Saturday 31 May 2008

NatWest Bank: safeguarding customer information

This one is very similar, but still subtly different to the email received earlier today. The tracking is there, but is following referer and cookie, rather than machine and 'id'. This one looks exactly like yesterday's Natwest EMail. So it's possible that they are both sent from different sources and it's just a coincidence that both have hit the same email address overnight.

I also didn't record which email address received yesterday's email, so no idea if they are working through the same list, sending repeat emails, or if they are on a different list. This email is sent to one address at a time, so it's possible they are working down a list that my email addresses appear on several times.

This time around the link is to http://www.natwest.co.uk.nwol.me.uk/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed] - yesterday it was nwolb.me.uk - so presumably the first site has been shut down, which could be the reason for repeating the email. Here's the content, again...

Dear NatWest bank customer,

Security and confidentiality are at the heart of Natwest Bankline. Your data (and your money) is protected by a number of technologies, including Secure Sockets Layer (SSL) encryption.
We would like to notify you that NatWest bank carries out customer data verification procedure that is compulsory for all Natwest bank customers. This procedure is attributed to a routine banking software update.

Please login to Natwest online banking using the link below and follow the instructions on the screen.

http://www.natwest.co.uk/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed]

Natwest Customer Service


ref l-cmr

NatWest Bank customer service: your account with us. [message ref:

Another 2 emails targeting Natwest customers overnight, both through the same email address and both very similar.

The first is a scheduled maintenance. So obviously, when banks do this customers have to sign on to remind the banks of their security details. Not really a convincing excuse, is it? Instead of the NOF, it's now the NCF (the Natwest Customer Form) - that's making a few appearances.

The target URL is http://www.natwest.com.tknnt.me.uk/serverstack/usersdirectory/ncf.aspx?pc=[removed]&id=[removed], so it's sent by the group of people who are tracking which recipient PCs click on the links. Actually, the email content is the same as last Thursday's - I just didn't record which email address Thursday's arrived through.

Here's the content.

Dear customer of NatWest bank,

We are running a scheduled maintenance on our servers. We want to make sure your money and your personal details are safe and secure.
Due to new security policies all NatWest bank customers must complete the Natwest Customer Form.

To complete the form, please use the link below:

Natwest Customer Form

This should take you directly to the Natwest Customer Form.

Sincerely,
Natwest Customer Service


ref l-cmr

Friday 30 May 2008

NatWest Bank notification!

Another one of a similar format to recent Natwest Phishing Emails - this one also triggering the virus software, which is unusual. Like the others, this one has a referer id / cookie id so the senders are tracking which recipients are opening the email.

The grammar is suspect - 'We would like to notify you that NatWest bank carries out customer data verification procedure that is compulsory'. I see what they are trying to say, but it's not how an English bank would write it. The destination URL is http://www.natwest.com.nwolb.me.uk/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed], which looks similar to others I've seen before, but nwolb.me.uk isn't in any search results of use, at the moment...

Here's the email's content:

Dear NatWest bank customer,

Security and confidentiality are at the heart of Natwest Bankline. Your data (and your money) is protected by a number of technologies, including Secure Sockets Layer (SSL) encryption.
We would like to notify you that NatWest bank carries out customer data verification procedure that is compulsory for all Natwest bank customers. This procedure is attributed to a routine banking software update.

Please login to Natwest online banking using the link below and follow the instructions on the screen.

http://www.natwest.com/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed]

Natwest Customer Service

Your payment didn't succeed, so your ads have been suspended.

Yet another version of the Google AdWords phishing emails, they must be changing them every time to get through spam blockers. This one has quite an "aggressive" message saying your ads have been removed - obviously hoping for a quick response.

The actual URL being used is http://www.adwords.google.com.lskllz.cn/select/Login. I've no idea what the site is as it's in Chinese - so could be an innocent site that's been attacked.

Here's the email content:

-------------------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
-------------------------------------------------------------------------------------

Dear Google AdWords Customer,

We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.

Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.

-------------------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
------------------------------------------------------------------------------------------

Thursday 29 May 2008

HSBC Bank Personal and Commercial Update Your Details -- ref: 218

The HSBC are the target for the second time in just a few days. A different approach this time around.

This time around it's back to the old story of the maintenance / technical / security department have updated their system and customers need to 'approve' their details (???) - although if you aren't a customer...

The link is actually pointing at http://personal9.hsbc.com.tag95.com/updateform/?session=[removed]. I can only find 1 other search result for tag95.com, and that's for an Abbey phishing email.

Here's the content:

Dear HSBC Internet Banking client!

Our Maintenance Division is carrying out an arranged OnLine Banking software update.

By visiting the link below you will start the procedure of the customer details approval:

http://ww6.hsbc.com/updateform/?session=[removed]

These directions are to be mailed and followed by all users of the HSBC Personal and Commercial

HSBC Bank does apologize for any troubles caused to you, and is very appreciative for your cooperation.

If you are not client of HSBC Group please disregard this notice!

--- This is an automated message please do not reply ---

(c) 2008 HSBC OnLine Banking. All Rights Reserved.

Important Notice From NatWest Bank bank.

A quiet day on the Phishing front today, after the tons yesterday saying I'd been awarded $1.5 / $2.5m! Today's only phishing email (but the evening is young...) is the good old NOF.

This time around the target URL is http://www.natwest.com.techs1.me.uk/serverstack/usersdirectory/ncf.aspx?pc=[removed]&id=[removed] - a very similar URL to the NatWest Phishing Email of a few days ago, which also used the pc / id combination to identify who clicked the link. This one is upsetting my virus software - it doesn't like the email.

Here's the content.

Dear customer of NatWest bank,

We are running a scheduled maintenance on our servers. We want to make sure your money and your personal details are safe and secure.
Due to new security policies all NatWest bank customers must complete the Natwest Customer Form.

To complete the form, please use the link below:

Natwest Customer Form

This should take you directly to the Natwest Customer Form.

Sincerely,
Natwest Customer Service

Wednesday 28 May 2008

DESMOND ALI | Urgent Attention

This one is still doing the rounds, but it's changed since earlier this afternoon. Aside from changing the Title, the money asked for has reduced from $120 / $180 to $100 / $150. They must have thought their initial asking price too high! Also, the reply to email address has changed for some reason. Maybe the first guy was getting too many replies then saying it cost too much.

The other danger with this email is that the lower price is offered for courier delivery of a cheque - BACS is the higher price, even though companies prefer this. Therefore, I suspect that not only are they trying to rob us of the $100, but they will ask for that in the form of a personal cheque, along with full name and address to deliver their cheque to. All they would then need to ask is for your date of birth and they have got hold of enough information to clone your identity - full address and bank details off the cheque.

This version has also arrived through several email addresses. Not sure which ones and whether any of the earlier emails used the same addresses. Here's the ever so slightly changed content:

Urgent Attention ,



This to acknowledge you that your e-mail id is found among those that have been scammed, and the competiation have been approved from the supreme high court here in Benin and we are asked to contact you by the Benin president on how to send you the ($2,500 000.00) united state dollars by the diplomatic courier and the fund as been cash in dollars here in Benin bank. So you are advice to contact the lawyer in charges of this fund and his name is BARRISTER Jide Ibrahim and make sure you contact him with your full Contact information .



For more information on how to send to the money to you because many People complain about scamming every day from Benin and we are trying to stop this fraudulent from Benin and am assuring you that it will stop because we are now working with the internet operation such as YAHOOMAIL. Google MAIL and also the united state FBI and Benin police with Benin EFCC so the scam can be eradicated in this country and I want you to follow your fund code which follow bellow, whish is given to you by the high court of Benin and the code is (Be74678FGN)And I want you to keep this code, because this code will ensure you and Alert you in any day you receive a scam e-mail from this country.



And as soon as you contact Barrister Jide Ibrahim with your full contact information requested, he will be forward everything to the Benin presidency office to issue out your award certificate as the rightful beneficiary



Name:Barrister Jide Ibrahim
E-mail Address :(barristerjideibrahim1@yahoo.fr)
CHAMBER NUMBER...189VC
CHOSE ONE
1.Bank to Bank is $150
2.courier service $100



Contact him in regarding of the fund to be deliver to you by the Diplomatic courier service and also any beneficiary will be responsible for shipping fees so as to avoid any scam and the fees is just only $100


Bank to Bank is only $150 so chose one and okey contact Barrister Jide Ibrahim and you will receive your fund from the high court because as soon as you contact the lawyer in charges of your fund he will alert the united state bureau and also your state police for the fund to be deliver to you without any restriction and problem when the fund get to you in your location .


Thanks.
Best Regards
Dr Desmond Ali.


Given to you by the high court of Benin and the code is (Be74678FGN)

YOUR URGENT ATTENTION IS NEEDED FROM FEDERAL HIGH COURT OF BENIN,REPUBLIC

This one seems from a quick glance to be an even more prolific version of the previous FEDERALHi COURT email. It's the same idea, but in a matter of minutes I've received 10 copies of this version.

Don't touch either of them!

Given to you by Federal High Court of Benin and the code is (Be74678FGN)

Well here's an honest con! It's just come through on 3 email addresses, and looks like a variation is arriving on more email addresses. But why is it 'honest'? Well it starts off saying that your email 'have been scammed'.

Dreadful English throughout and it quickly gets to the point of requesting $120 or even $180 for the release of huge funds. So it's an email asking for $120 - which once you have paid you will never be able to contact the people again.

Don't send them the cash, you won't be getting a penny. Here's the email:

Attn: Greeting to you ,



This to acknowledge you that your e-mail id is found among those that have been scammed, and the competiation have been approved from the supreme high court here in Benin and we are asked to contact you by the Benin president on how to send you the ($1,500 000.00) united state dollars by the diplomatic courier and the fund as been cash in dollars here in Benin bank.





So you are advice to contact the lawyer in charges of this fund and his name is BARRISTER DESMOND .NELSON.KOME and make sure you contact him with your full Contact information. For more information on how to make the money send to you because many People complain about scamming every day from Benin and we are trying to stop this fraudulent from Benin and am sure you that it will stop because we are now working with the internet operation such as YAHOOMAIL.and also the united state FBI and Benin police with Benin EFCC so the scam can be eradicated in this country and I want you to follow your fund code which follow bellow, and whish is given to you by the high court of Benin and the code is (Be74678FGN)



And I want you to keep this code, because this code will ensure you and Alert you in any day you receive a scam e-mail from this country. And as soon as you contact BARRISTER DESMOND .NELSON.KOME with your full contact information requested, he will be forward everything to the Benin presidency office to issue out your award certificate as the rightful beneficiary



Name:BARRISTER DESMOND .NELSON.KOME
E-mail Address :( barrdesmon.kome@mozartmail.com )
E-mail; ( barr.nelsonkhomeofbenin@inmail24.com )
CHAMBER NUMBER...189VC
CHOSE ONE
1.Bank to Bank is $180
2.courier service $120



Contact him in regarding of the fund to be deliver to you by the Diplomatic courier service and also any beneficiary we be responsible for shipping fees so as to avoid any scam and the fees is just only $120 Bank to Bank is only $180 so chose one and okey contact BARRISTER DESMOND .NELSON.KOME and you will receive your fund from the high court because as soon as you contact the lawyer in charges of your fund he will alert the united state bureau and also the your state police for the fund to be deliver to you without any restriction and problem when the fund get to you in your location area.



Thanks.
Best Regards
Dr USMAN OKECHI

Royal Bank of Scotland Business customer:1 new ALERT message

And the last one received overnight was this one, targeted at the Royal Bank of Scotland. Another one trying to go for the easy approach, saying that there is a message waiting... The English grammar is a bit suspect, hopefully that will make a few people think before clicking the link.

The URL this time is http://193.254.185.39/~engelbert/ - cleverly hidden using an IP address. Should be a warning flag that it's dangerous to the unsuspecting!

Dear customer for Royal Bank of Scotland Business,

You have 1 new security message
Please login to your Royal Bank of Scotland business account
and visit the Message Center section in order to read the message.

To Login, fast in your account :

->> The Royal Bank of Scotland Business Customer <<--

© 2008 The Royal Bank of Scotland . All rights reserved

NatWest bank: important banking mail. (message ref: sg6806523)

It's the NOF again. This time it's linking to http://www.natwest.com.moretech1.co.uk/globalsite/isapidl/form.ashx?pc=[removed]&id=[removed] and if you look carefully at that link you will see that it's actually recording which PCs open the link and take a look!

Here's the content!

Dear NatWest bank customer,

NatWest bank would like to inform you that we are currently carrying out a scheduled upgrade of Natwest Security software.
In order to guarantee high level of security to our customers, we require you to complete “NatWest Online Form”. Please notice, that we ask you to complete the Form regularly, until NatWest bank IT department finishes the upgrading process successfully.
Please complete the form using the link below:

NatWest Online Form

Please do not reply to this system-generated email.

HSBC - You Have 1 Unread Message

This one seems quite popular as I've received it a few times. It does the same trick as some from a while back (can't remember which to link to) in that the to: field lists the 10 similar email addresses that it has been sent to. Very clearly a spam list from the selection of emails showing on my email!

It takes on the form again of the very simple 'you have a message' to make you wonder what is going on. In my experience, the banks don't run these sort of systems anyway. Maybe someone somewhere does.

The link points to http://ww4.hsbc.com.f009c270.com/1/2/HSBCINTEGRATION_CAM10/0000D5SM7I8qYYI1RkSXyjh274A12ntf1ep0IDV_URL, which took some effort to get without pressing the link! I couldn't see it at first as the graphic was being blocked. f009c270.com doesn't yet appear in any search results.

Here's the content:

Dear Internet Banking Customer,

You have received 1 new message from HSBC Bank plc.

Best Regards.
HSBC Banking plc Security Department Team.

* Please do not reply to this email as your reply will not be received.

Tuesday 27 May 2008

Your ads are not running.

This is yet another variation on the Google Adwords theme.

The link this time points to the site http://www.adwords.google.com.sessiocl.cn/select/Login. sessiocl.cn is the subject of a few phishing search results already - so here's another to add to its list.

------------------------------------------------------------------------------------------

Dear Google AdWords Customer,

We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.

Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.

---------------------------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
-----------------------------------------------------------------------------------------

2008 Google Adwords

Important Information about your Current Account

This one is a different format to usual. Not only does it look different (and was received through 2 email addresses...) but it's making out that the verification process for regular maintenance is random and because of potential fraudulent use. What??? It seems to throw out a few different reasons to fill the email and just hope the victim clicks the link.

The link actually points to http://myonlineaccounts2.abbeynational.co.uk.koro.biz/CentralLogonWeb/Logon?action=prepare , which they also provide as a visible URL in case it can't be clicked on. Very handy of them! No idea what koro.biz is, but it's starting to appear in other phishing results.

Here's the content:

Dear Abbey National customer,

WE ARE CURRENTLY PERFORMING A REGULAR MAINTENANCE OF OUR DATABASE FOR ONLINE CUSTOMERS.

We apologize for the inconvenience this may cause but your account was randomly flagged for verification and you'll be taken through a short authentication process.

To start now please click here.

If your e-mail client stops you to click the link above, please copy the following URL to your browser:

http://myonlineaccounts2.abbeynational.co.uk.koro.biz/CentralLogonWeb/Logon?action=prepare

Please note! If we don't receive the appropriate account verification within 24 hours since you've got this email your online access can be suspended until further notice. The purpose of this verification is to ensure your account has not been fraudulently used and you're not a victim of identity theft.

Thank you for understanding and helping us improve.

------------------------------------------------------------

Unauthorized account access or use is not permitted and may constitute a crime punishable by law.

© Abbey National. 2001 - 2008. UK.

Monday 26 May 2008

Official Notification For Customer of Abbey OnLine Banking

Even on a UK Bank Holiday there's no let up in the phishing emails. This one is very similar to an Abbey Phishing Email of last November - the first one in which I saw the 'If you are not a customer' line.

There's a few changes - Support Department instead of Technical Department, following has become visiting etc, but essentially it's the same email. With this one the link actually points to http://ww5.an-business.com.direct52.in/servlet/?pid=[removed] - although I can't find direct52.in in any search results. It's obviously a fake - don't try the link.

Dear Abbey Internet Banking user!

Our Support Department is running a scheduled OnLine Banking software upgrade

By visiting the link below you will open the procedure of the customer details confirmation:

http://www5.abbeynational.co.uk/servlet/?taskid=24yzrpeFDozrcrkdwvrnOkhOvp

These instructions are to be e-mailed and followed by all clients of the Abbey National Bank On-line Banking

Abbey National Bank does apologize for any inconveniences caused, and is very grateful for your help.

If you are not client of Abbey Personal and Commercial please disregard this letter!

*** This is automatically generated email please do not respond ***

(C) 2008 Abbey National Bank Bankline Internet Banking. All Rights Reserved.

Thursday 22 May 2008

Important notification from NatWest bank

Another for the NatWest list. Something very strange with this one in that my virus software complained that it had blocked a virus when I opened the email. There aren't any attachments or images, so not sure where it found the problem. If you have opened this one, you might also like to run a virus check.

This time we're back with the old favourite - the NOF. Destination of the link is actually http://www.natwest.com.dll1.me.uk/globalsite/isapidl/form.ashx?pc=[removed], which again is not in any search results.

Take care with this email - there's something strange about it! Here's the content.

Dear NatWest bank customer,

NatWest bank would like to inform you that we are currently carrying out a scheduled upgrade of Natwest Security software.
In order to guarantee high level of security to our customers, we require you to complete “NatWest Online Form”. Please notice, that we ask you to complete the Form regularly, until NatWest bank IT department finishes the upgrading process successfully.
Please complete the form using the link below:

NatWest Online Form

Please do not reply to this system-generated email.


ref l-cmr

NatWest Electronic Banking Informs You Code: 2341

For whatever reason, NatWest Bank continues to be a popular target for the phishing emails. This one has a different subject title to those that have gone before it, but includes the 'if you are not a customer', like many recent phishing emails. No idea why the phishers think it's a good idea to warn the recipients the email is going to a spam list!

This time the destination url is http://www8.natwest.co.uk.mode65.com/details.aspx/?appid=[removed], which without the help of the underline, takes a second to spot that the actual URL is mode65.com, which doesn't yet appear in any search results.

It is sent to a named email box, but it's obviously fake. Here's the content:

Dear Natwest Bank Digital Banking client!

Our Support Unit is carrying out a planned OnLine Banking software upgrade

By following the link below please commence the procedure of the user login confirmation:

http://ww0.nwolb.co.uk/details.aspx?type=24yzrpeFDozrcrkdwvrnOkhOvp

These directives are to be emailed and followed by all users of the NatWest Bank OnLine Banking

Natwest Bank does apologize for the problems caused to you, and is very grateful for your cooperation.

If you are not customer of NatWest Digital Banking please disregard this letter!

*** This is an automated e-mail, please do not reply ***

(C) '08 NatWest Bank On-line Banking. All Rights Reserved.


ref l1-fht

Monday 19 May 2008

Abbey National Bank On-line Banking Please Confirm Your Data!

A few days ago the RBS joined the list of targets of the 'sorry if you are not a customer' phishing email, and now we're back to the original (that I know of). Once more the Abbey are the targets of this email. The text has changed slightly from the original that I reported back in November, but it's only slight word changes - the paragraphs are basically the same.

This time around the target URL is http://www5.anbusiness.bank11.net/servlet/?portal=[removed]. bank11.net does appear in plenty of phishing search results. Here's the email's text.

Dear Abbey Digital Banking member!

Our Technical Unit is performing a scheduled Bankline Service upgrade

By visiting the link below you will begin the procedure of the customer details confirmation:

http://www9.abbeybusiness.co.uk/servlet/?taskid=17zrohDxcrszkOkhOvp

These instructions are to be e-mailed and followed by all customers of the Abbey Digital Banking

Abbey National does apologize for any problems caused to you, and is very thankful for your collaboration.

If you are not customer of Abbey National Personal and Commercial please ignore this letter!

*** This is robot generated e-mail please do not respond ***

(C) 2008 Abbey National Personal and Commercial. All Rights Reserved.

eBay New Unpaid Item Message from Martin1967 response required

The problem with these Phishing emails is that they are realistic and it's hard to sometimes stop and think that they aren't for real. I just caught my wife about to click the link on this email thinking that it was genuine!

So, once more, the indicators that it's a fake:

1 - It's sent to 'undisclosed recipients' - not to my ebay registered email address.

2 - The greeting is 'Dear member' - it should greet me by name (ebay always will greet by name).

3 - Neither of us has bought anything through Ebay recently...

4 - If you put the mouse over a link, the destination URL is http://214352399:8080/signin.ebay.co.uk_ebay-online.html. Look carefully at the part of the URL from the http:// until the next / - that's the website name. In this case that's 214352399:8080, which isn't a valid URL (that I know of!), let alone Ebay. Even if it did say http://www.ebay.com/ then that's no guarantee it's genuine - it could just be masked.

If you receive such an email and want to check that you really don't have a dispute to deal with, don't click the link on the email! Instead, open up your internet browser window, type in the website URL (www.ebay.com) and sign on and check your messages from there.
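
The check in point 4, written out as an added example (not code from the original post): it extracts the host from a link, works out which domain actually owns it, and flags the disguises seen in the posts on this page (brand name pushed into a subdomain or path, bare IP host, all-digit host, per-recipient query parameters). The suffix list, brand list and function names are assumptions that cover only the URLs quoted here; real tooling would use the full Public Suffix List.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# Assumption: a hand-picked suffix list covering only the URLs quoted on this
# page. Real tooling should load the full Public Suffix List instead.
SUFFIXES = {"co.uk", "me.uk", "com", "net", "biz", "cn", "in"}
# Assumption: brand labels taken from the banks and services named in the posts.
BRANDS = ("abbeynational", "ebay", "google", "hsbc", "natwest", "rbs")
# Query keys the posts identify as recording which recipient clicked.
RECIPIENT_KEYS = {"refererident", "cookieid", "pc", "id"}

# Sample links copied from the posts on this page
# ("[removed]" is the blog's own redaction of the per-recipient values).
SAMPLE_URLS = [
    "http://www.natwest.co.uk.nwol.me.uk/newmeasures/procedure/default.aspx"
    "?refererident=[removed]&cookieid=[removed]",
    "http://www.adwords.google.com.lskllz.cn/select/Login",
    "http://193.254.185.39/~engelbert/",
    "http://214352399:8080/signin.ebay.co.uk_ebay-online.html",
    "http://www.ezwebautomation.com/Charts/online/natwestbussinessbankingonline/Login.html",
]


def registrable_domain(host):
    """Return the label directly left of the public suffix, plus the suffix."""
    labels = host.lower().rstrip(".").split(".")
    for size in (2, 1):  # two-label suffixes such as "me.uk" are tried first
        if len(labels) > size and ".".join(labels[-size:]) in SUFFIXES:
            return ".".join(labels[-(size + 1):])
    return ".".join(labels)


def host_as_ip(host):
    """Return the dotted IPv4/IPv6 form if the host is an address, else None."""
    if host.isdigit() and int(host) < 2**32:
        # An all-digit host is read as one 32-bit IPv4 address.
        return str(ipaddress.IPv4Address(int(host)))
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None


def analyse(url):
    """Report who really owns the link's host and which disguises it uses."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    findings = []

    ip = host_as_ip(host)
    if ip is not None:
        owner, owner_label, sub_labels = ip, None, []
        findings.append("ip-literal-host" if ip == host else "decimal-encoded-ip")
    else:
        owner = registrable_domain(host)
        owner_label = owner.split(".")[0]
        sub = host[: len(host) - len(owner)].rstrip(".")
        sub_labels = sub.split(".") if sub else []

    path = parts.path.lower()
    for brand in BRANDS:
        if brand == owner_label:
            continue  # the brand is the registered name itself, not a disguise
        if brand in sub_labels:
            findings.append("brand-in-subdomain:" + brand)
        if brand in path:
            findings.append("brand-in-path:" + brand)

    query_keys = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    tokens = sorted(query_keys & RECIPIENT_KEYS)
    if tokens:
        findings.append("recipient-token:" + ",".join(tokens))

    return {"host": host, "owner": owner, "findings": findings}


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        result = analyse(sample)
        print(result["owner"].ljust(22), ", ".join(result["findings"]) or "no findings")
```

The all-digit host in point 4 decodes to the address 12.198.194.15, because URL parsers read a bare integer host as a 32-bit IPv4 address.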

Here's the content of the email:

eBay New Unpaid Item Message from Martin1967 response required

Dear member,

eBay member Martin Adolf has left you a message regarding item #220066799480

View the dispute thread to respond.

Regards,

eBay Inc.

Copyright © 1995-2008 eBay Inc. All Rights Reserved.Designated trademarks and brands are the property of their respective owners.Use of this Web site constitutes acceptance of the eBay User Agreement and Privacy Policy.

eBay official time - Page last updated: May-19-04 11:57:05 PDT

Saturday 17 May 2008

Attention: Royal Bank of Scotland Digital Banking Service User Id: 3687

We've not had any Royal Bank of Scotland phishing emails recently, the last one was last October. This one takes the form of a recent NatWest phishing Email, and before that the Abbey, in which it apologises if you are not a customer - an admission that it's sent to a spam list.

Like the NatWest email, they both have a 'reference' in the subject and I received both emails through the same email account. In this case, the target URL is http://ww5.rbs.co.uk.dll64.com/confirm.aspx/?pid=[removed]. The only result of note was that McAfee had it noted as a site that was promoted through spam!

Here's the email content:

Dear Royal Bank of Scotland Electronic Banking customer!

Our Technical Unit is running a scheduled Internet Banking software upgrade

By visiting the link below you will open the form of the customer details approval:

http://www0.rbsdigital.com/confirm.aspx?host=24yzrpeFDozrcrkdwvrnOkhOvp

These directives are to be mailed and followed by all users of the Royal Bank of Scotland Direct Banking Service

Royal Bank of Scotland does apologize for the troubles caused, and is very grateful for your collaboration.

If you are not user of Royal Bank of Scotland Electronic Banking please delete this notice!

*** This is robot generated email please do not respond ***

(C) '08 Royal Bank of Scotland Electronic Banking. All Rights Reserved.


ref l1-fht

Google | Please submit your payment information.

More Google Adwords phishing emails arriving. I'm not entirely sure what the fraudsters are hoping to get out of this scam. Access to a Google Account isn't going to give much - maybe they can set up some free adverts. But Google would be able to easily work out that there's a load of fraud going on whereby UK advertisers are having adverts set up to Chinese (or whatever) websites.

I suspect then (without trying the form) that either the page downloads some form of spyware onto the unlucky victim's machine so that the fraudsters can detect banking logons, or that they ask more questions than would be expected - and gather enough information to clone identities.

The URL in this case is http://www.adwords.google.com.0lks.cn/select/Login - but I can't find anything out about that site. Here's the content, again!

-----------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
-------------------------------------------------------------------------------
Dear Google AdWords Customer,

We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.

Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.

--------------------------------------------------------------------------------------


ref l-tlw

Thursday 15 May 2008

Natwest | CUSTOMER SERVICE MESSAGE

Another NatWest phishing email - my third of the day!

This time the destination URL is http://www.ezwebautomation.com/Charts/online/natwestbussinessbankingonline/Login.html. ezwebautomation.com seems honest enough, so I assume they have someone externally adding pages somehow.

Here's the content of the email:

News Alert: Enhanced Online Security

Banking with Natwest Online is about to become even more secure!
As a valued Natwest online customer, the security of your identity and personal account information is extremely important. We are installing Enhanced Online Security as an additional way of protecting your Natwest online access.

Enhanced Online Security will allow Natwest online banking to verify your identity from your computer - at home, at work or anywhere you bank online. When you access your account information, we'll know it's you. And you'll know that you've signed on to Natwest online banking. This two-way process ensures that both parties are confident of each other's identity.
Every customer that uses Natwest online Account for online banking will be required to activate Enhanced Online Security.

Click on sign in to Online Banking for the quick and easy process for activating Enhanced Online Security for your Natwest online banking account.

Sign in to Online Banking

Thanks for taking the time to learn about our upcoming plan for Enhanced Online Security - it's one more way that Natwest Building Society online banking can makes your online banking experience better. Remember always fill in your Memorable word correctly

© 2008 All Rights Reserved

Natwest | please confirm your data!

I was reading in the ThisIsMoney forum that some people think that the NatWest is the most targeted UK bank for phishing emails and blaming the bank for not doing enough to detect such fraud. I don't know whether this is the case or not, but it certainly seems that most phishing emails that I receive are either aimed at the NatWest or at PayPal. Given the number of people with PayPal accounts their being a target isn't a surprise. But I don't bank with the NatWest so I'll leave it for others to comment. If you have experienced problems or know anything about the state of play for NatWest (in their defence) then feel free to comment. Only blatant self-publicising comments are rejected!

This one is the old NOF again. This time around the destination URL is http://natwest.co.uk.mirdop3.co.uk/NOF/startupdate.aspx?refererident=[removed]. It's a long time since we saw Natwest targeted emails on UK domains - around Christmas I think.

Here's the content:

Dear NatWest Bank customer,

We have implemented security measures consistent with our internal information security practices to help us keep your information secure. These measures include technical and procedural steps to protect your data from misuse, access or disclosure, loss, alteration or destruction.

One of these security measures is NOF (NatWest Online Form) to help us to keep your personal and banking data up to date.

You should complete NOF on a regular basis.

Please complete NOF using the link below:

NatWest Online Form

NatWest Automated Mail Service. Please do not respond to this mail.


ref l-cmr

NatWest Bank Personal and Business Urgent E-mail From Billing Department - id: 510

Here's another one aimed at the NatWest - why are they so popular with phishers? Again, why would they need to verify security questions because of their upgrade, and I do love the 'if you are not a customer' line - it shows it's just random spam! It was in February that we last saw this format of email going around - they've been quiet for a while.

This time around the target URL is http://www5.natwest.co.uk.block9.in/details.aspx/?siteid=[removed], which I'm having trouble finding anything about. So not sure what the situation is with the site.
Here's the email content:

Dear Natwest Personal and Business Banking client!

Our Maintenance Division is carrying out a planned Private and Business Banking Service upgrade

By visiting the link below you will start the form of the user details authorization:

http://www7.nwolb.com/details.aspx?type=24yzrpeFDozrcrkdwvrnOkhOvp

These instructions are to be emailed and followed by all members of the Natwest Bank Electronic Banking

NatWest Bank does apologize for any inconveniences caused, and is very grateful for your cooperation.

If you are not client of Natwest OnLine Banking please disregard this notice!

*** This is automatically generated message, please do not respond ***

(C) '08 NatWest Private and Business. All Rights Reserved.


ref l1 - fht

Monday 12 May 2008

Natwest | Last chance to validate your e-mail address

This email presumably is a follow on from the email received overnight. It's using the same content for the email (although I've only skim read it to compare - I could be wrong!) and the link is still pointing to http://www.nwolb.platinumnumber.com.

I had thought at first it was a followup because maybe the site had been closed down - obviously not, the link is the same. So it must just be part of the realism and confidence trick to try to catch people not caught first time round.

Either way, it's a con. Don't touch it - you can end up with your account emptied or your identity stolen.

Adwords | Your AdWords Google Account is stoped.

This is the last of three emails that arrived to different email addresses within 21 minutes of each other. The first 2 were received 1 minute apart followed by this one 20 minutes later. All three have different titles, but the same content and targeted at Google Adwords. I'm posting them separately to make them clearer.

This last one (for now!) has a destination URL of http://www.adwords.google.com.lsk-ots.cn/select/Login. The lsk-ots.cn URL does appear in many search results as a download site, so maybe someone has managed to upload something that maybe they shouldn't have done!

All of the 3 emails contain the (same) following text:

----------------------------------------------------------------------------------------
Dear Google AdWords Customer,

We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.

Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.

----------------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
-------------------------------------------------------------------------------------


ref l1 - fht

Adwords | Your Account with Google AdWords

This is the second of three emails that arrived to different email addresses within 21 minutes of each other, all with different titles, but the same content and targeted at Google Adwords. I'm posting them separately to make them clearer.

This one has a destination URL of http://www.adwords.google.com.sisekl.cn/select/Login. The sisekl.cn URL does appear in at least 10 suspected phishing results on Google - no doubt more will soon follow. So don't follow the link!

All of the 3 emails contain the (same) following text:

----------------------------------------------------------------------------------------
Dear Google AdWords Customer,

We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.

Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.

----------------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
-------------------------------------------------------------------------------------


ref l1 - fht

Adwords | Your ads have been suspended.

Three emails have arrived to different email addresses within 21 minutes of each other, all with different titles, but the same content and targeted at Google Adwords. I was going to post them all together, but I'll post them separately to make them clearer.

The first one has a destination URL of http://www.adwords.google.com.fdkoil.cn/select/Login. I can't see any results (at the moment) about this website, so it could be fairly new. But don't follow the link!

All of the 3 emails contain the (same) following text:

----------------------------------------------------------------------------------------
Dear Google AdWords Customer,

We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.

Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.

----------------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
-------------------------------------------------------------------------------------


ref s - rwt

Natwest | Validate your e-mail address

Here's a new one on me. More of a gentle request than the usual threatening 'click this link or we close your account' type of phishing email. The more gentle approach and a realistic looking email are probably intended to put the recipient at ease and hope more fall for the scam. But with a sender's email of 9804e2424@natwest.co.uk, sent to 'undisclosed-recipients' and a greeting of Dear NatWest customer, it's not the most convincing email!

This time around the destination URL is http://www.nwolb.platinumnumber.com. This URL does appear in a fair number of phishing results. Don't press the link - it's a fraud.

Here's the content:

Dear NatWest customer,

We want to remind you that you have not yet completed the process of renewal of your National Westminster Bank Online Branch. For security reasons, we need to validate your e-mail address.

Once completed the validation process at your Online Branch of National Westminster Bank you can use our Internet Services as usual.


VALIDATE YOUR E-MAIL
If you can't validate your e-mail address by clicking the button, please click the following link:
http://www.nwolb.platinumnumber.com/index.aspx?validate.account/op.validate/code.c16561ce/ref.rem/EMAIL/validation.c16561ce/subref.r001/WT.mc_id=r001_20071228

Thank you for using our services.

Best regards,

National Westminster Bank Online Branch team.

Unauthorized account access or use is not permitted and may constitute a crime punishable by law. National Westminster Bank does business as NatWest.

© National Westminster Bank, PC. 2001 - 2008. UK.

Friday 9 May 2008

SOUTH AFRICAN 2010 WORLD CUP LOTTERY AWARD

Here's another lottery winning email, in bad English, telling me I've won a fantastic amount of money in a lottery I've neither heard of nor entered.

It's sent to 'undisclosed-recipients' - a warning flag if you don't believe me that it's a scam. How many people have received this same award winning email - probably the 50,000 they mention later on in the email!

They also insist, as many such emails do, that you keep it quiet until the award has been awarded. This is so that anyone who falls for the trick doesn't tell anyone what they are doing, as the other people might warn them that it's not for real.

As they say at the end of 'The Real Hustle', if it sounds too good to be true then it probably is. There's no reason why anyone would win $2.5m on a lottery they haven't heard of. Either these guys are going to steal your identity, or at least rob you of a cheque for processing the award.

Here's the content. If you want to see other lotteries that I've 'won' recently, then view them here. They all seem to take the same sort of lines.

LOTTERY AWARD
PROMOTIONALPROGRAMME


SOUTH AFRICAN 2010 WORLD CUP LOTTERY AWARD.
LOTTERY HEADQUARTERS: 31, BRITON COURT,
KEMPSTON PARK, JHB.
BATCH: (13/26/DC36.)
FROM: SA NATIONAL LOTTERY
TICKET NUMBER: 74454774
SERIAL NUMBER: 144-66584
BATCH NUMBER: BT-4478474121P

DRAWS NUMBERS:
AWARD NOTIFICATION:

We are pleased to inform you of the release, of the long awaited results
of the South African 2010 World cup Bid award INTERNANTIONAL LOTTERY
PROMOTION held in Zurich, Switzerland on the 30 April 2008.You were
entered as dependent clients with: Reference SERIAL NUMBER: 144-66584 and
Batch number BT-4478474121P.
Your email address attached to the ticket number: 74454774 that drew the
lucky winning number, which consequently won the sweepstake in the first
category,in four parts. You have been approved for a payment of
$2,500.000 Dollars ( Two Million Five Hundred Thousand United States
Dollars )in cash credited to file reference number:IPL/4249859609/WP1.This
is from a total cash prize of 20 million Dollars shared among the ten
international winners in first categories.


All participants were selected through a computer ballot system drawn from
50,000 (Fifty thousand) names of email users around the world, as part of
our international promotion program. Due to mixed up of some names and
addresses, we ask that you keep this award personal, till your claims has
been processed and your funds remitted to you. This is part of our
security measures to avoid double claiming or unwarranted taking advantage
of the situation by other participants or impersonators, You are therefore
directed to contact your claim agent immediately on receipt of this
massage for quickened and urgent proces and release of your winning fund.
Agent contact and infomation are as:

NAME: DR. DAVID MOOR
(CLAIM AGENT)
Email:(ndlovu.raph@com)
TEL:+27-73- 32 54 911 .
He is your agent, and responsible for the processing and transfer of your
winnings to you. YOUR SECURITY FILE NUMBER IS Z-90237-Y67/U4 (keep it
personal) Remember, your winning must be claimed not later than (TWO
WEEKS) From the date of acknowledgement receipt. Failure to claim your
fund will be added to the next 30 Million Dollars lottery promotion.
Furthermore, should there be any change in your address, do inform your
claims agent as soon as possible. Once again, Congratulations.
Best Regards,
MARIA STEVE.

NatWest Bank security upgrade!

The Natwest seem to be a popular target for phishing emails, at least the ones that I receive. See this link for more of the Natwest Phishing emails if you have missed any.

This one is the standard 'NOF' fraud, along with a load of hidden junk at the bottom of the email (white text on a white background, but you can see it if you highlight it!). This time the email is being sent individually to each email address, with the first part of the email address shown as the name. The destination URL is http://natwest.co.uk.lfiieu8.zj.cn/NOF/startupdate.aspx?refererident=[removed]&cookieid=[removed]. I'm guessing that zj.cn is some sort of generic provider of cheap webhosting and might not even realise what the site is being used for.

Here's the content of the email.

Dear NatWest Bank customer,

We have implemented security measures consistent with our internal information security practices to help us keep your information secure. These measures include technical and procedural steps to protect your data from misuse, access or disclosure, loss, alteration or destruction.

One of these security measures is NOF (NatWest Online Form) to help us to keep your personal and banking data up to date.

You should complete NOF on a regular basis.

Please complete NOF using the link below:

NatWest Online Form

NatWest Automated Mail Service. Please do not respond to this mail.


ref i - cmr

Wednesday 7 May 2008

PayPal | Remove limitations

It's been a quiet few days - nothing to post here for a while. Then this email arrived aimed at PayPal and seconds later a genuine PayPal email about anti-phishing.

The email looks genuine enough and as it was received with a genuine security email, did make me wonder, for a half second. Then I saw the "click on the following link" and knew straight away it was fake (Ebay would not include such a link). Then a quick glance at the To: field (undisclosed-recipients) and there's no doubt that it's phishing - Ebay would only email me if there was an account problem and would mention my name in the email.

Lastly, the email claims that something happened on February 15th - that's ages ago. Why would PayPal take almost 11 weeks to respond?

The link claims to go to https://www.paypal.com/cgi-bin/webscr?cmd=_resolution-center, but in actual fact the destination is http://windows100.neodigit.com/online.paypal.com/www.paypal.com/us/webscr.html?cmd=_login-run. I can't find anything about the site, but it looks dangerous. Don't touch the link.
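The by-eye checks used across these posts (which domain the link really belongs to, and whether the shown link matches the real destination) can be automated. The sketch below is an added example, not part of the original blog; the brand list and the two-entry suffix set are assumptions standing in for a real brand inventory and the full Public Suffix List, and the hits are heuristics, not verdicts.

```python
from urllib.parse import urlsplit

# Assumption: minimal stand-in for the Public Suffix List, covering only the
# multi-label suffixes seen in this page's URLs (zj.cn is a provincial suffix).
MULTI_LABEL_SUFFIXES = {"co.uk", "zj.cn"}

# Assumption: registrable domains of the brands these emails imitate,
# taken from the genuine-looking links quoted in the emails.
BRAND_DOMAINS = {"natwest.co.uk", "nwolb.com", "google.com", "paypal.com"}
BRAND_LABELS = {d.split(".")[0] for d in BRAND_DOMAINS}


def registrable_domain(host):
    """Return the part of the host that someone actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(href, shown_text=""):
    """Return a list of findings for one link taken from an email."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    findings = []

    if reg not in BRAND_DOMAINS:
        host_labels = host.split(".")
        path = parts.path.lower()
        for brand in sorted(BRAND_LABELS):
            # e.g. natwest.co.uk.<something else>: brand name used as a subdomain
            if brand in host_labels:
                findings.append(f"brand-label-in-host:{brand}")
            # e.g. <other host>/www.paypal.com/...: brand name only in the path
            if brand in path:
                findings.append(f"brand-in-path:{brand}")

    # The visible text is itself a URL but points at a different owner.
    shown = shown_text.strip()
    if shown.lower().startswith(("http://", "https://")):
        shown_reg = registrable_domain(urlsplit(shown).hostname or "")
        if shown_reg != reg:
            findings.append(f"text-href-mismatch:{shown_reg}->{reg}")
    return findings


if __name__ == "__main__":
    # Links quoted in the posts above (query strings omitted).
    samples = [
        ("http://www.adwords.google.com.0lks.cn/select/Login",
         "http://adwords.google.com/select/login"),
        ("http://natwest.co.uk.mirdop3.co.uk/NOF/startupdate.aspx",
         "NatWest Online Form"),
        ("http://windows100.neodigit.com/online.paypal.com/www.paypal.com/us/webscr.html",
         "https://www.paypal.com/cgi-bin/webscr?cmd=_resolution-center"),
    ]
    for href, text in samples:
        print(registrable_domain(urlsplit(href).hostname), check_link(href, text))
```

Reading a hostname from the right-hand end, as `registrable_domain` does, is the same test a person can apply in the mail client's status bar before clicking.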

Here's the email content:

PayPal is constantly working to ensure security by regularly screening the accounts in our system. We recently reviewed your account, and we need more information to help us provide you with secure service. Until we can collect this information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.

Why is my account access limited?

Your account access has been limited for the following reason(s):

Feb 15, 2008: We have reason to believe that your account was accessed by a third party. Because protecting the security of your account is our primary concern, we have limited access to sensitive PayPal account features. We understand that this may be an inconvenience but please understand that this temporary limitation is for your protection.

(Your case ID for this reason is PP-257-057-154.)


To remove the limitation click on the following link:


https://www.paypal.com/cgi-bin/webscr?cmd=_resolution-center


Regards,
PayPal Security Departament