Amiga.org

Coffee House => Coffee House Boards => CH / Science and Technology => Topic started by: Karlos on March 30, 2011, 07:28:35 PM

Title: Lamest phishing attempt evar...
Post by: Karlos on March 30, 2011, 07:28:35 PM: Today an email arrived that simply cracked me up:

Quote
From:    H-S-B-C
To:    undisclosed-recipients : ;
Subject:    IB suspended
Date:    30/03/11 11:20:03

Yes, that looks entirely authentic already :lol:

Quote
Dear Customer,

Your IB access has been suspended (multiple failed log-in
attempts).

To remove the suspension, please complete the attached document.

What, you mean your bank doesn't send you forms to put your internet banking details in?

Quote
For any inquiries, contact Customer Service.

:roflmao: I suspect an inquiry is warranted...

Quote
Please do not reply to this message.

HSBC 2011

Don't worry, I won't. They didn't say anything about not ridiculing it on the web however...

So, let's have a look at the form. For a start, it's really messy table based HTML, but the fun parts are:

Code: [Select]
<link href="http://www.cefims.ac.uk/forms/appform/application.css" media="screen" rel="stylesheet" type="text/css" />
Wait, you HSBC use CSS files hosted on a university server?

Code: [Select]

Obviously Steveee is a bigshot in their IT department :lol:

Code: [Select]

Seems legit :roflmao:

Code: [Select]
~$ whois 114.33.23.187 % [whois.apnic.net node-1] % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html inetnum: 114.32.0.0 - 114.47.255.255 netname: HINET-NET descr: CHTD, Chunghwa Telecom Co.,Ltd. descr: No.21-3, Sec.1, Hsin-Yi Rd. descr: Taipei Taiwan 100 country: TW admin-c: FC76-AP tech-c: HN27-AP status: ALLOCATED PORTABLE mnt-by: MAINT-TW-TWNIC mnt-lower: MAINT-TW-TWNIC mnt-routes: MAINT-TW-TWNIC changed: hm-changed@apnic.net 20080418 source: APNIC person: Fu-Kuei Chung address: Internet Service Department, address: Data Communication Business Group, Chunghwa Telecom Co., Ltd. address: Data-Comm Bldg, No. 21, Sec 1, Hsin-Yi Rd. address: Taipei, Taiwan 100 country: TW phone: +886 2 2344 4709 phone: +886 2 2344 3007 fax-no: +886 2 2396 0399 fax-no: +886 2 2344 2513 e-mail: fkchung@ms1.hinet.net nic-hdl: FC76-AP mnt-by: MAINT-TW-TWNIC changed: hostmaster@twnic.net 20001230 source: APNIC person: HINET Network-Adm address: CHTD, Chunghwa Telecom Co., Ltd. address: Data-Bldg. 6F, No. 21, Sec. 21, Hsin-Yi Rd., address: Taipei Taiwan 100 country: TW phone: +886 2 2322 3495 phone: +886 2 2322 3442 phone: +886 2 2344 3007 fax-no: +886 2 2344 2513 fax-no: +886 2 2395 5671 e-mail: network-adm@hinet.net nic-hdl: HN27-AP remarks: same as TWNIC nic-handle HN184-TW mnt-by: MAINT-TW-TWNIC changed: hostmaster@twnic.net 20000721 source: APNIC inetnum: 114.33.0.0 - 114.33.255.255 netname: HINET-NET descr: Chunghwa Telecom Data Communication Business Group descr: Taipei Taiwan country: TW admin-c: HN184-TW tech-c: HN184-TW mnt-by: MAINT-TW-TWNIC remarks: This information has been partially mirrored by APNIC from remarks: TWNIC. To obtain more specific information, please use the remarks: TWNIC whois server at whois.twnic.net. changed: network-adm@hinet.net 20080421 status: ASSIGNED NON-PORTABLE source: TWNIC person: HINET Network-Adm address: CHTD, Chunghwa Telecom Co., Ltd. address: Taipei Taiwan e-mail: network-adm@hinet.net nic-hdl: HN184-TW changed: hostmaster@twnic.net.tw20000721 source: TWNIC
Lastly, if all that doesn't seem quite suspect enough already, I don't actually bank with HSBC :roflmao:
Title: Re: Lamest phishing attempt evar...
Post by: Franko on March 30, 2011, 11:36:51 PM: You should fill out their form with a load of made up false stuff just to waste the numpties time trying to hack a dummy account... :D
Title: Re: Lamest phishing attempt evar...
Post by: zipper on March 31, 2011, 04:27:20 AM: Long time without spam from Taiwan - more from China and Russia lately.
Title: Re: Lamest phishing attempt evar...
Post by: runequester on March 31, 2011, 04:50:11 AM: I miss the Nigerians. I do win the Spanish lottery on a monthly basis though, so thats nice
Title: Re: Lamest phishing attempt evar...
Post by: zipper on March 31, 2011, 05:25:23 AM: I get a steady flood of Nigerians - 1 -2 per week but the country varies.
Title: Re: Lamest phishing attempt evar...
Post by: Franko on March 31, 2011, 08:01:27 AM: It's worse when you get them on the phone and it's big George... :D

[youtube]5MTFauI8INY[/youtube]

then again it could be worse'r, could be Irish Mike... :eek:

[youtube]iWXi7-Xta8o&feature=fvst[/youtube]
Title: Re: Lamest phishing attempt evar...
Post by: whabang on March 31, 2011, 11:00:29 AM: I haven't received anything from the Nigerians since I literally flooded their mailboxes with low-quality porn. Having a 100 mbit connection at home was fun. >:)
Title: Re: Lamest phishing attempt evar...
Post by: Dandy on April 13, 2011, 11:10:22 AM: Quote from: Franko;626113

You should fill out their form with a load of made up false stuff just to waste the numpties time trying to hack a dummy account... :D

Hmmmm - "fill out their form with a load of made up false stuff" - this doesn't work always.
Some forms are intelligent enough to recognise "made up false" account numbers and tell you that this is not a valid account for the bank identifier code you entered.

Solution:
Better enter the number of your local court cashier.

Or - if you know the location of the sender (like in the case at hand) - enter the bank data of the Taipei Taiwan court cashier.

I'd like to see their faces when thei get a visit/letter from their State Attorney...
:D
Title: Re: Lamest phishing attempt evar...
Post by: Zac67 on April 13, 2011, 06:42:56 PM: Quote from: Dandy;631397
Some forms are intelligent enough to recognise "made up false" account numbers and tell you that this is not a valid account for the bank identifier code you entered.

Nahhhh - 've never seen a halfway decent attempt from anyone, nothing you'd remotely consider "serious" or "professional". The very poor attempts don't even work (usually for obvious reasons), the slightly better ones are so obviously amateurish that really nobody could fall for them. Only those deserving so anyway... :rtfm:
Title: Re: Lamest phishing attempt evar...
Post by: runequester on April 13, 2011, 07:02:18 PM: Looking at my spam folder, apparently my world of warcraft account was compromised.
Never subscribed to an MMO in my life :)

I dont imagine there's much financial fraud that can be carried out that way, so would this be people looking to steal accounts for gold farming or something?
Title: Re: Lamest phishing attempt evar...
Post by: persia on April 13, 2011, 08:45:41 PM: I got a scam email "from" a bank with a university address and a disclaimer from the university saying the message was individual and didn't reflect university policy...

I should hope not!

(http://www.clipartguide.com/_thumbs/0511-1002-2801-3268.jpg)
Title: Re: Lamest phishing attempt evar...
Post by: Karlos on May 01, 2011, 12:46:56 PM: I just got another one, claiming to be from Lloyds TSB this time, equally lame and spoof as the first, containing a html form I'm just supposed to fill in.

Code: [Select]
<img src="http://www.100mortgages.org/wp-content/img/2008/09/lloyds-logo1.jpg"/>
LOL! Slightly better than using a .ac.uk address, I suppose. Let's see where my details would be going this time:

Code: [Select]

Oh dear.

Code: [Select]
~$ whois 118.174.15.218 % [whois.apnic.net node-2] % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html inetnum: 118.174.15.216 - 118.174.15.223 netname: Bunyawat-Witthayalai-School notify: abuse@totisp.net descr: Educational Institute, Lampang province country: th admin-c: pa82-ap tech-c: ag100-ap status: assigned non-portable mnt-by: MAINT-TH-TOT mnt-irt: IRT-TOT-TH changed: apipolg@tot.co.th 20110201 source: APNIC route: 118.174.0.0/19 descr: TOT Public Company Limited origin: AS9737 mnt-by: MAINT-TH-TOT changed: worawat@totbb.com 20100725 source: APNIC person: Pansak Arpakajorn nic-hdl: PA82-AP e-mail: abuse@totisp.net address: TOT Public Company Limited address: 89/2 Moo 3 Chaengwattana Rd, Laksi,Bangkok 10210 THAILAND phone: +66-2574-9178 fax-no: +66-2574-8401 country: TH changed: suraches@tot.co.th 20050720 changed: ag100.ap@gmail.com 20100507 mnt-by: MAINT-TH-TOT source: APNIC person: Apipol Gunabhibal nic-hdl: AG100-AP e-mail: apipolg@tot.co.th address: TOT Public Company Limited address: 89/2 Moo 3 Chaengwattana Rd, Laksi, Bangkok 10210 THAILAND phone: +66-2574-9178 fax-no: +66-2574-8401 country: TH changed: apipolg@tot.co.th 20110215 mnt-by: MAINT-TH-TOT source: APNIC
Title: Re: Lamest phishing attempt evar...
Post by: Franko on May 01, 2011, 12:54:59 PM: @ Karlos

Where & how do you find out all that info you posted when you receive these junk emails ???

I can't find any info like that using my Sky, Gmail or Yahoo email accounts... ???
Title: Re: Lamest phishing attempt evar...
Post by: Karlos on May 01, 2011, 01:15:29 PM: Quote from: Franko;634661
@ Karlos

Where & how do you find out all that info you posted when you receive these junk emails ???

I can't find any info like that using my Sky, Gmail or Yahoo email accounts... ???

Well, they are sending me a HTML page as an attachment. I just open it in a text editor. If there are any IP addresses (usually used for the form submission in these cases) I just perform a basic whois lookup.
Title: Re: Lamest phishing attempt evar...
Post by: zipper on May 01, 2011, 01:53:20 PM: Like this:
http://whois.domaintools.com/118.174.15.218
or:
http://www.ip-adress.com/whois/118.174.15.218
Title: Re: Lamest phishing attempt evar...
Post by: Karlos on May 01, 2011, 03:14:36 PM: Quote from: zipper;634671
Like this:
http://whois.domaintools.com/118.174.15.218
or:
http://www.ip-adress.com/whois/118.174.15.218

Indeed.

I wonder how many people are taken in by scams like this? What percentage of targeted addresses happen to be using the bank in question, that haven't already received one or more near-identical messages from banks they don't bank with that are naive enough to think the bank would contact them with a "fill in the attached form" ?
Title: Re: Lamest phishing attempt evar...
Post by: zipper on May 01, 2011, 05:43:15 PM: Should ring a bell when the pointer is over a link and shows an odd address.
Here is an example from a junk post - don't click it!!!! http://ow.ly/4GLkX?arquivo_comprovante.comprovante-004206.PD (for security I left the last F out of it... or do you want to test your virus software?)
Title: Re: Lamest phishing attempt evar...
Post by: Franko on May 02, 2011, 03:11:04 AM: @ Karlos @ Zipper

Thanks for that info, I'll need to use it on the next load of spam I get to see where all this junk comes from... :)

I often wonder myself how many people actually fall for these things (and they must do otherwise it would have stopped by now), I mean you wouldn't give such details out over the phone or to some salesman at your front door so why do some folks do it on the internet... :crazy: