Application security, Malware, Phishing

Phresh phish from the Keepnet

It has been a while since I wrote anything substantial (by which I mean chapters, papers or even long articles, rather than blog articles) on phishing. So writing an article for a new banking security-oriented magazine had me turning over some rocks I haven't touched in a while. In fact, searching through some spam folders to see what was getting through these days, I came upon the two examples below. I've stripped the graphic content, which was actually pretty convincing. In fact, the presentation of banking phish is a lot better these days than when I was writing about the topic in the noughties. However, I thought some readers might find it useful to be reminded of some of the “red lights” that often distinguish phishing messages from real banking communications.


Phish 1

From: HSBC Bank Plc. <[email protected]>

reply-to: [email protected]

[The domain is correct, but the address is spoofed.]


[There's no address there because the message has been blind copied, to hide the fact that it has been sent to lots of people all at once. You might also see it addressed to one email address that isn't yours, which is just as suspicious. Of course, it could be addressed to your email account, appear to be from a bank you actually have an account with, and still be a phish.]

date: 15 April 2011 18:38

subject: Verify your activity ,

Dear Valued Customer,

[We don't know anything about you: we just have your address. Of course, if we were really your bank, we'd at least know your name. Sometimes, we might be really sneaky and put your email address in here. That's easy to do, and if your friends already know you as [email protected], it might even be convincing.]

We detected irregular activity on your HSBC Bank. internet banking account on 15/04/2011. For your protection, you must verify this activity before you can continue using your account. [Phishing mails are often better presented than this nowadays (see the second example). Poor presentation and English is still a giveaway, but not seen so often as in the previous decade. I've tweaked the formatting slightly for readability.]

Please download the document attached to this email to review your account activity. [Please install the malware this script downloads so that we can get a closer view of your sensitive data.]

We will review the activity on your account with you upon verification, and we will remove any restrictions placed on your account.

If you choose to ignore our request, you leave us no choice but to temporaly suspend your account. [I once thought of offering a spellchecking service to phishing gangs, but ethics won out over profit in the end. Note the threat: respond PDQ or lose access to your money.]

We ask that you allow at least 72 hours for the case to be investigated . [We have lots of accounts to pilfer: please give us time to get to yours.]

Best Regards,

HSBC Bank - internet Banking

© Copyright HSBC Bank. Holdings plc 2011 - All rights reserved

<HSBC Notification.html>

Phish 2

From: [email protected]

[note that the domain is paypai, not paypal]

To: [account name]

Date: 31 March 2011 00:03

Subject: Your account is restricted

Dear Paypal User,

[Generic salutation: “we don't know if you're really a PayPal user, we don't know your name and we don't care. We just want access to your account...”]

You may have noticed that some limitations have been placed on your PayPal account. As a valued PayPal customer, we want to let you know what this means and how to resolve the situation.

What does it mean to have limited access?

Your account may be restricted for a number of reasons; you'll find out when you next log in to PayPal. As a result, you'll notice that some of the following options are now unavailable:

  • Send money to other PayPal users
  • Request or receive money from other users
  • Edit or remove account details
  • Close your PayPal account

[In fact, pretty much anything you'd want to do. Of course, this is to panic you into logging in as suggested below.]

How do I resolve the issue?

To assist us in our review, please log in to your account here [link removed for obvious reasons]. You will see a message explaining why your account has been restricted, with details of what to do next.

The account limitation process helps to maintain PayPal as a safer way to buy and sell. It's similar to passing through a security checkpoint. When we limit an account we often simply ask the user to supply information to verify their identity, financial information or the merchandise they're selling.

PayPal aims to review account information within 48 hours* so please aim to get the information to us as soon as possible.

Yours sincerely,


*Reviews are performed in the order they are received.

[Please give us plenty of time to plunder your account.]

How do I know this is not a spoof email? Spoof, or phishing, emails tend to have generic greetings, such as "Dear PayPal member." Emails from PayPal will always address you by your first and last name. Find out more here. [Which, strangely enough, doesn't apply to this mail.]

<buttons snipped>

[The passage above is stolen from real PayPal messages. The fact that it includes an excellent pointer as to why this is an obvious phish (no personal identifier) indicates that either phishers aren't good at reading the small print, or that they know that their victims aren't. Actually, both probably apply. This is followed by a copyright notice: since it includes the correct address for PayPal's Luxembourg office, I presume that's taken from real PayPal email, too.]

Here are just a few links that you might find useful if you want to find out more about phishing.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.