We examined a phishing email in our lab recently that was interesting from a social-engineering perspective. Phishing attempts commonly impersonate financial institutions. In these cases a phisher seeks to cause alarm with an official-looking email warning of supposed cancellations, fees, or some other negative consequence in an attempt to push victims into “confirming” their account information on the imposter’s Web site, which is linked in the message.

In this case the email purported to be confirmation of purchase for a trial membership on an adult Web site. Included was a login and password, account number, and a link to the site. The message also cited possible recurring charges. The adult site the email claimed to originate from and link to does actually exist; however, the actual URL associated with the linked text pointed to a now-defunct account on a commercial hosting service in Asia. Additionally, the name of the billing service referenced for the recurring charges is also a real online e-commerce billing company.

The text of the email follows:

“Dear Louise,
Thank you for your subscription to Z Pornstars.
Your subscription number is 0107006601000011329
Please include your subscription number in all correspondence.

URL: http://www.zpornstars.com/members/
[actually linked to http://[removed].dothome.co.kr/]

Your username is: Mileref
Your password is: gere446

You have been billed as CCBILL Ltd. for the amount of $9.95 for 5 days (trial) then $39.95 recurring every 30 days. If you selected an automatically rebilled option, your subscription will automatically be renewed for your convenience until you cancel.”

What’s interesting is that the phisher is luring the victim with dual motivations, the second being more emotional than pragmatic:

  1. Threat of monetary charges (negative incentive)
  2. “What? I have an account at an adult site? Hmm, maybe I’ll just go look around a bit before I cancel it.” (positive* incentive)

Though it’s no longer possible to examine the actual imposter phishing site, it’s easy to speculate that the phisher would set it up so that the victim had to “confirm billing information” either way (whether they were trying to cancel immediately, or wanting to actually peruse pornography).

* Depending on personal taste and/or morals, the idea that one has an account on an adult Web site could serve as an additional negative incentive. In any case, it is interesting to see such deft use of an emotional motivator.