[Dshield] Heads up, Another Phishing scheme

NetWatch netwatch at sagadc.de
Mon Mar 1 10:56:00 GMT 2004


> Agree. I just assumed that Deb posted that actual URL. Would be
> interested to see the actual HTML code that produced that link. Deb --
> can you post it?

Hi List,
even if it is not the Citibank phishing, the text is the same as the IP
address.
I have included the "Westpac.au" mail that I received tonight. As you
can see, it is the hex01 approach to get the people to that website. I
triggered that this host is (again) in China and that it seems to be
down (meanwhile). It's interesting to see the simple approach that users
are directed to an "https" Server and the real address is just a simple
http non-ssl server. Also the last sentence is "nice". There is NO
digital certificate attached to that mail nor is (or was) it signed.

Best regards,
Jochen Grotepass
----------------------------------------
Original email
==============================================================
Microsoft Mail Internet Headers Version 2.0
Received: from www1 ([192.168.113.187]) by internal.??????.de with
Microsoft SMTPSVC(5.0.2195.6713);
	 Mon, 1 Mar 2004 04:15:55 +0100
Received: from  ([192.168.113.190])
	by www1 (MailMonitor for SMTP v1.2.2 ) ;
	Mon, 1 Mar 2004 04:15:58 +0100 (MET)
Received: (qmail 6207 invoked by alias); 1 Mar 2004 03:15:57 -0000
Received: from evrtwa1-ar2-4-62-016-156.evrtwa1.dsl-verizon.net
(4.62.16.156)
  by mail1.??????.com with SMTP; 1 Mar 2004 03:15:57 -0000
Date: Mon, 01 Mar 2004 03:16:07 +0000
From: Westpac support <support at westpac.com.au>
Subject: Please verify your e-mail address
To: Info <info@??????.com>
References: <B77H00FFBFKKIFE6@??????.com>
In-Reply-To: <B77H00FFBFKKIFE6@??????.com>
Message-ID: <97LBBF1DHCB8A07K at westpac.com.au>
Reply-To: Westpac service center <service at olb.westpac.com.au>
Sender: Westpac support <support at westpac.com.au>
MIME-Version: 1.0
Content-Type: text/html; charset=Windows-1251
Content-Transfer-Encoding: 8bit
Return-Path: support at westpac.com.au
X-OriginalArrivalTime: 01 Mar 2004 03:15:55.0140 (UTC)
FILETIME=[82570440:01C3FF3B]
<html>
<head></head>
<body>
Dear Westpac Internet Banking Customer!<br><br>
This email was sent by the Westpac server to verify<br>
your e-mail address. You must complete this process<br>
by clicking on the link below and submiting Westpac<br>
secure verification form which appears in your browser<br>
<br>
This is done for your protection --- because some of<br>
our members no longer have access to their email addresses<br>
and we must verify it.<br>
<br>
Please use this unique link to the Westpac verification form<br>
to verify your e-mail: <a
href="http://olb.westpac.com.au%01%01%01%01%01%01%01%01%01%01%01%01%01%0
1%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%0
1%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%0
1%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%0
1%01%01 at 210.15.78.10/img/.w/westpac.html">https://olb.westpac.com.au?Ema
ilID=ksjfh86fgHGSDG></a> <br><br>
This message is digitally signed by Westpac server.
</body>
</html>

===========================================================================
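
The mismatch described in this post, as an added example (not part of the original message or of the phishing mail): a Python check that compares each anchor's visible URL with its real `href` and flags userinfo padded with control characters such as `%01`. It assumes the ` at ` in the archived `href` stands for `@`, which the list archive obscures; the sample link is constructed, with a documentation IP address and a shortened `%01` run.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_ip(host):
    try:
        return ipaddress.ip_address(host) is not None
    except ValueError:
        return False

def audit_link(href, text):
    """Return the findings for one anchor, in a fixed order."""
    target = urlsplit(href)
    userinfo = unquote(target.netloc.rpartition("@")[0])  # part before the last '@'
    # Only treat the visible text as a URL when it looks like one.
    shown = urlsplit(text if text.lower().startswith(("http://", "https://")) else "")
    checks = [
        (userinfo != "", "userinfo-before-host"),
        (any(ord(c) < 0x20 for c in userinfo), "control-chars-in-userinfo"),
        (is_ip(target.hostname or ""), "ip-literal-host"),
        (shown.hostname is not None and shown.hostname != target.hostname, "display-host-mismatch"),
        (shown.scheme == "https" and target.scheme != "https", "display-claims-https"),
    ]
    return [label for hit, label in checks if hit]

def audit_html(html):
    parser = AnchorCollector()
    parser.feed(html)
    return {href: audit_link(href, text) for href, text in parser.links}

# Constructed sample modelled on the mail above (documentation IP, shortened %01 run).
SAMPLE = ('<a href="http://olb.westpac.com.au%01%01%01@192.0.2.10/img/x.html">'
          'https://olb.westpac.com.au?EmailID=abc</a>')
```
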



