Anatomy of a phishing email

Today I got the coolest phishing email I have received in quite some time, in my Gmail inbox. Typically Gmail does a great job of filtering, but this one got through. It looked legitimate, but I want to take it apart so that if anyone else receives a message like this they will know what to do. First, here is what the message looked like in my Gmail account.

[Image: phishing email example 1]

This email looks legitimate, and for all practical purposes the site you see in the link text, http://lloydstsb.com/, is a real banking site. But if you open the menu in Gmail and choose "view original", or if you hover over the links without clicking them, the status bar of your web browser shows that the true destination is http://www.tabletennisstore.es/images/aa/index.html, which is not where the message claims to be taking you. We will assume it is a malware site or a site that wants to sell you something you are not looking to buy. I will paste the original source below; the nefarious links are the href values pointing at tabletennisstore.es, which is what the browser actually follows, regardless of the bank URL shown as the link text.

Delivered-To: emailaddressremoved@gmail.com
Received: by 10.223.156.195 with SMTP id y3cs50486faw;
Mon, 8 Aug 2011 11:02:51 -0700 (PDT)
Received: from mr.google.com ([10.216.238.80])
by 10.216.238.80 with SMTP id z58mr4574038weq.106.1312826571548 (num_hops = 1);
Mon, 08 Aug 2011 11:02:51 -0700 (PDT)
Received: by 10.216.238.80 with SMTP id z58mr3289384weq.106.1312826570681;
Mon, 08 Aug 2011 11:02:50 -0700 (PDT)
Return-Path: <examiner@exa.examiner.org>
Received: from exa.examiner.org (exa.examiner.org [174.121.46.250])
by mx.google.com with ESMTPS id l52si12504877weq.75.2011.08.08.11.02.50
(version=TLSv1/SSLv3 cipher=OTHER);
Mon, 08 Aug 2011 11:02:50 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of examiner@exa.examiner.org designates 174.121.46.250 as permitted sender) client-ip=174.121.46.250;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of examiner@exa.examiner.org designates 174.121.46.250 as permitted sender) smtp.mail=examiner@exa.examiner.org
Received: from examiner by exa.examiner.org with local (Exim 4.69)
(envelope-from <examiner@exa.examiner.org>)
id 1QqUA2-0002aL-SY
for emailaddressremoved@gmail.com; Mon, 08 Aug 2011 13:02:46 -0500
To: emailaddressremoved@gmail.com
Subject: Changes in your account information(CONFIRMATION CODE NO.. 58293330098147)
X-PHP-Script: www.examiner.org/mail.php for 92.41.82.125
From: Lloyds Tsb plc <noreply@Lloydstsb.co.uk>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <E1QqUA2-0002aL-SY@exa.examiner.org>
Date: Mon, 08 Aug 2011 13:02:46 -0500
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - exa.examiner.org
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [500 500] / [47 12]
X-AntiAbuse: Sender Address Domain - exa.examiner.org

Your Lloyds TSB® Online Accoount Activity<br><br><br><br>Dear Customer,<br> <br>Your information for your account has recently been changed.This message is simply a notification to protect the security of your account.<br><br>Please note: your new account details may take awhile to activate. If it doesn't work on your first try, please try it again later<br><br>DO NOT REPLY TO THIS MESSAGE. For further help or to contact support, please see <a href="http://www.tabletennisstore.es/images/aa/index.html"_blank">http://help.lloydstsb.com/help/edit/</a>
<br>
***************************************************************
<br>If you have received this message by error,You are kindly advised to follow the following instructions.Click here : <a href="http://www.tabletennisstore.es/images/aa/index.html" target="_blank">http://lloydstsb.com/myaccount/securitycheck.html</a><br><br>If you cannot find an "Account Info" link, you can sign in to Your account ! (<a href="http://www.tabletennisstore.es/images/aa/index.html" target="_blank">http://my.acc.lloydstsb.com/</a>) and you'll find it in the upper right corner

As you can see, every link in the email takes you to the same possible malware site. Another hint is that the email originated somewhere other than lloydstsb.com or lloydstsb.co.uk: the Return-Path and the Received headers show it came from exa.examiner.org, a host unrelated to Lloyds TSB, and the X-PHP-Script header shows it was generated by a mail.php script on www.examiner.org (the address after "for" is the client that invoked that script). Note that the "spf=pass" in Authentication-Results does not vouch for the bank: SPF was checked against the envelope sender examiner@exa.examiner.org, not the forged From: address, so a pass here tells you nothing about the displayed sender. Finally, the most obvious clue was that it was addressed to "Dear Customer" and not to me directly. My bank always addresses my mail to me individually. Anyway, thanks for reading and happy surfing.
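The three checks above (link text that disagrees with the real href, a From: domain that is not the domain SPF actually vouched for, and a generic greeting) can be automated. The script below is an added example, not code from the original post; it runs over a constructed, trimmed copy of the quoted headers and body (recipient replaced by a placeholder) and uses only the Python standard library. The co.uk handling in base_domain is a deliberate simplification; a real tool would use the Public Suffix List.

```python
"""Added example (not from the original post): extract the indicators the
post relies on from a raw message - link text whose URL disagrees with
the real href, a From: domain different from the envelope sender SPF
vouched for, and a generic greeting."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: trimmed copy of the headers and body quoted in the post,
# with the recipient replaced by a placeholder address.
RAW_MESSAGE = """\
Return-Path: <examiner@exa.examiner.org>
Received: from exa.examiner.org (exa.examiner.org [174.121.46.250])
 by mx.google.com with ESMTPS id l52si12504877weq.75.2011.08.08.11.02.50
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of examiner@exa.examiner.org designates 174.121.46.250 as permitted sender) smtp.mail=examiner@exa.examiner.org
To: victim@example.com
Subject: Changes in your account information
X-PHP-Script: www.examiner.org/mail.php for 92.41.82.125
From: Lloyds Tsb plc <noreply@Lloydstsb.co.uk>
Content-Type: text/html

Dear Customer,<br>Your information for your account has recently been changed.
Click here : <a href="http://www.tabletennisstore.es/images/aa/index.html" target="_blank">http://lloydstsb.com/myaccount/securitycheck.html</a>
<br>or sign in (<a href="http://www.tabletennisstore.es/images/aa/index.html" target="_blank">http://my.acc.lloydstsb.com/</a>)
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(host):
    """Registrable domain; crude co.uk-style handling (real tools use the PSL)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {"co", "ac", "org", "gov"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_of(text):
    """Hostname if the text is an http(s) URL, else None."""
    parsed = urlparse(text.strip())
    return parsed.hostname if parsed.scheme in ("http", "https") else None


def mismatched_links(html):
    """(visible URL, real href) pairs whose registrable domains differ."""
    collector = LinkCollector()
    collector.feed(html)
    return [(text, href) for href, text in collector.links
            if host_of(href) and host_of(text)
            and base_domain(host_of(href)) != base_domain(host_of(text))]


def sender_check(msg):
    """SPF is evaluated on the envelope sender (smtp.mail / Return-Path), not on
    the displayed From:, so an 'spf=pass' says nothing about the bank's domain."""
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    envelope = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    m = re.search(r"smtp\.mail=[^\s@]+@([\w.-]+)", msg.get("Authentication-Results", ""))
    return {"from_domain": from_domain, "envelope_domain": envelope,
            "spf_domain": m.group(1).lower() if m else "",
            "aligned": bool(from_domain) and base_domain(from_domain) == base_domain(envelope)}


GENERIC_GREETING = re.compile(r"\bDear\s+(Customer|Member|User|Client)\b", re.I)


def analyse(raw):
    """Run the three checks over a raw message string and return a report."""
    msg = message_from_string(raw)
    body = (msg.get_payload(decode=True) or b"").decode(msg.get_content_charset() or "utf-8", "replace")
    links, sender = mismatched_links(body), sender_check(msg)
    generic = GENERIC_GREETING.search(re.sub(r"<[^>]+>", " ", body)) is not None
    return {"links": links, "sender": sender, "generic_greeting": generic,
            "suspicious": bool(links) or not sender["aligned"] or generic}


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(RAW_MESSAGE), indent=2))
```

Run against the sample it reports both links as mismatched (bank domain shown, tabletennisstore.es followed), From: lloydstsb.co.uk against an envelope and SPF domain of exa.examiner.org, and the generic greeting; any one of the three is enough to flag the message. A legitimate bank notice, where the anchor text and href share a registrable domain and From: aligns with the envelope sender, produces an empty link list and aligned = True.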

This entry was posted in Ramblings.