Below is a typical phishing email I received on Dec 8, 2007. It was sent to one of my active Gmail accounts.
The Email Header
- From: “Gmail Team” <customercareteamalert4@gmail.com>
- Subject: Gmail Warning!!!! Verify Your Gmail Account To Avoid Close.
- Part of the message ↓
Dear member,
This message is from gmail message center to all gmail free account owners
and premium account owners. We are currently upgrading our data base and
e-mail account center. We are deleting all unused gmail account to create
more space for new accounts.
*To prevent your account from closing, you will have to verify it below so
that we will know that it’s a present used account.*
* CONFIRM YOUR IDENTITY. VERIFY YOUR FREE GMAIL ACCOUNT NOW !!! [...]
Raw Email Content
This is part of the raw message as shown in Gmail; it was not downloaded via POP3. Certain meta info is not available, as it got filtered by Gmail's services (automatic spam removal).
Delivered-To: random-victims-name@gmail.com
Received: by 10.114.235.19 with SMTP id i19cs230694wah; Sat, 8 Dec 2007 04:27:12 -0800 (PST)
Received: by 10.141.20.7 with SMTP id x7mr3231780rvi.1197116792300; Sat, 08 Dec 2007 04:26:32 -0800 (PST)
Received: by 10.141.115.15 with HTTP; Sat, 8 Dec 2007 04:26:32 -0800 (PST)
Message-ID: <2f83b9150712080426n4a018c86mc2af4a4ed271f223@mail.gmail.com>
Date: Sat, 8 Dec 2007 13:26:32 +0100
From: "Gmail Team" <customercareteamalert4@gmail.com>
Reply-To: customercareteamalert2@gmail.com
Subject: Gmail Warning!!!! Verify Your Gmail Account To Avoid Close.
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_11145_31274162.1197116792293"

------=_Part_11145_31274162.1197116792293
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Dear Member*,*
** * Account Alert*
*** *
*VERIFY YOUR GMAIL ACCOUNT NOW TO AVOID CLOSE !!!*
***GMAI L
*Dear Member*,*
This message is from gmail message center to all gmail free account owners and premium account owners. We are currently upgrading our data base and e-mail account center. We are deleting all unused gmail account to create more space for new accounts.
*To prevent your account from closing, you will have to verify it below so that we will know that it's a present used account.*
* CONFIRM YOUR IDENTITY. VERIFY YOUR FREE GMAIL ACCOUNT NOW !!!
<http://amazon.com/>
Gmail! ID:.........................
Password:........................
Your Birthday:.................
Your Country or Territory:...........
Enter the Security Characters:......... [image: Registration Verification Code]
* *Warning!!! **Account owner that refuses to update his or her account before two weeks of receiving this warning will lose his or her account permanently.
* ** *Sincerely,* *Gmail Team* ------=_Part_11145_31274162.1197116792293 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline <table style="WIDTH: 595px; HEIGHT: 813px" width="595" border="0"> <tbody> <tr bgcolor="#cccc99"> <td valign="center" colspan="3"><font face="Arial,Helvetica" color="#333300" size="+0"><span style="FONT-SIZE: 13px; FONT-FAMILY: Arial">Dear <font size="3">Member</font><strong>,</strong></span></font></td></tr> <tr> <td colspan="3"><font face="Arial,Helvetica" size="-1"> <div align="center"><font face="Arial Cyr" size="2"><span style="FONT-SIZE: 13px; FONT-FAMILY: Arial"><font face="Arial Cyr" size="2"><font face="Arial Cyr" size="2"><span style="FONT-SIZE: 23px; FONT-FAMILY: Arial"><b><font color="#dd6600"> <img style="WIDTH: 430px; HEIGHT: 99px" height="330" src="http://www.google.com/intl/en/press/images/logos/gmail.jpg" width="418"></font></b></span></font></font></span></font></div> <div align="center"> <div><font face="Arial Cyr" size="2"><span style="FONT-SIZE: 13px; FONT-FAMILY: Arial"><font face="Arial Cyr" size="2"><font face="Arial Cyr" size="2"><span style="FONT-SIZE: 23px; FONT-FAMILY: Arial"><b><u><font color="#ff0000"> Account Alert</font></u></b></span></font></font></span></font></div></div> <div align="center"><font face="Arial Cyr" size="2"><span style="FONT-SIZE: 13px; FONT-FAMILY: Arial"><font face="Arial Cyr" size="2"><font face="Arial Cyr" size="2"><span style="FONT-SIZE: 23px; FONT-FAMILY: Arial"><strong> </strong></span><b><u><font face="Arial" color="#ff0000"></font></u><br> </b></font></font></span></font></div> <div align="center"> <table cellspacing="0" cellpadding="4" width="585" border="0"> <tbody> <tr bgcolor="#a0b8c8"> <td colspan="2"> <div align="center"><font face="Arial"><font face="Arial Narrow" size="4"><u><strong>VERIFY YOUR GMAIL ACCOUNT NOW TO AVOID CLOSE !!!</strong></u></font></font></div></td></tr></tbody></table></div> <div align="center"><font 
face="Arial Cyr" size="2"><font face="Arial Cyr" size="2"><font face="Arial Cyr" size="2"><strong><font size="5"><font face="arial"></font></font></strong></font></font></font><font face="Arial Cyr" size="2"> <font face="Arial Cyr" size="2"><font face="Arial Cyr" size="2"><strong><font face="Arial"><font size="7"><u><font color="#0000bf">G</font><font color="#ff0000">M</font><font color="#ffff00">A</font><font color="#0000bf">I</font><font color="#007f40"> L</font></u></font></font><br></strong><span style="FONT-SIZE: 21px; FONT-FAMILY: Arial"><font color="#ff0000">Dear</font><font color="#ff0000"> Member</font><font color="#ff0000"><strong>,</strong></font></span></font></font> </font></div></font></td></tr> <tr> <td><font face="Arial Cyr" color="#124282" size="2"><span style="FONT-SIZE: 13px; FONT-FAMILY: Arial"> <div class="MsoNormal"><span style="FONT-SIZE: 10pt; COLOR: rgb(18,66,130); FONT-FAMILY: Arial"><font color="#0000ff"><span style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><font color="#00007f">This message is from gmail message center to all gmail free account owners and premium account owners. We are currently upgrading our data base and e-mail account center. We are deleting all unused gmail account to create more space for new accounts. 
</font></span></font></span></div> <div class="MsoNormal"><span style="FONT-SIZE: 10pt; COLOR: rgb(18,66,130); FONT-FAMILY: Arial"></span> </div> <div class="MsoNormal"> <div class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font face="Times New Roman"><strong>To prevent your account from closing, you will have to verify it below so that we will know that it's a present used account.</strong></font></div><span style="FONT-SIZE: 10pt; COLOR: rgb(18,66,130)"> </span></div> <div class="MsoNormal"><span style="FONT-SIZE: 10pt; COLOR: rgb(18,66,130)"></span> </div> <div class="MsoNormal"><strong><span style="FONT-SIZE: 10pt; COLOR: rgb(18,66,130); FONT-FAMILY: Arial"> <table cellspacing="0" cellpadding="4" width="585" border="0"> <tbody> <tr bgcolor="#a0b8c8"> <td colspan="2"><font size="4"> <div><strong> <font size="4"> <div><strong>CONFIRM YOUR IDENTITY. VERIFY YOUR FREE GMAIL ACCOUNT NOW !!!</strong> </div></font></strong></div></font></td></tr></tbody></table> <div><strong><font size="5"><font face="arial"> <div> <div><img style="WIDTH: 469px; HEIGHT: 75px" height="75" src="http://pics.ebaystatic.com/aw/pics/securityCenter/hdr1_649x75.gif" width="649"></div> <div><font size="2"><font face="Verdana"><strong><a href="http://amazon.com/" target="_blank" rel="nofollow"><span id="lw_1190759841_12"><font color="#003399"></font></span></a></strong></font></font> </div></div></font> </font></strong></div> <div><strong><font size="5"><font face="arial"><font face="arial narrow" size="4"> <div class="MsoNormal" style="MARGIN: 0in 0in 0pt"><strong><span style="FONT-SIZE: 13.5pt"> Gmail! 
ID:.........................</span></strong></div> <div class="MsoNormal" style="MARGIN: 0in 0in 0pt"><strong><span style="FONT-SIZE: 13.5pt"></span></strong> </div> <div class="MsoNormal" style="MARGIN: 0in 0in 0pt"><strong><span style="FONT-SIZE: 13.5pt"> Password:........................</span></strong></div> <div class="MsoNormal" style="MARGIN: 0in 0in 0pt"><strong><span style="FONT-SIZE: 13.5pt"></span></strong> </div> <div class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font size="4"><font face="arial narrow"><strong style="FONT-FAMILY: arial narrow"><span style="FONT-SIZE: 13.5pt"> Your Birthday:.................</span></strong> </font></font></div> <div class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font size="4"><font face="arial narrow"><strong style="FONT-FAMILY: arial narrow"><span style="FONT-SIZE: 13.5pt"></span></strong></font></font> </div> <div class="MsoNormal" style="MARGIN: 0in 0in 0pt"><strong><span style="FONT-SIZE: 13.5pt"><label for="persistent"></label> Your Country or Territory:...........</span></strong> </div></font></font></font></strong> </div> <div> Enter the <strong>Security Characters:......... <img style="WIDTH: 125px; HEIGHT: 38px" alt="Registration Verification Code" src="https://ab.login.yahoo.com/img/LVnEpeVZFekTjDHcj06RTVxEZ3._lwVb0bZmRLXJUxldX3JOnZnejReq4nmXD_..xGmoMjBT9h9WFcSARc5o427WyZP6hQ1z1juqhTkOyV68FA04yd2HiHVj.jpg" border="0"> </strong></div></span></strong></div> <div class="MsoNormal"><span style="FONT-SIZE: 10pt; COLOR: rgb(18,66,130); FONT-FAMILY: Arial"></span> </div> <div class="MsoNormal"><span style="FONT-SIZE: 10pt; COLOR: rgb(18,66,130); FONT-FAMILY: Arial"><img style="WIDTH: 148px; HEIGHT: 53px" height="139" src="http://www.genbeta.com/images/2007/01/gmail%20logo%20blanco.gif" width="118"> </span></div> <div><strong><span style="FONT-SIZE: 12pt; COLOR: red; FONT-FAMILY: Arial">Warning!!! 
</span> </strong><strong><span style="FONT-SIZE: 12pt; COLOR: black">Account owner that refuses to update his or her account before two weeks of receiving this warning will lose his or her account permanently. </span></strong></div> <div><strong><span style="FONT-SIZE: 12pt; COLOR: black"></span></strong> </div> <div><strong><span style="FONT-SIZE: 12pt; COLOR: black">Sincerely,</span></strong></div> <div><strong><span style="FONT-SIZE: 12pt; COLOR: black">Gmail Team</span></strong></div></span></font></td></tr></tbody></table> ------=_Part_11145_31274162.1197116792293--
- They used Outlook to publish this email and leeched a number of images from different “known” web services ↓
- Image Sources
- Gmail Logo: Google Presskit logo
- Captcha : yahoo (SSL)
- Gmail Logo 2: genbeta.com (might be their host)
- Header: EbayStatic Server
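
As an added example (not part of the original post), this Python code applies the observations above to a message: it compares From with Reply-To and lists every remote image and link host that does not belong to the brand the mail claims to come from, which are also the hosts a client contacts when it loads images. The sample is constructed from the headers and URLs shown on this page; `BRAND_DOMAINS`, `RemoteRefs`, `off_brand` and `triage` are names made up for the illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: headers and URLs are taken from the message on this page,
# the HTML is cut down to the relevant tags and the captcha path is shortened.
SAMPLE = """\
From: "Gmail Team" <customercareteamalert4@gmail.com>
Reply-To: customercareteamalert2@gmail.com
Content-Type: text/html; charset=ISO-8859-1

<img src="http://www.google.com/intl/en/press/images/logos/gmail.jpg">
<img src="http://pics.ebaystatic.com/aw/pics/securityCenter/hdr1_649x75.gif">
<a href="http://amazon.com/" target="_blank"></a>
<img src="https://ab.login.yahoo.com/img/SHORTENED.jpg">
<img src="http://www.genbeta.com/images/2007/01/gmail%20logo%20blanco.gif">
"""
BRAND_DOMAINS = ("google.com", "gmail.com")  # assumption: hosts "Gmail Team" may use

class RemoteRefs(HTMLParser):
    """Collect the host of every remote image and link in an HTML part."""
    def __init__(self):
        super().__init__()
        self.hosts = {"img": [], "a": []}

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get("src" if tag == "img" else "href")
        if tag in self.hosts and url:
            self.hosts[tag].append(urlsplit(url).hostname)

def off_brand(hosts):
    """Hosts that are neither a brand domain nor a subdomain of one."""
    return sorted({h for h in hosts if h and not any(
        h == d or h.endswith("." + d) for d in BRAND_DOMAINS)})

def triage(raw):
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    refs = RemoteRefs()
    for part in msg.walk():  # also covers multipart/alternative messages
        if part.get_content_type() == "text/html":
            refs.feed(part.get_payload())
    return {
        "reply_to_differs": bool(reply_to) and reply_to != sender,
        "off_brand_images": off_brand(refs.hosts["img"]),
        "off_brand_links": off_brand(refs.hosts["a"]),
    }
```
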
What's the motive
It may seem funny to read the message, as this is pretty much script kiddies at work. I’m sure that most savvy users will not trust this type of threat. But what most people are unaware of is the “image” portion of the message. It can play a big role in exploiting email.
QuickInfo: The spam “images” trend started around June 2006, and earlier versions of popular email clients (Outlook and Thunderbird) don’t block images by default.
If you are familiar with Internet security in general, you may notice that there are many attempts and proof-of-concept methods for exploiting images like “TIFF & JPEG”. Both of these vulnerabilities exist in the Internet Explorer browser and various Microsoft Windows products. We can only make educated guesses, as there is no real working proof yet.
My doodling scenario produces this ↓
Session “hacker” creates a malicious server-side image → proxy tunnel sends it to multiple email servers → the curious victim opens the email → steal client information (cookie or server session cookie) → spoof the request → send RST back to client (reset) → dump the victim's data in one instance → write signature on victim's email (avoid loop) → propagate using the victim's session → new net-worm is born
Try digging around the VX Heavens & milw0rm databases; you’ll find something to start tinkering with.
- December 11, 2007 at 2:09 pm
- December 26, 2007 at 9:24 pm
No Responses to “Email Phishing and Spams Trends - Be wary”