Yesterday morning, I personally received an example of a new (to me) category of phish: someone trying to get me to provide Yahoo credentials. Not my personal Yahoo credentials, but my “Sponsored Search” account, where I’d control my advertising spend with Yahoo Search Marketing…if I had an account!

I suppose the purpose was to steal my credentials and then have “me” schedule and pay for pay-per-click advertising on behalf of the criminal. Phishers keep following the money, even via more indirect routes.

• The phish: http://yahincmarketing.com/Login.html (purposefully not linked)
• PhishTank submission: http://www.phishtank.com/phish_detail.php?phish_id=316499
• Real URL: https://login.marketingsolutions.yahoo.com/ (redirects to another Yahoo.com URL, but totally legitimate!)

The phisher even copied the Javascript popup from the legitimate site encouraging me to bookmark this new location!

Note: Besides the community’s vote (thank you!), I’ve notified someone at Yahoo Search Marketing, so I would expect and hope this site will be taken offline rapidly. It’s already blocked for OpenDNS customers, of course.

whois info:

Domain name: yahincmarketing.com

Registrant:
   Jim Johnson  (SROW-615849)
   mdumi82u@aol.com
   5 rue de Thorigny
   PAris   PARIS
   75003   FR
   +33 42719715

PhishTank caught five IRS phishes this tax season and prevented who knows how many people from readily handing over their personal information.

Now what are you doing reading this blog? Don’t you have taxes to do?

Question: What do the following web addresses have in common?

1. http://66.135.40.79/
2. http://1116153935/
3. http://0×42.0207.10319/
4. http://0102.8857679/

Answer: Don’t look here — try them out and see! (Caveat: In most browsers and operating systems — all four URLs will work. If your computer had trouble with a link, see “Something Not Working” below to understand why.)

So why did that happen?

We websurfers are trained to think of Internet sites as Double-U, Double-U, Double-U, Dot, Google, Dot, Com — because that is easier to remember than http://1208941928/. The network translates those names into numbers, so we don’t have to. But, every computer accessible on the Internet has a long and unique number as an address. It’s like a telephone number — uniquely yours.

The hostnames in the four web addresses at the top of this page are all different ways of expressing the same Internet address number.

Just as websurfers use a method that is easy to remember, programmers do, too. If they’re working in a system or programming language that prefers base-16 or hexadecimal numbers, they’re likely to express a 3 like 0×3 and a 12 like 0xC. An octal system would likely replace those with base-8 numbers, expressed as 03 and 014.

Why do this, when the rest of the world speaks in base-10 (decimal)? You’ll see in a moment — multiplication and division are much easier when you’re speaking the same language as the system.

The third example at the top of the page begins with 0×42, which is a hexadecimal number (66 in decimal). The next segment of example 3 is 0207, an octal number equal to 135. But what about that third number?

The “dots” in the address are meant for organization. Twenty-five years ago, our internet founders segmented the IP space into 255 (0xFF) segments. Those segments were split between five address types — large, medium, small, private, and special-use/future. The number before the first dot indicates this segment.

Knowing this, you can begin to do the math to make the above conversions.

If there is a first dot, the number before it is multiplied by 0×1000000 (or 16777216 to us Base-10 users). The number after it is not multiplied. This would work just fine for a very large organization, they would have their unique organizational number and over 16 million IP addresses that they could use on the Internet.

A second dot would help mid-size organizations — the first two segments would be assigned to the business and the final segment was theirs to divide as they pleased. And so on, for smaller businesses and the fourth segment. That sounded good back in the early 1980s, and it worked for a while. But, more importantly for our topic, it set the stage for how IP addressing works.

Let’s untwist our 4th example. 0102 is the octal equal to 66. This means that http://66.8857679/ should work? Does it? So we multiply that 66 by 16777216, and we get 1107296256. We add the last half of example 4 to that. 1107296256 plus 8857679 is 1116153935. That number is hard to remember, but it is the same number we tried in Example 2, above! So, the unique network address to PhishTank is 1116153935!

If there are two or three dots, the first number is multiplied by 0×1000000, the second by 0×10000, and the last is not multiplied. If there are four segments, the third segment is multiplied by 0×100.

Remember that the dots are there for organization — for human convenience. Computers do not need them (as we have shown here).

Now you can turn any dotted decimal (what most would call “normal”) IP address into its actual single-integer address, and back again! Reverse the process using division…

… and that leaves us back at 66.135.40.79, the dotted-decimal IP address that we used in Example 1.

Something not working, or working differently? In twenty-five years, programmers and administrators have grown accustomed to the four-segment dotted-decimal IP addresses, even in the largest organizations. While most network software still accepts these other forms of an address, some do not.

Although these forms of addressing are valid, almost nobody is used to them. Spammers and Phishing Fraudsters are taking advantage of this. They attempt to get around detection by changing the IP address into something other than a dotted-decimal form. It also tends to make a Phishing URL more legitimate. Here are some examples:

• Submission #44124: http://0×4231ddb2/www.amazon.com/login/exec.php?cmd=sign-in
• Submission #48434: http://0xd2.0xf3.0xe9.0×22/www.paypal.com/
• Submission #91296: http://3630742891/cgi-bin/webscr_cmd_login-submit/

So when you see such an address, don’t panic. Know that the address is a number, and not a name that can be resolved in DNS. Submit the Phishing Site to the PhishTank “As-Is,” using the same style address that the Phisher put in his spam email. Then, if you want, deconstruct the dotted decimal IP address and submit the site using the more “normal” form. Doing this will help remove some of the confusion for verifiers, down-stream users, and others who aren’t as smart as you!

Isn’t that cool?

Like to write a post for PhishTank? Let us know.

The PhishTank community is slowly reaching the right conclusion. Emphasis on slowly. But it’s hardly the community’s fault.

The site is http://www.paypalchristmas.co.uk/. It is not operated by PayPal, as you can tell on the Technical Details tab of #40965, adding to the confusion!

But the site is affiliated with and approved by PayPal.

Given their high profile (#2 in November 2006, for example), PayPal should think very carefully about using alternate URLs for anything with their name on it. Submissions 42483 and 42482 are additional examples where the site is legitimately affiliated with PayPal, but it is very hard to know that without digging deep.

But a company’s domains are their choice. I simply wanted to draw the attention of the PhishTank community to this example, as I’ve done with other examples.

Firefox 2.0 improperly calls this site a phish. IE 7 is confused, some times saying it’s a phish, some times saying it doesn’t know. I’d like to encourage PhishTank to get it right.

So, vote wisely. Vote NOT a phish. Please.

P.S. eBay (parent company of PayPal) hosts images and other, well, static content at the genuine domain ebaystatic.com is a genuine domain, so submission 46522 is also NOT a phish.

P.P.S. 42482, 42483 and 40965 were submitted by MASA as tests, with approval: they were known to be confusing, but legitimate. The community is passing the test, but I wanted to hurry the process along. Just wanted to make it clear that MASA is not polluting the Tank here; in fact, MASA is a moderator.

I want to call attention to another example today.

The submission is 36895. There are nearly 250 votes on this submission, with a slight majority correctly recognizing that this is NOT a phish.

Why the confusion? The website is branded as NatWest, a major bank in the United Kingdom, but the domain name is nwolb.com (go to the submission to see the entire URL submitted).

The registrant for nwolb.com is:

The Royal Bank of Scotland Group plc
Waterhouse Square
138-142 Holborn
London EC1N 2TH
UK

NatWest was purchased by Royal Bank of Scotland Group in 2000, so this is legit.

You can also simply start at NatWest.com. Click the button at the top right titled “Log in.” The link redirects to…you guessed it…https://www.nwolb.com/ (with lots of other session/security stuff on the end of the URL).

I’m sure there are technical reasons, or historical business reasons, why the online bank lives on a different URL than the corporate website, but it’s certainly led to some confusion among an ever-more cautious online crowd.

If you have not yet voted on 36895, please vote “NOT a phish.”

Related note

In the comments about 53.com, some asked why we (the PhishTank administrators) don’t go ahead and decide this submission once and for all. My answer remains the same: as long as this is undecided, we will not step in. PhishTank administrators will step in to overrule false positives, if necessary. It rarely has been: maybe three times in nearly 25,000 submissions as I write this post.

The moderators are instrumental in flagging confusing submissions and drawing attention to possible problems, though they don’t overrule the community.

Submission 22779 is such a professional-looking employment ad, one might even wonder why it was submitted as a suspected phish site. Most likely, redpriest realized that the ad was looking for a Money Mule — a person who launders phishy money through their personal accounts and moves it overseas.

It’s both illegal and risky — and most Money Mules end up getting burned as soon as the phish-site victims realize that their credit cards or identities have been compromised. In addition to possible trouble with the police, the Money Mule gets to pay back the banks and institutions that were involved in the fraud. Money Mules take all the heat while the real crooks disappear into anonymity.

So why was Submission 22779 marked “Verified: Is NOT a phish?” Because, even though it probably is related to phishing, it really is not a phish. It isn’t masquerading as an institution one already trusts in order to obtain financial information.

While PhishTank endeavors to quickly and accurately identify Phish, our friends at CastleCops.com specialize in working with government and internet concerns to shut these criminals down. CastleCops has an e-mail address to report suspected Money Mule advertisements: mules@castlecops.com.

Got a phish? As always, throw it in the PhishTank. But if the crooks are “fishing” for a Money Mule, then report it to mules@castlecops.com.

But some of the folks on the dark side of the Internet defy such categorization. They don’t limit themselves to phishing. So, we’ve had a few submissions of phish URLs which also try to infect the visitor with a virus.

In the past, we’ve deleted these submissions out of hand, but we don’t want to give phishers an easy way to avoid identification by compounding their crimes.

How we deal with these submissions now, thanks to miked:

1. All submissions are scanned for viruses.
2. We never display the actual suspected phishing site by default. (Always been the case.)
3. If our scan indicates a possible virus in the submission, then when you click the “View site in frame” tab, you will be warned. You will be able to continue, but you should be even more careful than usual.
4. Same general experience holds for the “View site in new window” link: a warning, with an option to continue.

No virus scanning is perfect, and phishing sites change, so please make sure that if you venture over to the site itself, that you always do so in a very-up-to-date browser, with security settings at their highest levels. We hope the technical information tab also limits the need to visit the site itself.

If you want to see this in action, then take a look at 19880, which is online still as I write this.

To cite Hill Street Blues (long-gone TV show), let’s be careful out there.

http://www.53.com/wps/portal/contenttype/secure/confirm_context.id

The screenshot shows Fifth Third Bank.

The technical details give the strongest evidence. Admittedly, the technical details tab did not exist when this was submitted on October 17, 2006.

Registrant:
Fifth Third Bank
38 Fountain Square Plaza
Cincinnati, OH 45263-0001
US

There are 250+ votes so far, with 60% saying “Is NOT a phish.”

Hint: This bank exists, and this site is real. If you have not voted, please vote Is NOT a phish.

The lesson is that number-only domain names do not inspire trust, but don’t dismiss them out of hand.