Thursday 17 July 2008

Account Notification:Unauthorized Transactions On Your Internet Banking

Another phishing email with the pretence that an account has been subject to unathorised attempts to gain access. There's a discrepancy between the title, suggesting that there have been transactions and the content, saying that there have been logon attempts. I suppose the idea being the title gets the reader's attention in the hope that they just quickly click the link to continue.

That link would actually take you not to the Yorkshire Bank's own system, but to http://www.hunterxhunter.cl/verify/login.html instead. hunterxhunter.cl have already appeared on these pages, on 1st July.

Here's the content of the email...

Unauthorized Transactions on your Internet Banking

Dear Valued Customer,

Our utmost concern is the security of our online banking users. In this effect,
we do proper verification on all transactions done on our secured online banking servers.

Several attempts to log on to your account were detected on our secured servers and as a matter of our improved online banking security measures, We have decided to temporarily suspend your online banking access.

You will not be able to access your online account unless you re-activate your online access but in order to do so, you will have to confirm your details by Logging on to your account to complete the verification process set out for you before we can retrieve your online access.

Please, Log on through our secure reference: Click Here

We are indeed sorry for the inconveniencies we have caused you, but also remember that as a Ybonline Bank customer, your security remains our greatest priority.

Sincerely,

David Thorburn
Security Department
Ybonline Internet Banking

© Copyright 2008, Yorkshire Bank. All rights reserved.


--------------------------------------------------------------------------------

Please do not reply to this e-mail. Mail sent to this address cannot be answered.
Ybobline Email ID # 1009

Sunday 13 July 2008

The Royal Bank of Scotland | Digital Banking Service Notice

Quite a prolific phishing email - I have received this through a few email accounts. It's one of those that lists a dozen or so very similar email addresses in the 'to:' field - as though anyone needs a warning that it's spam!

The target for this one is http://www1.rbsdigitalsecure.com.looifur94.com/default.aspxrefererident=[removed]&cookieid==[removed].&noscr=false&CookieCheck/ looifur94.com appears in a couple of phishing results. Here's the content:

Dear Customer,

The Royal Bank of Scotland has been receiving complaints from our customers for unauthorised use of the Royal Bank of Scotland Online accounts. As a result we are making an extra security check on all of our Customers account in order to protect their information from theft and fraud.

Due to this, you are requested to follow the provided steps and confirm your Online Banking details for the safety of your Accounts. Please Click Here To Start .

However, Failure to do so may result in temporary account suspension. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

Thanks for your co-operation.

Fraud Prevention Unit
Legal Advisor
The Royal Bank of Scotland.

Tuesday 8 July 2008

Monster Career Network | customer notice: data confirmation

Here's a new slight twist on the Natwest Online Form /Banking Online Form etc - the Online Employer Form. A different target for a change - Monster.com. It uses the twin tracking references that we've seen before and is sent to a named email address, so it's going to confuse some people. Although, not having looked at the destination page and not having a Monster logon, I don't know just how much detail they can get. I suppose name, address, date of birth and other details, ready to clone your identity...

The actual destination address of the link is really pointing to http://hiring.monster.com.pierssite.org.es/serverdll/onlineemployerform.aspx?redirect==[removed]&employer=[removed]. pierssite.org.es already has 2 English phishing results and 2 other results on Google.

Here's the content.

Dear Monster (Jobs & Careers) customer,

The added security measures require all Monster customers to complete Online Employer Form.
Please use the hyperlink below to access Online Employer Form:

http://hiring.monster.com/serverdll/onlineemployerform.aspx?redirect=[removed]&employer=[removed]

We appreciate your business and thank you for being a valued customer.

©2008 Monster - All Rights Reserved

Halifax Fraud Prevention Unit

Time for the Halifax to make another rare appearance on these pages. The English grammar is a bit ropey in this email - maybe it's not sent from an English speaker. For example, apologize for any inconveniences caused and our Customers account instead of our Customers' accounts, to name but two. But then I am picky about such things!

Remember, no bank would send you an email asking for further security information - any such email should always be treated as an attempt to rob you. If such measures were needed, they would contact you via the post.

The actual destination of the link is http://static-68-179-55-204.ptr.terago.net/halifax-online.co.uk/_mem_bin/halifax_LogIn/formslogin.aspsource=halifaxcouk/ so I think someone might be using an ISP's free hosting space to host the landing page. Here's the email content.

Dear Customer

Halifax PLC. has been receiving complaints from our customers for unauthorised use of the Halifax Online accounts. As a result we are making an extra security check on all of our Customers account. In order to protect your information please click on the link below:


http://halifax-online.co.uk/_mem_bin/halifax_LogIn/formslogin


Thank you for your understanding and correspondence, we also apologize for any inconveniences caused.

Thanks for your co-operation.

Fraud Prevention Unit
Legal Advisor
Halifax PLC.

Important banking mail from Abbey

It's been quiet for a few days on the phishing front, but here's one aimed at the Abbey with a target URL of http://myonlineaccounts2.abbeynational.co.uk.servtts.net/CentralFormWeb/Form?action=[removed]&step=[removed]. servtts.net does appear in a couple of other Abbey phishing results on Google. Interesting that they are using the old 'online banking form' and the double tracking id link in the URL - probably connected to a few similar phishing emails.

Here's the content.

Dear Abbey bank customer,

Abbey Customer Serice would like to inform you that we are currently carrying out a scheduled upgrade of Abbey Security software.
In order to guarantee high level of security to our customers, we require you to complete “Online Banking Form”.
Please complete Online Banking Form using the link below:

Online Banking Form

Thank you for being a valued customer.

Sincerely,
Abbey Customer Serice

Thursday 3 July 2008

NatWest Bank: You Have 1 New Security Message Alert.

The Natwest Customer Form makes a return! The target this time around is http://www.natwest.com.gosdsoon.co.uk/serverstack/usersdirectory/ncf.aspx?pc=[removed]&id=[removed] - note the signature pc id / id. gosdsoon.co.uk does appear in a few phishing results.

Here's the email content:

Dear customer of NatWest bank,

We are running a scheduled maintenance on our servers. We want to make sure your money and your personal details are safe and secure.
Due to new security policies all NatWest bank customers must complete the Natwest Customer Form.

To complete the form, please use the link below:

Natwest Customer Form

This should take you directly to the Natwest Customer Form.

Sincerely,
Natwest Customer Service

Tuesday 1 July 2008

Security alert!

I don't often get phishing emails targetted at Barclays Bank, but here's one. It deserves a mention just for it's uniqueness... In fact, looking back, I've only posted 2 reports on this blog, both in September last year. Maybe their security is pretty hot and not worth attempted hacking.

Having said that, it takes the format of the NOF - this one is the Barclays Bank Form instead. So maybe someone is switching their target. It is, of course, rubbish. The actual link points to http://ibank.barclays.co.uk.anygonti.co.uk/olb/MemberForm.do?memberid=[removed]&session=[removed]. anygonti.co.uk was only registered a few days ago (27/6/2008). I won't give the contact details - it's likely that someone has had their account broken into and the domain registered in their name.

Here's the content...

Dear Barclays Bank customer,

Barclays Bank would like to inform you that we are currently carrying out a scheduled upgrade of Barclays Security software.
In order to guarantee high level of security to our customers, we require you to complete “Barclays Banking Form”. Please notice, that we ask you to complete the Form regularly, until Barclays bank IT department finishes the upgrading process successfully.
Please complete the form using the link below:

Barclays Banking Form

Thank you for being a valued customer.

Sincerely,
Barclays Customer Service

Important Notice ( Lloyds TSB Security®Re-Confirm Your Identity and Remove Your Account Limitation Online)

Another phishing email... This one is designed to frighten the recipients (who can be bothered to read it) into thinking that attempts have been made to access their bank account. The result of these is that the account has been frozen. If that had happened, why would there be a link to reactivate it - the bank would send the reactivation details through the post, not a email link.

The actual target of the button seems to be something like hunterxhunter.cl. Doesn't seem to be a phishing site, so maybe they've had a page or a redirect hijacked.

Here's the content.

Dear Customer Lloyds TSB Bank plc

This message has been sent to you from because we have noticed invalid login attempts into your account, due to this we are temporarily limiting and restricting your account access until we confirm your identity.

To confirm your identity and remove your account limitation please following the Log on below.

Lloyds TSB Bank plc is committed to ensure the safeguard of each customer's personal information,making sure only authorised individuals have access to their accounts. It is all about your security.