Phishing - Un attacco sulla presente homepage come esempio
Il 31.10.2009 ho ricevuto la mail sottostante. Questa email era così ben fatta che
(di seguito ho rimpiazzato il nome della mia URL con XYZ, per rendorlo inservibile)
Ma prima la testata (header) di questa email:
From - Sat Oct 31 18:40:51 2009
X-Account-Key: account6
X-UIDL: UID52-1239349698
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path: <3_D7rSgcKBHEcdgTeanVddVaT.RdbXcUdTVeTad.Rdb@phishing.bounces.google.com>
Envelope-to: info@XYZ.com
Delivery-date: Fri, 30 Oct 2009 20:31:09 +0100
Received: from mail-px0-f221.google.com ([209.85.216.221])
(falsificazione dell'emittente)
by server16.cyon.ch with esmtp (Exim 4.69)
(envelope-from <3_D7rSgcKBHEcdgTeanVddVaT.RdbXcUdTVeTad.Rdb@phishing.bounces.google.com>)
id 1N3xBe-000339-Lh
for info@XYZ.com; Fri, 30 Oct 2009 20:31:09 +0100
Received: by pxi18 with SMTP id 18so839085pxi.2
for
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=google.com; s=beta;
h=domainkey-signature:mime-version:auto-submitted:received:message-id
:date:subject:from:to:content-type;
bh=xNdyIcn9o0BOBh2hjdrQsoyopaCJwi296tZaI1EXlMA=;
b=aQVeFhrMwPPlrEFCJSWpQWe130WqK7U+r7ZHtH0yugXhMcZ+yPWynK8ErB10Wh2+2F
0KIMA/kEwMjhFW+21YUw==
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=google.com; s=beta;
h=mime-version:auto-submitted:message-id:date:subject:from:to
:content-type;
b=dBsYH8aZw80Nn+TDRtw/vN0831jeMDIjLJpLwvaAxezfxH1J7kpdYYigDB80GVp0mT
79o3nL2YwB5MS+1JaDvw==
MIME-Version: 1.0
Auto-Submitted: auto-generated
Received: by 10.143.21.35 with SMTP
(numero IP non registrato!) id
y35mr261733wfi.24.1256931068953;
Fri, 30 Oct 2009 12:31:08 -0700 (PDT)
Message-ID: <00504502cb1edf49a404772c1133@google.com>
Date: Fri, 30 Oct 2009 19:31:08 +0000
Subject: Phishing notification regarding XYZ.com
From: noreply@google.com
To: abuse@XYZ.com, admin@XYZ.com, administrator@XYZ.com,
contact@XYZ.com, info@XYZ.com, postmaster@XYZ.com,
support@XYZ.com, webmaster@XYZ.com
(8 indirizzi email sparati a vanvera al fine di fare almeno una volta centro. E di fatti ci sono riusciti.)
Content-Type: multipart/alternative; boundary=00504502cb1edf499204772c1130
X-Spam-Status: No, score=1.8
X-Spam-Score: 18
X-Spam-Bar: +
X-Spam-Flag: NO
--00504502cb1edf499204772c1130 Content-Type: text/plain; charset=ISO-8859-1; format=flowed; delsp=yes
Dear site owner or webmaster of XYZ.com,
We recently discovered that some pages on your site look like a probable phishing attack, in which users are encouraged to give up sensitive information such as login credentials or banking information. We have begun showing a warning page to users who visit this site in certain browsers that receive anti-phishing data from Google, as well as users redirected to this site from various Google properties.
Below are one or more example URLs on your site which appear to be part of a phishing attack:
http://www.XYZ.com/~atajachc/fr/login/active/compte/
Here is a link to a sample warning page:
http://www.google.com/interstitial?url=http%3A//www.XYZ.com/~atajachc/fr/login/active/compte/
We strongly encourage you to investigate this immediately to protect users who are being directed to a suspected phishing attack being hosted on your web site. Although some sites intentionally host such attacks, in many cases the webmaster is unaware because:
1) the site was compromised
2) the site doesn't monitor for malicious user-contributed content
If your site was compromised, it's important to not only remove the content involved in the phishing attack, but to also identify and fix the vulnerability that enabled such content to be placed on your site. We suggest contacting your hosting provider if you are unsure of how to proceed.
Once you've secured your site, and removed the content involved in the suspected phishing attack, or if you believe we have made an error and this is not actually a phishing attack, you can request that the warning be removed by visiting
http://sb.google.com/safebrowsing/report_error/
and reporting an "incorrect forgery alert." We will review this request and take the appropriate actions.
Sincerely,
Google Search Quality Team (Falsificazione totale)
L'emittente ha commesso 2 errori:
1. Il destinatario non era chiaramente definito, dato che ha "sparato" 8 email, di cui 7 sbagliate.
2. Numero IP di prima origine sconosciuto
Ma cosa sarebbe successo se avessi seguito i link indicati?
Allora mi sarebbe stato presentato un "serissimo" sito di Google (falsificato) e mi sarebbe stato chiesto di dicitare login e password del server del mio sito. Se poi lo avessi fatto veramente, allora avrei potuto dire per un po' di tempo arrivederci al presente sito.....