Monday, April 7, 2008
Lamest phish in the pond
Some “phishing” messages (junk E-mail scams attempting to steal recipients' identity by posing as messages from financial and other institutions with which an individual may have an account) are devilishly clever and may slip past even reasonably cautious and knowledgeable Internet users. Then there are those like the following, which came to hand today. (I have re-wrapped some of the header lines to avoid truncation and redacted information relating to Fourmilab's internal network structure.)

From alerts@citibank.com Mon Apr 7 15:53:31 2008
Received: from (REDACTED.fourmilab.ch (REDACTED.fourmilab.ch [193.8.230.REDACTED])
    by REDACTED.fourmilab.ch (8.13.6.20060614/8.13.6) with ESMTP id m37DpLsL013651
    for <REDACTED@REDACTED.fourmilab.ch>; Mon, 7 Apr 2008 15:53:31 +0200
Received: from exch5.aclu.org (smtp03.aclu.org [65.198.126.244])
    by REDACTED.fourmilab.ch (8.13.6.20060614/8.13.6) with ESMTP id m37Dngmt028960
    for <REDACTED@fourmilab.ch>; Mon, 7 Apr 2008 15:51:19 +0200
Received: from NYEXFE02.aclu.org ([10.1.1.246]) by exch5.aclu.org
    with Microsoft SMTPSVC(6.0.3790.1830); Mon, 7 Apr 2008 09:21:37 -0400
Received: from User ([85.120.78.130]) by NYEXFE02.aclu.org
    with Microsoft SMTPSVC(6.0.3790.3959); Mon, 7 Apr 2008 09:21:36 -0400
From: "Citibank.com"<alerts@citibank.com>
Subject: To many wrong attemps
Date: Mon, 7 Apr 2008 16:23:34 +0300
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Message-ID: <NYEXFE02md1UtYj7XGe000012db@NYEXFE02.aclu.org>
X-OriginalArrivalTime: 07 Apr 2008 13:21:37.0306 (UTC) FILETIME=[4EC2F7A0:01C898B2]

Because you have to many wrong attemps on your Citibank online banking, we had to put your account on hold.

Account Status: Blocked

We ask you to complete as soon as possible our security steps which will reactivate your online banking.

To do this please follow the link bellow :
http://www.citibank-autentification-message.com/

After this steps are complete you will be contacted by phone in 3 days by a citibank representative.

Now, of course, in junk mail you can't assume that anything in the headers which wasn't put there by your own servers has not been forged. The originating IP address (assuming it is not bogus) belongs to an IP block in Romania. I shall be charitable and assume that the intermediate routing via the American Civil Liberties Union was forged, and that their definition of “civil liberties” does not extend to criminal fraud committed in the interest of identity theft. (A cursory test of one of their mail servers with the mail relay test page at abuse.net shows it as secure against external relays.) I would usually black out the deliciously-misspelled scam site to which the message attempts to direct the recipient, but as the domain had already been pulled by the time I received the message, I'm leaving it in for your amusement. Ain't it great, living in a slum?
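As an added illustration of that point about trusting only your own servers' headers (this is not code from the original post), the Python below walks the Received chain quoted above newest-first, treats only the hops stamped by the recipient's own servers as reliable, and reports the one peer address those servers actually saw against the origin the older, forgeable hops claim. The redacted hostnames are kept exactly as they appear in the post, and the trust-boundary rule (a hop is ours when its "by" host is under our domain) is the assumption the example makes.

```python
import re

# Received chain and From: line of the message quoted above (post's redactions kept).
HEADERS = """\
Received: from (REDACTED.fourmilab.ch (REDACTED.fourmilab.ch [193.8.230.REDACTED])
 by REDACTED.fourmilab.ch (8.13.6.20060614/8.13.6) with ESMTP id m37DpLsL013651
 for <REDACTED@REDACTED.fourmilab.ch>; Mon, 7 Apr 2008 15:53:31 +0200
Received: from exch5.aclu.org (smtp03.aclu.org [65.198.126.244])
 by REDACTED.fourmilab.ch (8.13.6.20060614/8.13.6) with ESMTP id m37Dngmt028960
 for <REDACTED@fourmilab.ch>; Mon, 7 Apr 2008 15:51:19 +0200
Received: from NYEXFE02.aclu.org ([10.1.1.246]) by exch5.aclu.org
 with Microsoft SMTPSVC(6.0.3790.1830); Mon, 7 Apr 2008 09:21:37 -0400
Received: from User ([85.120.78.130]) by NYEXFE02.aclu.org
 with Microsoft SMTPSVC(6.0.3790.3959); Mon, 7 Apr 2008 09:21:36 -0400
From: "Citibank.com"<alerts@citibank.com>
"""

# "from <host> ... [<addr>] ... by <host>"; the first bracketed value after "from"
# is the address the stamping server recorded for its peer.
RECEIVED = re.compile(r"^Received:\s+from\s+\(?([^\s()]+).*?\[([^\]]+)\].*?\bby\s+(\S+)", re.I)

def unfold(raw):
    """Join header continuation lines (leading whitespace) onto their header."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def analyse(raw, our_domain):
    """Split the chain at the trust boundary: hops stamped 'by' our own servers
    are ours; the peer in the last of those is the only address we verified."""
    hops, sender = [], None
    for line in unfold(raw):
        m = RECEIVED.match(line)
        if m:
            hops.append({"from": m.group(1), "ip": m.group(2), "by": m.group(3)})
        elif line.lower().startswith("from:"):
            sender = re.search(r"@([\w.-]+)", line).group(1)
    ours = 0
    for hop in hops:                       # newest hop first, as in the header block
        if not hop["by"].lower().endswith(our_domain.lower()):
            break
        ours += 1
    handoff = hops[ours - 1] if ours else None
    return {
        "verified_peer_host": handoff["from"] if handoff else None,
        "verified_peer_ip": handoff["ip"] if handoff else None,
        "unverified_hops": len(hops) - ours,            # stamped by someone else
        "claimed_origin_ip": hops[-1]["ip"] if hops else None,
        "from_domain": sender,
        "from_matches_peer": bool(handoff and sender
                                  and handoff["from"].lower().endswith(sender.lower())),
    }
```

Run against the post's headers the verified peer is exch5.aclu.org at 65.198.126.244, the two older hops (including the 85.120.78.130 origin) are unverified, and the From: domain matches nothing our servers saw.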