Thursday 26 June 2008

Halifax | This confirmation email has been sent as a security precaution.

The Halifax don't often feature on my list of phishing emails, but here's one. And what a cheap and nasty phishing attempt it is! The link isn't clickable and clearly points to something other than the actual bank - http://host-69-144-30-10.glt-wy.client.bresnan.net/halifax-online.co.uk/. Looking through Google, there are other reports of redirects on that website being hacked to point to the phishing websites.

The email is very basic - the sender obviously has no idea of how to create paragraphs in the email - so it doesn't look at all official. The content is designed to panic people, but I hope that the cheap look and the lack of a link is going to help to stop people copying the link and falling for the trick!

I suspect that the sender has copied some text from a genuine Halifax email and tried (but failed) to use that. The best bit, considering the content added by the sender, is the copied line "Halifax would never send you an email asking you to verify your secure online banking details" - it says it all really! That's probably the most honest bit of the email!

Here's the email:

Dear customer, Thank you for confirming your telephone contact details. If you have made any amendments to your contact details these have now been updated. Please note that if you hold any joint accounts, only your details will be updated. This confirmation email has been sent as a security precaution. If you did not make this number change/confirmation, please visit the website below, phone lines are open 24 hours a day, 7 days a week. http://host-69-144-30-10.glt-wy.client.bresnan.net/halifax-online.co.uk/ Regards, Halifax Online Helpdesk FIGHT ONLINE FRAUD Please do not reply to this email address as it is not monitored and we will be unable to respond. Halifax would never send you an email asking you to verify your secure online banking details. Calls from BT landlines will cost a maximum of 4p per minute and a 6p call set-up fee. The price of calls from other telephone companies will vary. The call price is correct at 25/10/07. . -------------------------------------------------------------------------------------------------------------------- Bank of Scotland plc, Registered in Scotland Number SC327000 Registered office: The Mound, Edinburgh EH1 1YZ. Authorised and regulated by Financial Services Authority

Wednesday 25 June 2008

Lloyds TSB | IMPORTANT: Account Verification needed (June 25, 2008) No.4

Here's an email targeted at someone that doesn't feature too often - Lloyds TSB.

It tries to use the FSA as an excuse for needing more information - just so that they can snare the unlucky recipient into revealing too many details. There's no reason the FSA would make a bank collect more information on customers and they definitely wouldn't tell you to do it through a link pointing to http://portapropiedades.com.ar/sitemap/str/?https://online.lloydstsb.co.uk/customer.ibc?WT.svl=ibcplogon.

portapropiedades.com.ar does appear in other phishing results, but the main site is not written in English, so I've no idea what the rest of the site is about. Here's the email content:

Dear Lloyds TSB Customer,

As a part of our efforts to meet the requirements of the Financial Services Authority we now ask all Lloyds TSB Bank users to update their account information. It's a smart and simple way to add an additional layer of protection to your account.


Please use the link below to update your account:

Click here to continue updating Your Lloyds TSB Account;
(You will be redirected to a Lloyds TSB Banking logon page with an unique Session ID)

Thank you for your continued patronage,
President of Lloyds TSB Bank plc.

Programs and data held on this system belong or are licensed to Lloyds TSB Bank plc and Lloyds TSB Scotland plc. It is an offence to access the programs and data unless you are doing so through your own account using the Passwords and User ID issued to you by Lloyds TSB Bank plc and Lloyds TSB Scotland plc in an authorised manner and in accordance with all applicable laws.

Wednesday 18 June 2008

First Bank | Administration alert!

This is a bank that I've never heard of before. I assume it's an American bank or, if not, some other non-UK bank.

The link points to an IP address - http://69.246.203.213/, so without clicking it's hard to tell what the actual web address is, but I can say with almost guaranteed certainty that it's not the genuine site! Here's the content.

As a Firstbanks customer, your privacy and security always come first. We have been dedicated to customer safety and protection, and our mission remains as strong as ever.

We inform you that your Firstbanks Internet banking account is about to expire. It is strongly recommended to update it immediately. Update form is located here.

However, failure to confirm your records may result in account suspension.

This is an automated message. Please, do not reply.

Sincerely, Firstbanks administration

Your Account with Google AdWords.

Given that these Google Adwords phishing emails only started to appear in March, there have been a good number compared to some of the banks that are being targeted.

For this one, the target URL is http://www.adwords.google.com.oskin.cn/select/Login. I can only find oskin.cn on Google in phishing results, so maybe it's been set up just for that.

Here's the content.

Dear Advertiser,

We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.

Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.

We look forward to providing you with the most effective advertising available.
Thank you for advertising with Google AdWords.

The Google AdWords Team

Abbey | Account Notification: Access To Your Account Has Been Limited

After NatWest (currently 67 posts), Abbey is the second placed banking target on this site, with just 17 posts. It's trying to catch up...

This at least gives a reason for the verification, but from experience I know that when the account is restricted the restrictions are lifted only by posting new cards out - I know, I had to wait without access to my cash until the new card came through!

The actual target URL is http://www.rightleadership.com//poll/pollphp/verify/cgi.htm, which seems to be a perfectly innocent site. I've not tested that the link does work, but I expect that somehow the phishers have broken into the site.

Unauthorized Access Notification

Dear Abbey Bank Customer,

This message has been sent to you from Abbey Bank because we have noticed invalid login attempts into your account, due to this we are temporarily limiting and restricting your account access until we confirm your identity.

We therefore implore you to log into your account to verify any possible findings.

VERIFY

Thank you

Natwest | REGULAR MAINTENANCE

Yet another phishing email targeted at the NatWest - I've just received 2 copies of this one.

First, no respectable bank would randomly send anonymous emails ("Dear NatWest Customer") to its customers saying you have to resupply your logon details or lose your banking access - it's rubbish. Don't believe it!

Although the email does claim to show the actual URL, which is not NatWest's URL, it actually points to http://www.ceazimut.org/auth/login.aspx?action=login. Can't see what that website is about.

Here's the email:

Dear NatWest customer,

WE ARE CURRENTLY PERFORMING A REGULAR MAINTENANCE OF OUR DATABASE FOR ONLINE CUSTOMERS.

We apologize for the inconvenience this may cause but your account was randomly flagged for verification and you'll be taken through a short authentication process.

To start now please click here.

If your e-mail client stops you to click the link above, please copy the following URL to your browser:

http://www.natwest.srvdns.net/index.aspx?action=logon

Please note! If we don't receive the appropriate account verification within 24 hours since you've got this email your online access can be suspended until further notice. The purpose of this verification is to ensure your account has not been fraudulently used and you're not a victim of identity theft.

Thank you for understanding and helping us improve.

------------------------------------------------------------

Unauthorized account access or use is not permitted and may constitute a crime punishable by law.

© NatWest. 2001 - 2008. UK.

Thursday 12 June 2008

NatWest Important Security Notice

A quick count up and over 25% of the phishing emails posted to this blog are aimed at the NatWest, and I don't publish them all - some that are too similar when I'm too busy get deleted rather than posted. Not very helpful, but time isn't always on my side...

So it's not surprising that here's another Natwest phishing email, received by me twice in different email boxes. These are the people that list a dozen or so names in the to: field to send the email to all of those at once. Not very convincing...

The link is harder to cut & paste as it's behind a graphic, but retyping it, it goes something like http://www1.nwolb.com.jgnvvhx742.com/default.aspx etc. Once more, jgnvvhx742.com does appear in a couple of phishing results on Google.

Here's the content.

National Westminster Bank has been receiving complaints from our customers for unauthorised use of the Natwest Online accounts. As a result we periodically review Natwest Online Accounts and temporarily restrict access of those accounts which we think are vunerable to the unauthorised use.

This message has been sent to you from National Westminster Bank because we have noticed invalid login attempts into your account, due to this we are temporarily limiting and restricting your account access until we confirm your identity.

To confirm your identity and remove your account limitation please following the link below.

National Westminster Bank is committed to ensure the safeguard of each customer's personal information, making sure only authorised individuals have access to their accounts. It is all about your security.

Accounts Management As outlined in our User Agreement, Natwest will
periodically send you information about site changes and enhancements.

Visit our Privacy Policy and User Agreement if you have any questions.
http://www.Natwest.com/help/index.jhtml

Natwest | Details confirmation

Does a day go by without this lot sending an email targeted at the poor Natwest??? There's plenty of variations of this about with the referer id / cookie id in the link.

The actual destination of the link points to http://www.natwest.co.uk.harvioe.name/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed]. harvioe.name appears in a couple of phishing results in Google. Here's the content...

Dear NatWest bank customer,

Security and confidentiality are at the heart of Natwest Bankline. Your data (and your money) is protected by a number of technologies, including Secure Sockets Layer (SSL) encryption.
We would like to notify you that NatWest bank carries out customer data verification procedure that is compulsory for all Natwest bank customers. This procedure is attributed to a routine banking software update.

Please login to Natwest online banking using the link below and follow the instructions on the screen.

http://www.natwest.co.uk/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed]

Natwest Customer Service


ref l-cmr

Problems with account Abbey’s Business Bank

Here's a new one. I've not seen this content before and it's targeted at Abbey, who do appear occasionally. The difference is that this time it's targeted at their business division.

The link actually goes to http://ibank.anbusiness.servlet.logonservlet.signon.passcode09u5d125a87hn1j.discover.ceo89u6kj811.business.portal06460.required.4598ry.com/LogonServlet.htm - presumably that complicated setup of subdirectories is to try to bury the actual website name of "4598ry.com", which doesn't yet feature in any Google results (give me a short while...).

I have never seen any genuine emails from Abbey, so I can only assume they don't actually send any (which in my opinion is good). It does look like a genuine (rushed) email, but it's sent to a random account and I'm sure they wouldn't introduce themselves with "Dear Abbey's Business Bank Account Customer". I'm not even sure that is proper English (why the "'s"?).

Don't touch the email, here's the content:

Dear Abbey's Business Bank Account Customer:

Due to the emergency situation with security server, Abbey's Business Service is presently
verifying your web browsers and ip address.
In order to check your security level on a website, please follow the instructions below.

IMPORTANT! Customers must validate personal information today.

Continue>>

This situation involves circumstances outside of our control, so we ask for your patience.
We will keep you advised as the situation changes.

Abbey's Business Bank - Complete Solutions to protect your business and secure your computer.
Thank you.
2008 All Rights Reserved Abbey's Business Bank


ref i-cmr

You've received a question about eBay item: BRAND NEW GENUINE APPLE *iPod touch* 16GB 16 GB WIFI (170227727186)

Another realistic looking email question about email, but intent on robbing your security details. I'm not sure how much damage can be done by getting hold of Ebay details - I thought that Ebay didn't store any personal information, but maybe there are addresses there or they are assuming a lot of people will use the same password for PayPal...

Like other recent phishing emails, this one uses an IP address to hide the fact that it's the wrong URL: http://66.206.18.94/index.htm. But that doesn't make it any safer. Here's the email content...

Hi, I will send you the item today via "Royal Mail Sameday".

Have a nice day!
Scott

-saabman1970 Respond to this question

If you use My Messages to respond, your email address will not be shared.

Item and user details
Item Title: BRAND NEW GENUINE APPLE *iPod touch* 16GB 16 GB WIFI
Item Number: 170227727186
Item URL: http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=170227727186
End Date: 11-Jun-08 01:11:32 BST
From User: asmdirect1 ( 16657 )
98.7 % Positive
since 18-Nov-03 in United Kingdom


ref i-cmr

Tuesday 10 June 2008

NatWest Bank: Online Banking Form! (Mon, 09 Jun 2008 00:27:48 -0500)

Would the day be complete without also being able to post about another Natwest Customer Form? This looks word for word the same as last time, just sent to a different recipient email address and with a different URL.

The URL this time is http://www.natwest.co.uk.richardjacob.co.uk/serverstack/usersdirectory/ncf.aspx?pc==[removed]&id=[removed] and like today's earlier post, there's nothing on Google about richardjacob.co.uk, so I can't say anything about the site.

Here's the content:

Dear customer of NatWest bank,

We are running a scheduled maintenance on our servers. We want to make sure your money and your personal details are safe and secure.
Due to new security policies all NatWest bank customers must complete the Natwest Customer Form.

To complete the form, please use the link below:

Natwest Customer Form

This should take you directly to the Natwest Customer Form.

Sincerely,
Natwest Customer Service


ref i-cmr

It's the old referer id / cookie id NatWest phishing emails again. This time the URL is http://www.natwest.com.eloriid.com/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed]. I can't find any results for eloriid.com, so no idea what is going on there. Maybe it's newly registered.

Here's the content:

Dear NatWest bank customer,

Security and confidentiality are at the heart of Natwest Bankline. Your data (and your money) is protected by a number of technologies, including Secure Sockets Layer (SSL) encryption.
We would like to notify you that NatWest bank carries out customer data verification procedure that is compulsory for all Natwest bank customers. This procedure is attributed to a routine banking software update.

Please login to Natwest online banking using the link below and follow the instructions on the screen.

http://www.natwest.com/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed]

Natwest Customer Service

NatWest Online Accounts Limited Access

Here's a new looking phishing email, targeted at an old favourite - the NatWest. As frequently happens, the email is a little confusing. I'm never sure whether this reflects the sender's grasp of English or is intentional, so that the recipient doesn't bother too much about what the email says and instead follows the phishing link to see what's going on.

This one first talks about regular screening, then suspicious activity, then finally limitations. But there are loads of pointers to the unwary that it is phishing:

1 - 'Dear NatWest customer' - a bank should email you by name so you know the email is more likely to be for real

2 - it's sent to undisclosed-recipients - why hide the recipient's email address? Because the one email is going to thousands of addresses. If it were genuine, it would go to just the one.

3 - I'm certain the NatWest would never send you to a link http://www.swsme.net/auth/login.aspx to sign on! It would always be to their own site, even if you were later redirected. You can see the URL by placing the mouse over the link, but not clicking. swsme.net does appear in a few results, with the comment from Google 'This site may harm your computer.'. So it's probably not a very good site to visit!

Here's the content.

Dear NatWest customer,

NatWest is constantly working to ensure security by regularly screening the accounts in our system. We recently reviewed your account, and we need more information to help us provide you with secure service. Until we can collect this information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.

--------------------------------------------------------------------------------
Why is my account access limited?

Your account access has been limited for the following reason(s):

Jun. 9, 2008: We have detected suspicious activity regarding the receipt or withdrawal of funds.

(Your case ID for this reason is NW-682-258-517.)

--------------------------------------------------------------------------------
How can I restore my account access?

Please Click Here to Log In to your account and complete the "Steps to Remove Limitations."

Once you complete all of the checklist items, your case will be reviewed by one of our Account Specialists. We will send you an email with the outcome of the review.

Copyright © National Westminster Bank plc, NatWest UK, 2008.

Friday 6 June 2008

WINNINING NOTICATION

Another amazing $2m winning lottery ticket, for a lottery I've never entered... This one even has a realistic, if not genuine, address at the top of it.

It is strange that they want me to reply in 7 days to a draw that took place 4 and a half months ago! Seems that the scammers haven't checked their email carefully enough! Also, if it was genuine, why a Yahoo email address?

Don't touch it if you have also received this email - it's nothing more than a scam. It does amuse me that there are adverts at the bottom of the email.

UK National lottery
3b Olympic Way, Sefton Business Park,
Aintree,Liverpool , L30 1RD
REF N? UKL/74-A0802742007
BATCHNO:LTBK00018
TICKET NO:A669340221
WINNING NUMBER:7041

DearWinner,

This is to inform you that you have been selected for a cash prize of
(US$2,000,000.00 ) held on 24th of January 2008. The selection process
was carried out through random selection in our computerized email
selection system from a database of over 250,000 email addresses drawn from which
you were selected.
To file your claims please contactour claims processing department for
clearance procedures.
Mr. James Nichson(Claim Agent)
International claim Department,UK
Email:drclaravein@yahoo.com


You are advised to provide thebelow informations for final claim inspection.

FULLNAME:...........................
ADDRESS-----------------------------
SEX:......................................
AGE.......................................
NATIONALITY.........................
OCCUPATION.........................
PHONE..................................
FAX:--------------------------------------
BATCHNUMBER:------------------
TICKET NUMBER: ----------------
WINNINGNUMBER:--------------

You have to contact your claim agent before 7 working days
Yours faithfully,
Mrs Mary James
Online coordinator for
UK NATIONAL LOTTERY

Now book your Railway Tickets by cash at Sify Iway. For more details contact our Customer Care

Watch latest movie trailers and behind the scenes footage of Bigg Boss and much more! www.sifymax.com

Wednesday 4 June 2008

You've received a question about eBay item: HP COMPAQ N400C LAPTOP 850MHZ 256MB 20GB CD WINDOWS.. (160246121318)

Another Ebay one, trying to convince the recipient that you have been bidding on a laptop that you didn't really want... For this one the destination URL is http://4u2gifts.com/eindex.htm?ViewItem&item=160246121318&ssPageName=ADME:X:AAQ:GB:1123. 4u2gifts.com looks like a respectable website that has been 'invaded' by the phishers - there are other phishing reports dating back to at least 1st June on Google. So I suspect someone has guessed their ftp passwords...

Here's the email content:

From: eBay Member: asmdirect1

Your question from an eBay member

Do not respond to the sender if this message requests that you complete the transaction outside of eBay. This type of offer is against eBay policy, may be fraudulent, and is not covered by buyer protection programs. Learn More .

Hello, how do you intend to pay, PayPal or Bank Transfer?
Let me know a.s.a.p. please.

Jamie

Thanks.


- asmdirect1 Respond to this question

If you use My Messages to respond, your email address will not be shared.


Item and user details
Item Title: HP COMPAQ N400C LAPTOP 850MHZ 256MB 20GB CD WINDOWS..
Item Number: 160246121318
Item URL: http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=160246121318
End Date: 03-Jun-08 09:00:00 BST
From User: asmdirect1 ( 4093 )
97.4 % Positive
since 10-May-02 in United Kingdom


ref i-cmr

Tuesday 3 June 2008

Anglo Irish Bank customer:1 new ALERT message.

This one is very similar to yesterday's Anglo Irish Bank phishing email. The target URL is still http://72.214.45.5/~admin/.cgi/, so I assume the scam is yet to be shut down. Here's the content.

Dear customer for Anglo Irish Bank,

You have 1 new security message
Please login to your Anglo Irish Bank
and visit the Message Center section in order to read the message.

To Login, fast in your account:

Anglo Irish Bank Online

© 2008 Anglo Irish Bank. All rights reserved

NatWest Bank Reminder: Client Details Confirmation -Mon, 02 Jun 2008 14:09:52 -0600

The Natwest are once more the target of a phishing email. This time around the destination URL is http://www.natwest.co.uk.dg-yar5.org.uk/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed] - so probably yet another of the current series targeting the NatWest.

Here's the email content.

Dear NatWest bank customer,

Security and confidentiality are at the heart of Natwest Bankline. Your data (and your money) is protected by a number of technologies, including Secure Sockets Layer (SSL) encryption.
We would like to notify you that NatWest bank carries out customer data verification procedure that is compulsory for all Natwest bank customers. This procedure is attributed to a routine banking software update.

Please login to Natwest online banking using the link below and follow the instructions on the screen.

http://www.natwest.co.uk/newmeasures/procedure/default.aspx?refererident=54381748798756137278337923438792855237123444418666954&cookieid=7674508179521

Natwest Customer Service


ref i-cmr

Monday 2 June 2008

A secondary e-mail address has been added to your PayPal.

Here's a new style of Phishing email - I had to look twice to convince myself here that it was the email that was phishing and not someone really breaking into my account. Indications that it's phishing:

1 - 'Dear PayPal user' - should give my name

2 - sent to 'undisclosed recipients' - would have been sent to my registered email address.

3 - the destination of the link is http://210.187.79.36/~anna/.bin/ - an IP address to mask the fake website name, it would be www.paypal.co.uk / www.paypal.com if it was real.

If in doubt, open a new browser window and type in www.paypal.com to sign into your account. Never use the links in emails, even on genuine emails. It leads you into a false sense of security.
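The pointers used across these posts (a raw IP address as the host, a bank's domain buried at the front of someone else's hostname or tucked into the path, and a displayed URL that differs from the real destination) can be checked mechanically. The following Python is an added example, not part of the original posts; the `TRUSTED` allow-list and the function names are assumptions, and the sample links are the ones quoted on this page.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: domains the reader genuinely uses; extend to suit.
TRUSTED = ("natwest.co.uk", "natwest.com", "nwolb.com",
           "paypal.com", "lloydstsb.co.uk", "halifax-online.co.uk")


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_under(host, domain):
    """True only if host IS the domain or a genuine subdomain of it."""
    return host == domain or host.endswith("." + domain)


def has_label_run(host, domain):
    """True if the domain's labels appear consecutively anywhere in host."""
    h, d = host.split("."), domain.split(".")
    return any(h[i:i + len(d)] == d for i in range(len(h) - len(d) + 1))


def is_ip(host):
    """True if the host is an IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(target, shown=None):
    """Return warning flags for a link.

    target: the URL the link really points to (seen by hovering, not clicking).
    shown:  the link text, when that text is itself written as a URL.
    """
    host = host_of(target)
    if not host:
        return ["no-host"]
    flags = []
    trusted = any(is_under(host, d) for d in TRUSTED)
    if is_ip(host):
        flags.append("ip-literal-host")
    if not trusted:
        parts = urlsplit(target)
        rest = (parts.path + "?" + parts.query).lower()
        # e.g. www.natwest.co.uk.harvioe.name: the bank's name is only a prefix
        if any(has_label_run(host, d) for d in TRUSTED):
            flags.append("brand-buried-in-hostname")
        # e.g. .../halifax-online.co.uk/ used as a directory name
        if any(d in rest for d in TRUSTED):
            flags.append("brand-in-path-or-query")
    if shown and shown.lower().startswith(("http://", "https://")):
        if host_of(shown) != host:
            flags.append("shown-url-differs")
    return flags


# Links quoted in the posts on this page: (real target, URL shown in the email).
SAMPLES = [
    ("http://www.natwest.co.uk.harvioe.name/newmeasures/procedure/default.aspx",
     "http://www.natwest.co.uk/newmeasures/procedure/default.aspx"),
    ("http://210.187.79.36/~anna/.bin/",
     "https://www.paypal.com/uk/cgi-bin/webscr?cmd=_login-run"),
    ("http://host-69-144-30-10.glt-wy.client.bresnan.net/halifax-online.co.uk/",
     None),
    ("http://www.ceazimut.org/auth/login.aspx?action=login",
     "http://www.natwest.srvdns.net/index.aspx?action=logon"),
]

if __name__ == "__main__":
    for target, shown in SAMPLES:
        print(check_link(target, shown), target)
```

An empty list is not proof of safety: a link into a compromised but otherwise innocent site, with plain link text such as "VERIFY", raises none of these flags.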

Here's the email content:

Dear PayPal user,


You've added an additional email address to your account.Us for details


To make sure you can use your PayPal account the next time you make a purchase, all you need to do is confirm or not your email address.


To Login, fast in your paypal account :

https://www.paypal.com/uk/cgi-bin/webscr?cmd=_login-run&dispatch=5d80a13c0db1f1ff80d5423b5265b6559fc2aae010bfb00cf3c64


If your email program has problems with hypertext links, you may also confirm your email address by logging in to your account.

>>> Apply online


Please do not reply to this email.This mailbox is not monitored and you will not receive a response.


PayPal Email ID PP025197.

NatWest Bank: Automatic Account Reminder (Mon, 02 Jun 2008 03:09:37 -0500)

The Natwest continue to be a popular victim / target of the phishing emails. This one, like another recent email, uses the domain http://www.nwolb.com.nwolb.org.uk/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed] - very similar to the recent nwolb.me.uk and nwol emails, that have also used the refererident / cookie pairing in the link.

Here's the email.

Dear NatWest bank customer,

Security and confidentiality are at the heart of Natwest Bankline. Your data (and your money) is protected by a number of technologies, including Secure Sockets Layer (SSL) encryption.
We would like to notify you that NatWest bank carries out customer data verification procedure that is compulsory for all Natwest bank customers. This procedure is attributed to a routine banking software update.

Please login to Natwest online banking using the link below and follow the instructions on the screen.

http://www.nwolb.com/newmeasures/procedure/default.aspx?refererident=7111256171904203771463961967533580325045981996921&cookieid=07223497

Natwest Customer Service


ref l-cmr

Anglo Irish Bank customer:1 new ALERT message.

It seems the fake message alert is becoming quite popular - this time it's on a new target bank.

Also like some recent emails, the actual destination URL is hidden by using the website's IP address, rather than the URL - http://72.214.45.5/~admin/.cgi/ is shown. Here's the email...

Dear customer for Anglo Irish Bank,

You have 1 new security message
Please login to your Anglo Irish Bank
and visit the Message Center section in order to read the message.

To Login, fast in your account:

Anglo Irish Bank Online