
A phishing scam dissected

Here's a very nice explanation of the details and mechanics of a recent phishing scam which involved simulating a Better Business Bureau complaint. A scary mix of technical and social hacks is at work in the scam.

It's worth noting that a couple of third parties end up being complicit in this scam. One is whatever mail server originally accepted the email; it didn't check the SPF records of bbb.org. If it had, it would have found that the scammer's zombie computer wasn't authorized to send email for bbb.org and would have rejected the message.
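As an added illustration (not part of the original post or the linked article), here is a minimal SPF evaluator of the kind the receiving mail server should have run against the envelope sender's domain. The domains and TXT records in its offline DNS table are constructed placeholders, not bbb.org's real record, and only the ip4/ip6, include and all mechanisms are modelled.

```python
"""Minimal SPF (RFC 7208 subset) evaluator over a constructed, offline DNS table."""
import ipaddress

# Constructed TXT records standing in for live DNS lookups (not real data).
# The domains are placeholders; bbb.org's real record is not reproduced here.
DNS_TXT = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the domain's SPF TXT record, or None if it publishes none."""
    txt = DNS_TXT.get(domain)
    return txt if txt and txt.startswith("v=spf1") else None


def check_spf(sender_ip, domain, depth=0):
    """Decide whether sender_ip may send mail for domain.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    A receiving server would reject on 'fail' (as the post says should
    have happened to the zombie host sending as bbb.org)."""
    if depth > 10:                 # RFC 7208 caps nested lookups to stop loops
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:   # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        if term.startswith(("ip4:", "ip6:")):
            # a v4 address is never inside a v6 network and vice versa
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qual]
        elif term.startswith("include:"):
            # include: matches only when the referenced record yields "pass"
            if check_spf(sender_ip, term[8:], depth + 1) == "pass":
                return QUALIFIERS[qual]
        else:
            return "permerror"     # a, mx, exists, redirect= are not modelled here
    return "neutral"               # record exhausted without an "all" term
```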

The second unwitting collaborator is the BBB itself. As the blog post details, their website has a security hole that allowed the bad chaps to craft a URL that not only looked like it went to the BBB site, it did go to the BBB site -- then quickly redirected to the scammers' server where they do their mischief.

More: http://www.jgc.org/blog/2008/02/clever-targeted-emailweb-scam-with.html

February 8th, 2008