Full Disclosure mailing list archives
RE: Your account at Wells Fargo has been suspended (Phishing Scam)
From: "Larry Seltzer" <larry () larryseltzer com>
Date: Wed, 7 Jul 2004 07:52:05 -0400
There are no products to protect against phishing other than user
education and vigilance along with refining the current model for mail.
Sender ID would have blocked this because of the fraudulent From: header,
even assuming it wasn't blocked because of envelope problems. This is yet
another reason we need an SMTP authentication scheme in place, and not one
just based on envelope data.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
larryseltzer () ziffdavis com

________________________________

From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Babak Pasdar
Sent: Wednesday, July 07, 2004 7:10 AM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Your account at Wells Fargo has been suspended (Phishing Scam)

ATTENTION,

We have uncovered a phishing scam. This is a perfect example of a phishing
scam. All indicators (that the recipient sees) show a valid and legitimate
e-mail from Wells Fargo. This e-mail tells the user their account has been
frozen due to fraudulent activity and gives them a link to go to. However
when you click on the link it takes you to a site in Korea and not Wells
Fargo:

http://online_wellsfargo_com_account.rndsystems.co.kr:7301/wells.htm

If you click on the link, an exact model of the Wells Fargo web site is
replicated. This is the exact type of issue we had success with in working
with the FBI which led to an arrest of an unsavory Russian character.

There are no products to protect against phishing other than user education
and vigilance along with refining the current model for mail.

Babak

Here is a quick assessment that confirms the e-mail is fraudulent.

In the header notice the source sending it to igxglobal is not identifiable
via reverse DNS:

Received: from dns (unknown [211.238.157.101])
        by imgxs43.goimaginex.net (Postfix) with SMTP id 15105B0016
        for <bpasdar () goimaginex net>; Tue, 6 Jul 2004 15:08:21 -0400 (EDT)

Further research shows that the contact for the network IP in question is
Kanghyun Lee out of Seoul, South Korea:

person:     KANGHYUN LEE
descr:      BUSYKOREA
descr:      , Guro 5(o)-dong , Guro-gu
descr:      SEOUL
descr:      152-055
country:    KR
phone:      +82-2-862-1780
e-mail:     YHMARIA02 () HOTMAIL COM
nic-hdl:    KL512-KR
mnt-by:     MNT-KRNIC-AP

Further investigation on the web site shows the following owner:

Domain Name                : rndsystems.co.kr
Registrant                 : R&D SYSTEMS
Registrant Address         : Pusan Venture Bldg.#305 651-1 Eomgung-dong, Sasang-gu, Busan, Republic of Korea
Registrant Zip Code        : 617831
Administrative Contact(AC) : Kang Young Gyun
AC E-Mail                  : rndsys () chollian net
AC Phone Number            : 0513261777
Registered Date            : 2002. 05. 17.
Last updated Date          : 2003. 04. 24.
Expiration Date            : 2005. 05. 17.
Publishes                  : Y
Authorized Agency          : I-NAMES(the "I" stands for "Internet") Corporation (http://www.i-names.co.kr)
Primary Name Server
   Host Name               : www.rndsystems.co.kr
   IP Address              : 211.33.221.36

- KRNIC Whois Service -

Return-Path: <services () wellsfargo com>
Received: from groupware.igxglobal.com ([unix socket])
        by groupware (Cyrus v2.1.16) with LMTP; Tue, 06 Jul 2004 15:08:31 -0400
Received: from dns (unknown [211.238.157.101])
        by imgxs43.goimaginex.net (Postfix) with SMTP id 15105B0016
        for <bpasdar () goimaginex net>; Tue, 6 Jul 2004 15:08:21 -0400 (EDT)
From: Wells Fargo National Association <services () wellsfargo com>
To: Bpasdar <bpasdar () goimaginex net>
Subject: Your account at Wells Fargo has been suspended
Date: Wed, 7 Jul 2004 03:59:20 +0900
Reply-To: Wells Fargo National Association <services () wellsfargo com>
Message-ID: <xxxxxxxx.xxxxxxxx () wellsfargo com>
MIME-Version: 1.0
X-Priority: 3 (Normal)
Importance: Normal
X-Mailer: EM: 4.52.0.790
Content-Type: multipart/alternative; boundary="----_PartID_337380760025388"
X-Virus-Scanned: IGX Global Secure Mail Relay
X-Evolution-Source: imap://bpasdar@192.168.22.7:993/

-----Forwarded Message-----
From: Wells Fargo National Association <services () wellsfargo com>
To: Bpasdar <bpasdar () goimaginex net>
Subject: Your account at Wells Fargo has been suspended
Date: Wed, 07 Jul 2004 03:59:20 +0900

Dear Wells Fargo account holder,

We regret to inform you, that we had to block your Wells Fargo account
because we have been notified that your account may have been compromised by
outside parties. Our terms and conditions you agreed to state that your
account must always be under your control or those you designate at all
times. We have noticed some activity related to your account that indicates
that other parties may have access and or control of your information in
your account.

These parties have in the past been involved with money laundering, illegal
drugs, terrorism and various Federal Title 18 violations. In order that you
may access your account we must verify your identity by clicking on the link
below. Please be aware that until we can verify your identity no further
access to your account will be allowed and we will have no other liability
for your account or any transactions that may have occurred as a result of
your failure to reactivate your account as instructed below.

Thank you for your time and consideration in this matter.

Please follow the link below and renew your account information
https://online.wellsfargo.com/cgi-bin/signon.cgi

Before you reactivate your account, all payments have been frozen, and you
will not be able to use your account in any way until we have verified your
identity.

--
Babak Pasdar
Founder / Chief Technology & Information Security Officer
e-mail: bpasdar () igxglobal com
phone: 201.498.0555 x2205
pgp fingerprint: F901 028B 7658 8621 3EF9 D505 BBF2 35F2 C922 B416

Get Daily Security Intelligence on the DSB Online
http://dsb.igxglobal.com
Subscribe to the igxglobal Daily Security Briefing Newsletter
http://www.igxglobal.com/dsb/register.html
igxglobal Announces the DSB Online Security Community Web Site
http://www.prweb.com/releases/2004/6/prweb131815.htm
igxglobal delivers integrated real-time security reporting
http://www.igxglobal.com/rrf.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
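The two checks the thread describes, Larry's point that a Sender ID / SPF style lookup on the From: domain would reject the sending host, and Babak's manual reading of the Received header (no reverse DNS for 211.238.157.101) and of the link target (a rndsystems.co.kr host dressed up with the bank's name), can be scripted. The block below is an added example, not code from either poster or from the list. It assumes a constructed sender policy table (SENDER_POLICY, using an RFC 5737 documentation range) in place of a live DNS TXT lookup, and a sample of the quoted headers with the archive's "user () host" obfuscation undone; the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Constructed sample: the header block quoted on the list, with the archive's
# "user () host" address obfuscation undone. Postfix writes "(unknown [ip])"
# in a Received header when the connecting host has no reverse DNS name.
RAW_MESSAGE = """\
Return-Path: <services@wellsfargo.com>
Received: from groupware.igxglobal.com ([unix socket]) by groupware (Cyrus v2.1.16) with LMTP; Tue, 06 Jul 2004 15:08:31 -0400
Received: from dns (unknown [211.238.157.101]) by imgxs43.goimaginex.net (Postfix) with SMTP id 15105B0016 for <bpasdar@goimaginex.net>; Tue, 6 Jul 2004 15:08:21 -0400 (EDT)
From: Wells Fargo National Association <services@wellsfargo.com>
To: Bpasdar <bpasdar@goimaginex.net>
Subject: Your account at Wells Fargo has been suspended
Reply-To: Wells Fargo National Association <services@wellsfargo.com>

Dear Wells Fargo account holder, ...
"""

# Hypothetical sender policy standing in for a live SPF / Sender ID TXT lookup.
# The network is a documentation range (RFC 5737), not the bank's real record.
SENDER_POLICY = {"wellsfargo.com": ["ip4:203.0.113.0/24", "-all"]}

# Link text shown to the victim versus the URL the link actually opened,
# both as quoted in the original post.
DISPLAYED_LINK = "https://online.wellsfargo.com/cgi-bin/signon.cgi"
ACTUAL_LINK = "http://online_wellsfargo_com_account.rndsystems.co.kr:7301/wells.htm"

# "from <helo> (<rdns-name-or-unknown> [<ip>])" as written by Postfix/Sendmail
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9.]+)\]\)")


def originating_hop(raw):
    """Return (ip, rdns_failed) for the earliest Received hop that carries an
    IP literal. Relays prepend Received headers, so the last one in the
    message is the first hop after the sender."""
    msg = message_from_string(raw)
    for header in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(header)
        if m:
            _helo, rdns_name, ip = m.groups()
            return ip, rdns_name == "unknown"
    return None, False


def header_from_domain(raw):
    """Domain of the visible From: header, the field Sender ID evaluates."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()


def sender_authorized(ip, domain, policy):
    """Simplified SPF evaluation: ip4: mechanisms only, anything else fails."""
    for mech in policy.get(domain, []):
        if mech.startswith("ip4:") and ip_address(ip) in ip_network(mech[4:], strict=False):
            return True
    return False


def link_matches_domain(url, domain):
    """True when the link host is the domain or a subdomain of it. A host like
    online_wellsfargo_com_account.rndsystems.co.kr only contains the bank's
    name; its registered domain is rndsystems.co.kr."""
    host = (urlparse(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def assess(raw, displayed_link, actual_link, policy):
    """Collect the phishing indicators discussed in the thread."""
    findings = []
    ip, rdns_failed = originating_hop(raw)
    domain = header_from_domain(raw)
    if rdns_failed:
        findings.append(f"originating host {ip} has no reverse DNS")
    if ip and not sender_authorized(ip, domain, policy):
        findings.append(f"{ip} is not an authorized sender for {domain}")
    if not link_matches_domain(actual_link, domain):
        findings.append(f"link leads off-domain to {urlparse(actual_link).hostname}")
    if link_matches_domain(displayed_link, domain) and not link_matches_domain(actual_link, domain):
        findings.append("displayed link text and real target differ")
    return findings


if __name__ == "__main__":
    for finding in assess(RAW_MESSAGE, DISPLAYED_LINK, ACTUAL_LINK, SENDER_POLICY):
        print("-", finding)
```

Run against the sample, all four indicators fire. In a real deployment the policy dict would be replaced by a DNS TXT query for the From: domain's SPF record, and the HELO name and Return-Path would be checked as well; the simplified evaluator here only handles ip4: mechanisms, which is enough to show why a relay in an unrelated Korean netblock cannot pass for the bank.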
Current thread:
- Your account at Wells Fargo has been suspended (Phishing Scam) Babak Pasdar (Jul 06)
- Re: Your account at Wells Fargo has been suspended (Phishing Scam) Szilveszter Adam (Jul 07)
- <Possible follow-ups>
- Your account at Wells Fargo has been suspended (Phishing Scam) Babak Pasdar (Jul 07)
- RE: Your account at Wells Fargo has been suspended (Phishing Scam) Larry Seltzer (Jul 07)