted in red. That is the domain of some sort of Internet art hosting service. I suspect it's just one of many boutique online web services scammers use, which in all likelihood has neither the time nor the expertise to make sure that its customers aren't doing this sort of thing. I changed the URL to protect the (possibly) innocent.

The important thing, though, is that that URL is deceptive. It looks like the RBC's web address, but it's not. It almost takes knowing you should be able to spot something to see it. If I had clicked on that button, the URL window on the browser would have started out with the string www.royalbank.com, and I might not have noticed the real domain.
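The check described above, written out as an added example (not part of the original post): a hostname is read from the right, so the real domain is the public suffix plus the one label before it, and anything further left is just subdomain labels. The function names, the short suffix set and the second sample URL are assumptions made for the illustration; real code should load the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List (publicsuffix.org),
# just large enough for this demonstration.
PUBLIC_SUFFIXES = {"com", "net", "org", "ca", "co.uk"}


def registrable_domain(host):
    """Return the public suffix plus one label to its left, or None."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest, so a
    # two-label suffix such as "co.uk" is matched before a one-label one.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None


def check_link(url, claimed_domain):
    """Compare where a link really goes with the domain the e-mail claims."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    claimed = claimed_domain.lower()
    actual = registrable_domain(host)
    genuine = actual == claimed
    # The claimed name appearing to the LEFT of the real domain is the
    # trick in this post: it is only a run of subdomain labels.
    padded = "." + host + "."
    decoy = (not genuine) and ("." + claimed + ".") in padded
    return {"host": host, "registrable": actual,
            "genuine": genuine, "decoy_prefix": decoy}


# First URL is the (already altered) one from the post; the second is a
# constructed sample of what a link on the claimed domain would look like.
SAMPLES = [
    "http://www.royalbank.com.eb9def5.rbc.blahblah-notreal.com/rbc/",
    "https://www.royalbank.com/rbc/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", check_link(url, "royalbank.com"))
```
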

So, be careful with these e-mails. If it appears that it comes from your bank, check these things, at a minimum, before clicking on a convenient button that will take you to just the place you need to go to clear up your problem. Better still, you should probably go to your bank's online banking site directly, and try to deal with the issue from there, or call them.

Afterword: Do I need to add that the RBC Royal Bank was not responsible for either this article or the e-mail that inspired this article? No doubt I do, so there we are.
