On the Soapbox


The Lure of Phishing

Tuesday, April 4, 2006
Keywords: Technology

Life is full of little coincidences. Not long after reading an article about the rise of "phishing" and its increasing sophistication, I received a phishing e-mail.

Normally, this would not be something worth writing about. Indeed, I have gotten a number of phishing e-mails before in e-mail accounts that were subject to spam. But this time, it was very different. As the owner of a number of domain names, I have the luxury of using a unique and different address with every site that I deal with (e.g., something that looks like amazon@example.com or paypal@example.com), and I have a special obscure domain name that I use just for this purpose. This way, e-mails that claim to be from, for example, PayPal that are not sent to the e-mail address that I use solely for PayPal are easy to reject (it also allows me to figure out which sites sell or leak out e-mail addresses to spammers, which was the original purpose of such a scheme). Anyway, this phishing e-mail passed this first test: it came from an online store where I had bought an item a couple of years ago, and it used the correct name and e-mail address.

The second test is an examination of the e-mail headers to see if the IP address that my mail server received the e-mail from makes sense. This e-mail passed this test as well: the IP addresses of the transmitting server belonged to the service provider that was hosting the servers for the company that supposedly sent the e-mail.

The third test is the believability of the content. The e-mail was plain-text, which helped its legitimacy (because it's easy to hide things in HTML, most phishers use HTML e-mails), and the story that it told was plausible. The e-mail claimed that the company's servers have been hacked and that this e-mail was being sent to inform me of that. The language was formal and correct. The alarm bells finally rang when it then requested users to log on and verify some of the information in their database. Not only is this a typical phishing lure, it also makes no sense if one stops to think about it: what exactly would this verification accomplish in respect to this security breach?
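The first two tests can be automated. The sketch below is an added example, not code from this post: the alias domain, the mail server name, the site table and both sample messages are constructed assumptions. The first sample passes both checks, just as the message described here did, which is why the content test still has to be done by a person.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Hypothetical setup: aliases live under one private domain; each alias maps to
# the sender domain it was given to and the networks that sender mails from.
ALIAS_DOMAIN = "aliases.example"
MY_MX = "mx.aliases.example"  # the only host whose Received stamp is trusted
SITES = {
    "shop": ("shop.example", ["192.0.2.0/24"]),
    "paypal": ("paypal.example", ["198.51.100.0/24"]),
}
IP_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def relay_ip(msg):
    """IP our own server recorded: topmost Received header stamped by MY_MX."""
    for hop in msg.get_all("Received", []):
        if re.search(r"\bby\s+" + re.escape(MY_MX) + r"\b", hop):
            found = IP_LITERAL.search(re.split(r"\bby\s+", hop, maxsplit=1)[0])
            try:
                return ipaddress.ip_address(found.group(1)) if found else None
            except ValueError:
                return None
    return None

def check_message(raw):
    msg = email.message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    alias, _, rcpt_domain = parseaddr(msg.get("To", ""))[1].lower().rpartition("@")
    site = SITES.get(alias) if rcpt_domain == ALIAS_DOMAIN else None
    # Test 1: the alias must be the one handed to the claimed sender.
    alias_ok = site is not None and sender_domain == site[0]
    # Test 2: the connecting IP must sit in that sender's usual networks.
    ip = relay_ip(msg)
    relay_ok = site is not None and ip is not None and any(
        ip in ipaddress.ip_network(net) for net in site[1])
    return {"alias_ok": alias_ok, "relay_ok": relay_ok}

# Constructed samples (documentation addresses, not real mail).
BREACHED_STORE = (
    "Received: from mail.shop.example (mail.shop.example [192.0.2.25])\n"
    "\tby mx.aliases.example with ESMTP; Tue, 4 Apr 2006 10:00:00 -0400\n"
    "From: Support <support@shop.example>\nTo: shop@aliases.example\n"
    "Subject: Security notice\n\nPlease log on and verify your information.\n")
FORGED_HOP = (  # lower Received line is sender-supplied and must be ignored
    "Received: from host.invalid (unknown [203.0.113.9])\n"
    "\tby mx.aliases.example with ESMTP; Tue, 4 Apr 2006 10:05:00 -0400\n"
    "Received: from mail.paypal.example ([198.51.100.7]) by mx.aliases.example\n"
    "From: PayPal <service@paypal.example>\nTo: paypal@aliases.example\n"
    "Subject: Verify your account\n\nPlease log on and verify.\n")
```

Only the topmost `Received` line written by your own server is reliable; anything below it is supplied by the sender, which is why `FORGED_HOP` fails the relay check even though it contains an address from the expected network.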

Anyway, things seemed fishy enough that I reported the e-mail to anti-phishing sites and CC'ed a copy of my report to the company's customer service. I suspect that their site has indeed been breached (thus, ironically, rendering the story true), and that was how the perpetrators were able to get the right e-mail address and also send the e-mail from the right server. A few hours later, I received a reply from the company, confirming that my suspicions were correct, that the e-mail was illegitimate, and that they are now looking to address the problem.

This particular experience was similar to a recent incident in Florida where bank sites were hacked and used in a phishing scheme. By hacking the company that they are trying to masquerade as, the criminals can clear many of the hurdles and present a hook and lure that is much more convincing and tempting.

I suppose that I am fortunate to be sufficiently tech-savvy that I can easily avoid such Internet hazards, but there are so many people who I could picture falling for this particular trap: a few of my friends, my relatives, Joe Sixpack, etc. With its high efficacy, it's no wonder that phishing is growing so fast.

This entry was edited on 2006/04/04 at 23:57:11 GMT -0400.
