
Gone Phishing

By Alex Walker

Although this isn’t strictly a web development topic, it’s at least an interesting quirk about the way domains work that many may not know — we certainly didn’t till today, so it’s probably worth bringing to attention.

Ebay Phishing Scam

Today I received another eBay phishing scam. This is nothing new in itself — like most people I’ve received dozens over the last year — but this one was a little different. Generally the URLs embedded in phishing emails are quite obviously dodgy as they clearly begin with an IP number. However, as you can see above, the URL looked more reasonable than most.

I’m listing the real IPs here for reference but I’ve disabled the links as they are obviously controlled by shady characters, so we don’t recommend you visit them.

To my surprise the ‘http://3281702273’ part was a viable IP.

Now I’d personally never seen anything like this before, but as I’m no DNS expert, that’s no big deal. However, after tossing the URL around the office I found no one else seemed to have seen anything similar either.

Kevin did a little trial and error and figured out how it works. The number ‘3281702273’ is a decimal conversion of a hex number — ‘c39acd81’ (try it here) — which, in turn, can be translated to an IP address.
c3 = 195
9a = 154
cd = 205
81 = 129

So in theory ‘http://3281702273’ and ‘http://195.154.205.129’ are the same thing.
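The conversion described above, as an added example (not code from the original article): a Python check that resolves a numeric URL host to its dotted-quad address and reports links whose host is a disguised IP. It goes beyond the decimal case in the article to the hex, octal and short dotted forms that classic `inet_aton`-style parsers also accept; the function names and sample links are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# One host component: hex (0x..), octal (leading 0) or plain decimal.
_PART = re.compile(r"0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*")

def _parse_part(text):
    """Return the integer value of one component, or None if not numeric."""
    t = text.lower()
    if not _PART.fullmatch(t):
        return None
    if t.startswith("0x"):
        return int(t, 16)
    return int(t, 8) if t.startswith("0") else int(t)

def numeric_host_to_ipv4(host):
    """Return the dotted quad for a host written as 1-4 numeric parts, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    *leading, last = values
    # Leading parts are one byte each; the last part fills the remaining bytes.
    if any(v > 0xFF for v in leading) or last >= 256 ** (4 - len(leading)):
        return None
    address = last
    for i, v in enumerate(leading):
        address |= v << (8 * (3 - i))
    return ".".join(str((address >> s) & 0xFF) for s in (24, 16, 8, 0))

def obscured_ip_in_url(url):
    """Return the real IPv4 address if the URL host is a disguised IP, else None."""
    host = urlsplit(url).hostname or ""
    ip = numeric_host_to_ipv4(host)
    return ip if ip is not None and ip != host else None

# Constructed sample links; the first uses the host form from the article.
SAMPLES = [
    "http://3281702273/",        # single decimal integer
    "http://0xc39acd81/",        # same address written in hex
    "http://195.154.205.129/",   # ordinary dotted quad, not disguised
    "http://www.example.com/",   # real hostname
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", obscured_ip_in_url(link))
```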

IE7 anti-phishing measures

Interestingly, IE7 seems to do a better job than Firefox or IE6 with these obscured IP addresses, by automatically converting them to a normal IP before sending them. The page renders fine but the URL displays the standard IP.

No doubt most sysadmins are snoring at this point in the post by now, but I suspect plenty of relatively tech-savvy people (and their friends and family) might be more susceptible to the subtleties of this scam than most others.

Hopefully a few less now anyway.

It’s nice to see that since this morning Firefox is clearly reporting the URL as a ‘Suspected Web Forgery’. Hooray for Web services.

Suspected Web Forgery

  • http://www.reflectivestudios.co.uk Bonzo_CS

    Well said, although us developers can recognise more than most such a scam, the issue seems to be becoming more popular these days and no doubt the scam will evolve to new techniques. I hadn’t heard of that DNS trick myself, although I wouldn’t have trusted ebay to begin with that path in the URL. Thanks for explaining that.

    Cheers

  • http://boyohazard.net Octal

    I heard about this trick a while ago but have never seen it in actual use by a Phisher. Thanks for highlighting the issue Alex.

    As a matter of course I tell all my friends and family to never click on a link in an email; if they want to visit the site then type the address in manually.

  • http://www.sitepoint.com AlexW

    I wouldn’t have trusted ebay to begin with that path in the URL. Thanks for explaining that.

    As a matter of course I tell all my friends and family to never click on a link in an email; if they want to visit the site then type the address in manually.

    Yes, I think applying a normal level of healthy online cynicism should protect most people, and I should add that at least Thunderbird flagged the mail as a scam before I’d even read it. I suspect Outlook would too.

    Still, for the many people who are relatively active on eBay, I would think this email would have a decent chance of blending in with the dozens of legitimate eBay messages they receive.

  • http://diigital.com cranial-bore

    I should add that at least Thunderbird flagged the mail as a scam before I’d even read it

    Thunderbird also does that to all the Sitepoint newsletters I receive, and other legitimate mail. I’m in the habit of clicking that “Not a Scam” button pretty quickly.

  • http://www.deletespyware-adware.com smithkarl

    Hi,

    I never even open such emails, but your point is interesting.

    They are all phishing attacks if they don’t welcome you by your name or username. Ebay, paypal, alertpay and so on contact you by saying:

    Dear Karl Smith
    not Hello or Dear Webmaster …

    That is another trick :)

    Karl

  • TechSay

    I cannot believe people still fall for Ebay and Paypal scam email. I get four or five a day.

    techsay.com
