[Dshield] Interesting phishing attempt on Wells Fargo

simon@nuit.ca simon at nuit.ca
Wed Oct 13 06:33:57 GMT 2004


On Tue, 12 Oct 2004, Laurent Saplairoles said:

> Hello List
> 
> Content-Type: text/html;
> Content-Transfer-Encoding: 7Bit
> 
> <table border="0" cellpadding="0" cellspacing="0" width="70%">
> <tr>
> <td>
> <img 
https://a248.e.akamai.net/7/248/3608/bb61162e7a787f/online.wellsfargo.com/common/images/logo_62sq.gif :

======
curl -k
https://a248.e.akamai.net/7/248/3608/bb61162e7a787f/online.wellsfargo.com/common/images/logo_62sq.gif
nFn!8##
u\ý}#q[#qýýý#ý#|#\_#B#0###!#,>>###I##8###`(#di#h##l#p,#tm#x##|####Al<###rY"g##,####u4##/x##s#"(#
#####j  ý##ý\###ýý#±
##&#A##L#}P#3'm## 0c##JZX%| j###fq)#o¢.#mh
##:Z#M2Cd+<#x1`##=#<#y#-#@R$##';#$###<#:#a#)j<ýý#9#ý#ý«ýý# 

The '#' are little squares in my UTF-8 xterm; checking in a C-locale xterm:

curl -k https://a248.e.akamai.net/7/248/3608/bb61162e7a787f/online.wellsfargo.com/common/images/logo_62sq.gif
GIF89a>>������������������!�,>>��I��8���`(�di�h��l�,�m������Al<��rY"g�,��
�",!8����v\                                                              �u4��x��s�"(�
nFn     u\�}�q[�q���s�  �\
�����j  �sn�\phi��pg
���q�����wX��\�v\P�
�&�A��L�}P�3'm� 0cʬ�JZX%| j���fq)�¢.�mh ��:Z
                                            �2Cd+<�1`��=��y�-�@R$��';����<�:�a�j<��e9ղ��«��� 

(including a ^g in there somewhere, it beeped my term).
======

http://200.97.128.42/welsfargo/ :

curl http://200.97.128.42/welsfargo/
<script language="JavaScript">
location.href=unescape('http://www.wellsfargo.com%01@200.97.128.42/welsfargo/Login.php');

HEAD http://www.wellsfargo.com%01@200.97.128.42/welsfargo/Login.php
200 OK
Connection: close
Date: Wed, 13 Oct 2004 06:32:17 GMT
Server: Microsoft-IIS/5.0
Content-Type: text/html
Client-Date: Wed, 13 Oct 2004 06:26:38 GMT
Client-Peer: 200.97.128.42:80
Client-Response-Num: 1
X-Powered-By: PHP/4.3.9


> onMouseMove="window.status='https://www.wellsfargo.com./cards/index.jsp';return 

This leads to a waiting curl process, stopped after about 2-3 minutes.

> (I've only removed headers added by my spam classifier and my mail client)
> 
> Following the link into my browser (Opera) with everything disabled (java, js, plug-ins, 
> cookies...) leads me to a blank page. Sorry, this is my _work_station so I won't attempt 
> to trash it ;-)
> 
> Has anyone seen this particular scam? What hides behind the web page?

Nope, though there's some similar crap with "citibank".

> Cheers!
> -- 
> Laurent

-- 
"I believe that part of what propels science is the thirst for wonder.  It's a
very powerful emotion.  All children feel it.  In a first grade classroom
everybody feels it; in a twelfth grade classroom almost nobody feels it, or
at least acknowledges it.  Something happens between first and twelfth grade,
and it's not just puberty.  Not only do the schools and the media not teach
much skepticism, there is also little encouragement of this stirring sense
of wonder.  Science and pseudoscience both arouse that feeling.  Poor
popularizations of science establish an ecological niche for pseudoscience."
- Carl Sagan, The Burden Of Skepticism, The Skeptical Inquirer, Vol. 12, Fall 87
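The two deceptions in the thread above are both URL-presentation tricks: the redirect target `http://www.wellsfargo.com%01@200.97.128.42/welsfargo/Login.php` puts the brand name in the userinfo part (everything before `@`) so the real host is the IP literal, with a `%01` control byte to hide the tail in clients that truncate on it; and the `window.status` handler shows `https://www.wellsfargo.com./cards/index.jsp` (a trailing-dot FQDN) while the link points elsewhere. The following is an added example, not code from the post or from either poster: a small Python checker that parses a URL the way RFC-style parsers do (userinfo, host, path), flags userinfo that mimics a hostname or carries control characters, and compares a displayed URL against the actual link target after normalising trailing dots. The `BRAND_HOSTS` allowlist and the finding names are constructed for the demo.

```python
"""Flag userinfo-based host spoofing and status-bar/link mismatches in URLs.

Added example (not from the mailing-list post). The allowlist below is a
constructed stand-in for whatever brand domains a mail filter would trust.
"""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed allowlist: hostnames a genuine Wells Fargo link should land on.
BRAND_HOSTS = {"www.wellsfargo.com", "online.wellsfargo.com"}

# Something like "label.label" with only hostname characters.
HOSTLIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def normalize_host(host):
    """Lower-case and strip a trailing dot so 'www.wellsfargo.com.' (a
    fully-qualified name) compares equal to 'www.wellsfargo.com'."""
    return (host or "").lower().rstrip(".")


def is_ip_literal(host):
    """True when the host part is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def analyze_url(url):
    """Return a list of finding tags for one URL; [] means nothing suspicious.

    The checks mirror the trick in the post: brand text in the userinfo,
    a control byte (%01) to hide the real host, and an IP-literal host.
    """
    findings = []
    parts = urlsplit(url)
    userinfo, at, _ = parts.netloc.rpartition("@")
    host = normalize_host(parts.hostname)

    if at:  # anything before '@' is userinfo, not the host
        findings.append("userinfo-in-url")
        decoded = unquote(userinfo)
        if CONTROL_CHARS.search(decoded):
            findings.append("control-char-in-userinfo")
        # Only the user part (before ':password') is what a victim would read.
        user = decoded.partition(":")[0]
        visible = CONTROL_CHARS.sub("", user).lower()
        if HOSTLIKE.match(visible):
            findings.append("userinfo-looks-like-hostname")
            if normalize_host(visible) in BRAND_HOSTS and host not in BRAND_HOSTS:
                findings.append("brand-host-spoof")

    if is_ip_literal(host):
        findings.append("ip-literal-host")
    return findings


def displayed_matches_target(displayed, target):
    """True when the URL shown to the user (status bar, link text) and the
    real href resolve to the same normalised host."""
    return normalize_host(urlsplit(displayed).hostname) == normalize_host(
        urlsplit(target).hostname
    )


if __name__ == "__main__":
    # First URL is the redirect target from the post; the others are constructed.
    samples = [
        "http://www.wellsfargo.com%01@200.97.128.42/welsfargo/Login.php",
        "https://www.wellsfargo.com/cards/index.jsp",
        "https://user:pw@example.net/",
    ]
    for u in samples:
        print(u, "->", analyze_url(u) or "clean")
    print(
        "status bar vs href:",
        displayed_matches_target(
            "https://www.wellsfargo.com./cards/index.jsp",
            "http://200.97.128.42/welsfargo/",
        ),
    )
```

The one thing to notice in `analyze_url` is that `urlsplit` already reports `200.97.128.42` as the hostname for the phishing URL; the spoof works only on whatever displays the raw string, not on a parser. A mail filter that resolves links through a real parser and then compares the host against an allowlist, as above, is not fooled by the `%01`, while a human reading the status bar is.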