lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
From: adam at nhh.hu (Szilveszter Adam)
Subject: Your account at Wells Fargo has been suspended
 (Phishing Scam)

Hi,

[Since phishing seems to be all the rage today, I feel compelled to add...]

Babak Pasdar wrote:
> We have uncovered a phishing scam.  This is a perfect example of a
> phishing scam.  All indicators (that the recipient sees) show a valid and
> legitimate e-mail from Wells Fargo.  This e-mail tells the user their
> account has been frozen due to fraudulent activity and gives them a link
> to go to.  However when you click on the link it takes you to a site in
> Korea and not Wells Fargo:

<...>

> Here is a quick assessment that confirms the e-mail is fraudulent.  In
> the header notice the source sending it to igxglobal is not identifiable
> via reverse DNS:

<lots of info eluded>

Well, maybe it's just me, but to me, the *very* first reason to believe 
that the mail was a fraud would be, that I never, ever would expect my 
bank to send me such sensitive and time-critical information in an email 
message, which can be read by any party while in transit and be delayed 
for arbitrary amounts of time, or not delivered at all. (insert rant 
here about why more and more applications are relying on email and SMS 
messages as a timely and dependable communications mechanism, when 
clearly neither was designed to be either) How would they maintain the 
privacy of banking operations if they sent such messages to customers? 
Please, please US people tell me that even US banks are not so stupid as 
to do this... convenience is surely a trump, but not in banking... there 
I want security first of all.

P.S. Remember, when we used to tell people "Never open messages claiming 
to be virus warnings or security patches from MS, they will never ever 
going to send such things in email, only offer them through the web."? 
Well, the other day I received an email from MS Hungary (I was 
registered for several TechNet events in the past) about the 
"worm-du-jour" and how it is dangerous and how MS recommends applying 
the patch immediately. Dang. The only thing missing was the patch 
attached. This is why police say as long as criminals are people there 
is not going to be a perfect crime. Everybody gets lazy after a time.

Regards,
Sz.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ