RE: [Full-Disclosure] Your account at Wells Fargo has been suspended (Phishing Scam)

From: Larry Seltzer (larry_at_larryseltzer.com)
Date: 07/07/04

    To: <bpasdar@igxglobal.com>, <full-disclosure@lists.netsys.com>
    Date: Wed, 7 Jul 2004 07:52:05 -0400
    
    

    >> There are no products to protect against phishing other than user
    >> education and vigilance along with refining the current model for mail.

    Sender ID would have blocked this because of the fraudulent From: header, even
    assuming it wasn't blocked because of envelope problems.

    This is yet another reason we need an SMTP authentication scheme in place, and not
    one just based on envelope data.

    Larry Seltzer
    eWEEK.com Security Center Editor
    http://security.eweek.com/
    http://blog.ziffdavis.com/seltzer
    larryseltzer@ziffdavis.com

     

    ________________________________

    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Babak Pasdar
    Sent: Wednesday, July 07, 2004 7:10 AM
    To: full-disclosure@lists.netsys.com
    Subject: [Full-Disclosure] Your account at Wells Fargo has been suspended (Phishing
    Scam)

    ATTENTION,

    We have uncovered a phishing scam. This is a perfect example of a
    phishing scam. All indicators (that the recipient sees) show a valid and
    legitimate e-mail from Wells Fargo. This e-mail tells the user their
    account has been frozen due to fraudulent activity and gives them a link
    to go to. However when you click on the link it takes you to a site in
    Korea and not Wells Fargo:

    http://online_wellsfargo_com_account.rndsystems.co.kr:7301/wells.htm

    If you click on the link, an exact model of the Wells Fargo web site is
    replicated. This is the exact type of issue we had success with in
    working with the FBI, which led to the arrest of an unsavory Russian
    character.

    There are no products to protect against phishing other than user
    education and vigilance along with refining the current model for mail.

    Babak

    Here is a quick assessment that confirms the e-mail is fraudulent. In
    the header notice the source sending it to igxglobal is not identifiable
    via reverse DNS:

    Received: from dns (unknown [211.238.157.101]) by
    imgxs43.goimaginex.net (Postfix) with SMTP id 15105B0016 for
    <bpasdar@goimaginex.net>; Tue, 6 Jul 2004 15:08:21 -0400 (EDT)

    Further research shows that the contact for the network IP in question
    is Kanghyun Lee out of Seoul, South Korea:

    person: KANGHYUN LEE
    descr: BUSYKOREA
    descr: , Guro 5(o)-dong , Guro-gu
    descr: SEOUL
    descr: 152-055
    country: KR
    phone: +82-2-862-1780
    e-mail: YHMARIA02@HOTMAIL.COM
    nic-hdl: KL512-KR
    mnt-by: MNT-KRNIC-AP

    Further investigation on the web site shows the following owner:

    Domain Name : rndsystems.co.kr
    Registrant : R&D SYSTEMS
    Registrant Address : Pusan Venture Bldg.#305 651-1 Eomgung-dong, Sasang-gu,
    Busan, Republic of Korea
    Registrant Zip Code : 617831
    Administrative Contact(AC): Kang Young Gyun AC
    E-Mail : rndsys@chollian.net
    AC Phone Number : 0513261777
    Registered Date : 2002. 05. 17.
    Last updated Date : 2003. 04. 24.
    Expiration Date : 2005. 05. 17.
    Publishes : Y
    Authorized Agency : I-NAMES(the "I" stands for "Internet") Corporation
    (http://www.i-names.co.kr)
    Primary Name Server Host Name : www.rndsystems.co.kr
       IP Address : 211.33.221.36

    - KRNIC Whois Service -

    Return-Path: <services@wellsfargo.com>
    Received: from groupware.igxglobal.com ([unix socket]) by groupware (Cyrus v2.1.16) with LMTP; Tue, 06 Jul 2004 15:08:31 -0400
    Received: from dns (unknown [211.238.157.101]) by imgxs43.goimaginex.net (Postfix) with SMTP id 15105B0016 for <bpasdar@goimaginex.net>; Tue, 6 Jul 2004 15:08:21 -0400 (EDT)
    From: Wells Fargo National Association <services@wellsfargo.com>
    To: Bpasdar <bpasdar@goimaginex.net>
    Subject: Your account at Wells Fargo has been suspended
    Date: Wed, 7 Jul 2004 03:59:20 +0900
    Reply-To: Wells Fargo National Association <services@wellsfargo.com>
    Message-ID: <xxxxxxxx.xxxxxxxx@wellsfargo.com>
    MIME-Version: 1.0
    X-Priority: 3 (Normal)
    Importance: Normal
    X-Mailer: EM: 4.52.0.790
    Content-Type: multipart/alternative; boundary="----_PartID_337380760025388"
    X-Virus-Scanned: IGX Global Secure Mail Relay
    X-Evolution-Source: imap://bpasdar@192.168.22.7:993/

    -----Forwarded Message-----
    From: Wells Fargo National Association <services@wellsfargo.com>
    To: Bpasdar <bpasdar@goimaginex.net>
    Subject: Your account at Wells Fargo has been suspended
    Date: Wed, 07 Jul 2004 03:59:20 +0900

    Dear Wells Fargo account holder,

    We regret to inform you, that we had to block your Wells Fargo account
    because we have been notified that your account may have been
    compromised by outside parties.

    Our terms and conditions you agreed to state that your account must
    always be under your control or those you designate at all times. We
    have noticed some activity related to your account that indicates that
    other parties may have access and or control of your information in your
    account.

    These parties have in the past been involved with money laundering,
    illegal drugs, terrorism and various Federal Title 18 violations. In
    order that you may access your account we must verify your identity by
    clicking on the link below.

    Please be aware that until we can verify your identity no further access to
    your account will be allowed and we will have no other liability for your
    account or any transactions that may have occurred as a result of your
    failure to reactivate your account as instructed below.

    Thank you for your time and consideration in this matter.

    Please follow the link below and renew your account information

    https://online.wellsfargo.com/cgi-bin/signon.cgi

    Before you reactivate your account, all payments have been frozen, and you
    will not be able to use your account in any way until we have verified your
    identity.

    -- 
    Babak Pasdar
    Founder / Chief Technology & Information Security Officer
    e-mail: bpasdar@igxglobal.com
    phone:  201.498.0555 x2205
    pgp fingerprint:  
    F901 028B 7658 8621 3EF9 D505 BBF2 35F2 C922 B416
    Get Daily Security Intelligence on the DSB Online
    http://dsb.igxglobal.com
    Subscribe to the igxglobal Daily Security Briefing Newsletter
    http://www.igxglobal.com/dsb/register.html
    igxglobal Announces the DSB Online Security Community Web Site
    http://www.prweb.com/releases/2004/6/prweb131815.htm
    igxglobal delivers integrated real-time security reporting
    http://www.igxglobal.com/rrf.html
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    
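The two checks the thread relies on, Babak's header assessment (last-hop relay without reverse DNS, link pointing at a domain other than the sender's) and Larry's point that a Sender ID style check on the From: header would have caught the forged sender, as an added Python example that is not part of either post. The headers are the ones quoted above; the one-line body, the authorised-sender policy for wellsfargo.com and the tiny public-suffix table are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers as quoted in the post; the single-line body is constructed for the example.
RAW = (
    "Return-Path: <services@wellsfargo.com>\n"
    "Received: from dns (unknown [211.238.157.101]) by imgxs43.goimaginex.net"
    " (Postfix) with SMTP id 15105B0016 for <bpasdar@goimaginex.net>;"
    " Tue, 6 Jul 2004 15:08:21 -0400 (EDT)\n"
    "From: Wells Fargo National Association <services@wellsfargo.com>\n"
    "Subject: Your account at Wells Fargo has been suspended\n"
    "\n"
    "Please follow the link: http://online_wellsfargo_com_account.rndsystems.co.kr:7301/wells.htm\n"
)

# Hypothetical Sender ID / SPF style policy: relays the domain authorises (placeholder IP).
AUTHORIZED = {"wellsfargo.com": {"203.0.113.10"}}
# Minimal public-suffix table, enough for the hosts in this message (constructed).
PUBLIC_SUFFIXES = {"co.kr", "com"}

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)")
URL_RE = re.compile(r"https?://([^/\s:]+)")

def first_hop(msg):
    """(helo, rdns, ip) of the relay that handed the mail to our MX: the lowest Received header."""
    return RECEIVED_RE.search(msg.get_all("Received")[-1]).groups()

def registered_domain(host):
    """Registrable domain of a hostname, e.g. rndsystems.co.kr for a long subdomain of it."""
    labels = host.lower().split(".")
    n = 3 if ".".join(labels[-2:]) in PUBLIC_SUFFIXES else 2
    return ".".join(labels[-n:])

def triage(raw):
    """Return the findings a mail gateway could raise on this message."""
    msg = message_from_string(raw)
    helo, rdns, ip = first_hop(msg)
    # No Sender/Resent-* headers, so the purported responsible address is From:.
    from_domain = parseaddr(msg["From"])[1].split("@")[-1].lower()
    findings = []
    if rdns == "unknown":
        findings.append("relay %s (HELO %s) has no reverse DNS" % (ip, helo))
    if ip not in AUTHORIZED.get(from_domain, set()):
        findings.append("relay %s is not authorised for From: domain %s" % (ip, from_domain))
    for host in URL_RE.findall(msg.get_payload()):
        owner = registered_domain(host)
        if owner != from_domain:
            findings.append("link host %s belongs to %s, not %s" % (host, owner, from_domain))
    return findings
```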
