Weblogs: Spam

What a phishing scam email looks like

Friday, March 26, 2004

The BBC reports that phishing scams are on the rise again. Many UK banks have been targeted, including Natwest, Barclays and Lloyds TSB.

Typically, UK banking is rather reactionary, and they will decide to make "improvements" to their security, and insist on informing their clients. They will insist on insert a link within the email to their website.

So expect numerous notifications from banks you do bank online with and those you don't to send you emails. They will typically be from scammers phishing for your details by pretending to be the bank upgrading their security the thwart the very same scammers.

Expect something like the following:

Dear Customer

This message is from Barclays Bank, to inform you that we had updated our anti-fraud system to prevent frequent fraud attempts. At this moment we need you to reactivate your account due to software security updates. All accounts that haven't been reactivated will be placed on hold.

To verify your account, please visit the IBank website at http://www.barclays.co.uk

If you have questions about your online statement, please send us a Bank Mail or contact the Online Banking Helpdesk on 0845 600 2323

We appreciate your business. It's truly our pleasure to serve you.

Barclays Customer Care

This email is for notification only. To contact us, please log into your account and send a Bank Mail.

Well the obvious clue that this is a scam for me was that I am not and never have been a customer of Barclays Bank. But lets pretend I am. Obviously if the email came from Barclays it would have a from address indicating it, and the from address of this particular email is:

From: Barclays IBank service <service@ibank.barclays.co.uk>
Subject: Important notice from Barclays IBank

This is where most people will stop and decide the email does indeed come from Barclays. Don't let that fool you. Email addresses can, and normally are forged.

Its the "helpful" link in the body of the email that's a big giveaway. Unless you are using Outlook.

When you hover over the above link, the status bar of your browser should display the URL as: http://ibank.barclays.co.uk%01%01%01%01%01%01%01%01
%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01%01%01%01%01@www.best-news.ru
. If it doesn't appear like this, either upgrade Internet Explorer or try an alternative like FireFox. And Get rid of Outlook as an email client.

The true destination of the above link is http://www.best-news.ru. This website has been taken down already, but it used to contain a website that looked exactly like the login page of Barclay IBank login page. Just perfect to capture your banking details to be reused later.


[ Weblog | Categories and feeds | 2011 | 2010 | 2009 | 2008 | 2007 | 2006 | 2005 | 2004 | 2003 | 2002 ]