Friday 14 November 2008

Abbey Business Accounts ARE Being Updated

I feel that it's worth mentioning the fact that Abbey IS updating it's business security system and that users will be asked to revalidate their logins and provide new security details. BUT, what is important to know is:

This update will not be requested through any emails and will only be requested after users have naturally visited and logged onto their normal services.

This is very important. If you receive an email asking you to update your details, it is almost certainly a fake. These details are being provided to users after they log on, of their own accord. Likewise, it will be up to users to decide when to log on to their internet banking accounts and do this through their normal links.

Here's a couple of Q&As from the bank:

Q. How will I know what to do?

A. The upgrade is planned to take place over the next few weeks. Until then you can continue to log on as normal. When the upgrade is complete we will take you through the process step by step. It will take no longer than ten minutes and you will only need to complete the process the first time you log on after the upgrade has taken place.

Q. How will I access my account?

A. AFTER you have successfully logged on using your existing security details, you will be asked to select new security information online via our e-bank. We will ask you to do this when the upgrade has been completed. Please be aware we will NEVER ask you to provide any security details by responding to an email.

Monday 10 November 2008

Abbey Bank Cards-NEW DAILY LIMITS

Here's a new one on me. Instead of threats, just an email saying that the daily limits on the debit card are being changed. Why this leads to a security process is not explained! But I suspect that a few unwary people will click the link and before they know it have given away their security details.

Take care, don't click that link!

Dear Customer,

Latest News:Terms & Conditions:

We inform you that for security reasons from 10/11/2008 the Withdrawal/Purchase Daily Limits of Abbey Bank VISA debit card will be changed.

Click here to Start the Security Process.

When you log onto the service we will ask you to accept the updated Terms and Conditions.

Once you have accepted these, you will be able to access your accounts in the usual way.

Tuesday 4 November 2008

Abbey National eBanking: Please Confirm Your Data

It's the reappearance of one of my old favourites - the one that actually apologises for being sent to none customers. The thing is, if it is still doing the rounds, then I expect that the format is working. Rather worrying that some people believe a major bank would just randomly email the entire country, asking them to partake in a software upgrade. Although, with the customer I've been with this morning, maybe it's not that hard to believe!

Dear Abbey National Bank e-Banking client!

Our Support Department is running a scheduled Internet Banking software upgrade

By following the link below you will open the form of the member login update:

http://ww7.abbey.com/CentralLogonWeb/Confirm?comm=31zrohDkhbjcsdbhsnacadscndeOkhOvp

These directions are to be e-mailed and followed by all users of the Abbey National Internet Banking

Abbey National Bank does apologize for the problems caused, and is very grateful for your collaboration.

If you are not client of Abbey National Bank please delete this email!

*** This is an automated e-mail please do not respond ***

(c) '08 Abbey National Bank OnLine Banking. All Rights Reserved.

Monday 3 November 2008

LloydsTSB Electronic Banking: Please Submit Your Password

Not a very imaginitive one, this one. Techno speak to bore the reader and then the statement that it is compulsory to review your security details, because of a routine update. Not very good, convincing English.

Don't touch the link, here's the content.

Dear LloydsTSB Bank client,

Security and confidentiality are at the heart of the LloydsTSB Group. Your details (and your money) is protected by a number of technologies, including Secure Sockets Layer (SSL) encryption.
We would like to notify you that LloydsTSB Bank carries out client details confirmation procedure that is compulsory for all our clients. This procedure is attributed to a routine banking software update.

Please visit our Client Confirmation Form using the link below and follow the instructions on the screen.

http://online5.lloydstsb.com/confirmation/customer.ibc?set=18pdznwDxcrszkOkhOvp

Lloyds TSB Bank Customer Service

Wednesday 22 October 2008

Duncan Mcleod | WorldPay CARD transaction Confirmation

This one is not essentially phishing, but is likely to end up along those lines. It has a supposed order confirmation as an attachment, within a zip folder. You can bet that the moment you double click the zip and extract the contents, some nasty piece of software is installed onto your machine. This might allow the senders to watch the keystrokes used as you visit online banking or other similar websites.

If you are worried you might have opened such an attachment, check that your virus and spyware programs are updated and run a full system scan.

If anyone ever sends you unexpected bills, payment confirmations etc, check your credit card or bank statement rather than opening the attachments. Chances are that the attachment is some form of keylogger or other spyware.

Here's the content.

Thank you!
Your transaction has been processed by WorldPay, on behalf of Academic Resources Center Inc.


The invoice file is attached to this message.
This is not a tax receipt.
We processed your payment.
Academic Resources Center Inc has received your order,
and will inform you about delivery.
Sincerely,
The AcaDemon Team
Enquiries
This confirmation only indicates that your transaction has been processed successfully. It does not indicate that your order has been accepted. It is the responsibility of Academic Resources Center Inc to confirm that your order has been accepted, and to deliver any goods or services you have ordered.

If you have any questions about your order, please email Academic Resources Center Inc at: followup@acadeXM3micresourcescenter.com, with the transaction details listed above.

Thank you for shopping with Academic Resources Center Inc.

Halifax PLC | **VERY IMPORTANT SECURITY NOTICE**

This one is a different idea for a scam. It first warns the read about phishing emails before providing the phishing link part way down. No threats of violence or account cut off if you don't answer security questions, just a 'please help us' part way down the email.

Here's the cheeky email content!

Be on your guard - beware of fraudsters!

Dear Halifax customer,

Like other UK banks, we are currently seeing very large numbers of "phishing emails" in circulation. Many of these look as if they are from Halifax, typically encouraging you to click a link and type in your logon details. Such attempted frauds only work if you click that link, and you then type in your full security details & contact information.

Please remember: We never ask you to enter your Credit Card information & contact information on the Internet or over the phone. To learn how to protect yourself against "phishing" and other "identity theft" please spend a few minutes to upgrade to our latest security.

Click here to help us fight fraud!

Best regards.

Halifax Bank Security Department Team.

* Please do not reply to this e-mail *

------------------------------------------------------------

Halifax Bank or Halifax Bank plc is authorised and regulated by the Financial Services Authority and signatories to the Banking Codes. FSA authorisation can be checked on the FSA’s Register at: www.fsa.gov.uk/register. Halifax Bank or Halifax Bank plc is member of the Financial Services Compensation Scheme and the Financial Ombudsman Service. Halifax Bank plc

| Halifax Bank© 2008 |

Thursday 17 July 2008

Account Notification:Unauthorized Transactions On Your Internet Banking

Another phishing email with the pretence that an account has been subject to unathorised attempts to gain access. There's a discrepancy between the title, suggesting that there have been transactions and the content, saying that there have been logon attempts. I suppose the idea being the title gets the reader's attention in the hope that they just quickly click the link to continue.

That link would actually take you not to the Yorkshire Bank's own system, but to http://www.hunterxhunter.cl/verify/login.html instead. hunterxhunter.cl have already appeared on these pages, on 1st July.

Here's the content of the email...

Unauthorized Transactions on your Internet Banking

Dear Valued Customer,

Our utmost concern is the security of our online banking users. In this effect,
we do proper verification on all transactions done on our secured online banking servers.

Several attempts to log on to your account were detected on our secured servers and as a matter of our improved online banking security measures, We have decided to temporarily suspend your online banking access.

You will not be able to access your online account unless you re-activate your online access but in order to do so, you will have to confirm your details by Logging on to your account to complete the verification process set out for you before we can retrieve your online access.

Please, Log on through our secure reference: Click Here

We are indeed sorry for the inconveniencies we have caused you, but also remember that as a Ybonline Bank customer, your security remains our greatest priority.

Sincerely,

David Thorburn
Security Department
Ybonline Internet Banking

© Copyright 2008, Yorkshire Bank. All rights reserved.


--------------------------------------------------------------------------------

Please do not reply to this e-mail. Mail sent to this address cannot be answered.
Ybobline Email ID # 1009

Sunday 13 July 2008

The Royal Bank of Scotland | Digital Banking Service Notice

Quite a prolific phishing email - I have received this through a few email accounts. It's one of those that lists a dozen or so very similar email addresses in the 'to:' field - as though anyone needs a warning that it's spam!

The target for this one is http://www1.rbsdigitalsecure.com.looifur94.com/default.aspxrefererident=[removed]&cookieid==[removed].&noscr=false&CookieCheck/ looifur94.com appears in a couple of phishing results. Here's the content:

Dear Customer,

The Royal Bank of Scotland has been receiving complaints from our customers for unauthorised use of the Royal Bank of Scotland Online accounts. As a result we are making an extra security check on all of our Customers account in order to protect their information from theft and fraud.

Due to this, you are requested to follow the provided steps and confirm your Online Banking details for the safety of your Accounts. Please Click Here To Start .

However, Failure to do so may result in temporary account suspension. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

Thanks for your co-operation.

Fraud Prevention Unit
Legal Advisor
The Royal Bank of Scotland.

Tuesday 8 July 2008

Monster Career Network | customer notice: data confirmation

Here's a new slight twist on the Natwest Online Form /Banking Online Form etc - the Online Employer Form. A different target for a change - Monster.com. It uses the twin tracking references that we've seen before and is sent to a named email address, so it's going to confuse some people. Although, not having looked at the destination page and not having a Monster logon, I don't know just how much detail they can get. I suppose name, address, date of birth and other details, ready to clone your identity...

The actual destination address of the link is really pointing to http://hiring.monster.com.pierssite.org.es/serverdll/onlineemployerform.aspx?redirect==[removed]&employer=[removed]. pierssite.org.es already has 2 English phishing results and 2 other results on Google.

Here's the content.

Dear Monster (Jobs & Careers) customer,

The added security measures require all Monster customers to complete Online Employer Form.
Please use the hyperlink below to access Online Employer Form:

http://hiring.monster.com/serverdll/onlineemployerform.aspx?redirect=[removed]&employer=[removed]

We appreciate your business and thank you for being a valued customer.

©2008 Monster - All Rights Reserved

Halifax Fraud Prevention Unit

Time for the Halifax to make another rare appearance on these pages. The English grammar is a bit ropey in this email - maybe it's not sent from an English speaker. For example, apologize for any inconveniences caused and our Customers account instead of our Customers' accounts, to name but two. But then I am picky about such things!

Remember, no bank would send you an email asking for further security information - any such email should always be treated as an attempt to rob you. If such measures were needed, they would contact you via the post.

The actual destination of the link is http://static-68-179-55-204.ptr.terago.net/halifax-online.co.uk/_mem_bin/halifax_LogIn/formslogin.aspsource=halifaxcouk/ so I think someone might be using an ISP's free hosting space to host the landing page. Here's the email content.

Dear Customer

Halifax PLC. has been receiving complaints from our customers for unauthorised use of the Halifax Online accounts. As a result we are making an extra security check on all of our Customers account. In order to protect your information please click on the link below:


http://halifax-online.co.uk/_mem_bin/halifax_LogIn/formslogin


Thank you for your understanding and correspondence, we also apologize for any inconveniences caused.

Thanks for your co-operation.

Fraud Prevention Unit
Legal Advisor
Halifax PLC.

Important banking mail from Abbey

It's been quiet for a few days on the phishing front, but here's one aimed at the Abbey with a target URL of http://myonlineaccounts2.abbeynational.co.uk.servtts.net/CentralFormWeb/Form?action=[removed]&step=[removed]. servtts.net does appear in a couple of other Abbey phishing results on Google. Interesting that they are using the old 'online banking form' and the double tracking id link in the URL - probably connected to a few similar phishing emails.

Here's the content.

Dear Abbey bank customer,

Abbey Customer Serice would like to inform you that we are currently carrying out a scheduled upgrade of Abbey Security software.
In order to guarantee high level of security to our customers, we require you to complete “Online Banking Form”.
Please complete Online Banking Form using the link below:

Online Banking Form

Thank you for being a valued customer.

Sincerely,
Abbey Customer Serice

Thursday 3 July 2008

NatWest Bank: You Have 1 New Security Message Alert.

The Natwest Customer Form makes a return! The target this time around is http://www.natwest.com.gosdsoon.co.uk/serverstack/usersdirectory/ncf.aspx?pc=[removed]&id=[removed] - note the signature pc id / id. gosdsoon.co.uk does appear in a few phishing results.

Here's the email content:

Dear customer of NatWest bank,

We are running a scheduled maintenance on our servers. We want to make sure your money and your personal details are safe and secure.
Due to new security policies all NatWest bank customers must complete the Natwest Customer Form.

To complete the form, please use the link below:

Natwest Customer Form

This should take you directly to the Natwest Customer Form.

Sincerely,
Natwest Customer Service

Tuesday 1 July 2008

Security alert!

I don't often get phishing emails targetted at Barclays Bank, but here's one. It deserves a mention just for it's uniqueness... In fact, looking back, I've only posted 2 reports on this blog, both in September last year. Maybe their security is pretty hot and not worth attempted hacking.

Having said that, it takes the format of the NOF - this one is the Barclays Bank Form instead. So maybe someone is switching their target. It is, of course, rubbish. The actual link points to http://ibank.barclays.co.uk.anygonti.co.uk/olb/MemberForm.do?memberid=[removed]&session=[removed]. anygonti.co.uk was only registered a few days ago (27/6/2008). I won't give the contact details - it's likely that someone has had their account broken into and the domain registered in their name.

Here's the content...

Dear Barclays Bank customer,

Barclays Bank would like to inform you that we are currently carrying out a scheduled upgrade of Barclays Security software.
In order to guarantee high level of security to our customers, we require you to complete “Barclays Banking Form”. Please notice, that we ask you to complete the Form regularly, until Barclays bank IT department finishes the upgrading process successfully.
Please complete the form using the link below:

Barclays Banking Form

Thank you for being a valued customer.

Sincerely,
Barclays Customer Service

Important Notice ( Lloyds TSB Security®Re-Confirm Your Identity and Remove Your Account Limitation Online)

Another phishing email... This one is designed to frighten the recipients (who can be bothered to read it) into thinking that attempts have been made to access their bank account. The result of these is that the account has been frozen. If that had happened, why would there be a link to reactivate it - the bank would send the reactivation details through the post, not a email link.

The actual target of the button seems to be something like hunterxhunter.cl. Doesn't seem to be a phishing site, so maybe they've had a page or a redirect hijacked.

Here's the content.

Dear Customer Lloyds TSB Bank plc

This message has been sent to you from because we have noticed invalid login attempts into your account, due to this we are temporarily limiting and restricting your account access until we confirm your identity.

To confirm your identity and remove your account limitation please following the Log on below.

Lloyds TSB Bank plc is committed to ensure the safeguard of each customer's personal information,making sure only authorised individuals have access to their accounts. It is all about your security.

Thursday 26 June 2008

Halifax | This confirmation email has been sent as a security precaution.

The Halifax don't often feature on my list of phishing emails, but here's one. And what a cheap and nasty phishing attempt it is! The link isn't clickable and clearly points to something other than the actual bank - http://host-69-144-30-10.glt-wy.client.bresnan.net/halifax-online.co.uk/. Looking through Google, there are other reports of redirects on that website being hacked to point to the phishing websites.

The email is very basic - the sender obviously has no idea of how to create paragraphs in the email - so it doens't look at all official. The content is designed to panic people, but I hope that the cheap look and the lack of a link is going to help to stop people copying the link and falling for the trick!

I suspect that the sender has copied some text from a genuine Halifax email and tried (but failed) to use that. The best bit, considering the content added by the sender, is the copied line "Halifax would never send you an email asking you to verify your secure online banking details" - it says it all really! That's probably the most honest bit of the email!

Here's the email:

Dear customer, Thank you for confirming your telephone contact details. If you have made any amendments to your contact details these have now been updated. Please note that if you hold any joint accounts, only your details will be updated. This confirmation email has been sent as a security precaution. If you did not make this number change/confirmation, please visit the website below, phone lines are open 24 hours a day, 7 days a week. http://host-69-144-30-10.glt-wy.client.bresnan.net/halifax-online.co.uk/ Regards, Halifax Online Helpdesk FIGHT ONLINE FRAUD Please do not reply to this email address as it is not monitored and we will be unable to respond. Halifax would never send you an email asking you to verify your secure online banking details. Calls from BT landlines will cost a maximum of 4p per minute and a 6p call set-up fee. The price of calls from other telephone companies will vary. The call price is correct at 25/10/07. . -------------------------------------------------------------------------------------------------------------------- Bank of Scotland plc, Registered in Scotland Number SC327000 Registered office: The Mound, Edinburgh EH1 1YZ. Authorised and regulated by Financial Services Authority

Wednesday 25 June 2008

Lloyds TSB | IMPORTANT: Account Verification needed (June 25, 2008) No.4

Here's an email targeted at someone that doesn't feature too often - Lloyds TSB.

It tries to use the FSA as an excuse for needing more information - just so that they can snare the unlucky recipient into revealing too many details. There's no reason the FSA would make a bank collect more information on customers and they definitely would tell you to do it through a link pointing to http://portapropiedades.com.ar/sitemap/str/?https://online.lloydstsb.co.uk/customer.ibc?WT.svl=ibcplogon.

portapropiedades.com.ar does appear in other phishing results, but the main site is not written in English, so I've no idea what the rest of the site is about. Here's the email content:

Dear Lloyds TSB Customer,

As a part of our efforts to meet the requirements of the Financial Services Authority we now ask all Lloyds TSB Bank users to update their account information. It's a smart and simple way to add an additional layer of protection to your account.


Please use the link below to update your account:

Click here to continue updating Your Lloyds TSB Account;
(You will be redirected to a Lloyds TSB Banking logon page with an unique Session ID)

Thank you for your continued patronage,
President of Lloyds TSB Bank plc.

Programs and data held on this system belong or are licensed to Lloyds TSB Bank plc and Lloyds TSB Scotland plc. It is an offence to access the programs and data unless you are doing so through your own account using the Passwords and User ID issued to you by Lloyds TSB Bank plc and Lloyds TSB Scotland plc in an authorised manner and in accordance with all applicable laws.

Wednesday 18 June 2008

First Bank | Administration alert!

This is a bank that I've never heard of before, I assume it's an American bank, or if not, some other non UK bank.

The link points to an IP address - http://69.246.203.213/, so without clicking it's hard to tell what the actual web address is, but I can say with almost guaranteed certainty that it's not the genuine site! Here's the content.

As a Firstbanks customer, your privacy and security always come first. We have been dedicated to customer safety and protection, and our mission remains as strong as ever.

We inform you that your Firstbanks Internet banking account is about to expire. It is strongly recommended to update it immediately. Update form is located here.

However, failure to confirm your records may result in account suspension.

This is an automated message. Please, do not reply.

Sincerely, Firstbanks administration

Your Account with Google AdWords.

Given that these Google Adwords phishing emails only started to appear in March, there have been a good number compared to some of the banks that are being targeted.

For this one, the target URL is http://www.adwords.google.com.oskin.cn/select/Login. I can only find oskin.cn on Google in Phishing results, so maybe it's been setup just for that.

Here's the content.

Dear Advertiser,

We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.

Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.

We look forward to providing you with the most effective advertising available.
Thank you for advertising with Google AdWords.

The Google AdWords Team

Abbey | Account Notification: Access To Your Account Has Been Limited

After NatWest (currently 67 posts), Abbey is the second placed banking target on this site, with just 17 posts. It's trying to catch up...

This at least gives a reason for the verification, but from experience I know that when the account is restricted the restrictions are lifted only by posting new cards out - I know, I had to wait without access to my cash until the new card came through!

The actual target URL is http://www.rightleadership.com//poll/pollphp/verify/cgi.htm, which seems to be a perfectly innocent site. I've not tested that the link does work, but I expect that somehow the phishers have broken into the site.

Unauthorized Access Notification

Dear Abbey Bank Customer,

This message has been sent to you from Abbey Bank because we have noticed invalid login attempts into your account, due to this we are temporarily limiting and restricting your account access until we confirm your identity.

We therefore implore you to log into your account to verify any possible findings.

VERIFY

Thank you

Natwest | REGULAR MAINTENANCE

Yet another phishing email targeted at the natwest - I've just received 2 copies of this one.

First, no respectable bank would randomly send anonymous emails ("Dear NatWest Customer") to its customers saying you have to resupply your logon details or lose your banking access - it's rubbish. Don't believe it!

Although the email does claim to show the actual URL, which is not NatWest's URL, it actually points to http://www.ceazimut.org/auth/login.aspx?action=login. Can't see what that website is about.

Here's the email:

Dear NatWest customer,

WE ARE CURRENTLY PERFORMING A REGULAR MAINTENANCE OF OUR DATABASE FOR ONLINE CUSTOMERS.

We apologize for the inconvenience this may cause but your account was randomly flagged for verification and you'll be taken through a short authentication process.

To start now please click here.

If your e-mail client stops you to click the link above, please copy the following URL to your browser:

http://www.natwest.srvdns.net/index.aspx?action=logon

Please note! If we don't receive the appropriate account verification within 24 hours since you've got this email your online access can be suspended until further notice. The purpose of this verification is to ensure your account has not been fraudulently used and you're not a victim of identity theft.

Thank you for understanding and helping us improve.

------------------------------------------------------------

Unauthorized account access or use is not permitted and may constitute a crime punishable by law.

© NatWest. 2001 - 2008. UK.