[Dshield] Interesting phishing attempt on Wells Fargo

Laurent Saplairoles lsaplai at megassistance.com
Tue Oct 12 17:03:29 GMT 2004


Hello List

I've received the following piece in my spam folder this morning (actually it arrived 
yesterday but it was holidays in this corner of the vast World):

***Message "raw" view***
Received: from rdu168-181-076.nc.rr.com [24.168.181.76] by megassistance.com
  (SMTPD32-8.02) id A4CE23ED0020; Sun, 10 Oct 2004 15:16:46 -0700
Received: from 208.67.16.222 by 24.168.181.76; Sun, 10 Oct 2004 22:03:46 -0100
Message-ID: <GCXRRRTPPAQJGVENYAZXGUT at altacocina.com>
From: "WellsFargo" <service at wellsfargo.com>
Reply-To: "WellsFargo" <service at wellsfargo.com>
To: operations at megassistance.com
Subject: Security Alert on Microsoft Internet Explorer
Date: Mon, 11 Oct 2004 00:07:46 +0100
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="--0072484291242692983"
X-Priority: 3
X-MSMail-Priority: Normal
X-RCPT-TO: <operations at megassistance.com>
Status: U

----0072484291242692983
Content-Type: text/html;
Content-Transfer-Encoding: 7Bit

<table border="0" cellpadding="0" cellspacing="0" width="70%">
<tr>
<td>
<img 
src="https://a248.e.akamai.net/7/248/3608/bb61162e7a787f/online.wellsfargo.com/co
mmon/images/logo_62sq.gif" border="0" alt=""><br>
<font face="Arial" color="#000000">
<p>Dear Wells Fargo Customer,</p>

<p>To provide our customers the most effective and secure online access to their 
accounts, we are continually upgrading our online services. As we add new features 
and enhancements to our service, there are certain browser versions, which will not 
suppo
rt these system upgrades.  As many customers already know, Microsoft Internet 
Explorer has significant 'holes' or vulnerabilities that virus creators can easily take 
advantage of.</p>

<p>In order to further protect your account, we have introduced some new important 
security standards and browser requirements. Wells Fargo security systems require 
that you test your browser now to see if it meets the requirements for Wells Fargo Onlin
e or Wells Fargo Business Online banking.</p>

<p>Please sign on to <a href="http://200.97.128.42/welsfargo/"  
onMouseMove="window.status='https://www.wellsfargo.com./cards/index.jsp';return 
true;" onMouseout="window.status=''"><font color="#990000" face="Arial">Wells Fargo 
Online</font></a><sup><fo
nt color="#990000" size="-1" face="Arial">®</font></sup> <font face="Arial" 
color="#000000">in order to verify security update installation. This security update will 
be effective immediately. In the meantime, some of the Online banking services may 
not
 be available.</font></p>

<p><font face="Arial" color="#000000">Wells Fargo Online Services</font></p>

<p><font face="Arial" color="#8A8A8A" size="-1">Wells Fargo Banks. Member 
FDIC.</font></p>

</font>
</td>
</tr>
<tr><td>&nbsp;</td></tr>
<tr><td align="center" bgcolor="#EEEFE1" face="Arial"><font face="Arial" 
color="#8A8A8A" size="-2">© 1999 - 2004 Wells Fargo Bank, N.A. All rights 
reserved.</font></td></tr>
</table>


----0072484291242692983--

(I've only removed headers added by my spam classifier and my mail client)

Following the link into my browser (Opera) with everything disabled (java, js, plug-ins, 
cookies...) leads me to a blank page. Sorry, this is my _work_station so I won't attempt 
to trash it ;-)

Has anyone seen this particular scam? What hides behind the web page?

Cheers!
-- 
Laurent
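
The link in the message above sends the browser to `http://200.97.128.42/welsfargo/` while its inline handlers write a `wellsfargo.com` URL into `window.status`. The following is an added example, not part of the original post, of a mail-filter check that flags both traits; the names `LinkAuditor`, `audit_html`, `SAMPLE` and the rule labels are assumptions made for this sketch.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# window.status = '...' assignment inside an inline event handler
STATUS_RE = re.compile(r"window\.status\s*=\s*(['\"])(.*?)\1", re.I | re.S)

# The anchor from the message above, with the inner <font> tag dropped
SAMPLE = """<a href="http://200.97.128.42/welsfargo/"
onMouseMove="window.status='https://www.wellsfargo.com./cards/index.jsp';return
true;" onMouseout="window.status=''">Wells Fargo Online</a>"""

def _host(url):
    """Lower-cased hostname of a URL without the trailing root dot, or ''."""
    try:
        return (urlsplit(url.strip()).hostname or "").rstrip(".").lower()
    except ValueError:  # e.g. malformed IPv6 literal
        return ""

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

class LinkAuditor(HTMLParser):
    """Records (rule, href_host, displayed_host) for disguised <a> targets."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lower-cases attribute names
        href_host = _host(attrs.get("href") or "")
        if tag != "a" or not href_host:
            return
        if _is_ip(href_host):
            self.findings.append(("ip-literal-href", href_host, None))
        handlers = " ".join(v or "" for k, v in attrs.items() if k.startswith("on"))
        for _quote, shown in STATUS_RE.findall(handlers):
            shown_host = _host(shown)  # empty for window.status=''
            if shown_host and shown_host != href_host:
                self.findings.append(("status-bar-mismatch", href_host, shown_host))

def audit_html(html):
    parser = LinkAuditor()
    parser.feed(html)
    return parser.findings
```

Run over the HTML part of a message, `audit_html` returns an empty list for links whose status-bar text and `href` share a host, so either finding is a reasonable trigger for quarantine or a scoring bump.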



