23 Jun 2005
Phishing is a big problem, and banks have given us lots of advice, such as:
don't click on links in e-mail messages, and watch out for mail from
fake sources.
So take a look at this message that I got earlier this year
and tell me whether it's real or a phish.
(I already know the answer. This is a thought experiment.)
Clues:
- HELO with a nonexistent domain name unrelated to the bank
- Actual IP has no rDNS; SWIP is to some company with no visible
connection to the bank
- Return address is in securesuiteemail.com, a domain unrelated to the bank
- Return address domain is at Yahoo Domains, with a yahoo.com contact, a
mailing address in Israel, and a bogus phone number
- Headers include "Comment: Unauthenticated sender"
- HTML contents include URLs that they encourage you to click through,
which don't match the ones in the text part and are not in the bank's
domain or any domain in the headers; rather, they're at
bankofamerica.vbv.cyota.com
So tell me, if you found this in your mailbox, would you believe that it's
a genuine communication from the Bank of America credit card department?
(I've reformatted this message a little bit to make it look OK on the
weblog. The headers are verbatim other than the recipient address,
and the HTML is basically the way it was. The links are all live, and
take you to a site purporting to be Bank of America.)
Return-Path:
Received: (qmail 4897 invoked by uid 100); 27 Feb 2005 19:32:01 -0000
Received: (qmail 4155 invoked from network); 27 Feb 2005 19:30:20 -0000
Received: from unknown (HELO cyomail1.cyota.dotsconnect.com) (63.150.74.73)
by mail.iecc.com with SMTP; 27 Feb 2005 19:30:20 -0000
Received: from cyoweb1 (cyoweb1 [172.29.1.10])
by cyomail1.cyota.dotsconnect.com (8.11.7p1+Sun/8.10.2) with SMTP
id j1RJKXF27254
for xxx@yyy.com; Sun, 27 Feb 2005 14:20:33 -0500 (EST)
Date: 27 Feb 2005 19:31:39 -0000
Message-Id: <200502271920.j1RJKXF27254@cyomail1.cyota.dotsconnect.com>
From: "Bank of America"
Reply-To: bankofamerica@securesuiteemail.com
To: xxx@yyy.com
Subject: Bank of America - Verified by Visa Registration Confirmation
Comment: Unauthenticated sender
X-Mailer: JNet CSmtpWrapper
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="CyotaVBV"
--CyotaVBV
Content-Type: text/plain; charset=iso-8859-1
Dear Bank of America Visa Cardholder:
This message confirms your registration into Verified by Visa
services.
This is an outbound message only. Please do not reply. If you have
any questions, please refer to our Frequently Asked Questions (FAQs)
or contact us by secure e-mail at
http://www.bankofamerica.com/verifiedbyvisa (select this link or copy
and paste it into your browser). On this page, select "FAQs" or
choose "Contact Us" to send us an e-mail.We will get back to you
within 2 business days.
You can always visit the Verified by Visa site at
http://www.bankofamerica.com/verifiedbyvisa to track your
transactions and manage account settings.
Please keep this email with the Verified by Visa site URL in a safe
place.
Thank you,
Bank of America
--CyotaVBV
Content-Type: text/html; charset=iso-8859-1
Dear Bank of America Visa Cardholder:
This message confirms your registration into Verified by Visa
services.
This is an outbound message only. Please do not reply. if you
have any questions,
please refer to our Frequently Asked Questions (FAQs) or
contact us by secure e-mail at
the Verified by Visa site.
On this page, select "FAQs" or choose "Contact Us" to send us
an e-mail.
We will get back to you within 2 business days.
You can always visit the Verified by Visa site.
to track your transactions and manage account
settings.
Please keep this email with the Verified by Visa site link in
a safe place.
Thank you,
Bank of America
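To show how the clues listed above can be checked mechanically, here is an added Python example (not part of the original post) that applies them to a constructed copy of this message: the headers are the ones quoted above, the body is cut down, and the path of the HTML link is a placeholder because the post names only the host.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed sample from the post's headers; body cut down, href path a placeholder.
RAW = """\
Received: from unknown (HELO cyomail1.cyota.dotsconnect.com) (63.150.74.73)
Reply-To: bankofamerica@securesuiteemail.com
Comment: Unauthenticated sender
Content-Type: multipart/alternative; boundary="CyotaVBV"

--CyotaVBV
Content-Type: text/plain; charset=iso-8859-1

Visit http://www.bankofamerica.com/verifiedbyvisa to manage settings.
--CyotaVBV
Content-Type: text/html; charset=iso-8859-1

Visit <a href="http://bankofamerica.vbv.cyota.com/PLACEHOLDER">the site</a>.
--CyotaVBV--
"""

def in_domain(host, domain):
    host = (host or "").lower().rstrip(".")  # True for the domain or a subdomain of it
    return host == domain or host.endswith("." + domain)

def phish_clues(raw, claimed="bankofamerica.com"):
    msg = message_from_string(raw, policy=policy.default)  # header and link clues that fire
    clues = []
    for rcvd in msg.get_all("Received", []):  # HELO name unrelated to the bank
        m = re.search(r"\(HELO (\S+)\)", rcvd)
        if m and not in_domain(m.group(1), claimed):
            clues.append("helo:" + m.group(1))
    for hdr in ("Reply-To", "Return-Path"):  # return address in another domain
        dom = str(msg.get(hdr, "")).rpartition("@")[2].strip("<> ")
        if dom and not in_domain(dom, claimed):
            clues.append(hdr.lower() + ":" + dom)
    if "unauthenticated" in str(msg.get("Comment", "")).lower():
        clues.append("unauthenticated-sender")  # the receiving relay says so itself
    text_urls, html_urls = set(), []
    for part in msg.walk():  # HTML hrefs absent from the text part and off-brand
        if part.get_content_type() == "text/plain":
            text_urls.update(re.findall(r"https?://\S+", part.get_content()))
        elif part.get_content_type() == "text/html":
            html_urls += re.findall(r'href="([^"]+)"', part.get_content())
    for url in html_urls:
        host = urlparse(url).hostname or ""
        if url not in text_urls and not in_domain(host, claimed):
            clues.append("html-link:" + host)
    return clues
```

Every one of the four checks fires on this message, which is exactly the point of the post: a mail that is presumably legitimate is indistinguishable from a phish by the advice customers are given.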
posted at: 23:15
3 comments
> So tell me, if you found this in your mailbox, would you believe that it's a genuine communication from the Bank of America credit card department? (...The headers are verbatim other than the recipient address...)

If I found this in my mailbox, I'd look at the recipient address and see if it was the *unique* address that I use only for BoA correspondence. But, since you've hidden the recipient address (and I don't know if you use unique addresses for this type of correspondence), my guess is that it's phair. And it's a great example of something that looks like a phish.
(by Nancy McGough
24 Jun 2005 03:04)
Per-correspondent addresses
It's true (as Nancy knows) that I hand out a unique address to each commercial correspondent, which is why I obscured the address here so you couldn't tell whether the sender sent it to that address. But most people use the same address everywhere, which isn't likely to change soon.
(by John L
24 Jun 2005 15:46)
Phish
I found out it was a phishing email which is working with netdetective.com; they now have my cc# and ss#, my life is about to suck, and I'm an idiot.
(by
19 Nov 2006 00:22)