lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <1089152214.2986.94.camel@tumbleweed.igxglobal.com>
From: bpasdar at igxglobal.com (Babak Pasdar)
Subject: Your account at Wells Fargo has been suspended (Phishing Scam)

ATTENTION,

We have uncovered a phishing scam.  This is a perfect example of a
phishing scam.  All indicators (that the recipient sees) show a valid and
legitimate e-mail from Wells Fargo.  This e-mail tells the user their
account has been frozen due to fraudulent activity and gives them a link
to go to.  However when you click on the link it takes you to a site in
Korea and not Wells Fargo:

http://online_wellsfargo_com_account.rndsystems.co.kr:7301/wells.htm

If you clink on the link an exact model of the Wells Fargo web site
replicated.  This is the exact type of issue we had success with in
working with the FBI which led to an arrest of an unsavory Russian
character.

There are no products to protect against phishing other than user
education and vigilance along with refining the current model for mail.

Babak



Here is a quick assessment that confirms the e-mail is fraudulent.  In
the header notice the source sending it to igxglobal is not identifiable
via reverse DNS:

Received:  from dns (unknown [211.238.157.101]) by
imgxs43.goimaginex.net (Postfix) with SMTP id 15105B0016 for
<bpasdar@...maginex.net>; Tue,  6 Jul 2004 15:08:21 -0400 (EDT)


Further research shows that the contact for the network IP in question
is Kanghyun Lee out of Seoul, South Korea:

person:       KANGHYUN
LEE
descr: 	      BUSYKOREA
descr: 	      , Guro 5(o)-dong , Guro-gu
descr: 	      SEOUL
descr: 	      152-055
country:      KR
phone: 	      +82-2-862-1780
e-mail:       YHMARIA02@...MAIL.COM
nic-hdl:      KL512-KR
mnt-by:       MNT-KRNIC-AP


Further investigation on
the web site shows the
following owner:


Domain Name               : rndsystems.co.kr
Registrant                : R&D SYSTEMS
Registrant Address        : Pusan Venture Bldg.#305 651-1 Eomgung-dong, Sasang-gu, Busan, Republic of Korea
Registrant Zip Code       : 617831
Administrative Contact(AC): Kang Young Gyun AC
E-Mail                    : rndsys@...llian.net
AC Phone Number           : 0513261777
Registered Date           : 2002. 05. 17.
Last updated Date         : 2003. 04. 24.
Expiration Date           : 2005. 05. 17.
Publishes                 : Y
Authorized Agency         : I-NAMES(the "I" stands for "Internet") Corporation (http://www.i-names.co.kr)
Primary Name Server   Host Name              : www.rndsystems.co.kr
   IP Address             : 211.33.221.36

- KRNIC Whois Service -


Return-Path: <services@...lsfargo.com> Received:  from groupware.igxglobal.com ([unix socket]) by groupware (Cyrus v2.1.16) with LMTP; Tue, 06 Jul 2004 15:08:31 -0400
Received:  from dns (unknown [211.238.157.101]) by imgxs43.goimaginex.net (Postfix) with SMTP id 15105B0016 for <bpasdar@...maginex.net>; Tue,  6 Jul 2004 15:08:21 -0400 (EDT)
From: Wells Fargo National Association <services@...lsfargo.com>
To: Bpasdar <bpasdar@...maginex.net>
Subject: Your account at Wells Fargo has been suspended
Date: Wed, 7 Jul 2004 03:59:20 +0900
Reply-To: Wells Fargo National Association <services@...lsfargo.com>
Message-ID: <xxxxxxxx.xxxxxxxx@...lsfargo.com>
MIME-Version:  1.0 X-Priority:  3 (Normal)
Importance:  Normal
X-Mailer:  
EM: 4.52.0.790
Content-Type: multipart/alternative; boundary="----_PartID_337380760025388"
X-Virus-Scanned:  IGX Global Secure Mail Relay
X-Evolution-Source: imap://bpasdar@....168.22.7:993/


-----Forwarded Message-----
From: Wells Fargo National Association <services@...lsfargo.com>
To: Bpasdar <bpasdar@...maginex.net>
Subject: Your account at Wells Fargo has been suspended
Date: Wed, 07 Jul 2004 03:59:20 +0900

Dear Wells Fargo account holder, 

We regret to inform you, that we had to block your Wells Fargo account
because we have been notified that your account may have been
compromised by outside parties.

Our terms and conditions you agreed to state that your account must
always be under your control or those you designate at all times. We
have noticed some activity related to your account that indicates that
other parties may have access and or control of your information in your
account.

These parties have in the past been involved with money laundering,
illegal drugs, terrorism and various Federal Title 18 violations. In
order that you may access your account we must verify your identity by
clicking on the link below.

Please be aware that until we can verify your identity 
no further access to your account will be allowed and we will have no
other liability for your account
or any transactions that may have occurred as a result of your failure
to reactivate your account as
instructed below.

Thank you for your time and consideration in this matter.

Please follow the link below and renew your account information

https://online.wellsfargo.com/cgi-bin/signon.cgi

Before you reactivate your account, all payments have been frozen, and you will not be able to use your
account in any way until we have verified your identity.


-- 

Babak Pasdar
Founder / Chief Technology & Information Security Officer
e-mail: bpasdar@...global.com
phone:  201.498.0555 x2205
pgp fingerprint:  
F901 028B 7658 8621 3EF9 D505 BBF2 35F2 C922 B416

Get Daily Security Intelligence on the DSB Online
http://dsb.igxglobal.com

Subscribe to the igxglobal Daily Security Briefing Newsletter
http://www.igxglobal.com/dsb/register.html

igxglobal Announces the DSB Online Security Community Web Site
http://www.prweb.com/releases/2004/6/prweb131815.htm

igxglobal delivers integrated real-time security reporting
http://www.igxglobal.com/rrf.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 827 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040706/a8c42e5d/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ