15 replies to this topic

[OpaQue]

BEWARE OF FRADULENT - PHISHING e-mails sent to you as @Xisto.com

Dear Members of Xisto Network,

Please beware of Phishing Emails sent to you from @xisto.com Email.

ALL XISTO emails (or any genuine company) will address you by your FIRST NAME and LAST NAME (stored in our Database Records)

Links inside E-mails from Xisto.com will point to following domains only :-

• xisto.com
• xistosupport.com
• knowledgesutra.com

If you find any other URL (hidden/cloaked), please report it to us immediately at abuse@xisto.com

EXAMPLE: PHISHING EMAIL (posing as xisto.com)

Quote

New secret questions were added to your xisto.com account.

To ensure that your account information remains accurate and secure we notify you whenever this information changes.

This change request was made on Tue, 29 Jun 2010 00:37:35 +0300

If the changes described above are accurate, no further action is needed. If anything doesn't look right, follow the link below to
make changes:

https://edit.xisto.com/blah/blah/blah ------(sample, Phishing URL - Hover over it & check it.)

Regards,
xisto.com Account Services
-------------------------
Please do not reply to this message. Mail sent to this address cannot be answered.

[The Simpleton]

That's strange. How can someone send mails using the Xisto domain? Anyway it's a good thing you alerted us, Opaque. I'm sure no one will fall for silly phishing attempts like this, but it's good to be alerted all the same. Now that I think about it, I don't think I've received any mail from Xisto whenever I made any changes to my account, so if receive one suddenly, it'll be highly suspicious!

[anwiii]

The Simpleton, on 29 June 2010 - 12:38 AM, said:

That's strange. How can someone send mails using the Xisto domain? Anyway it's a good thing you alerted us, Opaque. I'm sure no one will fall for silly phishing attempts like this, but it's good to be alerted all the same. Now that I think about it, I don't think I've received any mail from Xisto whenever I made any changes to my account, so if receive one suddenly, it'll be highly suspicious!

people can put in whatever address they please in an email if you have the right program. but just because it's saying it's coming from a certain address, doesn't mean it is. thanks for the update! i will be on the lookout. how was this caught in the first place???

[BuffaloHelp]

Email can be fooled to "look alike" it was sent from the source claimed to be by manipulating mail headers. In PHP this is achieved simply by:

<?php
$to      = 'nobody@example.com';
$subject = 'the subject';
$message = 'hello';
$headers = 'From: webmaster@example.com' . "\r\n" .
    'Reply-To: webmaster@example.com' . "\r\n" .
    'X-Mailer: PHP/' . phpversion();

mail($to, $subject, $message, $headers);
?>

What it cannot fool is the "Received" portion of the full header. In Yahoo and Gmail you can see the full header by click on "show full header" or "show original," respectively.

In the full header contains many information but it cannot disguise the originated IP address (in bold) such as:

Quote

Delivered-To: no-reply@xisto.com
Received: by 10.229.99.193 with SMTP id v1cs216067qcn;
Wed, 23 Jun 2010 02:15:16 -0700 (PDT)
Received: by 10.229.224.81 with SMTP id in17mr4025083qcb.252.1277284515492;
Wed, 23 Jun 2010 02:15:15 -0700 (PDT)
Return-Path: <root@******.xisto.com>
Received: from ******.xisto.com (******.xisto.com [00.00.00.00])
by mx.google.com with ESMTP id v30si11598770qco.96.2010.06.23.02.15.15;
Wed, 23 Jun 2010 02:15:15 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of root@******.xisto.com designates **00.00.00.00** as permitted sender) client-ip=00.00.00.00;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of root@******.xisto.com designates 00.00.00.00 as permitted sender) smtp.mail=root@******.xisto.com
Received: from root by ******.xisto.com with local (Exim 4.69)
(envelope-from <root@******.xisto.com>)
id 1Orrrr39-0003kdddsscc-1n
for **@xisto.com; Wed, 23 Jun 2010 09:15:15 +0000
To: user <**********************@xisto.com>
Subject: ......................................
Date: Wed, 23 Jun 2010 09:15:15 +0000
From: "ComputingHost (Xisto)" <sales{at}computinghost[dot]com>
Message-ID: <13d2454bb7cc3338b50199384jq9483732@localhost.local_domain_name>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/alternative;

Even when originated IP can be fooled (next paragraph can explain) the SPF cannot be faked (another bold from quote above). This is another reason people register proper SPF so that their emails are not marked as spam. This is another method many popular email servers will base how to filter spam from legitimate email. When you see "this email is not from where it claims" (at least in Gmail) this is how they identify spam emails.

A script can be originated from the hosting of Xisto by creating a free account under Xisto server(s) and send a quick mail script. This is why spamming accounts are quickly suspended form any of our free web hosting accounts. Since the email can be sent from the same server IP as "Xisto" it can pass for the correct IP address of Xisto mail.

In any case, see the full header information and if you can forward the copy to OpaQue. He can investigate further and put a stop to spammer's phishing attempt(s).

[web_designer]

thank you opaque for telling  , it is a horrible thing. how could that person do that and why? is he hating you this much? to hurt your business?

now we will be aware more, i even not gonna open any email from xisto any more  , just kidding.

and thank you buffelohelp for the explanation, i will be sure to check the header first.

[nirmaldaniel]

I never thought that some one will cast their phishing nets on XISTO. Phishing nets are commonly casted on Facebook,orkut and of course one all the banks. In that the PayPal is the lead victim i guess. I want to study much and go deeper into this Phishing matter so that one day i will be able to design a 100% Phish Proof algorithm which will save millions of users.

[deadmad7]

Ah! Thanks for Alerting us before any mishaps have occurred OpaQue. Now, I start to wonder how insecure e-mails really are nowadays. But, I thought that big companies like Google Mail, Yahoo! Mail and Live have already added security restrictions so can't make it look like another site, anyways just to be sure i had gotten Ad-Block's Fanboy Secuirty List which blocks are phishing and scam sites, and even if its a new one, my OpenDNS account blocks any

[anwiii]

nirmaldaniel, on 29 June 2010 - 11:27 AM, said:

I never thought that some one will cast their phishing nets on XISTO. Phishing nets are commonly casted on Facebook,orkut and of course one all the banks. In that the PayPal is the lead victim i guess. I want to study much and go deeper into this Phishing matter so that one day i will be able to design a 100% Phish Proof algorithm which will save millions of users.

exactly! it's the same thing i was thinking. phishing is good when you have a high profile site so the chances are when you send bulk email, you can snatch up 3 accounts a day or so depending on the site being phished. xisto is NOT a high profile site. so now it makes me wonder who the people are that are being targeted. do they have xisto member emails? is it an employeee? was xisto ever hacked to get that information? can it be verified that more than one email has been sent out or that only one email has been sent out to put a scare? this is not a normal m.o. for someone who wants to go phishing. like i told opaque. looks like xisto definately has an enemy here. xisto would be one of the LAST sites i would phish from if i was a hacker.

when you see a site in your inbox like buffalohelp gave as an example...

Quote

https://edit.xisto.com/blah/blah/blah ------(sample, Phishing URL - Hover over it & check it.)

, if you hover over it and look at the address bar, you can usually see the true location of where the url is pointing to.

wd- you don't have to check the full headers. that is a waste of time! you just have to check the link that you are being directed to. usually, it's ok to even click the link. instead of it taking you to "edit.xisto.com", it would have taken you to a site called something like "xxisto.com" or "xisto-members.com", etc....something to fool you that you are at a xisto site but really aren't. so all you have to do is check your address bar and make sure the site you are on is the site you actually wanted to go to. checking headers is a waste of time. it's just good to verifiy where the email come. in some cases, the headers aren't fully accurate either so it's best to go by the address bar at the top and bottom of your browser.

nirm- you will never be able to code anything that is 100% phish proof. even if you were so lucky, it would be outdated a month later. be realistic haha

[missalex]

Thank you for alerting us all. I wonder who would do such a thing? Phishing is just a waste of time in my opinion, go do something that's worth accomplishing. Also since you have just alerted us about this, the people that are phishing are going to be aware of this as well and will be extra careful next time. Scary thought if you ask me.

[Harlot]

Thanks for the heads up, however, I am kind of dumbfound on why anyone would want to phish Xisto accounts. It doesn't really make much sense, what are you going to do with the account? It seems pretty pointless to me. I could understand the idea behind phishing paypal, ebay, or rapidshare accounts. You know, accounts that are materialistically valuable. People are getting more and more ruthless everyday it seems, and are phishing accounts simply to cause destruction. Its not about the money anymore, its about simply being devilish and vandalizing without logical cause or reason.