Lamest phishing attempt evar...

[Karlos]

Today an email arrived that simply cracked me up:

From:    H-S-B-C
To:    undisclosed-recipients : ;
Subject:    IB suspended
Date:    30/03/11 11:20:03

Yes, that looks entirely authentic already :lol:

Dear Customer,

Your IB access has been suspended (multiple failed log-in
attempts).

To remove the suspension, please complete the attached document.

What, you mean your bank doesn't send you forms to put your internet banking details in?

For any inquiries, contact Customer Service.

:roflmao: I suspect an inquiry is warranted...

Please do not reply to this message.

HSBC 2011

Don't worry, I won't. They didn't say anything about not ridiculing it on the web however...

So, let's have a look at the form. For a start, it's really messy table based HTML, but the fun parts are:

Code: [Select]

<link href=&quot;http://www.cefims.ac.uk/forms/appform/application.css&quot; media=&quot;screen&quot; rel=&quot;stylesheet&quot; type=&quot;text/css&quot; />
Wait, you HSBC use CSS files hosted on a university server?

Code: [Select]

 

Obviously Steveee is a bigshot in their IT department :lol:

Code: [Select]



Seems legit :roflmao:

Code: [Select]


~$ whois 114.33.23.187
% [whois.apnic.net node-1]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      114.32.0.0 - 114.47.255.255
netname:      HINET-NET
descr:        CHTD, Chunghwa Telecom Co.,Ltd.
descr:        No.21-3, Sec.1, Hsin-Yi Rd.
descr:        Taipei Taiwan 100
country:      TW
admin-c:      FC76-AP
tech-c:       HN27-AP
status:       ALLOCATED PORTABLE
mnt-by:       MAINT-TW-TWNIC
mnt-lower:    MAINT-TW-TWNIC
mnt-routes:   MAINT-TW-TWNIC
changed:      hm-changed@apnic.net 20080418
source:       APNIC

person:       Fu-Kuei Chung
address:      Internet Service Department,
address:      Data Communication Business Group, Chunghwa Telecom Co., Ltd.
address:      Data-Comm Bldg, No. 21, Sec 1, Hsin-Yi Rd.
address:      Taipei, Taiwan 100
country:      TW
phone:        +886 2 2344 4709
phone:        +886 2 2344 3007
fax-no:       +886 2 2396 0399
fax-no:       +886 2 2344 2513
e-mail:       fkchung@ms1.hinet.net
nic-hdl:      FC76-AP
mnt-by:       MAINT-TW-TWNIC
changed:      hostmaster@twnic.net 20001230
source:       APNIC

person:       HINET Network-Adm
address:      CHTD, Chunghwa Telecom Co., Ltd.
address:      Data-Bldg. 6F,  No. 21, Sec. 21, Hsin-Yi Rd.,
address:      Taipei Taiwan 100
country:      TW
phone:        +886 2 2322 3495
phone:        +886 2 2322 3442
phone:        +886 2 2344 3007
fax-no:       +886 2 2344 2513
fax-no:       +886 2 2395 5671
e-mail:       network-adm@hinet.net
nic-hdl:      HN27-AP
remarks:      same as TWNIC nic-handle HN184-TW
mnt-by:       MAINT-TW-TWNIC
changed:      hostmaster@twnic.net 20000721
source:       APNIC

inetnum:        114.33.0.0 - 114.33.255.255
netname:        HINET-NET
descr:          Chunghwa Telecom Data Communication Business Group
descr:          Taipei Taiwan
country:        TW
admin-c:        HN184-TW
tech-c:         HN184-TW
mnt-by:         MAINT-TW-TWNIC
remarks:        This information has been partially mirrored by APNIC from
remarks:        TWNIC. To obtain more specific information, please use the
remarks:        TWNIC whois server at whois.twnic.net.
changed:        network-adm@hinet.net 20080421
status:         ASSIGNED NON-PORTABLE
source:         TWNIC

person:         HINET Network-Adm
address:        CHTD, Chunghwa Telecom Co., Ltd.
address:        Taipei Taiwan
e-mail:         network-adm@hinet.net
nic-hdl:        HN184-TW
changed:        hostmaster@twnic.net.tw20000721
source:         TWNIC

Lastly, if all that doesn't seem quite suspect enough already, I don't actually bank with HSBC :roflmao:

[Franko]

You should fill out their form with a load of made up false stuff just to waste the numpties time trying to hack a dummy account...

[zipper]

Long time without spam from Taiwan - more from China and Russia lately.

[runequester]

I miss the Nigerians. I do win the Spanish lottery on a monthly basis though, so thats nice

[zipper]

I get a steady flood of Nigerians - 1 -2 per week but the country varies.

[Franko]

It's worse when you get them on the phone and it's big George...

[youtube]5MTFauI8INY[/youtube]

then again it could be worse'r, could be Irish Mike... :eek:

[youtube]iWXi7-Xta8o&feature=fvst[/youtube]

[whabang]

I haven't received anything from the Nigerians since I literally flooded their mailboxes with low-quality porn. Having a 100 mbit connection at home was fun. >

[Dandy]

You should fill out their form with a load of made up false stuff just to waste the numpties time trying to hack a dummy account...

Hmmmm - "fill out their form with a load of made up false stuff" - this doesn't work always.
Some forms are intelligent enough to recognise "made up false" account numbers and tell you that this is not a valid account for the bank identifier code you entered.

Solution:
Better enter the number of your local court cashier.

Or - if you know the location of the sender (like in the case at hand) - enter the bank data of the Taipei Taiwan court cashier.

I'd like to see their faces when thei get a visit/letter from their State Attorney...
 

[Zac67]

Some forms are intelligent enough to recognise "made up false" account numbers and tell you that this is not a valid account for the bank identifier code you entered.

Nahhhh - 've never seen a halfway decent attempt from anyone, nothing you'd remotely consider "serious" or "professional". The very poor attempts don't even work (usually for obvious reasons), the slightly better ones are so obviously amateurish that really nobody could fall for them. Only those deserving so anyway... :rtfm:

[runequester]

Looking at my spam folder, apparently my world of warcraft account was compromised.
Never subscribed to an MMO in my life
 
I dont imagine there's much financial fraud that can be carried out that way, so would this be people looking to steal accounts for gold farming or something?

[persia]

I got a scam email "from" a bank with a university address and a disclaimer from the university saying the message was individual and didn't reflect university policy...

I should hope not!

[Karlos]

I just got another one, claiming to be from Lloyds TSB this time, equally lame and spoof as the first, containing a html form I'm just supposed to fill in.

Code: [Select]

<img src=&quot;http://www.100mortgages.org/wp-content/img/2008/09/lloyds-logo1.jpg&quot;/>
LOL! Slightly better than using a .ac.uk address, I suppose. Let's see where my details would be going this time:

Code: [Select]

Oh dear.

Code: [Select]

~$ whois 118.174.15.218
% [whois.apnic.net node-2]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:        118.174.15.216 - 118.174.15.223
netname:        Bunyawat-Witthayalai-School
notify:         abuse@totisp.net
descr:          Educational Institute, Lampang province
country:        th
admin-c:        pa82-ap
tech-c:         ag100-ap
status:         assigned non-portable
mnt-by:         MAINT-TH-TOT
mnt-irt:        IRT-TOT-TH
changed:        apipolg@tot.co.th 20110201
source:         APNIC

route:          118.174.0.0/19
descr:          TOT Public Company Limited
origin:         AS9737
mnt-by:         MAINT-TH-TOT
changed:        worawat@totbb.com 20100725
source:         APNIC

person:         Pansak Arpakajorn
nic-hdl:        PA82-AP
e-mail:         abuse@totisp.net
address:        TOT Public Company Limited
address:        89/2 Moo 3 Chaengwattana Rd, Laksi,Bangkok 10210 THAILAND
phone:          +66-2574-9178
fax-no:         +66-2574-8401
country:        TH
changed:        suraches@tot.co.th 20050720
changed:        ag100.ap@gmail.com 20100507
mnt-by:         MAINT-TH-TOT
source:         APNIC

person:         Apipol Gunabhibal
nic-hdl:        AG100-AP
e-mail:         apipolg@tot.co.th
address:        TOT Public Company Limited
address:        89/2 Moo 3 Chaengwattana Rd, Laksi, Bangkok 10210 THAILAND
phone:          +66-2574-9178
fax-no:         +66-2574-8401
country:        TH
changed:        apipolg@tot.co.th 20110215
mnt-by:         MAINT-TH-TOT
source:         APNIC


[Franko]

@ Karlos

Where & how do you find out all that info you posted when you receive these junk emails

I can't find any info like that using my Sky, Gmail or Yahoo email accounts...

[Karlos]

@ Karlos

Where & how do you find out all that info you posted when you receive these junk emails

I can't find any info like that using my Sky, Gmail or Yahoo email accounts...

Well, they are sending me a HTML page as an attachment. I just open it in a text editor. If there are any IP addresses (usually used for the form submission in these cases) I just perform a basic whois lookup.

[zipper]

Like this:
http://whois.domaintools.com/118.174.15.218
or:
http://www.ip-adress.com/whois/118.174.15.218