
27 October 2010

More Interesting Phishing Emails

After the phishing email supposedly from Standard Bank, two weeks back, I got another two this morning, supposedly from FNB. This email was even more sophisticated: the from address made sense (at first glance): info@fnb.co.za, the dates were reasonable, and the language, as well as the disclaimers etc., were all spot on. In fact, Google didn't even pick it up as a phishing email! And like the Standard Bank email, this email also asks the user to download a real life, proper anti-phishing/security product.



So why is it a phishing email? Firstly, the link that will supposedly allow you to download this file has nothing to do with FNB. Doing some digging, it seems that the site (seems like a personal site) has been compromised and is probably going to redirect the user to the malware or compromised application.

Secondly, as the headers of the email clearly show, the email's from address has been spoofed, and it has nothing to do with FNB. The reputation check, as per below, suggests that this is a new spam host, which is one of the reasons it did not get picked up by the anti-spam engine.

Received: by 10.216.55.139 with SMTP id k11cs1749wec;
    Tue, 26 Oct 2010 22:31:40 -0700 (PDT)
Received: by 10.213.13.80 with SMTP id b16mr216811eba.89.1288157499734;
    Tue, 26 Oct 2010 22:31:39 -0700 (PDT)
Return-Path:
Received: from linux14.unoeuro.com ([94.231.101.70])
    by mx.google.com with ESMTP id w3si18982624eeh.36.2010.10.26.22.31.39;
    Tue, 26 Oct 2010 22:31:39 -0700 (PDT)
Received-SPF: neutral (google.com: 94.231.101.70 is neither permitted nor denied by best guess record for domain of minami.dk@linux14.unoeuro.com) client-ip=94.231.101.70;
Authentication-Results: mx.google.com; spf=neutral (google.com: 94.231.101.70 is neither permitted nor denied by best guess record for domain of minami.dk@linux14.unoeuro.com) smtp.mail=minami.dk@linux14.unoeuro.com
Received: from linux14.unoeuro.com (localhost [127.0.0.1])
    by linux14.unoeuro.com (8.13.8/8.13.8) with ESMTP id o9R5VdDS015687
    for ; Wed, 27 Oct 2010 07:31:39 +0200
Received: (from minami.dk@localhost)
    by linux14.unoeuro.com (8.13.8/8.13.8/Submit) id o9R5VdFS015686;
    Wed, 27 Oct 2010 07:31:39 +0200
Date: Wed, 27 Oct 2010 07:31:39 +0200
Message-Id: <201010270531.o9R5VdFS015686@linux14.unoeuro.com>
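The comparison made by eye above can be automated. The following is an added example, not part of the original post: it parses a subset of the quoted headers and checks whether the displayed from domain matches the envelope sender recorded by the receiving server. The From line in the sample is constructed from the address the post quotes, and `org_domain` and `analyse` are hypothetical helper names.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subset of the headers quoted in the post. The From line is not in that dump;
# it is constructed from the sender address the post says the mail displayed.
SAMPLE = """\
Received: from linux14.unoeuro.com ([94.231.101.70])
    by mx.google.com with ESMTP id w3si18982624eeh.36.2010.10.26.22.31.39;
    Tue, 26 Oct 2010 22:31:39 -0700 (PDT)
Authentication-Results: mx.google.com; spf=neutral (google.com: 94.231.101.70 is neither permitted nor denied by best guess record for domain of minami.dk@linux14.unoeuro.com) smtp.mail=minami.dk@linux14.unoeuro.com
From: info@fnb.co.za
Date: Wed, 27 Oct 2010 07:31:39 +0200

"""

def org_domain(host):
    """Approximate the registrable domain (assumption: no Public Suffix List,
    just three labels for co.za-style suffixes and two otherwise)."""
    labels = host.lower().rstrip(".").split(".")
    second_level = labels[-2:-1] in (["co"], ["com"], ["org"], ["ac"])
    keep = 3 if second_level and len(labels[-1]) == 2 else 2
    return ".".join(labels[-keep:])

def analyse(raw):
    """Compare the visible From domain with what the receiving MX recorded."""
    msg = message_from_string(raw)
    from_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    auth = msg.get("Authentication-Results", "")
    spf = re.search(r"\bspf=(\w+)", auth)
    env = re.search(r"\bsmtp\.mail(?:from)?=\S*@([\w.-]+)", auth)
    # The topmost Received line here is the one stamped by the receiving MX.
    relay = re.search(r"from\s+(\S+)\s+\(\[([\d.]+)\]\)", msg.get("Received", ""))
    env_host = env.group(1) if env else ""
    aligned = bool(env_host) and org_domain(env_host) == org_domain(from_host)
    spf_result = spf.group(1) if spf else "none"
    return {
        "from_domain": org_domain(from_host),
        "envelope_domain": org_domain(env_host),
        "spf": spf_result,
        "relay_host": relay.group(1) if relay else "",
        "relay_ip": relay.group(2) if relay else "",
        "aligned": aligned,
        "suspicious": not aligned or spf_result != "pass",
    }

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key:16} {value}")
```

Only an Authentication-Results header stamped by your own receiving server should be trusted for this check, since a sender can insert a forged one further down the header list.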


The new types of phishing are impressive in how well they masquerade as legitimate emails, and most Internet users will be fooled. If this persists, the next question really is - what should the banks do next? Go back to post?